Tools
gowitness – a new tool for an old idea
On a recent assessment I had an incredibly large IP space that was in scope. Almost an entire /8 to be precise. While it is possible to scan ranges like that with things like masscan, nmap and the likes, I was interested in web interfaces for this particular client as I quickly came to realise that they had a large amount of third party web services exposed with default login…
Outlook Home Page – Another Ruler Vector
Ruler has become a go to tool for us on external engagements, easily turning compromised mailbox credentials into shells. This has resulted in security being pushed forward and Microsoft responding with patches for the two vectors used in Ruler, namely rules and forms. These were patched with KB3191938 and KB4011091 respectively. This puts us back into the cat and mouse game of attack versus defence, with attack needing to find a new vector.…
Recreating certificates using Apostille
Sometimes on an engagement, you’d like to construct a believable certificate chain, that you have the matching private keys for. An example might be that a mobile app is doing cert pinning, based on attributes of the signing certificate, such as the Canonical Name (CN), serial number, or Issuer, or that you are intercepting an embedded app that only supports a particular algorithm. Whatever the reason, it’s a fairly complicated…
NotRuler – Turning Offence into Defence
We’ve spent a lot of time creating Ruler and turning it into, what we think, is a useful attack tool. The goal behind the project was to highlight the command execution potential around weak credentials when combined with Exchange and Microsoft Outlook. That goal has largely been met, with the ability to now demonstrate that compromising user credentials can be much more than “just” reading email. Microsoft has also been…
objection – mobile runtime exploration
In this post, I want to introduce you to a toolkit that I have been working on, called objection. The name being a play on the words “object” and “injection”. objection is a runtime exploration toolkit powered by Frida, aimed at mobile platforms. iOS only for now, objection aims to allow you to perform various security related tasks on unencrypted iOS applications, at runtime, on non-jailbroken iOS devices. Features include…
Outlook Forms and Shells
Using MS Exchange and Outlook to get a foothold in an organisation, or to maintain persistence, has been a go to attack method for RedTeams lately. This attack has typically relied on using Outlook Rules to trigger the shell execution. Although Ruler makes accomplishing this really easy, it has, up until now, required a WebDAV server to host our shell/application. In most cases this is not an issue, but once…
Liniaal – Empire through Exchange
Getting access to an internal network is always great, keeping this access can be a whole other challenge. At times we want to fly below the radar and ensure our access doesn’t get detected or blocked by traditional network based solutions. To this end, communicating directly through an Exchange server can be very beneficial and solve both challenges. Ruler provides us with a means of getting a shell on an internal network.…
Pass the Hash with Ruler
We are taking Ruler and the abuse of Exchange on a road trip to Germany in March. Troopers have accepted our talk, “Ruler – Pivoting through Exchange” and we are looking forward to sharing the exciting extras that we’ve been building into Ruler, along with some secrets for using Exchange in your recon, exploitation and post-exploitation phases. https://www.troopers.de/events/troopers17/779_ruler_-_pivoting_through_exchange/ A while back I was asked (I think by @singe, but there…
XRDP: Exploiting Unauthenticated X Windows Sessions
In this blog post we are going to describe some tools we created to find and exploit unauthenticated X Windows sessions. We recently presented these at BSides Cape Town. X also known as the X Window System is currently in its 11th version, hence the name X11. X is a basic windowing system which provides a framework for drawing and moving windows on a display device as well as interaction with a mouse and…
Rattler:Identifying and Exploiting DLL Preloading Vulnerabilities
In this blog post I am going to describe a new tool (Rattler) that I have been working on and discuss some of the interesting anomalies found while building it. Rattler can be found on our Github repo and was recently discussed at BSides Cape Town. Rattler helps identify which application DLL’s are vulnerable to DLL preloading attacks. In a nutshell, DLL preloading attacks allow you to trick applications into…