wigle wifi wardriving

the wigle wifi android app simply records all the wifi access points your phone sees as you are walking/driving about

you can upload your results to the shared wigle master database (https://wigle.net/), or just keep them to yourself, locally

you can query the db for open hotspots, or filter by security type

when you first run the app, every few minutes it has an annoying robot voice giving you stats (new networks detected, battery status, etc).  it also plays sounds when networks are found.  these can all be turned off (settings, and settings -> speech configuration)

the wifi scan interval has a few settings: stationary, slower than 8kph and faster than 8kph.  pretty cool

the databases can also be exported to kml, and then loaded into google earth.  i’ve previously parsed the exported kml into various layers (open, wep, wpa, cell stations…).  interesting geeky fun!
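
added example, not the author's original parser: one way to split an exported kml into the layers described above (open, wep, wpa, cell) as google earth folders. the sample kml is constructed, and the "Key: value" layout of each placemark description (Encryption:, Type:) and the cell Type values are assumptions about the export format; adjust parse_fields and CELL_TYPES if your export differs

```python
import re
import xml.etree.ElementTree as ET

NS = "http://www.opengis.net/kml/2.2"
K = {"k": NS}
LAYERS = ("open", "wep", "wpa", "cell", "other")
CELL_TYPES = {"GSM", "CDMA", "WCDMA", "LTE"}  # assumed Type values for cell towers

# constructed sample; the description layout is an assumption about the export
SAMPLE_KML = """<kml xmlns="http://www.opengis.net/kml/2.2"><Document>
<Placemark><name>cafe-guest</name>
<description>Network ID: 02:00:00:00:00:01
Encryption: None
Type: WIFI</description>
<Point><coordinates>24.7536,59.4370</coordinates></Point></Placemark>
<Placemark><name>old-router</name>
<description><![CDATA[Network ID: 02:00:00:00:00:02<br/>Encryption: WEP<br/>Type: WIFI]]></description>
<Point><coordinates>24.7540,59.4372</coordinates></Point></Placemark>
<Placemark><name>home-net</name>
<description>Network ID: 02:00:00:00:00:03
Encryption: WPA2
Type: WIFI</description>
<Point><coordinates>24.7544,59.4375</coordinates></Point></Placemark>
<Placemark><name>example-cell</name>
<description>Network ID: 000_00_1_1
Encryption: Unknown
Type: LTE</description>
<Point><coordinates>24.7550,59.4380</coordinates></Point></Placemark>
</Document></kml>"""


def parse_fields(description):
    """Turn 'Key: value' lines (newline or <br/> separated) into a dict."""
    fields = {}
    for part in re.split(r"<br\s*/?>|\n", description or ""):
        key, sep, value = part.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def classify(fields):
    """Pick the layer for one placemark; cell towers win over encryption."""
    if fields.get("type", "").upper() in CELL_TYPES:
        return "cell"
    enc = fields.get("encryption", "").upper()
    if "WPA" in enc:
        return "wpa"
    if "WEP" in enc:
        return "wep"
    if enc in ("NONE", "OPEN"):
        return "open"
    return "other"  # unknown or missing encryption is never reported as open


def split_layers(kml_text):
    """Return {layer: [Placemark elements]} for every placemark in the export."""
    layers = {name: [] for name in LAYERS}
    for pm in ET.fromstring(kml_text).iter(f"{{{NS}}}Placemark"):
        fields = parse_fields(pm.findtext("k:description", "", K))
        layers[classify(fields)].append(pm)
    return layers


def layer_counts(kml_text):
    return {name: len(pms) for name, pms in split_layers(kml_text).items()}


def build_layered_kml(kml_text):
    """Re-emit the export with one Folder per layer, toggleable in google earth."""
    ET.register_namespace("", NS)
    root = ET.Element(f"{{{NS}}}kml")
    doc = ET.SubElement(root, f"{{{NS}}}Document")
    for name, placemarks in split_layers(kml_text).items():
        folder = ET.SubElement(doc, f"{{{NS}}}Folder")
        ET.SubElement(folder, f"{{{NS}}}name").text = f"{name} ({len(placemarks)})"
        folder.extend(placemarks)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(layer_counts(SAMPLE_KML))
```
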

the app itself also has google maps integration, and a search facility (for example to find the nearest open hotspot)

 

# references
https://play.google.com/store/apps/details?id=net.wigle.wigleandroid&hl=en

installing kali nethunter on a nexus 5

the nexus 5 is easily my favorite phone, and i would still use it now were it not for one showstopper: battery

it’s truly DREADFUL.  about half a day of reasonable use

it’s been lying around unused for about a year, and so now it’s time to put it to good, or at least interesting, use

i’ll be experimenting on it without using a sim card, not connected to any google account, and definitely not entering any personal info onto it!

# download and unzip android studio (note: you can also just install the CLI tools, but i did it this way)
https://developer.android.com/studio/index.html

# install android studio
https://developer.android.com/studio/install.html
Downloads/android-studio/bin/studio.sh
“I do not have a previous installation of Studio…”
Next, Next, Next, Finish
…wait for downloading/installing to complete
Finish

# put adb/fastboot in the path
export PATH=$PATH:$HOME/Android/Sdk/platform-tools

# download nethunter
https://www.offensive-security.com/kali-linux-nethunter-download/

# download the nethunter-supported stock ROM for device (e.g. 6.0.1 M4B30Z, Dec 2016, for Nexus 5)
https://developers.google.com/android/images?hl=en

# download the correct (and latest) TWRP image for device (e.g. 3.0.3-0 for Nexus 5 as of Dec 16)
https://twrp.me/Devices/

# download the latest SuperSU (bottom of page)
http://forum.xda-developers.com/showpost.php?p=64161125&postcount=3

# clone/download-and-unzip the nethunter linux root toolkit
https://github.com/offensive-security/nethunter-LRT
unzip nethunter-LRT-master.zip

# set up the nethunter linux root toolkit
cd nethunter-LRT-master
mv ../hammerhead-m4b30z-factory-625c027b.zip stockImage/
mv ../twrp-3.0.3-0-hammerhead.img twrpImage/
mv ../BETA-SuperSU-v2.67-20160121175247.zip superSu/
mv ../nethunter-hammerhead-marshmallow-3.0.zip kaliNethunter/

# enable developer options on the phone
press settings -> about phone -> build number rapidly until debugging enabled

# enable debugging on the phone
settings -> developer options -> usb debugging

# generate an adb rsa key
adb keygen adbkey

# plug the phone into computer usb
should be usb 2.0, not 3.x

# approve the adb key on the phone
adb shell
(accept adb key on phone)

# unlock phone
./oemUnlock.sh
– select ‘yes’ with volume button
– press power button

# restart phone
– use volume buttons to select ‘start’
– press power button
(wait a while)

# note
if android doesn’t restart properly, turn phone off (long power button press) and back on again

# setup the phone
skip/next all the screens

# make a clean usb connection
unplug from usb and back in again

# enable developer options on the phone (for the 2nd time)
settings -> press “about phone” rapidly until debugging enabled

# enable debugging on the phone (for the 2nd time)
settings -> developer options -> usb debugging

# approve the adb key on the phone (for the 2nd time)
adb shell
(accept adb key on phone)

# flash nexus stock
./stockNexusFlash.sh
(wait a while)

# note
if android doesn’t restart properly, turn phone off (long power button press) and back on again

# setup the phone (for the 2nd time)
skip/next all the screens

# make a clean usb connection
unplug from usb and back in again

# enable developer options on the phone (for the 3rd time)
settings -> press “about phone” rapidly until debugging enabled

# enable debugging on the phone (for the 3rd time)
settings -> developer options -> usb debugging

# approve the adb key on the phone (for the 3rd time)
adb shell
(accept adb key on phone)

# setup the phone (for the 2nd time)
skip/next all the screens

# customize script
gedit twrpFlash.sh
remove ‘-p’ from lines ~50 and ~55 (adb push -p)

# install custom recovery, supersu and nethunter
./twrpFlash.sh
– wait a while
– if/when ‘Starting AROMA INSTALLER’ appears on terminal, configure phone
– (i checked all boxes on all screens apart from supersu, which is already installed by twrpFlash)
– wait a long time
– if phone freezes on “checking for chroot” step, tap the end of the progress bar a few times, which should prompt the process to finish and the phone to reboot

# connect to internet
configure wifi as usual

# allow untrusted apps
settings -> security -> unknown sources (turn on / allow)

# download nethunter update
applications -> nethunter
(accept all security prompts)
menu -> check app updates
update
(accept / continue / etc)
(downloaded)

# uninstall nethunter
settings -> applications -> nethunter -> uninstall

# install new nethunter
downloads -> tap on downloaded apk

# finish
(reboot phone)
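
added example, not part of the original post or of nethunter-LRT: a check to run before the flashing scripts above, hashing every file placed in stockImage/, twrpImage/, superSu/ and kaliNethunter/. it assumes the eight hex digits in a factory image name are the first digits of its sha-256, and that full digests (the `published` dict) have been copied from the vendors' download pages; the demo files are constructed

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# directories the page's setup step moves the downloads into
LRT_DIRS = ("stockImage", "twrpImage", "superSu", "kaliNethunter")
# assumption: the 8 hex digits in a factory image name start its sha-256
FACTORY_RE = re.compile(r"-factory-([0-9a-f]{8})\.zip$")


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_download(path, published=None):
    """Classify one file: ok-full, ok-prefix, MISMATCH or unverified."""
    digest = sha256_file(path)
    if published:  # full digest copied from the vendor's download page
        same = hmac.compare_digest(digest, published.strip().lower())
        return "ok-full" if same else "MISMATCH"
    m = FACTORY_RE.search(Path(path).name)
    if m:  # only 32 bits: catches a bad download, not deliberate tampering
        return "ok-prefix" if digest.startswith(m.group(1)) else "MISMATCH"
    return "unverified"


def check_tree(root, published):
    """Check every file the flashing scripts would pick up under root."""
    results = {}
    for sub in LRT_DIRS:
        for f in sorted(Path(root, sub).glob("*")):
            if f.is_file():
                results[f"{sub}/{f.name}"] = check_download(f, published.get(f.name))
    return results


def demo():
    """Run check_tree over a constructed stand-in for nethunter-LRT-master."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for sub in LRT_DIRS:
            (root / sub).mkdir()
        stock = b"constructed stand-in for a factory image"
        prefix = hashlib.sha256(stock).hexdigest()[:8]
        (root / "stockImage" / f"demo-good-factory-{prefix}.zip").write_bytes(stock)
        # same name suffix, truncated content: what a cut-off download looks like
        (root / "stockImage" / f"demo-cut-factory-{prefix}.zip").write_bytes(stock[:-5])
        twrp = b"constructed stand-in for a recovery image"
        (root / "twrpImage" / "twrp-demo.img").write_bytes(twrp)
        (root / "superSu" / "SuperSU-demo.zip").write_bytes(b"no digest known")
        (root / "kaliNethunter" / "nethunter-demo.zip").write_bytes(b"tampered")
        published = {
            "twrp-demo.img": hashlib.sha256(twrp).hexdigest(),
            "nethunter-demo.zip": hashlib.sha256(b"original").hexdigest(),
        }
        return check_tree(root, published)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:10} {name}")
```

anything reported as MISMATCH or unverified is worth re-downloading or checking against a vendor-published digest before it is flashed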

at first glance, what has nethunter got in it? (i don’t know what some of them even are)

  • services
    • sshd
    • dnsmasq
    • hostapd
    • openvpn
    • apache
    • metasploit
  • mac changer
  • custom commands
    • including wifite… i think i need a wifi dongle for this
  • vnc manager
  • hid attacks
  • duckhunter hid
  • bad usb mitm attack
  • mana wireless toolkit
  • mitm framework
  • nmap
  • metasploit payload generator
  • searchsploit
  • pineapple connector
  • wardriving (appears non functional to me)

# references
https://github.com/offensive-security/nethunter-LRT
https://www.reddit.com/r/NetHunter/comments/4igtq4/nethunter_installation_hanging/

building metasploitable 3

i’ve not used metasploitable before, so this is my first time with one of their vms

i understand that previous iterations were distributed pre-built, which one merely downloaded and started

unfortunately metasploitable 3 is built from the ground up, by downloading and installing win2k8 and then scripting the download, installation and configuration of everything thereafter

i experienced a few problems with this approach

  1. you have to install dependencies
  2. it takes a hell of a long time
  3. there is sometimes no feedback at all on how long a certain stage will take
  4. it downloads masses of stuff, and if one of those downloads is on a go-slow, you could be waiting a long, long time

example: i decided to try out metasploitable 3.  2 hours later i was still waiting to try out metasploitable 3 :/  it had taken a long time already, but now it was stuck on downloading ‘manage engine’ with no feedback other than the url.  i tried downloading the url in my browser, and saw the problem: estimated completion time for a 128MB download: 10 hours!  this is not a problem with my internet connection (i checked), it’s the server.  and for all i know it’s even throttling only the people (of which presumably there are a great many) who are building metasploitable 3, and who therefore are not even ‘real customers’, but sucking up their bandwidth

i ^C-ed and tried again with the last command, and to my amazement it recovered from where it left off. unfortunately it was still going to go incredibly slowly because of the server…

all in all… this way of doing things does not seem at all great

progress so far:

# following the document at…
https://github.com/rapid7/metasploitable3/blob/master/README.md

# install packer (note: ~/bin is already in my PATH via .bashrc)
https://www.packer.io/intro/getting-started/setup.html
https://www.packer.io/downloads.html
(select and download)
unzip packer*.zip
mv packer ~/bin

# install vagrant
https://www.vagrantup.com/downloads.html
(select and download)
sudo dpkg -i vagrant_1.9.1_x86_64.deb

# install vagrant-reload
https://github.com/aidanns/vagrant-reload#installation
vagrant plugin install vagrant-reload

# install and build metasploitable3
# note: the installation script barfed for me because it said i needed virtualbox 5.1.x+
# since i only had 5.0.24 and didn’t want to upgrade in case i broke something else, i simply
# modded the installation script to downgrade the minimum version required to what i actually had
# (seems to work fine, i had no errors at all)
git clone https://github.com/rapid7/metasploitable3.git
cd metasploitable3
./build_win2008.sh <– takes a long time

# at some point during the install it will spit out an address you can rdp to, to see what is going on
rdesktop 127.0.0.1:5977

# start the vm
vagrant up <– takes a VERY long time because of a slow download

…to be continued. right now the vm ‘seems to be working’ but i’ve got shaky confidence in whether everything installed ok, because of the long downloads, aborts, retries etc… i will happily take a pre-built image from somewhere if i can find one (although it’s not on vulnhub).  i don’t mind a dodgy backdoored copy, since i can just run it in a private virtualbox network

stegano banner ad malware

what interesting malware this is!

i guess it’s particularly interesting to me because of the stego aspect: my final year uni project was an app which could stuff hidden data into images (particularly animated gifs), with a slider-bar controlling the tradeoff between payload capacity and image quality, pre-injection.  various tricks were used to minimize distortion.  i wish i’d retained a copy of the source!

also the paranoid nature of stegano, and the researchers’ ability to dissect it anyway, makes me wonder how the reverse engineers are doing their jobs.  do they perhaps have to have a custom rootkit that hides all the vm and monitoring-related files/processes from the malware?

note: i later found out from a clever guy (jaanus kaap @ clarified security) who works with malware that it’s quite usual to reverse engineer the malware, find out where it is doing its checks, and simply bypass them…

modern av evasion with shellter

i’d used shikata-ga-nai and hyperion in the oscp labs with good effect, but in reality they are totally busted by modern and up-to-date AV

so i was pleased to be introduced to shellter.  i haven’t yet used it a lot, but it’s already the obvious choice for the future!

it can very effectively hide something from AV by taking any 32 bit payload and injecting it into any 32 bit PE.  in the training scenario i used it in (putty with a meterpreter revshell), virustotal counted 3 of about 50 AV engines detecting it, with 2 of those being suspected false positives.  amazing!

the two main use cases are:

  1. non-stealth mode: simply to get past AV and execute the payload (e.g. a privesc).  in this case the enveloping legit app is not executed, only the embedded evil app is
  2. stealth mode: perform a client-side attack without the target being any-the-wiser (e.g. trojan a legit app).  in this case the enveloping app works as intended, and the embedded evil app goes about its business in the background

in stealth mode, if a msfvenom payload is used, it must have EXITFUNC=thread, otherwise killing the established session will also kill the enveloping app

shellter seems to weave the evil app into the code of the original app, and also tries to run out the clock on an AV’s process monitoring sandbox

the website says it doesn’t make use of code caves, nor does it add/modify PE sections!  it’s funny how i’m just about to learn all about all that stuff in the osce, and yet they are already pretty much obsolete, it would seem.  still, it’s nice to get in at the ground level and build up – more complete knowledge that way

still, however good shellter is right now, you can bet your bottom dollar that AV engines will catch up, and new techniques will be needed.  how wonderful and interesting the world of computer security is!

hands on hacking essentials (hohe) @ clarified security

i attended hands-on hacking essentials training @ clarified security

the training was given by taavi sonets, and it lasted 2 days.  the other attendees were sysadmins and devs from larger companies

first on the menu was an introduction to hacking history, with some funny and scary stories thrown in

then it’s straight into some action!  they have a nice ‘scoring server’ which supplies targets and sub-goals with point values, gives hints (which subtract points), and into which one enters proofs.  you get extra points for being first in the group to complete a goal

i’d say there were 3 main parts to the course

first up is ‘old school’ hacking: no frameworks, no GUIs, basically no modern convenience tools – just command line.  having completed offensive security’s oscp course i’m very familiar with this style of penetration and its considerable frustrations, since that course aims to teach you the fundamentals and what’s ‘under the hood’ of all the niceties that are available nowadays.  i’ve been told that some professional penetration testers who were ‘raised’ solely on today’s convenience tools actually have trouble with the oscp because it’s so low level (relatively speaking)

next up is an introduction to modern tooling as applied to solitary targets – we’re talking metasploit and armitage.  i’d used the msfconsole only a handful of times before in the oscp, apart from reverse shell handling with meterpreter of course, because the oscp tells you to avoid it (and its use is heavily restricted in the exam, so better not to rely on them at all!). however, i had separately followed offensive security’s ‘metasploit unleashed’ free online course and played around, so i was in pretty familiar territory there

my first look at armitage was the day before the course, viewing the instructional videos created by the tool’s creator.  i was pretty blown away.  and it was 10x better to actually use the thing in the course and marvel at the convenience it affords.  sure, it’s got some bugs and idiosyncrasies, but it’s free, and is just generally awesome.  apparently it is a pita to manage its relationship with metasploit though, and end user fixups are sometimes needed to make them work properly together.  the same author also created ‘cobalt strike’, a pro (paid) tool designed for red teams which i’m told has no metasploit dependency AT ALL!  it’s worth pointing out that we didn’t cover armitage’s team support capabilities in this course.  this is probably covered on one of clarified’s more advanced courses, and using cobalt strike instead

the last part of the course lasted all of day 2, and was almost exclusively working with armitage to perform a network takeover of a phony company with 3 internal networks – the usual suspects of recon, exploitation of various sorts (remote, client side, watering hole, …), privilege escalation, evading or pwning firewalls, pivoting and port forwarding, network sniffing, credential extraction, pass-the-hash…  the other 10% was concerned with necessary support tools along the way for backdooring/trojaning, antivirus avoidance (modern avoidance that actually works well!), and so on.

so although i was familiar with pen testing ‘the old school way’, from rooting and looting 60 machines in the oscp, i picked up a heap of interesting and useful stuff from this course about more modern tooling

regarding the competitive aspect of the course, namely the points, i made many mistakes.  firstly, i did not ‘play to win’ at first.  i took one hint just to see how it would make the scoring server behave!  i took another one with a mis-click… more points lost.  i also got way ahead of the actual class instruction and took some hints because they were pretty much necessary in order to continue without instruction (for example the goal was vague enough that one could be ferreting around all over the place for hours trying to find a piece of information, whereas the hint narrowed it down nicely). the rest of the group were pretty much following along with the actual instruction, and so were getting spoon-fed answers – no hints required at all

on day two i started to play competitively, took only a few hints, and completed everything ahead of the game – racking up those bonus points for being first to achieve a goal, to offset the necessary hint cost.  i also managed to achieve a goal which apparently had not been completed by anybody else for about a year!  i was pleasantly surprised by that.  anyway, despite my game-playing not being totally on-point, i managed to get first place, and won a mug :-p

everybody agreed it was a great course: “eye opening”, “scary”, “fun”, “got what i came for”, “highly educational”, “very interesting”, etc.  people were generally in agreement that the course was quite fast-paced, which is a lot better than it being too slow

thanks to taavi and clarified security!

registration challenge for the osce

the osce has a registration challenge at fc4.me

there are two main parts to the challenge

the first part is to find a string that will let you log in, and should be trivial for just about anyone who works with computers

the second part is also trivial with an intuitive guess and some experience gained during the OSCP.  it also gave me an excuse to dig into some stuff i didn’t know, and which will no doubt be useful for the OSCE

i hope and trust that not finding the challenge at all taxing bodes well for me…  although i’m fine with it being damned hard too 😀

my experience of the pwk and oscp

in the pwk course they give you a pdf and some videos.  the pdf contains quite a few exercises to perform.  i probably spent 2 weeks just learning from the course material, doing exercises, and doing ‘extra mile’ learning based on ‘getting all interested’ in certain things and taking diversions.  i wasn’t in this just to pass the exam, i had a huge thirst on for ‘all the things’ related to penetration testing

then i started on the labs, which took about 6 weeks.  i fully compromised all 56 boxes in the 4 subnets.  it was amazingly good fun, crammed with nonstop interesting learning, with periods of maddening frustration.  sometimes the solution to a problem was very cunningly hidden, sometimes i just couldn’t see the wood for the trees for a while, and on one occasion i genuinely felt that a box simply wasn’t fair, hehe

i do love a challenge though, and i’ll simply persist until i win.  failure was not an option, and i knew i couldn’t leave the lab with even a single box unconquered, although i’ve read that some people take the exam after 20-30 machines.  as i said before, i wasn’t just in it for the letters after my name, i wanted to squeeze every drop of knowledge and goodness out of the experience that i could

after completing the labs i booked my exam, only to find that the nearest date was 3 weeks away!  i spent about a week re-penetrating all 56 machines and compiling my lab penetration test report.  i’ll say that this re-penetration was well worthwhile because on the second time around with a machine i was often able to refine my technique based on stuff i’d learned since the first

then i spent a week organizing my copious notes, compiling and playing with various exploits in the lab (mostly privescs), and creating a fresh kali VM with everything i needed for the exam installed on it, scripting it up in the process

in the last week before the exam i played around with tools like dradis and beef, did most of the ‘metasploit unleashed’ course, tarted up my course exercises document, ran through some drills that i thought would be useful for the exam, and started reading books on pen testing and social engineering

in the exam itself you get a variety of targets with points values. there are 100 points available in the exam and an extra 10 points available for documentation (5 for lab/exercises and 5 for the penetration test report).  you have to get at least 70/100 to pass. they don’t give out the scores, but i know i got 90/110.  i was a bit disappointed not to get full marks in the exam, but such is life, and the exam was tough

during the exam i got sucked into a few rabbit holes, and at one point i became concerned i wasn’t going to pass.  but i dug deep, gritted my teeth and just kept going. at the end of it i really felt a sense of accomplishment at having persisted so assiduously and overcome what seemed like impossible obstacles on occasion

it’s hard to describe how enjoyable and rewarding i found the oscp to be!

i’m now doing some prep study for the osce, which i aim to complete within 2 months

a brief look at beef

even though i’ve been using a kali for a while, i’d not gotten around to playing with beef (browser exploitation framework) because it simply didn’t work out of the box, and i had other stuff to do.  but i got around to it

first thing was to install a fresh copy:

# install and run beef
git clone https://github.com/beefproject/beef.git
cd beef
bundle install
./beef -x
http://127.0.0.1:3000/ui/panel
beef/beef

beef works by injecting control scripts into a browser, either by the victim visiting a malicious page, or being XSS-ed on a legit domain into biting on the ‘hook’

the browser stays hooked while on the same page, or on the same domain if you upgrade the hook.  control over the browser stops when the victim leaves the page/domain.  i’m not yet clear whether the hook persists and reactivates automatically when they revisit the same page/domain, or whether one would have to rehook them (with the same XSS, for example)

the hook in the victim’s browser polls the C&C server, getting new commands and sending responses to executed ones

some interesting ‘read only’ attacks i successfully carried out while the browser was hooked:

  • mine all the links on the victim’s loaded page
  • get cookies, localstorage content
  • get unsubmitted form field values, including autocompleted entries
    • my FF on kali had autofilled the page with credentials from another webapp, which beef promptly retrieved, which means i will shortly be turning autocompletion off on all my browsers
  • render the victim’s browser window content to the attacker, or show the html

some of the more aggressive attacks that worked were:

  • playing a sound
  • clickjacking with an invisible div that follows the cursor
  • rewriting or clickjacking hrefs on the page to go where one wants
  • redirecting the tab location
  • using the victim’s browser to issue web requests, and examining the responses (of course it sends the victim’s cookies along with the request)
  • some social engineering attacks of varying persuasiveness, but all were great as POCs
    • ‘clippy’ appearing in the bottom right of the screen saying the victim should upgrade by installing software
    • a facebook popup asking to re-enter credentials (probably a lot of people would fall for that if they were hooked on that domain)
    • redirect to an amazon look-alike page for entering credit card details

stuff that didn’t work so well:

  • get system info
    • => although this was a ‘green’ command, meaning it should be invisible to the victim, my browser showed me no less than 3 java applet warnings before it successfully executed. i doubt even my 90 year old gran would have clicked ‘OK’
  • get visited url(s) via timing attack
    • => made the hooked tab go batshit crazy
  • social engineering attacks that prompt the user to install a browser extension
    • => although the notification to install looked 80% legit, for FF at least, the world has moved on.  FF will now only install signed (by Mozilla) extensions after they have performed a security review. great stuff mozilla!

other stuff i didn’t try, or couldn’t get working:

  • using the victim’s browser to perpetrate exploits on various bits of hardware and software that i don’t possess
  • even though as victim i was perusing a page with forms on it, i couldn’t get xssrays to give me any output at all; i’ve no idea yet whether it’s broken or there just weren’t any xss on that page
  • i didn’t get into the ‘beef bind interactive shell’.  or, more accurately, i played around with it very briefly and it wasn’t intuitive enough that i got anything useful out of it.  some other time!

of course i was familiar with xss before, and had exploited browsers with it to gain shells via buffer overflow, but it’s quite remarkable what other stuff an attacker can do with your browser without your knowledge and consent after you get hit with one, and without any such critical browser vulnerability as a buffer overflow needing to be present

tcpdump for windows

i didn’t know about this cool tool before, so when i wanted to capture network traffic on a compromised machine i was often reduced to

  1. creating a temporary account with admin privs
  2. disabling the firewall
  3. fixing the registry to allow rdp
  4. rdp-ing in
  5. using a sniffing tool that required full installation of the winpcap drivers

hardly stealthy!

i normally used wireshark in the beginning.  there’s a wireshark portable, but that actually works by installing/uninstalling winpcap every time it’s used…

then there’s the command-line utility windump, but that also requires winpcap to be installed, and not only do i not want to have to install something, but i couldn’t find a command-line-only installer for winpcap anyway

enter https://www.microolap.com/products/network/tcpdump/

it has the necessary drivers precompiled into it, so you just transfer the exe and run it, then exfiltrate the cap back to kali and view it using your local wireshark (or whatever tool)

wonderful

# example usage
tcpdump -D (to get interface numbers to use with -i)
tcpdump -i 1 -w dump.pcap "not arp"