Thursday, July 14, 2016

Passively monitoring devices with a Snoopy Raspberry Pi drone

I was recently distracted from a blog project I had begun working on (Bypassing just about any paywall or firewall - coming soon) after reading a comment in /r/netsec. I thought monitoring rogue devices around my home and getting alerts was a really cool idea, so I began working with the skeleton Python code /u/gindc had used for his alert system. After a few Google searches I found myself down a rabbit hole of custom scripts on GitHub built (far better than I could) for this very purpose. I settled on trying something built by SensePost called Snoopy-NG.
Snoopy-NG was packed full of features, and it plugged into Maltego so you would get pretty bubble relation charts based on the relations between devices. The idea behind it was to see which probe requests the devices around your drone were sending out (i.e. which saved networks they were looking for) and whether there was a correlation with other devices. For instance, if two people had the same Starbucks network stored in their phones, Snoopy would see the relation and infer that both had been to the same place. On top of that it had other, more malicious features, like creating a rogue AP and using Karma to pull in devices. There are other features, but I haven't had time to play around with them.
Since the Snoopy-NG project seems to have been abandoned in early 2015, a lot of things had to be modified or removed. I am not good enough to fix them, so I took the easier route of just not using those features (MITM framework integration).
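The correlation described above, as an added example that is not Snoopy-NG's own code: each client's directed probe requests (the saved networks it asks for) are indexed by SSID, and any two clients that probed for the same SSID are linked. The observations are a constructed sample, not a real capture, and the locally-administered check shows why randomised MAC addresses weaken the link.

```python
# Added example (not part of Snoopy-NG): correlate Wi-Fi clients by the SSIDs
# they probe for, which is the relation Snoopy-NG draws in Maltego.
# Input is a constructed list of probe-request observations: (client MAC, SSID).
from collections import defaultdict
from itertools import combinations

# Constructed sample capture: four clients, one of which uses a randomised
# (locally administered) MAC address; '' is a broadcast/wildcard probe.
PROBES = [
    ("00:11:22:33:44:55", "Starbucks"),
    ("00:11:22:33:44:55", "HomeNet-2G"),
    ("66:77:88:99:aa:bb", "Starbucks"),
    ("66:77:88:99:aa:bb", ""),
    ("da:a1:19:00:00:01", "Starbucks"),
    ("cc:dd:ee:ff:00:11", "AirportFree"),
]

def is_locally_administered(mac):
    """True if the U/L bit (0x02) of the first octet is set, i.e. a randomised MAC.
    Such addresses cannot be tied to one physical device across sessions."""
    return int(mac.split(":")[0], 16) & 0x02 != 0

def clients_by_ssid(probes):
    """Map each directed-probe SSID to the set of clients that asked for it.
    Wildcard probes (empty SSID) carry no saved-network information."""
    index = defaultdict(set)
    for mac, ssid in probes:
        if ssid:
            index[ssid].add(mac)
    return index

def shared_ssids(probes):
    """Return {(macA, macB): {ssid, ...}} for every client pair that probed
    for at least one common SSID (the 'both visited the same place' relation)."""
    pairs = defaultdict(set)
    for ssid, macs in clients_by_ssid(probes).items():
        for a, b in combinations(sorted(macs), 2):
            pairs[(a, b)].add(ssid)
    return dict(pairs)

if __name__ == "__main__":
    for (a, b), ssids in shared_ssids(PROBES).items():
        weak = is_locally_administered(a) or is_locally_administered(b)
        flag = " (randomised MAC, weak link)" if weak else ""
        print(f"{a} <-> {b}: {sorted(ssids)}{flag}")
```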

I had ordered two Raspberry Pi 3's in an unnecessary splurge and had not really put them to use yet, so I decided to use one as my drone. I also had two Alfa AWUS051NH wireless cards and two high-gain antennas that had been collecting dust and decided to re-purpose them as my Raspberry Pi drone's antenna (I was sad to learn that the built-in Wi-Fi on the Pi 3 does not support packet injection, i.e. no monitor mode). I then stood up an Ubuntu server on my cloud provider (LOVE CloudAtCost - super cheap! And you can part your servers out and build multiple on the fly! Just wait until they have an 80/90% off special) as my C2 data server.
I did a "git clone" on the server and was able to run install.sh with little to no dependency issues. On the Pi I had far more issues. I initially used the Kali image built for the Pi, but after multiple problems I assumed it was because of dependencies that couldn't be satisfied with the Kali ARM image and went back to the Ubuntu MATE image built for the Pi, but experienced the same issues. So in hindsight I would have kept the Kali image instead of using the Ubuntu MATE image, but since it was now working on MATE, I decided to roll with it and pull in any extra dependencies I needed. I then did a git pull on the Pi:

Some notes on the Pi install of Snoopy-NG -
1. You will need to remove ~/snoopy-ng/includes/mitm.py (I was getting a Python six import error: "importerror: cannot import name range six.moves". After some research I found that the mitm.py built for Snoopy was deprecated and thus no longer plays well with Python six, so I removed it.)
2. Because of the mitm.py removal, you will need to nano ~/snoopy-ng/plugins/mitmproxy.py and comment out "from includes.mitm import *".
3. Before you run install.sh, edit it and comment out a line towards the end: pip install https://sourceforge.net/projects/pylibpcap/files/latest/download?source=files#egg=pylibpcap and add these two lines under it:
wget http://http.kali.org/kali/pool/main/p/python-libpcap/python-libpcap_0.6.4-1_armhf.deb
dpkg -i python-libpcap_0.6.4-1_armhf.deb

Once the install has completed without error, it's pretty simple from here on out. On the server side run:
# snoopy_auth --create [DroneName]
# snoopy -v -m server
And once that is up and running, on the drone run:
# snoopy -v -m wifi:mon0=True -s http://:9001/ -d [name of drone from server] -l [location-can be anything] -k [keyWithoutBrackets]

You should see data being transmitted to the Snoopy server:


And here is a screenshot of both of them in action:



* I highly recommend using screen to run all of these - that way you can close out your terminals and return to the screen session later by running "screen -RD". You can detach from your screen session by pressing CTRL + a, then d (hold CTRL, press "a", release "a" while still holding CTRL, then press "d").

Back to the server (note: if you go with CloudAtCost, they do not install a GUI - you will need to install one to run Maltego) - I fired up Maltego and imported the Snoopy-NG .mtz config file:

1. In Maltego, click the odd-looking spaceship button in the upper left corner next to Save - go to Import - click on Import Configuration - browse to /snoopy-ng/transforms/snoopy_entities.mtz and click Next
2. After the import, go to the Machines tab and click "Run Machine", then select one of the two Snoopy options

* Some more notes: I noticed that the drone was seeing quite a bit but Maltego was not displaying it, so I edited some of the machine properties:

1. Click on "Manage Machine", highlight one of the two Snoopy machines (do this for both) and click on the three dots - comment out (using //) anything that says "delete()" and, for any field that contains a number, add 30 (or more)
2. I am not at all familiar with Maltego; I have no idea what the purpose of the delete() entries was, as I wanted to see as many devices as possible - I am hoping a Maltego expert can chime in. I was just poking around with the configs.

This should produce a pretty graph of all the devices around you!



Now you can see all the devices in your area, what networks they connect to, what networks their phones are beaconing out, and if any of those devices have been on the same networks! I never did create the alerts for new devices because of this snoopy rabbit hole I went down, but I figured I would share this information with the community in hopes of revitalizing this project. Perhaps I will jump back on that alert system later and update this blog...

So how do you prevent being seen? You really can't. There are some steps you can take to somewhat reduce your exposure, such as disabling auto-connect to Wi-Fi on your phone so that it isn't constantly looking for saved networks (I don't even do this, out of laziness). You can set your router to not beacon out the SSID - note: in doing this you will have to manually enter your network on the device you are trying to connect with. And with the SSID hidden, your network can still be seen, but only when a device is trying to connect to it and only if someone is monitoring with a Wi-Fi card in monitor mode, so it is very unlikely people will find it.


Thursday, December 31, 2015

Bypassing GoGo In-flight for free internet

This entry is going to be short, as the techniques I am going to show you either require a VPS (or an at home ssh server with a public IP) or an iPhone (iPhone trick not much of a hack, but it works).

Both of the methods were tested recently, in December 2015, on a two-hour flight.

On my initial flight to visit the family, I connected to the GoGo In-Flight network just to play around and see what was going on in the internal network. I knew that I could listen on the network and steal someone's MAC address, but I think that is a cheap trick, so I was looking for other ways to bypass it.

I did an "ifconfig", found the gateway server, did a full port scan on it (WAY too long to complete), then reverted to the nmap default top 1000 ports.

Found 53, 443 and 3128 to be open. It looks like they were using Squid proxy for their gateway, with 3128 being used for the HTTP/HTTPS traffic. I made some attempts to connect to my VPS on the flight down, but since I didn't have it configured for these ports, I had no luck.

Port 3128 results:
PORT     STATE SERVICE    VERSION
3128/tcp open  http-proxy Squid http proxy 2.6.STABLE14
|_http-methods: No Allow or Public header in OPTIONS response (status code 503)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported: HEAD
|_http-server-header: squid/2.6.STABLE14
|_http-title: Did not follow redirect to http://airborne.gogoinflight.com/abp/page/abpDefault.do?REP=127.0.0.1&AUTH=127.0.0.1&CLI=XXX.XX.131.145&PORT=54273&RPORT=54272

The captain came on and told everyone to put away all electronic devices, so close!

Fast forward to the trip back. I set SSH to listen on 53, 443, and 3128 on my VPS. I had also done some research and found people were able to connect over SSH via 53 and 443, as they are not using DPI. I had no such luck.

On 53 I was able to make a full TCP connection, but was not able to pass the SSH cert to the VPS (used -vvv to see where SSH was hanging).

On 443 I was not able to leave the network at all (SYN_SENT in netstat).

On 3128 I was able to SSH into my VPS on port 3128! Jackpot! The proxy was not inspecting traffic on this port, so I ran the following SSH command to create a SOCKS5 proxy on my machine:

ssh -D 3128 root@VPS.IP -p 3128

Now I went into my browser's network settings, checked "use proxy server" and under "SOCKS" (there may be an option for SOCKS 4 and 5; if so, use 5) I entered my localhost and port (127.0.0.1:3128) and saved.

VOILA! I was able to browse the entire flight for free!




Now, I know I mentioned needing an iPhone; while I don't own one, I was able to convince my more ethical friend to try some steps I read in a blog, which ended up working also:

1 - Connect to the GoGo Wifi
2 - Browse to the GoGo movie library (free or paid, it doesn't matter, you won't be paying)
3 - Click on a movie and it will bring you to a page to download the GoGo app
4 - Enter the captcha code to access the app
5 - Submit it
6 - Do not close the browser now! Open a new tab and start browsing the web. If you leave the auth window active, you will retain your authentication cookie, and you can browse as much as you'd like. Once you close the browser window, you will lose your session.

Enjoy your free wifi!

Thursday, September 24, 2015

Quick pivoting lesson

UPDATE 2/9/2016:

I was never able to finish this, and I lost the screen captures from when I was accessing the set of VMs I used for this tutorial. I have since found a better tutorial than my own here:

https://highon.coffee/blog/ssh-meterpreter-pivoting-techniques/

Sorry about that!

So I have been playing around in the OSCP labs, and as you may have heard, pivoting into different boxes becomes key as you "unlock" different parts of the network. As someone who doesn't pivot too often (I experiment with/test applications and setups; pivoting is more of a Red Team tactic), this became quite confusing after a while, so I did a brain dump for myself. I decided to also share it with you.

Lets begin:

So you need some sort of access to the box. In the example I have provided, I had escalated to SYSTEM privileges; however, I was also able to pivot using the meterpreter "portfwd" command on a box where I only had low-level privileges. That said, what I am about to show you may not work in that case - I already had all the screen captures when that idea popped into my head.

First obtain a reverse meterpreter; I did so via HP Power Manager running on port 80:



Next assign the payload using "set payload windows/meterpreter/reverse_tcp" - A breakdown of this:

Windows - we are exploiting a windows box
Meterpreter - we have deployed a reverse shell using meterpreter
Reverse TCP - listening for a "callback" shell

There are many options between the slashes: for instance, if you were to type windows/ then hit [TAB], Metasploit would list all the options you have under windows/, meterpreter being one of them. You can do this at every "slash".

So anyway, once you have executed the exploit, we can move onto pivoting:


Monday, August 31, 2015

Quick Hindsight Run-through (browser forensics)

Review of Obsidian Forensics' "Hindsight" -

I was looking for a tool that would quickly produce "translated" browser history; I know there are many tools that will export browsing history, and you can even import the user's profile into your current version of Chrome (or one from PortableApps.com). I wanted something quick that would dump the information I needed into an easy-to-read table. Enter Hindsight.

Hindsight is a tool for browser forensics, specifically targeting Google Chrome. With Hindsight, having access to the machine the browser is installed on is not necessary: if you have copied/saved the "Default" folder from within the user's Chrome profile, you can point Hindsight at it.

Chrome Profile Locations:

Windows:
%LOCALAPPDATA%\Google\Chrome\User Data\

Mac:
~/Library/Application Support/Google/Chrome/

Linux:
~/.config/google-chrome/

To run a basic query with Hindsight, you can just run hindsight.exe from the command prompt and it will go after the current user's profile. To target a specific user, you will need to use the -i switch:

Example:
hindsight.exe -i "C:\Users\[User Profile]\AppData\Local\Google\Chrome\User Data\Default"

It should produce something like this:


Once completed, it will dump a spreadsheet by default into the directory you ran Hindsight from. You can change the output format with the -o switch (choices: SQLite and JSON).

The spreadsheet has multiple categories, including time spent on the specific website! Here is a screenshot I pulled from one of my test profiles:



Hindsight will also include all cookies found, but keep in mind that Chrome recently began encrypting cookies, and without the user's Windows logon password you will not be able to view portions of the cookie. See here:


Here are cookies that are not encrypted:



However, there are tools being built to get around this. I have not tried this one yet, and I am not sure it will work with newer versions of Chrome, as the older ones used one fixed encryption scheme instead of a unique, machine-based key:

http://stackoverflow.com/questions/21496209/cookie-issue-with-chrome-33-beta

Hindsight download:

https://github.com/obsidianforensics/hindsight