
Quick Tip on E-mail Gathering

Here’s a quick tip for when you don’t have search engine API keys, theHarvester doesn’t work, and Burp Suite fails to grab all the e-mail addresses from the search engine results.

  1. Search for @example.com on Google
  2. Go to last page of results and click “repeat search with the omitted results included”
  3. Go through each page of results, select all, save as a plain text document (results1.txt, results2.txt, etc)
  4. Run grep -E -o "\b[A-Za-z0-9._%+-]+@example.com\b" results*.txt
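An added example (not part of the original post) that generalizes step 4: the same extraction in Python over the saved results files, handling the cases where the grep pattern's \b boundaries are too loose (example.com.au, example.community) or too strict (subdomains such as mail.example.com). The sample text, the domain and the file names are constructed.

```python
import re

# Constructed sample of saved search-result text (not real data). It mixes a
# mixed-case duplicate, a subdomain address, look-alike domains and an address
# whose local part starts with a dot.
SAMPLE_RESULTS = """
Contact: Alice.Smith@example.com or ALICE.SMITH@EXAMPLE.COM for sales.
Support: help@mail.example.com - Security: abuse@example.com.au
Unrelated: bob@notexample.com, carol@example.community, .lead@example.com
"""


def extract_emails(text, domain, include_subdomains=True):
    """Return sorted, de-duplicated, lower-cased addresses belonging to domain.

    Compared with the page's grep pattern this also (a) accepts subdomains such
    as mail.example.com when include_subdomains is set, (b) rejects hits where
    the domain is only a prefix of a longer one (example.com.au,
    example.community), (c) does not start a match right after a local-part
    character, so '.lead@' is not truncated to 'lead@', and (d) de-duplicates
    without regard to case.
    """
    dom = re.escape(domain)
    host = rf"(?:[A-Za-z0-9-]+\.)*{dom}" if include_subdomains else dom
    pattern = re.compile(
        r"(?<![A-Za-z0-9._%+-])"            # not preceded by a local-part char
        r"[A-Za-z0-9_%+-][A-Za-z0-9._%+-]*"  # local part, first char not a dot
        rf"@{host}"                           # the target domain (or subdomain)
        r"(?![A-Za-z0-9-]|\.[A-Za-z])",      # domain must not continue further
        re.IGNORECASE,
    )
    return sorted({m.group(0).lower() for m in pattern.finditer(text)})


def harvest_files(paths, domain, include_subdomains=True):
    """Run extract_emails over the saved results*.txt files and merge the hits."""
    found = set()
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            found.update(extract_emails(fh.read(), domain, include_subdomains))
    return sorted(found)


if __name__ == "__main__":
    import sys
    # Usage: python harvest.py example.com results1.txt results2.txt ...
    for addr in harvest_files(sys.argv[2:], sys.argv[1]):
        print(addr)
```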

This method, although manual and time consuming, avoids having to deal with HTML and obfuscation tricks and instead allows you to work with plain text.

This should work for other search engines as well.

Another pro tip: disable instant results and infinite scrolling, and set the number of results per page to the maximum allowed.

HTTP/1.1 — STOP; HTTP/1.0 — GO!

Here’s something I came across not too long ago that I thought was a bit odd. An externally accessible web server was being protected by what appeared to be Cisco’s web filtering technology. This was strange because it is the kind of thing one would expect to see on an internal network, restricting access to the outside world. Protecting servers that still require access from the Internet by authorized users is generally done by things like firewalls, IP address whitelists, and VPNs. I believe this was a case of misuse of technology. An attempt to make something work in a way that was not intended. However, that is my job and it is the opposite of what network/systems administrators should be doing when implementing solutions.

Access was denied and a scary sounding message “Access to this destination is not allowed due to a possible malware threat” was presented when trying to access the website:

[Screenshot: the “Access Denied” page. Caption: malware detected! maybe…]

I had not seen that before and my first thought was that maybe an IPS had detected the vulnerability scan that ran the night before. That scenario would have been annoying but not surprising, as the scans are quite noisy. Maybe my source IP got flagged as potentially dangerous? But, after a few checks, it turned out not to be the case. Must be some kind of content filtering setup with a generic message, and possibly IP-based, I figured. Or, even worse, malware had been planted during an earlier compromise and an internal Cisco solution was flagging it but the administrators hadn’t noticed.

Anyway…

I noticed that the test results I was getting back were inconsistent. Some were coming back with the “Access Denied” page, while others with something else entirely. A few manual checks later it became apparent that the Cisco solution was only filtering HTTP/1.1 requests that are normally used by browsers, and letting everything HTTP/1.0 through.

After ensuring all my applications and tools were set to use HTTP/1.0 for communications with this web server, it turned into just a regular day at work. This is what was behind the content filtering wall:

[Screenshot: ShoreTel’s login interface. Caption: Beyond the wall.]

The moral of the story here is two-fold. One, if you are setting up security controls, don’t rely on web content filtering solutions as a means of controlling access to your external websites. Two, if you are testing security, always poke with several different sticks and from several different angles even when you think “there’s no way that would work.”
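An added example (not from the original post) of the second moral, written as a coverage check for your own externally facing host: it sends the same GET once as HTTP/1.0 and once as HTTP/1.1 and reports when the two protocol versions receive different status codes, which is exactly the inconsistency described above. The host name and port are assumptions, and the two canned responses are constructed so the script also runs offline.

```python
import socket

def build_request(version, host, path="/"):
    """Minimal GET for HTTP/1.0 or HTTP/1.1; only the request line differs.
    Host is sent in both cases (1.1 mandates it) so a filter in front of the
    server sees the same request apart from the protocol version."""
    if version not in ("1.0", "1.1"):
        raise ValueError("version must be '1.0' or '1.1'")
    return (f"GET {path} HTTP/{version}\r\nHost: {host}\r\n"
            "User-Agent: version-coverage-check\r\nConnection: close\r\n\r\n"
            ).encode("ascii")

def status_code(response):
    """Numeric status code from a raw response, or None if it has none."""
    parts = response.split(b"\r\n", 1)[0].split(b" ")
    return int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None

def fetch(host, port, version, timeout=5.0):
    """Send one raw request over TCP and return the whole raw response."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(version, host))
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks)

def filter_is_version_dependent(resp_10, resp_11):
    """True when the two versions got different status codes, i.e. the control
    in front of the server is not applied consistently."""
    return status_code(resp_10) != status_code(resp_11)

# Constructed responses mirroring the page's finding: only HTTP/1.1 is blocked.
PASSED_10 = b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n<html>login</html>"
BLOCKED_11 = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\nAccess Denied"

if __name__ == "__main__":
    import sys
    # Usage: python check.py yourhost.example [port]; no arguments uses the samples.
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
        r10, r11 = fetch(sys.argv[1], port, "1.0"), fetch(sys.argv[1], port, "1.1")
    else:
        r10, r11 = PASSED_10, BLOCKED_11
    print("HTTP/1.0 ->", status_code(r10), "| HTTP/1.1 ->", status_code(r11))
    print("version-dependent filtering:", filter_is_version_dependent(r10, r11))
```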

Synapse 1.0 not Recognizing BlackWidow Ultimate Fix

I had an issue where Synapse 1.0 software was not recognizing my BlackWidow Ultimate. My guess is that firmware got updated at some point (probably when I installed Synapse 2.0 without realizing it wasn’t what I wanted) which made the keyboard incompatible with the old software. Razer’s support website told me that I should try updating the firmware:

My BlackWidow or BlackWidow Ultimate is not being detected, is there anything I can do? The latest FW v1.04 should correct most of these problems.

Unfortunately, just like the Synapse 1.0 software, the firmware installer could not detect the keyboard either and therefore could not flash the firmware.

Fast-forward past my messing around with Synapse 2.0: the keyboard’s firmware was now at the latest version and, magically, Razer_BlackWidowUltimate_FirmwareUpdater_v1.04.exe could now detect the keyboard. However, the updater said that “Device is already has the target firmware” and asked me if I wanted to continue. At first I did not want to proceed, but later decided to do it anyway, for science. To my surprise, the updater showed that my current firmware version was 1.08 and the new one would be 1.04. Considering how I’ve come across multiple devices where downgrading firmware was not possible, my first thought was “Uh-oh, I just bricked my keyboard.” Fortunately the downgrade went fine and nothing was bricked. In hindsight, given how buggy I found Synapse 2.0 to be after messing with it (maybe I’ll make a post about that too), none of the above was really all that surprising. After the flash I decided to give Synapse 1.0 another try and it worked! The keyboard was detected and I was able to create macros. Best of all, I didn’t need Synapse 2.0. Yay!

In short, if Synapse 1.0 and Firmware Updater 1.04 do not recognize BlackWidow Ultimate:

  • Try updating firmware to 1.08 and then downgrading to 1.04.

If that doesn’t work:

  • Install Synapse 2.0
  • Use the offline hack to get firmware up to date
  • Downgrade to 1.04
  • Install Synapse 1.0

Hope this helps.

Razer Synapse 2.0 Offline Mode Hack

Skip to bottom half for the instructions.

I have one of Razer’s keyboards and have been happily using it for roughly two years with the Synapse 1.0 drivers. A recent system upgrade required me to install the keyboard drivers again to get all the functionality. I went ahead and got the latest drivers (Synapse 2.0 by this point) and discovered that they required online registration as well as an always-on Internet connection. That didn’t sit well with me, so I found and installed the old Synapse 1.0 drivers. They appeared to work right away and I didn’t bother checking the actual configuration software. However, a few days ago I needed to create a macro and found out that the old Synapse software didn’t recognize the keyboard (although the OS saw it just fine). After a bit of searching I found this little gem from Razer:

Can I use the Razer BlackWidow or Razer BlackWidow Ultimate with the legacy drivers? Legacy drivers for the Razer BlackWidow and Razer BlackWidow Ultimate are available. However, if you have already used your Razer BlackWidow keyboard with Razer Synapse 2.0, you will not be able to roll back to the legacy drivers. Razer Synapse 2.0 configures your keyboard in such a way that makes it only compatible with Razer Synapse 2.0 and not with the legacy drivers.

“For gamers. By gamers.”, you say? Looking further, I found out that Razer had recently improved the offline mode in Synapse 2.0. So I installed the latest version to see what would happen if I tried to launch it and register for the first time without a connection to the Internet. As I suspected, the registration/logon process failed due to network issues and there was no way to enter offline mode right away. A bit more looking around and I figured out a way to force the software into Offline mode and trick it into thinking it is logged in. Here’s how:

  • Install Synapse 2.0 drivers
  • Open up “C:\Users\USERNAME\AppData\Local\Razer\Synapse\Accounts\RazerLoginData.xml” (on Windows 7; not tested on other OS’s)
  • Change the contents to:

<?xml version="1.0" encoding="utf-8"?>
<RazerLogins xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
  <StayLoggedIn>true</StayLoggedIn>
  <LastLoginAccount>hax@hax.com</LastLoginAccount>
  <AllLogins>
    <SavedCredentials>
      <Username>hax@hax.com</Username>
      <Password>hax@hax.com</Password>
      <Mode>Offline</Mode>
    </SavedCredentials>
  </AllLogins>
  <LastLoginDate>2013-06-02T16:01:00.7743658-06:00</LastLoginDate>
  <Version>1</Version>
</RazerLogins>

  • Relaunch the software and you should be logged in and ready to go!

Hope this helps. Thanks to pentestgeek.com for posting their copy of the RazerLoginData.xml file, which saved me from actually having to register an account.

And Razer… you disappoint me. Needless to say, I will not be buying your products again unless you start doing the right thing.

Sincerely.

Computer$ in Domain Admins

The other day I came across a situation I had not seen before. One of the guys I work with gained access to a Windows 2008 box that was joined to a domain. The LSA secrets did not reveal anything useful, no domain users were currently logged on, and password reuse wasn’t the case here. However, and this is the interesting part, it turned out that the computer account itself was a member of the “Domain Admins” group. A quick migration to a SYSTEM process and “net user /add /domain” worked! Domain compromised, and I am now looking into the reasons for adding a host to administrative groups. I imagine it must be some lazy fix…
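An added example (not from the original post) of the check an administrator would want after reading this: parse the output of “net group "Domain Admins" /domain” and flag any member whose name ends in “$”, which is how Active Directory names computer accounts. The sample output below is constructed (the group names and hosts are not real); the --live switch runs the real command on a domain-joined Windows host.

```python
# Constructed sample of `net group "Domain Admins" /domain` output (not a real
# domain); the member list is the part after the dashed separator line.
SAMPLE_NET_GROUP = """\
Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Administrator            FILESRV01$               jdoe
svc_backup               WEB2008$
The command completed successfully.
"""


def parse_net_group_members(output):
    """Extract member names from `net group ... /domain` output.

    Members start after the first line made of dashes and end at the
    'The command completed' line; names are whitespace-separated columns.
    """
    members, in_members = [], False
    for line in output.splitlines():
        if not in_members:
            in_members = line.startswith("---")
            continue
        if line.startswith("The command completed"):
            break
        members.extend(line.split())
    return members


def computer_accounts(members):
    """Computer accounts in Active Directory have a sAMAccountName ending in '$'."""
    return sorted(m for m in members if m.endswith("$"))


def audit(output):
    """Computer accounts found in the group; an empty list is the expected state,
    anything else is a host that can act as a domain admin and should be reviewed."""
    return computer_accounts(parse_net_group_members(output))


if __name__ == "__main__":
    import subprocess, sys
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        output = subprocess.run(["net", "group", "Domain Admins", "/domain"],
                                capture_output=True, text=True, check=True).stdout
    else:
        output = SAMPLE_NET_GROUP
    for acct in audit(output):
        print(f"computer account in Domain Admins: {acct}")
```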

Similar projects to PastebinDorks

I hadn’t really done any research into what’s available out there prior to creating PastebinDorks, but now I’m coming across more and more projects with similar ideas in mind. I thought I’d list them here (in no particular order):

I’m sure there’s more out there and I will post links as I find them.

PastebinDorks

One of the little projects I’ve been working on lately is PastebinDorks. The idea is simple: scan pastebin for potentially interesting information. More specifically, password dumps and releases by current hacking groups such as Anonymous. Writing the tool wasn’t hard (it’s just a few hundred lines of code right now); the actual challenge was, and still is, differentiating valid data from junk such as debug logs. So far I’ve been working on just identifying false positives, but have not done anything about finding false negatives. That bit would require quite a bit of effort, since I would have to go through each paste to verify it (and there are a lot of pastes).

What are the benefits of such a tool? From a security analyst/researcher perspective, it is important to stay current with user trends to provide a valuable, up-to-date service. A dictionary attack is not very useful if it is not fine-tuned. The bad guys already have these real-world passwords since they are the ones who did the hacking in the first place. They are a step ahead and I feel we need to catch up. Another reason is that one might want to monitor for leaks of one’s personal information, compromises of websites one is a member of, leaks from one’s organization, etc.

Anyway, just wanted to make this quick note. The tool is fairly stable right now (as in it’s been able to handle errors gracefully), but I’m still getting too many false positives. Also, it seems I’m missing some of the posts and need to play around with timing requests, although pastebin.com gets upset if I make them too frequently.