The Hassle Exploit

The catching up (troubles of my mere existence)

It’s been a long time again. I can say from the WordPress Editor UI, that has had some changes (it’s totally not recognizable). Things have changed in many ways, but I’m still Penetration Testing for food (and accommodation sometimes). I also bought a wok (that’s totally irrelevant).

As I said, I’m still Penetration Testing. Mostly big companies. I try to secure their money and assets, so people that want them won’t get them. I arguably am like Peter Pan’s villain – I’m securing rich people’s stuff, so poor people won’t get them without paying, having sex with them (that’s not the majority of my projects) or allowing a permission in their Android phones

So, I have this controversial job, most of the time, probably the same with my readers (at least during the day). We could be considered “Captain Hooks” of some sort. I’ll let my psychologist know about my identity crisis. Or my mom.

The subject looks like it needs a post of its own, so moving on…

The Warmup

So yeah, I pentest a lot, it’s a job and I am pleased doing it. The thing that gives me the  most chills is Red Teaming.

Oh boy, Red Teaming is the real thing. Attack simulation and such, from physically opening a door, to phishing and vishing, to NTLM relaying, to DAing a Domain (or a bunch o’ them), to displaying dickpics in all ATMs of the country before dispensing money. I mostly skip the last part (or flash them for a brief second – like Tyler Durden’s appearances).

But my favorite part is phishing. I love people, in a philosophical sense. I love them with their defects (as a race), with their ambitions and fears. That’s what made me come up to here (not sure if it’s considered “up” anyway), and that’s what motivates me in life. Looking for ways to fool them really got me from the beginning. I’m one of them (us?) myself, and that helps a lot, too.

 

The Real Topic of the Post

By now, I’m not sure what I really am gonna write below. I was planning to introduce you to the Wormnest tool. Something I made to serve payloads with style, but that’s gonna be technical (you know HTTP headers, Python Development, Reverse Proxies and TLS certs), so I’m leaving it for some other time. *Fixing the title*. So, let’s continue with our next guest:

 

Hassle in Social Engineering

Most social engineering projects start with setting up a Mail Server. And setting up a Mail Server is a hassle. I don’t like hassles. Fuck hassles (Taxes are a hassle – Fuck taxes). Plus, when you set everything up (it’s not that difficult, it’s just a hassle), you will still be Greylisted anyways in most cases, that shows how badly designed the Mailing Protocol is (for 2018), etc-etc.

Setting up a phone number is not that bad anyway. You just buy it, or get your company to buy it. And background checking a telephone number is so much more hassle than checking an SMTP server… It is 1000 times more difficult to get a mobile phone number blacklisted than an SMTP server. And re-deployment is as easy as “buy another number”. And the cost is less.

Actually, its all about avoiding hassle. And in a totally different meaning. The “hassle” is an exploit to Human Psychology. And it’s obvious when you think of it.

Hassling as an Exploit

Well, you know how your country’s law enforcement system works. Right? Exactly, you have no clue. What about the tax system? Yep, thought so. And, of course you know the Terms and Conditions of Gmail. I mean you are using it all the time. Well, that’s a “No“, right. Then you have been exploited (like most of us).

Hassle is a bad thing. Creates bad feelings in a lingering way. The feelings create an experience, and the experience breaks into our behavior (from time to time).

We all avoid hassle, as this experience has formed our behavior into avoiding it. So, the exploit lies into putting hassle in things that you want people to avoid. That’s an old one. But a golden one.

The Bible’s “Have faith and doubt not” is just the payload (do you remember the color notation it’s gonna come in handy here). The exploit for that is hassle.

Hassling vs Troubling

Well, hassle and trouble are very different. SO VERY DIFFERENT. And the difference lies in the below example:

Example to show the difference between hassle and trouble:

There are 2 countries, with the following rules for murder with intention:

Country 1: A Murderer will go to jail for 15 years.

Country 2: A Murderer will have to sign a form based on Law 2142/2014, and then provide it to local authorities. After that, he/she is going to receive the form based on Law 3354/2011 by postal service, complete and sign it, along with 3 of his/hers victim’s blood family members and provide this form to the ministry of Law Enforcement. After receiving Law Enforcement final report on the case, and providing it to local authorities, he/she is free of charges.
Ones that not comply will go to jail for 20 years.

In the second country, add the fact that the Ministry of Law Enforcement is open only 10:00 to 13:00 all weekdays except Mondays, and that the one accountant that handles such cases is on vacation in Bahamas for an indefinite period of time.

I don’t know about you but I’d prefer to live in Country 1. Not because I like jailing laws, but because it is clear that if you perform murder, to stay free, you have to escape. Not complete written forms, that none informs you were to find (and it’s probably fruitless to ask the Murder Community here…), and wait in queues.

In the bottom line: in the first country if you are a murderer you are in trouble. In the second country you are in hassle.

Defying the Laws of Tradition

Fighting against trouble, is always easier than fighting against hassle. The second one takes more courage in the long run. There is no real enemy in there, so you have nothing clear to fear, yet you feel disappointed, as the things you are trying to achieve never really get fulfilled. Yet, nothing virtually is there to prevent you. Hence, it’s easier to surrender when putting a fight against hassle, with the illusion that you could achieve the goal given more time/patience/etc.

The only won fight against hassle, that I’m aware of, is in Margaritaville (a South Park episode).

Hassle in Phishing

This exploit doesn’t need any serious setup (nowhere near a valid SMTP server). It is easy to pull off. You just have to introduce someone into a hassle-inducing situation. And then carefully place your payload in a shortcut/gateway you provide. It’s as simple as that. Most installers do it that way:

 

  • Customize before installation (for advanced users)
    (Too much hassle, to find the correct settings)
  • Express Install (hassle free!)
    (Installs Google Chrome and other rootkits along with the main software)

So, a Mail Social Engineering Scenario could be the following:

From: Outlook Security <outlook@example.com>
To: Victimious John <victim@example.com>

Outlook Security Notice – 12/10/2018

It is identified by Microsoft Windows Defender that your host is running a PUP, posing danger in the host’s network. It is highly recommended to inform your IT Administrator, showing this email and the mail threads received by that host the last 7 days.

To fix the issue yourself, please download the remediation patch available by Microsoft at https://microsoft-malware/KB-19660 ¹.

Thank You
The Outlook Security Team

[1]: Create URLs like this automatically using Wormnest (shameless plug)!

Breakdown of the victim’s psychological aspect

Outlook Security Notice – 12/10/2018

It has a date, and no “Dear X,” it must be formal and serious.

It is identified by Microsoft Windows Defender that your host is running a PUP, posing danger in the host’s network.

Defender is an Antivirus, it probably knows more about my computer than me (spoiler alert: it does). I don’t know what a PUP is, but googling it is too much of a hassle.

It is highly recommended to inform your IT Administrator,

This creep that sweats and swears in every situation that includes computers? Oh, well…

showing this email and the mail threads received by that host the last 7 days

He’s gonna get mad at me when he sees that I use the corporate email in buying shaving stuff in shop.workingmother.com with discount (well, I googled “working mother shop” and it existed).

To fix the issue yourself,

Yeeeeees?

please download the remediation patch available by Microsoft at https://microsoft-malware/KB-19660

I’m so eager to eat whatever this link brings in my computer

Thank You
The Outlook Security Team

I thank you “Outlook Security Team“, have a nice day!

Bonus points:

Actually mentioning the IT Administrator gets points in the non-phishing direction…

 

Hassle in Vishing (The something-wrong-with-your-mail Scenario)

– Hello is that John Victimious

– Yes, it’s me. Who is calling?

– My name is John Smith (who else?). I’m calling on behalf of your corporate mail provider.

– Google?

– Yes, Google Corporation <Receivers Country name here>.

– Oh, is there something wrong?

– Well, not exactly. Can you please login to a page and give me what you see?

– I’m a bit busy now, can I sent you an email when I manage?

– You can’t send me an email, you have to call at <phone number>, ask for email verification support, wait 8-9 minutes as it is the mean waiting time, then describe the situation and wait for someone to handle the case. Plus, it has to be done today, because it’s probable that you’ll have trouble logging into your email tomorrow.

– Oh, never mind. What is the website?

– It is google.yolose.com. Y, O, L, O, S, E.

– Ok, I’m in. Do I just login here and tell you what I get?

– Exactly!

– OK, gimme a sec. *types the creds* hmm… Yes. I see a green tick, saying that “The account has been verified against <TargetCompany>

– Great! You’re set! Thank you for your time!

See? Just introducing some hassle will bend most defenses. Plus…

Hassle is a recognized attribute of dealing with Authorities

One of the reasons we really get overwhelmed with hassle situations, is because we have met hassle in the past and had a negative experience, as said before. But, hassle in our lives has been introduced in a quite specific way. And that’s when Dealing with Authorities. The paperwork in most countries is so staggering that creates hassle for even the simplest of tasks.

That’s another good reason to use hassle in your Social Engineering. You give the impression of authority, even without being yourself aware of that!

 

Final Thoughts

Really Generic/Philosophical…

It’s not humanity that sucks, it’s its systems. It became (humanity) so big, so fast, that people didn’t have the time to develop really sane ways of co-existing (in groups of more than 150 in the same community e.g: cities). That’s where ideology and common ideas come into play, to unite the 150+ people that are forced to live so close together.

But, as all projects with tight deadlines, communities are full of bugs. And some become security vulnerabilities. And people end up being massively exploited as they carry their common (vulnerable) traits.

The Hassle Vulnerability is not a new one. It is being exploited by lawyers and tax makers for years now. But to patch it, a new community needs to be build. A community that won’t be so obviously based on it

 

Advertisements

Between an Incident Response and a Break-up

Long time again… Sometimes I feel like I am gathering inspiration for too long, and it starts defusing after a while.

There is a perfect timing – a sweet spot – for writing a poem or a python package. If you miss it  that’s it, you missed it… You need to gather your inspiration all over again…

It’s been almost a year since my first post (Dating as a form of Penetration Testing). It is time for a break-up parallelization. Here we go!

 

Incident Response as a form of a Break-up

The Setup

Sometimes bad things happen. Those bad things vary in type, but a security incident in a company can be a very bad thing. A Bad like Jesse James thing. A company can lose thousands of $ or because of a spear-phishing campaign, or a compromised account on the database server.

A break-up, in the other hand is a more straightforward thing. You gotta get separated from someone or something beloved (I won’t forget the moment I gave up my ThinkPad, for my corporal machine).

For a guy the beloved thing is his girlfriend (or even his boyfriend), for a sys admin it’s the rootkit‘d File Server (he spend days and mojo building).

And you gotta get separated for sure… The Relationship/Server is no good anymore. It actually does more harm than good

Going Deeper

Technically speaking, there are several phases, both on an incident response, and on a break-up. And if you think of it hard enough, they seem to be the same phases…

SANS documents the Incident Response Phases in the GCIH cert material as follows:

  • Identification
  • Containment
  • Eradication (Cleaning Up)
  • Recovery
  • Lessons Learned

Hell, doesn’t this sound awfully familiar already?

So, let’s shine! Our star tonight: the Separated & Hacked SysAdmin

 

Identification

I don’t actually feel the same way I used to with her. I feel nothing when I touch her… I don’t care if I will be seeing her tonight or not

# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 19356 648 ? Ss May20 0:02 /sbin/init
root 2 0.0 0.0 0 0 ? S May20 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S May20 0:03 [migration/0]
[...]
root 4108 0.0 0.0 11716 548 ? S May20 0:02 /usr/sbin/.httpd
apache 37008 0.0 0.0 213148 11328 ? S May21 0:04 /usr/sbin/httpd

It is this time! The shivers you get. The mindblow. The spine that tingles a bit. The urge to cry… The realization that you have no tears…

It happened on Monday. It had to be about 19:something. Stayed at work late and had to come at her place for the night. The moment he was typing the ps command (for no reason, like every Linux guy who is bored in front of the #), he was thinking of his girlfriend…

Stayed late just to have some time alone. Didn’t have work to do. Didn’t need to be at work at all. But, for some reason he couldn’t get his head around the forthcoming sleepover. It ‘d be the same thing again. The same meal, the same sex, the same “Calvin and Hobbes” comic in the WC… He wouldn’t do it.

Then he grasped the ps output. Couldn’t actually believe what he was staring at. At first he was like “Hey, my httpd ain’t running as root. I fixed the config two days ago“. And then he went: “what the fuck is this bro?” (he loves P.C. Principle from South Park).

After the shock he had two phone calls to make. More like three. The first one was to his girlfriend. Talked about the incident. He couldn’t come over… He was somewhat hopeful for this. Somewhat… Sometimes digital forensics are better than sex. But that night… That night anything was better than sex!

And then he called the Incident Response team, and his best friends. Ordered pizza from the office to his home (that makes it four phone calls). Arranged a meeting for tomorrow morning with the Incident Response guys and headed for home were his friends were also heading after the Bromance Alarm.

He had to figure out both issues the following day. How comes he can’t see her face in his mind?. How this rogue process was planted? He had to get his shit together…

 

Containment

SANS got me on this again! SANS explains the Containment Phase as “to stop the bleeding“. SANS guys must be really experienced with break-ups apart from sleuthkit.

So, the sys-admin guy broke-up the next morning. He was the smart type of guy – he didn’t depress his feelings. He felt like so and he broke-up!

Ironically, he did so over the phone, while the Incident Response guys were unplugging the Ethernet from his server (after gathering live memory dumps of course)…

The containment phase began the same evening. He gathered the gang again and went to a Pub. Got almost wasted with just beers and nachos. Then he introduced himself to a stranger, while his friends were constantly provoking him, like high-schoolers (do we –men– actually ever escape the high-school age?). Told everything to her, while constantly burping like Rick from Rick and Morty.

He knew nothing about what was going to happen next… He knew nothing about the Nightingale Syndrome that the woman was under. To make a long story short, after almost crying on her arms, they got pre-laid in the Pub’s WC and completely laid in her place…

She became his “rebound girl” for a while. He slept over in her house for almost a week. He went home to pick up things like toothbrush and clothes. Too many memories in there… It was time for…

 

Eradication

The Friday Night was a bummer. All day Friday in work he was trying to remove the malware from the compromised server. There were also, crontabs, services, even a kernel mod was found by the forensics team…

He kept removing shit and more shit kept spawning. Rogue binaries in /root/bin/ and bogus entries in lsmod output… All day Friday he was removing malware…

Then he got home. A Friday evening. His friends were all busy and he kind of missed his ex.

What follows is often seen in movies and teenager video-clips. He got his zippo and went to the bathroom with all the pictures he had from the previous holidays they did together. He set them on fire on the bathtub. Later he brought presents and all romance-shit card-postals and letters from the Erasmus era. Her old sunglasses, her toothbrush, 3 pairs of socks… He kept burning stuff all night and more kept spawning…

 

Recovery

He took days burning stuff and drinking Mountain Dew or Dr. Pepper. He also made a new friend – the pizzaboy. Gained some weight, stopped going out, lost the NBA finals. He was a mess for some time…

 

Then, suddenly one morning, he woke up motivated! Went for a walk before work by himself. Had some push-ups before putting his jeans on. It was time to finally recover…

Went to work and rebuilt the whole server. LDAP authentication, public key only authentication on SSH, remote sys-logging, etc.

Then he got home. Cooked a meal for himself, after a long time. Brewed some coffee. Checked out Hacker News from his Android, like he used to, even before he met his ex.

Later that day, he went to the Pub, alone. Got some beer and sat by the window, alone. Nothing happened. None talked to him and he talked to no one. He did some thinking, all by himself.

Before going to bed, ’round midnight, he remembered he loved Kerouac and Burroughs. Their books were on the shelf collecting dust for too long. It had been years since he last read his favorite books. Goddammit, what had happened to him…

Fell asleep while reading the Junky, feeling nostalgic. It was the first day for the rest of his life…

 

Lessons Learned

He went to work earlier that morning. Determined. Whatever fucked that server up wouldn’t happen again. At least wouldn’t without him noticing

Utilized syslog everywhere. Everywhere! Even to the coffee machine. Spent countless hours setting up Kibana, added a Suricata to the firewall appliance and FINALLY created VLANs!

The thing went personal. This was not just his company’s network, it was his personal fortress

 

He stayed up late at work, and when he got home, he got a beer and did some more thinking. Why did he abandon everything while being with his ex-girlfriend? Why did he give up all the music he used to like? His favorite books? His friends? His role as linux-guru sys-admin?

Felt a bit desperate on why he left everything for her. Couldn’t understand why he lost the best bits of himself just by being with her… He wouldn’t do that again.

The thing went personal. He was not just a body and soul looking forward to mate again, he was his personal fortress

 

 

 

Highly inspired by “\”How To Break Up\” Tales Of Mere Existence” and my life.

Thanks for reading my 12th article.

 

 

 

Reinventing the Wheel for the last time. The “covertutils” package.

A colleague reviewed my article and found it hopeless. I could definitely blame him, but he is a real rock when it comes to reporting, teaching and lecturing about security topics.

So I revised my article, according to his remarks, which mainly were: “You are describing a damn protocol – add some PICTURES goddammit!”. Enjoy…

 

The motivation

Those last months I came across several Github projects with RAT utilities, reverse shells, DNS shells, ICMP shells, anti-DLP mechanisms, covert channels and more. Researching code of other people gave me the ideas below:

Those things have to support at least an encryption scheme, some way of chunking and reassembling data, maybe compression, networking, error recovery. (To not mention working-hours operation-empire agent, certificate pinningmeterpreter and unit identification-pupyRAT).

And they all do! Their authors spent days trying to recreate the chunking for the AES Scheme, find a way to parse the Domain name from the exfiltrating DNS request, recalculate IP packet checksums and pack them back in place, etc…

And then it got me. A breeze of productivity. That crazy train of creation stopped just before my footnails. The door opened…

What about a framework that would handle all those by itself?

A framework that would be configurable enough to create everything from a TCP reverse shell, to a Pozzo & Lucky implementation.

A framework without even the most stable external dependencies, that uses only python build-ins

And all those without even thinking of encryption, message identification, channel password protections and that stuff we hate to code.

Then I started coding. Easter found me coding. Then Easter ended and I was still coding. Then I didn’t like my repo and deleted it altogether. I recreated it and did some more coding. Spent a day trying to support Python 3 and gave up after 10 hours of frustrated coding.

And finally it started working. The “covertutils” package was born. A proud python package! And here it is for your amusement:

https://github.com/operatorequals/covertutils

And here are the docs:

https://covertutils.readthedocs.io

Let’s get to it…

 

Basic Terminology of a backdoor

So let’s break down a common backdoor payload. In a backdoor we have mainly two sides. The one that is backdoored and the one that uses the backdoor.

The host that is backdoored typically runs a process that gives unauthorized access to something (typically OS shell). This process and the executable (binary or shellcode) that started it is the “Agent“.

The host that takes control of the backdoored machine typically does so using a program that interacts with the Agent in a specific way. This program is the “Handler” (from exploit/multi/handler anyone?)

Those two have to be completely compatible for the backdoor to work. Noticed how the Metasploit’s exploit/multi/handler asks for the payload that has been run to the remote host, just to know how to treat the incoming connection. Is it a reverse_tcp VNC? a stageless reverse_tcp_meterpreter?

Examining the similarities of those two (agents and handlers) helped me structure a python API, that is abstract, easy to learn, and configurable.

 

The covertutils API

All inner mechanics of the package end up in 2 major entities:

  • Handlers
    Which are abstract classes that model Backdoor Agent’s and Handler’s behavior (beaconing, silent execution, connect-back, etc).

    Attention passengers: The Handler classes are used to create both Agents and Handlers.

  • Orchestrators
    Which prepare the data that has to travel around. Encryption, chunking, steganography, are handled here.

With a proper combination of those two, a very-wide range of Backdoor Agents can be created. Everything from simple bind shells, to reverse HTTPS shells, and from ICMP shells to Pozzo & Lucky and other stego shells.

 

The data that is transferred is also modeled in three entities:

  • Messages
    Which are the exact things that an agent has to say to a handler and vice-versa.
  • Streams
    Arbitrary names, which are tags that inform the receiver for a specific meaning of the message. Think of them almost like meterpreter channels with the only difference that they are permanent.
  • Chunks
    Which are segmented data. They retain their Stream information though. When reassembled (using a Chunker instance) they return a (Stream, Message) tuple.

The Orchestrator

Orchestrators can be described as the “objects that decide about what is gonna fly through the channel“. They transform messages and streams to raw data chunks. Generally they operate like follows:

orchestrator.png

The chunks can then be decoded to the original message and stream by a compatible Orchestrator instance. They are designed to produce no duplicate output! Meaning that all bytes exported from this operation seem random to an observer (that hasn’t a compatible Orchestrator instance available). This feature is developed to avoid any kind of signature creation upon the created backdoors, when their data travel around networks…

The code that actually is needed for all this magic is the following:

>>> message = "find / -perm -4000 2>/dev/null"
>>> sorch = SimpleOrchestrator("Pa55w0rd!", streams = ['main'])
>>> chunks = sorch.readyMessage( message, 'main' )
>>> 
>>> for chunk in chunks :
...     print chunk.encode('hex')
... 
a3794050e26ad5935a1c
179083d79cad047be0a7
eb8bb3340b73ddc5eedb
af82b3a2a0f913a37a2f
3b0ddf0f365973dd4ae3
>>>

And to decode all this:

>>> sorch2 = SimpleOrchestrator("Pa55w0rd!", streams = ['main'], reverse = True)
>>> 
>>> for c in chunks :
...     stream, message = sorch2.depositChunk( c )
... 
>>> stream, message
('main', 'find / -perm -4000 2>/dev/null')
  • Note the reverse = True argument! It is used to create the compatible Orchestrator. Same objects are not compatible due to duplex OTP encryption channel.

 

The Handler

Handler‘s basic stuff is declared in an Abstract Base Class, called BaseHandler. There, 3 abstract functions are declared, to be implemented in every non-abstract subclass:

  • onMessage
  • onChunk
  • onNotRecognised

When data arrive to a Handler object, it uses the passed Orchestrator object (Handlers get initialized with an Orchestrator object) to try and translate it to a chunk. If it succeeds the onChunk(stream, message) method will be run. If the received data can’t be translated to a chunk then the onNotRecognised() will run.
Finally, and if the raw data is successfully translated, the Orchestrator will create the actual message when the last chunk of it is received. The onMessage(stream, message) method is run when a message is fully assembled.

The combined idea of a backdoor can be seen in the following image (fullscreen might be needed):

covertutilsbasicbackdoor.png

 

The Internals

How Streams are implemented

The Idea

Data needs to be tagged with a constant, for the handler to understand that it is meant to consume it. As a handler may receive data that is irrelevant, not sent from the agent, etc…

The problems in this idea are several. Bypassing them created the concept of the stream.

First of all, the constant has to be in a specific location in the data, for the handler to know where to search for it. That brings as to the second thing:

If a constant is located at a specific data offset, it defines a pattern. And a pattern can be identified. Then escalated to analysts. Then blacklisted. Then publicly reported and blocked by public anti-virus products.

So for the tagging idea to work well, we mustn’t use a constant. Yet the handler has to understand a pattern (that can’t be understood by analysts). Considering that both the Agent and Handler share a secret (for encryption), the solution is a Cycling Algorithm!

The StreamIdentifier Class

When sharing a secret, infinite secrets are shared. If the secret is pa55phra53 then we share SHA512(“pa55phra53“) too. And MD5(“pa55phra53“). And SHA512(SHA512(“pa55phra53“)). And MD5(SHA512(“pa55phra53“+”1”)). You get the idea.

So the StreamIdentifier uses this concept to create tags that are non-repetitive and non-guessable. It uses the shared secret as seed to generate a hash (the StandardCyclingAlgorithm is used by default, a homebrew, non-secure hasher) and returns the first few bytes as the tag.

When those bytes have to be recognized by a handler, the StreamIdentifier object of the handler will create the same hash, and do the comparison.

The catch is that when another data chunk has to be sent, the StreamIdentifier object will use the last created hash as seed to produce the new tag bytes. That makes the data-tag a variable value, as it is always produced from the previous tag used plus the secret.

A sequence of such tags is called a Stream.

Multiple Streams

Nothing stops the implementation from having multiple streams (in fact there is a probability pitfall, explained below…)! So instead of starting from “pa55phra53″ and generate a single sequence of, let’s say, 2 byte tags, we can start from “pa55phra531″, “pa55phra532”, “pa55phra533” … and create several such sequences (streams).

The StreamIdentifier will, not only identify that the data is consumable, but will also identify that a tag has been produced from “pa55phra531″, or “pa55phra533”. This can used to add context to the data. Say:

  • Everything produced from “pa55phra531 will be for Agent Operation Control (killswitch, mute, crypto rekeying, etc)
  • Everything produced from “pa55phra532 will be run on a OS shell
  • Everything produced from “pa55phra533 will be shellcode that has to be forked and run
  • Goes on and on…

Now the messages themselves do not need to follow a specific protocol, like:

shell:uname -a
asm:j
 X�Rh//shh/bin��̀
control:mute

they can be raw (saving bytes on the way), relying on the stream for delivering the context (when writing a RAT’y agent several features have to implemented, streams come in handy with this).

The streams are named with user-defined strings (e.g “shell”, “control”, etc) to help the developer.

 

The Pitfall

Tags have to be small. They shouldn’t eat to much of the bandwidth. They are like protocol headers in a way. Not too small to be guessable or randomly generated from a non-agent, not too big to be a small part of the raw data.

When implementing a tone of features using streams (say 8 features), using a 2-byte tag (it is the default) will create a small chance of collision. Specifically a 1/2341 chance (still more probable than finding a shiny pokemon in Pokemon Silver – 1/8192).
And to make things worse: this chance is not for the whole session, but per sent chunk (as tags are cycling for every chunk), so it is quite high!

The Solution

Well, maths got us down. For so many features, a new byte (3 byte tags) will minimize the chances tremendously. There is also an option to make the tags constant. This way the above chance counts for the whole session, making a collision quite hard.

 

Handler Types

At time of writing, there are several Handler Classes implemented. Each modelling a specific backdoor behavior.

  • BaseHandler
    This is the Base Class that exposes all abstract functions to the sub-class.
  • FunctionDictHandler
    Gets a (stream -> function) dict and for every message that arrives from stream x, the corresponding function is called with message as argument.
  • InterrogatingHandler
    This handler sends a constant message across to query for data. This is the way the classic reverse_http/s agents work. They periodically query the handler for commands, that are returned as responses. Couples with the ResponseOnlyHandler.
  • ResettableHandler
    This Handler accepts a constant value to reset all resettable components to initial state. The One Time Pad key, the stream seeds the chunker’s buffer, etc.
  • ResponseOnlyHandler
    This is the reverse of the InterrogatingHandler. It sits and waits for data. It sends data back only as responses to received data. Never Ad-Hoc.
  • StageableHandler
    This is a FunctionDictHandler that can be extended at runtime. It accepts serialized functions in special format from a dedicated stream, to add another tuple in the function-dict, extending functionality.

 

Orchestrators

The objects that handle the raw data to (stream, message) conversion are the Orchestrators.

They have some basic functionality of chunking, compression, stream tagging and encryption. They provide 2 methods, the readyMessage(message, stream) and the depositChunk(raw_data). The first one returns a list of data that are ready to be sent across (tagged, encrypted, etc), and the second one makes the Orchestrator try to consume data received and returns the (stream, message) tuple.

 

End of Part 1

The whole package includes several features that are not even mentioned in this article (Steganography, Data ManglingStegoInjector and DataTransformer classes-, etc), that while implemented, aren’t properly documented yet, so their internals may change.

They will be the subject of another post, along with a Pozzo & Lucky implementation using only coverutils and Raw Sockets.

 

I the mean time, there are some Example Programs for you to play around!

Feedback is always appreciated…

 

A Git Tutorial of Human Psychology

In Image and in Likeness

Catching Paragraph
that uses several seemingly irrelevant pieces of information to hook the reader.

Bible says that [G|g]od created humans “In Image and in Likeness“. While I am not that huge fan of Bible, I do believe that some things are not randomly written in this book.

In Image and in Likeness” is the only way to structure, design, and create something. No wonder, that God created people “In Image and in Likeness” himself. He couldn’t do it any other way…

 

Git is no Εxception

Creating Git Version Control was also a miracle (thanks again Linus). And it was created to resemble human nature and psychology as well. I don’t claim that the author and developers had this in mind when they started their codebase, but I do believe that they couldn’t help it.
Humans are doomed to duplicate themselves. With more than one ways…

 

Today’s Proof of Concept

All Git operations have human-side equivalents. Equivalents that resemble life choices and personal mind tricks. Branching, committing, rebasing, all are ways a person feels and acts about things.

 

The Childhood

Git init

Let there be light” (this is the last biblical reference, promise).
We can parallelize a person as a git repo. So here is what happens when a person is born:

God@Earth# NEW_PERSON="person-$(date +%s)-3"
God@Earth# mkdir $NEW_PERSON; cd $NEW_PERSON;
God@Earth# chroot . start_life $NEW_PERSON &

(the start_life executable starts by setting UID != 0, to avoid creating a new god.
This was the bug that created the Titans, Pantheon, Egyptian Gods and more, in the early years of development)

Because god runs Linux, and that’s for sure…

Then the person has its own process… It is alive! And this is what happens…

$ ls
$ ls -a
. ..
$ git init
Initialized empty Git repository in /.git
$

Here, we have a new proje… person! All initialized and ready to fulfill its life goals…

 

Git add

As a new project, at first, a person adds everything that is inside the directory inside the repo. And this isn’t always good…

$ ls
mother.love    old_sister.love    father.love    mother.tongue    mother.bad_habits    father.drinking_problem
$ git add *
$ git status
On branch master

Initial commit

Changes to be committed:
  (use "git rm --cached <file>..." to unstage)

    new file:   mother.bad_habits
    new file:   father.drinking_problem 
    new file:   mother.love
    new file:   old_sister.love
    new file:   father.love
    new file:   mother.tongue
$

A child sucks everything in its environment to slowly develop a personality. And carries all added things with it. But a personality isn’t actually created before the…

Initial Commit

And here we have the end of Childhood… A child with a discrete personality is a teenager. Almost not a child anymore…
And here is the line that differentiates the two:

$ git commit -m "Built personality PoC"
[master (root-commit) 46ae33f] Built personality PoC

 6 files changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 father.love
 create mode 100644 mother.love
 create mode 100644 mother.tongue
 create mode 100644 old_sister.love
 create mode 100644 father.drinking_problem 
 create mode 100644 mother.bad_habits
$

The Early Years

git commit

A commit happens every time a personal decision is made. As the commit is the most common command in git, it is also the most common mental condition in a person’s life. You commit every time consequences of your actions will affect you as a person. Just like a commit in git. It is a command that defines a state of you.

The .gitignore file!

A teenager starts to be more selective when adding things to his/her life. Tries to evaluate whether something is crucial for its development, or not.
A typical example of this is the following:

$ echo "mother.*" > .gitignore
$

This way a teenager permanently ignores all changes on its mother behavior, effectively carving its own way. One can add things to the .gitignore file as experience comes:

$ echo "*.assholes" >> .gitignore
$

Here we added the line to ignore all assholes, and prevent them from changing our life.

 

git branch

There are circumstances that you have to treat like a whole new person. There are events that need a whole fresh you when you first get into them, like relationships or hobbies. Events that every change they do to you, won’t affect you in other aspects of your life.

Let’s say that the teenager we left of, is a boy and is now ready to meet his first love “Lily”:

$ git status
On branch master
Untracked files:
  (use "git add <file>..." to include in what will be committed)

    lily.love
$

He is going to be a boyfriend, trying to leave the rest of his life intact. He has to create a new life branch.

$ git branch boyfriend_of_lily
$

git checkout

Now, every time he is with Lily he can just:

$ git checkout boyfriend_of_lily
$

and develop his relationship with her. Adding some Lily-specific files, or changing some already created ones. Also all commits done when with Lily, will affect their relationship only, not the rest of his life (hopefully).

People have countless branches. Think about hobbies, jobs and people that need a specific version of us to operate us expected… I do not treat my colleagues like my parents and I don’t cook with the same attitude I play basketball.

Sometimes, a hobby, a person, a general condition becomes so vital to us that is not “yet another thing” we do. It is something special, something really important to us… When this time happens for one of our branches we have to…

git merge

Here is why git shines. When we have a great hobby, that really means a lot to us, we have to merge it into our master branch.

$ git checkout master
$ git merge hobby_that_defines_you

after that, our hobby is included in the master branch, meaning that is an essential part of ourselves.

Problems start when some branches of ours that we want to merge to our master branch, have changed our inner selves in such a way that contradicts our personality.
When this happens we have the most serious first world problem:

 

The Merge Conflict…

Let’s say that:
as a person you are cheerful and generally happy, but then you met that goth girl, that  hates smiling and always wears that ring with the skull on it that gives you the creeps.

You are yourself when out with your friends, and you checkout to your Emo branch when with your goth girl! Great, that’s what branches are all about. But then you have to go to a party, were both your friends and your girlfriend will be there. Trying to merge those two branches raises the issue:

$ git checkout party_with_friends
$ git merge goth_girlfriend
Auto-merging attitude
CONFLICT (add/add): Merge conflict in attitude
Automatic merge failed; fix conflicts and then commit the result.
$
$ cat attitude
<<<<<<< HEAD
Happy and ready for the party!
=======
Look like I hate myself.
>>>>>>> goth_girlfriend

This issue has to be resolved. The way to resolve it is to get to that file and remove anything that doesn’t really belong to you.

I believe that all psychological problems start with such conflicts. When merging, back to master, incompatible branches of our egos… This is because the heavy development has to be done in master branch. The heavy development and commiting has to be in ourselves. While gaining experience we learn when to merge. We also learn when to…

 

git rebase

When a huge event like a marriage, a job, a loss, a break-up happens, our whole life is then defined by it. Our personal history can be split to before the event and after the event periods. We can remember being completely different before the event.

But now that the event has happened and we have plenty of commits on its branch, it is really easier to adopt our master branch on the branch of the new event, than checkout again to our old and dusty self – master branch.

This is when a rebase happens. When we need to redefine ourselves on top of another event. Notice the difference with the merge. Merge puts some additional things to our master. Rebase redefines our master to include the additional things historically.

 

Concluding

And the list goes on!

  • git cherry-pick, when we try to keep only the good stuff from a situation of ours,
  • git blame when we try to find when we made the wrong choice and what went wrong,
  • git tag when we accomplish something memorable.

The next time I get across someone that believes that computer science is far away from the human nature (there is such argument), I ‘ll answer 2 words (kinda)

$ git --help

*mic drop*

 

Information Gathering is not enough. Information storing and sharing is better. Meet GatherOS …

I ‘ve been absent for a while, switching jobs and analyzing personal goals couldn’t be postponed any longer. Now I am back to the grid! And I got a new tool too!

 

Why Gathering is a hell of a job…

Information about the target is what keeps the wheel spinning. More info, more attacks, more successful attacks, more shells, moar powah.

That applies perfectly for Vulnhub VMs and 3-4 hours CTFs, but the problem is obvious with assessments that require a team. The scalability isn’t exactly great when Information Gathering has to be done for a network and several hosts. Actually it ‘s a pain. If you have been there you know, if you haven’t, here are several examples:

- Hey, I started a minus A nmap for the slash 24
- Shit man, I am at 56 percent on the nmap.
- Ok, I control-c'd, what switches?
- Top 100, finished, come to see the results.
(Whole team leans towards a single monitor)
- OK OK, I GOT A SHELL (yelling)
- Great, what user? (yelling)
- wou wou data (www-data)
- What kernel?  (yelling)
- 3.8
- Distro?
- Ubuntu 14.04
- Check SUIDs!!!   (yelling)
- Hey buddy, stop yelling, I know what to do!
- I am not your buddy, pal
- I am not your pal, guy
- I am not your guy, friend
- I am not your...
...
- I uploaded the file!
- Good, what is the name?
- not *under* a *under* backdoor *dot* php (not_a_backdoor.php)
- Are you a moron? This is a Tomcat shit, why php?
- Who told me that?
- I told you before. (yelling)
- Oh, fuck you! You said that it 's Apache (yelling)
- Yes, it 's "Apache Tomcat" (yelling)
***Slap***

Generally Info-gathering with a team is a mess. Been there several times, yelled like this, got slapped twice, been to jail for ten long years, because I killed a guy who misinterpreted 1/* for */1 in a crontab file and then the whole team spent an hour on facebook as we missed to start our handler on time.

Tools have tried to bridge the gap. Most of them fail badly for inexperienced teams as they need an amount of seriousness to work. Dradis falls flat under this category. It is great but you have to learn to use it. Who has time for that shit? Life is short. People still use metasploit.

 

GatherOS: not the nasty shit you’re waiting for…

Two things are more essential than just gathering. They are sharing and storing. GatherOS handles them both neaty.

The Idea is simple. You got a Reverse/Bind Shell, SSH, physical access to a system (be it Linux or –for the love of god– Windows). There are some basic stuff you have to run on the shell to understand what kind of machine you semi-pwned.

If you like keyboard, you remember the commands (cat /etc/passwd, cat /etc/*release, crontab -l, etc) but you will miss at least one (uname -a).

If you once liked keyboard you have a script with nice and dandy output.
So you python -m SimpleHTTPServer 8080 the script and then you go for the download from the pwned machine:
wget: command not found.
OK, cool. You netcat to your machine and start typing the HTTP Request:

GET /scroipt.sh HTTP/1.1


404 Not Found

Mistyped the script name…

You whisper something on the classic “fuck” pentester’s dialect and open the script with gedit copy-pasting all the commands to the reverse shell. Hating yourself.

After half an hour a colleague asks you: “what was the MAC for the 172.16.47.128 ?“.
You have no idea, you are still copy-pasting…

 

What GatherOS does…

First things first. GatherOS resides here: https://github.com/operatorequals/gatheros
and has been the subject of about 2 rewrites. Also available with pip.
Just pip install gatheros and the commands will be in your PATH (like magic)!

Now the juicy stuff!

gatheros-exec

The heart of the package!

It’s a simple python module that gets a special formatted JSON file input containing OS commands, and runs them against a shell (be it reverse/bind/ssh/local). Then it stores the output in a JSON file.

 

gatheros-show

The reason GatherOS exists

This module consumes JSON files created by gatheros-exec and fires up a flask web application, nicely presenting the command outputs for everyone to see and admire!

 

A showcase!

$ gatheros-exec -o /tmp/$(uname -r).json local
[waiting less than a minute...]
$ ls -lh /tmp
Total 1-rw-r--r-- 1 unused unused 110K Feb 6 13:10 4.9.0-kali1-amd64.json

And done! GatherOS ran the default InfoGathering scenario (built-in) against the local machine. For SSH on port 1022 it would be:

$ gatheros-exec -o /tmp/$(uname -r).json ssh uname@localhost -p1022

 

Now that there is a GatherOS file we could present it with gatheros-show at port 8086 (default is 8085):

$ gatheros-show /tmp/4.9.0-kali1-amd64.json -p8086

Woah! A Firefox spawned with this:

This slideshow requires JavaScript.

Let’s see the MAC now!

gatheros_3

As you may have recognized the default Information Gathering Scenario is heavily based on the rebootuser’s Cheatsheet that I believe it is the complete Cheatsheet out there! I can’t, but thank this site as well as it’s references for providing so useful commands for eager privilege escalators!

A Windows Scenario will also be ready in a later release!

 

Storing the Info!

Just zip the JSON files for later use!
gatheros-show will always serve you whichever JSONs you feed it.

 

Why “Information Gathering scenarios” ?

Well, those JSONs aren’t just lists of grouped commands. They contain a whole logic on which commands should run in case some others fail to run, based on a dependency oriented model.
This aspect of GatherOS can be used to automatically launch local-root exploits and other goodies as well, and it will be explained in a later post, when some more development will have taken place!

Stay tuned, it ‘s gonna be huge!