Blog

A new look at null sessions and user enumeration

Hello. TL;DR: I think I found three new ways to do user enumeration on Windows domain controllers, and I wrote some scripts for it. Over the years, I have often used the NULL session vulnerability to enumerate lists of users, groups, shares and other interesting information from remote Windows systems. For the uninitiated, Windows exposes several administrative and hidden shares via SMB by default. Some of these shares allow one to access the complete storage device on remote systems. For example, C$ will allow one to access the C drive. Another share, Admin$, allows one to access the Windows installation directory. To be able to mount these shares, however, one needs to be an administrator on the remote system.

Cracking Efficiency Measurements & Common Substring Attack

This was an epic week for password cracking, we had lots of new hashes and lots of competition to see who could crack the most the fastest. BLUF: I put together a cracking technique, and tested it against other techniques, generating some insight into the best performing cracking techniques. Rockyou with hob064 rules won, but my technique came a close second, and had a faster crack speed. Get the script here.

Linux Heap Exploitation Intro Series: Set you free() – part 1

Intro (part 1) Hello and welcome to the final post of our Intro to exploitation series! We have learned the basics about how memory management works in the ptmalloc2 allocator. It was a basic but sufficient approach to have a good starting point. However, there are a few concepts and attack scenarios that, due to the large amount of information already available about them, I have kept my distance from: “unsafe unlink”, “malloc (des)maleficarum” and similar techniques. These were either not basic enough or outdated, and I wanted to learn and note down the most basic and well-known exploit primitives: use-after-invalidation (incl. use-after-free), overflows (incl. off-by-one) and double-free.

tip toeing past android 7’s network security configuration

In late Jan, someone opened a GitHub issue in the objection repository about Android 7’s Network Security Configuration. The issue author included a blog post from the NCC Group about this very topic which included some very helpful bits of information (which you should totally read). Naturally, I wanted to enhance objection to be able to get past this new security feature, so the testing began. I installed a Burp CA as one would normally do for assessments, as well as a small test application with certificate pinning disabled, and quickly realised that literally no network traffic was passing through. Inspecting the output of adb logcat, one would see messages such as the following for our failed requests:

Fixing up Net-Creds

TL;DR: I fixed up net-creds and MITMf to solve the CHALLENGE NOT FOUND bug. A while back on an internal assessment, I was having a hard time getting a high-privileged user account. This was the third assessment SensePost had done for the client, and they had implemented several of our recommendations. In particular, Responder wasn’t providing me with any hashes even though I was connected to the same network segment as several users, including some administrators. The client has a strict policy of only using the latest operating systems, i.e. Windows 10, and had disabled NBNS and LLMNR.

5 Min Security: Popular Phishing Techniques in 2017/2018

This article is for non-technical people who want to keep themselves and their companies safe from realistic threats. Short and sweet. In 2017 we saw a number of phishing techniques used successfully. This was largely due to the release of a handful of highly effective methods which are still being used. In this article we’ll cover what these are.

Dynamic Data Exchange (DDE) Payloads – CVE-2017-0199 / CVE-2017-8759

A technique that results in remote access without the use of macros. DDE is a protocol in MS Office products which allows applications to share data between each other. Some functions provided by this protocol allow the execution of commands, which can be abused by attackers to download malware.

Linux Heap Exploitation Intro Series: Riding free on the heap – Double free attacks!

Intro Hello again and welcome to the third post of our series. On today’s blog post we are going to see what a double free() is and how we can abuse it. We are also going to take advantage of leaks that happen when doing double free()s and see some examples of code execution using said leaks – we are making our execution ride on frees! As a last note, we are going to step things up a notch in this blog post and we are going to be using gdb, as it will be crucial from now on. Sadly, ASCII art doesn’t cut it anymore.

building the bsidescpt17 rfchallenge

In this post I want to talk a little about the BSides Cape Town 17 RFCat challenge and how I went about trying to build a challenge for it. Unfortunately I was not able to attend the con itself, but still had the privilege to contribute in some way! The first question you may have could be: “But why RFCat?”. Truthfully, some people that are way better at this hacking thing than me (and that were also primarily responsible for this year’s BSides badge hardware) came up with this idea: “Wouldn’t it be cool to have a cc1111 chip on the badges?”. The cc1111 chip is RFCat compatible, so naturally this would be the go-to firmware to use for the chip. With this in mind, I got invited by @elasticninja to see if I would be interested in building an RFCat based challenge and without hesitation agreed! So there we were.

gowitness – a new tool for an old idea

On a recent assessment I had an incredibly large IP space that was in scope. Almost an entire /8 to be precise. While it is possible to scan ranges like that with things like masscan, nmap and the like, I was interested in web interfaces for this particular client, as I quickly came to realise that they had a large amount of third-party web services exposed with default login credentials left unchanged. Nessus would tell me that “there is a web interface running there”, but I wanted more in terms of what is running.

A distinguisher for SHA256 using Bitcoin (mining faster along the way)

This post assumes a passing familiarity with what a distinguishing attack on a cryptographic hash is, as well as the high-level composition of Bitcoin block headers and mining them. tldr: To distinguish between an ideal random permutation hash and SHA256, hash a large amount (~2^80) of candidate 1024-bit blocks twice, as done in Bitcoin. Ensure that the bits of the candidate blocks are sparsely set (much fewer than the 512 mean expected), according to the Bitcoin protocol, discarding candidate blocks that do not meet the Bitcoin “difficulty” standard (where the resultant hashes start with a large number of 0s). With the remaining set of valid input candidates (467369 when this analysis was done), observe a particular set of 32 bits in the input block (located where Bitcoin has the nonce, input bits 607-639). Note that the mean number of bits set in the nonce field is skewed to the left, i.e. fewer than the expected value of 16 bits set (estimated mean 15.428).