Grey bar Blue bar
Share this:

Mon, 7 Apr 2014

SenseCon 2014

L1000617
What originally started as one of those "hey, wouldn't this be cool?" ideas, has blossomed into a yearly event for us at SensePost. SenseCon is a time for all of us to descend on South Africa and spend a week, learning/hacking/tinkering/breaking/building, together and in person.


A few years ago we made the difficult, and sometimes painful, shift to enable remote working in preparation for the opening of our UK and Cape Town offices. Some of you probably think this is a no-brainer, but the benefit of being in the same room as your fellow hackers can't be overlooked. Being able to call everyone over to view an epic hack, or to ask for a hand when stuck is something tools like Skype fail to provide. We've put a lot of time into getting the tech and processes in place to give us the "hackers in the same room" feel, but this needs to be backed with some IRL interaction too.


People outside of our industry seem to think of "technical" people as the opposite of "creative" people. However, anyone who's slung even a small amount of code, or even dabbled in hacking will know this isn't true. We give our analysts "20% time" each month to give that creativity an outlet (or to let on-project creativity get developed further). This is part of the intention of SenseCon: a week of space and time for intense learning, building, and just plain tinkering without the stresses of report deadlines or anything else.


But, ideas need input, so we try to organise someone to teach us new tricks. This year that was done by Schalk from House 4 Hack (these guys rocks) who gave us some electronic and Arduino skills and some other internal trainings. Also, there's something about an all-nighter that drives creativity, so much so that some Plakkers used to make sure they did one at least once a month. We use our hackathon for that.


Our hackathon's setup is similar to others - you get to pitch an idea, see if you can get two other team mates on board, and have 24 hours to complete it. We had some coolness come out of this last year and I was looking forward to seeing what everyone would come up with this time round.


L1000662


Copious amounts of energy drinks, snacks, biltong and chocolates were on supply and it started after dinner together. The agreed projects were are listed below, with some vagueness, since this was internal after all :)


  • pORTAL anonymous comms device - Sam & Dr Frans


Getting a modified version of Grug's pORTAL device working on a Beagle Bone and Rasperry Pi for us to use while traveling.

  • Video Conferencing - Craig and Marc


For video conferencing we normally use a combination of Skype, Go-To-Meeting, Google hangouts, or a page long gstreamer command piped over a netcat tunnel (I'm not kidding). Craig and Marc built an internal video conferencing solution with some other internal comms tools on the side.

  • SensePost Radar - Keiran and Dane


SensePost Radar
SensePost Radar


Keiran and Dane put our office discone antenna to good use and implemented some SDR-fu to pick up aeroplane transponder signals and decode them. They didn't find MH370, but we now have a cool plane tracker for SP.


  • WiFi Death Flag - Charl


Charl, so incredibly happy!!
Charl, so incredibly happy!!


Using wifi-deauth packets can be useful if you want to knock a station (or several) off a wifi network. Say you wanted to prevent some cheap wifi cams from picking you up ... Doing this right can get complicated when you're sitting a few km's away with a yagi and some binoculars. Charl got an arduino to raise a flag when it was successfully deauthed, and lower it when connectivity is restored for use in a wifi-shootout game.


  • Burp Collaboration tool - Jurgens, Johan & Willem


Inspired by Maltego Teeth, Jurgens set about building a way to have multiple analysts collaborate on one Burp session using a secure Jabber transport. He and Johan got this working well, and we will be releasing it and several other Burp apps during the ITWeb Security Summit in Johannesburg in May.

  • How to Pwn a Country - Panda and Sara


YMCA pwnage
YMCA pwnage


Panda (Jeremy) and Sara ended up building local Maltego transforms that would allow mass/rapid scanning of large netblocks so you can quickly zoom in on the most vulnerable boxes. No countries were harmed in the making of this.


  • Bender - Vladislav


While doing client-side engagements, we realised we needed our own payload to help us to better move from spear-phish to persistent internal network access. Earlier in the year, Vlad put our hacks into a professional SensePost beaconing payload he called Bender. During the hackathon he extended its capability in some key areas.

  • Oh-day stuffs - Georg and Etienne


He likes his ice-cream
He likes his ice-cream


gcp and et decided on some good ol'fashioned fuzz-n-find bug hunting on a commercial mail platform, and websense. Along the way they learned some interesting lessons in how not to fuzz, but in the end found some coolness.


  • 3d Printer - Rogan


Rogan finally got around to putting his 3D printer together! He hasn't printed an SP logo yet, but we're assuming this is the most logical first print.

  • Rogue AP - Dominic & Ian


In preparation for our BlackHat submission, singe and ian spent some time researching our new wifi attacks. This resulted in a key new finding and implementation of their new KARMA rogue-ap attack.

  • The challenge - Daniel


I too had to show that I still had tech skills (not all spreadsheeting you know) and created a challenge to send our peeps down the rabbit hole while pushing their skills but also awaken some old school hacking approaches.


L1000686


The hackathon went gangbusters; most of the team went through the night and into the morning (I didn't, getting old and crashed at 2am). Returning that morning to see everyone still hacking away on their projects (and a few hacking away on their snoring) was amazing.


Once the 24-hours was up, many left the office to grab a shower and refresh before having to present to the entire company later on that afternoon.


Overall this years SenseCon was a great success. Some cool projects/ideas were born, a good time was had AND we even made Charl feel young again. As the kids would say, #winning


 


 


 


 

Wed, 16 Jan 2013

Client Side Fingerprinting in Prep for SE

On a recent engagement, we were tasked with trying to gain access to the network via a phishing attack (specifically phishing only). In preparation for the attack, I wanted to see what software they were running, to see if Vlad and I could target them in a more intelligent fashion. As this technique worked well, I thought this was a neat trick worth sharing.


First off the approach was to perform some footprinting to see if I could find their likely Internet breakout. While I found the likely range (it had their mail server in it) I couldn't find the exact IP they were being NAT'ed to. Not wanting to stop there, I tried out Vlad's Skype IP disclosure trick, which worked like a charm. What's cool about this approach is that it gives you both the internal and external IP of the user (so you can confirm they are connected to their internal network if you have another internal IP leak). You don't even need to be "friends", you can just search for people who list the company in their details, or do some more advanced OSINT to find Skype IDs of employees.


Once I had that IP, I went on a hunt for web logs that had been indexed by a search engine, that contained hits from that IP. My thinking was that I run into indexed Apache or IIS logs fairly often when googling for IPs or the like, so maybe some of these contained the external NAT IP of the target organisation. It took a fair bit of search term fiddling, but in the end I found 14 unique hits from their organisation semi-complete with User Agent information (some were partially obscured).


This provided me with the following stats:









Operating System


Win XP 8


Win 7 32 3


Win 7 64 3

Browser


IE 8 8


IE 6 3


IE 7 1


IE 9 1

Combination


Win 7 IE 8 4


Win XP IE 8 4


Win XP IE 6 3


Win 7 IE 9 1


Win XP IE 7 1


Granted, it could be that the same machine was present in multiple logs and the stats are skewed, but they are a large enough organisation that I thought the chances were low, especially as most of the sites who's logs I found were pretty niche. As validation of these results, later, once we had penetrated through to the internal network, it was clear that they had a big user base in regional offices still on Win XP and IE6, and a big user base at corporate offices who had been migrated to Windows 7 with IE8.


Unfortunately, the UserAgent didn't make it clear whether they had Acrobat or Java or what versions they were at. We thought of using some JavaScript to do such detection, but were under a time constraint, and went with trying to pwn them instead, with the thinking that if it doesn't work, we could retarget and at least get some debugging information.


Anecdotally, and to give the story an ending, it turned out that BlackHole and Metasploit's Browser AutoPwn were a bust, even our customised stuff got nailed by Forefront when the stager tried to inject it's payload at runtime, but an internal tool we use for launching modified meterpreter payloads worked like a charm (although, periodically died on Win7 64bit, so I'd recommend using reverse-http, you can restart sessions, and firing up a backup session to restart the other with).

Wed, 5 Dec 2012

SensePost Hackathon 2012

Last month saw the inaugural SensePost hackathon happen in our new offices in Brooklyn, South Africa. It was the first time the entire company would be in the same room, let alone the same continent, together and away from the pressures of daily work constraints. The idea was simple: weeks before the date, we sent out emails to everyone in the company (not just the tech teams but everyone) to think about ideas, tools, approaches or new business lines that they felt would make us even better at what we did.

Hackathons are used by many tech companies to give their employees breathing space to work on new ideas. Google and Facebook are big fans and Facebook's Like button was conceived as part of a hackathon. Getting everyone together at the same time was no mean feat, the term 'herding cats' springs to mind but on the week of 12th of November, all SensePost'rs were in our new offices and ready to break, build and develop.

Prior to the event, we asked everyone to think about what they wanted to work on. As mentioned above, there was no specific guideline as to what anyone could come up with, as you can't force creativity. After a brainstorming session, the following ideas were given and solutions made during the hackathon period*:

1. SensePost World App

A mobile application (multi-platform) that will streamline the process of receipts, expenses, travel requests, holiday leave etc.

2. SensePost IRC Bot

A IRC bot that will offer:

  1. Integration with our internal twitter clone
  2. SMS functionality to summon $person
  3. Location whereabouts functionality (who is in the office, who's at a client etc.)
  4. Cool links functionality
  5. SensePost short URL functionality
  6. Ability to call $username via Gtalk/Skype
3. SensePost SMS Gateway App

An application that allows us to utilise SMS from a company-wide perspective, including:

  1. Ability to receive OTP passwords to a central number
  2. Ability to send passwords to clients via web interface (for sales)
  3. Ability to send HackRack passwords to clients via web interface
Rogan decided to use kannel to interface with a GSM dongle in an Ubuntu server. This exposed a web API. Glenn then wrote a Python script to monitor for new mail arriving to a SensePost email address, which then dispatched SMSs via kannel.

4. Magstripe Hacking

Having moved into our new fancy offices, we decided to look at the current implementation of magstripe used to work out if we could read the data, clone the data and create free parking for us (at the same time, potentially looking for flaws in the magstripe implementation). The magstripes on the parking tickets were very unsual. Between the reader in the office, and Andrew Mohawk's more advanced ones, we could not get a consistent read. It is possible that the cards use an unusual arrangement of tracks. Typically there are 3 horizontal tracks at predefined heights. If the tracks are at unusual heights we may have been getting interference between said tracks. Andrew has tried to dissect one of the cards, but no luck yet.

Watch this space. 5. AV VirusTotal Project

Rather than submitting our payloads to VirusTotal (who then inform the vendors), we will create our own version that uses all vendors, to determine if our custom payloads could be detected.

6. SensePost Green Project

A project to make our business greener in approach and ideas. How responsibly were we using resources? What was our consumption of electricity and water like and could it be made better?

With teams created and everyone clear on what they had to do, 48-hours were given to create the above ideas. Food, drink, hardware and toys were provided. Vlad brought some amazing Russian Vodka and energy drinks were supplied.

Whilst the older farts faded quickly (I'll put my hand up, 1am and I was broken), the younger crowd went through the night and into the next morning. From simple ideas at first, fully-fledged solutions were designed and then developed in a short space of time. The idea was that once the hackathon 48-hour period was over, everyone would present the results and we'd head outside to our balcony to have a traditional SA braai (barbecue)

The cool thing about the hackathon was that some of the top ideas came from traditionally non-technical people, such as our finance wizard who came up with the idea of the SensePost world app. This was the outcome that we wanted: to prove that you don't need to be a heavy tech-orientated person to come up with meaningful projects or ideas.

Overall the 2012 Hackathon was a brilliant time had. Some amazing ideas have come to light, ones that will see us pushing offensive approaches and also ones that will have an impact on the way we work at SensePost.

For those thinking about running an internal hackathon, I'd say go for it. Giving people the space to work on ideas with likeminded colleagues will only bring benefits.

*There were other projects, but they won't see the light of day as of yet, so will remain confidential until the time is right.

Mon, 26 Nov 2012

Skype Passive IP Disclosure Vulnerability

When performing spear phishing attacks, the more information you have at your disposal, the better. One tactic we thought useful was this Skype security flaw disclosed in the early days of 2012 (discovered by one of the Skype engineers much earlier).

For those who haven't heard of it - this vulnerability allows an attacker to passively disclose victims external, as well as internal, IP addresses in a matter of seconds, by viewing the victims VCard through an 'Add Contact' form.

Why is this useful?

1. Verifying the identity and the location of the target contact. Great when performing geo-targeted phishing attacks.

2. Checking whether your Skype account has not been used elsewhere :)

3. Spear phishing enumeration while Pen Testing.

4. Just out of plain curiosity.

To get this working, following these basic steps:

1. Download and install the patched version of Skype 5.5 from here (the patch enables the Skype client to save the logs in non obfuscated form)

2. Save the lines below as a Skype_log_patch.reg reg file:

Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Skype\Phone\UI\General]
"LastLanguage"="en"
"Logging"="SkypeDebug2003"
"Logging2"="on"
Once saved, run it to enable the Skype Debug Log File.

4. Start Skype.

5. Search for any Skype contact and click on the 'Add a Skype Contact' button, but do not send the request, rather click on the user to view their VCard.

4. Open the log file (it should appear in the same folder as Skype executable e.g. debug-20121003-0150)

5. Look for the PresenceManager line - you should see something similar to this - >

In the above image you can spot my Skype name, external as well as internal IP addresses.

The log will include similar credentilas for everyone listed as a "contact" under your Skype account, as well as many other fresh, genuine and useful information received directly from your local Skype tracker.

Thu, 8 Jan 2009

Hacking By Numbers Online - your thoughts?

We often get asked by students of our Hacking By Numbers courses if the course environments or at least the VMWare images are available after the training is over. As a result we've started to experiment with a model for offering our courses in an online environment. The idea would be to maintain the full numbers of labs and technical work, maintain the high standard of trainers and materials, but make the training available via the internet to people at various diverse locations. The approach we've been testing appears to show some promise, so we're hoping to ask some of you for your input and opinions.

The model we have in mind works like this:

1. Our slide decks have been ported to a Flash format with voice-overs blended in. This allows the students to browse through the materials, pause the presentation and move forward and backward as they please. The voice-over is by an experienced trainer and is presented in the same anecdotal style we use in our regular courses. There's also a transcript of the speaker's presentation that ensures students understand the trainer and allows them to copy and reuse text from the dialog.

2. The Flash slides are accompanied by the same lab sheets and accompanying answer sheets that are used in our regular training.

3. In order to complete the labs students connect to a Microsoft Terminal Server over the Internet. Each student has their own desktop that's pre-installed and configured with everything they'll need, including an SSH session to the Linux box that's needed for some of the labs. In this way the student walks right into a clean pre-configured environment with a full Windows and Linux toolset. All the targets, along with the classroom infrastructure like web and DNS servers, are available on virtual networks attached to the Terminal Server.

4. The course is broken up into a series of 'modules', where a module corresponds to a number of slides from the deck, followed by a lab exercise from the lab sheets. The students can work their way through the slides in the module then tackle the corresponding labs by logging onto the Terminal Server.

5. Although students work their way through the materials and labs on their own time, they are expected to complete each module within a certain amount of time. At the start and end of each module there is a trainer briefing that occurs via Skype. Students are given an overview of the materials and labs to follow and are given the opportunity to ask questions and make comments.

6. There is also an interim Skype briefing at fixed times at the start and end of each day. Finally, students have the opportunity to submit questions via email during the course of the day that will be dealt with by the trainer at the next briefing.  In this manner we envisage a two-day classroom being spread over a five-day or even a seven-day period.

So that's the basic approach. We've started by porting our Cadet Edition in this fashion because it had the least labs and (as a beginners course) seemed to make the most sense. There's a brief course summary of the course here. But before we take the course live, we're planning to take it for a few test runs and hopefully get some input and feedback from you. Basically, there are three questions we want to ask:

1. Have you done online training before? If you've done online courses, what are your observations? Did it work for you? What did you and didn't you like?

2. Do you think our online approach is a workable learning tool? Do you think our approach can work and would you be interested to attend a course presented in this manner?

3. What would you be prepared to pay for such a course? Here's some benchmark pricing for you to consider - A CEH course starts at $ 695.00 (normal pricing seems to be $ 895) - A SANS @Home hacking course starts at $3,275.00 - The Offensive Security Offsec 101 starts at $ 550.00 (and goes up to about $ 700, without 'options') - Our Cadet course retails at Black Hat from $ 2,200.00, with fully configured laptops provided Our total training content amounts to about 2 days. Given this, what do you think would be a fair price to pay for this course?

Finally, we're planning to hold a free online 'beta' of the course early in 2009. If you'd like to take part, please let us know by contact 'training@sensepost.com'