Auteur: MSX

Categorieën
Linux

Pyinstaller – fixing dropbox.rest.RESTSocketError – Dropbox python API SSL issue

When playing around with the python dropbox API to upload files, I ran into issues when trying to make a single executable using pyinstaller.

The error I received was similar as shown below:

pyinstaller-dropbox

I figured it had to do with the trusted-certs  file used by the dropbox API to validate its SSL connection to the dropbox servers.

To overcome this issue, I had to perform the below steps:

  1. First browse to your dropbox API folder and copy the trusted-certs.crt to another location

    In my case this was C:\Python27\Lib\site\packages\dropbox\

Copy trusted-certs.crt to d:\

   2. Stay in the dropbox api folder and open the rest.py file using your favorite editor program.

 3. Within rest.py file look for the section that starts with:

TRUSTED_CERT_FILE = pkg_resources.resource_filename(__name__, ‘trusted-certs.crt’)

change this to:

def resource_path(relative_path):

“”” Get absolute path to resource, works for dev and for PyInstaller “””

try:

# PyInstaller creates a temp folder and stores path in _MEIPASS

base_path = sys._MEIPASS

except Exception:

base_path = os.path.abspath(“.”)

return os.path.join(base_path, relative_path)

TRUSTED_CERT_FILE = (resource_path(‘certs\\trusted-certs.crt’))

This will ensure that the dropbox API will look in the %temp% directory which the standalone .exe creates at runtime.

  4. Now you have to recompile rest.pyc so the dropbox API and pyinstaller use the changes made

Open python in CMD and run the following command (change the file path to fit your setup)

>>> import py_compile

>py_compile.compile(‘C:/Python27/Lib/site-packages/dropbox/rest.py’)

5. The final step is to create a pyinstaller .spec file in which you tell pyinstaller to copy and include the                        trusted-certs.crt file in the %temp% directory where it also writes files needed by the program at run time.

Do the following:

Run pyinstaller using the “yourprogram.py” file which you like to convert into a single exe file

In my case this is:

D:\pyinstaller find-copy.py

This will create a find-copy.spec file within the running directory (d:\). Copy and rename this file to something else like           myprog.spec.

Open myprog.spec and modify the following. Make sure the trusted-cert.crt path reflects your situation!

a = Analysis([‘find-copy.py’],

pathex=[‘D:\\’],

binaries=None,

             datas=[(‘d:/trusted-certs.crt’, ‘certs’)],

hiddenimports=[],

hookspath=None,

runtime_hooks=None,

excludes=None,

win_no_prefer_redirects=None,

win_private_assemblies=None,

cipher=block_cipher)

  6. You are no ready to re-run pyinstaller but this time specifying the myprog.spec file

In my case this looks like this:

Pyinstaller –F myprog.spec find-copy.py

  7. If all went well you should now have a working .exe file which copies and finds the required trusted-certs.crt         file needed by the dropbox API

Enjoy 😉

Categorieën
Hacking Windows

An easy way of creating your own Trojan

An easy way of creating your own Trojan

In this article I will describe how you can easily create your own Trojan for demos or other fun purposes. The tools used in this article are the following:

  1. The Veil-Evasion Framework & Kali server;
  2. C or C# source code of a program of choice;
  3. Visual Studio or any other development solution;
  4. Windows 8.1 with AV client machine & RSA ECAT agent.

The steps we will follow are listed below and are worked out in more detail in separate paragraphs:

  1. Create a payload in C# code with the Veil-Evasion Framework;
  2. Copy the created payload to your machine that has for example Visual Studio installed;
  3. Include the payload and re-assemble the C# source code program;
  4. Test your newly created Trojan.

Step 1 & 2 Veil-Evasion Framework

The Veil-Evasion Framework is a very nice solution which allows pen testers to create payloads & executables within a few clicks. https://www.veil-framework.com/framework/veil-evasion/

In this example we will be using the framework to create an encrypted reverse https metasploit payload in C# code.

  1. Install Veil-Evasion on your Kali Linux distribution
  2. Start Veil-Evasion

1

  1. Select Payload cs/meterpreter /rev_https

2

  1. Set LHOST & LPORT to fit your own environment, make sure to enable the Arya crypter & issue the generate command to create the payload

3

  1. Provide your preferred file name

4

  1. Veil has now created an encrypted payload in C# code which we will use is step three of this process.
  2. Copy the created file (calculator-payload.cs) file to your machine running Visual Studio

Step 3 include payload & re-assemble program of choice

In this example we will add the created payload to the C# source code of a calculator program. The source code used will be made available for download.

  1. Open the calculator-payload.cs with notepad++ or any other file editor

5

Notice the System requirements (System.Collections.Generic, System.Text, System.IO etc.) and the class & static void parts of the program.

  1. Open the source code of your choice or use the attached calculator source code

6

Once Visual Studio opens it should look similar as shown below:

7

Now we need to make sure the program includes all required system namespaces. For this we need to add all system namespaces that are not included in the original source code. In this case this will look as shown below:

8

Notice that System.Text, System.IO & System.Reflection are added

9

Now we need to add our code in both the Static class and Static void parts of the original program:

This can be done by coping and pasting the code from the notepad session as shown in step 1.

Once you are done the result should look similar as shown below:

10

When you copy the code in after the Application.Run part, the program will run normally and start Form1() as expected. Once this form is closed, the program will execute the payload before shutting down.

  1. Assemble your new Calculator application

Before we assemble the modified source code you can change the assembly name or Icon to whatever you like. In this case I will make sure the program gets assembled with the name Calculator-Demo.exe and will use the Windows Calculator symbol as an Icon.

11

Once done, click on Build Solution or F7 in Visual Studio and make sure the outcome does not state any errors:

12

Your newly created Trojan is now ready to be tested.

Step 4. Test your newly created Trojan

To test your Trojan we will need to do the following:

  1. Copy the Calculator-Demo.exe to a victim machine
  2. Start a metasploit https reverse handler on the attackers machine
  3. Execute the calculator
  4. Check for a successful metapreter connection

Step 1. Copy the Calculator-Demo.exe

In this example I will copy the Calcultor.Demo.exe to a fully patched Windows 8.1 system which is running a TrendMicro antivirus & RSA ECAT agent.

13

When I scan the copied file with AV no issues are detected:

14

Step 2. Start a metasploit https reverse handler on the attackers machine

The attacker will be the same machine which we used to create the payload with. When creating the payload Veil-Evasion also created a handler file which we can use to easily startup the https listener

First we need to browse the the veil-output/handlers directory.

15

After this we can start the metasploit console with a –r command so that the configuration variables within the handler file are loaded.

This will startup a metasploit handler and should look similar as shown below:

16

Step 3. Execute the calculator

Now we need to go back to the victim’s machine and execute the calculator

17

As you can see the calculator starts as expected. To execute the payload the program needs to be closed. When doing this AV still does not detect anything..

Step 4. Check for a successful meterpreter  connection  

When we go back to our attacker machine we should see a successful meterpreter session

18

Let’s interact with this session and start a keylogger

19

When we check the victims machine type something and dump the keystrokes on the attackers machine, AV still does not notice anything..

20

21

When we check the RSA ECAT server however all activities are detected.

  1. Execution and migration of Calculator-Demo.exe to notepad.exe

22

Network connection & IOC to attacker’s machine:

23

Use of floating code (keylogger) in memory

24

Conclusion

Building a Trojan does not have to be difficult, AV is dead and RSA ECAT rules 😉

Categorieën
DNS Linux

How to resolve DNS queries using different DNS servers & without DNS forwarding

If you ever run in the issue were you have two different DNS servers that are both responsible to resolve different records and you are not allowed to configure DNS forwarding. You can use the following procedure on your Linux, Unix based distro:

 

  1. cd /usr/bin
  2. cp nslookup nslookup.orig
  3. rm nslookup
  4. vi nslookup
#!/bin/bashHOSTNAME=${1}

if [[ $HOSTNAME = 192.168.2* ]]; then

/usr/bin/nslookup.orig $HOSTNAME 192.168.2.110

elif [[ $HOSTNAME = *rsa.lab ]]; then

/usr/bin/nslookup.orig $HOSTNAME 192.168.2.110

else

/usr/bin/nslookup.orig $HOSTNAME 8.8.8.8

fi
  1. chmod 777 nslookup

As a result, internal IP addresses staring with 192.168.2.* and hostnames containing *.rsa.lab where resolved by the DNS server with IP 192.168.2.110 whilst everything else got resolved by the DNS server with IP 8.8.8.8.

Categorieën
Wireshark

How to extract files from network traffic using Wireshark

  1. Install Wireshark and start to capture network traffic
  2. Download a .exe file which in this example is putty.exe
  3. When the file is downloaded to your machine stop the capture process
  4. Search and identify the session related to the download activity (hint look for GET activities)

wireshark-1

 

 

 

 

 

  1. Right click the session and select Follow Stream
  2. Instead of selecting the entire conversation, select only the traffic originating from the webserver in this case 46.43.34.31:80 -> 192.168.178.34:64491

wireshark-2

7. Click Save as and save is as for example dump

8. Now open the dump file using your favorite HEX editor & remove the HTTP header which in below screenshot is the red part:

 wireshark-3

  1. After you have remove the HTTP Header info you file should start with MV

 wireshark-4

  1. Save the file as dump.exe

wireshark-5

  1. See the result, you have now obtained the .exe from network traffic

 wireshark-6

Categorieën
Wireshark

How to change the timestamp of pcap files

Sometimes you need to change the timestamp of a previous recorded PCAP file. To do so follow the steps below:

1. Download and install wireshark

2. check the current timestamp of you pcap file – in my case this was the following:

pcap

3. Browse to the http://www.timeanddate.com/ site to calculate the time difference in seconds between the recorded & current time.

In this case this was the following:

time

4. Execute  the editcap.exe program of Wireshark to create a new PCAP file containing a current timestamp:

c:\Program Files (x86)\Wireshark>editcap.exe -t 83585803 -F pcap Lab5.pcap x:\TEST3.pcap

5. Open the new PCAP file in wireshark to confirm the change in date & time

Time-New

 

 

Categorieën
Hacking Windows

Misuse Utilman.exe on Windows systems and obtain NT Authority rights

Most windows systems (Vista, Windows 7, Window 8 etc.) allow you to access the Utilman.exe “Ease of Access” application on the login page. As the end-user has not yet logged in, Windows will start this application using NT Authority rights.

So if you are able to boot a Windows machine with for example a Kali image and no drive encryption is applied. You can easily replace the Utilman.exe with cmd.exe or your own payload and have it run with  NT Authority rights by clicking on the Ease of Access icon on the logon page.

Want to know how? Just follow the steps below:

1. Boot you windows machine with for example Kali or any other Live CD.

2. Browse to the Windows System32 folder of you Windows machine and locate the Utilman.exe

Utilman-1

3. Rename the orginal Utilman.exe to for example Utilman-old.exe

Utilman-2

4. Browse to the Windows System32 folder of you Windows machine and locate CMD.exe

Utilman-3

5. Make a copy of CMD.exe and rename it to Utilman.exe

Utilman-4

6. Boot you Windows machine as normal.

7. Click on the Ease of Access button and check put the Command Prompt.

Utilman-5

Categorieën
Hacking Printers

Capture and re-print print-jobs on your network

Recently I was asked to audit a network printer environment to find out if it was possible to capture and re-print print-jobs of other network users.

This was actually more easy then I thought.

Check out the steps below:

In this example the following IP’s are used:

Victims Windows Desktop: 10.34.50.100
Central Printer server       :  10.34.6.91
Network Printer                 :  10.34.48.3
Attacker Kali Laptop         :  10.34.50.102

Scenario: a victim Windows Desktop user summits a print-job to a central printer server. The victim walks to the nearest network printer and uses a personal code or RFID card to identify him or herself on the printer. The printer gets the pending print-jobs of the central printer sever and starts printing them.

In order to capture the summited print-job you can do one of the following:

  1. Perform a ARP-Spoof attack between the victims desktop and the central print server so that traffic directed to the central print server gets intercepted by your machine.
  2. Perform a ARP-Spoof attack between the central print servers and the network printer so that traffic directed to the printer gets intercepted by your machine.
  3. Place a small managed switch between the network printers UTP cable connection and the UTP wall socket and create a SPAN port.

Step 1: Capture print-jobs

During my test I choose option three. Whatever you choose the aim is to capture the raw print-job packets that is send to either the print server or the network printer.

Once you have captured the packets, open it with Wireshark:

printer-1

Step 2: Create a Wireshark filter

In order to filter out the traffic you are looking for, you must create a Wireshark filter. In my case this was the following:

ip.addr == 10.34.0.91 && ip.addr == 10.34.48.3 && tcp.port == 9100

10.34.0.91 = the central printer server
10.34.48.3 = the local network printer
9100 = printer port used

When you appy the filter you should get something like this:

printer-2

Step 3: Follow the TCP stream to obtain the raw packets

Now that you have filtered the interesting traffic it is time to select any TCP session entry, right click on it and select the “Follow TCP Stream” option. Once this is done you will see that all TCP packets related to one print-job are combined together.

This will look like this: (notice the print and user information)

printer-3

Step 4: Export the captured data

Once you have combined all TCP packets it is time to export the information to a new .pcap file. You do this by selecting all traffic between the two selected sources from the dropdown menu, select Raw and click on Save As

printer-4

Step 5: Print the captured print-job to your own printer

Now that you have a raw packet file containing a print-job you are ready to replay or resend this information to you own network printer. In my case I used netcat  on Kali for this.

printer-5

Step 6. Walk to you printer and collect you treasure

printer-6.png

If you don’t like to send the captured data to a network printer you are also able to convert it to PDF format using a PCL converter program.

Want to know how? read the easy steps below:

1.  Download and install “VeryPDF PCL Converter” which is available in a free trial version;

2.  Open the PCL Converter tool, import the captured RAW data and select the output destination;

3. Click start and a PDF file will be opened.

Categorieën
Backdoors Hacking

How to create a powershell meterpreter payload which is not detected by AV

This guide shows how easy it is to create a backdoor which is not detected by AV

To create the backdoor we use SET which is a pentest automation tool available within the BackTrack distribution.

The steps to follow are the following:

– Startup SET

start set

– Select option 1

set option 1

– Select option 10

set option 10

– Select Payload option 1

set payload 1

– Provide the IP address and port number you like to connect back to

set provide loopback ip and port

– Start the listener to start accepting connections

set start listener

– Browse to the payload and save the txt file a .bat file

set browse to x86 payload

 

set save as test.bet

– Use BAT-to-EXE converter to create a .exe file

set compile bat to exe

– Copy the file over to you victim and execute is

– Check meterpreter is able to establish a new session

set metasploit session created

– Proof that AV on the victim machine is running and up-to-date

set AV enabled

Enjoy

Categorieën
DDoS Hacking

How to perform a DDOS Attack on a DHCP Server

This DDOS attack will send DHCP discover messages until all available DHCP IP addresses within its scope are saturated. Once this attack is completed you could launch a rouge DHCP server and start poisoning DHCP clients with your router or DNS server information.

A tool which allows you to perform this attack is called  Yersinia. This program is included in the well-known Linux penetration tool distribution BackTrack which is available for download on the following site:

http://www.backtrack-linux.org/

Steps to perform:

  • Download BackTrack & Start your distribution
  • Check that the DHCP Server has not leased all available addresses yet

DDOS DHCP 2

  • Login BackTrack and open a terminal window
  • Type yersinia –G to start the graphic interface of  Yersinia

DDOS DHCP 1

  • Click on the DHCP tab
  • Click on the Attack tab and select the Sending DHCP Discover Packets option

DDOS DHCP 4

  • Click OK and watch the amount of requests send

DDOS DHCP 5

  • Click on the List Attacks tab
  • Click on Cancel all Attacks

DDOS DHCP 6

  • Go back to you DHCP server and check if the amount of leased IP addresses has increased

DDOS DHCP 7

Categorieën
Microsoft CA PKI

How to export “non-exportable” certificates from the Microsoft Certificate Store

Recently I found a tool that allows you to search and export certificates from the Microsoft certificate store that are marked as non-exportable. Although this program can be considered a hack-tool and might not work after Microsoft has released a patch for it, it is still a very powerful tool.

The program that allows you to do this is called mimikatz and is available for download using the link below:

http://blog.gentilkiwi.com/downloads/mimikatz_trunk.7z

Apart from exporting certificates, this tool can do a lot more interesting stuff such as dumping windows logon passwords in clear texts, inject programs or services and edit GPO settings. Some of these functions will be discussed in other articles but for now, let export some certificates. To do so follow the steps below:

  • Check you have a certificate in your personal user or computer store that is marked as not exportable:

check nonexportable

  • Download and unpack the mimikatz tool using the link mentioned earlier
  • Open a command prompt and browse to the directory where you have unpacked mimikatz and start the 32bit or 64 bit version
  • Run the following command to list the certificates in your certificate stores:

Crypto::exportCertificates

crypto-export-KO

  • Check that the certificate you have identified in step 1 is listed and that the .pfx output shows KO. This is to verify that the certificate is indeed not exportable (yet).
  • To change the .pfx status you must apply the priviledge::debug command and run the CAPI & CNG patches . You do this by executing the following commands:

Privilege::debug

Crypto::patchcng

Crypto::patchcapi

Raise prviledges patch capi

Cappatch

  • Now run the Crypto::exportCertificates command again and check that the .pfx status shown earlier has changed to OK

crypto-export-OK

  • Finally you only need to browse to the directory where you are running the mimikatz tool from and check it has exported a .pfx file with the name of the certificate you have identified during step 1.

listed

  • Now you are able to copy the .pfx file to another machine and install it. Make note that the .pfx files are protected with mimikatz as password

Import pfx