

Messages - spike

1
Projects and Discussion / Re: Windows bully project
« on: February 26, 2016, 03:23:43 pm »
Huh. That's pretty cool. I would like to work on it with you. What language is it in? Pop in the #coding channel on IRC so we can talk about it.

2
Projects and Discussion / Re: Windows bully project
« on: February 25, 2016, 01:32:56 pm »
So, I'm going to create a scenario so that I understand what you are trying to say.

Walk up to a machine that is already on and running Windows. Plug in a USB with this tool and execute it. This tool would brute force the user's password on the spot, without elevated privileges, or if necessary run an exploit to acquire the necessary privileges. Is this right?

The important part of that scenario is that you do not want to turn off the machine or reboot into a Linux environment. If we can reboot, then we can extract the SAM file, pillage the network, etc.

It's a cool idea, but I'm thinking about all the time it would take to create a tool like that. How does it brute force the password without elevated privileges? I still don't understand why this would be better than walking up to the running machine and executing a trojan. If I have an exploit that allows privilege escalation, I'm going to install a rootkit instead.

I would really like to see a POC. I'm curious how it would work.

3
Projects and Discussion / Re: Windows bully project
« on: February 25, 2016, 12:25:01 pm »
So I have a few questions. First, how is this different than ophcrack's rainbow tables? If we are brute forcing a password, don't we also need a dictionary file?

You mentioned walking in with a USB and doing this. Time and the machine that you are working with really matter. If you only have a few minutes, and the target machine is a 2.0 GHz dual core, then simply extracting the SAM file and cracking it offsite with a GPU-based tool like oclHashcat may be faster and safer. Yet still, maybe just walking out with the entire damn machine would be easier. Hell, if I'm already physically on the network, then there are so many other possibilities other than sitting there and toiling away brute forcing some password.

This also seems like an awful lot of work for just one password. Maybe it would be easier to walk in with a malicious USB that spawns a shell to your box, then keylog. We could get really creative and buy a fancy keyboard, modify it with a trojan, and mail it to the IT department.

As far as Windows security goes, Windows 10 has new security methods that make it more difficult to pull the passwords out of memory with tools like mimikatz. Here are the links to the limited amount of research that I have done.

Talks about the security methods:
https://adsecurity.org/?p=1535

Talks about a potential for a remote exploit:
https://www.blackhat.com/docs/us-15/materials/us-15-Brossard-SMBv2-Sharing-More-Than-Just-Your-Files-wp.pdf

4
Tutorials / Harvesting Emails with SimplyEmail
« on: February 24, 2016, 01:10:37 pm »
Harvesting Emails with SimplyEmail

Collecting a list of emails is always a priority when doing reconnaissance on an organization, group, or even just an individual. Many times when you go whaling (phishing a single person, like an executive), the only way you can get your target to take a peek at your awesome website, is by coaxing them with an email.

Lots of folks already know about theHarvester for harvesting lists of emails. I always run a script that condenses the output from theHarvester, goog-mail, goohost, and Metasploit's auxiliary/gather/search_email_collector. Today, we are going to take a look at a new email collection tool called SimplyEmail.

SimplyEmail improves on theHarvester by making the searches individual modules. This makes it significantly easier to add to. In version 1.2 (latest at time of writing) there are 26 modules including searches of:

* Github
* Google
* Yahoo
* Flickr
* PasteBin
* PGP
* Reddit
* LinkedIn
* Exalead
* And more...

Install

Install by doing:

Code:
git clone https://github.com/killswitch-GUI/SimplyEmail.git
cd ./SimplyEmail
./Setup.sh

The Setup.sh file will pull down the dependencies and install them for you. Then we can test that it is installed by listing the modules with:

Code:
./SimplyEmail.py -l

Usage:

To then run all modules against your target do:

Code:
./SimplyEmail.py -all -e example.com

or in verbose mode:

Code:
./SimplyEmail.py -all -v -e example.com

If we add the -s flag for no scope, it will return any emails that are mentioned on the pages. Use this one carefully if you are doing a spear phishing engagement; it could have lots of false positives. It could be useful if going after a small org. You would have to manually verify afterwards that they are addresses for the people you are targeting.

Code:
./SimplyEmail.py -all -v -e example.com -s

One of the awesome options of SimplyEmail is the -verify flag. This will look up the MX server and verify that the email is valid. Keep in mind that at this point you are sending packets to your target environment.

Code:
./SimplyEmail.py -all -v -verify -e example.com
Another interesting option is the -n flag. I'm not positive what this flag does, but I'm pretty sure that it creates an address name by mangling usernames and then testing it against the target MX server.

Code:
./SimplyEmail.py -all -v -verify -n -e example.com
Results:

Control group:
I selected an organization of interest to me and decided to do some test runs. My homebrew script that uses theHarvester, goog-mail, goohost, and Metasploit's auxiliary/gather/search_email_collector returned 46 emails. I normally only do manual false positive testing to make sure that the emails are valid. Accuracy varies.

SimplyEmail tests:
Running the tool, several errors popped up, especially ones from BeautifulSoup. I don't think they affected the performance and they were ignored. Also, I did not have a canar.io API key, so while running all of the modules, it was skipped over.

1. Running the following returned 62 emails:

Code:
./SimplyEmail.py -all -e example.com
2. Running with the -s option returned 148,104 results. However, they were emails from pretty much everywhere including hotmail, MIT, and verizon. Lots of potential false positives. Tens of thousands of them.

Code:
./SimplyEmail.py -all -v -e example.com -s
3. I ran with both of the following and didn't see much difference between them. I couldn't tell if the -n flag was useful, but the -verify flag definitely got rid of some of the false positives. I ended up with 30 valid emails that I didn't have to manually verify.

Code:
./SimplyEmail.py -all -v -verify -e example.com
./SimplyEmail.py -all -v -verify -n -e example.com

Conclusion:

For now, I am running both my homebrew and SimplyEmail to collect email lists, then comparing the output. I may try to either integrate it into my script or perhaps over time, as SimplyEmail becomes more feature rich, outright replace my script. The verbose flag was not very useful for simply scraping email; the tool is plenty verbose in its default state. It may be more useful when developing a module. The following is the command that I recommend to run from now on when using SimplyEmail; play with the flags and see if anything reveals some missed data. If doing a blackbox test, remember that the verify option will send packets to the target's MX server. Remember, it's better to have one loud bang than a long creaking noise. Don't keep verifying lists of emails; get a good list and run with it.

Code:
./SimplyEmail.py -all -verify -e example.com

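The false positives that the no-scope (-s) run in the results above produces (addresses from hotmail, MIT, verizon and so on) can be stripped after the fact without re-running any module, and the same check is what an organization auditing its own exposed addresses needs. The following Python script is an added example, not part of SimplyEmail or of the original post. It assumes the harvester output was saved as plain text with one address or log line per line, takes a target domain, keeps only addresses on that domain or its subdomains, normalises case, deduplicates, and counts the out-of-scope domains so you can see how much noise the run contained. The sample dump inside the script is constructed for the demonstration.

```python
"""Scope-filter and deduplicate a harvested e-mail list (added example)."""
import re
from collections import Counter

# Deliberately simple address pattern: enough for harvester dumps, not RFC 5322.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample resembling a no-scope (-s) run: in-scope addresses
# mixed with unrelated domains, duplicates, case variants and log noise.
SAMPLE_OUTPUT = """\
[*] Searching Google ...
alice@example.com
Bob.Smith@Example.com
carol@mail.example.com
alice@example.com
dave@hotmail.com
eve@mit.edu
noreply@example.com.evil.net
frank@exampleX.com
[*] Found 8 results
"""


def extract_emails(text):
    """Pull every address-looking token out of raw harvester output."""
    return [m.group(0) for m in EMAIL_RE.finditer(text)]


def in_scope(address, target_domain):
    """True if the address is on target_domain or one of its subdomains.

    The label boundary check ("." + target) is what keeps look-alikes such
    as example.com.evil.net or exampleX.com out; a bare substring test
    would let both through.
    """
    domain = address.rsplit("@", 1)[1].lower()
    target = target_domain.lower()
    return domain == target or domain.endswith("." + target)


def scope_filter(text, target_domain):
    """Return (sorted unique in-scope addresses, Counter of dropped domains)."""
    kept = set()
    dropped = Counter()
    for addr in extract_emails(text):
        norm = addr.lower()          # e-mail local parts are case-insensitive in practice
        if in_scope(norm, target_domain):
            kept.add(norm)
        else:
            dropped[norm.rsplit("@", 1)[1]] += 1
    return sorted(kept), dropped


if __name__ == "__main__":
    # Usage with a real dump: replace SAMPLE_OUTPUT by open("harvest.txt").read()
    kept, dropped = scope_filter(SAMPLE_OUTPUT, "example.com")
    print(f"{len(kept)} in-scope address(es):")
    for addr in kept:
        print("  " + addr)
    print(f"{sum(dropped.values())} out-of-scope address(es) dropped, by domain:")
    for domain, n in dropped.most_common():
        print(f"  {domain}: {n}")
```

On the constructed sample this keeps three unique addresses (two case variants of alice/bob collapse to one each, carol stays because mail.example.com is a subdomain) and drops four, including the two look-alike domains that a plain "contains example.com" filter would have accepted.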
5
Operating System / Re: OS Advice?
« on: February 21, 2016, 11:34:28 pm »
I use Linux on desktop, so I will talk about those. I've used Slackware, Puppy, openSUSE, Arch, BlackArch, ArchBang, Debian, Kali, Ubuntu, Mint, and probably some others that I can't think of off the top of my head. I'll tell you that you should use what works for you. I primarily use my system for programming, security research, web browsing, and office activities. I don't have a need for gaming or video editing or whatever. The thing that's most important for me is having the libraries, repositories, and tools that I need for security and coding easily accessible.

That being said, I am currently on Kali Rolling. I wipe my drive with DBAN once every 3 months, and I quite simply don't want to deal with re-installing all the libraries, repositories, tools, etc. Install, harden, load up all my homebrew tools and configs, and I'm good to go in a day. I started learning security on a BackTrack VM, so most of the tools and scripts that I use have been written with BT and Kali in mind. I also like the bad pass option in Kali's full disk encryption.

I have tried doing this with Arch/BlackArch, but there is always something that just doesn't work quite right. Arch is my favorite out of those; I like it a lot because it's just a fun system and pacman makes it fairly easy to use, but as lots of Archers have said, troubleshooting is a big part of that system. Always tinkering with how it works. At this point I'm so tired of troubleshooting/tinkering and I just don't feel like spending the time. I have bigger projects to work on.

If you use Ubuntu/Mint, check out Pen Testers Framework by Dave Kennedy. Looks like a quick way to get up and rolling.

I even once knew a career criminal that used Ubuntu Studio because it had the photo editing tools and printer drivers he needed.

I like them all, use what works for you.
