Domain Fronting

I came across a really interesting technique for using high-trust domains as redirectors to a censored/forbidden site.  During a security assessment, these could be setup to redirect C2 traffic from your target network to a server under your control (normally inaccessible).  The nuts and bolts of it are discussed in this write-up that’s almost two years old, but still relevant – https://www.bamsoftware.com/papers/fronting/.

The basic definition of Domain Fronting is a “general-purpose circumvention technique based on HTTPS that hides the true destination of a communication from a censor.”  Content delivery networks (CDN’s) allow users to create accounts with them that include a high-trust domain (Google, Microsoft, Amazon, and others).  You can use domain fronting by making the DNS query and SNI HTTPS destination host headers point to such a “high-trust” domain (e.g., a0.awsstatic.com), which can then forward it to the actual domain you want to visit encrypted within your HTTPS traffic as part of the HTTP Host Header.  Censors will be unable to block your traffic without some serious collateral damage that could prevent access to these otherwise “high-trust” domains.  This isn’t a free service, but it’s by no means cost prohibitive.

Recently Raphael Mudge provided a nice video and write-up of using this technique with Cobalt Strike.  Instead of paraphrasing it all, here are the links:

• High-reputation Redirectors and Domain Fronting
• Video: Domain Fronting and High-trust Redirectors with Cobalt Strike

 

SSH Config

If you use ssh a lot and you’re not in a Windows environment to use PuTTY, create a file – .ssh/config – with the following information:

Host myHost

HostName x.x.x.x
User userName

Host myHost2

HostName y.y.y.y 
User userName2

LibreOffice Base to View Access DB

This is a summary of a post found on askubuntu.com.  Useful for opening up an acquired accdb file on Debian/Ubuntu.

One-time setup:

1. Make sure LibreOffice Base is installed – sudo apt-get install libreoffice-base
2. Download UCanAccess and extract it – http://ucanaccess.sourceforge.net/site.html
3. Launch LibreOffice (not Base, just the main launcher)
4. Tools > Options > Advanced > Class Path
5. Add Archive: /root/Downloads/UCanAccess-3.0.7-bin/loader/ucanload.jar
6. Close LibreOffice Launcher

Per-Database setup:

1. Launch Base
2. Connect to an existing DB (JDBC)
3. Datasource URL – jdbc:ucanaccess:///path/to/.accdb/file
4. JDBC driver class – net.ucanaccess.jdbc.UcanloadDriver
5. Next, leave blank
6. Finish/Save

Spear Phishing Setup with IceDove/Thunderbird

For spear phishing I’ve recently found quite a few benefits with using IceDove on Kali (similar to Thunderbird, same settings below should apply). If you register a domain name with namecheap.com, you can get free email for two months, WHOISGuard is free, and Premium DNS is an extra $5, a rather inexpensive setup.  Adding a new account is pretty straightforward as well.  However, when you add the account, you have to set up your name as the email address at first.  Once it’s setup, you can go back and change it to display whatever name you want.

Once that’s setup, you can also change how the email address actually appears in your target recipient’s mailbox.  The following will show up as coming from bill.gates@microsoft.com.  If the person chooses to reply (or look closer at the email headers), the reply message will be sent to the Reply To address (and will be displayed in the To address of the reply email):

One other beneficial feature is the Send Later Add-on (Tools > Add-ons) that will allow you to queue up emails to be sent at whatever odd hours are required to get your phish in the desired email box at a reasonable time in the target time zone:

Format Long String for VBA with Python

The following python script was useful when I had a long payload that I needed to add into a VBA macro.  It takes the string and then breaks it up into lines that can be added to the VBA.  VBA rules won’t let you have more than 25 line continuations and there’s also a certain length of string that can be in there as well.  The solution largely came from one of the responses here – http://stackoverflow.com/questions/9475241/split-python-string-every-nth-character .  The ‘320’ value is the number of characters I decided to make each line, you could easily make the script figure out how many characters per line were needed to keep within VBA’s boundaries.

text = "superlongstringtobreakup"

def split_by_n( seq, n ):
    """A generator to divide a sequence into chunks of n units."""
    while seq:
        yield seq[:n]
        seq = seq[n:]

commandlist = list(split_by_n(text,320))

f = open('powershell32_vba.txt', 'w')

for line in commandlist:
    f.write('& "' + line + '" _\n')

PowerShell Empire on AWS

I ran into quite a few issues setting up PowerShell Empire on an amazon ec2 server in the free tier.  The following commands took quite a bit of research to figure out.  Hopefully they will be usefull to others in the near future.

sudo pip install flask
sudo pip install --upgrade pip (beware, this broke pip, had to then use easy_install)
sudo yum install python27-pyOpenSSL.x86_64
sudo easy_install pyopengl* (not sure if necessary, but came across it on a post and things started working)
sudo easy_install pydispatcher
sudo easy_install iptools
git clone https://github.com/Hypernode/M2Crypto.git
sudo yum install swig
sudo yum install openssl-devel
sudo yum install gcc
./fedora_setup.sh build
sudo python setup.py install
sudo ./empire

OSINT Gathering

The following is the process I’ve followed for gathering intel during security assessments I’ve participated in.  OSINT gathering shouldn’t require you to send any packets to your target organization and as such, can usually be done in advance to an assessment date.

People OSINT

1. Run theharvester and Maltego against the target domain (likely email domain) to generate a list of email addresses for importing into Recon-ng.
   • python theHarvester.py -d <targetDomain> -b all -v -f <outputFile>
   • import into Recon-ng using import/list
2. Run the following Recon-ng modules to check which users have been involved in any public credential leaks:
   • hibp_breach
   • hibp_paste
3. I use Recon-ng as the basis for storing the majority of the data gathered.  I’ll create a separate workspace for each assessment and start by uploading the results from step one and then run salesmaple to finish up the email address gathering.  I haven’t had much success with the Facebook or LinkedIn modules, so tend to do that research more manually.
4. For gathering intel on particular individuals (more for social engineering components of a security assessment), Michael Bazzell’s books and website have been invaluable.  Specifically his centralized search portal.  I highly recommend you at least watch the Free Video to get an idea of the power of some of the search tools in the portal.
   • The “Custom Search Tools” are what I’ve used the most.  The Facebook search tool can pull out all sorts of information that Facebook makes difficult to access if you are not friends with someone.  You do have to have to be logged into a Facebook account for this tool to work, and as a warning, whatever your account name is will likely show up on the target’s Facebook page suggesting that they become friends with you (and vice-a-versa); you may want to create an anonymous account (a good precaution for searches you make on any tools that require an account).
   • The Search Engines Tools is great for searching for a person’s name or other identifying information across a number of search engines (you do need to make sure you allow pop-ups if you want the results for each browser to be displayed in separate tabs, otherwise you can only search one at a time).
   • The Person Search, Username Search, Pastebin Search, Document Search, and others have been very useful.
5. An additional resource for researching a specific person is any database that your Library has access to.  I can login to several different premium background search databases through different public library portals free of charge.
6. Some premium services cost very little per month and are another resource (e.g., intelius.com, pipl.com, spokeo.com)
7. Some other resources for gathering information on individuals
   • Search for Amazon wishlists
   • wigle.net
   • echosec.net
   • articles published by local newspapers

Technology OSINT

1. Searching whois for netblocks belonging to the target organization is good place to start.  Be creative with how you search for the target entity’s name, often times the names are truncated or just different altogether.  You can use an asterisk (*) in your searches as a wildcard.  Recon-ng does a decent job at querying whois [whois_miner], provided you have a variety of company names to search by in your companies table.
2. Load any known domains into your Recon-ng db (or use modules to populate them) and run the following modules:
   • netblocks-hosts/reverse_resolve
   • google_site_web
   • yahoo_domain
   • baidu_site
   • bing_domain_web
   • hosts-hosts/resolve
   • pgp_search
   • salesmaple
   • census_2012 (dated, but could be useful)
   • xssed
   • xssposed
   • netcraft
   • ssl_san
   • punkspider
   • builtwith (this is best run if you redirect the output to a text file and then use some sed/awk magic to strip out the technologies in use, otherwise this data doesn’t get stored in the db)
   • vpnhunter
3. Maltego is a great resource.  Running any of their machines on various entities can provide a wealth of information.
4. Censys.io is another resource and relatively new.  It has an API and Recon-ng has a module for it, but it wasn’t working at the time of this post.  You can get scan data on your target without sending any packets.

Kali Linux Issue Starting Metasploit/Postgres

When trying to start Metasploit from the Application menu or starting postgresql from the command line I got the following error:

“Starting PostgreSQL 9.1 database server: main[….] The PostgreSQL server failed to start. Please check the log output”

I was also running low on available space in my VM too, so clearing out the /tmp directory and running ‘apt-get clean’ seemed to help.  I updated the /usr/sbin/update-rc.d file and commented out postgres in the black list and wrote it in enabled in the white list section.  Then, after rebooting, I just had to start postgres manually:

su postgres -c "/usr/lib/postgresql/9.1/bin/postgres -D /etc/postgresql/9.1/main/" &

PwnPad Installation Tutorial thru Kali VM

I attended the Pwnie Express PwnPad Installation class at DerbyCon 3.0 and found out how to install the PwnPad image on my Nexus7 (16GB, 1st generation, WiFi only) thru a Kali VM image.  I won’t write out the entire process, just the differences from their installation document.

Unfortunately you can’t just “apt-get install adb fastboot” you have to add some french repositories and install a few other packages to get it going.  The following commands should get you through that (many thanks to the Kali developer that attended the DerbyCon class for this!) –

1. mkdir /opt/android && cd /opt/android
2. echo “deb-src http://debian.ens-cachan.fr/ftp/debian/ sid main contrib non-free” >> /etc/apt/sources.list
3. apt-get update
4. apt-get -y build-dep android-tools
5. apt-get -y source –build android-tools
6. dpkg -i android-tools-*.deb
7. cd ~
8. rm -rf /opt/android
9. sed -i ‘s/.*cachan\.fr.*//’ /etc/apt/sources.list

At command #6 I kept getting a “no space left on device” error, but running “apt-get clean” fixed that issue for me.  Once that’s done, you should be good to go.  Prep the USB drive like it says and follow the remaining instructions.

Once installed, open a root shell and hit enter a couple times, then type ‘yes’ when prompted to setup your ssh keys with a blank password (needed to run some of the scripts on the device).  Be sure to install the latest updates from pwnieexpress.com (it’s easiest to just browse there on your tablet and then copy/paste the wget command into a shell on the device.

Using RatProxy in Windows (Updated)

These instructions are largely copied from a post by SecureIdeas, but there were enough issues that I had to work through that I thought I’d post what was successful for me.   Using these instructions I was able to successfully install ratproxy on Windows XP SP3 and Windows 7 SP1, both 32-bit systems running in VMware Workstation.

Install Cygwin

1. Download the Cygwin installer from http://www.cygwin.com.
2. Run the Setup.exe installer.
3. Follow the on screen prompts, using the default is fine, until the Utilities screen appears.  Select the following packages:
   1. Select make from the devel package.
   2. Select gcc-core from the devel package.
   3. Search for “openssl” and select the following from the net package.
   • openssl-devel
   • libopenssl
   • openssl
4. Complete the installation.  This may take some time as it downloads all of the packages needed.

Install ratproxy

1. Download the package from http://code.google.com/p/ratproxy/.
2. Unzip the downloaded ratproxy distribution file into the Cygwin directory.  If cygwin was installed to C:\cygwin then ratproxy should be unzipped to C:\cygwin\ratproxy. 
3. Update Flare (used to decompile flash objects):
   1. For the latest instructions open the readme file in the \ratproxy\flare-dist directory.
   2. Open the URL for the Windows distribution and save the file.
   3. Unzip the file into the \ratproxy\flare-dist directory.
4. Open a Cygwin bash by double-clicking the C:\cygwin\Cygwin.bat file.
5. Navigate to the ratproxy directory.  If installed at C:\cygwin\ratproxy, type cd ../../ratproxy and press enter.
6. Type make and press enter.
   1. If you receive an error that looks like this: “ratproxy.c:1635: error: incompatible type for argument 2 of ‘waitpid'” the ratproxy.c file needs to be modified.
   2. Open ratproxy.c and modify line 1635 “while (waitpid(-1,&x,WNOHANG) > 0);” to be “while (waitpid(-1,(int*)&x,WNOHANG) > 0);“.
   3. run the make command again. This should run successfully.
7. Add cygwin to your path.
   1. Right-click “My Computer” and select “Properties”.
   2. Select “Advanced system settings” and then select “Environmental Variables”.
   3. Find the “Path” variable under “System Variables” and edit it.
   4. Add “;C:\Cygwin” (without the quotes) to the end of the “Variable Value”.

Before actually running ratproxy (after following the instructions on installing it), make sure that the following .dll files are in the ratproxy directory:

• cygcrypto-1.0.0.dll (if that’s the version of OpenSSL you installed)
• cyggcc_s-1.dll
• cygssl-1.0.0.dll
• cygwin1.dll
• cygz.dll

Simplify Running ratproxy

Also, I highly recommend using a batch file to simplify running the proxy, so you don’t have to remember which flags you like to use (just know that the batch file has to be located in the ratproxy directory, if you want it elsewhere, just create a shortcut).

Sample .bat file running RatProxy through Burp listening on 8080 (browser proxy points to RatProxy on 8081):

@echo off

rem default values
set logfilename=""
set domain=""

rem set base log file name and target domain
:setfilename
 set /p logfilename=Enter base log file name: 
 if %logfilename%=="" goto setfilename
 
:setDomain
 set /p domain=Enter target domain (www.domain.com): 
 if %domain%=="" goto setDomain

rem Run ratproxy
start "" "C:\cygwin\ratproxy\ratproxy.exe" ^
-w /cygdrive/c/temp/rp-logs/%logfilename%.log ^
-v /cygdrive/c/temp/rp-traces -d %domain% -p 8081 ^
-P 127.0.0.1:8080 -lextifscgjm