2012
07.16

SSL & stunnel

When you connect to port 995 (a mail server that only accepts SSL) with a raw TCP connection, nothing happens, because the server is expecting an SSL handshake, not plaintext commands. You can type whatever you want after the connection is made and nothing will come back. What we need to do is encapsulate our "traffic" in SSL, and this can be done with stunnel. Visit the author's site and have a look around.
If it's not installed on your Linux distribution, I recommend doing so. There's also a Windows version, which I suggest getting as well if you want to test a netcat session between 2 machines through an stunnel.

Let's see how we can create a simple chat session between 2 machines with netcat and stunnel. We need two pieces: a listening machine that accepts SSL connections on a specified port, and a client machine that accepts plaintext traffic on a local port, wraps it in SSL and sends it to that listening socket. Let's start with the client.
First open up stunnel's config file (I'm using my Linux machine as the client) and add/modify the following:
…/stunnel.conf

client = yes

...
[netcat client]
accept = 5555
connect = -Listening IP-:4444
...

Any traffic entering local port 5555 will be encapsulated and sent to port 4444 on the listening IP as SSL traffic.
Now let's set up the stunnel service on our listening machine, in this case the Windows system.
../stunnel.conf

client = no
...
[netcat server]
accept = 4444
connect = 7777

...

So now that we have stunnel set up on both machines, let's start the connection using netcat.
From our listening system, or server:

C:\>nc -vlp 7777

And now, let’s connect from our Linux system:

Linux~# nc -nv 127.0.0.1 5555


If everything went according to plan, the Linux box connects to local port 5555, the traffic is encapsulated and sent to the listening system's IP address, which is expecting an SSL connection. One should now be able to "chat" between the two systems. One can also receive a reverse-shell this way, or connect to a pop3 mail server which only accepts SSL connections on the default port 995.
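As an added example (mine, not code from the original post or from stunnel), here is a small Python lint for stunnel.conf files laid out as above: global options first, then one [service] section per tunnel. It checks that every service has accept and connect, and flags a client = yes service that does not set verify = 2 together with a CAfile, because without those stunnel completes the handshake with whatever certificate the far side presents. The sample configs, the /etc/stunnel/ca.pem and stunnel.pem paths, and the 192.0.2.10 address are constructed.

```python
# Constructed samples (not from the post); 192.0.2.10 is a placeholder address.
POST_CLIENT_CONF = """client = yes
[netcat client]
accept = 5555
connect = 192.0.2.10:4444
"""
HARDENED_CLIENT_CONF = """client = yes
verify = 2                    ; check the server's certificate chain
CAfile = /etc/stunnel/ca.pem  ; assumed path to the trusted CA
[netcat client]
accept = 5555
connect = 192.0.2.10:4444
"""
POST_SERVER_CONF = """client = no
cert = stunnel.pem            ; server certificate (assumed path)
[netcat server]
accept = 4444
connect = 7777
"""

def parse_stunnel_conf(text):
    """Return (global_options, {service: options}); keys are lower-cased."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            services[current] = {}
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            (global_opts if current is None else services[current])[key.lower()] = value
    return global_opts, services

def lint_services(global_opts, services):
    """Return findings as strings; an empty list means nothing to flag."""
    findings = []
    for name, opts in services.items():
        eff = {**global_opts, **opts}  # service options override globals
        for required in ("accept", "connect"):
            if required not in eff:
                findings.append(f"[{name}] missing '{required}'")
        if eff.get("client", "no").lower() == "yes":
            # No verify >= 2 plus CAfile: stunnel accepts any certificate the server presents.
            if int(eff.get("verify", "0")) < 2 or "cafile" not in eff:
                findings.append(f"[{name}] client mode without certificate verification")
        elif "cert" not in eff:
            findings.append(f"[{name}] server mode without 'cert'")
    return findings
```

Running lint_services over the post's client config yields the verification finding; the hardened client and the server config yield none.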

_________________

Update 16-12-2011:
This was written some time ago, and things may have changed. Although everything is still relevant, you may need to change or adjust your stunnel settings on your Linux and Windows machines.

Update 16-07-2012:
Due to a change in ownership, the new hosting company uses content filtering for "security reasons". This means many of my previous posts can no longer be displayed, so I'm re-posting them while avoiding the "bad" words.

2012
02.08

Again a long delay between VMs, but that cannot be helped. Work and family must come first; blogs and hobbies are pushed down the list. These things aren't as easy to make as one may think. Time and some planning must be put into these challenges, to make sure that:
1) It’s possible to get root remotely [ Edit: sorry not what I meant ]
1a) It’s possible to remotely compromise the machine
2) It stays within the target audience of this site
3) It must be "realistic" (well, kinda…)
4) It should serve as a refresher for me, be it PHP or MySQL usage etc., stuff I haven't done in a while.
I also had lots of troubles exporting this one. So please take the time to read my comments at the end of this post.

2011
12.24

Merry Christmas and Happy New Year

Another Christmas is soon about us, another year is almost near.
Would like to thank everyone we hold dear.
You have all made Kioptrix what we are,
Everyone near and far.

We had planned to stay small but fair,
Without tearing out much of our hair.
We have succeeded in continuing on for another year,
Thank you very much, it gives us tears.

For everyone who has supported us in the past,
Let’s hope the relationship lasts.
We have met many new faces because of this.
And to them we wish holiday bliss.

----

Thank you for keeping Kioptrix alive and well during 2011. Personally I never expected our blog to be so popular. As I've said many times before, "difficulty is relative to everyone", and so is success. I consider this past year, as well as this whole project of ours, a success.

Merry Christmas & Happy New Year.
Be good & stay safe guys.

Thank you,
Steven
aka loneferret

2011
12.10

After seeing a Tweet about dumping password hashes from a live Windows 2008 Domain Controller, I was intrigued. Reading a post from Tim Tomes (LaNMaSteR53), I figured I'd give it a shot and, if successful, show my findings (with pictures). It's an ingenious method of getting the hash values. This attack falls into the "post-exploitation" category, even more so seeing as administrative or system privileges are needed.

Firstly, we'll need a few things to get this going. VSSOwn is a great script created by Tomes and Mark Baggett. In a nutshell, it will help us create a volume shadow copy of the Windows domain controller's drive, from which the NTDS and SYSTEM files will be extracted. Yes, you read right, we'll be getting what we need from VSS. On Windows 2008 & 7 this feature is always on by default, periodically taking backups of the system drive, which include the NTDS, SYSTEM and SAM files. VSSOwn has other interesting features; I strongly recommend checking out Tomes' and Baggett's talk from Hack3ercon 2.

The second item on our list is another tool to retrieve the hashes once we've recovered our system files. Csaba Barta, a Hungarian researcher, has developed an open source tool to parse NTDS.dit files. Right now his tool only seems to work on NTDS files from 32bit domain controllers, which is why our target is a Win2008 R1. Let's hope he gets the 64bit version working soon. The tool runs on Linux and installs great on BackTrack 5. With our groceries finished, we can now move along and recover our password hashes.

2011
11.07

Another Hackfest has come and gone…

Well, Hackfest third edition, Quebec's largest and best Information Security Conference, has come to pass. Like previous years, this one was amazing. The talks were full of life and content that kept you glued to your seat. The CTF games at the end of each day were simply works of networking art (trying to get the network diagram atm). Unfortunately, due to a degenerative disease called "aging" I couldn't participate in the events. Perhaps next year… who knows.

A major part of this conference was the people attending. Most, if not all, are hackers at heart willing to talk and share ideas and opinions. One could basically strike up a conversation with practically anyone. Same goes for the speakers. The beauty of these types of Cons is that you can actually hear yourself (and others) speak. No need to text message the guy in front of you just to say "Hi…".

For a second year in a row, Hackfest has exceeded all expectations, breaking every record they could think of. Attendance was up (300++), pre-registration was up, t-shirt sales were up and CTF participation was up. It showed too… You should've seen the organizers; zombies really do exist.

I have to thank all the sponsors, such as Slow Cow, Offensive Security and Laval University, for helping these guys put on a great event. I'm leaving some important ones out I'm sure, but I'm just going by memory from what I saw/heard over there…

With this all said and done, I unfortunately don't have any pictures of the event and its memorable moments. Please take the time to visit the site and have a look around. This convention is worthy of your attention. And if you live near the Quebec border, say Ottawa, Vermont or Boston (yes, it's not that far), consider doing the trip next year. Quebec City really is a beautiful place to visit…