Evil SSDP: Spoofing the SSDP and UPnP Devices

TL;DR

Spoofs SSDP replies and creates fake UPnP devices to phish for credentials and NetNTLM challenge/response.

Table of Contents

  • Introduction
    • What is SSDP?
    • What are UPnP devices?
  • Installation
  • Spoofing Scanner SSDP
    • Template Configuration
    • Manipulating User
    • Grabbing the Credentials
  • Spoofing Office365 SSDP
    • Template Configuration
    • Manipulating User
    • Grabbing the Credentials
  • Spoofing Password Vault SSDP
    • Template Configuration
    • Manipulating User
    • Grabbing the Credentials
  • Spoofing Microsoft Azure SSDP
    • Template Configuration
    • Manipulating User
  • Mitigation

Introduction

What is SSDP?

SSDP, the Simple Service Discovery Protocol, is a network protocol designed for the advertisement and discovery of network services. It works without any DHCP or DNS configuration and was designed for residential or small-office environments. It uses UDP as the underlying transport, on port 1900, and uses the HTTP method NOTIFY to announce the establishment or withdrawal of services to a multicast group. It is the basis of the discovery mechanism in UPnP.

What are UPnP devices?

UPnP or Universal Plug and Play is a set of networking protocols that allows networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points, and mobile devices to discover each other’s availability on the network and establish network services for communications, data sharing, and entertainment. The UPnP architecture supports zero-configuration networking. A UPnP compatible device from any vendor can dynamically join a network, obtain an IP address, announce its name, advertise or convey its capabilities upon request, and learn about the presence and capabilities of other devices.

Now that we understand the basics of SSDP and UPnP, let’s use them to manipulate the target user into giving up their credentials.

Installation

The Evil SSDP tool was developed by initstring and is hosted on GitHub. We use the git clone command to clone the repository onto our attacker machine; git clone creates a directory with the same name as the repository. Since the tool is written in Python 3, we run it with python3 followed by the name of the .py file. Here we can see the basic help screen of the tool.

In the cloned directory, we find a directory named templates. It contains all the pre-built templates that can be used to phish the target user.

Spoofing Scanner SSDP

Now that the tool runs without any issues, let’s use it to gain some sweet credentials. In this first practical, we will be spoofing a scanner as a trusted UPnP device. To begin, we have to configure the template.

Template Configuration

To use the tool, we have to provide the network interface. Here, on our attacker machine, “eth0” is our interface; you can find yours using the “ifconfig” command.

After providing the interface, we use the “--template” parameter to pass one of the templates we found earlier in the templates directory. To spoof a scanner, we run the following command. As we can see, the tool has done its job and hosted multiple template files on our attacker machine on port 8888. The SMB pointer is hosted as well.

Manipulating User

The next logical step is to get the user to click on the application. Because we are on the same network as the target, our fake scanner shows up in its Explorer; this is UPnP at work. The Evil SSDP tool creates this genuine-looking scanner on the target system without any forced interaction with the target.

Upon clicking the icon inside Explorer, the user is redirected to their default web browser, which opens our hosted link. The templates that we used come into play here. The user cannot tell whether they are connected to a genuine scanner or to the fake UPnP device that we generated. The target, having no clue, enters valid credentials into this template, as shown in the image below.

Grabbing the Credentials

As soon as the target user enters the credentials, we check the terminal on our attacker machine and find the credentials entered by the user. As no interaction with each individual target device is required, our fake scanner is visible to every user on the network, so this kind of attack scales to every host on the segment.

Spoofing Office365 SSDP

In the previous practical, we spoofed a scanner to the target user. Now, going through the templates directory, we find the Office365 template. Let’s use it.

Template Configuration

As we did previously, let’s begin with the configuration of the template and the tool. We run the tool with python3 followed by the name of the Python file, then provide the network interface, followed by the template parameter with office365.

As we can see, the tool has done its job and hosted the template files on our attacker machine on port 8888.

Manipulating User

As soon as we run the tool, a UPnP device named Office365 Backups appears. The tool did this without sending any file, payload or other interaction to the target user. All that’s left is for the user to click on the icon.

When the user clicks it, they are redirected to our fake template page in their default browser. It is a very genuine-looking Microsoft webpage, and the clueless user enters their valid credentials into it.

Grabbing the Credentials

As soon as the user enters the credentials, they are sent in a POST request to the server, which is our attacker machine, and we see the credentials in our terminal.

Diverting User to a Password Vault SSDP

So far we have spoofed a scanner and an Office365 backup device to the target user and captured credentials for both. Now we go for the most tempting thing to present as a UPnP device: the Password Vault.

Template Configuration

As in our previous practicals, we have to set up the template, this time password-vault. In no time, the tool hosts the password-vault template on port 8888.

Manipulating User

Moving to the target machine, we see that the Password Vault UPnP device is visible in Explorer. Now it only remains for the user to click on the device and fall into our trap. Seeing something called Password Vault, the user will be tempted to click the icon.

The clueless user thinks they have found something highly valuable, but the keys and passwords are fake. This works as a distraction: the user will try this exhaustive list of credentials without success.

Spoofing Microsoft Azure SSDP

While working with spoofing, one of the most important tasks is to not let the target user know that they have been a victim. This can be achieved by redirecting the user after we grab the credentials, cookies or whatever else the attacker wanted to acquire. The evil_ssdp tool has a parameter (-u) which redirects the targeted user to any URL of the attacker’s choice. Let’s take a look at this parameter in action.

To start, we load the tool with python3, followed by the network interface that should be used. For this practical, we use the Microsoft Azure Storage template. After selecting the template, we add the -u parameter followed by the URL to which we want to redirect the user. Here we use the official Microsoft link, but this could be any malicious site.

Manipulating User

Now that we have started the tool, it creates a UPnP device on the target machine, as shown in the image below. For the attack to succeed, the target needs to click on the device.

After clicking the icon, we see that the user is redirected to the Microsoft Official Page. This can be whatever the attacker wants it to be.

This concludes our practical of this awesome spoofing tool.

Mitigation

  • Disable UPnP devices.
  • Educate users to prevent phishing attacks.
  • Monitor the network for passwords travelling in cleartext.
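To make the monitoring point concrete, the following Python triage is an added defensive example, not part of evil_ssdp or of this article. It parses SSDP replies (the same HTTP-style header block the tool answers M-SEARCH with) and flags an advertisement whose description URL points away from the sender or is served from a host:port that is not in the segment's device inventory; the inventory, IP addresses and sample replies are constructed.

```python
"""Triage SSDP responses and NOTIFY announcements for rogue UPnP devices.

Added defensive example for this article; it is not part of evil_ssdp.
Sample messages, the inventory and the IP addresses below are constructed.
"""
from urllib.parse import urlsplit

# Constructed inventory: (host, port) pairs where this segment's legitimate
# UPnP devices serve their description XML. A real deployment would build
# this from an asset list rather than hard-coding it.
INVENTORY = {("192.168.1.1", 1900)}


def parse_ssdp(raw: str) -> dict:
    """Parse one SSDP datagram (an HTTP-style header block carried over UDP).

    Header names are lower-cased; the request/status line is kept as '_start'.
    """
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    msg = {"_start": lines[0].strip()}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            msg[name.strip().lower()] = value.strip()
    return msg


def triage(raw: str, sender_ip: str, inventory=INVENTORY) -> list:
    """Return the reasons an announcement looks rogue (empty list = clean).

    The LOCATION URL must point back at the sender, and the host:port serving
    the description must be a known device. A host answering with a
    description URL on an unexpected port (8888 in this article) is the
    pattern a phishing device produces.
    """
    msg = parse_ssdp(raw)
    reasons = []
    location = msg.get("location")
    if not location:
        return ["no LOCATION header in announcement"]
    url = urlsplit(location)
    host = url.hostname
    port = url.port or (443 if url.scheme == "https" else 80)
    if host != sender_ip:
        reasons.append(f"LOCATION host {host} differs from sender {sender_ip}")
    if (host, port) not in inventory:
        reasons.append(f"description served from uninventoried {host}:{port}")
    if url.scheme not in ("http", "https"):
        reasons.append(f"non-HTTP LOCATION scheme {url.scheme!r}")
    return reasons


# Constructed sample traffic: one reply from the real gateway and one from a
# host answering M-SEARCH with a description hosted on port 8888.
LEGIT_REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "ST: upnp:rootdevice\r\n"
    "USN: uuid:11111111-2222-3333-4444-555555555555::upnp:rootdevice\r\n"
    "LOCATION: http://192.168.1.1:1900/rootDesc.xml\r\n\r\n"
)
ROGUE_REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "ST: upnp:rootdevice\r\n"
    "USN: uuid:99999999-8888-7777-6666-555555555555::upnp:rootdevice\r\n"
    "LOCATION: http://192.168.1.13:8888/ssdp/device-desc.xml\r\n\r\n"
)

if __name__ == "__main__":
    for name, raw, sender in (("gateway", LEGIT_REPLY, "192.168.1.1"),
                              ("unknown host", ROGUE_REPLY, "192.168.1.13")):
        print(name, "->", triage(raw, sender) or ["clean"])
```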

Author: Kavish Tyagi is a Cybersecurity enthusiast and Researcher in the field of WebApp Penetration testing. Contact here

Hack the Box: Writeup Walkthrough

Today we’re sharing another Hack The Box challenge walkthrough: Writeup. The machine is part of the retired labs, so you can connect to it using your HTB VPN and start solving the CTF.

Level of the lab: Beginner to intermediate.

Task: Capture the user.txt and root.txt flags.

Pentesting Methodology

Network scanning

  • Nmap

Enumeration

  • Web Source code

Exploit

  • Unauthenticated SQL injection

Privilege Escalation

  • PATH Environment

Network Scanning

As we know the victim machine’s IP, we can start with an Nmap scan to identify the open ports and the services running on them.

From the scan result, we found that port 80 is open and that robots.txt discloses a /writeup/ entry. Port 22 is also open for SSH.

Enumeration

We opened the victim IP in the web browser and were greeted by the web page shown in the image below.

Then we visited the /writeup URL enumerated above.

It was a simple web page where we didn’t find any remarkable clue, so we decided to check the page’s source code.

Well, thankfully! Inside the source code we found the description of the CMS used to build the website.

Without any delay, we googled for a CMS Made Simple 2019 exploit and found the Exploit DB entry for the SQL injection vulnerability.

Exploit

We downloaded the Python script from Exploit DB and gave it full permissions. With everything set, we ran the following command to obtain the credentials from the database by exploiting the unauthenticated SQL injection.

As a result we found the salt value, username, email address, password hash and the corresponding password.

Since we have found the login credentials, we can use them to access the SSH shell.

Booom!! We successfully got a shell on the host machine and found the user.txt file, as shown in the image below. Now it was time to obtain a higher-privilege shell by escalating the privileges of the user jkr.

Privilege Escalation

It was time for post-exploitation enumeration to find concealed processes running on the host machine. We tried to enumerate services running as root that could be abused; for this we used pspy64 to identify running processes, because the manual approach failed to reveal all processes running in the background.

Therefore, we downloaded pspy64 to the /tmp directory on the host machine, gave it full permissions and ran it to identify the processes running on the machine.

So, we found that a suspicious process was running, which executed the following command:

Let’s break it down to analyze what’s going on at this stage.

Here we saw that the “sh -c /usr/bin/env” command was run to create an empty environment and set up the PATH variable, in which you can observe that “/usr/local/sbin” comes first, which means it is given the highest priority.

All the scripts in /etc/update-motd.d are then executed using run-parts, and all their output is stored in /run/motd.dynamic.new.

Interestingly, we found that the above command runs when jkr connects to the server over SSH, so we can assume that every time we log in via SSH as jkr, the scripts run through this command.

Thus we checked the permissions of /usr/local/sbin and noted the ownership as root:staff; then we checked the user id and luckily found that jkr is a member of the staff group.

Since /usr/local/sbin is the highest-priority path, we can try to write a malicious file named run-parts inside /usr/local/sbin/.

So, on our local machine we wrote a script to change the password of the root user and saved it as run-parts.

Then we transferred this file to the host machine using a Python HTTP server.

Let’s download the malicious script to the /tmp directory on the host machine, give it full permissions and copy it to “/usr/local/sbin”, as shown in the image below.

When everything is done, we need to log out and log in again via SSH as jkr so that our malicious script gets executed, as explained above.

Booom! Booom! We’ve got the root flag: as soon as you connect via SSH again, the running process executes our malicious run-parts script, which modifies the root user’s password; then you can switch user to root and grab the root.txt flag.
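The root cause above is a PATH whose first directory is writable by a non-root group while a command invoked later in that PATH is called by bare name. The following Python audit is an added defensive example, not a tool from the write-up: given a PATH string and the gids of a low-privileged user, it reports every directory that user can write to and which of the job's commands could be shadowed from there. MOTD_PATH mirrors the PATH the motd job sets; the miniature filesystem in demo_findings() is constructed in a temporary directory.

```python
"""Audit a privileged job's PATH for directories a low-privileged user can
write to, and list the commands later in that PATH they could shadow.

Added defensive example for this article, not a tool from the write-up.
MOTD_PATH mirrors the PATH the motd job sets up; the miniature filesystem
in demo_findings() is constructed in a temporary directory.
"""
import os
import stat
import tempfile

MOTD_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Commands the job invokes by bare name, so PATH order selects the binary.
JOB_COMMANDS = ("run-parts", "uname", "cat")


def writable_by(st: os.stat_result, user_gids) -> str:
    """Why a user holding these gids can create files in the directory
    described by st, or '' if they cannot.

    Owner-writability is deliberately not checked: PATH directories are
    expected to be root-owned, and a non-root owner is a separate finding.
    """
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"
    if st.st_mode & stat.S_IWGRP and st.st_gid in user_gids:
        return f"group-writable by gid {st.st_gid}"
    return ""


def audit_path(path_value: str, user_gids, commands=JOB_COMMANDS) -> list:
    """Return (directory, reason, shadowable_commands) for each risky dir.

    A command is shadowable from a directory when its real binary lives in a
    directory that appears later in PATH, which is the run-parts case above.
    """
    dirs = path_value.split(":")
    findings = []
    for i, d in enumerate(dirs):
        if not os.path.isdir(d):
            continue
        reason = writable_by(os.stat(d), set(user_gids))
        if not reason:
            continue
        shadowable = [c for c in commands
                      if any(os.path.isfile(os.path.join(later, c))
                             for later in dirs[i + 1:])]
        findings.append((d, reason, shadowable))
    return findings


def demo_findings() -> list:
    """Construct a layout like the write-up's and audit it: a group-writable
    usr/local/sbin ahead of a usr/bin that holds run-parts, audited as a
    user who belongs to the directory's group (like jkr in staff)."""
    with tempfile.TemporaryDirectory() as root:
        sbin = os.path.join(root, "usr", "local", "sbin")
        usr_bin = os.path.join(root, "usr", "bin")
        os.makedirs(sbin)
        os.makedirs(usr_bin)
        os.chmod(sbin, 0o775)   # root:staff-style group write
        os.chmod(usr_bin, 0o755)
        open(os.path.join(usr_bin, "run-parts"), "w").close()
        staff_like_gid = os.stat(sbin).st_gid
        return audit_path(f"{sbin}:{usr_bin}", {staff_like_gid})


if __name__ == "__main__":
    for d, why, cmds in demo_findings():
        print(f"{d}: {why}; a group member could shadow {cmds}")
```

Run against the live system with `audit_path(MOTD_PATH, {gid of the staff group})` to reproduce the check the write-up did by hand.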

Author: Kavish Tyagi is a Cybersecurity enthusiast and Researcher in the field of WebApp Penetration testing. Contact here

Steal Windows Password using FakeLogonScreen

In this article, we are going to focus on a tool that caught my attention. It creates a fake Windows logon screen, forces the user to enter their correct credentials and then relays those credentials to the attacker. It can work in different scenarios.

This tool was developed by Arris Huijgen. I have already described what the tool does, and it doesn’t do much beyond that. To better understand how it works, I will perform a practical with it using the systems configured as depicted below.

Download the executables for the practical by clicking here.

Table of Contents

  • Configurations used in Practical
  • Scenario
  • Payload Creation
  • Starting Listener
  • Uploading the FakeLogonScreen Executable
  • Credentials Entering on Target Side
  • Grabbing the Credentials
  • Additional Information
  • Mitigations

Configurations used in Practical

Attacker:

    OS: Kali Linux 2020.1

    IP: 192.168.1.13

Target:

    OS: Windows 10 (Build 18363)

    IP: 192.168.1.11

Scenario

There is a system connected to the same network as the attacker, and the attacker is hunting for the credentials of the target system. The information the attacker already has is the IP address and the OS of the target. This kind of information is quite easy to come by.

Payload Creation

Now, to get started I used the msfvenom tool to craft a payload matching the OS of my target system, with my Kali IP address as the LHOST. As the target machine was running Windows, I made the payload an executable file that can be run easily. After crafting the payload, I ran a Python one-liner to start an HTTP server hosting the payload on port 80 of the attacker machine.

In a real-life scenario, the attacker would use some kind of social engineering to manipulate the target user into downloading this malicious payload onto their system. This can be done long before performing the actual attack.

Starting Listener

With our payload ready and hosted, we now need to start a listener to receive the session from the payload. After setting up the configuration, I went straight to the target machine and executed the payload. Again, this is a lab demonstration; real-life scenarios will vary.

Uploading the FakeLogonScreen Executable

After getting the meterpreter session, we upload FakeLogonScreen.exe to the target system. This executable can be found in the directory we downloaded. After a successful upload, we drop to the command line of the target machine using the shell command and run the executable as shown in the image.

Credentials Entering on Target Side

As soon as we ran the executable through the shell, all the open windows on the target system were minimized and a logon screen popped up, as shown in the image. It looks like a pretty real logon screen. The target user assumes there must have been an accidental log-off, so, to resume their work, they unknowingly enter their credentials.

To demonstrate that the password is actually checked, we first entered wrong credentials. The logon screen returned the error “The password is incorrect. Try again”. This shows that the target user has to enter valid credentials to get through.

Next, we entered the valid credentials and saw all the minimized windows restored to the way they were.

Grabbing the Credentials

Let’s head back to our attacker machine to see whether we were able to grab the passwords. As shown in the image below, the FakeLogonScreen output works similarly to a keylogger. We first entered “wrong password” in the password field to check the failure case. Then we entered the correct password “123” and successfully grabbed the target user’s password.

Additional Information

I contacted the author of this tool to find out how it behaves in multiple-desktop setups. When executed on such a setup, all the other desktop screens turn black. Also, if the target user has configured a customized background, that customized background is shown. This is a plus in an office environment, as those systems have a custom company image for the logon screen.

We also have another executable in the zip file we downloaded earlier, named “FakeLogonScreenToFile.exe”. It works the same way but, besides displaying the password, stores it at the following location:

%LOCALAPPDATA%\Microsoft\user.db

This tool also works on Windows 7. Although Windows 7 has reached its EOL, a huge number of production systems still run it. If required, the build for it can be found inside the “DOTNET35” directory.

You can also integrate this tool to work with Cobalt Strike. Check out here.

Mitigations

  • Verify download sources.
  • Monitor the AppData directory for the user.db file.
  • Properly check all the links in the logon screen.
  • Implement a password change policy with a shorter duration.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. Can be Contacted on Twitter and LinkedIn

Connect The Dots: 1 Vulnhub Walkthrough

Today we are sharing another CTF walkthrough, of the Vulnhub machine named “Connect the Dots”, with the intent of gaining experience in the world of penetration testing. The credit goes to “Sumit Verma” for designing this machine, and the level is set to intermediate.

You can download it from here: https://www.vulnhub.com/entry/connect-the-dots-1,384/

According to the author: The ultimate goal of this challenge is to get root and to read the “user and root” flag.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

Penetration Methodologies

Network Scanning

  • Netdiscover
  • Nmap

Enumeration

  • Abusing HTTP

Exploiting

  • Decoding JSFuck
  • Login to SSH

Privilege Escalation

  • Capability

Walkthrough

Network Scanning

As you know, this is the initial phase, where we used netdiscover to scan the network and identify the host IP; here we have 192.168.1.102 as our host IP.

In our next step, as usual, we used nmap for port enumeration, running the following command:

With the help of the above command, we were able to identify the open ports and the services running on them. Mainly we take a look at port 80 for HTTP, 2049 for NFS and 7288 for SSH.

Enumeration

Thus, we opened a web browser, browsed to the target IP and were greeted with the webpage shown in the image below.

Unfortunately, I didn’t find any loophole or clue on the home page, so I followed the hyperlink “SIRRON”, which redirects to an index.html page that looks like the home page but whose source code differs.

So by exploring the source code of the index.html page, we found a username “norris” and a path to a web directory “/mysite”.

We then explored /mysite and found some scripts; bootstrap.min.cs looked suspicious to us, so we downloaded it to our local machine and examined the file.

Exploiting

So, after exploring the file we found JSFuck code, and we need to decode it to read this file.

Here it’s a bit tricky: if you try to decode the entire contents of the file, the text won’t decode. You have to remove “var =” and the quote characters from the content and try to decode the remaining code.

So we visited www.jsfuck.com, pasted the code to be decoded and, as a result, got a string revealing the password of user norris, as shown in the image.

Thus, we used the above-enumerated credentials to log in via SSH, successfully compromised the host machine and found our first flag, user.txt, as shown in the image below.

Since we now have an initial foothold, it’s time to escalate privileges to get the root.txt file.

Privilege Escalation

Thus, we explored further and looked for weak service configurations such as SUDO and SUID permissions but found nothing of interest. After spending some more time, we saw that a capability with +ep permission is set on the tar program, with the help of the command given below.

Now it was time to exploit the given permissions on the tar program, so we created the “raj.tar” archive of the /root/root.txt file and then extracted the generated tar file in the current directory, as shown below.

As a result, we have the root directory in our current directory, so we can read the root.txt file as shown.

Conclusion: By solving this VM you will learn about JSFuck encoding and decoding and Linux capability privilege escalation; read more from here.
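From the defender's side, the finding above is found with one `getcap -r /` pass, provided someone reviews the output against a baseline. The following Python review is an added example, not part of this walkthrough: it parses getcap output in both libcap output styles and flags effective+permitted capabilities that are root-equivalent or not in the baseline. The sample output and baseline are constructed; the walkthrough does not name the capability set on tar, and cap_dac_read_search (which lets a reader walk /root) is used in the sample as the one that would produce the behaviour shown.

```python
"""Review `getcap -r /` output for file capabilities that let an unprivileged
user bypass permission checks, as the tar binary in this walkthrough does.

Added defensive example for this article; the sample output and baseline are
constructed (the write-up itself does not name the capability on tar).
"""
import re

# Capabilities that are effectively root: read or write any file, change
# uid/gid, load kernel code, trace processes, set capabilities.
ROOT_EQUIVALENT = {
    "cap_dac_read_search", "cap_dac_override", "cap_setuid", "cap_setgid",
    "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown",
    "cap_fowner", "cap_setfcap", "cap_sys_rawio",
}
# Constructed baseline of binaries expected to carry capabilities.
BASELINE = {"/usr/bin/ping": {"cap_net_raw"}}

# One cap_to_text clause: names, an operator, and the e/i/p flag letters.
_CLAUSE = re.compile(r"([a-z0-9_,]*)([+=])([eip]*)")


def parse_getcap_line(line: str):
    """Return (path, {capability names}, effective_and_permitted).

    Accepts both 'path = cap_x+ep' (libcap <= 2.40) and 'path cap_x=ep'
    (libcap >= 2.41). An empty name list ('=ep') means every capability.
    """
    line = line.strip()
    if " = " in line:
        path, caps = line.split(" = ", 1)
    else:
        path, _, caps = line.partition(" ")
    names, usable = set(), False
    for clause in caps.split():
        m = _CLAUSE.fullmatch(clause)
        if not m:
            continue
        names.update(m.group(1).split(",") if m.group(1) else ["all"])
        usable |= "e" in m.group(3) and "p" in m.group(3)
    return path, names, usable


def review(getcap_output: str, baseline=BASELINE) -> list:
    """Return (path, sorted caps, verdict) for every line worth attention."""
    findings = []
    for line in getcap_output.splitlines():
        if not line.strip():
            continue
        path, names, usable = parse_getcap_line(line)
        if not usable or names == baseline.get(path):
            continue
        if "all" in names or names & ROOT_EQUIVALENT:
            verdict = "root-equivalent capability on a user-runnable binary"
        else:
            verdict = "capability not in baseline; review"
        findings.append((path, sorted(names), verdict))
    return findings


# Constructed sample in both libcap output styles.
SAMPLE = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/tar = cap_dac_read_search+ep
/usr/sbin/arping cap_net_raw=ep
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+p
"""

if __name__ == "__main__":
    for path, caps, verdict in review(SAMPLE):
        print(f"{path}: {','.join(caps)} -> {verdict}")
```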

Author: Ahmed is a Cybersecurity enthusiast and Researcher in the field of WebApp Penetration testing. Contact here