SensePost Blog http://www.sensepost.com/blog
SensePost Training Wed, 4 Mar 2015 11:16:00 +0200 http://www.sensepost.com/blog/11916.html
sensepost_blackhat
Over the years, we've trained thousands of students in the art of offensive and defensive security through our Hacking by Numbers courses.


Our courses are taken directly from the work we do. When we compromise networks, or applications with new techniques, they're turned into modules in the appropriate course. We also don't use trainers; every course is given by one of our analysts to keep it authentic.


For our fifteenth year, we've decided it was time to retire the ‘Hacking by Numbers' name and just call it what it really always has been: SensePost Training.


We've also simplified the path to offensive security mastery with our artisanal, fair trade, hand crafted training courses:


sensepost_training_flow


Beginner


The beginner course lies at the start of the journey. This course doesn't assume anything of the student other than a desire to learn. The course will present the background information, technical skill and basic concepts to get a student going in the field of information security (we can't bring ourselves to say “cyber”).


Students will start by learning how to use the Linux command line interface to get the best out of an offensive Linux tool-set, then delve into networking fundamentals and vulnerability discovery, and finally learn how to exploit common weaknesses within the network, application, mobile and wireless arenas.


The course will serve those wanting to understand the offensive security world as well as those looking to join it. It's a fun course with plenty of hands on exploitation and owning stuff. For more information, visit Blackhat's USA training page here.


Journeyman


‘A journeyman is an individual who has completed an apprenticeship and is fully educated in a trade or craft, but not yet a master' Wikipedia.


The Journeyman layer is where you learn the trade in order to become a master. This layer is where our decade and a half of experience in gaining access to everything from ships to data centers is most evident. Each of the journeyman courses is hands on, fully interactive and teaches the latest approaches and techniques for exploiting everything! We've completely revamped the courses and our analysts typically add new techniques as they happen, sometimes even during the course.


The journeyman series contains several courses focused on specific areas of specialisation, from hacking networks and applications, to securing code, to signals (wireless) and advanced second order compromises (spec ops).


If you are looking to expand your skill-set then these courses are for you.


Master


At the top of the learning tree is our brand new Master course. This course is aimed at those students who've completed one or more of the Journeyman courses, or are working senior penetration testers. Nmap's man page, Metasploit's internals, or network pivoting should not be new concepts.


This course sets about teaching students how to hack like an APT, with a strong offensive focus drawing on the techniques employed in recent industry hacks. Students will be thrown into environments they've never seen before and forced to rely on their wits, or shown how to turn the mundane into the extraordinary.


To learn more about this course being offered at Blackhat USA, head over here.


Conclusion


When you love what you do, you love showing others how to do it; training is at the heart of what we do at SensePost. Using our decade of BlackHat training experience, we've put a lot of thought into creating some awesome courses for our fellow hackers. We hope to see you in one at BlackHat USA Las Vegas 2015.

Improvements in Rogue AP attacks - MANA 1/2 Mon, 23 Feb 2015 11:28:00 +0200 http://www.sensepost.com/blog/11823.html

At Defcon 22 we presented several improvements in wifi rogue access point attacks. We entitled the talk "Manna from heaven" and released the MANA toolkit. I'll be doing two blog entries. The first will describe the improvements made at a wifi layer, and the second will cover the network credential interception stuff. If you just want the goodies, you can get them at the end of this entry for the price of scrolling down.


Introduction


This work is about rogue access points, by which we mean a wireless access point that mimics real ones in an attempt to get users to connect to it. The initial work on this was done in 2004 by Dino dai Zovi and Shaun Macaulay. They realised that the way wifi devices probe for wireless networks that they've "remembered" happens without authentication, and that if a malicious access point merely responds to these directed probes, it can trick wireless clients into connecting to it. They called this a KARMA attack.


Additionally, in 2008 Josh Wright and Brad Antoniewicz worked out that if you man-in-the-middle the EAP authentication on secured networks, you could capture and crack the authentication hash and gain access to the network yourself. They implemented this in freeradius-wpe (wireless pwnage edition).


However, KARMA attacks no longer work well, and we wanted to know why. Also, the WPE stuff seemed ripe for use in rogue access points rather than just for gaining access to the original network. This is what we implemented.


Changes in Probing


After a significant amount of time poring over radio captures of the ways in which various devices probed, and informed by our previous work on Snoopy, we realised two things. The first is that modern devices, particularly mobile ones, won't listen to directed probe responses for open, non-hidden networks if that AP didn't also/first respond to a broadcast probe. What this means is that our rogue access point needs to implement the same. However, the challenge is, what do we respond to the broadcast probe *with*?


To overcome that, we took the existing KARMA functionality built by Digininja, ported it to the latest version of hostapd and extended it to store a view of the "remembered networks" (aka the Preferred Network List (PNL)) for each device it sees. Then, when hostapd-mana sees a broadcast probe from that device, it will respond with a directed probe response for each network hostapd-mana knows to be in that device's PNL. This relies on our finding that wifi clients have no problem with a single BSSID (i.e. AP MAC address) advertising several ESSIDs (aka SSID aka network name).


Practically, suppose there are two devices, one probing for a network foo, and the other probing for two networks bar and baz. When device1 sends a broadcast probe, hostapd-mana will respond with a directed probe response for foo to device1. Likewise, when device2 sends a broadcast probe, hostapd-mana will respond with two directed probe responses to device2, one for bar and one for baz. In addition, the "normal" KARMA functionality of responding to directed probes will also occur. In practice, we found this significantly improved the effectiveness of our rogue AP.


iOS and hidden networks


iOS presented an interesting challenge to us when it came to hidden networks. A hidden network is one configured not to broadcast its ESSID in either its beacons or its broadcast probe response. Practically, the only way a client device can know if the hidden network it has remembered is nearby is by constantly sending out directed probes for the network. This is why hidden networks aren't a very good design, as their clients need to spew their names out all over the place. However, when observing iOS devices, while they could join a hidden network just fine, they seemed to not probe for it most of the time. This had us constructing faraday cages and checking other factors like BSSID and geolocation to no avail, until we realised that iOS will not probe for any hidden networks in its PNL unless there is at least one hidden network nearby. So, if you'd like to maximise your rogue'ing, make sure you have a hidden network nearby. It doesn't even need to be a real network; use a mifi, use airbase-ng or just create another hostapd network.


Limits in probing


Modern mobile devices probe for networks on their PNL *significantly* less than laptops or older devices do. In an ideal world, manufacturers would change the implementation to never probe for open networks and only wait for a response to a broadcast, effectively limiting these attacks to requiring pre-knowledge, common networks or being performed in the vicinity of the actual network. In fact, a patch was pushed to wpa_supplicant a few months ago to limit the stupid probing behaviour Android does in low power mode; this will make it into Android proper sometime soon. Also, iOS has significantly reduced how often it probes.


There are two ways to work around this. The first is manual: go for a common network. The rise of city-wide wifi projects makes this somewhat easy. Or, if you're going for a corporate network, just do some recon and name one of your access points after that. But we wanted to make things work better than that. The default behaviour of hostapd-mana is to build up a view of each device's PNL and only respond to broadcasts with networks specific to that device. However, we can remove that limitation and build a global PNL, and respond to each broadcast with every network every device has probed for. We call this loud mode, and it's configurable in the hostapd-mana config. This relies on the fact that many devices, particularly laptops and older mobile devices, still probe for networks a lot. It also relies on the fact that many devices have networks in common (have they been in the same city, same airport, same conference, same company, same pocket etc.). This works *very* well in less crowded areas, and you'll get a much higher number of devices connecting.


However, in busy areas, or if your antenna is large enough, you'll quickly exceed the capacity of your average wifi device to respond fast enough to all of the devices. As the number of probe responses grows exponentially with each new device, this problem crops up over time even in quiet areas (but miraculously didn't on stage at Defcon). So, it's *good enough* for now, but needs an in-kernel or in-firmware implementation with some network ageing to scale a bit better (one of the many opportunities for extending this work if you're up for some open source contribution).
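The single-BSSID, many-ESSID behaviour described above is also what a defender can look for in a monitor-mode capture. Added example, not part of MANA or hostapd-mana: a Python script over constructed probe-response records that flags BSSIDs answering with several ESSIDs, and distinguishes per-device PNL responses from loud mode.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of 802.11 probe-response observations, in the shape a
# monitor-mode capture parser might yield: (bssid, essid, destination client).
# All addresses and network names are made up for this example.
SAMPLE_PROBE_RESPONSES = [
    ("aa:bb:cc:00:00:01", "CoffeeShopWifi", "11:11:11:11:11:11"),
    ("aa:bb:cc:00:00:01", "CoffeeShopWifi", "22:22:22:22:22:22"),
    # One BSSID answering different clients with different ESSIDs,
    # i.e. the per-device PNL behaviour described for hostapd-mana.
    ("de:ad:be:ef:00:01", "foo", "11:11:11:11:11:11"),
    ("de:ad:be:ef:00:01", "bar", "22:22:22:22:22:22"),
    ("de:ad:be:ef:00:01", "baz", "22:22:22:22:22:22"),
    # Loud mode: every client is offered every network ever seen.
    ("ca:fe:00:00:00:01", "airport_free", "33:33:33:33:33:33"),
    ("ca:fe:00:00:00:01", "corp-guest", "33:33:33:33:33:33"),
    ("ca:fe:00:00:00:01", "hotel", "33:33:33:33:33:33"),
    ("ca:fe:00:00:00:01", "airport_free", "44:44:44:44:44:44"),
    ("ca:fe:00:00:00:01", "corp-guest", "44:44:44:44:44:44"),
    ("ca:fe:00:00:00:01", "hotel", "44:44:44:44:44:44"),
]

@dataclass
class Finding:
    bssid: str
    essids: frozenset
    clients: int
    verdict: str  # "per-device" or "loud"

def analyse(records, essid_threshold=2):
    """Group probe responses by BSSID and flag BSSIDs serving several ESSIDs.

    A legitimate AP answers with one ESSID per BSSID (multi-SSID APs typically
    use a distinct BSSID per network), so a BSSID whose ESSID set reaches the
    threshold is suspicious. If every client was offered the whole ESSID set,
    that matches loud mode; otherwise the responses were tailored per client.
    """
    per_client = defaultdict(lambda: defaultdict(set))
    for bssid, essid, client in records:
        per_client[bssid][client].add(essid)
    findings = []
    for bssid, clients in per_client.items():
        all_essids = frozenset().union(*clients.values())
        if len(all_essids) < essid_threshold:
            continue
        loud = all(seen == all_essids for seen in clients.values())
        findings.append(Finding(bssid, all_essids, len(clients),
                                "loud" if loud else "per-device"))
    return findings
```

Feeding real captures only needs a parser that yields the same (bssid, essid, client) triples from probe-response frames.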


Auto Crack 'n Add


freeradius-wpe is great; it provides a nice way to grab EAP hashes from clients that don't validate the certificates presented via EAP methods that use SSL/TLS (PEAP, EAP-GTC, EAP-TTLS). However, the patches are for freeradius v1 and, much like the KARMA patches for hostapd, have aged. But hostapd contains a radius server, so we could port the freeradius-wpe work to that, based on some initial but incomplete patches by Brad Antoniewicz. So hostapd-mana will also let you grab EAP hashes without needing another tool.


However, the KARMA attacks only work against open wifi networks. EAP networks are increasingly common (especially corporate ones) and we wanted to be able to have a go at getting devices probing for those to connect to our rogue AP. To do this, we modified hostapd-mana to always accept any EAP hash, but send it off for cracking. It simply writes these to a file, from which the simple python tool crackapd (included) will grab them and send them off to another process for cracking. Currently, we use asleap (also by Josh Wright) and the rockyou password list, but these can all be easily modified, for example to use CloudCracker and its incredibly optimised MS-CHAPv2 cracking setup.


The net result is pretty great for simple EAP hashes. The device will try to connect, and fail as we don't know enough to do the challenge response right. But after the hash is cracked, when it retries the connection (something a device will keep doing) it will succeed (and you'll have your first creds). For simple hashes, this is transparent to the user. Of course, very complex hashes will only work if you crack them in time. Worst case scenario, you leave with hashes.


Conclusion


So that's what we built into hostapd-mana. You get improved KARMA attacks, a modern hostapd version, an integrated hash stealer, and the possibility of rogue'ing some EAP networks. You can get the full toolkit at MANA toolkit on GitHub or our hostapd-mana at hostapd-mana on GitHub.


The next blog entry will cover what we did once we got a device to connect.


The Goodies


The Defcon talk:


The supporting slide deck with more information:


The final toolkit: MANA toolkit on GitHub. You can also get this on Kali with "apt-get install mana-toolkit".


The modified hostapd (for hackers or people who want to build their own setup): hostapd-mana on GitHub

Demonstrating ClickJacking with Jack Fri, 20 Feb 2015 11:05:00 +0200 http://www.sensepost.com/blog/11105.html

Jack is a tool I created to help build Clickjacking PoCs. It uses basic HTML and Javascript and can be found on github, https://github.com/sensepost/Jack


To use Jack, load Jack's HTML, CSS and JS files using the method of your choice and navigate to Jack's index.html.


jackHome


Jack comes with three additional pages: sandbox.html, targetLogin.html and targetRead.html. targetRead.html can be used to demonstrate Clickjacking that reads values from a page, and sandbox.html is used to display the Clickjacking demonstration. By default, Jack loads the "Read" html page with default CSS and Styles.


Jack allows you to configure a few parameters (X&Y positions, Style tags) that can be used to demonstrate Clickjacking. In this example, we will demonstrate Clickjacking using Google Gruyere as a target: https://google-gruyere.appspot.com/211539457592/.


To load your target into Jack, paste the target URL in the URL field in the configuration section and click Load as shown below:


jackWithOptions


Once Jack has loaded the target, you can specify the coordinates of your input fields and button. Jack allows you to overlay two inputs and one button (usually username & password with a submit), all of which can be configured. The Apply buttons apply the inputs to the elements in the index.html page; the values are automatically loaded when View is clicked. To view what your Clickjacking demo looks like with the current configuration, click the big green View button as shown below.


gruyLoaded


Positioning is crucial, so we try some test values in Jack such as (161,215) and (161,255) for our inputs and (322,291) for the button, and view the result below by clicking View:


gruyOverloaded


We now need to overlay our Clickjack inputs and button over the target's actual inputs and login button and make them look #legit. From our reconnaissance of the target url, we have the following style information that can help us make our inputs and button look #legit:


Input Style =
outline: none; box-shadow: none; border: none !important; height: 22px; width: 222px;
background-color: #fffffcc; font-family: sans-serif; font-size: 14pt;

Button Style =
font-family: sans-serif; font-size: 14pt; background-color: #ffffff;

These styles are entered into the Style inputs provided in the Configuration section, together with the coordinates of our inputs and button, as shown below:


jackWithOptions


We view the above configuration by clicking View as shown below:


payload


The View now looks rather legit, so what now? Jack displays the username and password inputs when the login button is clicked as shown below (you can change the JavaScript payload that is executed in the provided input box):


result


The generated final page (sandbox.html) can either be used locally for your report screenshots, or copied (along with /static and /resources) to a web server of your choice.
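The precondition for the demo above is that the target page can be framed at all, which is what a defender checks for. Added example, not part of Jack: a Python check of the anti-framing response headers (X-Frame-Options and CSP frame-ancestors, with frame-ancestors taking precedence when both are present) run over constructed header sets; all origins are made up.

```python
from urllib.parse import urlsplit

# Constructed header sets for the example; not captured from any real site.
NO_PROTECTION = {"Content-Type": "text/html"}
XFO_DENY = {"X-Frame-Options": "DENY"}
CSP_SELF_AND_PARTNER = {
    "Content-Security-Policy":
        "default-src 'self'; frame-ancestors 'self' https://*.trusted.example",
}

def _origin(url):
    """Return the lower-cased scheme://host[:port] of a URL."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()

def _source_matches(source, framer):
    """Match a frame-ancestors source expression against a framer origin.
    Handles *, scheme:, exact origins and scheme://*.host wildcards only."""
    source = source.lower()
    scheme, _, host = framer.partition("://")
    if source in ("*", f"{scheme}:"):
        return True
    if "://" not in source:
        return False          # bare-host forms are not handled in this example
    s_scheme, s_host = source.split("://", 1)
    if s_scheme != scheme:
        return False
    if s_host.startswith("*."):
        return host.endswith(s_host[1:])   # any subdomain, not the apex itself
    return s_host == host

def framing_allowed(headers, page_url, framer_url):
    """Decide whether page_url may be framed by framer_url given its headers.

    CSP frame-ancestors, when present, takes precedence over X-Frame-Options;
    no header at all leaves the page frameable by any origin, which is the
    precondition for a clickjacking PoC. Returns (allowed, reason).
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    page, framer = _origin(page_url), _origin(framer_url)
    for directive in hdrs.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() != "frame-ancestors":
            continue
        sources = value.split()
        if not sources or "'none'" in sources:
            return False, "frame-ancestors denies all framing"
        for src in sources:
            if src == "'self'" and framer == page:
                return True, "frame-ancestors 'self' permits same-origin framing"
            if src != "'self'" and _source_matches(src, framer):
                return True, f"frame-ancestors permits {framer}"
        return False, f"frame-ancestors does not list {framer}"
    xfo = hdrs.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return framer == page, "X-Frame-Options: SAMEORIGIN"
    return True, "no effective anti-framing header: any origin can frame the page"
```

A page whose login form comes back `True` here is the kind of target Jack's sandbox.html can overlay; adding `frame-ancestors 'none'` (or DENY) closes it.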

Commercial Snoopy Launch! [ ShadowLightly ] Sat, 17 Jan 2015 16:26:00 +0200 http://www.sensepost.com/blog/11640.html

Hello world!


We've been busy squirrelling away on a much requested project - a commercial Snoopy offering. We've called it ShadowLightly, and we'd like to invite you to join the beta explorer program. We're going to offer ten 3-month trials to the site (you'd need to buy sensors / build your own), and in return we'd ask that you help us debug any issues. To apply, please email explorer@shadowlightly.com - introduce yourself, and tell us a little about why you'd like to join the program.


To those who missed the Snoopy party: it's a distributed, tracking, profiling, and data interception framework. It's all open source and you can run your own setup for non-commercial purposes. Here's some more info:
http://www.sensepost.com/blog/10754.html
http://www.sensepost.com/blog/11042.html


How does this ShadowLightly thing work? You'd create an account on our ShadowLightly.com site, register your sensors, run your sensors uploading their data to our server, and then explore the data in both the website and in Maltego. We've built TDS transforms to query the remote data.


Here's a video which may explain it all better:


ShadowLightly Demo


We're looking forward to working with you!

Are you the intern we've been looking for? Mon, 3 Nov 2014 09:15:00 +0200 http://www.sensepost.com/blog/11355.html
intern




We're looking for an intern to join our newly formed 'Innovation Centre' arm of SensePost/SecureData. Have a read below for some more information, and drop us a mail if you're interested or would like some more info (glenn@sensepost.com).




The purpose of the Innovation Centre is to offer an incubation hub through which new ideas, concepts and other technical and business innovations can be collected and captured, and then rapidly described, prioritised, researched, prototyped, tested, advocated and transitioned into the business.


About the Intern Position:


The ideal candidate should have a computer science or similar background, but candidates with equivalent work experience or who are self taught will also be considered. The following are required:


* Familiarity with at least one scripting language, preferably Python
* Fundamental understanding of networking
* Linux experience
* A positive attitude and strong problem solving capabilities


The following points would be seen as a bonus:
* Strong computer science degree
* Industry experience (e.g. holiday internship).
* Web development capabilities
* Security knowledge / experience
* Experience with embedded or similar systems (e.g. Pi, Arduino, etc)


Whilst SensePost is an information security company, this specific internship does not directly relate to an info-sec position, but the projects worked on will relate to info-sec. The internship is for placement in the Innovation Centre. Day to day tasks are likely to include:


* Writing PoC scripts
* Providing support to InnoCentre analysts (e.g. writing Maltego plugins, debugging issues, testing new hardware/software).
* Liaising with partners/clients
