Thursday, July 17, 2014

Physical Pentest Tactic: Be Modest With The Car

This may seem obvious to some people, but I've heard some stupid stories.

I'm going to make this simple. When renting a car for your physical pentest, don't get the Mustang. Don't get any car that is going to attract attention. Get a bland car in a bland color, something like a gray Toyota Camry or a boring SUV.

Why get an SUV if you are only one person? Dumpster diving. I can't tell you how much more crap an SUV can hold than a midsize car.

I once had to go back to the client site 3 times to get as much stuff as the SUV could hold on another site. You never want to do that. You want to get in, get what you need, and get out. The longer you stay in a particular location, the higher your chances of getting caught.

Therefore, get a bland, boring-looking SUV if you can. Otherwise get a midsize car. Avoid compacts if you are planning on doing any dumpster diving.

EDIT:

Another aspect of choosing a car that is actually very important for night operations: make sure all the lights can be turned off quickly and manually.

Few things are more annoying than pulling up to a spot and turning off the car only to have the lights linger on for a minute or so while you awkwardly stare off waiting for them to switch off.

The best option would be the ability to have all the lights off (interior and exterior) while the car is still on. But in most cases, it's better to leave the engine off.

Physical Pentest App - Scanner Radio

Police scanners can get expensive, especially since today most police stations are moving over to digital (trunked) communications. I had bought a Yaesu VX8DR so I wouldn't have to worry about missing a frequency. Well, it turns out it doesn't do trunked comms, so I was fucked... Well, not so much.

A free alternative, although time-delayed, is an Android app called "Scanner Radio". Most locations in America have an entry for their county or city or whatever for dispatch.

I love having it in my ear while I case a place or do car recon. It's pretty simple: if you hear a report of a suspicious vehicle in your area, move to another location.

I use the app whenever there are trunked comms for the area my target is in. There is however a delay, and that delay depends on what location you are in. I know in Chicago it's about a 60 second delay between what happens on the radio and what comes through the app. You have to remember that the audio has to be received by the equipment, transmitted to the servers, and relayed over the cell network to your phone. That can take a bit.

The best solution is a realtime radio. The second best is the app. It's better than nothing.

Physical Pentest Tactic: Try Everything

It takes a certain kind of person to do a physical pentest well. They have to have balls. They have to be willing to take risks normal people wouldn't take. And most importantly, that risk taking should be accompanied by a level of curiosity. Thoughts like "I wonder what's behind this door" or "I wonder where these stairs go" are a huge part of discovering potential vulnerabilities.

We all like to think that a "properly done" pentest includes a Hollywood-esque layout of the building with every exit and entry point, real-time updates of the guard patrols and all that fancy movie crap. In reality that is extremely rare. The recon you do beforehand can only give you a partial picture of what's happening.

1. Do they have guards?
2. Do they have guards all night long?
3. Do the guards patrol? Outside? At regular intervals?
4. Are there guard changes? What time?
5. IS THERE A CLEANING CREW? Do they exit the building often to throw out trash?
6. etc, etc.

On one of the physical tests I was on, we were lucky enough to have multiple people (usually they are all solo). After doing internal recon and figuring out the security system, how it works, where it was placed and all that stuff, we decided to check out the place more up close and personal.

We determined that the security system in place was supposed to work based on sound. If it detected the sound of someone walking around or breaking a window or something like that, the audio was supposed to be pumped back to the monitoring station to determine whether it was an intruder or something had accidentally hit the window. The whole system was created to reduce false positives and avoid having the police called out when it was actually nothing.

Well, we wanted to test how sensitive the system was just before we hightailed it out. So when we were done checking out the rest of the building, we were all in the SUV and drove up to the last door to see if the alarm would trip if we rattled the door. My friend got out of the car and firmly pushed on the door. I was watching the LEDs on the alarm system through my binoculars for a change from green to blinking red, meaning it had gone off. Well, after the push the lights didn't change. We told him to really go at it and shake the door hard. He pushed really hard, and then pulled really hard, doing the motion over and over again, and holy shit. THE DOOR OPENED. That door, the door we saved for last, was the one door in the whole place that was completely unlocked. The hilariousness and elation faded quickly as I saw the LED go from green to blinking red. From reading the alarm system documentation we had about 30 seconds to GTFO before the cops were called.

After a bout of screaming, because my friend thought we told him to go inside when in fact we told him to get inside the car (lmfao, that was funny beyond belief), we got in the car and got out of the area. We found a dark parking lot that let us see the target from across the street. We waited, scrunched down in our seats. It's amazing how many cars are out driving around at 3am. After about 6 minutes I heard on the police radio that a burglar alarm had been set off at the location. Less than a minute later a cop showed up to check out the place. Then another cop showed up.

The moral of the story: never assume a door is locked. CHECK EVERYTHING.

Physical Pentest Gear: The Clipboard

I've done several physical pentests in the past (and currently) and one piece of gear whose usefulness never ceases to amaze me is the clipboard. I'm not talking about your grandfather's clipboard. I'm talking about today's modern clipboard. It has wifi for automatic note taking and a camera to transmit pictures. OK, I'm just messing with you, it doesn't have all that. But it is still incredibly useful.

I was doing a physical one day and was on the social engineering portion of the test, AKA me walking around the office trying to get sensitive documents. I came across an empty cubicle that was being used to store a bunch of bankers boxes (think stereotypical cardboard boxes with handle holes and lids). Well, I peeked inside one of the boxes and giggled at what I found: thousands of documents with handwritten credit card info dating back several years. That was in one box. One box of about 2 dozen.

I took a couple snapshots with my camera but couldn't get a good photo because of the lighting/not enough time. So I grabbed a couple documents (they were old, just as a PoC) and took a picture of the pile of boxes. The clipboard I was carrying was perfect to quickly stash these papers:

http://www.amazon.com/Saunders-SlimMate-Plastic-Clipboard-00558/dp/B00290OG6I/ref=sr_1_3

Any clipboard with a similar compartment will do. You can stash a surprising amount of documents in those things. Waaaay more than you need to prove your point.

Once I was back at the hotel I took much better shots and included them in the report, and when everything was done and over I securely mailed the documents back to my point of contact. That "Sensitive Documents Not Stored Securely" finding was a small finding in an otherwise juicy report, and that clipboard made my life way easier during the entire SE portion of the test.

There is also the added benefit that having a clipboard in your hand subconsciously signals to other people that you are a person of authority, a decision maker, someone who should probably be treated a little better than any old average Joe. That reaction tends to come from two different personalities:
1. The person wants to suck up to you (teacher's pet syndrome)
2. The person doesn't want to get in trouble (teacher's ruler syndrome)

There is a third personality type who tends to hate authority figures, but you can usually defuse those people by being very confident and, most importantly, very polite/kind. Kindness in authority figures tends to be fairly disarming to the vehemently authority-opposed.

So there you go: just like an EDC (every day carry), every object in your black bag should have multiple uses. I'd suggest adding a compartment clipboard to yours ASAP.

It may seem like a small and insignificant addition at first, but I guarantee that you will be happy you bought it.

Wednesday, July 16, 2014

Ruby - What quarter a date is in

I have a report I have to generate every week and it requests all items of a particular status since the beginning of the current quarter. Everyone likes to say "Just use ActiveRecord!". Fuck you.

Here is the simple ruby code that will do it:

require 'date' # lowercase 'date': require 'Date' only loads on case-insensitive filesystems
def whatQuarter(date)
  thisYear = Time.new.year # just a filler year: the ranges only cover this year, so a date from another year falls through and returns nil
  if    (Date.parse("#{thisYear}-01-01")..Date.parse("#{thisYear}-03-31")).cover?(date) # date range for quarter 1
    return 'Q1'
  elsif (Date.parse("#{thisYear}-04-01")..Date.parse("#{thisYear}-06-30")).cover?(date)
    return 'Q2'
  elsif (Date.parse("#{thisYear}-07-01")..Date.parse("#{thisYear}-09-30")).cover?(date)
    return 'Q3'
  elsif (Date.parse("#{thisYear}-10-01")..Date.parse("#{thisYear}-12-31")).cover?(date)
    return 'Q4'
  end
end
def sameQuarter?(date1, date2)
  # note: two dates from other years both come back nil and so compare equal here
  if whatQuarter(date1) == whatQuarter(date2)
    return true
  else
    return false
  end
end


I'm sure there is something retarded about that code but it seems to work for me :/

EDIT:

I shortened everything and made it easier on the eyes:

require 'date' # lowercase, see above
def whatQuarter(date)
  thisYear = Time.new.year # just a filler year (only covers dates in the current year)
  case
  when (Date.parse("#{thisYear}-01-01")..Date.parse("#{thisYear}-03-31")).cover?(date) then 'Q1'
  when (Date.parse("#{thisYear}-04-01")..Date.parse("#{thisYear}-06-30")).cover?(date) then 'Q2'
  when (Date.parse("#{thisYear}-07-01")..Date.parse("#{thisYear}-09-30")).cover?(date) then 'Q3'
  when (Date.parse("#{thisYear}-10-01")..Date.parse("#{thisYear}-12-31")).cover?(date) then 'Q4'
  end
end

def sameQuarter?(date1, date2)
  whatQuarter(date1) == whatQuarter(date2) # already a boolean, no ternary needed
end
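As an added example (not the post's code), here is the same idea done arithmetically so it works for any year, plus the "since the beginning of the current quarter" cutoff the weekly report actually needs. Function names and the sample items are my own.

```ruby
# Added example (not from the original post): quarter helpers that work for any
# year, plus the "beginning of the current quarter" cutoff the weekly report
# actually needs. Names are my own.
require 'date'

# 1..4 for any Date, computed from the month instead of fixed-year ranges.
def quarter_of(date)
  ((date.month - 1) / 3) + 1
end

# 'Q1'..'Q4', like the post's whatQuarter but not tied to this year.
def quarter_label(date)
  "Q#{quarter_of(date)}"
end

# Same quarter only if year AND quarter match; comparing labels alone would
# call Q1 2013 and Q1 2014 the same quarter.
def same_quarter?(date1, date2)
  date1.year == date2.year && quarter_of(date1) == quarter_of(date2)
end

# First day of the quarter containing +date+ (default today): the cutoff for
# "all items since the beginning of the current quarter".
def quarter_start(date = Date.today)
  Date.new(date.year, (quarter_of(date) - 1) * 3 + 1, 1)
end

# Last day of that quarter: first day of the next quarter minus one.
def quarter_end(date = Date.today)
  (quarter_start(date) >> 3) - 1
end

# The report query: items with the wanted status updated on/after the cutoff.
# +items+ is an array of hashes like { status: 'open', updated_at: Date }.
def items_this_quarter(items, status, today = Date.today)
  cutoff = quarter_start(today)
  items.select { |i| i[:status] == status && i[:updated_at] >= cutoff }
end

if __FILE__ == $0
  # Constructed sample data for a quick run.
  items = [
    { status: 'open',   updated_at: Date.new(2014, 7, 3) },
    { status: 'open',   updated_at: Date.new(2014, 6, 30) },
    { status: 'closed', updated_at: Date.new(2014, 7, 10) }
  ]
  puts items_this_quarter(items, 'open', Date.new(2014, 7, 16)).inspect
end
```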

Tuesday, July 15, 2014

LM Hashing Policy - Changes to the same password

No password set for account:
  blah1(current):1019:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Password of 'Password1' when LM is allowed:
  blah2(current):1021:e52cac67419a9a2238f10713b629b565:64f12cddaa88057e06a81b54e73b949b:::

Password of 'Password1' when LM is disabled:
  blah3(current):1020:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::

Basically if LM is disabled then the machine will substitute a "blank" value for the LM field (aad3b435b51404eeaad3b435b51404ee) and then continue on normally with the NTLM portion.

If the password is larger than 14 characters, the LM portion will have the blank value (aad3b435b51404eeaad3b435b51404ee). This is regardless of whether or not LM is disabled.

LM hashing is disabled by the existence of a DWORD registry value 'NoLMHash' under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa that is set to '1'.
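Added example (my own code, not from the post): a small audit over pwdump-style lines that uses the blank-LM and empty-password values above to flag accounts that still store an LM hash, and groups accounts that share an NT hash (same password, as blah2/blah3 show). Function names are my own; the input is the three sample lines from this post.

```ruby
# Added example (not from the original post): audit pwdump-style lines for
# accounts that still store an LM hash. Function names are my own.
BLANK_LM = 'aad3b435b51404eeaad3b435b51404ee' # LM field when no LM hash is stored
EMPTY_NT = '31d6cfe0d16ae931b73c59d7e0c089c0' # NT hash of the empty password

# The three sample lines from the post, used as constructed input.
SAMPLE_DUMP = <<~DUMP
  blah1(current):1019:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  blah2(current):1021:e52cac67419a9a2238f10713b629b565:64f12cddaa88057e06a81b54e73b949b:::
  blah3(current):1020:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
DUMP

# Parses "user:rid:lm:nt:::"; returns nil for lines that do not match.
def parse_pwdump_line(line)
  m = line.strip.match(/\A([^:]+):(\d+):(\h{32}):(\h{32}):::\z/)
  return nil unless m
  { user: m[1], rid: m[2].to_i, lm: m[3].downcase, nt: m[4].downcase }
end

# :no_password - NT hash is the empty-string hash
# :lm_present  - a real LM hash is stored (NoLMHash not set AND password <= 14
#                chars), so the password is exposed to LM cracking
# :ok          - LM field is blank (NoLMHash=1 or password > 14 chars)
def classify(entry)
  return :no_password if entry[:nt] == EMPTY_NT
  return :lm_present unless entry[:lm] == BLANK_LM
  :ok
end

# Whole dump -> { user => verdict }, skipping lines that do not parse.
def audit_pwdump(text)
  text.each_line.each_with_object({}) do |line, out|
    entry = parse_pwdump_line(line)
    out[entry[:user]] = classify(entry) if entry
  end
end

# Accounts sharing one NT hash share one password (LM on/off does not change
# the NT part). Returns { nt_hash => [users] } for hashes used more than once.
def shared_nt_hashes(text)
  groups = Hash.new { |h, k| h[k] = [] }
  text.each_line do |line|
    entry = parse_pwdump_line(line)
    groups[entry[:nt]] << entry[:user] if entry
  end
  groups.select { |_, users| users.size > 1 }
end

if __FILE__ == $0
  audit_pwdump(SAMPLE_DUMP).each { |user, verdict| puts "#{user}: #{verdict}" }
  shared_nt_hashes(SAMPLE_DUMP).each { |nt, users| puts "shared NT #{nt}: #{users.join(', ')}" }
end
```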

Monday, July 14, 2014

Transferring Files Using Netcat

It's probably one of the most well known and simplest ways of transferring files in an emergency. You simply pipe a file into a listening netcat and have the client redirect what it receives from the connection into a file.

Start/Share the file:

nc -l 5678 < file.blah

That line will start listening for connections on port 5678. Once a connection is made, it will spit out the contents of file.blah to the client. If you have the following netcat line listening on the "client" side then it will spit the contents it gets to a file:

nc example.com 5678 > file.blah

I like to md5-check the file afterward to make sure network gnomes didn't mess up the data somehow.
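The same exchange as an added example in Ruby (not part of the original post): a listener that streams a file to whoever connects, a client that writes the stream to disk, and the digest comparison built in so the check is not forgotten. It runs over loopback; the function names and the generated sample file are my own.

```ruby
# Added example (not from the original post): netcat-style file transfer over
# loopback with the MD5 check the post recommends. Names are my own.
require 'socket'
require 'digest'
require 'tmpdir'
# Serve +path+ once to whoever connects, like "nc -l PORT < file.blah".
# Binds port 0 and returns the port the OS picked.
def serve_file_once(path, host = '127.0.0.1')
  server = TCPServer.new(host, 0)
  port = server.addr[1]
  Thread.new do
    client = server.accept
    File.open(path, 'rb') { |f| IO.copy_stream(f, client) }
    client.close # EOF tells the receiver the file is complete
    server.close
  end
  port
end

# Connect and write the stream to +dest+, like "nc HOST PORT > file.blah".
def receive_file(host, port, dest)
  TCPSocket.open(host, port) do |sock|
    File.open(dest, 'wb') { |f| IO.copy_stream(sock, f) }
  end
  dest
end

# The "network gnomes" check. Plain TCP gives no end-to-end integrity check,
# so comparing digests is the only way to know the copy is intact. MD5 catches
# corruption; against deliberate tampering on the path compare a SHA-256 out of band.
def digests_match?(a, b)
  Digest::MD5.file(a).hexdigest == Digest::MD5.file(b).hexdigest
end

def transfer_verified?(src, dest)
  receive_file('127.0.0.1', serve_file_once(src), dest)
  digests_match?(src, dest)
end

# Constructed demo: 1 MiB of pseudo-random bytes round-tripped over loopback.
def demo_transfer
  Dir.mktmpdir do |dir|
    src = File.join(dir, 'file.blah')
    File.binwrite(src, Random.new(42).bytes(1 << 20))
    transfer_verified?(src, File.join(dir, 'file.copy'))
  end
end
puts(demo_transfer ? 'md5 matches' : 'md5 MISMATCH') if __FILE__ == $0
```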

Pretty simple and straightforward.

Friday, July 11, 2014

Netcat with SSL

Recently I needed to troubleshoot some requests to an HTTPS server. Instead of going through the hassle of setting up mitmproxy to middle the SSL connection, I just decided to point it at an empty listening port. After all, all I really needed was to see what GET requests it was making.


You can set up a netcat like server that supports SSL using ncat (the tool that comes with nmap).

ncat --ssl --listen 4443

If you want it to stay open after the first connection, append '--keep-open'. And if you want some verbosity on what's going on, add '-vv' to get more info.

There are supposedly a bunch of different ways to get a netcat like interface for SSL but ncat gave me the least trouble.

Wednesday, July 9, 2014

Encodings (personal notes)

This is not supposed to be pretty, just for me:

ENCODINGS N' SHIT

From hex to string
print("\x41") #will print "A" since 41 is the hex of capital A
  A

From string to hex
"A".encode("hex")
  41

From hex to string (again)
"41".decode("hex")
  A

encode/decode support hex, base64, utf-8, rot13 and a bunch of others (https://docs.python.org/2/library/codecs.html#standard-encodings)

URL encode:
import urllib
urllib.quote_plus("HOLA\":!@$")
  HOLA%22%3A%21%40%24

Wednesday, July 2, 2014

Python script to grab the title of a page

#!/usr/bin/env python
# Python 2 script: prints "<url> --- <title>" for the URL given as the only argument
import sys
import urllib2
from BeautifulSoup import BeautifulSoup  # BeautifulSoup 3 package name
#expects "http://example.com" as argument

if len(sys.argv) != 2:
    print 'usage: %s http://example.com' % sys.argv[0]
    sys.exit(1)

url = sys.argv[1]

try:
    # fetch once and reuse the response instead of opening the URL twice
    response = urllib2.urlopen(url)
except urllib2.URLError, e:  # URLError also covers HTTPError (connection refused, 404, ...)
    print url, '--- ERROR:', e
    sys.exit(1)

soup = BeautifulSoup(response)

if soup.title:
  print url, "--- ", soup.title.string
else:
  print url, '--- NULL'