Remotely lock a computer, and prevent them from logging back in

Sometimes you have to throw someone off a terminal, but at the same time preserve the evidence on the terminal. For example if someone is using a terminal to hack something, and you need to secure the running terminals to capture the commands that has been run. It is quite simple to accomplish this, as the process below demonstrates.

  1. First, change the target account’s AD password. This will prevent them from logging back in
  2. Next, target the terminal with psexec and use rundll32 to execute user32.dll with the LockWorkStation function. This will trigger the account lock. The following command can be tweaked for your purposes: PsExec.exe \\<ip> -d -u <domain>\Administrator -i cmd.exe /c “C:\windows\system32\rundll32.exe user32.dll, LockWorkStation”
  3. Now it’s time to sieze the terminal. Make sure you are standing by ready for this, as the victim could be distressed and shut down his workstation, essentially removing evidence.

This concept can be expanded further, as Darryl Griffiths pointed out to me on LinkedIn. Coupling the initial idea of locking the workstation with AD Group Policies to modify the Power settings on the target workstation, one can even prevent the machine from shutting down, e.g. when the power button is clicked or the laptop lid is turned off. The Power Management in Windows normally allows this type of overriding the functionality of the power button, and more can be read about this concept in the following TechNet article: https://blogs.technet.microsoft.com/askds/2008/03/21/managing-power-with-group-policy-part-3-of-3/

Get PSExec here: https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx?f=255&MSPPError=-2147217396

Here is a video demonstrating the remote terminal lockout.

SANS Holiday Hack Challenge 2016 write up

Brilliant CTF by Counter Hack team as usual. Tons of good fun, awesome challenges and a great story to go with it. Whats not to like?

Here’s a quick write-up on the answers I produced on the 2016 challenge.

1) What is the secret message in Santa’s tweets?

I wrote a simple Javscript to extract all the Tweets. All this script does is to concatinate all the tweet bodies into a single variable, then outputting the variable into the browsers console.

This produces the following output:

We can see that the output represents ASCII art character G. In total, the answer produced the string “BUG BOUNTY”.

2) What is inside the ZIP file distributed by Santa’s team?

The Instagram account of Santa had an image linking to a zip file. Simply download the ZIP file from the target webserver and inspect the file. The password was simply the string from the #1.

3) What username and password are embedded in the APK file?

Simply look through the resources files and configuration and you will see the credentials guest / busyreindeer78.

4) What is the name of the audible component (audio file) in the SantaGram APK file?

The audio file was in the resources\raw folder. It’s name was discombobulatedaudio1.

5) What is the password for the “cranpi” account on the Cranberry Pi system?

Procedure:

  1. Download the Cranberry PI image
  2. Use fdisk to review the partitions
  3. Mount the partitions
  4. Crack the passwords in the /etc/shadow file using JTR or Hashcat with the Rockyou dictionary file.
  5. This cracked into two different passwords:
    1. pi:thenorthpole07
    2. cranpi:yummycookies

6) How did you open each terminal door and where had the villain imprisoned Santa?

Door 1

We are presented with a shell and something to look for. Using the “find .” command.

This reveals several hidden files, one which is of our interest: elf@3030ec3eb5a9:~/.doormat/. / /\/\\/Don’t Look Here!/You are persistent, aren’t you?/’

From here we just had to cat the correct file, keeping in mind escaping the special characters such as “.!’\ “.

Door 2

Basically I just read the manual and defeated the wumpus by remembering the cave layout and the different options.

Door 3

The shell we’re in is less or more, and it supports command execution. By entering the command !/bin/bash , this gives us a proper shell, which we can now use to see all the files involved. One of the files was the source code to run the train, which also contained the password.

Door 4

We are in a shell with a pcap in the current directory. We don’t have read access to pcap, but sudo -l reveals that we can access it through the itchy user like this: sudo -u itchy strings out.pcap. This yields half of a flag, but not the rest. The rest of the flag is hidden in a transmission of an ELF file. Using strings -e l out.pcap revealed the second half of the flag.

Door 5

A dialog from the movie Wargames, between the main actor and the Wooper computer, was displayed, missing out the information from the actor. Simply typing what the actor would type in to the Wooper computer yielded the flag.

Door 6

With the 7 audio files in place, they were put into order, based on their track numbers. The speed of the audio was then sped up to about 700-800%, and the audio could then be understood. Removing the background noise also helped.

7) For each of the six items, which vulnerabilities did you discover and exploit?

The Mobile Analytics Server (via credentialed login access)

Simply log on to the solution using the guest / busyreindeer78 credentials, then click the Mp3 menu item.

The Dungeon Game

I googled walkthroughs for this game, and figured out a cheat command called the GDT, presumably named after the “Global Descriptor Table”. From here I could access all rooms, resources and what not. I identified the dialog and rooms necessary to get the password through the GDT.

The Debug Server

Activated the debug flag in the APK file, re-build and installed it onto my device. I then observed through Proxy the traffic going to the debug server. This traffic was then modified using the Burp Repeater. The JSON response revealed an interesting parameter called verbose, and this was set to false. Setting the verbose flag to true in the request makes the response suddenly give away a lot more information, among other things, a files array containing the mp3 we want.

The Banner Ad Server

The MeteorMiner Greasemonkey/Tampermoneky script by Tim Medin was used to browse what the Meteor application is exposing. The Home Quotes object had 5 records in them, while only 4 was shown as quotes on the front page. 1 quote was different and had an audio attribute on it. The HomeQuotes object was printed with the browsers console, and one could easily see the mp3 file hidden inside the object:

The Uncaught Exception Handler Server

The calls to the exceeption server was intercepted with burpsuite, revealing a JSON post request to exception.php. The request contained WriteCrashDump, and this was changed to ReadCrashDump to see what happened. From here, a simple tutorial of error messages gave us clues for the request we needed to create to make the script parse it properly. The request ended up like this, but it did not work for parsing other php files, such as index or exception:

{“operation”:”ReadCrashDump”, “data”:{“crashdump”:”crashdump-YhFSnH”}}

Instead, adding the stream handler convert.base64-encode, we could now read the contents of the files we wanted.

{“operation”:”ReadCrashDump”, “data”:{“crashdump”:”php://filter/convert.base64-encode/resource=exception”}}

This gave us an base64 result of the source code of exception.php, where the mp3 filepath was hidden in a php comment.

The Mobile Analytics Server (post authentication)

Running nmap with default scripts reveals a git repository hosted at this site. Downloading and repairing the repository lets us browse the source code of the page and also the database SQL build script.

Logging onto the analytics server as administrator with a password previously leaked, we could access more functionality. Specifically we could query for information, view and edit previously made queries. By first creating a simple query and specifying to save it, we could give the edit script the appropriate GUID to edit it. The log then tells us a hint, that it is checking for id, name, description, and finally, a query. The form only allows us to input id, name and description, but the script also parses the query parameter. Setting the query parameter to select * from audio allows us to see two audio files in this database, one which we already have. Using the query select to_base64(mp3) from audio where username = ‘administrator’ allowed us to copy the base64 encoded value of the mp3 data into a txt file. This was simply decoded using the command line: base64 –decode < mp3.txt > mp3.mp3

8) What are the names of the audio files you discovered from each system above? There are a total of SEVEN audio files (one from the original APK in Question 4, plus one for each of the six items in the bullet list above.)

  • discombobulatedaudio1.mp3
  • discombobulatedaudio2.mp3
  • discombobulatedaudio3.mp3
  • debug-20161224235959-0.mp3
  • discombobulatedaudio5.mp3
  • discombobulated-audio-6-XyzE3N9YqKNH.mp3
  • discombobulated-audio-7.mp3

9) Who is the villain behind the nefarious plot.

Apprently Doctor Who. LoL!

10) Why had the villain abducted Santa?

To prevent the movie “Star Wars Holiday Christmas” being released.

Finding files and grepping for information

Sometimes you have to find interesting files, then grep through those specific files dynamically. With Linux this is as easy as:

find . -name <file> -exec grep -i -H <match> {} \;

This will simply recursively look for files you want to find, e.g. *.txt, and for each file found, grep that file for whatever matching content you want to find. Additional interesting things to do with this is to grep with regex, or use the find command to further filter for specific types of files.

Slow DNS enumeration

Fierce is an excellent tool for doing DNS reconnaissance, i.e. querying the DNS server for potential domain names to be revealed. I’ve seen some setups where the enumeration has gone horrible slow.

If your DNS enumeration tool is going slow, fire up tcpdump and inspect the DNS traffic.

tcpdump -i <interface> -nn port 53 

Normally you should see tens and hundres of DNS queries flowing past the screen, but if the requests are slow, inspect the queries you are sending. Are you sending queries for .local domain as well?

This image shows 3 queries trying to resolve one name, but sends multiple queries

This is likely due to your DHCP settings are pushed out with a SearchDomain for <whatever>.local. Edit your /etc/resolv.conf and remove the line dictating the SearchDomain, and you should have a huge boost in speed!

Hassles and concerns upgrading from Windows 10 Home to Pro

Windows 10 Pro supports some features that are nice to have, especially if you like to take advantage of more features of your OS than the Home edition allows for.

Windows store changes my local account to an online account

The Window shop application requires you to sign in with your MSDN account. Once you’ve signed in and purchased the upgrade, your local Windows account is suddenly also converted to an MSDN account. This means, upon the next restart, you can’t log-on with your local accounts’ password anymore, you have to use your low security MSDN password. MSDN passwords are limited to 16 characters which I’ve blogged about earlier here: https://www.securesolutions.no/frustrations-with-microsoft-liveid-sign-on/

Is this a bug? Intended feature? I’ve got no idea.

Privacy settings reset

After the upgrade several of my privacy settings was suddenly reset. When I installed Windows Home a few days ago, I had all the privacy settings set to off, then all of the sudden, while updating my OS, the settings had reset into giving Microsoft my details:

privacy-issues

Not only is this rude, it’s a major disrespect to the users who expect privacy. Now onto some minor nuisances.

How to upgrade?

Furthermore, once you’ve purchased the upgrade, there’s no automation in activating the upgrade for your PC. I had to turn to Google (not Bing) in order to figure out how to activate the purchase. I believe I did not miss any vital information in the upgrade process, nor did the confirmation emails from Microsoft give me any information on how to actually use the upgrade I had purchased.

In order to facilitate the upgrade I had to re-enter the store and seek to purchase the upgrade again. This time the purchase button had been conveniently been replaced with an “Upgrade” button. I can see how this is useful if you are purchasing from one machine, and installing on another, however please give some instructions on how to go about this.

The upgrade itself cost about 1300 NOK, or about 150USD, which I consider is rather expensive considering you already bought the OS, and this is just a feature upgrade.

Hopefully Microsoft will A) don’t force users onto their online platform and B) don’t rip users privacy expectations in shreds when we’ve actively taken a choice to not participate.

Phish claiming your domain is about to be registered on Asian TLD’s

If you get email from someone claiming that your domain is about to be registered on Chinese and other Asian top-level-domains, don’t worry. This is very likely to be a scare tactic to get you to buy their domain for a high price. Ignore it, and move on.

Heres an example:

Dear CEO,

(If you are not the person who is in charge of this, please forward this to your CEO, because this is urgent. If this email affects you, we are very sorry, please ignore this email. Thanks)

We are a Network Service Company which is the domain name registration center in China.
We received an application from Hualong Ltd on September 19, 2016. They want to register ” securesolutions” as their Internet Keyword and ” securesolutions.cn “、” securesolutions .com.cn ” 、” securesolutions.net.cn “、” securesolutions.org.cn ” 、” securesolutions .asia ” domain names, they are in China and Asia domain names. But after checking it, we find ” securesolutions ” conflicts with your company. In order to deal with this matter better, so we send you email and confirm whether this company is your distributor or business partner in China or not?

Best Regards,

Jim | Service Manager

CN Web Registry (Head Office)

8006, Xinlong Building, No. 415 WuBao Road, Shanghai 201105, China

Tel: +86-2161918696 | Fax: +86-2161918697  | Mob: +86-1870199 4951

Web: www.cnweb-registry.org

Cipher and Password Bruteforcing with OpenSSL

Ever had to crack something, but you don’t know the cipher? Sometimes the encrypted text gives you clues on which encryption algorithm has been used, but not always. For those cases, it might be useful with the script I am talking about in this post.

Bruteforcing the cipher type might be the only way to get through your challenge. It will create somewhat large amounts of data, but we’ll look at ways we can make it easier to process.

In the scripts below we have the following inputs:

  • A text file containing all the ciphers OpenSSL support. I’ve listed a bunch of them at the bottom of this post.
  • The password we will be trying to guess, or a dictionary of words. A dictionary could e.g. be the top 1000 common passwords.
  • Encrypted.txt contains our encrypted txt. The encrypted text file could contain base64 data, but then we would have to add the -a flag to the command.

Before running the command, we need a directory “cipherout” in the directory where we are running the command. The following command will try the passwords CompanyName00 through CompanyName99:

while read -r line; do for i in {00..99}; do openssl $line -v -d -in encrypted.txt -pass pass:CompanyName$i -out cipherout/$line-$i.txt; echo $line $i;done; done < openssl-ciphers.txt

If you’d rather use a wordlist for the password guessing, change the command into a double while loop:

while read -r line; do while read -r line2; do openssl $line -v -d -in encrypted.txt -pass pass:$line2 -out cipherout/$line-$line2.txt; echo $line $line2;done < wordlist.txt; done < ciphers.txt

This will produce a list of files inside the cipherout folder, each one representing the cipher type and the password tested. Now, analyze your cipherout folder looking for strings and alphanumeric output and see if anything makes sense. If you’re working this for a challenge, keep in mind that the resulting output could be yet another cipher.

Tools can also be used to create the passwords you are guessing. For example, a great idea could be to use Hashcat to produce the dictionary of words you can use for your cracking activities. Unfortunately Hashcat doesn’t directly support cracking these ciphers, as that tools is mostly used for cracking hashes (normally for password storage), not encryption ciphers. However, it can still create a nifty wordlist you can use though. An idea would be to manually create a list of potential passwords, then use Hashcat’s word mangling rules on this wordlist. In my wordlist I have the words securesolutions and netsecurity. Applying Hashcat’s leetspeak rule on this wordlist produces the following output:

hashcat64 –stdout /tmp/wordlist.txt -r /rules/leetspeak.rule
securesolutions
securesolutions
securesolutions
se<uresolutions
se{uresolutions
s3cur3solutions
securesolutions
securesolut1ons
securesolut!ons
secures0luti0ns
securesolutions
5ecure5olution5
$ecure$olution$
securesolu7ions
securesolu+ions
securesolutions
$3<ur3$0lut10n$
netsecurity
netsecurity
netsecurity
netse<urity
netse{urity
n3ts3curity
netsecurity
netsecur1ty
netsecur!ty
netsecurity
netsecurity
net5ecurity
net$ecurity
ne7securi7y
ne+securi+y
netsecurity
n3t$3<ur1ty

Quick list of open-ssl ciphers (might be missing some):

aes128
aes-128-cbc
aes-128-cfb
aes-128-cfb1
aes-128-cfb8
aes-128-ctr
aes-128-ecb
aes-128-gcm
aes-128-ofb
aes-128-xts
aes192
aes-192-cbc
aes-192-cfb
aes-192-cfb1
aes-192-cfb8
aes-192-ctr
aes-192-ecb
aes-192-gcm
aes-192-ofb
aes256
aes-256-cbc
aes-256-cfb
aes-256-cfb1
aes-256-cfb8
aes-256-ctr
aes-256-ecb
aes-256-gcm
aes-256-ofb
aes-256-xts
bf
bf-cbc
bf-cfb
bf-ecb
bf-ofb
blowfish
camellia128
camellia-128-cbc
camellia-128-cfb
camellia-128-cfb1
camellia-128-cfb8
camellia-128-ecb
camellia-128-ofb
camellia192
camellia-192-cbc
camellia-192-cfb
camellia-192-cfb1
camellia-192-cfb8
camellia-192-ecb
camellia-192-ofb
camellia256
camellia-256-cbc
camellia-256-cfb
camellia-256-cfb1
camellia-256-cfb8
camellia-256-ecb
camellia-256-ofb
cast
cast5-cbc
cast5-cfb
cast5-ecb
cast5-ofb
cast-cbc
des
des3
des-cbc
des-cfb
des-cfb1
des-cfb8
des-ecb
des-ede
des-ede3
des-ede3-cbc
des-ede3-cfb
des-ede3-cfb1
des-ede3-cfb8
des-ede3-ofb
des-ede-cbc
des-ede-cfb
des-ede-ofb
des-ofb
desx
desx-cbc
id-aes128-ccm
id-aes128-gcm
id-aes192-ccm
id-aes192-gcm
id-aes256-ccm
id-aes256-gcm
idea-cfb
idea-ofb
rc2
rc2-40-cbc
rc2-64-cbc
rc2-cbc
rc2-cfb
rc2-ecb
rc2-ofb
rc4
rc4-40
rc4-hmac-md5
seed
seed-cbc
seed-cfb
seed-ecb
seed-ofb

Rapid android application pentesting

This is a quick guide to get started with Android application testing. I wont delve into details of testing, but instead cover what is necessary to do in order to get started. The topics I go through are:

  1. Get a hold of an Android device through emulation or physical device
  2. Find and download the APK you want to test
  3. Decompile the APK
  4. Sign, Build and Install the updated APK

Find a suitable Android device

First, get ahold of a suitable Android device emulator, e.g. using the Android SDK or a commercial product such as Genymotion, Alternatively, set your device to USB debugging and connect your phone with a USB cable.

Get a hold of the APK

You need the APK file you want to attack. Normally developers have multiple ways of allowing you access to the APK file, however if it is located on the Android Play store, install it to your device, then pull the APK file with ADB.

Locate your package using ADB

Use the packet manager to list all packages on your device.

Then figure out its path on the device

Use the packet manager to locat the path of the installed package.

Pull the file from the device onto your workstation

Use adb pull a long with the path of the APK you discovered in the last step.

Decompile the APK

Grab apktool to easily decompile th APK into its different parts.

This will give us a directory tree containing assets, smali code, resources and manifests. You can also open up the APK with a zip viewer, e.g. 7zip and view and extract the contents.

Dalvik Excutable into Java

The APK is essentially only a compressed container. You can open it up in e.g. 7zip and review its files. One of the files is a dex file, a Dalvik Executionable, which is essentially the compiled Android application. This file can b decompiled into Java code using dex2jar.

The Dalvik Executable has now been converted into a Java JAR container. This can be further disassembled and inspected by a tool such as jd-gui.

java jar decompiled

Create keystore, build, sign, uninstall and deploy

Once you have made the necessary modifications to the source code, either through modifying e.g. assets or smali, you are now ready to deploy the modified application.

Create a keystore

Build the modified code back into APK

This will create a release folder containing the updated APK.

Sign the updated APK

Uninstall the APK from the device to allow for reinstall

Install the updated APK

Put it all together

The above commands can get tedius to write over and over when making small modifications to your APK. Instead pull them all together into one single line of command as this (commands after the keystore has been created):