#offsec

Hello everyone, it's been a while. :) Just wanted to share something I've been working on with you all.

I've developed a recon script for infrastructure testing which works off a CIDR or a list of IPs. It splits given IPs into groups of 64 (as nmap performs TCP scans on hosts in groups of 64,) launches nmap scans on each group as background processes and then merges the results together once every group has been scanned. The theory behind this is that port scans on over 64 hosts will complete in the time it takes to scan one group of 64 hosts.

From here, it analyses the port scan results and launches service-specific scans. It also creates lists of IPs by service, making any extra checks applicable to all hosts found with a specific service open.

You can find it here. It's still lacking a bit in documentation and usability- there's tools you need to install that I haven't noted down anywhere- but it's 80% tools found on an average Kali Linux build anyway. ^^ I do also want to improve the service scan scripts and see if there's anything I can add to them. Recently got it up and running fully so thought I'd share it.

Otherwise, I am working my way through Burp Suite Academy right now. My plan is to post a review on it here when I've covered what I want to there. Been slacking on it a little since starting work but I'm working on that.

EDIT: Still problems with the analysis section- I had a run through where everything was picked up but there's an issue stopping all hosts and services being picked up. Working on this.

Finished the first part of my keylogger.

It’s 100% not perfect and I can imagine it not running as smoothly on keyboards of a different layout; honestly as this is just a PoC I’m pretty happy with where it is and proceeding forward with it in it’s current form.

It turned out to be more involved than expected- originally I had it working in a loop with GetAsyncKeyState (https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getasynckeystate) but this was using 20% of my CPU when investigated- while this had no negative effect on my laptop personally, it probably wouldn’t be ideal on laptops with weaker CPUs.

This is when I came across Windows hooks (https://docs.microsoft.com/en-us/windows/win32/winmsg/about-hooks) To put it simply, Windows hooks are very similar to JavaScript event listeners- you know, listening for clicks on a specific button and similar? 

The code here is the first step in the process. I used 2 kinds of Win32 functions here as the Win32 API is pretty retarded as I couldn’t setup an event hook for a change in the foreground window through WindowsHookEx: while low level event hooks (denoted by _LL)  do not need to be put into a DLL and then loaded into another C program through WindowsHookEx, a majority of other event hooks do.

WinEventHook, however, doesn’t have this limitation. In order to avoid having to create a separate program just to load in the hooks from a DLL, I simply used the two different functions. This wouldn’t work if I wanted the callbacks to interact; I don’t so yeah. xD

These are the callbacks I created for the two events. I created a keyLogger class with virtual methods which provides the code for returning characters corresponding to keypresses and returning the active foreground window (literally just the window the user is currently interacting with.)

This is my returnChar method- pretty self explanatory. I decided to just use the integer value of the inputted character to determine certain punctuation that was inputted. Unfortunately, I am limited to UK keyboard testing only so I can’t say how well this works on a US keyboard layout! 

The shift key also proved to be a huge issue- for some reason I get an accented a before the shift key is registered as being pressed down. For the sake of simplicity, I simply noted this when encountered as either shift or an accented a (though this may not be needed now that I’m outputting when shift is pressed with a key!)

This is the method for returning the currently active window. Pretty self explanatory.

That’s pretty much it! I have the code in a repo here https://github.com/CourtneyJane2904/keylogger if anyone’s interested. 

My next step will be setting this up to run on startup and to run as hidden as physically possible with the permissions of the user. 

After that there’ll be a focus on sending the data to a remote server and finally looking into the obfuscation and encryption of the program if it flags up Windows Defender. 

Thinking of delivering it through a malicious word document in my PoC scenario but I honestly haven’t decided yet! 

I recently finished (didn't take the test, I was just stumbling through the course, open mouthed and scared) the ineffable WEB-300: Advanced Web Attacks and Exploitation, from the magnanimous OffSec, which is the preparation course for the Offensive Security Web Expert certification (OSWE). The image is a very cool digital black widow spider, which makes sense, because the course is teaching you how to be an attacker on 'the web'.

As scared as I am of spiders, I am enamored by this course. Enough to stare at it for two years then finally take it and complete it over one grueling year. It covers things like: Blind SQL Injection - setting things up in a program called Burpsuite, to repeatedly try sending various things, then clicking a button, and seeing how a website answers, whether it gives us info or errors (which is more info!)

Authentication Bypass Exploitation - skirting around the steps that websites use to make sure you are who you say you are, like taking a 'reset password' click of a button, knowing some admin's email, and getting a database to spit out the token so we can get to the website to reset the password before the admin.

and Server-Side Request Forgery - making a server (someone else's computer in charge of doing real work instead of messing around with a human) ask its connections and resources to get something for you.

Now I know what you're probably thinking: Holy cow, where to even start? If you're not thinking that, congratulations. If you are, I've the answer: Tools. No spider is eating flies without sensing, lurking, biting... this metaphor to say: No one's doing it by hand with no help.

So what tools are helpful? How do you know what's good, what's useful, what's a dime a dozen, what's only going to do part of what you want versus all of it...

Luckily the fan favorites are famous for a reason. Just about anything you'd need is already downloaded into Kali Linux, which is jam packed with much, much more than the average hacker even needs!

Tools are dependent on what you need to do. For this class we need to inspect web traffic, recover source code, analyze said code of source, and debug things remotely.

Inspecting web traffic covers SSL / TLS and HTTP. SSL is Secure Sockets Layer and TLS is Transport Layer Security. These are literally just protocols (rules! internet rules that really smart people spent a lot of time figuring out) that encrypts traffic (mixes and chops and surrounds your communication, to keep it safe and secure). HTTP is the hypertext transfer protocol, which is another set of rules that figures out how information is going to travel between devices, like computers, web servers, phones, etc.

But do you always follow the rules? Exactly. Even by accident, a lot can fall through the cracks or go wrong. Being able to see *exactly* what's happening is pivotal in *taking advantage* of what's not dotting the i's and crossing the t's.

Possibly the most famous tool for web hacking, and the obvious choice for inspecting web traffic, is Burp Suite. It gathers info, can pause in the middle of talking to websites and connections that usually happen behind the scenes in milliseconds, like manipulating HTTP requests. You can easily compare changes, decode, the list goes on.

Decompiling source code is the one where you could find a million things that all do very specific things. For example dnSpy can debug and edit .NET assemblies, like .exe or .dll files that usually *run*, and don't get cracked open and checked inside. At least not by a normal user. .NET binaries are easier to convert back to something readable because it uses runtime compiling, rather than compiling during assembly. All you have to do is de-compile. It's the difference between figuring out what's in a salad and what's in a baked loaf of bread. One's pretty easy to de-compile. The other, you'd probably not be able to guess, unless you already knew, that there are eggs in it! dnSpy decompiles assemblies so you can edit code, explore, and you can even add more features via dnSpy plugins.

Another type of code objects useful to analyze are Java ARchive or JAR files. Another decompiler that's good for JAR files is JD-GUI, which lets you inspect source code and Java class files so you can figure out how things work.

Analyzing source code is another act that can come with a lot of options. Data enters an application through a source. It's then used or it acts on its own in a 'sink'. We can either start at the sink (bottom-up approach) or with the sources (top-down approach). We could do a hybrid of these or even automate code analysis to snag low-hanging fruit and really balance between time, effort and quality. But when you have to just *look* at something with your *eyes*, most people choose VSCode. VSCode can download an incredible amount of plug ins, like remote ssh or kubernetes, it can push and pull to gitlab, examine hundreds of files with ease, search, search and replace... I could go on!

Last need is remote debugging, which really shows what an application is doing during runtime (when it's running!). Debugging can go step-by-step through huge amalgamations using breakpoints, which can continue through steps, step over a step, step INTO a step (because that step has a huge amalgamation of steps inside of it too, of course it does!), step out of that step, restart from the beginning or from a breakpoint, stop, or hot code replace. And the best part? VSCode does this too!

Remote debugging lets us debug a running process. All we need is access to the source code and debugger port on whatever remote system we happen to be working in.

Easy, right? Only a few tools and all the time in the world... WEB-300 was mostly whitebox application security, research, and learning chained attack methods. For example, you'd do three or seven steps, which incorporate two or four attacks, rather than just one. It's more realistic, as just one attack usually isn't enough to fell a giant. And here there be giants. Worry not: we've got some slingshots now.

The next step is seeing if we can get them to work!

Useful links:

(PortSwigger Ltd., 2020), https://portswigger.net/burp/documentation

(DNN Corp., 2020), https://www.dnnsoftware.com/

(0xd4d, 2020), https://github.com/0xd4d/dnSpy

(ICSharpCode , 2020), https://github.com/icsharpcode/ILSpy

(MicroSoft, 2021), https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe

(Wikipedia, 2021), https://en.wikipedia.org/wiki/Cross-reference

(Wikipedia, 2019), https://en.wikipedia.org/wiki/Breakpoint

(Oracle, 2020), https://docs.oracle.com/javase/tutorial/deployment/jar/manifestindex.html

(Wikipedia, 2021), https://en.wikipedia.org/wiki/Integrated_development_environment

(Microsoft, 2022), https://code.visualstudio.com/(Wikipedia, 2021), https://en.wikipedia.org/wiki/False_positives_and_false_negatives

So I've got some news, I'm going back into penetration testing. ^^

I'm starting as a Security Consultant with a brilliant company on the 19th who've offered me an amazing salary.

What I'm mainly impressed by is their training though: not only do you get CREST certification (wanted in the UK,) you also get a training budget to pursue certification of your choosing. I'm going to use mine to achieve more offsec certification. c: They also help with soft skill development too which is my weak point!

I'm hoping this will be the start of an actual career in penetration testing for me. My reason for the move back is mainly due to my interests- hacking is one thing I genuinely get enjoyment out of in my own time and I seem to have potential in it based on the two companies being interested in hiring me!

Think I'm ready to accept the inevitability of client interaction too. XD

So after like a month I’m back and I’ve finished my keylogger project... Honestly there’s more I would have liked to explore but I’m pretty busy with uni work and other things right now so I thought I’d leave it as is. 

I used SigPirate (as mentioned in my previous post) on the dropper in addition to on the keylogger. 

The dropper works by including the binary of the keylogger as an ico file in the resource section of the dropper executable, simply done by copying the exe to the directory and renaming it to have the ico file extension. The resources section in a PE file enables developers to embed various types of data such as icons, images, raw data... The list goes on.

Resources.rc

For those curious, Resources.h simply defines FAVICON_ICO as 100. The ico file should also be in the same directory as the Resources header file. 

There’s honestly not much to show with the dropper program- I can show you a bulk of it in one image.

extractExe loads the ‘ico’ file from the .rsrc section of the program and saves the extracted data into the exeBin variable while saveExeToDisk is pretty self explanatory- it saves the exe to the startup file of the user running the exe.

I did originally add in a launchExe method too; unfortunately this triggered Windows Defender so I kept it to simply saving the exe into the user’s startup folder. Resultingly, the malware activates upon system restart.

On a Windows system with Visual Studio Redistributable installed and no additional antivirus software, this is a viable keylogger that would run as long as the user is unaware of their startup directory; I even somewhat prepared for this scenario by editting the file properties of the file. I named the exe ‘StartupBooster’ and gave it the following file properties:

Conclusion

Honestly I did enjoy this project; I do, however, feel I would have got more out of it if I’d waited until my uni work was finished for the year before starting it. I would have liked to look into getting this to run undetected on a system with additional antivirus software installed.

Additionally, I am somewhat unhappy with the structure of the dropper program as I would have liked to extract the logic of saveExeToDisk into different methods, such as adding genExeFilePath. I did originally do this but I did it last minute and when it didn’t work instantly I resigned to just going back to it’s original structure. However, this is the programming side of me potentially being overly critical. xD 

In future I will likely return to malware dev; I might leave it until I’ve got most of my uni work done for the year as I’m the sort of person who doesn’t do well with focusing on several different things at once as I feel a pressure to get things finished ASAP and it bugs me when I have to leave a personal project on standby!

I’m thinking of doing lighter things that can be done in a period of 1-2 days until then. For example, I have plans to look a little into assembly programming (I have a course on Udemy for this which I haven’t looked at yet!) and I might even return to doing the odd CTF challenge to keep my basic hacking skills sharp- honestly I would have to recap on the uses of nmap and alike at this point!

I’m even considering doing a CTF challenge manually and then writing a program in C++ to automate the process. Also considering writing a C++ program for enumeration that runs on Linux. 

Not sure what I’ll be doing first quite yet! Regardless, I am still glad I did this project and I learned quite a bit about Windows Defender and PE file structure in the process. :) 

In part one I showed a basically functioning keylogger I was working on that was logging keypresses in a useable manner; the produced data was not being sent anywhere, thus making it useless from a malware perspective unless the malicious actor somehow has physical machine access!

In part two, I show how I went about sending data to a remote server. 

Here is the first method I added to KeyLogger- dataToOut. This method takes in a string of data to copy to outputtedData, an external string variable. I did (and still am) considering storing this on the heap via dynamic memory allocation instead to reduce the possibility of stack overflow but I’ll get to that later if needed. :) 

The method essentially uses external variables to keep track of the time passed since the method last executed and calls dataToServer (up next) if the specified time period has passed. For testing purposes, I simply kept this at 10 seconds-20 seconds; my plan is to change this to 5 minutes- dynamic memory allocation for outputtedData may very well be needed when I do this!

These are the external variables used by dataToOut. I had to use externals as KeyLogger methods are virtual due to the need to execute them with every keypress- using standard methods is pointless as I’d have to create a new instance of the class with every keypress, thus losing data from previous keypresses. Probably other ways to do this- I could have maybe created an external instance of the class itself- but if it isn’t broke don’t fix it!

This is dataToServer. I decided to implement the methods in RequestSender as normal. It simply converts outputtedData from a string to a char pointer- a variable that holds the memory address of an array of characters- calculates it’s size and then sends across to RequestSender. 

sendDataAcross is simply a wrapper method that calls the required methods within RequestSender in the needed order.

Here is my RequestSender class and the sendDataAcross method. I decided to use winhttp for sending requests across. Scroll to the bottom of the page at https://docs.microsoft.com/en-us/windows/win32/api/winhttp/nf-winhttp-winhttpsendrequest if you’re curious on implementation.

Here is the output to stdout when sending the request and the received POST requests from the attacker’s end. I script kiddied the POST request receival and opted to use pyserv, https://pypi.org/project/pyserv/

I’m considering writing a simple web server in C to do this for the experience but if I do it’ll be after I’ve completed the malware side of this project. :) 

This is pretty much where I’m at now; this is where the interesting part begins.

I need to make this run without triggering Windows Defender firstly: right now it flags up as being a trojan. I believe this is due to the exe not being digitally signed so I’ll need to look into that firstly.

Once the exe runs locally without triggering Defender, I then need to look into coding a dropper which loads the keylogger into the resource section of the exe, decrypts it and saves it to disk. I actually learned the general process of doing this from https://www.udemy.com/course/ehf-maldev-in-windows/. Honestly a great course- it’s short (ideal for me as I have a terrible attention span when it comes to research!) and the instructor really does explain what could be complex topics in simple ways.

After that, it’s just looking into tricks to hide the exe from other processes with the limited privileges of the user. :3

So yeah that’s it for now! Apologies that this is a slow process; honestly I’m working 7 days a week right now. I’m doing 4 days of uni work and 3 days of personal projects; every second week I have to dedicate a day or two to Maths as I’m working towards a GCSE in Higher Maths. I only got a C at Foundational Maths in school as I bluntly didn’t give a crap enough to put any effort into it back then. xD

Due to this, I am sometimes a bit sluggish on some days. I’m getting there though, halfway through my BSc now so not long to go. c: