Tools
Kwetza: Infecting Android Applications
This blog post describes a method for backdooring Android executables. After describing the manual step, I will show how to do the same with a new tool, Kwetza, that I’m releasing today.
Infecting Android applications provides a great way to determine the impact and affect of the malicious activities we see in the wild, from ransomware to practical jokes. This not only provides you with an entry point onto user devices, but also allows you to see how devices, users and anti-virus behave in these situations.
MAPI over HTTP and Mailrule Pwnage
History In December 2015 Silent Break Security wrote about “Malicious Outlook Rules” and using these to get a remote shell. This was great, we could now use those credentials found through brute-forcing OWA instances or a phishing page. The only issue I had with this was the fact that you needed to setup a local instance of the mailbox, which at times could be time consuming and also felt like overkill.
Handling Randomised MAC Addresses in MANA
mana development has been chugging along nicely. However, the OffSec crew politely asked us to move mana to proper releases a while back, which we’ve just done. This is about one of the many changes pushed in our first new set of releases since October 2014; 1.3.1-Fixy McFixface. There’s a longer summary of what’s new available at the previous release page 1.3-WPE & ACLs with the WPE functionality extensions from and inspired by Brad Antoniewicz’s work being the coolest from a pwnage perspective.
DET – (extensible) Data Exfiltration Toolkit
Often gaining access to a network is just the first step for a targeted attacker. Once inside, the goal is to go after sensitive information and exfiltrate it to servers under their control.
To prevent this from occuring, a whole industry has popped up with the aim of stopping exfiltration attacks. However, often these are expensive and rarely work as expected. With this in mind, I created the Data Exfiltration Toolkit (DET) to help both penetration testers testing deployed security devices and those admins who’ve installed and configured them, to ensure they are working as expected and detecting when sensitive data is leaving the network.
Sensepost Maltego Toolkit: Skyper
Collecting and performing Open Source Intelligence (OSINT) campaigns from a wide array of public sources means ensuring your sources contain the most up to date information relating to your target. Skype, with over 300 million users, can be a vital source if used correctly.
The above graphic shows over 70 million active members and over 500 million users that have registered!.
As with all things online, many users leak sensitive information about themselves that those with the right skills, could harvest.
(local) AutoResponder
When doing internals, usually an easy first step is to use Responder and wait to retrieve NTLM hashes, cracking them and hoping for a weak password.
The problem is that sometimes fancy cracking rigs might not be available, it might be a mess to copy/paste all those hashes, send them, wait for an answer where you could already do some work locally, without any effort. We’re all lazy, and I’m even more lazy. That’s why I decided doing this project.
AutoDane at BSides Cape Town
Given the prevalence of Microsoft Active Directory domains as the primary means of managing large corporate networks both globally and in South Africa specifically; one of the common first goals of many internal penetration tests is to get Domain Administrator (DA) level access. To assist with this, a plethora of tools and techniques exist, from the initial “in” through to elevation of privilege and eventually extracting and cracking all domain credentials.
Wadi Fuzzer
“Operating system facilities, such as the kernel and utility programs, are typically assumed to be reliable. In our recent experiments, we have been able to crash 25-33% of the utility programs on any version of UNIX that was tested.” [1]
Those were the original words in one of the first fuzzing studies where Prof. Barton Miller was first to use the term ‘fuzzing’
One can see the importance of fuzzing as one of the techniques used to test software security against malformed input leading to crashes and in some cases exploitable bugs.
Hi Jack!
No, this post is not about a Leon Schuster comedic skit from the early 90’s, YouTube reference here -> https://www.youtube.com/watch?v=JzoUBvdEk1k
To the point, once upon a time there was a tool called Jack which attempted to make ClickJacking PoC’ing a tad sexier and made it’s way to Black Hat EU 2015 Arsenal.
Some time has passed now since Jack was first released and was time for Jack to get some attention alas a new version of Jack has been released and can be found here, https://github.com/sensepost/jack .
[Another] Intercepting Proxy
But, Websockets! The last week I was stuck on a web-app assessment where everything was new-age HTML5, with AngularJS and websockets. Apart from the login sequence, all communication happened through websockets. Now intercepting websockets can be done in Burp and you can modify the requests/responses as you wish. There were however multiple issues with this.
Polling – the webapp did a ‘ping’ request and if this was held up (intercept in burp) the app would timeout and I had to start from scratch. This timeout period was relatively aggressive, so by the time I finished modifying a request, the app had timed out and my changes meant squat. Intercept/Replace rules- ping messages were irritating and Burp had no way to not intercept these. It also wasn’t possible to configure out replace rules. And according to this, it isn’t coming to Burp anytime soon… https://support.portswigger.net/customer/portal/questions/11577304-replace-text-in-websocket-operations Replay/Intruder – there is no way to replay a websocket request in Burp. This also means no Intruder :( At this junction, three options were available to me. Use ZAP (which does have intercept rules but not replay/replace/intruder). Use Internet Explorer and force the app into non-websocket mode or write a custom proxy. So the choice was obvious, write a custom proxy.