Archive for August, 2009
Backtrack /pentest A to Z Part 2: Database
by phil on Aug.28, 2009, under Backtrack A to Z, Security
Welcome to Part 2 of the /pentest A to Z story. Previously we went through the Bluetooth and Cisco folders. I also went through the trouble of explaining my lab setup. In this part we’re just going to be visiting one folder: database.
Initially I thought this folder would contain tools for exploiting common database vulnerabilities or something simple like mysql/mssql bruteforcers. Instead it contains some rather robust tools for testing databases and SQL injection.
For most of the testing performed here I used a Linux distro called ‘Moth’. Moth is a vulnerable Linux distro which runs a web app designed for exactly what I was doing, testing webapp/SQLInjection tools.
“Moth is a VMware image with a set of vulnerable Web Applications and scripts, that you may use for:
1. Testing Web Application Security Scanners
2. Testing Static Code Analysis tools (SCA)
3. Giving an introductory course to Web Application Security.”
Speaking of SQL injection, the first tool, blindsql, fits right in. This tool is really just two shell scripts:
- Sqlcheck.sh. This script simply takes a known URL and a known value that the page is supposed to return and checks if it’s vulnerable to SQL injection.
- Sqldata.sh. This script should be able to grab data from the SQL server itself. I, however, was unable to get it to do much more than complain and return nothing.
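The principle behind sqlcheck.sh (a known input must keep returning the known value, and only code that lets input reach the SQL parser will change its answer when an always-true or always-false condition is tacked on) is also the basis of a regression test a developer can run against their own data-access code. The block below is an added example, not code from the original post or from blindsql: it puts a concatenation-style query next to its parameterised fix and runs the same check against both. The products table and the SQLite in-memory database are constructed here as a stand-in for the MySQL back end of the Moth image.

```python
"""Vulnerable vs. parameterised query, plus the boolean-based check that a
script like sqlcheck.sh relies on.

Added example (not from the original post, not part of blindsql). The table
below is constructed sample data; SQLite stands in for MySQL.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: a tiny products table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?)",
        [(1, "widget"), (2, "gadget"), (3, "gizmo")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, product_id: str) -> list:
    # The defect: untrusted input is concatenated into the SQL text, so
    # anything the caller appends is parsed as SQL.
    sql = "SELECT name FROM products WHERE id = " + product_id + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn: sqlite3.Connection, product_id: str) -> list:
    # The fix: validate the shape of the input, then pass the value as a bound
    # parameter so it can never be interpreted as SQL syntax.
    if not product_id.isdigit():
        return []
    sql = "SELECT name FROM products WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (int(product_id),))]


def boolean_check(lookup, conn: sqlite3.Connection, known_id: str, known_value: str) -> bool:
    """The sqlcheck.sh idea as a test: with a known id the known value must come
    back; an appended always-true condition must keep it and an always-false
    condition must drop it only if the input is being parsed as SQL.
    Returns True when `lookup` behaves as injectable."""
    baseline = known_value in lookup(conn, known_id)
    true_case = known_value in lookup(conn, known_id + " AND 1=1")
    false_case = known_value in lookup(conn, known_id + " AND 1=2")
    return baseline and true_case and not false_case


if __name__ == "__main__":
    db = make_db()
    print("vulnerable injectable:", boolean_check(lookup_vulnerable, db, "1", "widget"))
    print("hardened injectable:  ", boolean_check(lookup_hardened, db, "1", "widget"))
```

The hardened version fails the check not because it is cleverer about the payload but because the value never becomes part of the SQL text; that is the property to test for, rather than trying to blacklist specific strings.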
The next three tools I’m going to lump in together here because I wasn’t really able to put them through their paces.
Metacoretex is a slick looking Java tool that’s supposedly used for testing Oracle databases. Not running Oracle in my lab (yet) made testing this tool tough. Also, walking through the tool I don’t think I ever got it working right, and trying to read about it on the internet proved impossible because the site for the tool is down (and because Metacoretex is a term used in the Matrix Online, which makes finding anything about it that isn’t Matrix Online related even harder).
SQLNinja sounds like a great tool for testing vulnerable ASP/.NET pages and getting a shell on a remote machine. Currently, however, I don’t have a vulnerable web app I can bang this tool against in my lab. I’m sure ones exist all over the net (the entire .cn TLD perhaps, Exotic Liability shoutout!) but the way I’ve set up this lab is to be completely segregated from any outside network, so I won’t be testing that.
Finally there’s sqlbrute, presumably a tool used for brute forcing SQL databases. Unfortunately it’s only good for MS SQL and Oracle databases, neither of which I have, so I wasn’t able to test this tool. If you have tested this tool out, let me know in the comments.
Next on the list is MiniMysqlat0r. I loaded this tool up and was surprised by the nice GUI. I put in the ‘moth’ server IP address and let it scan away for about 10 minutes. What I was presented with was a whole slew of places where injection was possible. I selected one of these URLs from the list presented and tested out the SQL Exploiter feature.

SQLator Exploit Tab
This tool was literally able to give me anything I wanted from the server. I could dump the MySQL users table, dump all the databases and even grab a copy of the /etc/passwd file!

That right there is a nice /etc/passwd file
I tried the /etc/shadow file but alas the mysql user didn’t have the right permissions. Given the time though I would be able to get enough information about this server to find another way in since I’d be able to grab every config file and read through them for weaknesses. One caveat, this was against a very vulnerable server and I’m curious if it’s able to work this well in the real world.
After spending about an hour playing with SQLator I pulled myself away to check out Pblind. Not a very complicated tool. You supply it with the URL to test and it tells you if it worked or not, plus a little bit extra. I was able to use it to get the current user but not much else beyond that.

T h a t i s t h e u s e r n a m e. Hard to read and other tools do a better job.
Next I tested out SQLiX. No idea what the name of the tool means or what exactly it’s supposed to do. But I was able to get it to tell me that the server I’m testing was vulnerable. Though the tool is a little old and there are far better tools available today.

SQLiX sounds like a character from Star Trek: Voyager
Finally we have SQLMap.
sqlmap is an open source command-line automatic SQL injection tool. Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user’s specified DBMS tables/columns, run his own SQL statement, read or write either text or binary files on the file system, execute arbitrary commands on the operating system, establish an out-of-band stateful connection between the attacker box and the database server via Metasploit payload stager, database stored procedure buffer overflow exploitation or SMB relay attack and more.
Same as SQLator, I really liked this tool and was able to glean some interesting information from the database. In this screenshot you can see I was able to get all the usernames from the MySQL user database:

It even recreates the formatting
Keep in mind this screenshot is from SQLMap itself, pulling information from a blind SQL injection. I don’t have access to the database other than the URL I supplied in the screenshot. However that was just the tip of the iceberg. Using sqlmap I was able to retrieve the name of all the databases I had access to, all the tables within those databases and, if I wanted them, the columns within those tables. All in all I was fairly impressed with this tool.
The version provided on the BackTrack 4 CD, however, is a little old and I’d recommend getting the most recent version from http://sqlmap.sourceforge.net. The newer version has even more interesting functionality such as creating a remote shell and your own SQL shell. If you don’t want to download sqlmap yourself I would recommend you check out the Samurai LiveCD, a LiveCD designed specifically for testing web frameworks.
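Everything sqlmap pulled out of the Moth server above arrived through ordinary HTTP requests to one URL, which means the web server’s access log is where a defender would see it: a burst of requests from one client whose query strings carry SQL syntax, often with a tool’s own User-Agent. The block below is an added example and not code from the original post, sqlmap or BackTrack; it parses combined-format log lines and groups indicator hits by client IP. The log lines, the indicator list and the `min_hits` threshold are all constructed or assumed for the example.

```python
"""Flag SQL-injection scanner activity in web-server access logs.

Added example, not from the original post and not part of sqlmap or
BackTrack. SAMPLE_LOG is constructed for the example (Apache/nginx combined
log format); the indicator patterns and threshold are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample log lines: one normal visitor (10.0.0.5) and one client
# (10.0.0.9) probing the id parameter the way an automated tool would.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Aug/2009:10:01:01 -0400] "GET /item.php?id=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [28/Aug/2009:10:02:10 -0400] "GET /item.php?id=3%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/0.8 (http://sqlmap.sourceforge.net)"
10.0.0.9 - - [28/Aug/2009:10:02:11 -0400] "GET /item.php?id=3%20AND%201%3D2 HTTP/1.1" 200 87 "-" "sqlmap/0.8 (http://sqlmap.sourceforge.net)"
10.0.0.9 - - [28/Aug/2009:10:02:12 -0400] "GET /item.php?id=3%20UNION%20SELECT%20table_name%20FROM%20information_schema.tables HTTP/1.1" 500 0 "-" "sqlmap/0.8 (http://sqlmap.sourceforge.net)"
10.0.0.5 - - [28/Aug/2009:10:03:30 -0400] "GET /item.php?id=4 HTTP/1.1" 200 498 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators of SQL syntax reaching a query-string parameter. Deliberately
# coarse: this is a triage signal for log review, not a blocking rule.
SQL_TOKENS = re.compile(
    r"(\bunion\b.*\bselect\b|\binformation_schema\b|\bload_file\b|"
    r"\bsleep\s*\(|\bbenchmark\s*\(|\b(and|or)\s+\d+\s*=\s*\d+|'\s*(or|and)\b)",
    re.IGNORECASE,
)
# Default User-Agent strings of common injection tools (assumed list).
SCANNER_UA = re.compile(r"sqlmap|sqlninja|havij", re.IGNORECASE)


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def score_request(rec: dict) -> list:
    """Return the names of the indicators that fire for one parsed request."""
    hits = []
    query = unquote_plus(rec["path"].partition("?")[2])  # decode %20, %3D, + ...
    if SQL_TOKENS.search(query):
        hits.append("sql-syntax-in-query")
    if SCANNER_UA.search(rec["ua"]):
        hits.append("scanner-user-agent")
    if rec["status"] == "500":
        hits.append("server-error")  # error-based probing often trips 500s
    return hits


def find_suspects(log_text: str, min_hits: int = 2) -> dict:
    """Group indicator hits by client IP; report IPs with at least min_hits."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip it rather than abort the whole scan
        for hit in score_request(rec):
            per_ip[rec["ip"]].append(hit)
    return {ip: sorted(set(hits)) for ip, hits in per_ip.items() if len(hits) >= min_hits}


if __name__ == "__main__":
    for ip, indicators in find_suspects(SAMPLE_LOG).items():
        print(ip, ", ".join(indicators))
```

The User-Agent match is the weakest of the three signals, since a tool can set any string it likes; the decoded query-string check and the cluster of 500s from one client are what survive that. Run against real logs, `min_hits` should be tuned on a quiet period first so that ordinary users who type an apostrophe into a search box do not surface as suspects.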
That pretty much wraps up the ‘database’ folder. There was one folder I didn’t touch: the UDF folder. I have no idea what it’s for and apparently neither do the good people at Remote Exploit (the makers of BackTrack): https://wiki.remote-exploit.org/backtrack/wiki/UDF
From TN Status to GreenCard
by phil on Aug.13, 2009, under Uncategorized
So since I just got my GreenCard I thought I’d throw together a quick blog entry that will help people transition from a TN visa to a GreenCard (through marriage only). The reason I’m doing this is because when I went through the whole process it was basically a crap shoot trying to get information about the TN status and what I should put where.
I’m not a lawyer and this is just what I did on my forms. If you have questions/comments above and beyond this document you’ll probably want to consult a lawyer.
First some things to get out of the way, from Wikipedia:
TN (Trade NAFTA) status is a special non-immigration status unique to citizens of the United States, Canada and Mexico. TN status was created by virtue of the 1994 North American Free Trade Agreement (NAFTA). It allows American, Canadian and Mexican citizens the opportunity to work in each other’s countries in certain professional occupations.
One thing to pay attention to is that a TN-1 status is not a visa. You do not have a visa number, nor will you have an alien number. All you have is your departure number. If you’re working in the US on a TN status and you get married you can no longer renew that status. With the new 3 year period you’ve probably got a long while until you need to renew, but if you get married and leave the country with your TN status in hand be aware that USCIS can deny you re-entry into the country. So once you get married it’s probably a good idea to start to submit all the paperwork. So what can you do? It’s called ‘Adjustment of Status’. It allows you to change your status from TN to GreenCard. To do so you must submit what’s known as an ‘AOS Package’.
I’m going to quickly describe what I included in my AOS package:
1) I-130 Petition for Alien Relative
- My birth certificate
- Wife’s passport, in full
- G-325a Biographic information for wife (including 2 passport photos)
- G-325a Biographic information for me (including 2 passport photos)
- Evidence of bonafide marriage (marriage cert, joint bank account, lease, car loan etc)
2) I-485 Adjustment of Status
- Copy of my passport bio page
- Copy of my I-94 front and back
- Copy of my birth certificate
- Copy of marriage cert
- 2 passport photos of me
- Another G-325a (including 2 passport photos)
- I-693 (Medical Exam)
- I-864
- i. Wife’s 2009 Tax return and W2
3) I-131 Advance Parole
- Copy of my passport bio page
- Copy of my I-94 front and back
- 2 passport photos of me
4) I-765 Employment Authorization Document
- Copy of my passport bio page
- Copy of my I-94 front and back
- 2 passport photos of me
The I-130 is the petition that gives you an alien number and allows you to get a GreenCard. The I-485 is the application to change from TN to GreenCard. The I-131 allows you to travel, more on this in a second. Finally the I-765 is to allow you to work while you wait for the green card.
About the I-131 and the I-765. When you submit your paperwork your status changes from TN to ‘Pending’. Basically you’re still allowed to work under the TN-1 status until you get your Employment Authorization Document (EAD). The only difference between the TN-1 and EAD is you’re no longer tied to a company’s sponsorship when working under an EAD. Once you’ve submitted the paperwork you can no longer leave the country. If you leave the country you are dropping your application, unless you have an Advance Parole (or the I-131). With this document you’re allowed to leave the country without forfeiting your application. You submit both these applications at the same time and you should receive them in about 90 days or less. Mine took 2 months but YMMV.
Now for the helpful advice that took me days to hunt down:
1) You don’t have an alien number (or A# or A). The TN-1 status is not a visa and as such does not give you an alien number. So what are you supposed to put when every form asks for an A#? You put ‘none’.
2) If the form asks for your class of admission, visa type, current status, how you arrived in the country etc., you put ‘TN-1 Status’.
3) This is specific for the I-765 so I’ll just include a screenshot:

4) Within the I-485, since the TN-1 status is not a visa you’re going to put ‘none’ a lot. Just like this screenshot:

5) One of the hardest pieces for me was getting the medical exam (the I-693) completed. What you’re going to want to do is go to the USCIS website and put in your zip code. Then what I did was create a Google Docs spreadsheet of all my local doctors and called each and every one of them. Make sure to ask how much the medical, including all vaccinations, will cost. Doing this I was able to find the cheapest doctor in my area, who used the local city vaccination clinic to get my vaccines. Total cost was less than $200. You might be able to get your family doctor to give you a physical and prescribe the shots to have insurance pay for it, but I didn’t go that route.
6) When filling out the I-864 it will ask you for the previous 3 years’ tax records. You can easily request these records from the IRS.
7) When the package is complete scan the entire thing to email and save a copy. This will save you many sleepless nights when you doubt what you put down.
8) When you’re ready to mail the entire thing take it to USPS and use their tracking feature, this will let you know when it arrived at USCIS and who took it in.
9) You can use the online case status at USCIS when you’ve received your case numbers. Be aware, however, that the system isn’t always up to date; my cases still haven’t shown up there.
This obviously doesn’t answer every question out there, and if you’ve got questions I would recommend you check out the forums over at Visa Journey and the rest of the site. They can walk you through exactly what paperwork to submit and generally answer questions you may have. Best bet is to use the forum search feature, as 9 times out of 10 someone else has had your exact problem. I’m sure you’ve got questions. If the Visa Journey forums or site don’t help you out feel free to leave a comment here.
Backtrack /pentest A to Z: My Virtual Lab
by phil on Aug.06, 2009, under Backtrack A to Z, Security
My Virtual Lab
Throughout my career in IT security I’ve always seen hacks, exploits and vulnerabilities and thought ‘hey, that’s interesting. Too bad I don’t run XYZ to test this out’. Around last year I was given a client where I had to install software on my machine. Not wanting to actually install this software on my work laptop I obtained a VMware license. I had been using VMware at home for a long time to try out LiveCD versions of operating systems or to play around with stuff like OS X, mostly with the free VMware Player software. That software lets you run one VMware image but it’s a little locked down. Now that I had VMware installed I was able to actually set up some test networks with various operating systems. I tried this out last year and figured out (to my dismay) that VMware + encrypted hard drive = a very SLOW death. With one image running VMware was barely usable; starting up a second image would just kill my machine. So I let the topic die for a while.
Then earlier this year someone posted a hard drive image from a machine they found running Win95. They supposedly found this computer in a parking lot and made an image of the hard drive. The problem was, it was made for VirtualBox. Being curious about this hard drive image I installed VirtualBox and took a look. While there was nothing too exciting about the image, I found that VirtualBox ran really great on my system. I decided to try out another OS and installed Ubuntu. What would originally bring my computer to a crawl was now running at almost full speed. With this in mind I slowly built up a virtual lab to test various exploits, scanners etc. against. This is the lab I’m currently using for my Backtrack articles and I find it works great!
My Lab
The current lab I have set up was really more for my entertainment than anything else. I set it up in such a way that I can install software used for security (such as NetMiner, Wireshark, nmap, metasploit etc.) but I wanted to be sure that the data flying around inside this network couldn’t get out to my actual network. VirtualBox has a nice feature where you can set up a simple internal network in which all the machines can communicate with one another but not with the outside network. If you need to update a machine it’s as simple as changing the network type drop down, booting the OS and making your updates. VirtualBox also allows you to set up a DHCP server for this internal network so you don’t have to worry about setting static IPs (not that setting static IPs is a problem, but when setting up WinNT or Windows 95/98/ME it saves time not having to reboot all the time).
Let’s walk through my current lab setup:

1) Windows NT 4. This is an unpatched machine. Really super vulnerable. I just keep it around for nostalgic reasons. If you’re still running Windows NT run, don’t walk, to your IT guy and tell him to upgrade to the newest Windows Server version. If your vendor is telling you it’s because their software won’t run on a newer OS then you should weigh the cost of upgrading with a different vendor vs. the cost of having a data breach. But that’s a different article.
2) Windows 2003. This is Windows 2003 Server. I use it to test web apps to learn injection techniques, as well as a DNS server, file server and MS SQL database server.
3) Ubuntu Server 9.04. This the newest release from Ubuntu. I use this to test vulnerable web apps and web app scanning tools. I installed Damn Vulnerable Web App over the weekend and really like it.
4) Windows 95. Just a nostalgic machine. Nothing really worthwhile on it except SkiFree.
5) Windows XP. This is my XP machine with SP3. I don’t really run tests against it (though I will be shortly). Mostly it’s for testing out Windows tools such as NetMiner, Cain & Abel, L0phtCrack and running my Cisco emulator.
6) Cisco 7200 router. This is my Cisco emulated hardware running a 7200 image. I used this in the most recent article about Backtrack where I was testing the Cisco tools. It runs on top of GNS3 (Graphical Network Simulator) and worked great.
7) This is the Backtrack 4b image running. It runs from the ISO so as I do my testing I know I’m not changing anything from the default. Eventually I’ll install it to a harddrive image but not until I’ve gone through all the /pentest apps.
Once I got the lab set up it was easy to expand my knowledge about how to use the tools, which tools work and which don’t, etc. One thing you’ll notice absent is a Windows 2000 server. I’ll get around to setting one up eventually, but for now I think what I’ve got works pretty well.