Monday, April 28, 2014

CONFidence DS Teaser CTF 2014 - Writeup

This is a short writeup for the "CONFidence DS Teaser CTF 2014". I didn't have too much time, so I could solve only 2 of the 5 tasks. Here are the solutions:

Stegano50

This was a PDF file with something hidden in it. I used pdfwalker from the Origami toolkit (on REMnux) to open it. After browsing the objects, I found a hint that said to look for morse code. Decoding the Base64-encoded string in the Keywords field did not give the flag :)


So I moved forward, extracted and decoded a few streams, and found the one that contained the actual text seen when opening the file.



It contained additional stuff:

/F17 24.7871 Tf -397.717 -321.542 Td [(NoFlagHere!)-406(N)-1(oFlagHere!)-406(NoFlagHere!)]TJ

(...)

/F16 9.9626 Tf 579.515 466.917 Td [(Close)-333(-)-334(but)-333(still)-333(not)-334(here)-333(!)]TJ

(...)

/F16 9.9626 Tf 546.704 989.603 Td [(BABA)-333(BBB)-334(B)1(A)-334(BBA)-333(ABA)-333(AB)-334(B)-333(AAB)-333(ABAA)-333(AB)-334(B)-333(AA)-333(BBB)-333(BA)-334(AAA)-333(BBAABB)-333(AABA)-333(ABAA)-334(AB)-333(BBA)-333(BBBAAA)-333(ABBBB)-333(BA)-334(AAAB)-333(ABBBB)-333(AAAAA)-333(ABBBB)-333(BAAA)-334(ABAA)-333(AAABB)-333(BB)-333(AAABB)-334(AA)1(AAA)-334(AAAAA)-333(AAAAB)-333(BBA)-333(AAABB)]TJ

This AB stuff looked like morse code. The negative numbers between the strings (-333, -334) marked the ends of the letters. Let's beautify it, then map A to a dot and B to a dash:

BABA BBB BA BBA ABA AB B AAB ABAA AB B AA BBB BA AAA BBAABB AABA ABAA AB BBA BBBAAA ABBBB BA AAAB ABBBB AAAAA ABBBB BAAA ABAA AAABB BB AAABB AAAAA AAAAA AAAAB BBA AAABB

-.-. --- -. --. .-. .- - ..- .-.. .- - .. --- -. ... --..-- ..-. .-.. .- --. ---... .---- -. ...- .---- ..... .---- -... .-.. ...-- -- ...-- ..... ..... ....- --. ...--

I used the following website to decode: http://www.lexilogos.com/keyboard/morse.htm

CONGRATULATIONS,FLAG:1NV151BL3M3554G3
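The same decoding done in code, as an added example that is not part of the original writeup: it splits the TJ array into letters using the kerning numbers, maps A/B to dot/dash and looks each letter up in a Morse table. The function names and the -200 gap threshold are assumptions; the TJ array is the one quoted above.

```python
import re

# International Morse table, packed as "<char><code>" items.
CODES = ('A.- B-... C-.-. D-.. E. F..-. G--. H.... I.. J.--- K-.- L.-.. M-- '
         'N-. O--- P.--. Q--.- R.-. S... T- U..- V...- W.-- X-..- Y-.-- Z--.. '
         '0----- 1.---- 2..--- 3...-- 4....- 5..... 6-.... 7--... 8---.. 9----. '
         ',--..-- :---...')
MORSE = {item[1:]: item[0] for item in CODES.split()}

# TJ array copied from the content stream quoted above.
TJ_LINE = (
    '[(BABA)-333(BBB)-334(B)1(A)-334(BBA)-333(ABA)-333(AB)-334(B)-333(AAB)-333(ABAA)'
    '-333(AB)-334(B)-333(AA)-333(BBB)-333(BA)-334(AAA)-333(BBAABB)-333(AABA)-333(ABAA)'
    '-334(AB)-333(BBA)-333(BBBAAA)-333(ABBBB)-333(BA)-334(AAAB)-333(ABBBB)-333(AAAAA)'
    '-333(ABBBB)-333(BAAA)-334(ABAA)-333(AAABB)-333(BB)-333(AAABB)-334(AA)1(AAA)'
    '-334(AAAAA)-333(AAAAB)-333(BBA)-333(AAABB)]TJ'
)

def tj_words(tj_array, gap=-200):
    """Split a TJ array into glyph groups.

    Strings in parentheses are glyph runs; numbers are kerning adjustments in
    thousandths of a text-space unit. A strongly negative number (<= gap, an
    assumed threshold) is a visible space; small values such as 1 are
    intra-word kerning, so the runs around them are joined.
    Escaped parentheses inside strings are not handled.
    """
    words, current = [], ''
    for text, kern in re.findall(r'\(([^)]*)\)|(-?\d+(?:\.\d+)?)', tj_array):
        if text:
            current += text
        elif kern and float(kern) <= gap and current:
            words.append(current)
            current = ''
    if current:
        words.append(current)
    return words

def decode_ab(words):
    """Map A -> dot, B -> dash, then decode each group as one Morse letter."""
    table = str.maketrans('AB', '.-')
    return ''.join(MORSE.get(w.translate(table), '?') for w in words)

if __name__ == '__main__':
    print(decode_ab(tj_words(TJ_LINE)))
```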

Crypto100

This was an interesting custom Lotto script. After analysing it, I found 3 main issues which led to the solution:

1. It used AES in ECB mode, which means that the same plaintext always produces the same ciphertext.
2. The following function generated the same salt with very high (~20%) probability (I didn't get into the details why).

e.g.: it made 999# --> 999#000000000000

import random

def randomExtend(block):
    limit = 10**(16-len(block))
    # salt
    rnd = random.randrange(0, limit)
    # mix it even more
    rnd = (rnd ** random.randrange(10, 100)) % limit
    # append it to the block
    return block + ('%0'+str(16-len(block))+'x')%rnd

3. We could see an unlimited number of plaintext-ciphertext pairs.

With that, if we have enough samples, we will find for each number the block whose salt is all 0s. That block will repeat again later, and because of ECB its ciphertext will be the same, so if we build up a database we will know the actual number. I made a script which did this task. At the end I got the flag, because I won enough times.
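A measurement of the two weaknesses described above, as an added example that is not the script from the original writeup: it counts how often randomExtend yields an all-zero salt and how often a ciphertext has already been seen for the same number. Assumptions: an HMAC-based function stands in for one AES-ECB block (only determinism matters here), the drawn numbers range over 0-999, and the key and sample counts are constructed.

```python
import hashlib
import hmac
import random

def random_extend(block, rng):
    """Same arithmetic as the page's randomExtend; RNG passed in for repeatable runs."""
    width = 16 - len(block)
    limit = 10 ** width
    rnd = rng.randrange(0, limit)
    # pow(a, k, m) equals (a ** k) % m. Any rnd divisible by 10, raised to a
    # power >= width, is a multiple of 10**width, so the salt collapses to 0.
    rnd = pow(rnd, rng.randrange(10, 100), limit)
    return block + ('%0' + str(width) + 'x') % rnd

def uniform_extend(block, rng):
    """Comparison case: salt drawn uniformly over the full hex width."""
    width = 16 - len(block)
    return block + ('%0' + str(width) + 'x') % rng.randrange(0, 16 ** width)

def ecb_block(key, block16):
    """Stand-in for AES-ECB on one block (assumption): deterministic and keyed."""
    return hmac.new(key, block16.encode(), hashlib.sha256).digest()[:16]

def measure(extend, rounds=20000, seed=1):
    """Return (zero_salt_rate, codebook_hit_rate) over constructed draws."""
    rng = random.Random(seed)
    key = b'constructed-demo-key'
    codebook = {}            # ciphertext -> number revealed after that round
    zero = hits = 0
    for _ in range(rounds):
        number = rng.randrange(0, 1000)      # assumed range of drawn numbers
        block = extend('%d#' % number, rng)
        zero += set(block.split('#', 1)[1]) == {'0'}
        ct = ecb_block(key, block)
        hits += codebook.get(ct) == number   # seen before: plaintext is known
        codebook[ct] = number
    return zero / rounds, hits / rounds

if __name__ == '__main__':
    print('page salt   :', measure(random_extend))
    print('uniform salt:', measure(uniform_extend))
```

uniform_extend is only a baseline for the comparison; a deterministic mode such as ECB still leaks equal plaintext blocks whenever the salt repeats.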


Friday, April 25, 2014

Book: RTFM - Red Team Field Manual

I came across this book a few weeks ago, and heard so many good things about it that I ordered it. It turns out to be really great: it's a ~90 page collection of pure commands, syntax, tables (e.g.: subnets, ASCII table, user agents, etc.), tips and tricks, some basic scripts, and literally anything related to pentesting. It comes in really handy, especially if you run into a case when you don't have Internet access.

Probably the best 9$ I ever spent, I really recommend it to everyone. :-)



You can order it from Amazon: http://www.amazon.com/Rtfm-Red-Team-Field-Manual/dp/1494295504

Thursday, April 24, 2014

Radare Summer Of Code 2014

I already wrote about the radare reverse engineering framework (and I have not finished yet), and here is a quick note. The developers of radare would like to get external people to contribute to the project, so they announced the "Radare Summer of Code 2014":

http://rada.re/rsoc/

They also started crowdfunding for the RSoC:

http://rada.re/y/?p=crowdfunding

So if you want to contribute to a great security project this is your opportunity :)

Tuesday, April 22, 2014

BitLocker test image

I posted the test image I created under the "Other" section if someone wants to practice decrypting BitLocker encrypted drives.

http://theevilbit.blogspot.hu/p/other.html

Using dislocker to mount BitLocker encrypted devices on Linux

dislocker is a free utility, which can be used to mount BitLocker encrypted volumes on Linux. Here is a quick guide how to use it. I installed it on Kali Linux, but it can be installed anywhere.

To download the application visit:
http://www.hsc.fr/ressources/outils/dislocker/download/
http://www.hsc.fr/ressources/outils/dislocker/download/dislocker.tar.gz

Once downloaded extract the file:

root@kali:~# tar -xvf dislocker.tar.gz 

We have two options for compiling: with or without FUSE. Basically, if we use FUSE we will be able to mount the volume and browse it; if not, the only way to check the contents is to decrypt the full drive, which is not that efficient. So let's go for FUSE here. Edit the Makefile, and set __RUN_FUSE to 1 and __RUN_FILE to 0:

dislocker/src/Makefile

# Choose between one of them (done automatically by using `make fuse' or `make file')
__RUN_FUSE = 1


Then compile the app:

root@kali:~/dislocker/src# make
gcc -Wall -Werror -Wextra -Wconversion -DPROGNAME=\"dislocker\" -DVERSION=\"0.3\" -D_FILE_OFFSET_BITS=64 -I/usr/include -I. -L/usr/lib64 -D__ARCH_X86_64 -D__RUN_FUSE -DFUSE_USE_VERSION=26 -c -o outputs/fuse/fuse.o outputs/fuse/fuse.c
In file included from ./dislocker.h:28:0,
                 from outputs/fuse/fuse.c:33:
./outputs/fuse/fuse.h:32:19: fatal error: fuse.h: No such file or directory
compilation terminated.
make: *** [outputs/fuse/fuse.o] Error 1

If you get the error above you will need the FUSE header files, to install those run:

apt-get install libfuse-dev

and then compile dislocker, it should be good now.

root@kali:~/dislocker/src# make
root@kali:~/dislocker/src# make install

Once it's installed, let's check the help:


For decryption you can use the recovery key (decryption key), the user supplied password or the bekfile.

I created a VHD test image for this, here are the details:

root@kali:~# fdisk -l

Disk /dev/sdb: 104 MB, 104857600 bytes
255 heads, 63 sectors/track, 12 cylinders, total 204800 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x6fa418dc

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1             128      198783       99328    7  HPFS/NTFS/exFAT

I will need to decrypt /dev/sdb1. First I will try it using the decryption keys. The steps are to read the volume, and then mount it with fuse. When we first read in the volume (decrypt) we will get a single file, called "dislocker-file", which can be mounted later. There is a single file on my test drive.

root@kali:~# dislocker -v -V /dev/sdb1 -p275374-090651-082764-392205-130460-581966-062942-402083 -- /mnt/tmp
root@kali:~# ls /mnt/tmp/
dislocker-file
root@kali:~# mount -o loop,ro /mnt/tmp/dislocker-file /mnt/dis
root@kali:~# ls /mnt/dis/
my super secret file.txt.txt  $RECYCLE.BIN  System Volume Information
root@kali:~# cat /mnt/dis/my\ super\ secret\ file.txt.txt 
You got it!


The process is very similar if we use the actual password, which is "password" in this case.

root@kali:~# dislocker -v -V /dev/sdb1 -upassword -- /mnt/tmp2
root@kali:~# mount -o loop,ro /mnt/tmp/dislocker-file /mnt/dis2
root@kali:~# ls /mnt/dis2/
my super secret file.txt.txt  $RECYCLE.BIN  System Volume Information
root@kali:~# cat /mnt/dis2/my\ super\ secret\ file.txt.txt 
You got it!


Kali - OpenVAS - Basic usage

OpenVAS is a very powerful vulnerability scanner and management tool. It's updated daily with feeds of so-called Network Vulnerability Tests (NVTs), which define the various vulnerabilities and are used during scanning. Right now there are about 36k NVTs.

This is just a very quick intro on how to use OpenVAS on Kali Linux. For the test I used the Kioptrix 2014 VM.

Menu: Vulnerability Analysis -> OpenVAS


To start with, we need to run the "openvas initial setup". This takes a couple of minutes to run, and at one point it asks for the "admin" password; I set it to "toor", just so I don't forget it :) I had to rerun it a couple of times to get it to succeed. We can verify the setup with "openvas check setup". I only got the following error, even after setup:

ERROR: No OpenVAS SCAP database found. (Tried: /var/lib/openvas/scap-data/scap.db)
FIX: Run a SCAP synchronization script like openvas-scapdata-sync or greenbone-scapdata-sync.

But the advice in the FIX line solved it. After setup OpenVAS is already started, so if we try to start it again with "openvas start" we will get an error.

The "openvas feed update" will update the NVTs.

To start using the application, run "openvas-gsd", which is the GUI front end for the app (gsd: Greenbone Security Desktop). We will be asked for the login as seen below. Here you give the password specified during installation, the user is admin.


Once it's loaded we can go to the Target tab at the bottom to define the machine we want to test. We also need to select the ports to test against, if we want our custom list we can define it at the "Port List" tab.


We will see the newly added target:


After that we can go to the Tasks tab and create a new task, which will be the actual scan. We can define the target and a few other options; if any of the offered ones are not good for us, we can create our own at the specific tab at the bottom (Escalators, Schedules, Slaves, Scan Configs).


Once the task is created we need to press the run button to actually start it. We can track the progress with pressing the refresh button. Even a full and deep scan should finish in 5-10 minutes, it's pretty fast.


During the scan the report is already available, and it will be updated periodically, once it's finished we can export it to several formats, and it does a really great job with formatting. I tried PDF and it was awesome.


You can download the software from here: http://www.openvas.org/

Tuesday, April 8, 2014

CVE-2014-0160 - Heartbleed

This year is very interesting in terms of serious SSL bugs. It started with Apple's CVE-2014-1266:

Now we have OpenSSL's CVE-2014-0160. Because of a wrong implementation of the heartbeat extension (around for 2 years), someone can extract a memory snapshot of up to 64k from the server process. As the memory area is random, what you get out is always different, but it can leak possibly sensitive information, like the private key, usernames, passwords, etc.

Vulnerable / non-vulnerable versions:
  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable
Here is a writeup about the issue, with technical details: http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html

Test your server: http://filippo.io/Heartbleed
Test your server 2 (you can find here vulnerable servers as well): https://www.ssllabs.com/ssltest/

Snort rules and some more links: http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/

Python script for testing made by Jared Stafford (not available from the original site anymore, so use Google cache):
http://webcache.googleusercontent.com/search?q=cache:JNXilaDKzjIJ:s3.jspenguin.org/ssltest.py+&cd=1&hl=hu&ct=clnk&gl=hu

An example for the output of the script:


3 serious SSL bugs within 3 months. I'm really curious how the year will continue.

Update 1: The python script works with TLS 1.1, and it can give false negatives with sites on TLS 1.0. You need to update bytes "03 02" to "03 01" in the heartbeat and the hello in order to work with TLS 1.0.

Update 2: Mass scan results

Update 3: The NMAP NSE script is also hardcoded to TLS 1.1 (it's based on the original Python script)

Update 4: My updated script went to exploit DB: http://www.exploit-db.com/exploits/32764/
Metasploit module:
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb

Wednesday, April 2, 2014

RDP Man-in-The-Middle attack

I wanted to try the following attack in my lab, described here: http://www.oxid.it/ca_um/topics/apr-rdp.htm

This seems to be a pretty old one, but it works very well on Windows XP SP3, which is quite common today. I don't want to go into the details of how this works, as it's described very well in the article above, but the main point is that the private key used to sign the server's public key is known, so you can easily create your own signed key. Here are the steps to try this:

You will need 3 Windows machines to reproduce it. One is the attacker, where you run Cain, and the other two are the client and server. As a preparation enable RDP access on one of the Windows machines, and setup a user with password.

Create new user via CLI:

net user /add username password

To enable RDP access on XP, go to My Computer -> Properties -> Remote tab, and select "Allow users to connect remotely to this computer"

Then start Cain, go to Sniffer, press the small NIC button to start sniffing, and press the "+" sign to add hosts. Add your network range to scan for available hosts.


Once the scan completes, you will see the hosts on the network.


Then go to the APR tab at the bottom, and press the blue "+" sign to add hosts. Select the two hosts (client, server), which you want to spoof.


After that we are ready: press the yellow radioactive button to start poisoning, and with this you are MiTM between the two hosts. There is plenty you can do this way, but I will look at the "APR-RDP" now.


Let's open an RDP connection. If you do it from a Windows 7 machine, you will get the following warning:


Ignore it, and log in via the RDP session. Type in your username and password. You will see that Cain captured the RDP traffic, and that it automatically performs MiTM.


Once we logged in, we can view the file created by Cain (on the right side of the columns). Look for "Key pressed", you can follow one by one, what the client was typing in, and thus recover its password.


That's it.