Howto
Wifi Hacking & WPA/2 PSK traffic decryption
When doing wireless assessments, I end up generating a ton of different scripts for various things that I thought it would be worth sharing. I’m going to try write some of them up. This is the first one on decrypting WPA/2 PSK traffic. The second will cover some tricks/scripts for rogue access-points. If you are keen on learn further techniques or advancing your wifi hacking knowledge/capability as a whole, please check out the course Hacking by Numbers: Unplugged, I’ll be teaching at BlackHat Las Vegas soon.
Windows Domain Privilege Escalation : Implementing PSLoggedOn in Metasploit (+ a bonus history module)
There are multiple paths one could take to getting Domain Admin on a Microsoft Windows Active Directory Domain. One common method for achieving this is to start by finding a system where a privileged domain account, such as a domain admin, is logged into or has recently been logged into. Once access to this system has been gained, either stealing their security tokens (ala Incognito or pass-the-hash attacks) or querying Digest Authentication (with Mimikatz/WCE) to get their clear-text password. The problem is finding out where these user’s are logged in.
Client Side Fingerprinting in Prep for SE
On a recent engagement, we were tasked with trying to gain access to the network via a phishing attack (specifically phishing only). In preparation for the attack, I wanted to see what software they were running, to see if Vlad and I could target them in a more intelligent fashion. As this technique worked well, I thought this was a neat trick worth sharing.
First off the approach was to perform some footprinting to see if I could find their likely Internet breakout. While I found the likely range (it had their mail server in it) I couldn’t find the exact IP they were being NAT’ed to. Not wanting to stop there, I tried out Vlad’s Skype IP disclosure trick, which worked like a charm. What’s cool about this approach is that it gives you both the internal and external IP of the user (so you can confirm they are connected to their internal network if you have another internal IP leak). You don’t even need to be “friends”, you can just search for people who list the company in their details, or do some more advanced OSINT to find Skype IDs of employees.
HTTPS via WinAPI
Hijacking SSL sessions initiated by the browser is a trivial task. The challenge comes when trying to intercept SSL traffic in applications such as Dropbox or Easynote. These apps create additional measures to verify certificates and their integrity, hence not very friendly to perform with Burp.
One quick solution to the above problem is hiding one level above (or below :) the OSI layer. Live API monitoring // hooking can be used to capture and manipulate HTTP/S “traffic” before it being placed on the wire, more or less the same way are used to doing it in Burp.
Decrypting iPhone Apps
This blog post steps through how to convert encrypted iPhone application bundles into plaintext application bundles that are easier to analyse.
Requirements:
1) Jailbroken iPhone with OpenSSH, gdb plus other utilities (com.ericasadun.utilities etc. etc.)
2) An iPhone app
3) On your machine:
otool (comes with iPhone SDK) Hex editor (0xED, HexWorkshop etc.) Ida – Version 5.2 through 5.6 supports remote debugging of iPhone applications (iphone_server). For this article, I will use the app name as “blah”.
Criticism, Cheerleading, and Negativity
[Alex Payne] has an excellent post up titled “Criticism, Cheerleading, and Negativity“. It’s a 2 minute read, but its worth it:
”
We understand well the idea of being in favor or something, or against something, but we don’t particularly understand how criticism fits into this dichotomy.
..
The reason a person is critical of a thing is because he is passionate about that thing. In order to have a critical opinion, you have to love something enough to understand it, and then love it so much more that you want it to be better. Passion breeds critical thinking.
Two quick links on “how your app got hacked, even though it looked ok”
The first one from hacker news, aptly titled “How I Hacked Hacker News (with arc security advisory)”
and the 2nd, a welcome-back-to-the-blogosphere-tptacek post on the matasano blog: [Typing The Letters A-E-S Into Your Code? You’re Doing It Wrong!]
/mh
PS. for those going, man i wish someone would break down the important crypto stuff for me in a way thats understandable without being patronizing, there is Chris Eng and his owasp talk on [Cryptography For Penetration Testers]
On Hiring Staff – The T-Shirt Method..
Anyone who has honestly reflected on what they know about hiring, will tell you that no matter how locked-down you think you have it, you dont. There is still way too much left to chance and way too much that you just dont know. To avoid this, companies that care about preserving their culture will sometimes adopt a “default deny” approach. It’s ok to miss a potentially good hire rather than to take on a bad one. This isn’t silly geek risk aversion.. It’s because one bad hire can do amazing damage to a culture (an area bad hires can be amazingly productive in).
SQL Server 2005 – Where the $%#@ is that stored proc ?
While doing some prodding on SQL Server, i came across this newness (of course this is probably old hat to many SQL2005 dba’s)
Essentially i was tryign to track down something in sp_addserver.
The source of this stored proc [System Databases\Master\System Stored Procedures\sys.sp_addserver] showed that another stored proc called: sys.sp_MSaddserver_internal was being called.
For the life of me though, i could not track down sys.sp_MSaddserver_internal.
Turns out the answer is reasonably well documented [SQL Books Online], with 2005 – MSFT moved stored procs / and friends into a readonly hidden db. This can be made visible by copying the physical .mdf files and attaching them. [Process reasonably documented on the interwebs if you know what to search for]
DNS Tunnels (RE-REDUX)
On a recent assessment we came across the following scenario:
1) We have command execution through a web command interpreter script (cmd.jsp) on a remote Linux webserver
2) The box is firewalled only allowing 53 UDP ingress and egress
3) The box is sitting on the network perimeter, with one public IP and one internal IP, and not in a DMZ
So we want to tunnel from the SensePost offices to Target Company’s internal machines, with this pretty restrictive setup. How did we accomplish this?