Saturday, August 31, 2013

Update to kaliupdate.sh

I totally revamped my kali update script.  From looking at the activity here and my github page, that is the thing most people seem to be using.  It requires switches now.  So ./kaliupdate.sh -a does everything, or you can select just -p to update the packages and MSF but not wait for things to compile, etc.  I also testing the script on a fresh Kali install and I noticed packages were missing required to compile nmap.  I must have had those installed and didn't notice.  I fixed that so now /opt/nmap-svn/nmap will really run.  Although the packaged version on Kali is pretty current so I almost never run it anyway.  But have the most current scripts in the /opt/nmap-svn/scripts directory does come in handy.

So put if fresh like this:
git clone https://github.com/secjohn/kali-scripts.git

Or if you have it already go into the kali-scripts directory and run:
git pull

Then run the script and the help will tell you what switches to use.

I hope you like it.

Wednesday, August 28, 2013

Crypter support for Obfy


If you are following along at home, you now know that crypter http://nullsecurity.net/tools/binary.html is great.  And you followed along here to get it working with smbexec: http://secjohn.blogspot.com/2013/08/encrypting-payloads-with-smbexec-on.html

And of course you saw my post on Obfy here and are using it too right?  http://secjohn.blogspot.com/2013/08/introducing-obfy.html

Well then you are in luck.  I just added crypter support to Obfy as well.  So if you follow the directions in my encrypting payloads with smbexec post and compile crypter.exe and run updatedb so the locate command finds it, Obfy will now see it and ask you if you want to use it on the payload you just made.  If you say yes you will get two exe files, the original one and the one put through crypter.  Have fun testing each out.

The updated version of the script can be found here: https://github.com/secjohn/obfy
If you used git to download it originally as in git clone https://github.com/secjohn/obfy.git then simply running git pull in the obfy directory will get you up to date.

Tuesday, August 27, 2013

Fake AP on Kali Linux

At the time of this post there is a lot of wrong information on how to setup a fake AP on Kali Linux.  This seems to be mostly because Kali Linux uses the isc-dhcp-server package and not dhcp3.  Right now SET’s fake AP doesn’t work due to this.  I’m sure that will be fixed soon, @dave_rel1k puts a lot of effort into that tool which is why it is so great.  But for right now, it doesn’t work for setting up a fake AP.  So if you google around you find videos about Websploit like this one: http://www.youtube.com/watch?v=DXGj2vxdzvo

Well that doesn’t work either for the same reason.  How frustrating is that?  I found two tools that do work with some setup.  Easy-Creds and PwnSTAR.  While both worked I decided I liked Easy-Creds better but I’ll help you get both going now.

Easy-Creds:

Setup:
Check the github page and see if Brav0Hax added the install.sh script there yet https://github.com/brav0hax/easy-creds.  If so, download everything from github.  If there is no install.sh file download the tarball from there: http://sourceforge.net/projects/easy-creds/files/easy-creds-v3.7.3.tar.gz/download.  Untar the file and run the install.sh script.

Two things will fail but that is OK.  First, it tries to install and older version of lilssl, no worries.  The other is the dhcp3 server.  So manually run apt-get install isc-dhcp-server.  Now in case you played with dhpc3 or another script that I mentioned above, make sure there is no /etc/dhcp3 directory.  If there is delete it or things won’t work.  The directory isc-dhcp-server uses is /etc/dhcp and there is a dhcpd.conf file in there, that is the one you will use.

Now download the current version of the easy-creds.sh script from github https://github.com/brav0hax/easy-creds and copy if over the version that you installed with install.sh (probably /opt/easy-creds/easy-creds.sh).

Run updatedb one last time for good luck.

The cool thing about this install script is it always setups FreeRADIUS-WPE for you all automated, which is another whole blog post.

Now run the script.    Pick option 1 and then 4, and then 7:

Note: the version at the top is 3.8-dev.  If you are running something older things won’t work.

I found if you don’t do this the AP you setup is a bit flaky and karmetasploit won’t work, and you want that to work now don’t you?  Finally, in the Prerequisites & Configurations menu select 5 and add at0 to the INTERFACES in the file it opens up as so:


Remember to save the file when you exit.  Now you are ready to go.

Create a Fake AP:
Simply pick FakeAP Attacks from the main menu, select the one you want, and fill in the info it asks for.  In almost all cases its example is exactly what you want to use.  It is as easy as that. The Static attack will setup an AP with a name that you set, if you are testing it that is the easiest to use for a test so you can connect to it and make sure everything is working.  The EvilTwin will simply respond to whatever clients ask for, which is probably what you want to do for real, but can be harder to test.
Brov0Hax has some good videos for this tool, here is a good one for setting up the Static AP:

PwnSTAR:

Setup:
First, do everything I just told you to do in the setup of Easy-Creds.  That is right, that tool’s setup automates things and it is all the same requirements.  So if you skipped that tool, go back and start from the beginning. 

Next, run Eterm, select Background, Pixmap, None.  Then Eterm, Save Them Settings and Save User Settings.  You may not have to do this, but for me the Eterm pop up windows all had messed up backgrounds that made it impossible for me to read the text.  It was crazy annoying, if that happens to you, that is how you fix it.

I also recommend reading the README.txt as well.

Create a Fake AP:
Run the script and pick and option and go through the menu.  It is almost that easy since you set things up for Easy-Creds:
Now there is one catch, when you see this:

You just lost your Internet connection.  In another windows bring it back up and don’t move on until you can ping google.com or things won’t work.  I found I just needed to do a dhclient eth0 and everything was all fixed.  I don’t know why this happens.


Conclusion:


Both tools do slightly different things.  Easy-Creds has the handy install script which helps a lot with setting things up for both tools and it doesn’t kill your LAN connection like PwnSTAR does. The one thing PwnSTAR does that Easy-Creds doesn’t is it offers a “Both” option for Evil Twin where it will both broadcast a specific SSID and respond to whatever the client ask for.  I like that.  Easy-Creds looks like it is one or the other only.  Other than that Easy-Creds seems cleaner and seems to work more consistently.  Overall that is the tool I would recommend you use right now.  I’m sure SET and Websploit will update their tools as well before too long and they will start working again.  Until then, you now know what to do.

Friday, August 23, 2013

Encrypting Payloads with Smbexec on Kali Linux with Hyperion Crypter

So smbexec https://github.com/brav0hax/smbexec is great, you should already know that.  If you don’t, play with it on your Kali Linux box/image and now know it is great.  Once you have a windows hash for a password you can use smbexec to do all kinds of things, including get you a meterpreter session on the box.  Yes, you can already do this inside msfconsole but all stock metasploit payloads now get picked up by AV.  Smbexec already does a good job working around this issue.  But you can take it one step future.  Note this in the smbexec readme:

v1.2.8 - 05/22/2013
ADDED - If you have crypter.exe installed on your system it will encrypt your payload after obfuscation. (uncomment line 46)

What does that mean?  Well check out Hyperion http://nullsecurity.net/tools/binary.html.  This is a cool little tool that will encrypt your executable with a weak key it does not keep and then brute forces the key at execution time.  This is amazingly effective at bypassing AV.  So what that note in the readme means, is if smbexec sees crypter.exe on your system it will use it on the payloads it makes making it even less likely AV will pick them up.  There are a few things you will need to do in order to get this working since the download page linked above for the tool is source code only.  So let’s get it working.

Use smbexec to make a backdoor.exe payload to make sure everything is working with it first.  Run smbexec, select option 2, and 2 again.  Pick a payload out your IP and watch it work.  If things are working you will get no errors and when you exit the tool you will find a backdoor.exe file in the directory smbexec made.  If this doesn’t work download the tool from github and run the install.sh script.  If it still doesn’t work and you are running Kali on 64 bit, make sure you don’t have mingw packages installed other than binutils-mingw-w64 gcc-mingw-w64 mingw-w64 mingw-w64-dev.  If you have those and 32 bit versions or others, remove the other ones and try again.

Now that you are sure smbexec is working, let’s get setup to compile crypter.exe.

If you are running the 64 bit version of Kali, we need to switch your version of Wine to the 32 bit version.  To do it run these commands from a shell:
dpkg –add-architecture i386
apt-get update
apt-get install wine-bin:i386
If you are already running the 32-bit version of Kali Linux, skip that part, you already have the right version of Wine.


Copy this exe file you just downloaded to the  /root/.wine/drive_c/users/root/Desktop folder.  Now in the Applications menu select System Tools, Wine Uninstaller.  In the Wine Uninstaller program click the Install button, tell it to see all files, find that exe file on your desktop and tell it to install.  It is mostly a click next install but you do need to click on C++ and the MinGW Developer Toolkit when it prompts you, leave C checked of course.  Everything else the default is fine.  This will hang at the end for a long time, just wait it out and it will finally finish with an error that means nothing.

If that all worked at a command line you should be able to go to the /root/.wine/drive_c/MinGW/bin directory and see the g++.exe file.  If so, we are good to go.

Download Hyperion from here: http://nullsecurity.net/tools/binary.html  Put all the contents of this download in a /opt/crypter directory.   Make sure /opt/crypter/Src is a directory.  If it isn’t fix that, you probably left things under the default Hyperion-1.0 directory or something.  You can simply rename the default directory it unzips to crypter and move that dir to /opt if you like.  Technically you can put it anywhere you like and call the dir anything you want.  But the rest of the directions are assuming you are using /opt/crypter.  If you want to use something else just alter the paths in the upcoming commands.

Now cd into the  /root/.wine/drive_c/MinGW/bin directory and run the following commands:
wine ./g++.exe -static /opt/crypter/Src/Crypter/*.cpp -o crypter.exe
mv crypter.exe /opt/crypter
updatedb
locate crypter.exe

That -static switch part is required, without if the file give dll errors when you try to use it.

If all that worked you now have the crypter.exe file in /opt/crypter and locate found it.

Now next time you generate a payload with smbexec as we did above, you will see it encrypt it.  You can also use crypter.exe simply using the wine crypter.exe command at your shell on any payload file you want to. 


Enjoy and never let AV kill your shell.  Never.

Friday, August 9, 2013

Introducing Obfy

Are you sick of AV products killing any payload made by Metasploit when doing a pen test?  Me two.  First let me say, if you have a password or a hash, you should use smbexec: https://github.com/brav0hax/smbexec Seriously, use smbexec to collect more hashes and work your way up to domain admin without any AV problems.  Done.

But what if you don’t have a password or a hash yet, but you have something else, say a reliable exploit picked up on a scan but the reverse shell isn’t popping and you think it is due to AV.  Well thanks to the EXE::Custom option in Metasploit now, you have more options.  Do a show advanced in the module you want to use, and if you see EXE::Custom you are in business.  More info on it can be found here: http://www.scriptjunkie.us/2011/08/custom-payloads-in-metasploit-4/ In a nutshell, set EXE::Custom to the file you want to be the payload, setup the multi/handler listener set to the correct payload and port in another window, and run the exploit and watch it connect back.

One option is to use a custom shell, like the kind I have here: https://github.com/secjohn/ruby-shells.  But that is the worst case scenario, we want Meterpreter and we want it now.  That is where Obfy comes in.

Obfy is a simple Ruby script that runs on Kali and BackTrack Linux and will make the payload for you, decompile it, alter the assembly code to change the signature to fool AV, and compile it for you.  Then that executable can be used with EXE::Custom and you are off to the races.  I got the idea from Royce’s blog post here: http://www.pentestgeek.com/2012/01/25/using-metasm-to-avoid-antivirus-detection-ghost-writing-asm/.  But I hate doing things manually, so I automated it.

The magic in Obfy is in the valuables that randomly pick which assembly code to inject at specific places.  The public version of the tool right now has only very simple commands, far more simple than explained in the blog post linked above.  Code like, push edi, pop edi.  Adding a bunch of those all over the place doesn’t seem like it should work, but it totally does.  However, since I made this public I doubt it will work for long as new signatures will be made over time for this.  So I highly recommend reading Royce’s blog post, watching Security Tube’s Linux Assembly Primer if you need to http://www.securitytube.net/groups?operation=view&groupId=5 and adding some of your own code there to make it unique to you (and submitting the code back to github to help others).  But I could be wrong this may work forever as is, time will tell.

Now, some AV software like MS SE will still see this.  Therefore there is one more step I recommend.  Run your payload through ditto: https://github.com/mubix/ditto and copy the resources from a normal file like calc or notepad.  Using Obfy and then ditto will get you past most things. If it doesn’t work either revert back to the custom shell I linked above and kill AV, or you have something else messing with you and you may need to sign the executable.  Also remember to always try the HTTPS version of the payload to get past IDS, but I digress.

Anyway, I’m excited to see how many people use this and if anyone contributes assembly code to it to help make it better and keep it working.  So here is the link:


Enjoy and provide feedback as always.