Monthly Archives: December 2015

Hack Naked TV: December 10, 2015

The lost episode! YouTube flagged this video as inappropriate, removed the video, and put our YouTube channel in bad standing. Now you can view the video for yourself, and see just how "bad" the content is to cause YouTube to flag us YET AGAIN for so-called "inappropriate" content. YET AGAIN, we have filed an appeal and are waiting to get our YouTube channel back in good standing. In the meantime, many features of our YouTube channel have been disabled, including the ability to upload videos longer than 15 minutes. This really puts a cramp in our style, and is an example of just how bad a job YouTube is doing policing videos and channels.

dnscat2 0.05: with tunnels!

Greetings, and I hope you're all having a great holiday!

My Christmas present to you, the community, is dnscat2 version 0.05!

Some of you will remember that I recently gave a talk at the SANS Hackfest Summit. At the talk, I mentioned some ideas for future plans. That's when Ed jumped on the stage and took a survey: which feature did the audience want most?

The winner? Tunneling TCP via a dnscat. So now you have it! Tunneling: Phase 1. :)

Info and downloads.

High-level

There isn't a ton to say about this feature, so this post won't be particularly long. I'll give a quick overview of how it works, how to use it, go into some quick implementation details, and, finally, talk about my future plans.

On a high level, this works exactly like ssh with the -L argument: when you set up a port forward in a dnscat2 session, the dnscat2 server will listen on a specified port. Say, port 2222. When a connection arrives on that port, the connection will be sent - via the dnscat2 session and out the dnscat2 client - to a specified server.

That's pretty much all there is to it. The user chooses which ports to listen on, and which server/port to connect to, and all connections are forwarded via the tunnel.

Let's look at how to use it!

Usage

Tunneling must be used within a dnscat2 session. So first you need one of those, no special options required:

(server)

# ruby ./dnscat2.rb
New window created: 0

[...]

dnscat2>

(client)

$ ./dnscat --dns="server=localhost,port=53"
Creating DNS driver:
 domain = (null)
 host   = 0.0.0.0
 port   = 53
 type   = TXT,CNAME,MX
 server = localhost

Encrypted session established! For added security, please verify the server also displays this string:

Encode Surfs Taking Spiced Finer Sonny

Session established!

We, of course, take the opportunity to validate the six words - "Encode Surfs Taking Spiced Finer Sonny" - to make sure nobody is performing a man-in-the-middle attack against us (considering this is directly to localhost, it's probably okay :) ).

Once you have a session set up, you want to tell the session to listen with the listen command:

New window created: 1
Session 1 security: ENCRYPTED BUT *NOT* VALIDATED
For added security, please ensure the client displays the same string:

>> Encode Surfs Taking Spiced Finer Sonny

dnscat2> session -i 1
[...]
dnscat2> listen 8080 www.google.com:80
Listening on 0.0.0.0:8080, sending connections to www.google.com:80

Now the dnscat2 server is listening on port 8080. It'll continue listening on that port until the session closes.

The dnscat2 client, however, has no idea what's happening yet! The client doesn't know what's happening until it's actually told to connect to something with a TUNNEL_CONNECT message (which will be discussed later).

Now we can connect to the server on port 8080 and request a page:

$ echo -ne 'HEAD / HTTP/1.0\r\n\r\n' | nc -vv localhost 8080
localhost [127.0.0.1] 8080 (http-alt) open
HTTP/1.0 200 OK
Date: Thu, 24 Dec 2015 16:28:27 GMT
Expires: -1
Cache-Control: private, max-age=0
[...]

On the server, we see the request going out:

command (ankh) 1> listen 8080 www.google.com:80
Listening on 0.0.0.0:8080, sending connections to www.google.com:80
command (ankh) 1>
Connection from 127.0.0.1:60480; forwarding to www.google.com:80...
[Tunnel 0] connection successful!
[Tunnel 0] closed by the other side: Server closed the connection!
Connection from 123.151.42.61:48904; forwarding to www.google.com:80...

And you also see very similar messages on the client:

Got a command: TUNNEL_CONNECT [request] :: request_id 0x0001 :: host www.google.com :: port 80
[[ WARNING ]] :: [Tunnel 0] connecting to www.google.com:80...
[[ WARNING ]] :: [Tunnel 0] connected to www.google.com:80!
[[ WARNING ]] :: [Tunnel 0] connection to www.google.com:80 closed by the server!

That's pretty much all you need to know! One more quick example:

To forward a ssh connection to an internal machine:

command (ankh) 1> listen 127.0.0.1:2222 192.168.1.100:22

Followed by ssh -p2222 root@localhost. That'll connect to 192.168.1.100 on port 22, via the dnscat client!

Stopping a session

I frequently used auto-commands while testing this feature:

ruby ./dnscat2.rb --dnsport=53531 --security=open --auto-attach --auto-command="listen 2222 www.javaop.com:22;listen 1234 www.google.ca:1234;listen 4444 localhost:5555" --packet-trace

The problem is that I'd connect with a client, hard-kill it with ctrl-c (so it doesn't tell the server it's gone), then start another one. When the second client connects, the server won't be able to listen anymore:

Listening on 0.0.0.0:4444, sending connections to localhost:5555
Sorry, that address:port is already in use: Address already in use - bind(2)

If you kill a session from the root window with the 'kill'
command, it will free the socket. You can get a list of which
sockets are being used with the 'tunnels' command!

I realize this is super awkward.. don't worry, it'll get
better next version! Stay tuned!

If you know which session is the problem, it's pretty easy.. just kill it from the main window (Window 0 - press ctrl-z to get there):

dnscat2> kill 1
Session 1 has been sent the kill signal!
Session 1 killed: No reason given

If you don't know which session it is, you have to go into each session and run tunnels to figure out which one is holding the port open:

dnscat2> session -i 1
[...]
command (ankh) 1> tunnels
Tunnel listening on 0.0.0.0:2222
Tunnel listening on 0.0.0.0:1234
Tunnel listening on 0.0.0.0:4444

Once that's done, you can either use the 'shutdown' command (if the session is still active) or go back to the main window and use the kill command.

I realize that's super awkward, and I have a plan to fix it. It's going to require some refactoring, though, and it won't be ready for a few more days. And I really wanted to get this release out before Christmas!

Implementation details

As usual, the implementation is documented in detail in the protocol.md and command_protocol.md docs.

Basically, I extended the "command protocol", which is the protocol that's used for commands like upload, download, ping, shell, exec, etc.

Traditionally, the command protocol was purely the server making a request and the client responding to the request. For example, "download /etc/passwd" "okay, here it is". However, the tunnel protocol works a bit differently, because either side can send a request.

Unfortunately, the client sending a request to the server, while it was something I'd planned and written code for, had a fatal flaw: there was no way to identify a request as a request, and therefore when the client sent a request to the server it had to rely on some rickety logic to determine if it was a request or not. As a result, I made a tough call: I broke compatibility by adding a one-bit "is a response?" field to the start of request_id - responses now have the left-most bit set of the request_id.

At any time - presumably when a connection comes in, but we'll see what the future holds! - the server can send a TUNNEL_CONNECT request to the client, which contains a hostname and port number. That tells the client to make a connection to that host:port, which it attempts to do. If the connection is successful, the client responds with a TUNNEL_CONNECT response, which simply contains the tunnel_id.

From then on, data can be sent in either direction using TUNNEL_DATA requests. This is the first time the client has been able to send a request to the server, and is also the first time a message was defined that doesn't have a response - neither side should (or can) respond to a TUNNEL_DATA message. Which is fine, because we have guaranteed delivery from lower level protocols.

When either side decides to terminate the connection, it sends a TUNNEL_CLOSE request, which contains a tunnel_id and a reason string.

One final implementation detail: tunnel_ids are local to a session.
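The following is an added example, not dnscat2's own code and not its real wire format (that is documented in protocol.md and command_protocol.md). It models the three tunnel messages described above with an assumed framing (16-bit request_id, 16-bit command_id, placeholder command ids, NUL-terminated strings, 16-bit ports) so that the one detail taken from the post, the "is a response?" flag in the left-most bit of request_id, can be seen doing its job: a receiver classifies a message by that bit alone, TUNNEL_DATA and TUNNEL_CLOSE get no reply, and tunnel ids are allocated per session.

```python
import struct

# Assumed illustrative framing (NOT dnscat2's exact wire format): a 16-bit
# request_id followed by a 16-bit command_id, then a command-specific body.
# The left-most bit of request_id marks a response, as described in the post.
IS_RESPONSE = 0x8000
REQUEST_ID_MASK = 0x7FFF
# Command ids are placeholders chosen for this example.
TUNNEL_CONNECT, TUNNEL_DATA, TUNNEL_CLOSE = 0x1000, 0x1001, 0x1002
NAMES = {TUNNEL_CONNECT: "TUNNEL_CONNECT", TUNNEL_DATA: "TUNNEL_DATA",
         TUNNEL_CLOSE: "TUNNEL_CLOSE"}


def pack_header(request_id, command_id, is_response):
    """Build the header; the flag bit is the only thing telling requests and responses apart."""
    if request_id & IS_RESPONSE:
        raise ValueError("request_id must leave the top bit clear")
    rid = request_id | (IS_RESPONSE if is_response else 0)
    return struct.pack(">HH", rid, command_id)


def _cstring(buf):
    """Split a NUL-terminated string off the front of buf."""
    s, _, rest = buf.partition(b"\x00")
    return s.decode(), rest


def tunnel_connect_request(request_id, host, port):
    return pack_header(request_id, TUNNEL_CONNECT, False) + host.encode() + b"\x00" + struct.pack(">H", port)


def tunnel_connect_response(request_id, tunnel_id):
    return pack_header(request_id, TUNNEL_CONNECT, True) + struct.pack(">H", tunnel_id)


def tunnel_data(request_id, tunnel_id, payload):
    # No response is ever sent for TUNNEL_DATA; delivery is guaranteed by the session layer.
    return pack_header(request_id, TUNNEL_DATA, False) + struct.pack(">H", tunnel_id) + payload


def tunnel_close(request_id, tunnel_id, reason):
    return pack_header(request_id, TUNNEL_CLOSE, False) + struct.pack(">H", tunnel_id) + reason.encode() + b"\x00"


def parse_message(buf):
    """Decode any of the three tunnel messages into a dict."""
    rid, cmd = struct.unpack(">HH", buf[:4])
    msg = {"command": NAMES[cmd], "request_id": rid & REQUEST_ID_MASK,
           "is_response": bool(rid & IS_RESPONSE)}
    body = buf[4:]
    if cmd == TUNNEL_CONNECT and not msg["is_response"]:
        msg["host"], rest = _cstring(body)
        msg["port"] = struct.unpack(">H", rest[:2])[0]
    elif cmd == TUNNEL_CONNECT:
        msg["tunnel_id"] = struct.unpack(">H", body[:2])[0]
    elif cmd == TUNNEL_DATA:
        msg["tunnel_id"] = struct.unpack(">H", body[:2])[0]
        msg["payload"] = body[2:]
    elif cmd == TUNNEL_CLOSE:
        msg["tunnel_id"] = struct.unpack(">H", body[:2])[0]
        msg["reason"], _ = _cstring(body[2:])
    return msg


class ClientSession:
    """Client side of one session: tunnel ids are allocated per session, starting at 0."""

    def __init__(self):
        self.next_tunnel_id = 0
        self.tunnels = {}          # tunnel_id -> (host, port)

    def handle(self, buf):
        """Return the response bytes for a request, or None when the message has no response."""
        msg = parse_message(buf)
        if msg["is_response"]:
            return None            # responses are never answered
        if msg["command"] == "TUNNEL_CONNECT":
            tid = self.next_tunnel_id
            self.next_tunnel_id += 1
            self.tunnels[tid] = (msg["host"], msg["port"])   # a real client would connect here
            return tunnel_connect_response(msg["request_id"], tid)
        if msg["command"] == "TUNNEL_CLOSE":
            self.tunnels.pop(msg["tunnel_id"], None)
        return None                # TUNNEL_DATA and TUNNEL_CLOSE carry no response
```

Because the flag lives in the request_id, a response reuses the request's id with the top bit set, which is why request ids in this model are limited to 15 bits; an implementation that forgets the mask when matching responses to outstanding requests would never see a match.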

Future plans

As I said at the start, I've implemented ssh -L. My next plans are to implement ssh -D (easysauce!) and ssh -R (hardersauce!). I also have some other fun ideas on what I can do with the tunnel protocol, so stay tuned for that. :)

The tricky part about ssh -R is keeping it secure. The client shouldn't be able to arbitrarily forward connections via the server - the server should be able to handle malicious clients securely, at least by default. Therefore, it's going to require some extra planning and architecting!

Conclusion

And yeah, that's pretty much it! As always, if you like this blog or the work I'm doing on dnscat2, you can support me on Patreon! Seriously, I have no ads or monetization on my site, and I spend more money on hosting password lists than I make off it, so if you wanna be awesome and help out, I really, really appreciate it! :)

And as always, I'm happy to answer questions or take feature requests! You're welcome to email me, reply to this blog, or file an issue on Github!

SANS Hackfest writeup: Hackers of Gravity

A few weeks ago, SANS hosted a private event at the Smithsonian's Air and Space Museum as part of SANS Hackfest. An evening in the Air and Space Museum just for us! And to sweeten the deal, they set up a scavenger hunt called "Hackers of Gravity" to work on while we were there!

We worked in small teams (I teamed up with Eric, who's also writing this blog with me). All they told us in advance was to bring a phone, so every part of this was solved with our phones and Google.

Each level began with an image, typically with a cipher embedded in it. After decoding the cipher, the solution and the image itself were used together to track down a related artifact.

This is a writeup of that scavenger hunt. :)

Challenge 1: Hacker of Tenacity

The order of the challenges was actually randomized, so this may not be the order that anybody else had (homework: there are 5040 possible orderings of challenges, and about 100 people attending; what are the odds that two people had the same order? The birthday paradox applies).

The first challenge was simply text:

Sometimes tenacity is enough to get through a difficult challenge. This Hacker of Gravity never gave up and even purposefully created discomfort to survive their challenge against gravity. Do you possess the tenacity to break this message? 

T05ZR1M0VEpPUlBXNlpTN081VVdHMjNGT0pQWEdaTEJPUlpRPT09PQ==

Based on the character set, we immediately recognized it as Base64. We found an online decoder and it decoded to:

ONYGS4TJORPW6ZS7O5UWG23FOJPXGZLBORZQ====

We recognized that as Base32 - Base64 will never have four "====" signs at the end, and Base32 typically only contains uppercase characters and numbers. (Quick plug: I'm currently working on Base32 support for dnscat2, which is another reason I quickly recognized it!)

Anyway, the Base32 version decoded to spirit_of_wicker_seats, and Eric recognized "Spirit" as a possible clue and searched for "Spirit of St Louis Wicker Seats", which revealed the following quote from the Wikipedia article on the Spirit of St. Louis: "The stiff wicker seat in the cockpit was also purposely uncomfortable".

The Spirit of St. Louis was one of the first planes we spotted, so we scanned the QR code and found the solution: lots_of_fuel_tanks!
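The Base64-then-Base32 recognition described above, as an added Python example that is not part of the writeup: guess_encoding applies the rules of thumb the text gives (more than two "=" can only be Base32; lowercase letters, the digits 0/1/8/9, "+" or "/" can only be Base64), and decode_chain keeps peeling layers until the output no longer looks encoded. The input string is the challenge text quoted above.

```python
import base64
import re

B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
B32_ALPHABET = re.compile(r"^[A-Z2-7]+={0,6}$")

CHALLENGE_1 = "T05ZR1M0VEpPUlBXNlpTN081VVdHMjNGT0pQWEdaTEJPUlpRPT09PQ=="


def guess_encoding(text):
    """Return 'base64', 'base32' or None using the writeup's rules of thumb.

    Base32 is checked first: its alphabet (A-Z, 2-7) is a subset of Base64's, so a
    string that fits Base32 and is a multiple of 8 long, or that ends in more than
    two '=' signs, is treated as Base32. Anything with lowercase, 0/1/8/9, '+' or
    '/' fails the Base32 test and falls through to the Base64 check.
    """
    s = text.strip()
    padding = len(s) - len(s.rstrip("="))
    if B32_ALPHABET.match(s) and (padding > 2 or len(s) % 8 == 0):
        return "base32"
    if B64_ALPHABET.match(s) and len(s) % 4 == 0:
        return "base64"
    return None


def decode_chain(text, max_depth=5):
    """Decode nested layers; each step is (encoding, decoded value).

    Stops when the guess fails, when the output is not printable ASCII (the last
    step then carries raw bytes), or after max_depth layers.
    """
    steps = []
    current = text
    for _ in range(max_depth):
        enc = guess_encoding(current)
        if enc is None:
            break
        raw = base64.b64decode(current) if enc == "base64" else base64.b32decode(current)
        try:
            decoded = raw.decode("ascii")
        except UnicodeDecodeError:
            steps.append((enc, raw))
            break
        if not decoded.isprintable():
            steps.append((enc, raw))
            break
        steps.append((enc, decoded))
        current = decoded
    return steps
```

The stopping rule matters more than the guesser: "spirit_of_wicker_seats" contains an underscore, which is in neither alphabet, so the loop halts there instead of feeding a plaintext flag back into a decoder.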

Challenge 2: Hacker of Navigation

We actually got stuck on the second challenge for a while, but eventually we got an idea of how these challenges tend to work, after which we came back to it.

We were given a fragment of a letter:

The museum archives have located part of a letter in an old storage locker from some previously lost collection. They'd REALLY like your help finding the author.

You'll note at the bottom-left corner it implies that "A = 50 degrees". We didn't notice that initially. :)

What we did notice was that the degrees were all a) multiples of 10, and b) below 260. That led us to believe that they were numbered letters, times ten (so A = 10, B = 20, C = 30, etc).

The numbers were: 100 50 80 90 80 100 50 230 120 130 190 180 130 230 240 50.

Dividing by 10 gives 10 5 8 9 8 10 5 23 12 13 19 18 13 23 24 5.

Converting that to the corresponding letters gave us JEHIH JEWLMSRMWXE. Clearly not an English sentence, but it looks like a cryptogram (JEHIH looks like "THERE" or "WHERE").

That's when we noticed the "A = 50" in the corner, and realized that things were probably shifted by 5. Instead of manually converting it, we found a shift cipher bruteforcer that we could use. The result was: FADED FASHIONISTA

Searching for "Faded Fashionista Air and Space" led us to this Smithsonian article: Amelia Earhart, Fashionista. Neither of us knew where her exhibit was, but eventually we tracked it down on the map and walked around it until we found her Lockheed Vega; the QR code scanned to amelias_vega.

Challenge 3: Hacker of Speed

This was an image of some folks ready to board a plane or something:

This super top secret photo has been censored. The security guys looked at this SO fast, maybe they missed something?

Because of the hint, we started looking for mistakes in the censoring and noticed that they're wearing boots that say "X-15":

We found pictures of the X-15 page on the museum's Web site and remembered seeing the plane on the 2nd floor. We reached the artifact and determined that the QR code read faster_than_superman.

Once we got to the artifact, we noticed that we hadn't broken the code yet. Looking carefully at the image, we saw the text at the bottom, nbdi_tjy_qpjou_tfwfo_uxp.

As an avid cryptogrammer, I recognized tfwfo as likely being "never". Since 'e' is one character before 'f', it seemed likely that it was a single shift ('b'->'a', 'c'->'b', etc). I mentally shifted the first couple letters of the sentence, and it looked right, so I did the entire string while Eric wrote it down: mach_six_point_seven_two.

The funny thing is, the word was "seven", not "never", but the "e"s still matched!

Challenge 4: Hacker of Design

While researching some physics based penetration testing, you find this interesting diagram. You feel like you've seen this device before... maybe somewhere or on something in the Air and Space museum?

The diagram reminded Eric of an engine he had seen on an earlier visit, and we found the artifact on the other side of the museum:

Unfortunately there was no QR code so we decided to work on decoding the challenge to discover the location of the artifact.

Now that we'd seen the hint on Challenge 2, we were more prepared for a diagram to help us! In this case, it was a drawing of an atom and the number "10". We concluded that the numbers probably referred to the atomic weight for elements on the periodic table, and converted them as such:

10=>Ne
74=>W
... and so on.

After decoding the full string, we ended up with:

new_plan_schwalbe

We actually made a mistake in decoding the string, but managed to find it anyway thanks to search autocorrect. :)

After searching for "schwalbe air and space", we found this article, which led us to the artifact: the Messerschmitt Me 262 A-1a Schwalbe (Swallow). The QR code scanned revealed the_swallow.

Challenge 5: Hacker of Distance

While at the bar, listening to some Dual Core, planning your next conference-fest with some fellow hackers, you find this interesting napkin. Your mind begins to wander. Why doesn't Dual Core have a GOLDEN RECORD?! Also, is this napkin trying to tell you something in a round-about way?

The hidden text on this one was obvious… morse code! Typing the code into a phone (not fun!), we ended up with .- -.. .- ... - .-. .- .--. . .-. .- ... .--. . .-. .-, which translates to ADASTRAPERASPERA

According to Google, that slogan is used by a thousand different organizations, none of which seemed to be space or air related. However, searching for "Golden Record Air and Space" returned several results for the Voyager space probe. We looked at our map and scurried to the exhibit on the other side of the museum:

Once we made it to the exhibit, finding the QR code was easy; scanning it revealed the_princess_is_in_another_castle. The decoy flag!

We tried searching keywords from the napkin but none of the results seemed promising. After a few frustrating minutes we saw the museum banquet director and asked him for help. He told us that the plane we were looking for was close to the start of the challenge, so we made a dash for the first floor and found the correct Voyager exhibit:

Scanning the QR code revealed the code, missing_canards.

Challenge 6: Hacker of Guidance

The sixth challenge gave us a map with some information:

You have intercepted this map that appears to target something. The allies would really like to know the location of the target. Also, they'd like to know what on Earth is at that location.

We immediately noticed the hex-encoded numbers on the left:

35342e3133383835322c
31332e373637373235

That decodes to 54.138852,13.767725. We googled the coordinates, and they turned out to be a location in Germany: Flughafenring, 17449 Peenemünde, Germany.

After many failed searches we tried "Peenemünde ww2 air and space", which led to a reference to the German V2 Rocket. Here is the exhibit and QR code:

Scanning the QR code revealed aggregat_4, the formal name for the V-2 rocket.

Challenge 7: Hacker of Coding

This is an image with a cipher on the right:

Your primary computer's 0.043MHz CPU is currently maxed out with other more important tasks, so converting all these books of source code to assembly is entirely up to you.

On the chalkboard is a cipher:

We couldn't remember what it was called, and ended up searching for "line dot cipher", which immediately identified it as a pigpen cipher. The pigpen cipher can be decoded with this graphic:

Essentially, you find the shape containing the letter that corresponds to the shape in that graphic. So, the first letter is ">" on the chalkboard, which maps to 'T'. The second is the upper three quarters of a square, which matches up with 'H', and the third is a square, which matches to E. And so on.

Initially we found a version that didn't map to the proper English characters, and translated it to:

Later, we did it right and found the text "THE BEST SHIP TO COME DOWN THE LINE"

To find the artifact, we googled "0.043MHz", and immediately discovered it was "Apollo 11".

The QR code scanned to the_eleventh_apollo

And that's it!

And that's the end of the cipher portion of the challenge! We were first place by only a few minutes. :)

The last part of the challenge involved throwing wood airplanes. Because our plane didn't go backwards, it wasn't the worst, but it's nothing to write home about!

But in the end, it was a really cool way to see a bunch of artifacts and also break some codes!

XXX is Angler EK

Snipshot of MonterAV Affiliate

As I got many questions about an EK named XXX (which is said to be better than Angler ;) ), I decided to share some data here.

XXX Control Panel
Login Page.

XXX is Angler EK (it's the real name of its most documented instance, at least).

Angler EK / XXX: IE-exploit-only stats on 2015-07-25
(for some reason Flash exploits were not activated on that thread)
Note the Chase logo >> JPMorgan >> Cool EK's exploit buyer ;)

You might want to read "The Transition - "Reveton Team" or "Mr.J/Monster AV"" from Paunch's arrest...The end of an Era! (2013-10-11). That is where I first wrote down the name chosen by defenders for this exploit kit. The name was chosen after a logo from the Reveton affiliate.

Snipshot of "The Transition" after Paunch's Arrest

But Angler was around before the Reveton team started to use it.

Here is one used against Ukrainians that I captured in August 2013:

2013-08-27 - Exploit Kit unknown to me at that time
Ancestor of Angler EK as we know it
[Payload here is most probably Lurk]
when the Reveton team was still on Cool EK. It appears that instance already had fileless capabilities.

A Russian researcher friend connected that instance back to this Securelist post from 2012-03-16: A unique ‘bodiless’ bot attacks news site visitors.

So the (c) 2010 at the bottom of the control panel is probably... the real birth year of Angler.

This indexm.html variant of Angler EK is most probably still being used in RU/UA and was one of the early adopters of CVE-2015-0311 (a Flash 0day from January), before many "standard" instances of Angler. There were still Java exploits inside in March:

2015-01-27 - Angler EK "indexm" exploiting CVE-2015-2551 and firing Java exploits
[Payload here is most probably Lurk]

Angler EK was briefly mentioned (translation here) as part of a "partnerka" by a user with the nickname Menatep in February 2014.

Conclusion: XXX is what we call Angler EK, and Angler EK (the indexm instance) is not that young!

Files: 2 Fiddler passes of Angler EK "indexm" from 2013 and 2015 (password: malware)

Read More :
Police Locker land on Android Devices - 2014-05-04
Paunch's arrest...The end of an Era ! - 2013-10-11
Crimeware Author Funds Exploit Buying Spree - 2013-01-07 - KrebsOnSecurity
Cool Exploit Kit - A new Browser Exploit Pack on the Battlefield with a "Duqu" like font drop - 2012-10-09
A unique ‘bodiless’ bot attacks news site visitors - 2012-03-16 - Sergey Golovanov - Securelist

Post publication Reading :
Russian hacker gang arrested over $25m theft - 2016-06-02 - BBC News [Cf Lurk]
Is it the End of Angler ? - 2016-06-11
How we helped to catch one of the most dangerous gangs of financial cybercriminals - 2016-08-30 - SecureList

Hack Naked TV – December 4, 2015 – The Banned Episode


CVE-2015-8446 (Flash up to 19.0.0.245) And Exploit Kits


One week after the patch, Flash 19.0.0.245 is being exploited by Angler EK via CVE-2015-8446.

Angler EK :
2015-12-14
CVE identification by Anton Ivanov (Kaspersky) and FireEye (Thanks!)
Angler EK exploiting Flash 19.0.0.245 via CVE-2015-8446
2015-12-14

Sample in that pass : b5920eef8a3e193e0fc492c603a30aaf
Samples from other Angler EK instances: 0615fb9e037b7bf717cc9b04708e51da 720089b93a0f2bb2a72f1166430de522

Fiddler sent to VT.
(Not replayable. You know how to contact me to land on live instances. I might not reply to mail coming from gmail, live, yahoo etc. mailboxes.)

Off topic: in that pass, Bedep BuildID 5004 is loaded in memory and then grabs those 2 DLLs in a stream:
f5c1a676166fe3472e6c993faee42b34
d65f155381d26f8ddfa304c83b1ad95a (Credential Stealer)
and after that performs ad fraud.

The last safe version of Flash against commercial exploit kits was 19.0.0.226, which fixed CVE-2015-7645.

Post publication readings :
(Google Translate) Angler EK latest CVE-2015-8446 Flash Exploit analysis - 2015-12-19 - Qihoo360

Hack Naked TV: December 2, 2015

Welcome to another episode of Hack Naked TV, recorded December 2nd, 2015. Today Aaron talks about the Dell root certificate fiasco, hacking back being reviewed by the government, the LANDesk breach, new tool releases, and more!

For a full list of stories, visit our wiki here.

MASSCAN Web Interface

A couple of weeks ago, we had the opportunity to scan and map a large IP address space covering just over 3 million hosts. Our tool of choice for this was the fast and capable masscan, which is packaged in Kali. While masscan has several convenient output formats, such as binary and XML, one feature we were missing was an easy way to search our results. We quickly whipped up a little web interface that would allow us to import and search within a masscan XML output file. This proved very useful for us: once we identified a specific vulnerable pattern on a machine, we could easily cross-reference that pattern across the millions of discovered hosts in our database.
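The import-and-search workflow described above, as an added Python example (this is not the web interface's own code). It parses a constructed sample in the shape of masscan's nmap-style XML output (host, address, ports, port, state elements), loads the rows into SQLite, and answers the kind of question the post describes: which hosts have a given port open, or a banner matching a pattern. The banner placement (a `banner` attribute or a `<banner>` child of `<service>`) is an assumption, so the parser accepts either; the query is parameterised because search terms in such a tool come straight from the user.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample resembling masscan's XML output; addresses are documentation-range.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="masscan" start="1449000000" version="1.0-BETA">
<scaninfo type="syn" protocol="tcp"/>
<host endtime="1449000001"><address addr="203.0.113.5" addrtype="ipv4"/><ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="52"/><service name="ssh" banner="SSH-2.0-OpenSSH_5.3"/></port></ports></host>
<host endtime="1449000002"><address addr="203.0.113.9" addrtype="ipv4"/><ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="48"/></port></ports></host>
<host endtime="1449000003"><address addr="203.0.113.17" addrtype="ipv4"/><ports><port protocol="tcp" portid="443"><state state="open" reason="syn-ack" reason_ttl="57"/><service name="ssl"><banner>TLS/1.1 cipher:0xc014</banner></service></port></ports></host>
</nmaprun>
"""


def parse_masscan_xml(text):
    """Flatten the XML into (ip, proto, port, state, banner) rows."""
    rows = []
    root = ET.fromstring(text)
    for host in root.iter("host"):
        addr = host.find("address")
        ip = addr.get("addr") if addr is not None else None
        for port in host.iter("port"):
            state = port.find("state")
            service = port.find("service")
            banner = ""
            if service is not None:   # attribute form or child-element form, whichever is present
                banner = service.get("banner") or (service.findtext("banner") or "")
            rows.append((ip, port.get("protocol"), int(port.get("portid")),
                         state.get("state") if state is not None else None, banner))
    return rows


def load_results(rows):
    """Load rows into an in-memory SQLite table indexed on port (the common search key)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE results (ip TEXT, proto TEXT, port INTEGER, state TEXT, banner TEXT)")
    conn.execute("CREATE INDEX idx_port ON results(port)")
    conn.executemany("INSERT INTO results VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def search(conn, port=None, banner_like=None):
    """Return open hosts matching the filters; bound parameters, never string-built SQL."""
    clauses, params = ["state = 'open'"], []
    if port is not None:
        clauses.append("port = ?")
        params.append(port)
    if banner_like is not None:
        clauses.append("banner LIKE ?")
        params.append(f"%{banner_like}%")
    sql = "SELECT DISTINCT ip FROM results WHERE " + " AND ".join(clauses) + " ORDER BY ip"
    return [row[0] for row in conn.execute(sql, params)]
```

At the scale the post mentions (millions of hosts) the index on port is what makes "everything with port X open" interactive; a banner substring search still scans the table, which is acceptable for an ad-hoc tool but worth knowing before pointing it at a full-Internet result set.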

Nuclear Pack loads a fileless CVE-2014-4113 Exploit

Yesterday's Nymaim spam campaign was also redirecting to Nuclear Pack.
Unsurprisingly, the sample (592899e0eb3c06fb9fda59d03e4b5b53) dropped by Nuclear is the same as the fake update that was offered.

But there was an additional 11kb payload call for which I could not find a sample on the drive.

Nuclear Pack dropping Nymaim in the 2015-11-30 Spam Campaign
It was also unusually encoded with two XOR passes, and the first part of the decoded stream is shellcode.

Friends (who don't want to be mentioned) figured out that a privilege escalation was in use there:

According to Kaspersky and Timo Hirvonen (F-Secure), it's CVE-2014-4113 (Win32k.sys Elevation of Privilege Vulnerability).

I did not get to see the privilege escalation in live conditions.

Note: it's not the first time a public exploit kit has integrated an exploit to escalate privileges for the dropped payload (cf. CVE-2015-2426 in Magnitude).

Files: Fiddler and DLL here (password is malware - XOR keys: 56774347426F664767 then 213404052d09212031)
Thanks: Kaspersky, Timo Hirvonen, Malc0de and 2 other friends for taking some time and using their wizardry on this.
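An added Python example for undoing the two-pass XOR encoding mentioned above; it is not the post's own tooling. It uses the two keys the post gives, assumes each pass is a plain repeating-key XOR applied in the stated order, and runs on constructed bytes. It also shows a point worth knowing when you meet this scheme in a sample: because both keys are 9 bytes long, the two passes collapse into a single 9-byte repeating key, so the second pass adds no strength.

```python
from math import lcm

# Keys as given in the post, in the order the post lists them.
XOR_KEYS = (bytes.fromhex("56774347426F664767"), bytes.fromhex("213404052d09212031"))


def xor_repeating(data, key):
    """Repeating-key XOR: byte i of data is XORed with key[i mod len(key)]."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def two_pass_xor(data, keys=XOR_KEYS):
    """Apply each key in turn. XOR is its own inverse, so the same function decodes
    an encoded stream; strictly, decoding applies the keys in reverse order."""
    for key in keys:
        data = xor_repeating(data, key)
    return data


def combined_key(keys=XOR_KEYS):
    """Fold several repeating-key passes into one key of length lcm(len_1, ..., len_n).

    Encoding a block of zero bytes yields the effective key directly, since 0 ^ k = k.
    """
    n = 1
    for key in keys:
        n = lcm(n, len(key))
    return two_pass_xor(bytes(n), keys)


def decode_stream(encoded, keys=XOR_KEYS):
    """Recover the plaintext stream from a sample encoded with the two passes."""
    return two_pass_xor(encoded, tuple(reversed(keys)))
```

In the post's case the effective key is simply the byte-wise XOR of the two listed keys; checking that the folded single-key decode matches the two-pass decode is a cheap way to confirm you have transcribed both keys correctly before looking at the shellcode that the post says begins the decoded stream.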

Read More :
An Analysis of A Windows Kernel-Mode Vulnerability (CVE-2014-4113) - 2014-10-29 - TrendMicro