Sunday, November 29, 2015

Here Hold This: Loading malware with legitimate Win32 applications


I do not often talk about OS-specific topics, and even more rarely is that OS Windows. I am, after all, an OS agnostic with a "slight" lean towards Linux. Sometimes, though, there is a method that is just too good to pass up writing about. "Here, Hold This" is the name I gave to a tactic for Windows post-exploitation persistence in which you cause a legitimate program that runs at boot to call your malware's startup routine. The exact method has been around pretty much since the inception of the Windows NT model. It takes advantage of the Windows DLL search order to trick the program into loading a malicious DLL it believes to be legitimate.

Friday, November 6, 2015

Station to Station Encryption in Python


Alice and Bob are looking for a more secure way to communicate than HTTPS. Sure, HTTPS is good for securing their messages against basic eavesdroppers. However, they want to secure their communication, even if someone steals their server's private key. Furthermore, Alice and Bob want to make sure that if an encryption key for any communication is broken it does not compromise the rest. The method they settle on is called the "Station To Station Protocol".

Saturday, October 10, 2015

DarkDuino Payload 1: Powershell DnE

The first payload I came up with for the DarkDuino was a simple PowerShell payload to download a given file off the network and then execute it. I will go over the code in detail below. This is the main loop in a sketch uploaded to an Arduino Micro microcontroller. At a high level, when the DarkDuino is connected to a target system and pinButton is pressed (brought to GND), it fires off a PowerShell command to download a Python file and execute it. It assumes the network allows local area network traffic on port 80, or on 443 if you're using HTTPS (and you should be!). It also assumes that the system has the Python executable in its PATH. Here is the commented code:

Sunday, October 4, 2015

SSHCommander Use Case 0: Example MITM Network Build

SSHCommander is a tool I am working on to help manage large clusters of systems using the SSH protocol. It is currently set up to use public/private key encryption to protect against eavesdropping, brute-force password cracking, and repetitive stress injuries from typing commands across 50+ nodes.

Saturday, September 26, 2015

Pyzano for Data Backup


Pyzano (https://github.com/dreilly369/PyzanoFSIC) is a tool I use for a lot of file system tasks, from monitoring for unauthorized changes to creating malware signatures for Host-based Intrusion Detection Systems (HIDS). Today, though, I want to write about Pyzano's ability to be used as a lightweight data backup and file sharing system.

Wednesday, September 16, 2015

Session Hijacking

Session hijacking allows an attacker to masquerade as the victim on websites where the session has been successfully exploited. To accomplish this I will put a redirection proxy in between the victim's web browser and the website, an aptly named “man-in-the-middle” attack. The goal is to trap an authentication cookie and use it on the attack machine to impersonate the victim on the website later.

Sunday, September 13, 2015

Building a DarkDuino Tool

This tool is what can be referred to as a “Force Multiplier”. It is not itself an exploit. Nor does it take advantage of any security flaw which is likely to go away. In fact, it is really just a programmable keyboard. Computers trust keyboards, so by default computers trust the DarkDuino tool. The only security lapse needed is for someone to walk away, leaving their system unlocked for a minute.

Scripted RFIDler Proximity Card Grabber

Using the RFIDler to clone a card manually was relatively easy to get a grasp on. Still, to understand how to automate the process of capturing different cards, the examples from the RFIDler site will help. Take a look at https://github.com/ApertureLabsLtd/RFIDler/wiki/plotting
The steps there describe how to use the plotting library to discern tag modulation types. The key takeaway (for now) is that the raw data for every tag modulation can be captured as ASKRAW. The page goes on to describe the method of looking at the data plot and figuring out what the modulation scheme is. We will use this method later to determine what types of cards we captured data for and to reprint them onto clones.

Saturday, August 22, 2015

RFIDler is better than your fiddler

As promised, here is my in-depth write-up on integrating the RFIDler into my setup. It has not been hard, but there are some definite lessons I have learned.
First let me start by describing what the tool is. The RFIDler is a Software Defined (SD) Low Frequency Only (LFO) Radio (R) (SDLFOR). It is from Aperture Labs. Mine came as an exposed circuit board with an exposed coil antenna.

Thursday, August 20, 2015

Roll your own Pwnie On a Samsung Galaxy Tab 3

If you have ever researched a Pwnie Express device for penetration tests you may have been floored, like I was, by the price/performance ratio. On my recent trip to Defcon23 I stopped at the Pwnie Express table to play with the Pwn Pad (https://www.pwnieexpress.com/product/pwn-pad-2014-penetration-testing-tablet/). Let me start by saying they have taken the idea and put a fit and finish on it I will never be able to achieve on my own. They have a slick interface and tie all the apps together in a logical and attractive (to me) manner.

However, I do not need slick, I break fit, and I scuff finishes. So rather than pay a lot more than I felt comfortable with, I set out to build my own version. Total investment was $100.00 and about 3 hours of my time. Here is how you can make your own:

Sunday, August 16, 2015

DEFCON 23 in the books

Defcon 23 was last week in Las Vegas, NV. It was my first year going, but it certainly will not be my last. There is no adequate way to describe the number of things brought together in one (actually two) place(s). Not knowing anyone at the convention, I was worried I would spend most of my time on my own searching for things to keep myself entertained. I was wrong. So so wrong. A huge thank you to the folks from DEFCON for keeping an amazing event going.

Now let me go over some of the things I picked up while I was there: