Blog

dwn – a docker pwn tool manager experiment

Years ago I learnt docker basics because I just couldn’t get that $ruby_tool to install. The bits of progress I’d make usually left my host’s ruby install in shambles. With docker, though, I had quick, reproducible build and run environments I could clean up easily without leaving a mess behind. The more I used docker, the more I came to love it, and today it’s a natural part of my daily workflow. It’s not without its flaws though, so in this post I want to show you an experiment of mine where I tried to write a docker pwn tool manager. A “docker-compose for hackers” if you will, called dwn (/don/). You can find it here: https://github.com/sensepost/dwn.

Android Application Specific Proxies, Easy Mode

In this post I want to share two things. First, a quick primer on how you would go about navigating the source code when contributing to objection, and secondly an application specific proxy feature I added to it.

Introduction

While on holiday I wanted to look into a certain mobile application that dealt with medical information. I was mostly interested in the data that was sent and received by the application, so this meant proxying the traffic into Burp. I did not have a test device with me, so I had to use my personal device. This being my personal device meant that once I had the proxy set, certain applications would cease to function normally (especially those with SSL pinning) as Burp was in the middle.

Duo Two-factor Authentication Bypass

It’s too easy, when hacking, to assume something is invulnerable and not interrogate it. This was the case for me when it came to Duo’s two-factor authentication solution. However, we were able to discover two variants of the same 2FA bypass. These rely on redirecting a victim’s push notifications to an attacker-controlled device in order to authorise access to the victim’s account. Interactions with Duo had this fixed in record time, and were easily some of the best vendor/researcher interactions we’ve ever had. If you’re looking for their technical guidance around this, you can find it here.

sconwar – sensecon 2020

Much like other events in 2020, our annual internal hackathon took a remote format this year, sporting over 120 hackers from across the globe. We had many challenges available during the conference, including a password cracking challenge, a discord bot challenge and a programming challenge. This post will talk about the programming challenge, called sconwar. You can get the source code for it here.

incubation

Admittedly I was really nervous about the idea of a hacker hackathon in general, but we can only become better hackers by understanding technologies better, more specifically by understanding them through using them. I often hear people say they want to get into programming, for which there are many options, but more often than not the drive ends with “well, what do I code?”.

DualSense Reverse Engineering

Ciao belli! On the 19th of November 2020, SONY finally released the new PlayStation 5 in the UK, a few days after its release in the US, Japan, and Canada. Of course, the PlayStation 5 came together with a new Wireless Controller, this time named DualSense. I wanted to see if I could continue my PlayStation controller adventures on this new device, following on from my previous work.

[Image: A few SONY installations available in London for the release of the PlayStation 5.]

DualSense Wireless Controller

The DualSense Wireless Controller presents new features such as:

sensecon 2020 ex post facto

When we finally decided on a date, sensecon 2020 was a little over a month away. Unlike our public client events, sensecon is an internal three day conference filled with trainings, a hackathon and a ton of fun. Traditionally we would have held the hackathon in person, but this year our only option was to do it remotely. Overall we had a blast, both in the preparation phase and during the conference. It was the largest one we have had to date, consisting of over 120 Orange Cyberdefense hackers from 8 countries around the globe! This blog post is a reflection on these three days filled with incredibly exciting hacks, talking about how we got there, how it went and what we learned along the way. All while I recover from a little sleep deprivation.

Szensecon Discord Bot

We have written a lot about SenseCon by now, but there is one more thing we can talk about! In this post I want to detail the Discord bot and associated challenges that we built. We were going to use Discord as our main communication channel and wanted a way to ensure that it was only accessible to Orange Cyberdefense hackers in an automated way. This was a good opportunity to look into writing a Discord bot. If you are looking for the source code, you can find it here.

thumbscr-ews – a python EWS tool

Something I have found myself doing more and more often is using Exchange Web Services (EWS) to bypass 2FA. I do this so that I can look through mail for accounts I have compromised. The 2FA bypass is due to a common misconfiguration which can leave EWS unprotected, and has been known about for ages, mostly from the Black Hills post in 2016. However, most of the tooling appears to be written in PowerShell, and being the lazy person I am, I prefer not to start up a Windows VM when I want to see if I can access a person’s email. Hence I started just using a small script around the amazing exchangelib, where I would retrieve the top 10 emails using the example provided in the help documentation. I was doing this often enough that I decided to make a more useful tool.

More On Foreign Hashes

This is an update on my previous post on foreign NT hashes, where I got things a little wrong by believing that the source encoding matters for an NT hash. It doesn’t really; let me show you why. I spent a bit of time exploring further, and in particular I took it down to a test case. Jameel gave me his name as a password in Arabic:

[Image: the Arabic password, included as a picture because WordPress is messing with my UTF8. “echo d8acd985d98ad9842031|xxd -ps -r” can give it to you straight.]

That’s Jameel1 in Arabic. It’s encoded in UTF8 in most places, whose bytes are:

Pass-the-hash WiFi

Thanks to a tweet Dominic responded to, I saw someone mention Passing-the-hash when I think they actually meant relay. The terminology can be confusing for sure; however, it made me realise that I had never Passed-the-hash against a Wi-Fi network. So, having learnt my lesson from previous projects, I first made sure this was possible for NT -> MSCHAP by looking at the RFC:

   8.1. GenerateNTResponse()

   GenerateNTResponse(
   IN  16-octet              AuthenticatorChallenge,
   IN  16-octet              PeerChallenge,
   IN  0-to-256-char         UserName,
   IN  0-to-256-unicode-char Password,
   OUT 24-octet              Response )
   {
      8-octet  Challenge
      16-octet PasswordHash

      ChallengeHash( PeerChallenge, AuthenticatorChallenge, UserName,
                     giving Challenge)

      NtPasswordHash( Password, giving PasswordHash )
      ChallengeResponse( Challenge, PasswordHash, giving Response )
   }

Looks like you can! As you can see in the above, the ChallengeResponse is created using the NT hash (PasswordHash) and not the password itself. I then checked wpa_supplicant to see whether this was already a supported feature, and it turns out it is! Looking at the wpa_supplicant configuration file, it says: