Thursday 17 September 2015

Security Cons & Twitter - Oh the value! New to infosec?

Hi all,

This blog post is about security cons and Twitter, and the new realisation of their value that I am finding.

Depending on how you use them, there is enormous value in attending conferences and having a "vocal" twitter account.

  1. You will meet heroes.

     1. Great for self belief
     2. Gain new mentors

  2. You will meet others above, below and similar in skill level.

     1. Great for motivation, inspiration, finding new passions
     2. Make new friends

  3. You will gain new ideas and motivation.

     1. Great for keeping the daily grind going

  4. You will find belief in yourself.

     1. Self belief is the most important thing in anything you do.
     2. You will see your life beyond that of the work cubicle and your day to day activities.

The caveat:
Learning is very lonely. People can help, guide and lead you to the water, as they say; however, you must LEARN and UNDERSTAND it yourself. To start learning is hard, to create a habit is hard, but it must be done. People and conferences help you keep pushing and feel part of a community, but nothing changes the fact that you must grind those hours (how many is individual) in order to build those technical skills.

TL;DR: Go to Conferences, contribute on twitter == profit.



My reasons are based on my personal experiences below:

RUXCON:

Back in 2013 I was fortunate enough to be funded by my employer to attend Ruxcon, a security conference in Australia. I was super excited and it lived up to all my hopes. Not only were there technical talks where I could learn things, I was around people who enjoyed the very same thing I did, security/hacking! This is important because at the time security was looked down on, due to the lack of opportunities for it to bring money in; "go do internal audit" was the response.

I was lucky enough to hang out with @thecolonial, @egypt, @troyhunt and many others that one in infosec would typically look up to. The realization that these people are just like you and I, that they love to chat and love to share knowledge, is mind blowing. Mind blowing because there is an invaluable amount of knowledge that can come from them, just from a simple chat over a beer.

In addition to knowledge sharing, people at cons inspire you. Everyday people have such different and great ideas that it is very hard for inspiration not to rub off on you. You could be like me, stuck in a job where infosec is not a popular topic, so losing motivation can happen easily.

DerbyCon:
I was lucky enough to gain a ticket to DerbyCon (next week). I have already connected with people I am looking forward to meeting, and I have gained advice on introducing myself to people. I have booked to attend the DerbyCon family dinner. I am super excited! Enthusiasm is at an all-time high. These times are needed to help get you through the tough lonely nights of study.


Twitter:
I did not know many people in infosec within my community, so reaching out to those on Twitter and receiving near real-time responses is very important. Twitter helps me to feel that I am part of a caring, limit-breaking community.

I listen to 3 amazing podcasts, and the hosts reply on Twitter! You ask questions, debate what they said and get a feel for how and where you are in relation to infosec.

Anyone new to infosec I always tell them to listen to:

  1. Defensive Security Podcast
  2. Down the Security Rabbit Hole Podcast
  3. Brakeing Down Security Podcast

Some people on Twitter have certs I hope to achieve one day; interacting with them weakens the belief that those certs are only for rockstars.

A fellow OSCP:
I moved countries, and had a lot of things happen. I had people tell me my learning curve is longer than most people's and that their instincts tell them I am not and never will be technical. That is a punch in the guts, especially when your own self belief is already that you have a learning disability.

An OSCP joined the team, we caught up (over beers of course) and it helped change my self beliefs. Chatting about their story, sharing mine, and understanding that everyone starts at a different stage, with a different baseline, was beneficial. It was not fixed overnight, however enough changed in me to decide once again to keep going.

Sunday 19 April 2015

Quickly evading AV – simple and basic

Hi all,

So I have been reading “The Hacker Playbook” (found here) and was on the topic of evading AV. I was also looking at my OSCP course guide, as I am starting the labs again soon, and was on the AV section, so I thought why not test it out instead of just knowing the theory!

The Hacker Playbook goes through using PowerSploit and executing a command which can download scripts from there and run them in memory; one example is using a keylogger and having it execute in memory. Pretty sweet.

PyInstaller and all sorts of techniques were explained, and most of you would be aware of the Veil-Framework. So I thought I would try and inject a payload into an executable via msfvenom and see if AV would pick it up; if so, I would try and see if I could evade AV.

Testing AV evasion

My setup is simple: a Kali box and a Windows VM with a free AV installed, nothing enterprise size.

So I decided to follow this tutorial from Insecurety (note the 2012 date). It is old, but with security being behind in certain areas and what not, it was worth giving it a shot.

The idea of injecting into a payload is explained in the post quite clearly as “By backdooring a legitimate executable, we can effectively hide our “evil” code amongst a pile of “good” code, and backdoor it in an undetectable manner. This means antivirus software will have a hard time finding our backdoor – or at least that is what we hope.”

The key point is hiding the malicious code amongst good code. The problem is that if the malicious code sits in one contiguous block and is not interleaved with the program's own execution, it can easily be detected. It would be like trying to hide a ‘B’ in front of or behind a line of ‘A’s, the three B’s being the malicious code that launches a reverse shell, for example.

  • Example: AAAAAAAAAA
  • Example of not interrupting the execution: BBBAAAAAA
  • Example 2: AAABAAAAAAABAAAAABAA

 

The example of not interrupting the execution shows the B's standing out like a sore thumb, so an AV could simply scan a normal executable and, if the malicious code is all together as one block, flag it as malicious.

Whereas in example 2 the malicious code is broken up, making it harder for the AV to detect the malicious code as being a reverse shell. This is a most basic example and it is how I visualize the process of simply injecting malicious code into a normal executable, say putty.exe.

So following the Insecurety tutorial I created a reverse HTTPS meterpreter shell using putty.exe. I then copied it onto a shared folder to move it onto my Windows testing machine. I dropped the exe onto the Windows machine and thought "oh, it worked", but after a few seconds it scanned the exe and found it to be malicious (my low RAM may be the cause of the delay). I did not have to execute it; it was picked up before that.

 

Avast picked it up as a trojan. I did a quick google for win32 swrort and found from Lavasoft that it detects as: “Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).” Aka a backdoor.

Example of AV warning:


So I wanted to delve deeper and see if I could bypass basic AV. Since you need those l33t skillz. “The Hacker Playbook” in the setup phase has you install the Veil-Framework and also discusses it in the evading AV section. So without reading more I jumped on to install Veil and wanted to follow the steps in Veil for creating a payload to evade AV.

I am a BIG fan of Python and had heard much about py2exe and PyInstaller, so I wanted to create a Python executable that launched a meterpreter reverse HTTPS payload (staged version). This is the same payload used in the Insecurety blog post, so I could attempt the bypass with the same reverse shell.

So I followed the steps through Veil, which is very simple.

I created a Python meterpreter reverse shell over HTTPS, encrypting communications, and used pyherion (which encrypts the payload; I may do some more reading and post on how it works).

 

You can see the options and output in the screenshot from the original post (Veil options and output).

 

So I did the same again with a new executable, nothing to do with putty.exe this time, but I wanted to use the same payload which my AV has the signature for and will detect. I dropped it on to my Windows machine and nothing happened, *yes, it's on the machine*.

 

I set up an msf multi/handler listener to catch it. I had to choose the payload to be windows/meterpreter/reverse_https (the staged version). I believe if you do not set a payload it by default expects the non-staged version of the Windows meterpreter reverse HTTPS payload.

Setting the payload:

msf exploit(handler) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf exploit(handler) > exploit

I double clicked the executable to launch it, the free Avast popped up with a ‘DEEP INSPECTION’ and I thought "crap, it's picked it up", but no! It allowed it to execute.

 

Catching the reverse shell from my Python executable with my meterpreter shell (screenshot in the original post).

So that was a fun adventure, and it did not take too long to complete. Feel free to add any comments on what you have done or more in-depth explanation on the how and why of the evasion.

Saturday 4 April 2015

Priv_checker Recon script && Free material

Hi All,

It has been a while since posting. I have gone through a lot in a YEAR, but I think that will be for another posting. I am more excited about some scripts I have been working on.

I am planning to take the OSCP challenge in June, so I thought I would automate some things. So far I have automated privilege checking on Windows and Unix boxes, and automated recon.

 

Python Privilege Checker

The first I would like to present is my Python privilege checking script. I got the idea from a blog with an OSCP review, which can be found at Securitysift (also @securitysift).

He writes it in Python as well, and as I am a great fan of Python I decided to write it in the same language.

My focus is that the output is to be reviewed by me, so I did not need to create an HTML template. As the script is for use while on a box, I wanted to use native Windows/Linux commands and write my output to text files.

The most basic flow of my script is:

  • Check if Linux or Windows OS
    • If Linux: run all Linux system commands
    • If Windows: run all Windows command

 

The code is on Pastebin for the month. I am figuring out an easier way to highlight my python code.

I have also created the start of a batch file in case the Windows box a) does not have Python installed or b) does not allow me to run executables (PyInstaller). A shell script is almost in the making in case I find myself on a Unix box unable to run Python scripts.

http://pastebin.com/zfDihegh


Recon script

I also gained the idea from the same blog from @securitysift.

My recon script at the moment does a simple nmap scan on all ports, parses the output from an XML file and runs other nmap scans based on the ports it finds. I wanted to use the grepable format so as not to copy @securitysift, but found that it is difficult to parse grepable output and XML was much easier. So why re-invent the wheel.

The code again can be found here:

http://pastebin.com/8pGG4fG6
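The parse-then-follow-up flow described above, as an added example that is not the script on Pastebin: it reads nmap's -oX output with the standard library, keeps only ports reported open, and builds the follow-up nmap command lines per service. The sample XML and the 192.0.2.10 host are constructed for the demonstration; the service-to-script mapping is an assumed starting point.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output for a hypothetical host (not a real scan).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p- -oX full.xml 192.0.2.10">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="139"><state state="filtered"/><service name="netbios-ssn"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
</ports></host></nmaprun>
"""

# Assumed follow-up nmap arguments keyed by the service name nmap reports.
FOLLOW_UP = {
    "ssh": ["-sV", "--script", "ssh2-enum-algos"],
    "http": ["-sV", "--script", "http-title,http-headers"],
    "microsoft-ds": ["-sV", "--script", "smb-os-discovery"],
}


def open_ports(xml_text):
    """Return {host: [(port, protocol, service)]} for ports nmap reported open."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.findall("host"):
        addr = host.find("address").get("addr")
        found = []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # skip closed/filtered ports
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            found.append((int(port.get("portid")), port.get("protocol"), name))
        if found:
            result[addr] = found
    return result


def follow_up_scans(ports_by_host):
    """Build one nmap argv per open port that has a follow-up defined."""
    cmds = []
    for addr, ports in ports_by_host.items():
        for port, _proto, name in ports:
            extra = FOLLOW_UP.get(name)
            if extra:
                cmds.append(["nmap", "-p", str(port)] + extra + [addr])
    return cmds
```

The returned argv lists can be handed to subprocess.run one at a time, with each result written to its own text file as the script above does.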

 

My code is in draft, aka work in progress. It does not run other scripts against every port, nor does it run every tool for the main ports. I thought I would work on it more when I am in the labs and can see what more I need, or whether any problems arise.

@securitysift had the great idea of having separate Python scripts that the main script executes, so that they can be used individually if needed; for example dns_recon.py is a script focused on DNS. Mine at the current time does not do that. As the focus is OSCP I feel that it's not necessary, but for real work who knows, and for team exercises @securitysift's module-based scripts would be great.


Mentioning of Free material

#Infosec is great for sharing resources, and most people you would consider l33t are really open to questions as long as you have done some research or considered options. Obviously there are exceptions to every rule and not all people are so open, but in general I feel it is a great community.

A shout out I want to do is for Cybrary.IT. You may have seen their funding campaign or presence on Twitter (@cybraryIT). Go to their courses list at http://www.cybrary.it/courses/ and you will see a gigantic list of FREE material. You will notice that they have network administration and systems administration courses and a BIG focus on security, which I really like.

So for aspiring pentesters (yes, I am still one) they have a great source of foundational material as well as post exploitation (once you get on a box). Many skilled pen testers / red teamers already have admin experience, so do not discount the other ‘not so infosecy courses’.

 

The one course I like is the Penetration Testing course; you could follow this and learn a LOT of stuff. It covers basics like footprinting, yes, but the way it is whiteboarded in the video really helps you grasp the concepts. A quick look at the additional study material shows it includes other free and paid materials (as shown below). Their recommendations are valid; I am currently working through The Hacker Playbook and it's great.

 

Just a little shout out to them: if you are wanting to upskill or learn a little more, hit Cybrary.IT up. It's free, it's good quality, just be consistent, keep at it and push through. I have so many materials that I jump to and from; I am finally learning to stick to one! This is a great path.

Testing the hooking in BeEF (screenshot in the original post).

COPY PASTE FROM THEIR WEBSITE BELOW:

Recommended Additional Study Material