GhostPack was recently released by Will Shroeder. This is a great package of C# offensive tools. C# is a relatively untapped part of the offensive toolkit with some unique opportunities and challenges. It is great because it gives you a great API that you can live off of, it is sometimes a challenge as different versions aren’t always consistently installed across different organizations. In this post we are going to talk about applying a concept that I developed to one of these tools to reduce detection surface as much as possible. The tool we are going to look at is SafetyKatz which wraps normal mimikatz in C# which in turn wraps some unmanaged code using a PELoader technique created by Casey Smith. Essentially what this post boils down to is shrinking the on-disk footprint of SafetyKatz from about ~700KB to about 5KB and loading the rest over http or https using a technique I call .Net over .net.
TLDR:If you aren’t interested in the details and you have always wanted to run python on top of .Net in 5 lines of powershell or less, skip to the bottom for code snippets. If you want to figure out how that is possible read on…
I have been digging into .Net recently, trying to stretch the bounds of the .Net Framework and have a very cool discovery to share. Anyone who is interested in the offensive side of security is always looking to limit the amount of attack surface that is available to various security controls, when trying to get shells on boxes. This article will hopefully teach you a bit about the .Net framework, as well as about how to pull and load .Net assemblies over the Internet into a C# application or even more interestingly… PowerShell. The resulting C# applications are around 6KB. The resulting PowerShell applications are just a handful of lines of code. Imagine having all the power, benefits and extensibility of managed .Net code without the footprint. As an example, we are going to run (Iron)Python on top of .Net, over the internet. Here is how.
I love to mess around with Linux in my home lab and I like to check out the state of Samba from time to time. I originally wrote this article for Ubuntu 14.04 and it has been one of the most popular posts on this blog, so I have updated it and fixed a few things that have changed over the years. There is a screencast that accompanied the original post on YouTube outlining the process for 14.04. Largely the process is the same except for a few more dependencies(see the apt-get sections) and I cleaned up the testing with smbclient. I chose Ubuntu because they have pretty recent packages of Samba, more info about binary packages for different Distributions on the Samba Wiki. If you are following this as a guide, I’m assuming that you have already installed Ubuntu 16.04. If you do watch the screencast for 14.04, it is best viewed in HD!
Intro to Mimikatz
One of the most interesting tools in a penetration tester’s arsenal is mimikatz. Mimikatz is a tool that scrapes the memory of the process responsible for Windows authentication(LSASS) and reveals cleartext passwords and NTLM hashes that an attacker can use to pivot around a network. From that point they escalate privilege either by authenticating with the clear text credentials or passing the hash. Sounds deadly right? Most people have the reaction “Why hasn’t Microsoft come up with a solution to this?”.
If you Google the phrase “defending against mimikatz” the information you find is a bit lackluster. The best article I have found was this one(removed because is now spam). It has a lot of good suggestions like using the “Protected Users” group(SID: S-1-5-21-<domain>-525) available in recent versions of Active Directory and also limiting administrator usage, and taking advantage of not storing passwords in memory with a registry setting. You can limit the number of services running as system or remove debug privilege to help prevent an attacker from being able to run mimikatz. What this and other articles make you believe is that you need to have Windows 8 or 8.1 or 10 rolled out everywhere. What about the large number of Windows 7/2008 R2 machines out there? Well it turns out you can defend against mimikatz on these versions of Windows, here is how. Read Full Article
Intro to HSMs
Hardware Security Modules(HSMs) are basically dedicated cryptography devices, and are often one of the first links in the chain of trust in so much of what we do with technology today. They allow you to offload sometimes computationally expensive, cryptographic functions like signing or encryption and are often required in industries whose regulations require tight control of private key material(e.g. banking, certificate authorities). They also allow you to have reliable auditing capabilities and are designed to be extremely difficult to tamper with. This article does not try to sway you one way or the other in terms of using an HSM, whether or not you need an HSM is usually determined by regulation or security requirements and not performance reasons. If you want are not interested how I arrived at the numbers, click here to see the results. Read Full Article
So if you know me you probably know that you rarely see me without headphones on. I am not really a collector of anything, except when it comes to heaphones. I own way more headphones than anyone should. My latest pair were a Christmas gift from my amazing wife, a pair of Bose Soundlink On Ear Bluetooth headphones(they are absolutely amazing).
The Problem With Standards
I love standards, they make everyones lives easier, but the problem with bluetooth is that it often shows its age. Anyone who has even a little bit of experience knows that bluetooth might be described as “finicky”. The way bluetooth deals with different devices is with different profiles. Read Full Article
I love SSH, coupled with byobu(an updated GNU screen) it is amazingly powerful. But sometimes it is really useful to be able to view a GUI application on the remote server end. Some people think that they need to use VNC to do this. VNC is terrible, and there is a better way.
Things you will need:
- An X capable SSH client
- A server that has a graphical environment installed on it
- Ubuntu Desktop is an easy example
- Gnome/KDE/XFCE/X11 etc.
- SSH server installed on the server
- A GUI application that you want to run over SSH
In my example I’m going to be connecting from a Windows computer, using MobaXTerm, to a Ubuntu Desktop machine, and running WireShark(yes I know about tshark).
Make sure sshd is installed on the Ubuntu machine.
$ sudo apt-get install ssh
Back on the Windows machine, we SSH to the Ubuntu machine. Notice that we are specifying -X which allows us to run X applications over SSH
$ ssh -X email@example.com
Then we run our application
That is Wireshark running on the remote Linux machine. Notice the GTK/Ubuntu looking buttons, and the Windows colored Window frame.
Thanks for stopping by!
Most IT people are somewhat familiar with Wireshark. It is a traffic analyzer, that helps you learn how networking works, diagnose problems and much more.
One of the problems with the way Wireshark works is that it can’t easily analyze encrypted traffic, like TLS. It used to be if you had the private key(s) you could feed them into Wireshark and it would decrypt the traffic on the fly, but it only worked when using RSA for the key exchange mechanism. As people have started to embrace forward secrecy this broke, as having the private key is no longer enough derive the actual session key used to decrypt the data. The other problem with this is that a private key should not or can not leave the client, server, or HSM it is in. This lead me to coming up with very contrived ways of man-in-the-middling myself to decrypt the traffic(e.g. sslstrip or mitmproxy).
Session Key Logging to the Rescue!
Well my friends I’m here to tell you that there is an easier way! It turns out that Firefox and Chrome both support logging the symmetric session key used to encrypt TLS traffic to a file. You can then point Wireshark at said file and presto! decrypted TLS traffic. Read on to learn how to set this up. Read Full Article
When you put your credit card into a website what happens to it? The goal of this article is to explore some of the possible answers to that question.
With all the changes that are happening in the payment card industry these days, I’ve been thinking about security around it. EMV/Chip and PIN is coming and there are weird things happening around NFC/ApplePay/Google Wallet/Tap to Pay. There have also been a lot of breaches in the last year, that are really helping expose the weaknesses in how this data is stored and transmitted. This post is really more a thought experiment about how you store hashed information “securely”.
Have you ever wondered what would happen if you tried to connect to a website that was serving a certificate chain way longer than normal? I know, me too. Often times security research is about thinking outside the box, and this is just one of those times. Plus we might learn a few things along the way.
I’m new here. What is a certificate chain?
When you connect to a secure website, your browser uses a TLS certificate to verify the authenticity of the connection and to help set up the encryption of the connection. The way that you know that the certificate is valid is either because you have seen it before and saved it as a remembered certificate(this is common in a self-signed certificate situation or with SSH), in most cases someone else that you trust “signs” the website’s certificate. Allow me to use Star Trek The Next Generation characters(source) to illustrate how this works. If you meet Ensign Tony at Ten Forward, the next time that you meet him you will know who he is based on what he looks or sounds like. This is how self-signed certificates work.
Read Full Article