Location header is optional, not mandatory

September 13th, 2013

I thought I’d write a short post about this issue as I’ve seen it come up a couple of times in PHP code audits. The incorrect assumption is that sending a Location header somehow forces the browser elsewhere, or forces the script’s execution to stop there. It does neither: header() only adds a header to the response, the script keeps running, and whatever it outputs afterwards is sent as the body of the 302 response, where any client that does not follow redirects (curl without -L, an intercepting proxy, a script) can read it.

Take a look at the following code sample –

<?php
	$logged_in = 0;

	/* Do login verification routine here */

	if (!$logged_in)
	{
		/* User is not logged in and shouldn't be here */
		header("Location: /index.php");
		/* BUG: header() only queues a response header; execution continues below */
	}
	/* Reached whether or not the user is logged in: the secret is sent as the
	   body of the 302 response, and a client that ignores the redirect sees it */
	echo "Secret Member Content";
?>
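The same check written so that the redirect actually ends the script, as an added example rather than code from the original post. The is_logged_in() helper and the session lookup inside it are assumed stand-ins for whatever the real verification routine does:

```php
<?php
// Added example, not from the original post: the hardened form of the
// members-only check. header() only queues a response header; PHP keeps
// executing the script, so the redirect must be followed by exit to stop
// the rest of the page from being emitted as the body of the 302.

function is_logged_in(): bool
{
    // Assumed stand-in for the real login verification routine.
    return isset($_SESSION['user_id']);
}

session_start();

if (!is_logged_in()) {
    // header() must be called before any output has been sent, or it is
    // silently dropped (with a warning) and the page renders as a normal 200.
    header('Location: /index.php', true, 302);
    exit; // nothing below this line runs for an unauthenticated request
}

// Only reachable once is_logged_in() has returned true.
echo "Secret Member Content";
```

To confirm a finding during an audit, request the page without following redirects, for example `curl -i http://host/members.php` (curl does not follow redirects unless -L is given): the vulnerable version returns a 302 whose body still contains the protected content, the hardened version returns a 302 with an empty body.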


A new method for network tunnelling: tundeep

September 10th, 2013

I’ve been frustrated during several pen tests lately at the lack of a tool to tunnel through a network in the way that I want to.

Consider the following network:

[Attacker   192.168.200.40 (eth0)]
             |
[VICTIM1    192.168.200.41 (eth0) / 10.0.0.5 (eth1)]
             |
[VICTIM2    10.0.0.10 (eth0) / 10.10.10.20 (eth1)]
             |
[VICTIM3    10.10.10.21 (eth0)]

Once we’ve compromised VICTIM1 we have a number of current choices to tunnel deeper into the network. As far as I’m aware, these are:

  1. Metasploit’s ‘autoroute’ module.
    Advantages: This is a great tool that does exactly what I want. It routes traffic through the victim so that the attacker appears to be on the victim’s network.
    Disadvantages: Only works from within Metasploit. No use for running external tools, scans, or layer 2 protocols. Metasploit Pro has a VPN tunnelling feature that looks ideal, although not all of us can afford it 😉
  2. Metasploit’s portfwd module/iptables/simpleproxy.
    Advantages: Quick and easy.
    Disadvantages: Only forwards individually specified TCP/UDP ports (layer 4), and each port must be forwarded one at a time.
  3. Proxychains/ssh -D SOCKS tunnelling.
    Advantages: This is my current preferred method wherever possible. Easy and reasonably flexible.
    Disadvantages: Proxychains is a hack in itself (it hooks the libc socket calls via LD_PRELOAD, so statically linked or raw-socket tools bypass it) and only supports TCP.
  4. Implement a VPN server and set up bridging on your victim.
    Advantages: Will do exactly what we want.
    Disadvantages: Disastrous idea: it requires installing and configuring software on the victim, possibly a reboot or interface reconfiguration/bridging, and it is very unstealthy.

Currently, my preferred method is a mixture of the above depending on the scenario. What I’ve always wanted, though, is a way to bring up a local interface that sits on the remote network, which I can interact with as if I were directly connected, running any tools I wish, including ARP scans and ARP poisoning.

Introducing TUNDEEP… [Get tundeep now]

For the next release I’m planning compression mode, packet mangling, and a code cleanup as well as any bug fixes that arise.