TL;DR: I presented this work at Insomni’hack; if you’d prefer to watch the recording, you can find it here: https://www.youtube.com/watch?v=Nvw_BH7jPzE
Imagine you’re on a physical engagement, standing outside an office door. You need an access card but you don’t have one (yet). You notice that there’s a pattern where employees need to tag in, but to leave they just wave their hand and the door swings open. You pull a torch out of your backpack and switch it on. There’s no visible light but a subtle vibration assures you that it’s on and working. You shine it through the glass door, pointing it at a bookshelf, a chair or wall on the inside, like trying to line up a shot in pool. Within about 5 seconds… pop! The door swings open, there’s nobody else in sight and you walk right in. Not even a fingerprint left behind. It turns out, this scenario isn’t as farfetched as you might think.
2021 was the year I met two incredible hackers, Michael and Reino, with whom I had the opportunity to work during my first ever SenseCon.
SenseCon is an internal conference that lasts 3 days, during which we meet people, share knowledge and have fun. There is also a day-long hackathon during which we work on hacking subjects we are interested in.
For that hackathon, we wanted to dig into PsExec.exe to see whether it is possible to communicate with it via a Python script and thus no longer depend on a Windows system. Spoiler alert, we were able to! But for some reason, the project died in a private repo.
Intro: I wrote a tool to help with cracking of hashes, and today I finally decided to blog about it. The idea was to take what I’d learned about common patterns in passwords, and put my experience into practice to make password cracking more efficient on future engagements. Below is a short history of how we got to where we are, as well as some examples of how to use it.
Intro: For the longest time I had the idea to implement a notification system that would alert me if someone ever logged in (or tried to log in) to an SSH server or XSession on a machine I controlled, using known compromised credentials that were obtained via a data breach or a canary password. In this post I am going to show you how I implemented just that using Canary Tokens.
or DNS exfiltration over DNS over HTTPS (DoH) with godoh
“Exfiltration Over Alternate Protocol” techniques, such as using the Domain Name System as a covert communication channel for data exfiltration, are not a new concept. We’ve used the technique for many years at SensePost, including Haroon & Marco’s 2007 BH/DC talk on Squeeza. In the present age this is a well understood topic, at least amongst Infosec folks, with a large number of resources available online that aim to enlighten those that may not be familiar with the concept. There are also practical techniques for detecting DNS tunnelling on your network.
We’ve done several assessments of late where we needed to (ab)use MQ services. We’ve detailed our experiences and results below. We built a tool, punch-q, so you don’t have to go through the same, and included some info for blue teams, including an osquery extension.
Depending on how old a version you are working with, or which document you read online, you might know IBM’s Message Queue solution as MQSeries, WebSphere MQ or IBM MQ, the latter being the latest name, which it got around 2014 with the release of version 8. Nonetheless, in the last few months I have come across a number of distinct instances of MQ, each used in its own interesting way for arbitrary systems integrations. Be it for simple messages being passed around or to facilitate file transfers, MQ played a significant role when it came to the overall business processes these companies had. In order to help me understand the technology better, I discovered some prior research by the folks at MWR, with a very informative talk done at Defcon 15 called MQ Jumping. A subsequent white paper was released and is definitely worth a read.
Thanks to IoT and other developments, we’re having to review more and more non-HTTP protocols these days. While the hardware is interesting to look at, one can often find vulnerabilities at a network layer too. With many of the non-HTTP-only proxies having fallen out of maintenance or requiring a significant amount of custom code to be written for each unique protocol encountered, we decided to build a tool to make such work easier.
Hello,
TL;DR: I think I found three new ways to do user enumeration on Windows domain controllers, and I wrote some scripts for it.
Over the years, I have often used the NULL session vulnerability to enumerate lists of users, groups, shares and other interesting information from remote Windows systems.
For the uninitiated, Windows exposes several administrative and hidden shares via SMB by default.
Some of these shares allow one to access the complete storage device on remote systems. For example, C$ will allow one to access the C drive. Another share, Admin$, allows one to access the Windows installation directory. To be able to mount these shares, however, one needs to be an administrator on the remote system.
In late Jan, someone opened a GitHub issue in the objection repository about Android 7’s Network Security Configuration. The issue author included a blog post from the NCC Group about this very topic which included some very helpful bits of information (which you should totally read).
Naturally, I wanted to enhance objection to be able to get past this new security feature, so the testing began. I installed a Burp CA as one would normally do for assessments, as well as a small test application with certificate pinning disabled, and quickly realised that literally no network traffic was passing through. Inspecting the output of adb logcat, one would see messages such as the following for our failed requests:
TL;DR: I fixed up net-creds and MITMf to solve the CHALLENGE NOT FOUND bug.
A while back on an internal assessment, I was having a hard time getting a high-privileged user account.
This was the third assessment SensePost has done for the client, and they have implemented several of our recommendations. In particular, Responder wasn’t providing me with any hashes even though I was connected to the same network segment as several users, including some administrators. The client has a strict policy of only using the latest operating systems, i.e. Windows 10, and had disabled NBNS and LLMNR.