Archive
Spear Phishing Setup with IceDove/Thunderbird
For spear phishing I’ve recently found quite a few benefits to using IceDove on Kali (similar to Thunderbird; the same settings below should apply). If you register a domain name with namecheap.com, you get free email for two months, WHOISGuard is free, and Premium DNS is an extra $5, a rather inexpensive setup. Adding a new account is pretty straightforward as well. However, when you add the account, you have to set your name to the email address at first. Once it’s set up, you can go back and change it to display whatever name you want.
Once that’s set up, you can also change how the email address actually appears in your target recipient’s mailbox. The following will show up as coming from bill.gates@microsoft.com. If the person chooses to reply (or looks closer at the email headers), the reply message will be sent to the Reply-To address (which will be displayed in the To field of the reply email):
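As an added example (not code from the original post), here is the header check a mail gateway or analyst would run to catch exactly the pattern described above: a From address on one domain with a Reply-To on another, or a display name that is itself an address on a different domain. It uses only the Python standard library; the sample message and the Reply-To domain are constructed placeholders.

```python
# Added example, not code from the original post: flag the header pattern
# the post describes (From on one domain, Reply-To on another, or a display
# name that is itself an address on a different domain). Standard library only.
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; the Reply-To domain is a made-up placeholder.
SAMPLE_MESSAGE = """\
From: Bill Gates <bill.gates@microsoft.com>
Reply-To: Bill Gates <bill.gates@phish.example.net>
To: recipient@example.org
Subject: Quick question
Date: Mon, 14 Oct 2013 03:12:00 -0400

Can you take a look at this when you get in?
"""


def address_domain(header_value):
    """Lower-cased domain of the mailbox in a From/Reply-To header, or None."""
    _display, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def display_name_domain(header_value):
    """If the display name itself looks like an address, return its domain, else None."""
    display, _addr = parseaddr(header_value or "")
    match = re.search(r"[\w.+-]+@([\w.-]+)", display)
    return match.group(1).lower() if match else None


def analyze_headers(raw_message):
    """Compare the From domain with the Reply-To domain and the display name.

    A missing Reply-To is not a mismatch: replies then go back to the From
    address. Only a Reply-To that points somewhere else is flagged.
    """
    msg = message_from_string(raw_message)
    from_header = msg.get("From")
    from_domain = address_domain(from_header)
    reply_domain = address_domain(msg.get("Reply-To"))
    name_domain = display_name_domain(from_header)
    return {
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        "reply_to_mismatch": reply_domain is not None and reply_domain != from_domain,
        "display_name_mismatch": name_domain is not None and name_domain != from_domain,
    }


if __name__ == "__main__":
    print(analyze_headers(SAMPLE_MESSAGE))
```

Run against a mailbox export or a gateway feed, the two boolean fields are what to alert on; the domains are returned as well so the alert can show the analyst where replies would actually go.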
One other beneficial feature is the Send Later Add-on (Tools > Add-ons) that will allow you to queue up emails to be sent at whatever odd hours are required to get your phish in the desired email box at a reasonable time in the target time zone:
PowerShell Empire on AWS
I ran into quite a few issues setting up PowerShell Empire on an Amazon EC2 server in the free tier. The following commands took quite a bit of research to figure out. Hopefully they will be useful to others in the near future.
- sudo pip install flask
- sudo pip install --upgrade pip (beware, this broke pip, had to then use easy_install)
- sudo yum install python27-pyOpenSSL.x86_64
- sudo easy_install pyopengl* (not sure if necessary, but came across it on a post and things started working)
- sudo easy_install pydispatcher
- sudo easy_install iptools
- git clone https://github.com/Hypernode/M2Crypto.git
- sudo yum install swig
- sudo yum install openssl-devel
- sudo yum install gcc
- ./fedora_setup.sh build
- sudo python setup.py install
- sudo ./empire
PwnPad Installation Tutorial thru Kali VM
I attended the Pwnie Express PwnPad Installation class at DerbyCon 3.0 and found out how to install the PwnPad image on my Nexus7 (16GB, 1st generation, WiFi only) thru a Kali VM image. I won’t write out the entire process, just the differences from their installation document.
Unfortunately you can’t just “apt-get install adb fastboot”; you have to add a French source repository and install a few other packages to get it going. The following commands should get you through that (many thanks to the Kali developer who attended the DerbyCon class for this!):
- mkdir /opt/android && cd /opt/android
- echo "deb-src http://debian.ens-cachan.fr/ftp/debian/ sid main contrib non-free" >> /etc/apt/sources.list
- apt-get update
- apt-get -y build-dep android-tools
- apt-get -y source --build android-tools
- dpkg -i android-tools-*.deb
- cd ~
- rm -rf /opt/android
- sed -i 's/.*cachan\.fr.*//' /etc/apt/sources.list
At command #6 (the “apt-get source --build” step) I kept getting a “no space left on device” error, but running “apt-get clean” fixed that issue for me. Once that’s done, you should be good to go. Prep the USB drive as the installation document says and follow the remaining instructions.
Once installed, open a root shell and hit enter a couple of times, then type ‘yes’ when prompted to set up your ssh keys with a blank password (needed to run some of the scripts on the device). Be sure to install the latest updates from pwnieexpress.com (it’s easiest to just browse there on your tablet and then copy/paste the wget command into a shell on the device).
Using RatProxy in Windows (Updated)
These instructions are largely copied from a post by SecureIdeas, but there were enough issues that I had to work through that I thought I’d post what was successful for me. Using these instructions I was able to successfully install ratproxy on Windows XP SP3 and Windows 7 SP1, both 32-bit systems running in VMware Workstation.
Install Cygwin
- Download the Cygwin installer from http://www.cygwin.com.
- Run the Setup.exe installer.
- Follow the on-screen prompts (the defaults are fine) until the Utilities screen appears. Select the following packages:
- Select make from the devel package.
- Select gcc-core from the devel package.
- Search for "openssl" and select the following from the net package.
- openssl-devel
- libopenssl
- openssl
- Complete the installation. This may take some time as it downloads all of the packages needed.
Install ratproxy
- Download the package from http://code.google.com/p/ratproxy/.
- Unzip the downloaded ratproxy distribution file into the Cygwin directory. If cygwin was installed to C:\cygwin then ratproxy should be unzipped to C:\cygwin\ratproxy.
- Update Flare (used to decompile flash objects):
- For the latest instructions open the readme file in the \ratproxy\flare-dist directory.
- Open the URL for the Windows distribution and save the file.
- Unzip the file into the \ratproxy\flare-dist directory.
- Open a Cygwin bash by double-clicking the C:\cygwin\Cygwin.bat file.
- Navigate to the ratproxy directory. If installed at C:\cygwin\ratproxy, type cd ../../ratproxy and press enter.
- Type make and press enter.
- If you receive an error that looks like this: "ratproxy.c:1635: error: incompatible type for argument 2 of 'waitpid'", the ratproxy.c file needs to be modified.
- Open ratproxy.c and modify line 1635 "while (waitpid(-1,&x,WNOHANG) > 0);" to be "while (waitpid(-1,(int*)&x,WNOHANG) > 0);".
- Run the make command again. This should run successfully.
- Add cygwin to your path.
- Right-click "My Computer" and select "Properties".
- Select "Advanced system settings" and then select "Environmental Variables".
- Find the "Path" variable under "System Variables" and edit it.
- Add ";C:\Cygwin" (without the quotes) to the end of the "Variable Value".
Before actually running ratproxy (after following the instructions on installing it), make sure that the following .dll files are in the ratproxy directory:
- cygcrypto-1.0.0.dll (if that’s the version of OpenSSL you installed)
- cyggcc_s-1.dll
- cygssl-1.0.0.dll
- cygwin1.dll
- cygz.dll
Simplify Running ratproxy
Also, I highly recommend using a batch file to simplify running the proxy, so you don’t have to remember which flags you like to use (note that the batch file has to be located in the ratproxy directory; if you want it elsewhere, create a shortcut to it).
Sample .bat file running RatProxy through Burp listening on 8080 (browser proxy points to RatProxy on 8081):
@echo off
rem default values
set logfilename=""
set domain=""
rem set base log file name and target domain
:setfilename
set /p logfilename=Enter base log file name:
if %logfilename%=="" goto setfilename
:setDomain
set /p domain=Enter target domain (www.domain.com):
if %domain%=="" goto setDomain
rem Run ratproxy
start "" "C:\cygwin\ratproxy\ratproxy.exe" ^
-w /cygdrive/c/temp/rp-logs/%logfilename%.log ^
-v /cygdrive/c/temp/rp-traces -d %domain% -p 8081 ^
-P 127.0.0.1:8080 -lextifscgjm
Logging Attack Traffic
When performing a test, it is important that you log all your activity so that you have proof of what you were doing, in case anything goes awry (and it is not your fault!). Here are a couple methods of logging activity:
- Wireshark: before you start capturing data, in the Capture Options window select "Use multiple files" and in the "Next file every" field specify the upper limit of the file size that you desire (a new file will be created once the current file reaches that limit); see image below.
- Tshark (found in the c:\program files\wireshark directory): "c:\program files\Wireshark\tshark.exe" -i [interface] -w [base file name] -b filesize:[file size in KB] -p [this flag restricts monitoring to the current VM; otherwise all VM traffic will be captured]
- This option doesn’t put as much strain on your machine as using Wireshark does
- tcpdump: tcpdump -i [interface, use 'tcpdump -D' to get list] -w [base file name] -C [file size in MB]
- Another low resource option
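All three options above rotate the capture into a series of files. The logs only serve as proof if you can later show the set is complete and unchanged, so here is an added example (not from the original post, standard library only) that records the size and SHA-256 of every fragment in a manifest, checks that each file actually starts with a pcap or pcapng magic number, and re-verifies the set afterwards. The demo writes constructed fragments to a temporary directory; the base name "engagement_" is a placeholder.

```python
# Added example, not code from the original post: after capturing with the
# rotating-file options above (Wireshark "Next file every", tshark -b,
# tcpdump -C), record the size and SHA-256 of every capture fragment in a
# manifest so the set can later be shown to be complete and unmodified.
# Standard library only; demo() writes constructed fragments to a temp dir.
import hashlib
import os
import struct
import tempfile

# File magics for classic pcap (both byte orders) and pcapng.
PCAP_MAGICS = (b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4", b"\x0a\x0d\x0d\x0a")


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large captures do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def looks_like_capture(path):
    """True if the file starts with a pcap or pcapng magic number."""
    with open(path, "rb") as f:
        return f.read(4) in PCAP_MAGICS


def build_manifest(capture_dir, base_name):
    """One entry per file in capture_dir whose name starts with base_name, in name order."""
    entries = []
    for name in sorted(os.listdir(capture_dir)):
        if not name.startswith(base_name):
            continue
        path = os.path.join(capture_dir, name)
        entries.append({
            "file": name,
            "bytes": os.path.getsize(path),
            "sha256": sha256_file(path),
            "capture_header": looks_like_capture(path),
        })
    return entries


def verify_manifest(capture_dir, manifest):
    """Names of manifest entries that are now missing or whose hash changed."""
    changed = []
    for entry in manifest:
        path = os.path.join(capture_dir, entry["file"])
        if not os.path.exists(path) or sha256_file(path) != entry["sha256"]:
            changed.append(entry["file"])
    return changed


def demo():
    """Write three constructed pcap fragments, build a manifest, tamper with one, re-verify."""
    # Minimal classic pcap global header: magic, version 2.4, tz 0, sigfigs 0,
    # snaplen 65535, link type 1 (Ethernet). No packet records follow.
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    with tempfile.TemporaryDirectory() as d:
        for i in range(3):
            with open(os.path.join(d, f"engagement_0000{i}.pcap"), "wb") as f:
                f.write(header)
        with open(os.path.join(d, "notes.txt"), "w") as f:
            f.write("not a capture\n")  # different base name, so ignored
        manifest = build_manifest(d, "engagement_")
        clean = verify_manifest(d, manifest)
        with open(os.path.join(d, "engagement_00001.pcap"), "ab") as f:
            f.write(b"\x00")  # tamper with one fragment after the manifest was taken
        all_captures = all(e["capture_header"] for e in manifest)
        return len(manifest), clean, verify_manifest(d, manifest), all_captures


if __name__ == "__main__":
    print(demo())
```

Write the manifest out (JSON is fine) as soon as the capture ends and keep it apart from the capture files; a fragment whose hash no longer matches, or a gap in the numbered sequence, is what you would otherwise have no way to explain.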
Extracting Certs and Keys from .pfx and using with sqlmap
I only had a .pfx file to work with and needed to extract the key and certificate in order to use sqlmap against a particular site. This site provided all the steps I needed to do that.
- Extract private key:
openssl.exe pkcs12 -in file.pfx -nocerts -out privKey.pem
- Extract certificate:
openssl.exe pkcs12 -in file.pfx -clcerts -nokeys -out cert.pem
- Remove password from private key:
openssl.exe rsa -in privKey.pem -out private.pem
Once that is done, run sqlmap with the following flags (private.pem is the passwordless key produced in the last step):
sqlmap -u https://www.targeturl.com --auth-cert private.pem,cert.pem
To save time typing in the key and cert locations, on Windows you can just drag the file into the command prompt (not sure about Linux/Mac).
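As an added check (not from the original post), the script below inspects the PEM files those three openssl steps produce before they are handed to sqlmap: it confirms the key file holds an unencrypted PRIVATE KEY block and the cert file a CERTIFICATE block, and catches the two files being passed in the wrong order. This matters because "pkcs12 -nocerts" writes the key encrypted by default, while the "openssl rsa" step writes it back out with no passphrase, so private.pem is plaintext key material and deserves the same handling as the original .pfx. Standard library only; the PEM samples are constructed placeholders, not real keys or certificates.

```python
# Added example, not code from the original post: inspect the PEM files the
# three openssl steps produce before handing them to sqlmap. Standard library
# only; it reads PEM block labels and does not decode any key material.
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)

# Constructed samples with placeholder bodies (not real keys or certificates).
ENCRYPTED_KEY_PEM = (
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
    "MIIplaceholderNotRealKeyMaterial==\n"
    "-----END ENCRYPTED PRIVATE KEY-----\n"
)
LEGACY_ENCRYPTED_KEY_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n"
    "\n"
    "MIIplaceholderNotRealKeyMaterial==\n"
    "-----END RSA PRIVATE KEY-----\n"
)
PLAIN_KEY_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MIIplaceholderNotRealKeyMaterial==\n"
    "-----END RSA PRIVATE KEY-----\n"
)
CERT_PEM = (
    "Bag Attributes\n"
    "    localKeyID: 01\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MIIplaceholderNotRealCertificate==\n"
    "-----END CERTIFICATE-----\n"
)


def pem_blocks(text):
    """Return [(label, encrypted)] per PEM block; text outside blocks (Bag Attributes) is ignored."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group("label"), m.group("body")
        # PKCS#8 encrypted keys say so in the label; legacy PEM keys carry a Proc-Type header.
        encrypted = label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body
        blocks.append((label, encrypted))
    return blocks


def check_auth_cert_inputs(key_pem, cert_pem):
    """Problems with a (key file, cert file) pair for --auth-cert key,cert; empty list means usable."""
    problems = []
    key_blocks = [b for b in pem_blocks(key_pem) if b[0].endswith("PRIVATE KEY")]
    if not key_blocks:
        problems.append("key file contains no PRIVATE KEY block")
    elif any(encrypted for _, encrypted in key_blocks):
        problems.append("private key is still passphrase-protected; run the 'openssl rsa' step first")
    cert_blocks = pem_blocks(cert_pem)
    if not any(label == "CERTIFICATE" for label, _ in cert_blocks):
        problems.append("cert file contains no CERTIFICATE block")
    if any(label.endswith("PRIVATE KEY") for label, _ in cert_blocks):
        problems.append("cert file also contains a private key; the arguments may be swapped")
    return problems


if __name__ == "__main__":
    print(check_auth_cert_inputs(PLAIN_KEY_PEM, CERT_PEM))
    print(check_auth_cert_inputs(ENCRYPTED_KEY_PEM, CERT_PEM))
```

Point it at the real files with open(path).read() in place of the samples; an empty list from check_auth_cert_inputs means the pair is in the shape the sqlmap command above expects.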
Option 2:
If you have your client cert loaded into Burp, you could just use the sqlmap option '--proxy="http://localhost:8080"' and have sqlmap go through Burp, and then not worry about extracting certs/keys. This would have been easier, but I found out about it later. Good to know for the future.
VxWorks Debugging with BT5r3
I had to make a few modifications to the code referenced here in order to get it running in Backtrack 5 r3.
Download and extract the tarball
- Download the tarball, extract to an easy to locate directory (e.g., /pentest/forensics/vxworks/).
- Navigate to the directory and extract the files ('tar zxvf filename.tar.gz')
In the vxworks_mem_search.rb file, make sure that you put the full path to the vxworks_collide file on line 4, e.g.,
- require '/dir/dir/…/vxworks_collide'
To help with encoding issues, place the following at the beginning of the file
- # encoding: UTF-8
And then at the line where the file reads the memory_data ("memory_data = File.read(input_file)") add the following right after the closing parenthesis:
- .force_encoding("ISO-8859-1").encode("utf-8", replace: nil)
Save the file.
Run the file with the following command:
- ruby vxworks_mem_search.rb lookup.txt dump.mem (where dump.mem is the memory dumped using the corresponding Metasploit exploit module)
nessusrc
I was given a nessusrc file to run with and not much explanation. I was able to successfully run a few scans, but nothing too exciting came from them. I thought (naively) that if I were to install some vulnerable webapps on the VM (Mutillidae or Damn Vulnerable Web App) I would get some more interesting results; of course I was wrong. I figured it probably had something to do with the plugins that were running and other settings defined in the nessusrc file, so this is my attempt at explaining what I find.
Renaud was kind enough to reply to someone else’s question on the same topic. He described the sections of the nessusrc file as follows:
SERVER_PREFS: these are the options which are sent back to the nessus daemon. They are all documented on the nessusd side – see /usr/local/etc/nessus/nessusd.conf
SCANNER_SET: the list of port scanners that are enabled by the user. You can merge this section within PLUGIN_SET, because scanners are plugins
PLUGIN_SET (currently absent in my file): the list of plugins which are enabled/disabled. The format is <id> = [yes|no].
SERVER_INFO: is unnecessary, it simply contains information about the last nessusd you connected to (this is used for XML export)
PLUGINS_PREFS: acts like the SERVER_PREFS section, except that very few options are thoroughly documented. However the most important ones (like SMB password) should be self-explanatory.
He also points us to update-nessusrc, which is a Perl script written to simplify the loading of plugins in your scans. The script is dependent on several Perl modules, some of which are not included in the base Perl package. TheGeekStuff.com provided a guide that helped me get through manually installing the necessary modules I was missing. (Beware if you have just installed the basic Perl module, you will be missing some modules that the ones listed as requirements for update-nessusrc are dependent on – HTML-Parser, HTML-TagSet, URI, and possibly a few others.)
For those new to Perl, when configuring the update-nessusrc script to work with your setup, make sure you enclose the host address, user_name, and user_pass in single quotes. Not enclosing them in quotes got me an "open_sock_opt_hn: invalid socket address" error and an hour of searching for what that meant.
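To see what a given nessusrc actually turns on, here is an added example (not from the original post, standard library only) that reads the file and reports the enabled port scanners and plugins, and calls out a file with no PLUGIN_SET section, which is what the file I was given looked like. It assumes the classic nessusrc layout of begin(SECTION) / key = value / end(SECTION) blocks, which the section names Renaud describes above follow; the sample file is constructed and its plugin IDs are placeholders, not a real plugin selection.

```python
# Added example, not code from the original post: a small reader for the
# nessusrc layout, assumed here to be begin(SECTION) / key = value /
# end(SECTION) blocks, that reports which plugins and port scanners a file
# enables. The sample file is constructed; its plugin IDs are placeholders.
import re

BEGIN = re.compile(r"^\s*begin\((?P<name>[A-Z_]+)\)\s*$")
END = re.compile(r"^\s*end\((?P<name>[A-Z_]+)\)\s*$")

# Constructed sample without a PLUGIN_SET section, like the file described above.
SAMPLE_NESSUSRC = """\
# constructed sample, not the author's file
begin(SERVER_PREFS)
 max_hosts = 30
 safe_checks = yes
end(SERVER_PREFS)

begin(SCANNER_SET)
 10180 = yes
 10335 = no
end(SCANNER_SET)

begin(PLUGINS_PREFS)
 SMB password = placeholder
end(PLUGINS_PREFS)
"""

# The same file with a PLUGIN_SET section added (placeholder IDs).
SAMPLE_WITH_PLUGINS = SAMPLE_NESSUSRC + """
begin(PLUGIN_SET)
 10001 = yes
 10002 = no
 10003 = yes
end(PLUGIN_SET)
"""


def parse_nessusrc(text):
    """Return {section: {key: value}}; raises ValueError on unbalanced or stray lines."""
    sections = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = BEGIN.match(line)
        if m:
            if current is not None:
                raise ValueError(f"line {lineno}: begin({m['name']}) inside {current}")
            current = m["name"]
            sections.setdefault(current, {})
            continue
        m = END.match(line)
        if m:
            if m["name"] != current:
                raise ValueError(f"line {lineno}: end({m['name']}) does not close {current}")
            current = None
            continue
        if current is None:
            raise ValueError(f"line {lineno}: setting outside any section")
        key, sep, value = line.partition("=")  # split on the first '=' only
        if not sep:
            raise ValueError(f"line {lineno}: expected key = value")
        sections[current][key.strip()] = value.strip()
    if current is not None:
        raise ValueError(f"unterminated section {current}")
    return sections


def enabled_ids(sections, name):
    """IDs set to yes in the given section, in file order."""
    return [k for k, v in sections.get(name, {}).items() if v.lower() == "yes"]


def summarize(text):
    """What a nessusrc turns on; a missing PLUGIN_SET means no plugin selection is recorded in the file."""
    sections = parse_nessusrc(text)
    plugin_set = sections.get("PLUGIN_SET", {})
    return {
        "sections": sorted(sections),
        "scanners_enabled": enabled_ids(sections, "SCANNER_SET"),
        "plugins_enabled": enabled_ids(sections, "PLUGIN_SET"),
        "plugins_disabled": [k for k, v in plugin_set.items() if v.lower() == "no"],
        "plugin_set_missing": "PLUGIN_SET" not in sections,
        "safe_checks": sections.get("SERVER_PREFS", {}).get("safe_checks"),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_NESSUSRC))
    print(summarize(SAMPLE_WITH_PLUGINS))
```

The safe_checks value is reported alongside the plugin counts because it is the SERVER_PREFS setting most likely to explain a quiet scan against a deliberately vulnerable VM.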
Security Tools
The following are a few tools of which I am currently aware. I’ve used some, and plan to dive deeper into each of them, and hopefully discover others along the way. I’ll republish this list as I get further along.
- Backtrack – live CD, combination of Auditor and WHAX, tons of security/forensics tools
- Helix – live CD, can also run as an application in Windows, forensic tools
- SecurityDistro – more live CD’s with loads of security tools
- WebGoat – a tutorial on web security
- p0f – OS fingerprinting tool, for profiling your targets
- MetaSploit – "useful information to people who perform penetration testing, IDS signature development, and exploit research"
- KeePass – “a free open source password manager, which helps you to manage your passwords in a secure way”
- Wigle.net – Wireless Geographic Logging Engine