Thursday, December 31, 2015

Bypassing GoGo In-flight for free internet

This entry is going to be short, as the techniques I am going to show you either require a VPS (or an at-home SSH server with a public IP) or an iPhone (the iPhone trick is not much of a hack, but it works).

Both of the methods were tested recently, in December 2015, on a two-hour flight.

On my initial flight to visit the family, I connected to the GoGo In-Flight just to play around and see what was going on in the internal network. I knew that I could listen on the network and steal someone's MAC address, but I think that is a cheap trick, so I was looking for other ways to bypass it.

I did an "ifconfig", found the gateway server, did a full port scan on it (WAY too long to complete), then reverted to the nmap default top 1000 ports.

Found 53, 443 and 3128 to be up. It looks like they were using Squid Proxy for their gateway, with 3128 being used for the HTTP/HTTPS traffic. I made some attempts to connect to my VPS on the flight down, but since I didn't have it configured for these ports, I had no luck.

Port 3128 results:
PORT     STATE SERVICE    VERSION
3128/tcp open  http-proxy Squid http proxy 2.6.STABLE14
|_http-methods: No Allow or Public header in OPTIONS response (status code 503)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported: HEAD
|_http-server-header: squid/2.6.STABLE14
|_http-title: Did not follow redirect to http://airborne.gogoinflight.com/abp/page/abpDefault.do?REP=127.0.0.1&AUTH=127.0.0.1&CLI=XXX.XX.131.145&PORT=54273&RPORT=54272

The captain came on and told everyone to put away all electronic devices, so close!

Fast forward to the trip back. I set SSH to listen on 53, 443, and 3128 on my VPS. I had also done some research and found people were able to connect via 53 and 443 over SSH, as they are not using DPI. I had no such luck.

On 53 I was able to make a full TCP connection, but was not able to pass the SSH cert to the VPS (I used -vvv to see where SSH was hanging up).

On 443 I was not able to leave the network at all (SYN_SENT in netstat).

On 3128 I was able to SSH into my VPS on port 3128! Jackpot! The proxy was not inspecting traffic on this port, so I ran the following SSH command to create a SOCKS5 proxy on my machine:

ssh -D 3128 root@VPS.IP -p 3128

Now I went into my browser's network settings, checked "use proxy server" and under "SOCKS" (there may be an option for SOCKS 4 and 5; if so, use 5) I entered my localhost and port (127.0.0.1:3128) and saved.

VOILA! I was able to browse the entire flight for free!
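Seen from the gateway operator's side, what made the trick above work is that an unauthenticated client could hold a long, two-way TCP session to a port that exists for a narrow purpose (the proxy port, or TCP/53 for DNS), and nothing noticed. The script below is an added example, not code from the original post: it scores constructed connection records for that tunnel-like shape. The record layout (client, destination, port, duration, bytes each way, authenticated flag) and the thresholds are assumptions; a real deployment would feed it from the firewall's connection log or NetFlow export.

```python
"""Flag tunnel-like TCP sessions in captive-portal gateway connection records.

Added example, not from the original post. The Flow layout and the
thresholds are assumptions; the sample records are constructed.
"""
from dataclasses import dataclass

# Ports an unauthenticated client is expected to reach (portal and proxy-fronted web).
PORTAL_PORTS = {80, 443}
# Ports that are open for a narrow purpose and should never carry long-lived,
# bidirectional sessions: DNS over TCP and the proxy port itself.
NARROW_PURPOSE_PORTS = {53, 3128}

MIN_DURATION_S = 120          # a DNS lookup or a proxy hop finishes in seconds
MIN_BYTES_EACH_WAY = 50_000   # an interactive tunnel moves data in both directions


@dataclass(frozen=True)
class Flow:
    client: str
    dst: str
    dport: int
    duration_s: int
    bytes_in: int       # bytes from the destination back to the client
    bytes_out: int      # bytes from the client to the destination
    authenticated: bool


def is_tunnel_like(flow: Flow) -> bool:
    """True when a session looks like an encapsulated channel rather than the
    short request/response protocol normally expected on that port."""
    if flow.dport in PORTAL_PORTS:
        return False  # web traffic is the proxy's job to police
    long_lived = flow.duration_s >= MIN_DURATION_S
    chatty_both_ways = (flow.bytes_in >= MIN_BYTES_EACH_WAY
                        and flow.bytes_out >= MIN_BYTES_EACH_WAY)
    return flow.dport in NARROW_PURPOSE_PORTS and long_lived and chatty_both_ways


def suspicious_flows(flows):
    """Flows from clients that never passed the portal and still look like tunnels."""
    return [f for f in flows if not f.authenticated and is_tunnel_like(f)]


# Constructed sample records: a genuine DNS-over-TCP lookup, a blocked attempt
# (handshake never completed), a 90-minute SSH session to the proxy port from
# an unauthenticated client, and the same session from a paying customer.
SAMPLE_FLOWS = [
    Flow("10.0.0.45", "203.0.113.9", 53, 1, 320, 110, False),
    Flow("10.0.0.45", "203.0.113.9", 443, 0, 0, 0, False),
    Flow("10.0.0.45", "203.0.113.9", 3128, 5400, 2_400_000, 310_000, False),
    Flow("10.0.0.77", "198.51.100.3", 3128, 5400, 2_400_000, 310_000, True),
]

if __name__ == "__main__":
    for f in suspicious_flows(SAMPLE_FLOWS):
        print(f"tunnel-like: {f.client} -> {f.dst}:{f.dport} "
              f"{f.duration_s}s in={f.bytes_in} out={f.bytes_out}")
```

Detection like this is the compensating control; the actual fix is egress filtering that lets an unauthenticated client reach only the portal, so that a direct connection to an outside host on 3128 (or any other port) never completes in the first place.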

Now, I know I mentioned needing an iPhone. While I don't own one, I was able to convince my more ethical friend to try some steps I read in a blog, which ended up working also:

1 - Connect to the GoGo Wifi
2 - Browse to the GoGo movie library (free or paid, it doesn't matter, you won't be paying)
3 - Click on a movie and it will bring you to a page to download the GoGo app
4 - Enter the captcha code to access the app.
5 - Submit it
6 - Do not close the browser now! Open a new tab and start browsing the web. If you leave the auth window active, you will retain your authentication cookie, and you can browse as much as you'd like. Once you close the browser window, you will lose your session.

Enjoy your free wifi!

Thursday, September 24, 2015

Quick pivoting lesson

UPDATE 2/9/2016:

I was never able to finish this, and I lost the screen captures from when I was accessing a set of VMs I used for this tutorial. I have since found a better tutorial than my own here:

https://highon.coffee/blog/ssh-meterpreter-pivoting-techniques/

Sorry about that!

So I have been playing around in the OSCP labs, and as you may have heard, pivoting into different boxes becomes key as you "unlock" different parts of the network. As someone who doesn't pivot too often (I experiment with and test applications and setups; pivoting is more of a Red Team tactic), this became quite confusing after a while, so I did a brain dump for myself. I decided to also share it with you.

Let's begin:

So you need some sort of access to the box. In the example I have provided, I have escalated to SYSTEM privileges; however, I was also able to pivot using the meterpreter "portfwd" command on a box where I only had low-level privileges. However, what I am about to show you may not work; I already had all the screen captures when that idea popped into my head.

First obtain a reverse meterpreter; I did so via HP Power Manager running on port 80:

Next assign the payload using "set payload windows/meterpreter/reverse_tcp". A breakdown of this:

Windows - we are exploiting a Windows box
Meterpreter - we have deployed a reverse shell using meterpreter
Reverse TCP - listening for a "callback" shell

There are so many options between slashes. For instance, if you were to type windows/ then hit [TAB], metasploit would list all options you have under windows/, meterpreter being one of them. You can do this after every "slash".

So anyway, once you have executed the exploit, we can move on to pivoting:


Monday, August 31, 2015

Quick Hindsight Run-through (browser forensics)

Review of Obsidian Forensics' "Hindsight" -

I was looking for a tool that would quickly produce "translated" browser search results; I know there are many tools that will export browsing history, and you can even import the user's profile into your current version of Chrome (or one from PortableApps.com). I wanted something quick that would dump the information I needed into an easy-to-read table. Enter Hindsight.

Hindsight is a tool used for browser forensics, specifically targeting Google Chrome. With Hindsight, access to the machine the browser is installed on is not necessary: if you have copied/saved the "Default" folder from within the user's Chrome profile, you can point Hindsight at it.

Chrome Profile Locations:

Windows:
%LOCALAPPDATA%\Google\Chrome\User Data\

Mac:
~/Library/Application Support/Google/Chrome/

Linux:
~/.config/google-chrome/

To run a basic query with Hindsight, you can just run hindsight.exe from the command prompt and it will go after the current user's profile. To target a specific user, you will need to use the -i switch:

Example:
hindsight.exe -i "C:\Users\[User Profile]\AppData\Local\Google\Chrome\User Data\Default"

It should produce something like this:


Once completed, it will dump a spreadsheet by default into the directory you ran Hindsight from. You can change the output with the -o switch (choices: SQLite and JSON).

The spreadsheet has multiple categories, including time spent on each specific website! Here is a screenshot I pulled from one of my test profiles:
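The "time spent" column comes from the same place Hindsight reads it: the History SQLite file in the profile folder, where the urls table holds each address and the visits table records every visit with its duration. The script below is an added example, not Hindsight's code. It builds a constructed in-memory History database with the subset of those two tables' columns that Chrome actually uses, converts Chrome's timestamps (microseconds since 1601-01-01 UTC, the WebKit epoch) to readable UTC times, and sums visit_duration per URL; against a copied profile you would open "<profile>/Default/History" instead of build_sample_history().

```python
"""Read a Chrome "History" SQLite database and compute time spent per site.

Added example, not Hindsight's code. Uses a constructed in-memory database
with the relevant columns of Chrome's urls and visits tables; point
sqlite3.connect() at a copied History file for a real run.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome stores times as microseconds since 1601-01-01 00:00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(microseconds: int) -> datetime:
    """Convert a Chrome/WebKit timestamp to an aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def datetime_to_webkit(dt: datetime) -> int:
    """Inverse conversion, used here only to build the constructed sample rows.
    Integer arithmetic on purpose: the values exceed float's exact range."""
    delta = dt.astimezone(timezone.utc) - WEBKIT_EPOCH
    return delta.days * 86_400_000_000 + delta.seconds * 1_000_000 + delta.microseconds


def time_spent_per_url(conn: sqlite3.Connection):
    """Return (url, title, visit_count, last_visit, seconds_spent) per URL.

    visits.visit_duration is in microseconds; a visit that was still open
    when the browser shut down is stored as 0 and contributes nothing.
    """
    rows = conn.execute(
        """
        SELECT u.url, u.title, u.visit_count, u.last_visit_time,
               COALESCE(SUM(v.visit_duration), 0)
        FROM urls u LEFT JOIN visits v ON v.url = u.id
        GROUP BY u.id
        ORDER BY u.last_visit_time
        """
    ).fetchall()
    return [
        (url, title, count, webkit_to_datetime(last), duration_us / 1_000_000)
        for url, title, count, last, duration_us in rows
    ]


def build_sample_history() -> sqlite3.Connection:
    """Constructed stand-in for a copied History file (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, visit_duration INTEGER);
        """
    )
    t0 = datetime_to_webkit(datetime(2015, 12, 31, 12, 0, tzinfo=timezone.utc))
    conn.executemany("INSERT INTO urls VALUES (?, ?, ?, ?, ?)", [
        (1, "https://example.com/", "Example Domain", 2, t0 + 600_000_000),
        (2, "https://example.net/login", "Sign in", 1, t0 + 1_200_000_000),
    ])
    conn.executemany("INSERT INTO visits VALUES (?, ?, ?, ?)", [
        (1, 1, t0, 90_000_000),                # 90 s on example.com
        (2, 1, t0 + 600_000_000, 30_000_000),  # another 30 s ten minutes later
        (3, 2, t0 + 1_200_000_000, 0),         # visit still open at shutdown
    ])
    return conn


if __name__ == "__main__":
    for url, title, count, last, secs in time_spent_per_url(build_sample_history()):
        print(f"{last:%Y-%m-%d %H:%M:%S} UTC  {count:>3} visits  {secs:>6.0f}s  {url}  ({title})")
```

Keeping the conversion in integer microseconds matters: 2015 is roughly 1.3e16 microseconds after 1601, past the point where a double can represent every integer, so a float-based conversion silently rounds timestamps by a few microseconds, which is enough to break cross-referencing with other artifacts.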

Hindsight will also include all cookies found, but keep in mind that Chrome recently began encrypting cookies, and without the user's Windows logon password you will not be able to view portions of the cookie. See here:


Here are cookies that are not encrypted:

However, there are tools being built to get around this. I have not tried this one yet, and I am not sure it will work with newer versions of Chrome, as the older ones used one specific encryption scheme instead of a unique, machine-based key:

http://stackoverflow.com/questions/21496209/cookie-issue-with-chrome-33-beta
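Before reaching for any decryption tool it helps to know which cookies in a copied profile are readable at all. Chrome's Cookies database keeps a plain "value" column and an "encrypted_value" BLOB; when the blob is empty the cookie is stored in the clear, and when it is used the first bytes identify the scheme: on Windows from Chrome 33 it is a DPAPI blob (version 1 followed by the DPAPI provider GUID), which only unprotects under the same user's Windows credentials, while Linux and macOS builds prefix the blob with "v10" or "v11". The script below is an added example, not Hindsight's code; it classifies constructed cookie rows by that header so a reviewer knows what is usable offline and what needs the original account.

```python
"""Triage Chrome cookie rows: which values are readable from a copied profile?

Added example, not Hindsight's code. Classification is by the header of the
encrypted_value BLOB only; the sample rows are constructed.
"""
from dataclasses import dataclass

# Windows DPAPI blobs start with version 1 and the DPAPI provider GUID
# {DF9D8CD0-1501-11D1-8C7A-00C04FC297EB} in little-endian byte order.
DPAPI_HEADER = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")

SCHEME_NOTES = {
    "plaintext": "value column holds the cookie as-is",
    "dpapi": "Windows DPAPI; unprotects only as the same Windows user",
    "v10": "Linux: key derived from a fixed secret; macOS: key from the Keychain; "
           "Chrome 80+ on Windows: AES-GCM key kept DPAPI-protected in Local State",
    "v11": "Linux: key held by the desktop keyring (GNOME Keyring / KWallet)",
    "unknown": "unrecognised header; inspect manually",
}


@dataclass(frozen=True)
class CookieRow:
    host_key: str
    name: str
    value: str
    encrypted_value: bytes


def classify(row: CookieRow) -> str:
    """Name the storage scheme of one cookie row from its blob header."""
    blob = row.encrypted_value
    if not blob:
        return "plaintext"
    if blob.startswith(DPAPI_HEADER):
        return "dpapi"
    if blob.startswith(b"v10"):
        return "v10"
    if blob.startswith(b"v11"):
        return "v11"
    return "unknown"


def readable_offline(row: CookieRow) -> bool:
    """True when the cookie can be read straight from the copied database."""
    return classify(row) == "plaintext"


def triage(rows):
    """Map cookie name to scheme for a list of rows."""
    return {row.name: classify(row) for row in rows}


# Constructed sample rows; the blobs are header-only stand-ins, not real ciphertext.
SAMPLE_ROWS = [
    CookieRow("example.com", "session", "", DPAPI_HEADER + b"\x00" * 8),
    CookieRow("example.com", "prefs", "lang=en", b""),
    CookieRow("example.org", "lin", "", b"v10" + b"\x11" * 16),
    CookieRow("example.org", "ring", "", b"v11" + b"\x22" * 16),
    CookieRow("example.net", "weird", "", b"\x99\x99"),
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        scheme = classify(row)
        print(f"{row.host_key:<12} {row.name:<8} {scheme:<9} {SCHEME_NOTES[scheme]}")
```

Against a real profile, read the rows with sqlite3 from "<profile>/Default/Cookies" (columns host_key, name, value, encrypted_value) and pass them through triage(); the count of "dpapi" rows tells you immediately how much of the cookie evidence depends on having the user's logon credentials rather than just the files.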

Hindsight download:

https://github.com/obsidianforensics/hindsight