Cracking WatchGuard passwords
Watchguard Firewall appliances offer the ability to manage policies per user. Several mechanisms can be used to authenticate users (Active Directory, LDAP, Radius, ..) including a local database called “Firebox database” (Firebox-DB). Based on the XML configuration file of the appliance (which includes the Firebox-DB accounts), I recently needed to evaluate the passwords strength defined by a customer. Unfortunately, the firebox passwords appeared to be encrypted or hashed and I couldn’t find any information about the algorithm used.
Sample hash
Hereunder is an excerpt of the XML configuration file, showing the definition of the user “john“. The password was set to “readwrite“, a deliberately simple choice for testing purposes.
<account>
<id>john</id>
<password>628427e87df42adc7e75d2dd5c14b170</password>
<description/>
<idle-timeout>1800</idle-timeout>
<session-timeout>28800</session-timeout>
[...SNIP...]
</account>
If you heard about the following vulnerabilities in McAfee ePolicy Orchestrator version 4.6.5 and earlier:
- CVE-2013-0140 – Pre-authenticated SQL injection
- CVE-2013-0141 – Pre-authenticated directory path traversal
and your environments haven’t been updated yet, then you should consider watching this video…
Main Features:
- Remote command execution on the ePo server.
- Remote command execution on the Managed stations (one ring to rule them all).
- File upload on the ePo server.
- Active Directory credentials stealing.
More information:
- https://kc.mcafee.com/corporate/index?page=content&id=sb10042
- http://www.kb.cert.org/vuls/id/209131
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0140
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0141
(20 votes, average: 4.35 out of 5)
Loading...
Ok, here we are..
Thank you for your patience. It is time to release the version 0.1 of the “tool“.. ;-)
The archive is composed of:
- An EXE template (ultimate-payload-template1.exe) which manage the sandbox evasion.
- A Perl script (ultimate-payload.pl) which read a shellcode in binary format from STDIN, encode it, and build a new EXE file based on the template.
- The source code of the encoder (in assembly) and the template (Visual Studio 2008).
The (stupid) sandbox evasion technique used in the EXE template is explained in the part2 of this story. And the output of the tool is shown in part1.
I do not expect it to bypass all AVs forever. I guess new signatures of the template will appear shortly. But don’t worry, all you have to do is to modify the source code of the template, and recompile it. In case of new sandbox problems, just use your imagination ;-)
Note: this technique doesn’t work anymore against MS Essential Security. For this reason, I wrote a new version (0.2) with a new technique, but this one will not be published.. (yet). However, a little bird told me that using a stupid junk loop in v0.1 would do the trick against Essential Security ;-)
Download the tool: ultimate-payload-v0.1.tar.gz and read the HOWTO.txt file.
As usual, be nice. Ask the permission of the owner before infecting a computer…
Enjoy ;-)
Foip
(8 votes, average: 3.38 out of 5)Loading...
psk-crack (ike-scan) CUDA add-on
UPDATE: Thinks are moving well on Hashcat.net ! https://hashcat.net/trac/ticket/5
Hello,
If you are familiar with ike-scan and you hold NVidia card(s), you could be interested by cracking Pre-Shared Keys with your GPU(s).
As it is my first CUDA/GPU implementation and that I have limited knowledge of cryptography, this code must not be considered as optimized. Technically, I only reused basic source codes of MD5 and SHA-1 inside a CUDA code. Don’t blame me. I was working on a pentest and I thought : “Cracking this PSK could be nice for my report, let’s do ‘man cuda’ .. ”
To give you an idea of the improvement, brute-forcing the PSK “hello1“requires about:
- 2 hours and 50 minutes with CPU (HP EliteBook 8440p – 2.5GHz Intel Core 5)
- 2 minutes and 40 seconds with GPUs (GTX480 + GTX570)
It’s not that bad for a first try, even if the occupancy rate of the cards is low.
Hello,
Here is the PowerPoint presentation explaining the sandbox evasion technique, used in the part 1 of this story (see Antivirus Sandbox Evasion (par1)).
Enjoy,
(2 votes, average: 5.00 out of 5)Loading...