Monday, November 4, 2013

Obfy Talk at B-Sides DFW

First let me say B-Sides DFW was a lot of fun.  DFW seems to have a good security community and they come together and put on a nice con.  I also got to hang out with my co-worker @integgroll who lives down there and @HackerHuntress who flew down there from Chicago land like myself.  And finally I got to hang out with my old boss @Network232 and I finally got a chance to see his talk.  Overall, good time and a good con.

Now many asked me for my slides on my Obfy Talk.  There isn't much to them since it was mostly a demo.  I Demo's using Obfy to gain access to a windows workstation running a popular current corporate AV software package and showed that same AV package detect and delete the same payload when built normally using only Metasploit tools.

For those who wanted them, there are my slides.
 Obfy Talk Slides

Friday, October 4, 2013

Obfy Update and News

I updated Obfy so it now makes an rc file for you to match the payload you created assuming you didn't select a custom file.  So now if you use Obfy to create a payload, you can run msfconsole -r obfy.rc and the listener to handle the payload will be setup for you.

Also, I'm giving a demo of Obfy at B-Sides DFW on Nov 1st.  If you are there say hi.  I don't know if the talks will be filmed but if they are I'll post a link to it.

Saturday, August 31, 2013

Update to kaliupdate.sh

I totally revamped my kali update script.  From looking at the activity here and my github page, that is the thing most people seem to be using.  It requires switches now.  So ./kaliupdate.sh -a does everything, or you can select just -p to update the packages and MSF but not wait for things to compile, etc.  I also testing the script on a fresh Kali install and I noticed packages were missing required to compile nmap.  I must have had those installed and didn't notice.  I fixed that so now /opt/nmap-svn/nmap will really run.  Although the packaged version on Kali is pretty current so I almost never run it anyway.  But have the most current scripts in the /opt/nmap-svn/scripts directory does come in handy.

So put if fresh like this:
git clone https://github.com/secjohn/kali-scripts.git

Or if you have it already go into the kali-scripts directory and run:
git pull

Then run the script and the help will tell you what switches to use.

I hope you like it.

Wednesday, August 28, 2013

Crypter support for Obfy


If you are following along at home, you now know that crypter http://nullsecurity.net/tools/binary.html is great.  And you followed along here to get it working with smbexec: http://secjohn.blogspot.com/2013/08/encrypting-payloads-with-smbexec-on.html

And of course you saw my post on Obfy here and are using it too right?  http://secjohn.blogspot.com/2013/08/introducing-obfy.html

Well then you are in luck.  I just added crypter support to Obfy as well.  So if you follow the directions in my encrypting payloads with smbexec post and compile crypter.exe and run updatedb so the locate command finds it, Obfy will now see it and ask you if you want to use it on the payload you just made.  If you say yes you will get two exe files, the original one and the one put through crypter.  Have fun testing each out.

The updated version of the script can be found here: https://github.com/secjohn/obfy
If you used git to download it originally as in git clone https://github.com/secjohn/obfy.git then simply running git pull in the obfy directory will get you up to date.

Tuesday, August 27, 2013

Fake AP on Kali Linux

At the time of this post there is a lot of wrong information on how to setup a fake AP on Kali Linux.  This seems to be mostly because Kali Linux uses the isc-dhcp-server package and not dhcp3.  Right now SET’s fake AP doesn’t work due to this.  I’m sure that will be fixed soon, @dave_rel1k puts a lot of effort into that tool which is why it is so great.  But for right now, it doesn’t work for setting up a fake AP.  So if you google around you find videos about Websploit like this one: http://www.youtube.com/watch?v=DXGj2vxdzvo

Well that doesn’t work either for the same reason.  How frustrating is that?  I found two tools that do work with some setup.  Easy-Creds and PwnSTAR.  While both worked I decided I liked Easy-Creds better but I’ll help you get both going now.

Easy-Creds:

Setup:
Check the github page and see if Brav0Hax added the install.sh script there yet https://github.com/brav0hax/easy-creds.  If so, download everything from github.  If there is no install.sh file download the tarball from there: http://sourceforge.net/projects/easy-creds/files/easy-creds-v3.7.3.tar.gz/download.  Untar the file and run the install.sh script.

Two things will fail but that is OK.  First, it tries to install and older version of lilssl, no worries.  The other is the dhcp3 server.  So manually run apt-get install isc-dhcp-server.  Now in case you played with dhpc3 or another script that I mentioned above, make sure there is no /etc/dhcp3 directory.  If there is delete it or things won’t work.  The directory isc-dhcp-server uses is /etc/dhcp and there is a dhcpd.conf file in there, that is the one you will use.

Now download the current version of the easy-creds.sh script from github https://github.com/brav0hax/easy-creds and copy if over the version that you installed with install.sh (probably /opt/easy-creds/easy-creds.sh).

Run updatedb one last time for good luck.

The cool thing about this install script is it always setups FreeRADIUS-WPE for you all automated, which is another whole blog post.

Now run the script.    Pick option 1 and then 4, and then 7:

Note: the version at the top is 3.8-dev.  If you are running something older things won’t work.

I found if you don’t do this the AP you setup is a bit flaky and karmetasploit won’t work, and you want that to work now don’t you?  Finally, in the Prerequisites & Configurations menu select 5 and add at0 to the INTERFACES in the file it opens up as so:


Remember to save the file when you exit.  Now you are ready to go.

Create a Fake AP:
Simply pick FakeAP Attacks from the main menu, select the one you want, and fill in the info it asks for.  In almost all cases its example is exactly what you want to use.  It is as easy as that. The Static attack will setup an AP with a name that you set, if you are testing it that is the easiest to use for a test so you can connect to it and make sure everything is working.  The EvilTwin will simply respond to whatever clients ask for, which is probably what you want to do for real, but can be harder to test.
Brov0Hax has some good videos for this tool, here is a good one for setting up the Static AP:

PwnSTAR:

Setup:
First, do everything I just told you to do in the setup of Easy-Creds.  That is right, that tool’s setup automates things and it is all the same requirements.  So if you skipped that tool, go back and start from the beginning. 

Next, run Eterm, select Background, Pixmap, None.  Then Eterm, Save Them Settings and Save User Settings.  You may not have to do this, but for me the Eterm pop up windows all had messed up backgrounds that made it impossible for me to read the text.  It was crazy annoying, if that happens to you, that is how you fix it.

I also recommend reading the README.txt as well.

Create a Fake AP:
Run the script and pick and option and go through the menu.  It is almost that easy since you set things up for Easy-Creds:
Now there is one catch, when you see this:

You just lost your Internet connection.  In another windows bring it back up and don’t move on until you can ping google.com or things won’t work.  I found I just needed to do a dhclient eth0 and everything was all fixed.  I don’t know why this happens.


Conclusion:


Both tools do slightly different things.  Easy-Creds has the handy install script which helps a lot with setting things up for both tools and it doesn’t kill your LAN connection like PwnSTAR does. The one thing PwnSTAR does that Easy-Creds doesn’t is it offers a “Both” option for Evil Twin where it will both broadcast a specific SSID and respond to whatever the client ask for.  I like that.  Easy-Creds looks like it is one or the other only.  Other than that Easy-Creds seems cleaner and seems to work more consistently.  Overall that is the tool I would recommend you use right now.  I’m sure SET and Websploit will update their tools as well before too long and they will start working again.  Until then, you now know what to do.

Friday, August 23, 2013

Encrypting Payloads with Smbexec on Kali Linux with Hyperion Crypter

So smbexec https://github.com/brav0hax/smbexec is great, you should already know that.  If you don’t, play with it on your Kali Linux box/image and now know it is great.  Once you have a windows hash for a password you can use smbexec to do all kinds of things, including get you a meterpreter session on the box.  Yes, you can already do this inside msfconsole but all stock metasploit payloads now get picked up by AV.  Smbexec already does a good job working around this issue.  But you can take it one step future.  Note this in the smbexec readme:

v1.2.8 - 05/22/2013
ADDED - If you have crypter.exe installed on your system it will encrypt your payload after obfuscation. (uncomment line 46)

What does that mean?  Well check out Hyperion http://nullsecurity.net/tools/binary.html.  This is a cool little tool that will encrypt your executable with a weak key it does not keep and then brute forces the key at execution time.  This is amazingly effective at bypassing AV.  So what that note in the readme means, is if smbexec sees crypter.exe on your system it will use it on the payloads it makes making it even less likely AV will pick them up.  There are a few things you will need to do in order to get this working since the download page linked above for the tool is source code only.  So let’s get it working.

Use smbexec to make a backdoor.exe payload to make sure everything is working with it first.  Run smbexec, select option 2, and 2 again.  Pick a payload out your IP and watch it work.  If things are working you will get no errors and when you exit the tool you will find a backdoor.exe file in the directory smbexec made.  If this doesn’t work download the tool from github and run the install.sh script.  If it still doesn’t work and you are running Kali on 64 bit, make sure you don’t have mingw packages installed other than binutils-mingw-w64 gcc-mingw-w64 mingw-w64 mingw-w64-dev.  If you have those and 32 bit versions or others, remove the other ones and try again.

Now that you are sure smbexec is working, let’s get setup to compile crypter.exe.

If you are running the 64 bit version of Kali, we need to switch your version of Wine to the 32 bit version.  To do it run these commands from a shell:
dpkg –add-architecture i386
apt-get update
apt-get install wine-bin:i386
If you are already running the 32-bit version of Kali Linux, skip that part, you already have the right version of Wine.


Copy this exe file you just downloaded to the  /root/.wine/drive_c/users/root/Desktop folder.  Now in the Applications menu select System Tools, Wine Uninstaller.  In the Wine Uninstaller program click the Install button, tell it to see all files, find that exe file on your desktop and tell it to install.  It is mostly a click next install but you do need to click on C++ and the MinGW Developer Toolkit when it prompts you, leave C checked of course.  Everything else the default is fine.  This will hang at the end for a long time, just wait it out and it will finally finish with an error that means nothing.

If that all worked at a command line you should be able to go to the /root/.wine/drive_c/MinGW/bin directory and see the g++.exe file.  If so, we are good to go.

Download Hyperion from here: http://nullsecurity.net/tools/binary.html  Put all the contents of this download in a /opt/crypter directory.   Make sure /opt/crypter/Src is a directory.  If it isn’t fix that, you probably left things under the default Hyperion-1.0 directory or something.  You can simply rename the default directory it unzips to crypter and move that dir to /opt if you like.  Technically you can put it anywhere you like and call the dir anything you want.  But the rest of the directions are assuming you are using /opt/crypter.  If you want to use something else just alter the paths in the upcoming commands.

Now cd into the  /root/.wine/drive_c/MinGW/bin directory and run the following commands:
wine ./g++.exe -static /opt/crypter/Src/Crypter/*.cpp -o crypter.exe
mv crypter.exe /opt/crypter
updatedb
locate crypter.exe

That -static switch part is required, without if the file give dll errors when you try to use it.

If all that worked you now have the crypter.exe file in /opt/crypter and locate found it.

Now next time you generate a payload with smbexec as we did above, you will see it encrypt it.  You can also use crypter.exe simply using the wine crypter.exe command at your shell on any payload file you want to. 


Enjoy and never let AV kill your shell.  Never.

Friday, August 9, 2013

Introducing Obfy

Are you sick of AV products killing any payload made by Metasploit when doing a pen test?  Me two.  First let me say, if you have a password or a hash, you should use smbexec: https://github.com/brav0hax/smbexec Seriously, use smbexec to collect more hashes and work your way up to domain admin without any AV problems.  Done.

But what if you don’t have a password or a hash yet, but you have something else, say a reliable exploit picked up on a scan but the reverse shell isn’t popping and you think it is due to AV.  Well thanks to the EXE::Custom option in Metasploit now, you have more options.  Do a show advanced in the module you want to use, and if you see EXE::Custom you are in business.  More info on it can be found here: http://www.scriptjunkie.us/2011/08/custom-payloads-in-metasploit-4/ In a nutshell, set EXE::Custom to the file you want to be the payload, setup the multi/handler listener set to the correct payload and port in another window, and run the exploit and watch it connect back.

One option is to use a custom shell, like the kind I have here: https://github.com/secjohn/ruby-shells.  But that is the worst case scenario, we want Meterpreter and we want it now.  That is where Obfy comes in.

Obfy is a simple Ruby script that runs on Kali and BackTrack Linux and will make the payload for you, decompile it, alter the assembly code to change the signature to fool AV, and compile it for you.  Then that executable can be used with EXE::Custom and you are off to the races.  I got the idea from Royce’s blog post here: http://www.pentestgeek.com/2012/01/25/using-metasm-to-avoid-antivirus-detection-ghost-writing-asm/.  But I hate doing things manually, so I automated it.

The magic in Obfy is in the valuables that randomly pick which assembly code to inject at specific places.  The public version of the tool right now has only very simple commands, far more simple than explained in the blog post linked above.  Code like, push edi, pop edi.  Adding a bunch of those all over the place doesn’t seem like it should work, but it totally does.  However, since I made this public I doubt it will work for long as new signatures will be made over time for this.  So I highly recommend reading Royce’s blog post, watching Security Tube’s Linux Assembly Primer if you need to http://www.securitytube.net/groups?operation=view&groupId=5 and adding some of your own code there to make it unique to you (and submitting the code back to github to help others).  But I could be wrong this may work forever as is, time will tell.

Now, some AV software like MS SE will still see this.  Therefore there is one more step I recommend.  Run your payload through ditto: https://github.com/mubix/ditto and copy the resources from a normal file like calc or notepad.  Using Obfy and then ditto will get you past most things. If it doesn’t work either revert back to the custom shell I linked above and kill AV, or you have something else messing with you and you may need to sign the executable.  Also remember to always try the HTTPS version of the payload to get past IDS, but I digress.

Anyway, I’m excited to see how many people use this and if anyone contributes assembly code to it to help make it better and keep it working.  So here is the link:


Enjoy and provide feedback as always.

Friday, May 3, 2013

Dealing with being underpaid in InfoSec

I was part of a twitter conversation today with    which this tweet sums up.  It was all about how to deal with the situation where you are underpaid and new jobs are offering you less than you are worth because they are simply offering you a percentage more than what you are currently making, which is far less than where you should be.  Now in that conversation I said the better option is to simply not let yourself be that underpaid in the first place.  That is still the best advice.  But let's say it is too late for that.  There is my advice:

First, figure out why you are being underpaid.  Is it because you changed locations and didn't know the market, are you able to do a job more senior than the one you current have, etc?  If it is something like that then once you get the offer, explain that.  Explain how this job isn't a side step and you are underemployed, or whatever the case may be.  Most of the times making an offer to a percentage of the candidates current salary is only a strict rule if it is a lateral move.  If you can make the case that it isn't for whatever reason, then that rule should relax and you should be able to get yourself more money.  Now wait until you have an offer though, or you may be talking yourself out of a job by making your current job sound less than what it really is.

Now if you have no good reason and you simply let the market pass you by while you weren't looking, it isn't as easy.  The first step is to tell your boss what you now know.  Even if they won't get you to where you want to be every bit helps, and until you leave it is still money.  Even if you get a small raise this way you should still move on.  Either your boss isn't aware enough to know you are underpaid, or is aware and is fine with it.  I don't care which it is, you deserve a better boss.  Now when you get an offer, be honest.  Tell them you know you are being underpaid and this offer while more money is still less than you are worth.  See what they say.  If they say that is the policy and they can't give you too much more than you already make then ask if they will work to help get you to where you should be over the next two years or so.  If you think about it, it really isn't a good idea for a company to underpay their employees, it just causes turnover.  Managers really get together and call out who is underpaid and they give them bigger raises than normal to get them up to where they should be so they won't leave.  Your best hope is to find a company that will do that.  You won't get any of that in writing and the HR person won't like talking about that at all, talk to the hiring manager about it.  If you can't get that, then you will have to hop two or three jobs to get where you should be.  But once you are there be picky and find a good place and stay there for a long time.  No one likes hiring someone who switches jobs every year.  And try not to let yourself fall so far behind again.

Good luck, and feel free to keep the conversation going.

Thursday, May 2, 2013

USB GPS on Kali Linux

Quick technical post here.  I'm digging Kali Linux but some things that just worked on BackTrack take extra effort to get working on Kali.  This is one of them.  My USB GPS device just always worked on BackTrack, and didn't on Kali.  So I dug into it and got it working, and thought I would share what I found.

First you need to install the packages:
apt-get install gpsd gpsd-clients

Then plug in your GPS if it isn't already and test that it is working and you know what device it is:

gpsd -D 5 -N -n /dev/ttyUSB0

You should see GPS stuff scroll on the screen.  You may have to break out of it and try a second time to see it.  If ttyUSB0 isn't correct for you, figure out which one works, you need to know.  

Then configure gpsd to auto detect the device with this command:
dpkg-reconfigure -plow gpsd

Answer the questions, this where why you tested it and made sure you know the correct device.

Finally for it to start working properly for me I had to reboot and then plug the GPS in, but that may just be because I'm running it in a VM or just unlucky.  So at this point if it is working, great.  If not, reboot with the device unplugged and then plug it in after you login and it should start working fine.

Wednesday, March 27, 2013

chromium_fix.sh added to Kali-Scripts

As the title says, I added a script called chromium_fix.sh to https://github.com/secjohn/kali-scripts.  Chrome won't run as root unless you point it to a different home directory.  Which is annoying on Kali since you run as root.  That change gets blown away every time the package is updated, which is more annoying.  So enter this script.  It will setup chromium to run as root.  Use it every time the package is updated.  I decided to use the Debian package using apt-get install chromium instead of downloading the Chrome deb from Google and installing it, which is what I did for BlackTrack.  So far it is updated far less often so this annoying feature isn't as bad.  If a few people ask for it I'll make a chrome_fix.sh script as well, it is an easy change.  Enjoy.

Tuesday, March 26, 2013

Kali Linux and Update script

If you are one of the few people who read this, you may know I have a BackTrack Linux update script here: https://github.com/secjohn/backtrack-shell-scripts.  Well Kali Linux is the new version of BackTrack now and with it there are some new and exciting changes.

Gone are the days where you have to do so many steps to keep things updated.  Unlike BackTrack, the Kali packages are going to be kept very current, weekly, or even daily if you go with the bleeding edge option.  So most of the steps I took in my BackTrack update script are no longer needed.  Also, they won't work in Kali anyway.  Most of the tools don't have the git or svn info in the directories so updating them that way doesn't work in Kali.  Given then I have made a new repo:  https://github.com/secjohn/kali-scripts

It is a much shorter and simpler script.  It updates the packages on the system, then manually updates Metasploit, Nessus if you have it, puts an SVN version of Fuzzdb in the /user/share/fuzzdb dir and compiles the SVN version of nmap in /opt/nmap-svn.

Those last two items may not be needed, time will tell.  Fuzzdb is already on there and I don't know how often it gets updated anymore.  The version of nmap on Kali is really close to the SNV version and when I compared the script directories the SVN one only had a few extra scripts in it.  So that may not be needed anymore either and I don't overwrite the packaged nmap.  If you want to use the SNV nmap call it directly, or just use the scripts in the directory with the installed nmap.

Time will tell how this goes or what other scripts I add.  Feedback and additions and ideas are always welcome.

If you haven't switched over to Kali yet, you should.  Seriously, it is nice.

Friday, February 15, 2013

BackTrack Linux Update Script

I use BackTrack Linux a lot.  All the time really.  And in-between engagements I like to update the tools I use.  The normal apt-get update doesn't really update many of the tools I use.  And I like to automate things.  So I created a simple shell script to do this.  I updated it recently and I already have some more tools in mind to update it again.  But what I would really like is comments and even code from others who do the same thing to help make it better and more useful for even more people.  I find it interesting what other people see as important enough to update.

I used shell on purpose, to keep it simple and accessible to anyone.   A shell script is just running the commands you would normally run on the command line.  If you can't handle that then maybe BackTrack isn't what you should be running.  I kept the script as simple as possible and over did the comments again to keep it accessible and allow for easy re-use of code for people who don't do a lot of shell scripting.

You can find my update script here:  https://github.com/secjohn/backtrack-shell-scripts

I would love your commits here, or if you are a github type person make a branch and give me a pull request and get your code in the script.  Just don't break anything.