This is default featured slide 1 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

This is default featured slide 2 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

This is default featured slide 3 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

This is default featured slide 4 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

This is default featured slide 5 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

Showing posts with label Webserver. Show all posts
Showing posts with label Webserver. Show all posts

BeRoot - Windows Privilege Escalation Tool

April 18, 2017  , , , , , , , , , ,  


BeRoot(s) is a post exploitation tool to check commun Windows misconfigurations to find a way to escalate our privilege. 

A compiled version is available here.

It will be added to the pupy project as a post exploitation module (so it will be executed all in memory without touching the disk).

Except one method, this tool is only used to detect and not to exploit. If something is found, templates could be used to exploit it. To use it, just create a test.bat file located next to the service / DLL used. It should execute it once called. Depending on the Redistributable Packages installed on the target host, these binaries may not work.

Run it
|====================================================================|
|                                                                    |
|                    Windows Privilege Escalation                    |
|                                                                    |
|                          ! BANG BANG !                             |
|                                                                    |
|====================================================================|


usage: beRoot.exe [-h] [-l] [-w] [-c CMD]

Windows Privilege Escalation

optional arguments:
  -h, --help         show this help message and exit
  -l, --list         list all softwares installed (not run by default)
  -w, --write        write output
  -c CMD, --cmd CMD  cmd to execute for the webclient check (default: whoami)
All detection methods are described on the following document.

Path containing space without quotes
Consider the following file path:
C:\Program Files\Some Test\binary.exe
If the path contains spaces and no quotes, Windows would try to locate and execute programs in the following order:
C:\Program.exe
C:\Program Files\Some.exe
C:\Program Files\Some Folder\binary.exe
Following this example, if "C:\" folder is writeable, it would be possible to create a malicious executable binary called "Program.exe". If "binary.exe" run with high privilege, it could be a good way to escalate our privilege.
Note: BeRoot realized these checks on every service path, scheduled tasks and startup keys located in HKLM.
How to exploit:

The vulnerable path runs as:
  • a service: create a malicious service (or compile the service template)
  • a classic executable: Create your own executable.

Writeable directory
Consider the following file path:
C:\Program Files\Some Test\binary.exe
If the root directory of "binary.exe" is writeable ("C:\Program Files\Some Test") and run with high privilege, it could be used to elevate our privileges.
Note: BeRoot realized these checks on every service path, scheduled tasks and startup keys located in HKLM.
How to exploit:
  • The service is not running:
    • Replace the legitimate service by our own, restart it or check how it's triggered (at reboot, when another process is started, etc.).
  • The service is running and could not be stopped:
    • Most exploitation will be like that, checks for dll hijacking and try to restart the service using previous technics.

Writeable directory on %PATH%
This technic affects the following Windows version:
6.0  =>  Windows Vista / Windows Server 2008
6.1  =>  Windows 7 / Windows Server 2008 R2
6.2  =>  Windows 8 / Windows Server 2012
On a classic Windows installation, when DLLs are loaded by a binary, Windows would try to locate it using these following steps:
- Directory where the binary is located
- C:\Windows\System32
- C:\Windows\System
- C:\Windows\
- Current directory where the binary has been launched
- Directory present in %PATH% environment variable
If a directory on the %PATH% variable is writeable, it would be possible to realize DLL hijacking attacks. Then, the goal would be to find a service which loads a DLL not present on each of these path. This is the case of the default "IKEEXT" service which loads the inexistant "wlbsctrl.dll".
How to exploit: Create a malicious DLL called "wlbsctrl.dll" (use the DLL template) and add it to the writeable path listed on the %PATH% variable. Start the service "IKEEXT". To start the IKEEXT service without high privilege, a technic describe on the french magazine MISC 90 explains the following method:
Create a file as following:
C:\Users\bob\Desktop>type test.txt
[IKEEXTPOC]
MEDIA=rastapi
Port=VPN2-0
Device=Wan Miniport (IKEv2)
DEVICE=vpn
PhoneNumber=127.0.0.1
Use the "rasdial" binary to start the IKEEXT service. Even if the connection failed, the service should have been started.
C:\Users\bob\Desktop>rasdial IKEEXTPOC test test /PHONEBOOK:test.txt

MS16-075
For French user, I recommend the article written on the MISC 90 which explain in details how it works.
This vulnerability has been corrected by Microsoft with MS16-075, however many servers are still vulnerable to this kind of attack. I have been inspired from the C++ POC available here
Here are some explaination (not in details):
  1. Start Webclient service (used to connect to some shares) using some magic tricks (using its UUID)
  2. Start an HTTP server locally
  3. Find a service which will be used to trigger a SYSTEM NTLM hash.
  4. Enable file tracing on this service modifying its registry key to point to our webserver (\\127.0.0.1@port\tracing)
  5. Start this service
  6. Our HTTP Server start a negotiation to get the SYSTEM NTLM hash
  7. Use of this hash with SMB to execute our custom payload (SMBrelayx has been modify to realize this action)
  8. Clean everything (stop the service, clean the regritry, etc.).
How to exploit: BeRoot realize this exploitation, change the "-c" option to execute custom command on the vulnerable host.
beRoot.exe -c "net user Zapata LaLuchaSigue /add"
beRoot.exe -c "net localgroup Administrators Zapata /add"

AlwaysInstallElevated registry key
AlwaysInstallElevated is a setting that allows non-privileged users the ability to run Microsoft Windows Installer Package Files (MSI) with elevated (SYSTEM) permissions. To allow it, two registry entries have to be set to 1:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
How to exploit: create a malicious msi binary and execute it.

Unattended Install files
This file contains all the configuration settings that were set during the installation process, some of which can include the configuration of local accounts including Administrator accounts. These files are available on these following path:
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattended.xml
C:\Windows\Panther\Unattend\Unattended.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\System32\Sysprep\unattend.xml 
C:\Windows\System32\Sysprep\Panther\unattend.xml
How to exploit: open the unattend.xml file to check if passwords are present on it. Should looks like:
<UserAccounts>
    <LocalAccounts>
        <LocalAccount>
            <Password>
                <Value>RmFrZVBhc3N3MHJk</Value>
                <PlainText>false</PlainText>
            </Password>
            <Description>Local Administrator</Description>
            <DisplayName>Administrator</DisplayName>
            <Group>Administrators</Group>
            <Name>Administrator</Name>
        </LocalAccount>
    </LocalAccounts>
</UserAccounts>

Other possible misconfigurations
Other tests are realized to check if it's possible to:
  • Modify an existing service
  • Create a new service
  • Modify a startup key (on HKLM)
  • Modify directory where all scheduled tasks are stored: "C:\Windows\system32\Tasks"

Special thanks

Read More

BrainDamage - A fully featured backdoor that uses Telegram as a C&C server

March 15, 2017  , , , , , , , , , , , , ,  


A python based backdoor which uses Telegram as C&C server.

                           /\
                          /_.\
                    _,.-'/ `",\'-.,_
                 -~^    /______\`~~-^~:

  ____            _       _____                                   
 |  _ \          (_)     |  __ \                                  
 | |_) |_ __ __ _ _ _ __ | |  | | __ _ _ __ ___   __ _  __ _  ___ 
 |  _ <| '__/ _` | | '_ \| |  | |/ _` | '_ ` _ \ / _` |/ _` |/ _ \
 | |_) | | | (_| | | | | | |__| | (_| | | | | | | (_| | (_| |  __/
 |____/|_|  \__,_|_|_| |_|_____/ \__,_|_| |_| |_|\__,_|\__, |\___|
                                                        __/ |     
                                                       |___/      

--> Coded by: Mehul Jain(mehulj94@gmail.com)
--> Github: https://github.com/mehulj94
--> Twitter: https://twitter.com/wayfarermj
--> For windows only

  ______         _                       
 |  ____|       | |                      
 | |__ ___  __ _| |_ _   _ _ __ ___  ___ 
 |  __/ _ \/ _` | __| | | | '__/ _ \/ __|
 | | |  __/ (_| | |_| |_| | | |  __/\__ \
 |_|  \___|\__,_|\__|\__,_|_|  \___||___/
                                         

--> Persistance
--> USB spreading
--> Port Scanner
--> Router Finder
--> Run shell commands
--> Keylogger
--> Insert keystrokes
--> Record audio
--> Webserver
--> Screenshot logging
--> Download files in the host
--> Execute shutdown, restart, logoff, lock
--> Send drive tree structure
--> Set email template
--> Rename Files
--> Change wallpaper
--> Open website
--> Send Password for
    • Chrome
    • Mozilla
    • Filezilla
    • Core FTP
    • CyberDuck
    • FTPNavigator
    • WinSCP
    • Outlook
    • Putty
    • Skype
    • Generic Network
--> Cookie stealer
--> Send active windows
--> Gather system information
    • Drives list
    • Internal and External IP
    • Ipconfig /all output
    • Platform

Setup
  • Telegram setup:
    • Install Telegram app and search for "BOTFATHER".
    • Type /help to see all possible commands.
    • Click on or type /newbot to create a new bot.
    • Name your bot.
    • You should see a new API token generated for it.
  • Dedicated Gmail account. Remember to check "allow connection from less secure apps" in gmail settings.
  • Set access_token in eclipse.py to token given by the botfather.
  • Set CHAT_ID in eclipse.py. Send a message from the app and use the telegram api to get this chat id.
bot.getMe() will give output {'first_name': 'Your Bot', 'username': 'YourBot', 'id': 123456789}
  • Set copied_startup_filename in Eclipse.py.
  • Set Gmail password and Username in /Breathe/SendData.py

Abilities
  • whoisonline- list active slaves
    This command will list all the active slaves.
  • destroy- delete&clean up
    This command will remove the stub from host and will remove registry entries.
  • cmd- execute command on CMD
    Run shell commands on host
  • download- url (startup, desktop, default)
    This will download files in the host computer.
  • execute- shutdown, restart, logoff, lock
    Execute the following commands
  • screenshot- take screenshot
    Take screenshot of the host of computer.
  • send- passwords, drivetree, driveslist, keystrokes, openwindows
    This command will sends passwords (saved browser passwords, FTP, Putty..), directory tree of host (upto level 2), logged keystrokes and windows which are currently open
  • set- email (0:Default,1:URL,2:Update), filename (0: Itself, 1: Others), keystrokes (text)
    This command can set email template (default, download from url, update current template with text you'll send), rename filenames or insert keystrokes in host.
  • start- website (URL), keylogger, recaudio (time), webserver (Port), spread
    This command can open website, start keylogger, record audio, start webserver, USB Spreading
  • stop- keylogger, webserver
    This command will stop keylogger or webserver
  • wallpaper- change wallpaper (URL)
    Changes wallpaper of host computer
  • find- openports (host, threads, ports), router
    This command will find open ports and the router the host is using
  • help- print this usage

Requirements

Screenshots






For educational purposes only, use at your own responsibility.


Read More

filtron - Filtering reverse HTTP proxy

March 10, 2017  , , , , ,  



Reverse HTTP proxy to filter requests by different rules. Can be used between production webserver and the application server to prevent abuse of the application backend.
The original purpose of this program was to defend searx , but it can be used to guard any web application.

Installation and setup 
$ go get github.com/asciimoo/filtron
$ "$GOPATH/bin/filtron" --help

Rules
A rule has two required attributes: name and actions
A rule can contain all of the following attributes:
  • limit integer - Defines how many matching requests allowed to access the application within interval seconds. (Can be omitted if 0 )
  • interval integer - Time range in seconds to reset rule numbers (Can be omitted if limit is 0 )
  • filters list of selectors
  • aggregations list of selectors (if filters specified it activates only in case of the filter matches)
  • subrules list of rules (if filters specified it activates only in case of the filter matches)
  • disabled bool - Disable a rule (default is false )
  • stop bool - Finish request validation immediately and skip remaining rules (default is false )
JSON representation of a rule: 
{
    "name": "example rule",
    "interval": 60,
    "limit": 10,
    "filters": ["GET:q", "Header:User-Agent=^curl"],
    "actions": [
        {"name": "log",
         "params": {"destination": "stderr"}},
        {"name": "block",
         "params": {"message": "Not allowed"}}
     ]
}
Explanation: Allow only 10 requests a minute where q represented as GET parameter and the user agent header starts with curl . Request is logged to STDERR and blocked with a custom error message if limit is exceeded. See more examples here .

actions
Rule's actions are sequentially activated if a request exceeds rule's limit
Note: Only the rule's first action will be executed that serves custom response

Currently implemented actions

log
Log the request

block
Serve HTTP 429 response instead of passing the request to the application

shell
Execute a shell command. cmd (string) and args (list of selectors) are required params (Example: {"name": "shell", "params": {"cmd": "echo %v is the IP", "args": ["IP"]}} )

filters
If all the selectors found, it increments a counter. Rule blocks the request if counter reaches limit

aggregations
Counts the values returned by selectors. Rule blocks the request if any value's number reaches limit

subrules
Each rule can contain any number of subrules. Activates on parent rule's filter match.

Selectors
Request's different parts can be extracted using selector expressions.
Selectors are strings that can match any attribute of a HTTP request with the following syntax: 
[!]RequestAttribute[:SubAttribute][=Regex]
  • ! can negate the selector
  • RequestAttribute (required) selects specific part of a request - possible values:
    • Single value
      • IP
      • Host
      • Path
      • Method
    • Multiple values
      • GET
      • POST
      • Param - it is an alias for both GET and POST
      • Cookie
      • Header
  • SubAttribute if RequestAttribute is not a single value, this can specify the inner attribute
  • Regex regular expression to filter the selected attributes value

Examples
IP returns the client's IP address
GET:x returns the x GET parameter if exists
!Header:Accept-Language returns true if there is no Accept-Language HTTP header
Path=^/(x|y)$ matches if the path is /x or /y

API
Filtron can be configured through its REST API which listens on 127.0.0.1:4005 by default.

API endpoints

/rules
Loaded rules in JSON format

/rules/reload
Reload the rule file specified at startup


Read More

[Malcom] Malware Communication Analyzer

August 20, 2013  , , , , , , ,  


Malcom is a tool designed to analyze a system's network communication using graphical representations of network traffic. This comes handy when analyzing how certain malware species try to communicate with the outside world.

Malcom can help you:
  • detect central command and control (C&C) servers
  • understand peer-to-peer networks
  • observe DNS fast-flux infrastructures
  • quickly determine if a network artifact is 'known-bad'

The aim of Malcom is to make malware analysis and intel gathering faster by providing a human-readable version of network traffic originating from a given host or network. Convert network traffic information to actionable intelligence faster.

Check the wiki for a Quickstart and some nice screenshots.

In the near future, it will also become a collaborative tool (coming soon!)

Read More
Subscribe to: Posts (Atom)