Archive for the ‘security’ Category

A Red Team exercise is lotsa fun not only because you have a more realistic engagement due to the broader scope, but also because you can encounter situations which you normally wouldn’t on a regular narrow scoped penetration test. I’m going to focus on pageant which Slurpgeit recently encountered during one of these red team exercises which peeked my interest.

Apparantly he got access to a machine on which the user used pageant to manage ssh keys and authenticate to servers without having to type his key password every single time he connects. This of course raises the following interesting (or silly) question:

Why does the user only have to type his ssh key in once?

Which has a rather logical (or doh) answer as well:

The pageant process keeps the decrypted key in memory so that you can use them without having to type the decryption password every time you want to use the key.

From an attackers perspective it of course begs the question if you can steal these unencrypted keys? Assuming you are able to make a memory dump of the running process you should be able to get these decrypted ssh keys. During this blog post I’ll be focusing on how you could achieve this and the pitfalls I encountered when approaching this.


One of the things that has always fascinated me is when you are watching some Hollywood movie and they talk about stuff like “rotating string cipher encryption with a strength of 228 bits”. Now this has always sounded both funny and interesting to me. Like what if you could convert data that is normally static into actual continuous rotating data? This morning it hit me, this is something we can actually accomplish with password hashes. We can rotate them continuously, without the user even noticing and hopefully make it harder for attackers to crack the hash. Which is the main goal of this “idea/solution” making it harder or hopefully impossible for attacker to crack the hash when they obtain it. Here is a PoC preview output, screenshot OTP and usage OTP don’t match because they were obtained at different times:


./ S3cretP4ssword 545130
 Current password hash:
 Login OK
./ S3cretP4ssword 545130
 Current password hash:
 Login Failed

Like you can see we attempt to login with the same credentials both times and yet the second time this fails. If you are impatient then you’ve probably guessed that this is due to the added 2FA data in the login credentials and as usual you can jump straight to the code on my github. Now if you are curious how this works and how you could set this up in a real life setup keep on reading, do note that I haven’t tested this yet on a real life environment however. The setup is actually one of the important parts for this to work and actually slow down or hopefully prevent an attacker from successfully cracking the obtained hashes.

Now after you’ve read that you are probably thinking “shut up already with those ‘uncrackable’ claims” and yeah you are correct. It can probably be cracked, but hopefully we can settle for the second best which is (tremendously) slowing down the attacker.

For the remainder of this entry we will be focusing on further protecting the stored hashes and not on how to protect the in transit plain text password. This since obviously if you have full control of a server where the SSL is terminated you could just intercept all passwords in plain text. This can be solved with fancy challenge-response protocols or maybe (in browser) public-key cryptography. For now, let’s dig further into this ‘continuous changing hashes’ concept.


We all know that sqlmap is a really great tool which has a lot of options that you can tweak and adjust to exploit the SQLi vuln you just found (or that sqlmap found for you). On rare occasions however you might want to just have a small and simple script or you just want to learn how to do it yourself. So let’s see how you could write your own script to exploit a blind SQLi vulnerability. Just to make sure we are all on the same page, here is the blind SQLi definition from OWASP:

Blind SQL (Structured Query Language) injection is a type of SQL Injection attack that asks the database true or false questions and determines the answer based on the applications response.

You can also roughly divide the exploiting techniques in two categories (like owasp does) namely:

  • content based
    • The page output tells you if the query was successful or not
  • time based
    • Based on a time delay you can determine if your query was successful or not

Of course you have dozens of variations on the above two techniques, I wrote about one such variation a while ago. For this script we are going to just focus on the basics of the mentioned techniques, if you are more interested in knowing how to find SQLi vulnerabilities you could read my article on Solving RogueCoder’s SQLi challenge. Since we are only focusing on automating a blind sql injection, we will not be building functionality to find SQL injections.

Before we even think about sending SQL queries to the servers, let’s first setup the vulnerable environment and try to be a bit realistic about it. Normally this means that you at least have to login, keep your session and then inject. In some cases you might even have to take into account CSRF tokens which depending on the implementation, means you have to parse some HTML before you can send the request. This will however be out of scope for this blog entry. If you want to know how you could parse HTML with python you could take a look at my credential scavenger entry.

If you just want the scripts you can find them in the example_bsqli_scripts repository on my github, since this is an entry on how you could write your own scripts all the values are hard coded in the script.


During one of those boring afternoons I noticed that most embassy buildings seem to have more or less the same amount of visible physical protection, this made me wonder what the available options are if you’d want to protect your own house. These are just some quick notes after searching around the internet on another boring afternoon, most of the options have an additional wide variety of configuration possibilities. So if you decide to implement any of the mentioned options, please do some research yourself, since these are just some starting points and you should choose the appropriate configuration yourself.

Keep in mind that (as far as I know) most options discussed here can be bypassed. Like with all security measures you should base the choices you make on a layered approach. The sum of all the protective measures should buy you enough time to detect a break in and react before any valuables are stolen. Feel free to leave additional measures in the comments or how to bypass the measures in this article. Do keep in mind that these measures will be a lot less effective if they decide to break in while you are at home, also these security measure are not aimed at preventing social engineering attacks. As usual I’ve got no clue what the rules in your country are, so read up on them before you implement some of the following options.

Oh and if you want an example of how physical security measures can by bypassed then you’ll probably enjoy this article. It’s about one of the biggest ($100 million) diamond heists in Belgium and how the attackers bypassed ten physical security measures: The Untold Story of the World’s Biggest Diamond Heist


Quick POC to mitm RDP ssl

Posted: April 21, 2014 in general, security
Tags: , , ,

So the other day I stumbled upon this great article from Portcullis Labs. The article explains how you can man-in-the-middle an RDP SSL connection. This can be helpful in obtaining the user’s password, like Portcullis explains in their article. As far as I could tell they didn’t release their tool, so I decided to see if I could whip up a quick POC script with a twist of saving the entire decrypted stream to a pcap file. This would put you in the position to maybe retrieve more sensitive data then just the password. Turns out the only modification from regular SSL intercepting code is more or less the following:

    #read client rdp data
    #read server rdp data and check if ssl
    temp = serversock.recv(19)
    if(temp[15] == '\x01'):

Like you can see we just pass through the initial packet and then just check the response packet for the ‘SSL’ byte before we start intercepting. The output is pretty boring, since everything is saved to the file ‘output.pcap’:

sudo ./ 
waiting for connection...
('...connected from:', ('', 1044))
waiting for connection...
Intercepting rdp session from
some error happend
some error happend

You can ignore the errors, that’s just me being lazy for this POC. The output is saved in ‘output.pcap’ which you can then open with wireshark or further process to extract all the key strokes. If you want to play around with the POC you can find it on my github as usual. If you plan on extracting the key strokes make sure you look for the key scan codes and not for the hex representation of the character that the victim typed. In case you are wondering, yes , extracting the key strokes is left as an excersise for the user :)


I was under the impression that TrueCrypt installed a boot loader that was responsible for the pretty menu that you usually see when you boot. So to my surprise when I wanted to play around with it….it wasn’t. TrueCrypt actually uses a second stage to display that pretty menu. The traditional boot loader more or less just takes care of loading the second stage which sits compressed on the hard disk, if loading fails it will display some messages and that’s it. Since I still wanted to play around with it and preferably with the version actually sitting on my test machine’s hard disk I decided to dump it. The easiest way was to use Evil Maid, I modified the source slightly to prevent infection, it will still infect though if you omit a second argument :)

Here are the steps if you want to do it yourself:

  • Retrieve the first 64 sectors, for example with “FTK Imager” if you are under windows
  • Download the Evil Maid source
  • Apply this patch (patch <evilmaid.patch)
  • Run ./patch_tc <file_with_64_sectors> -f

This should look like this:

./patch_tc ~/Desktop/tc-full.dd -f
TrueCrypt EvilMaid patcher v0.1
TrueCrypt Boot Loader detected
PatchTrueCrypt(): Compressed loader size: 11877 bytes
PatchTrueCrypt(): Saved checksum 0x267DAC67
PatchTrueCrypt(): Loader memory size: 0x7000 (28672) bytes
PatchTrueCrypt(): Decompressing the boot loader
PatchTrueCrypt(): Decompression successful

The local directory where the executable patch_tc resides should now contain two files “sectors_backup” and “loader” which is the uncompressed second stage as you can see from a simple strings output:

strings -n 15 loader 
No bootable partition found
 TrueCrypt Boot Loader 7.1
    Keyboard Controls:
Boot Non-Hidden System (Boot Manager)
Skip Authentication (Boot Manager)
[Esc]  Cancel
Enter password
 for hidden system:
BIOS reserved too much memory: 
- Upgrade BIOS
- Use a different motherboard model/brand
Warning: Caps Lock is on.
Incorrect password.
If you are sure the password is correct, the key data may be damaged. Boot your
TrueCrypt Rescue Disk and select 'Repair Options' > 'Restore key data'.
Bootable Partitions:
, Partition: 
Press 1-9 to select partition: 
Your BIOS does not support large drives
 due to a bug
- Enable LBA in BIOS
Copying system to hidden volume. To abort, press Esc.
If aborted, copying will have to start from the beginning (if attempted again).
To fix bad sectors: 1) Terminate 2) Encrypt and decrypt sys partition 3) Retry
Copying completed.
Memory corrupted

So this is a *really* old blog post that I wrote a while back when I discovered, or at least so I believed, an XXE bug in the VMware vSphere client. I reported this to the VMware security team but they were not able to reproduce the part where you would use a UNC path to try and steal the credentials of an user. I then got busy and never continued to investigate why they were not able to reproduce it. Since the vSphere client is being replaced by a web client I decided it couldn’t hurt to release this old post, also the likely hood of this being exploited is pretty low.

Curiosity (from Latincuriosus “careful, diligent, curious,” akin to cura “care”) is a quality related to inquisitive thinking such as exploration, investigation, and learning, evident by observation in human and many animal species.  (Wikipedia)

As always a driving force behind many discoveries, as well as the recent bug I found in the VMware vSphere client (vvc). Not a very interesting bug, yet a fun journey to approach things from a different perspective. After my last post about a portable virtual lab I wondered what the vvc used as a protocol to communicate with the esxi server and if it could contain any bugs. So this time instead of getting out ollydbg I decided to go for a more high-level approach. Let’s see how I poked around and found the XML External Entity (XXE) (pdf)  vulnerability in the vvc.

I first looked in the directory of vvc, just to know the type of files that resided there, here is a screenshot:


Logically the file that drew my attention was the config file of which the following settings also seemed like they would come in handy:


Seems like if we want to tinker with the connection a higher time-out would give us more time and a higher verbosity level of logging could help us during the poking around. Enough looking around at this point let’s get more active.