First let me say B-Sides DFW was a lot of fun. DFW seems to have a good security community, and they come together and put on a nice con. I also got to hang out with my co-worker @integgroll, who lives down there, and @HackerHuntress, who flew down from Chicagoland like myself. And finally I got to hang out with my old boss @Network232 and finally got a chance to see his talk. Overall, a good time and a good con.
Now many people asked me for my slides from my Obfy talk. There isn't much to them since it was mostly a demo. I demoed using Obfy to gain access to a Windows workstation running a popular current corporate AV software package, and showed that same AV package detect and delete the same payload when it was built normally using only Metasploit tools.
For those who wanted them, here are my slides.
Obfy Talk Slides
Monday, November 4, 2013
Friday, October 4, 2013
Obfy Update and News
I updated Obfy so it now makes an rc file for you to match the payload you created, assuming you didn't select a custom file. So now if you use Obfy to create a payload, you can run msfconsole -r obfy.rc and the listener to handle the payload will be set up for you.
Also, I'm giving a demo of Obfy at B-Sides DFW on Nov 1st. If you are there say hi. I don't know if the talks will be filmed but if they are I'll post a link to it.
Saturday, August 31, 2013
Update to kaliupdate.sh
I totally revamped my Kali update script. From looking at the activity here and on my GitHub page, that is the thing most people seem to be using. It requires switches now. So ./kaliupdate.sh -a does everything, or you can select just -p to update the packages and MSF but not wait for things to compile, etc. I also tested the script on a fresh Kali install and noticed that packages required to compile nmap were missing. I must have had those installed and didn't notice. I fixed that, so now /opt/nmap-svn/nmap will really run. Although the packaged version on Kali is pretty current so I almost never run it anyway, having the most current scripts in the /opt/nmap-svn/scripts directory does come in handy.
So to pull it fresh, run:
git clone https://github.com/secjohn/kali-scripts.git
Or if you have it already go into the kali-scripts directory and run:
git pull
Then run the script and the help will tell you what switches to use.
I hope you like it.
Wednesday, August 28, 2013
Crypter support for Obfy
If you are following along at home, you now know that crypter (http://nullsecurity.net/tools/binary.html) is great, and you followed along here to get it working with smbexec: http://secjohn.blogspot.com/2013/08/encrypting-payloads-with-smbexec-on.html
And of course you saw my post on Obfy here and are using it too, right? http://secjohn.blogspot.com/2013/08/introducing-obfy.html
Well then you are in luck.
I just added crypter support to Obfy as well. So if you follow the directions in my encrypting payloads with smbexec post, compile crypter.exe, and run updatedb so the locate command finds it, Obfy will now see it and ask you if you want to use it on the payload you just made. If you say yes you will get two exe files, the original one and the one put through crypter. Have fun testing each out.
The updated version of the script can be found here: https://github.com/secjohn/obfy
If you used git to download it originally, as in git clone https://github.com/secjohn/obfy.git, then simply running git pull in the obfy directory will get you up to date.
Tuesday, August 27, 2013
Fake AP on Kali Linux
At the time of this post there is a lot of wrong information
on how to setup a fake AP on Kali Linux.
This seems to be mostly because Kali Linux uses the isc-dhcp-server
package and not dhcp3. Right now SET’s
fake AP doesn’t work due to this. I’m
sure that will be fixed soon, @dave_rel1k puts a lot of effort into that tool
which is why it is so great. But for
right now, it doesn’t work for setting up a fake AP. So if you google around you will find videos about
Websploit like this one: http://www.youtube.com/watch?v=DXGj2vxdzvo
Well, that doesn’t work either, for the same reason. How frustrating is that? I found two tools that do work with some
setup: Easy-Creds and PwnSTAR. While both worked, I decided I liked Easy-Creds
better, but I’ll help you get both going now.
Easy-Creds:
Setup:
Check the github page and see if Brav0Hax added the
install.sh script there yet: https://github.com/brav0hax/easy-creds. If so, download everything from github. If there is no install.sh file, download the
tarball from here: http://sourceforge.net/projects/easy-creds/files/easy-creds-v3.7.3.tar.gz/download. Untar the file and run the install.sh script.
Two things will fail but that is OK. First, it tries to install an older version
of libssl, no worries. The other is the
dhcp3 server. So manually run apt-get
install isc-dhcp-server. Now in case you
played with dhcp3 or another script that I mentioned above, make sure there is
no /etc/dhcp3 directory. If there is,
delete it or things won’t work. The
directory isc-dhcp-server uses is /etc/dhcp and there is a dhcpd.conf file in
there; that is the one you will use.
Now download the current version of the easy-creds.sh script
from github https://github.com/brav0hax/easy-creds
and copy it over the version that you installed with install.sh (probably
/opt/easy-creds/easy-creds.sh).
Run updatedb one last time for good luck.
The cool thing about this install script is that it also sets up
FreeRADIUS-WPE for you, fully automated, which is another whole blog post.
Note: the version
at the top is 3.8-dev. If you are
running something older, things won’t work.
I found if you don’t do this the AP you set up is a bit flaky
and karmetasploit won’t work, and you want that to work now, don’t you? Finally, in the Prerequisites &
Configurations menu select 5 and add at0 to the INTERFACES in the file it opens
up as so:
Remember to save the file when you exit. Now you are ready to go.
Create a Fake AP:
Simply pick FakeAP Attacks from the main menu, select the
one you want, and fill in the info it asks for.
In almost all cases its example is exactly what you want to use. It is as easy as that. The Static attack will
setup an AP with a name that you set, if you are testing it that is the easiest
to use for a test so you can connect to it and make sure everything is
working. The EvilTwin will simply
respond to whatever clients ask for, which is probably what you want to do for
real, but can be harder to test.
Brav0Hax has some good videos for this tool, here is a good
one for setting up the Static AP:
PwnSTAR:
Setup:
First, do everything I just told you to do in the setup of
Easy-Creds. That is right, that tool’s
setup automates things and it is all the same requirements. So if you skipped that tool, go back and
start from the beginning.
Next, run Eterm, select Background, Pixmap, None. Then Eterm, Save Theme Settings and Save User
Settings. You may not have to do this,
but for me the Eterm pop up windows all had messed up backgrounds that made it
impossible for me to read the text. It
was crazy annoying; if that happens to you, that is how you fix it.
Download the script from here: https://code.google.com/p/pwn-star/downloads/list
I also recommend reading the README.txt as well.
Create a Fake AP:
Run the script, pick an option and go through the
menu. It is almost that easy since you
set things up for Easy-Creds:
You just lost your Internet connection. In another window bring it back up and don’t
move on until you can ping google.com or things won’t work. I found I just needed to do a dhclient eth0
and everything was all fixed. I don’t
know why this happens.
Conclusion:
Both tools do slightly different things. Easy-Creds has the handy install script, which
helps a lot with setting things up for both tools, and it doesn’t kill your LAN
connection like PwnSTAR does. The one thing PwnSTAR does that Easy-Creds
doesn’t is offer a “Both” option for Evil Twin, where it will both broadcast
a specific SSID and respond to whatever clients ask for. I like that.
Easy-Creds looks like it is one or the other only. Other than that Easy-Creds seems cleaner and
seems to work more consistently. Overall
that is the tool I would recommend you use right now. I’m sure SET and Websploit will update their
tools as well before too long and they will start working again. Until then, you now know what to do.
Friday, August 23, 2013
Encrypting Payloads with Smbexec on Kali Linux with Hyperion Crypter
So smbexec (https://github.com/brav0hax/smbexec)
is great, you should already know that.
If you don’t, play with it on your Kali Linux box/image and you will know it
is great. Once you have a Windows hash
for a password you can use smbexec to do all kinds of things, including getting you
a meterpreter session on the box. Yes,
you can already do this inside msfconsole, but all stock Metasploit payloads now
get picked up by AV. Smbexec already
does a good job working around this issue.
But you can take it one step further.
Note this in the smbexec readme:
v1.2.8 - 05/22/2013
ADDED - If you have crypter.exe installed on your system it
will encrypt your payload after obfuscation. (uncomment line 46)
What does that mean?
Well check out Hyperion http://nullsecurity.net/tools/binary.html. This is a cool little tool that will encrypt
your executable with a weak key it does not keep and then brute forces the key
at execution time. This is amazingly
effective at bypassing AV. So what that
note in the readme means, is if smbexec sees crypter.exe on your system it will
use it on the payloads it makes making it even less likely AV will pick them
up. There are a few things you will need
to do in order to get this working since the download page linked above for the
tool is source code only. So let’s get
it working.
Use smbexec to make a backdoor.exe payload to make sure
everything is working with it first. Run
smbexec, select option 2, and 2 again.
Pick a payload, put in your IP, and watch it work. If things are working you will get no errors
and when you exit the tool you will find a backdoor.exe file in the directory
smbexec made. If this doesn’t work
download the tool from github and run the install.sh script. If it still doesn’t work and you are running
Kali on 64 bit, make sure you don’t have mingw packages installed other than binutils-mingw-w64
gcc-mingw-w64 mingw-w64 mingw-w64-dev.
If you have those and 32 bit versions or others, remove the other ones
and try again.
Now that you are sure smbexec is working, let’s get setup to compile
crypter.exe.
If you are running the 64 bit version of Kali, we need to
switch your version of Wine to the 32 bit version. To do it run these commands from a shell:
dpkg --add-architecture i386
apt-get update
apt-get install wine-bin:i386
If you are already running the 32-bit version of Kali Linux,
skip that part, you already have the right version of Wine.
Now let’s install the Windows g++ compiler. Download this file: http://sourceforge.net/projects/mingw/files/Installer/mingw-get-inst/mingw-get-inst-20120426/mingw-get-inst-20120426.exe/download
Copy this exe file you just downloaded to the /root/.wine/drive_c/users/root/Desktop
folder. Now in the Applications menu
select System Tools, Wine Uninstaller. In
the Wine Uninstaller program click the Install button, tell it to see all
files, find that exe file on your desktop and tell it to install. It is mostly a click next install but you do
need to click on C++ and the MinGW Developer Toolkit when it prompts you, leave
C checked of course. Everything else the default is fine. This will hang at the end for a long time,
just wait it out and it will finally finish with an error that means nothing.
If that all worked at a command line you should be able to
go to the /root/.wine/drive_c/MinGW/bin directory and see the g++.exe
file. If so, we are good to go.
Download Hyperion from here: http://nullsecurity.net/tools/binary.html Put all the contents of this download in a
/opt/crypter directory. Make sure
/opt/crypter/Src is a directory. If it
isn’t fix that, you probably left things under the default Hyperion-1.0 directory or something. You can simply rename the default
directory it unzips to crypter and move that dir to /opt if you like. Technically you can put it anywhere you like and call the dir anything you want. But the rest of the directions are assuming you are using /opt/crypter. If you want to use something else just alter the paths in the upcoming commands.
Now cd into the /root/.wine/drive_c/MinGW/bin
directory and run the following commands:
wine ./g++.exe -static /opt/crypter/Src/Crypter/*.cpp -o crypter.exe
mv crypter.exe /opt/crypter
updatedb
locate crypter.exe
That -static switch is required; without it the file
gives DLL errors when you try to use it.
If all that worked you now have the crypter.exe file in
/opt/crypter and locate found it.
Now next time you generate a payload with smbexec as we did
above, you will see it encrypt it. You
can also run crypter.exe directly with the wine crypter.exe command at your
shell on any payload file you want to.
Enjoy and never let AV kill your shell. Never.
Friday, August 9, 2013
Introducing Obfy
Are you sick of AV products killing any payload made by
Metasploit when doing a pen test? Me
too. First let me say, if you have a
password or a hash, you should use smbexec: https://github.com/brav0hax/smbexec
Seriously, use smbexec to collect more hashes and work your way up to domain
admin without any AV problems. Done.
But what if you don’t have a password or a hash yet, but you
have something else, say a reliable exploit picked up on a scan but the reverse
shell isn’t popping and you think it is due to AV. Well thanks to the EXE::Custom option in
Metasploit now, you have more options.
Do a show advanced in the module you want to use, and if you see
EXE::Custom you are in business. More
info on it can be found here: http://www.scriptjunkie.us/2011/08/custom-payloads-in-metasploit-4/
In a nutshell, set EXE::Custom to the file you want to be the payload, setup
the multi/handler listener set to the correct payload and port in another
window, and run the exploit and watch it connect back.
One option is to use a custom shell, like the kind I have
here: https://github.com/secjohn/ruby-shells. But that is the worst case scenario, we want Meterpreter
and we want it now. That is where Obfy
comes in.
Obfy is a simple Ruby script that runs on Kali and BackTrack
Linux and will make the payload for you, decompile it, alter the assembly code
to change the signature to fool AV, and compile it for you. Then that executable can be used with
EXE::Custom and you are off to the races.
I got the idea from Royce’s blog post here: http://www.pentestgeek.com/2012/01/25/using-metasm-to-avoid-antivirus-detection-ghost-writing-asm/. But I hate doing things manually, so I
automated it.
The magic in Obfy is in the variables that randomly pick
which assembly code to inject at specific places. The public version of the tool right now has
only very simple commands, far more simple than explained in the blog post
linked above. Code like, push edi, pop
edi. Adding a bunch of those all over
the place doesn’t seem like it should work, but it totally does. However, since I made this public I doubt it
will work for long as new signatures will be made over time for this. So I highly recommend reading Royce’s blog
post, watching Security Tube’s Linux Assembly Primer if you need to http://www.securitytube.net/groups?operation=view&groupId=5
and adding some of your own code there to make it unique to you (and submitting
the code back to github to help others).
But I could be wrong this may work forever as is, time will tell.
Now, some AV software like MS SE will still see this. Therefore there is one more step I
recommend. Run your payload through
ditto: https://github.com/mubix/ditto
and copy the resources from a normal file like calc or notepad. Using Obfy and then ditto will get you past
most things. If it doesn’t work either revert back to the custom shell I linked
above and kill AV, or you have something else messing with you and you may need
to sign the executable. Also remember to
always try the HTTPS version of the payload to get past IDS, but I digress.
Anyway, I’m excited to see how many people use this and if
anyone contributes assembly code to it to help make it better and keep it
working. So here is the link:
Enjoy and provide feedback as always.
Friday, May 3, 2013
Dealing with being underpaid in InfoSec
I was part of a Twitter conversation today with @BurbSecWest @jjarmoc @HackerHuntress which this tweet sums up. It was all about how to deal with the situation where you are underpaid and new jobs are offering you less than you are worth because they are simply offering you a percentage more than what you are currently making, which is far less than where you should be. Now in that conversation I said the better option is to simply not let yourself be that underpaid in the first place. That is still the best advice. But let's say it is too late for that. Here is my advice:
First, figure out why you are being underpaid. Is it because you changed locations and didn't know the market, are you able to do a job more senior than the one you currently have, etc.? If it is something like that, then once you get the offer, explain that. Explain how this job isn't a side step and you are underemployed, or whatever the case may be. Most of the time, making an offer at a percentage of the candidate's current salary is only a strict rule if it is a lateral move. If you can make the case that it isn't, for whatever reason, then that rule should relax and you should be able to get yourself more money. Now wait until you have an offer though, or you may be talking yourself out of a job by making your current job sound less than what it really is.
Now if you have no good reason and you simply let the market pass you by while you weren't looking, it isn't as easy. The first step is to tell your boss what you now know. Even if they won't get you to where you want to be, every bit helps, and until you leave it is still money. Even if you get a small raise this way you should still move on. Either your boss isn't aware enough to know you are underpaid, or is aware and is fine with it. I don't care which it is, you deserve a better boss. Now when you get an offer, be honest. Tell them you know you are being underpaid and this offer, while more money, is still less than you are worth. See what they say. If they say that is the policy and they can't give you too much more than you already make, then ask if they will work to help get you to where you should be over the next two years or so. If you think about it, it really isn't a good idea for a company to underpay their employees, it just causes turnover. Managers really do get together and call out who is underpaid, and they give them bigger raises than normal to get them up to where they should be so they won't leave. Your best hope is to find a company that will do that. You won't get any of that in writing and the HR person won't like talking about that at all; talk to the hiring manager about it. If you can't get that, then you will have to hop two or three jobs to get where you should be. But once you are there be picky and find a good place and stay there for a long time. No one likes hiring someone who switches jobs every year. And try not to let yourself fall so far behind again.
Good luck, and feel free to keep the conversation going.
Thursday, May 2, 2013
USB GPS on Kali Linux
Quick technical post here. I'm digging Kali Linux but some things that just worked on BackTrack take extra effort to get working on Kali. This is one of them. My USB GPS device just always worked on BackTrack, and didn't on Kali. So I dug into it and got it working, and thought I would share what I found.
First you need to install the packages:
apt-get install gpsd gpsd-clients
Then plug in your GPS if it isn't already and test that it is working and you know what device it is:
gpsd -D 5 -N -n /dev/ttyUSB0
You should see GPS stuff scroll on the screen. You may have to break out of it and try a second time to see it. If ttyUSB0 isn't correct for you, figure out which one works, you need to know.
Then configure gpsd to auto detect the device with this command:
dpkg-reconfigure -plow gpsd
Answer the questions; this is why you tested it and made sure you know the correct device.
Finally for it to start working properly for me I had to reboot and then plug the GPS in, but that may just be because I'm running it in a VM or just unlucky. So at this point if it is working, great. If not, reboot with the device unplugged and then plug it in after you login and it should start working fine.
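As an added example (not from the post), here is a small POSIX shell script that does the "test that it is working and you know what device it is" step without gpsd in the loop: it finds the USB serial device, reads a few NMEA sentences straight from it, verifies each sentence's checksum, and reports the fix quality from the GGA sentence. The /dev/ttyUSB* naming, the 4800 baud default and the GPSCHECK_RUN switch are assumptions, and the sample sentences embedded for offline testing are constructed, not captured from a receiver.

```sh
#!/bin/sh
# Added example, not from the post: sanity-check a USB GPS receiver by reading
# NMEA sentences directly from the serial device before gpsd is configured.

# First /dev/ttyUSB* character device, or the one given as $1 (assumption: the
# receiver enumerates as a USB-serial adapter, as in the post).
find_gps_device() {
    if [ -n "${1:-}" ]; then printf '%s\n' "$1"; return 0; fi
    for dev in /dev/ttyUSB*; do
        if [ -c "$dev" ]; then printf '%s\n' "$dev"; return 0; fi
    done
    return 1
}

# NMEA checksum: XOR of every byte between '$' and '*', written as two hex
# digits after the '*'. Returns 0 when the sentence is intact, 1 otherwise.
nmea_checksum_ok() {
    sentence=$(printf '%s' "$1" | tr -d '\r\n')
    case "$sentence" in \$*\**) ;; *) return 1 ;; esac
    body=${sentence#\$}; body=${body%\**}
    want=$(printf '%s' "${sentence##*\*}" | tr 'a-f' 'A-F')
    sum=0; i=1; len=${#body}
    while [ "$i" -le "$len" ]; do
        ch=$(printf '%s' "$body" | cut -c "$i")
        sum=$((sum ^ $(printf '%d' "'$ch")))
        i=$((i + 1))
    done
    [ "$(printf '%02X' "$sum")" = "$want" ]
}

# For a GGA sentence with a valid checksum, print the fix-quality field
# (0 = no fix, 1 = GPS fix, 2 = differential fix). Other valid sentence types
# print "skip"; anything that fails the checksum prints "invalid".
classify_sentence() {
    s=$(printf '%s' "$1" | tr -d '\r\n')
    if ! nmea_checksum_ok "$s"; then echo invalid; return 0; fi
    case "$s" in
        \$??GGA,*) printf '%s\n' "$s" | cut -d, -f7 ;;
        *) echo skip ;;
    esac
}

# Read a handful of sentences from the device and summarise them. The timeout
# keeps a silent or wrong device from hanging the script. 4800 baud is the
# classic NMEA default; change it if your receiver uses 9600 (assumption).
check_gps() {
    dev=$(find_gps_device "${1:-}") || { echo "no /dev/ttyUSB* device found" >&2; return 1; }
    stty -F "$dev" 4800 raw -echo 2>/dev/null || true
    timeout 10 head -n 20 "$dev" | while IFS= read -r line; do
        q=$(classify_sentence "$line")
        case "$q" in
            invalid) echo "$dev: bad checksum (wrong baud rate or noisy line?)" ;;
            skip)    ;;
            0)       echo "$dev: sentences OK, no satellite fix yet" ;;
            *)       echo "$dev: fix acquired (GGA quality $q)" ;;
        esac
    done
}

# Constructed sample sentences for offline testing (not captured from a device).
SAMPLE_FIX='$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*47'
SAMPLE_NOFIX='$GPGGA,123519,4807.038,N,01131.000,E,0,08,0.9,545.4,M,46.9,M,,*46'
SAMPLE_CORRUPT='$GPGGA,123519,4807.038,N,01131.000,E,0,08,0.9,545.4,M,46.9,M,,*47'

# Run against real hardware only when asked: GPSCHECK_RUN=1 ./gpscheck.sh [/dev/ttyUSB0]
if [ "${GPSCHECK_RUN:-0}" = "1" ]; then
    check_gps "$@"
fi
```

If every line comes back "bad checksum", the baud rate is the first thing to suspect; if nothing comes back at all within the timeout, you are probably on the wrong ttyUSB node, which is exactly the thing dpkg-reconfigure will ask you for.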
Wednesday, March 27, 2013
chromium_fix.sh added to Kali-Scripts
As the title says, I added a script called chromium_fix.sh to https://github.com/secjohn/kali-scripts. Chrome won't run as root unless you point it to a different home directory, which is annoying on Kali since you run as root. That change gets blown away every time the package is updated, which is more annoying. So enter this script. It will set up chromium to run as root. Use it every time the package is updated. I decided to use the Debian package via apt-get install chromium instead of downloading the Chrome deb from Google and installing it, which is what I did for BackTrack. So far it is updated far less often, so this annoying feature isn't as bad. If a few people ask for it I'll make a chrome_fix.sh script as well, it is an easy change. Enjoy.
Tuesday, March 26, 2013
Kali Linux and Update script
If you are one of the few people who read this, you may know I have a BackTrack Linux update script here: https://github.com/secjohn/backtrack-shell-scripts. Well Kali Linux is the new version of BackTrack now and with it there are some new and exciting changes.
Gone are the days where you have to do so many steps to keep things updated. Unlike BackTrack, the Kali packages are going to be kept very current, weekly, or even daily if you go with the bleeding edge option. So most of the steps I took in my BackTrack update script are no longer needed. Also, they won't work in Kali anyway. Most of the tools don't have the git or svn info in the directories, so updating them that way doesn't work in Kali. Given that, I have made a new repo: https://github.com/secjohn/kali-scripts
It is a much shorter and simpler script. It updates the packages on the system, then manually updates Metasploit, Nessus if you have it, puts an SVN version of Fuzzdb in the /user/share/fuzzdb dir and compiles the SVN version of nmap in /opt/nmap-svn.
Those last two items may not be needed, time will tell. Fuzzdb is already on there and I don't know how often it gets updated anymore. The version of nmap on Kali is really close to the SVN version, and when I compared the script directories the SVN one only had a few extra scripts in it. So that may not be needed anymore either, and I don't overwrite the packaged nmap. If you want to use the SVN nmap call it directly, or just use the scripts in the directory with the installed nmap.
Time will tell how this goes or what other scripts I add. Feedback and additions and ideas are always welcome.
If you haven't switched over to Kali yet, you should. Seriously, it is nice.
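Added example, not the kali-scripts code itself: the skeleton of a switch-driven update script in the style this post and the later kaliupdate.sh post describe (-a does everything, -p updates packages and MSF without waiting for compiles), including the clone-on-first-run, pull-afterwards logic the posts tell you to do by hand. /opt/nmap-svn is the location the posts use; /opt/kali-scripts, the step names, the svn.nmap.org checkout URL and the KALIUPDATE_RUN switch are assumptions.

```sh
#!/bin/sh
# Added example: skeleton of a switch-driven update script like the one the
# kali-scripts posts describe. Illustrative code, not secjohn's kaliupdate.sh;
# directories and step names are assumptions.
set -u

SCRIPTS_DIR="${SCRIPTS_DIR:-/opt/kali-scripts}"   # assumed checkout location
SCRIPTS_URL="https://github.com/secjohn/kali-scripts.git"
NMAP_SVN_DIR="${NMAP_SVN_DIR:-/opt/nmap-svn}"     # the location the posts use
NMAP_SVN_URL="https://svn.nmap.org/nmap"          # nmap's public SVN trunk

usage() {
    echo "usage: $0 [-a] [-p] [-n]" >&2
    echo "  -a  run every step" >&2
    echo "  -p  update packages and Metasploit only (no long compiles)" >&2
    echo "  -n  check out/update and compile nmap from SVN" >&2
}

# Turn the switches into an ordered list of step names. Kept separate from
# the steps themselves so the plan can be inspected without touching the box.
plan_steps() {
    do_self=0; do_pkg=0; do_nmap=0
    OPTIND=1
    while getopts "apn" opt; do
        case "$opt" in
            a) do_self=1; do_pkg=1; do_nmap=1 ;;
            p) do_pkg=1 ;;
            n) do_nmap=1 ;;
            *) return 1 ;;
        esac
    done
    steps=""
    [ "$do_self" -eq 1 ] && steps="$steps self"
    [ "$do_pkg" -eq 1 ] && steps="$steps packages msf"
    [ "$do_nmap" -eq 1 ] && steps="$steps nmap"
    printf '%s\n' "${steps# }"
}

# Clone on the first run, pull on every later run, so the script is safe to re-run.
repo_action() {
    if [ -d "$1/.git" ]; then echo pull; else echo clone; fi
}

sync_git_repo() {
    url="$1"; dir="$2"
    case "$(repo_action "$dir")" in
        clone) git clone "$url" "$dir" ;;
        pull)  git -C "$dir" pull --ff-only ;;
    esac
}

step_self()     { sync_git_repo "$SCRIPTS_URL" "$SCRIPTS_DIR"; }
step_packages() { apt-get update && apt-get -y dist-upgrade; }
step_msf()      { msfupdate; }
step_nmap() {
    if [ -d "$NMAP_SVN_DIR/.svn" ]; then
        svn update "$NMAP_SVN_DIR"
    else
        svn checkout "$NMAP_SVN_URL" "$NMAP_SVN_DIR"
    fi
    # Build in place; the packaged nmap is left untouched, as the post does.
    (cd "$NMAP_SVN_DIR" && ./configure && make)
}

main() {
    [ $# -eq 0 ] && { usage; return 1; }
    steps=$(plan_steps "$@") || { usage; return 1; }
    for step in $steps; do
        echo "== $step"
        "step_$step"
    done
}

# Only act when explicitly asked, so the file can also be sourced for its functions:
# KALIUPDATE_RUN=1 ./kaliupdate-example.sh -a
if [ "${KALIUPDATE_RUN:-0}" = "1" ]; then
    main "$@"
fi
```

Keeping the switch parsing in plan_steps and each action in its own step_ function is what makes the script cheap to extend: a new tool is one more function and one more letter in the getopts string.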
Friday, February 15, 2013
BackTrack Linux Update Script
I use BackTrack Linux a lot. All the time really. And in-between engagements I like to update the tools I use. The normal apt-get update doesn't really update many of the tools I use. And I like to automate things. So I created a simple shell script to do this. I updated it recently and I already have some more tools in mind to update it again. But what I would really like is comments and even code from others who do the same thing to help make it better and more useful for even more people. I find it interesting what other people see as important enough to update.
I used shell on purpose, to keep it simple and accessible to anyone. A shell script is just running the commands you would normally run on the command line. If you can't handle that then maybe BackTrack isn't what you should be running. I kept the script as simple as possible and overdid the comments again to keep it accessible and allow for easy re-use of code for people who don't do a lot of shell scripting.
You can find my update script here: https://github.com/secjohn/backtrack-shell-scripts
I would love your commits here, or if you are a github type person make a branch and give me a pull request and get your code in the script. Just don't break anything.