Archive for July, 2011

Quick & Dirty secure chat; ncat

Posted: July 21, 2011 in general
Tags: , , ,

Sometimes you just need a quick and dirty “secure” chat. Secure meaning it’s not terribly easy to eavesdrop on the conversation. Well lucky for us nmap comes with ncat. Directly from it’s website:

Ncat is a feature-packed networking utility which reads and writes data across networks from the command line. Ncat was written for the Nmap Project as a much-improved reimplementation of the venerable Netcat. It uses both TCP and UDP for communication and is designed to be a reliable back-end tool to instantly provide network connectivity to other applications and users. Ncat will not only work with IPv4 and IPv6 but provides the user with a virtually limitless number of potential uses.

Among Ncat’s vast number of features there is the ability to chain Ncats together, redirect both TCP and UDP ports to other sites, SSL support, and proxy connections via SOCKS4 or HTTP (CONNECT method) proxies (with optional proxy authentication as well). Some general principles apply to most applications and thus give you the capability of instantly adding networking support to software that would normally never support it.

Sounds just like what we need. Let’s get it working:

We generate the needed cert(more openssl tricks here: openssl tricks):

openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout mycert.pem -out mycert.pem

We get it’s fingerprint:

openssl x509 -noout -in mycert.pem -fingerprint

We set ncat up to be the secure chat server we want it to be:

ncat -v -l –chat –allow 127.0.0.1,10.0.3.8 –ssl –ssl-key mycert.pem –ssl-cert mycert.pem 1080

The process to actually chat is very easy, transfer the fingerprint to your buddies with an out-of-bound channel and have your buddies run ncat like this and then verify the fingerprint before typing any text:

ncat -v –ssl 10.0.3.7 1080

You also need to connect to the server yourself or your buddies won’t be able to see your messages. If you just need an one-on-one chat, remove the –chat option.

The options are kinda self explanatory, but here is the quick overview:

-v = verbose
-l = listen mode
–chat = chat server mode, multi-user with user prefixes
–allow = the ip addresses allowed to connect
–ssl = use ssl
–ssl-key = needed for ssl
–ssl-cert = needed for ssl

References:

Disclaimer
Do not use this for really sensitive conversations, use this only at your own risk and as always think before using.

So here is a quick midnight thought to retrieve data when facing a blind sql injection. It’s nothing ground breaking on the horizon I just wanted the technique to get some more attention, since I don’t see it used that often. I’m using MySQL as an example, but this can be used on any database which has somewhat of a reliable way to force it to do time related actions. The downside is that it’s pretty unstable if your connection to the target is not reliable and it’s a slow method like all time based methods. The upside however is that you only need one request for one character instead of eight requests and it can be further improved. If you are a whitehat then the amount of requests usually aren’t that important, if you are a blackhat you might prefer a small footprint in the logs.


sleep(ascii(substr(user(),1,1)))

The above is the quick and dirty way. You can probably guess it we use sleep() as the transport medium for the character value. The only reference I found to this technique is in this paper [PDF] on page 4. Maybe I haven’t searched long enough and there are better papers out there exploring this method of data extraction.

You do want to speed the above up, since the character ‘r’ (if we assume ‘root’ as an example username) gives you a waiting time of 114 seconds (1min 54sec). The easiest way is to just substract a constant from it and add the constant up when you have retrieved the value. You can use the following ascii chart to see what a save constant values could be. An example could be:


sleep(ascii(substr(user(),1,1))-32)

We can further improve this however by involving the human factor. As often said humans are the weakest links in the security field, yet they are the strongest link when it comes down to thinking (artificial intelligence is still trying to catch up). For example the following text has circulated a REALLY long time on the internet (original):

Aoccdrnig to a rscheearch at Cmabrigde Uinervtisy, it deosn’t mttaer in waht oredr the ltteers in a wrod are, the olny iprmoetnt tihng is taht the frist and lsat ltteer be at the rghit pclae. The rset can be a toatl mses and you can sitll raed it wouthit porbelm. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef, but the wrod as a wlohe.

So…this actually means that to be able to extract data we don’t really need all the data do we? YES there are exceptions to the rule like hashes and the like. So all we need is to get the first and last letter and then just get random letters in between. You can use letter frequency analysis to make sure your request for a letter has a high probability of being in there, for example using the following wikipedia page:

http://en.wikipedia.org/wiki/Letter_frequency

So after getting the first and last letter of the data you are after, you can use the following query to get the intermediate letters:


sleep(instr(user(),"o"))

If that’s too fast because of the positions being returned are in the range of 0-10, you can always add a constant or wrap it with ascii(). I won’t be coding a tool or POC for this, since I think this is just a technique that should be included in already available tools like sqlmap, sqlninja and the like.

Hope someone finds this useful.