Saturday, 2 May 2020

Pentest reporting: Making the boring faster, easier, and more professional

As you know, a pentester does not live on hacking, breaking and destroying things alone.
After these pleasant activities, the results of your work must be written up and presented.
This is reporting time. Most technical professionals find it boring, annoying and repetitive. And they are right! LOL. That was my motivation to write this post.

Let’s start taking a look at Serpico.  
https://github.com/SerpicoProject/Serpico
The developers named it the SimplE RePort wrIting and COllaboration tool. In my judgment, the tool is powerful and makes the task a lot easier for the professional.
Unfortunately, like any other tool, Serpico has some limitations, such as IF statements inside a table in the report template. For me, that did not work well. But of course, it is not a roadblock. The idea here is not to explain how to use Serpico; that is your homework, since the documentation is fully available at the link above. Pay attention to how the Serpico META Language works, in depth.

Also, the text editor is your ally (or enemy) in this task. Editors have their own limitations, mainly when tables must be manipulated. Microsoft Word (in my case) cannot create dynamic tables, for example a table that is conditionally formatted.

Serpico generates tables like this for your report without difficulty:

Vulnerability name       | Impact | Exploitability
SQL Injection            | 4      | 3
Command Injection        | 4      | 4
Server Information Leak  | 1      | 8

Serpico stores Impact/Risk and Exploitability as numbers, from 0 (Informational) to 4 (Critical).

But sometimes the template approved by your customer/company requires the impact and the exploitability (or whatever the column is called) to be the word that corresponds to the number. For example, impact 4 must read Critical and exploitability 8 must read Very Easy. Also, the cell must be coloured according to a predetermined rate: impact 1 must be blue, exploitability 8 must be green, and so on.
For this small table, making these changes by hand is easy, but imagine a table with dozens of vulnerabilities. Colouring the cells and changing the text becomes boring and annoying.

To solve it, a Word macro does the work:

Sub colourExploitability()
    ' Walks every cell of the table the cursor is in. Cells whose text is a
    ' number AND italic (my markers for the rating cells Serpico fills in)
    ' get the matching label and background colour.
    Dim ce As Word.Cell
    Dim txt As String
    Dim rate As Double

    If Not Selection.Information(wdWithInTable) Then
        MsgBox "Put the cursor inside the table first."
        Exit Sub
    End If

    For Each ce In Selection.Tables(1).Range.Cells
        ' Range.Text of a cell ends with the end-of-cell marker Chr(13) & Chr(7):
        ' drop both characters before testing the value.
        txt = Trim(Left(ce.Range.Text, Len(ce.Range.Text) - 2))
        If IsNumeric(txt) And ce.Range.Italic = True Then
            rate = Val(txt)   ' read the number once; the text is overwritten below
            Select Case rate
                Case 5
                    ce.Shading.BackgroundPatternColor = RGB(192, 0, 0)
                    ce.Range.Text = "Very Easy(5)"
                Case 4
                    ce.Shading.BackgroundPatternColor = wdColorRed
                    ce.Range.Text = "Easy(4)"
                Case 3
                    ce.Shading.BackgroundPatternColor = wdColorOrange
                    ce.Range.Text = "Moderate(3)"
                Case 2
                    ce.Shading.BackgroundPatternColor = RGB(146, 208, 80)
                    ce.Range.Text = "Difficult(2)"
                Case 1
                    ce.Shading.BackgroundPatternColor = wdColorGreen
                    ce.Range.Text = "Very Difficult(1)"
                Case Is > 5
                    ' Out of scale: flag it loudly instead of guessing a label
                    ce.Shading.BackgroundPatternColor = wdColorBlue
                    ce.Range.Text = "WRONG VALUE"
            End Select
        End If
    Next ce
End Sub

Basically, what this macro does is:

Sweep every cell of the table the cursor is in.

Check whether the cell is numeric and italic (my conditions for the cells Serpico fills in; of course, you can change them):
IsNumeric(<cell text without the end-of-cell marker>) And ce.Range.Italic

Compare the number against each rate, 5 down to 1.

If matched, change the cell text and background colour:
 ce.Shading.BackgroundPatternColor = RGB(192, 0, 0)
 ce.Range.Text = "Very Easy(5)"

A value above 5 is painted blue and labelled WRONG VALUE, so a typo in the data stands out instead of being silently skipped.

Notice that BackgroundPatternColor accepts either RGB colours, as above, or the predefined WdColor constants listed here:
https://docs.microsoft.com/en-us/dotnet/api/microsoft.office.interop.word.wdcolor?view=word-pia


Save the macro and assign a keyboard shortcut to it. Click inside the table, press the shortcut, and watch the magic happen.

Another tip to make your job faster is to create Drop-Down List Content Controls.
By default, it is not possible to add custom fields in Serpico, for example an OWASP category for each vulnerability.

After you create this control and place it in the right spot of the template, Serpico generates it for each vulnerability you added to the report. You just select the proper category after the report has been generated.

If you are looking for more professional-looking documents, my friend Julio maintains a really good repository of public pentest reports: https://github.com/juliocesarfort/public-pentesting-reports

Also, thanks to my other friend Pedro, who added a chart feature, since Serpico is open source.
https://www.linkedin.com/in/pedro-cavalcante-975a61b3
Conclusion:
After some time using Serpico and applying these tricks, it is possible to cut reporting time by 60-80%. That time can be converted into cooler activities, like destroying some applications.

Thursday, 9 April 2020

Kali Linux Troubleshooting – Is my issue Kali related, generic issue, or lack of knowledge?


If you are reading this post, I presume you are a security professional, or at least want to be one. If you want to get started in security, please refer to this post: http://blog.dclabs.com.br/2016/05/wanna-be-pentester.html In this post, I will give you some tips to work out whether the issue you are facing while running Kali is a Kali issue, a generic issue, or a lack of knowledge. This post is based on statistics from the Kali IRC channel: more than 75% of the questions asked on the channel are not Kali related.


First of all, you must understand the Kali support policy:

“While Kali Linux is a Penetration Testing Linux distribution, we do not provide penetration testing support, or even tool usage support, as some might expect. We limit our support to Kali Linux operating system and packaging issues and encourage users to search for answers to their penetration testing related issues in better suited support channels.”
Source: https://www.kali.org/community/

To be clear from the beginning: just because you are running Kali, it does not mean your issue is Kali related. The people on the channel are helping you for free, so don't be an idiot.

As you can see, if you don't know how to use some tool, it's not a Kali issue. Check the tool's documentation. If you are too lazy to read it, jump off the boat right now. There are no shortcuts to becoming a good security professional. Get your ass on the chair and read!

As you should know, Kali is based on Debian testing (some packages may be imported from Debian unstable and/or Debian experimental). Given that, it is a good idea to keep a Debian testing machine installed in your VMware/VirtualBox. The main reason: if the issue is reproducible on Debian testing, it is clearly not a Kali-specific issue.

Below are some example questions, to clear your mind before asking for help on the official Kali channels:

"I'm new on Kali, how to..."

It does not matter if you are new to Kali. The only thing that matters is if you are familiar with Linux itself or not. If not: https://kali.training

"I'm trying to install libpXYZ:i386, but I get 'unable to locate package'. libpXYZ seems to be installed already. How can I install the 32-bit version?"

As you can see, this is a lack of knowledge of the dpkg and apt commands. Googling the string "apt add i386 architecture", the first result gives a step-by-step fix. So, IT'S NOT A KALI ISSUE.

"Hello, I would like to analyze the incoming RDP connection on my server. How should I do?"

It's more than clear that this question belongs in a networking forum/channel, not the Kali channel. Kali has nothing to do with your incoming connections. So, IT'S NOT A KALI ISSUE.

"Hi, when I run arachni it hangs before it starts scanning and shows some library errors. I have tested it on other distros like Ubuntu and Debian and it works fine."
This one looks like a Kali issue, since it happens ONLY in Kali!

"What is the Nmap command to enumerate shared folders?"

As explained at the beginning of the post, "...we do not provide penetration testing support, or even tool usage support..." So, IT'S NOT A KALI ISSUE.

"Is my wifi card Alfa Xyz123 supported by Kali?"

As explained before, Kali is based on Debian testing, so check whether Debian supports it.
If the driver works in Debian but not in Kali, then you have a Kali issue; otherwise, IT'S NOT A KALI ISSUE.

"Copy and paste is not working in Kali running in VirtualBox"

Is it not working only for Kali, or for all your other VMs as well?

"When I run Metasploit against the target, the shell does not open."
How to create a user, how to change a password, how to switch to the text terminal, how to run the tool, how to install..., how to remove..., how to update, the AV is blocking...

None of the questions above belongs on the official Kali channel, since they are generic Linux (or tool usage) questions. Kali indeed ships all the setup and security tools, but in the end it is just a Linux based on Debian.

If you know how to use Linux properly, these questions will disappear from your mind.

The best way to ask:
Before asking, make sure you have googled it and spent a good amount of time researching the solution or answer you are looking for.

After that, provide detailed information: steps to reproduce the issue, errors, logs (use Pastebin for them), kernel version, tool version, etc.

I guess you know how to proceed from here. (:

Tuesday, 10 March 2020

Bruteforcing Linux Disk Encryption (LUKS)

Hi guys! I decided to write this article for a few reasons: several articles on brute-forcing Linux disk encryption are unclear, inaccurate, or missing steps.

To start this post, I will describe a scenario that happened a few months ago: an unhappy IT contractor encrypted all of a company's virtualized servers and asked for a ransom.

So let's start with the technical part.

First of all, you need to identify the hypervisor the virtual machine ran on, because the disk file is not in RAW format and each hypervisor needs a different command to convert it. In this case, let's suppose it was VirtualBox. If you try to crack the password by running hashcat directly against the VDI file, even following the hashcat documentation, it won't work.

You need to convert the VDI file to RAW format first (VBox 6.1):

vbox-img convert --dstfilename "<fullpath_of_output_disk.raw>" --srcfilename "<fullpath_of_encrypted_disk.vdi>" --srcformat VDI --dstformat RAW --variant Standard

*Depending on the disk size, this can take a long time, and there is no progress indicator during the process. Wait until the prompt returns.

Now, let's extract the encrypted (LUKS) partition from the RAW disk:

binwalk -D 'luks_magic:lukspartiton.raw:' disk.raw

*Again, depending on the disk size, this can take a long time with no progress indicator. Wait until the prompt returns, or check whether the file created by binwalk is already bigger than 2 megabytes. Since the extraction is quite fast, you will probably end up with a big file; that is not a problem.

binwalk creates a directory named _disk.raw.extracted; inside it you will find the extracted file, with a name like F500000.lukspartiton.raw (the hex prefix is the offset at which the LUKS magic was found).

After this process, according to the documentation, hashcat needs about 2 megabytes to get everything it requires to crack the password: 4097 blocks of 512 bytes, or in other words at least 2097664 bytes from the beginning of the RAW partition. (Reference: https://hashcat.net/forum/thread-6225.html)

You can produce this piece of the file with the famous Linux command dd, but you can also use tools like FTK or any other tool able to manipulate disk images and extract the LUKS partition. Just make sure the generated file has the right header and size at the end of the process.

dd if=F500000.lukspartiton.raw of=encriptedheader.crack bs=512 count=4097


To check whether your piece of the image is ready to be cracked, use the Linux command "file" or look for the string LUKS in a hex editor.


root@Anubis:/cript# file encriptedheader.crack
encriptedheader.crack: LUKS encrypted file, ver 2 [, , sha256] UUID: XXXXXXXX-3d7f-4760-aec6-XXXXXXXXXXXX

You can also check with the "strings" command. The expected output should look like the following (the JSON block appears twice because LUKS2 keeps a primary and a secondary copy of the metadata inside the header):

root@Anubis:/cript# strings encriptedheader.crack | grep -i luks
LUKS
{"keyslots":{"0":{"type":"luks2","key_size":64,"af":{"type":"luks1","stripes":4000,"hash":"sha256"},"area":{"type":"raw","offset":"32768","size":"258048","encryption":"aes-xts-plain64","key_size":64},"kdf":{"type":"argon2i","time":4,"memory":713834,"cpus":2,"salt":"<REDACTED>"}}},"tokens":{},"segments":{"0":{"type":"crypt","offset":"16777216","size":"dynamic","iv_tweak":"0","encryption":"aes-xts-plain64","sector_size":512}},"digests":{"0":{"type":"pbkdf2","keyslots":["0"],"segments":["0"],"hash":"sha256","iterations":65997,"salt":"<REDACTED>","digest":"<REDACTED>"}},"config":{"json_size":"12288","keyslots_size":"16744448"}}
{"keyslots":{"0":{"type":"luks2","key_size":64,"af":{"type":"luks1","stripes":4000,"hash":"sha256"},"area":{"type":"raw","offset":"32768","size":"258048","encryption":"aes-xts-plain64","key_size":64},"kdf":{"type":"argon2i","time":4,"memory":713834,"cpus":2,"salt":"<REDACTED>"}}},"tokens":{},"segments":{"0":{"type":"crypt","offset":"16777216","size":"dynamic","iv_tweak":"0","encryption":"aes-xts-plain64","sector_size":512}},"digests":{"0":{"type":"pbkdf2","keyslots":["0"],"segments":["0"],"hash":"sha256","iterations":65997,"salt":"<REDACTED>","digest":"<REDACTED>"}},"config":{"json_size":"12288","keyslots_size":"16744448"}}

At this point, if you have read the documentation, you can tell whether hashcat supports this disk encryption by checking the 'encryption', 'type' and 'hash' values in the strings output.
Double-check the file size before starting the brute force:

root@Anubis:cript# ls -al

total 4604 
drwxrwx--- 1 root vboxsf 0 Mar 10 2020 . 
drwxr-xr-x 3 root root 4096 Feb 23 22:00 .. 
-rwxrwx--- 1 root vboxsf 2097664 Mar 10 2020 encriptedheader.crack 

Now you are sure and ready to start the cracking. 
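The steps above (find the LUKS magic, carve 4097 x 512 bytes, read the version, cipher, hash and KDF, check the size) can be done in one place so the carved file is validated before hashcat is started. The script below is an added example written for this post, not the author's tooling and not part of hashcat or binwalk; it works on any raw image you already have on disk, and builds two constructed sample images (a minimal LUKS1 header and a LUKS2 header whose JSON mirrors the strings output above) so it runs offline. Field offsets follow the cryptsetup LUKS1 and LUKS2 on-disk format specifications. The mode_14600_ok flag assumes that hashcat's mode 14600 parses LUKS v1 (PBKDF2) headers only; confirm that against the mode list of your own hashcat release.

```python
"""Locate, carve and sanity-check a LUKS header inside a raw disk image.
Pure-Python equivalent of the binwalk / dd / file / strings steps above."""
import json
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
SECTOR = 512
HASHCAT_MIN_BYTES = 4097 * SECTOR       # 2097664 bytes: dd bs=512 count=4097
LUKS1_SLOT_ACTIVE = 0x00AC71F3          # LUKS1 keyslot state markers
LUKS1_SLOT_DISABLED = 0x0000DEAD


def _cstr(buf: bytes) -> str:
    """Decode a NUL-padded fixed-width string field."""
    return buf.split(b"\x00", 1)[0].decode("ascii", "replace")


def find_luks_offsets(image: bytes, align: int = SECTOR) -> list:
    """Sector-aligned offsets of the LUKS magic (what binwalk's luks_magic hit reports)."""
    return [off for off in range(0, len(image) - len(LUKS_MAGIC) + 1, align)
            if image[off:off + len(LUKS_MAGIC)] == LUKS_MAGIC]


def carve_header(image: bytes, offset: int, length: int = HASHCAT_MIN_BYTES) -> bytes:
    """The bytes dd copies with bs=512 count=4097 from the start of the partition."""
    return image[offset:offset + length]


def parse_luks_header(hdr: bytes) -> dict:
    """Fields a cracker cares about, from a LUKS1 (binary) or LUKS2 (binary+JSON) header."""
    if hdr[:6] != LUKS_MAGIC:
        raise ValueError("no LUKS magic at offset 0: carve the partition, not the whole disk")
    version = struct.unpack(">H", hdr[6:8])[0]
    if version == 1:
        key_bytes = struct.unpack(">I", hdr[108:112])[0]
        iterations = struct.unpack(">I", hdr[164:168])[0]
        active = [i for i in range(8)
                  if struct.unpack(">I", hdr[208 + 48 * i:212 + 48 * i])[0] == LUKS1_SLOT_ACTIVE]
        return {"version": 1, "encryption": f"{_cstr(hdr[8:40])}-{_cstr(hdr[40:72])}",
                "hash": _cstr(hdr[72:104]), "kdf": "pbkdf2", "key_size": key_bytes,
                "mk_iterations": iterations, "uuid": _cstr(hdr[168:208]),
                "active_keyslots": active}
    if version == 2:
        hdr_size = struct.unpack(">Q", hdr[8:16])[0]
        if len(hdr) < hdr_size:
            raise ValueError(f"LUKS2 header is {hdr_size} bytes but only {len(hdr)} were carved")
        meta = json.loads(_cstr(hdr[4096:hdr_size]))   # JSON area follows the 4096-byte binary header
        slot = meta["keyslots"]["0"]
        return {"version": 2, "encryption": meta["segments"]["0"]["encryption"],
                "hash": meta["digests"]["0"]["hash"], "kdf": slot["kdf"]["type"],
                "key_size": slot["key_size"], "uuid": _cstr(hdr[168:208]),
                "active_keyslots": sorted(int(k) for k in meta["keyslots"])}
    raise ValueError(f"unsupported LUKS version {version}")


def check_for_hashcat(carved: bytes) -> dict:
    """Pre-flight checks: size, magic, version and KDF. Assumes (see lead-in) that
    hashcat -m 14600 handles LUKS v1 / PBKDF2 headers only."""
    info = parse_luks_header(carved)
    info["size_ok"] = len(carved) >= HASHCAT_MIN_BYTES
    info["mode_14600_ok"] = info["version"] == 1 and info["kdf"] == "pbkdf2"
    return info


# --- constructed sample images (not real disks) ---------------------------------
def make_luks1_image(prefix_sectors: int = 4) -> bytes:
    """Empty sectors followed by a minimal LUKS1 header with keyslot 0 active."""
    hdr = bytearray(HASHCAT_MIN_BYTES)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 1)
    for off, field in ((8, b"aes"), (40, b"xts-plain64"), (72, b"sha256"),
                       (168, b"00000000-3d7f-4760-aec6-000000000000")):
        hdr[off:off + len(field)] = field
    struct.pack_into(">II", hdr, 104, 4096, 64)         # payload offset, key bytes
    struct.pack_into(">I", hdr, 164, 65997)              # master-key digest iterations
    for slot in range(8):
        state = LUKS1_SLOT_ACTIVE if slot == 0 else LUKS1_SLOT_DISABLED
        struct.pack_into(">I", hdr, 208 + 48 * slot, state)
    return bytes(prefix_sectors * SECTOR) + bytes(hdr)


def make_luks2_image(prefix_sectors: int = 4) -> bytes:
    """Empty sectors followed by a LUKS2 header whose JSON mirrors the strings output above."""
    meta = {"keyslots": {"0": {"type": "luks2", "key_size": 64,
                               "kdf": {"type": "argon2i", "time": 4, "memory": 713834,
                                       "cpus": 2, "salt": "<REDACTED>"}}},
            "segments": {"0": {"type": "crypt", "encryption": "aes-xts-plain64"}},
            "digests": {"0": {"type": "pbkdf2", "hash": "sha256", "iterations": 65997}},
            "config": {"json_size": "12288", "keyslots_size": "16744448"}}
    hdr = bytearray(HASHCAT_MIN_BYTES)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">HQ", hdr, 6, 2, 16384)            # version 2, hdr_size = 4096 + 12288
    hdr[168:204] = b"00000000-3d7f-4760-aec6-000000000000"
    body = json.dumps(meta).encode()
    hdr[4096:4096 + len(body)] = body
    return bytes(prefix_sectors * SECTOR) + bytes(hdr)


if __name__ == "__main__":
    for image in (make_luks1_image(), make_luks2_image()):
        off = find_luks_offsets(image)[0]
        print(off, check_for_hashcat(carve_header(image, off)))
```

On a real case, read the raw image with open(path, "rb").read() (or mmap it for large disks), pass it to find_luks_offsets, and write carve_header(...) to the file you hand to hashcat. The LUKS2 branch reads the KDF out of keyslot 0, which is exactly the "check 'encryption', 'type' and 'hash'" step: an argon2 keyslot is the first thing to look at when hashcat refuses the file.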

I used this hashcat syntax, but of course you can adjust it to your needs.


hashcat -m 14600 -O -a 0 -w 3 encriptedheader.crack example.dict -o crackedpass.txt


If everything is fine, you will see output like this:

hashcat (v5.1.0) starting...

* Device #1: WARNING! Kernel exec timeout is not disabled.
             This may cause "CL_OUT_OF_RESOURCES" or related errors.
             To disable the timeout, see: https://hashcat.net/q/timeoutpatch
* Device #2: Intel's OpenCL runtime (GPU only) is currently broken.
             We are waiting for updated OpenCL drivers from Intel.
             You can use --force to override, but do not report related errors.
nvmlDeviceGetFanSpeed(): Not Supported

OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: GeForce MX130, 512/2048 MB allocatable, 3MCU

OpenCL Platform #2: Intel(R) Corporation
========================================
* Device #2: Intel(R) UHD Graphics 620, skipped.
* Device #3: Intel(R) Core(TM) i7-8565U CPU @ 1.80GHz, skipped.

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
* Slow-Hash-SIMD-LOOP

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Watchdog: Temperature abort trigger set to 90c

Dictionary cache hit:
* Filename..: example.dict
* Passwords.: 128416
* Bytes.....: 1069601
* Keyspace..: 128416

Cracking performance lower than expected?

* Update your OpenCL runtime / driver the right way:
  https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
  https://hashcat.net/faq/morework


[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>

Session..........: hashcat
Status...........: Running
Hash.Type........: LUKS
Hash.Target......: encriptedheader.crack
Time.Started.....: Tue Mar 10 12:31:13 2020 (23 secs)
Time.Estimated...: Tue Mar 10 12:51:19 2020 (19 mins, 43 secs)
Guess.Base.......: File (example.dict)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      107 H/s (4.22ms) @ Accel:2 Loops:256 Thr:64 Vec:1
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 2304/128416 (1.79%)
Rejected.........: 0/2304 (0.00%)
Restore.Point....: 2304/128416 (1.79%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:45312-45568
Candidates.#1....: 0611soep -> 078112025
Hardware.Mon.#1..: Temp: 70c Util: 98% Core:1032MHz Mem:2505MHz Bus:4

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>


Otherwise, if you receive the error:

Hashfile 'encriptedheader.crack': Invalid LUKS version
No hashes loaded.

it means either that the file was not created properly (double-check the file size and the header), or that your hashcat release does not support the LUKS version or KDF used on the disk (mode 14600 is hashcat's LUKS v1 mode; check the mode list in hashcat --help for your version before assuming the file is broken).

Have a nice cracking!


UPDATE:
You can limit binwalk's output using `--size $((2**22))` and make it halt on the first match with `--count 1`. I also recommend using `qemu-img dd` to limit how much of the input image you process.

Tip from: https://twitter.com/PEdrArthur