Monday 3 September 2018

Compromising P-CSCF using VoLTE

The IP Multimedia Subsystem (IMS) lets telecom operators deliver multimedia applications and voice traffic over IP transport. The Proxy Call Session Control Function (P-CSCF) is the first node in the IMS platform (figure 1) to interact with the User Equipment (UE) when a VoLTE call is initiated.

figure 1 - Placement of P-CSCF in IMS Platform

Identify and Compromise P-CSCF with VoLTE phone:

1) Initiate a call with a VoLTE phone and simultaneously open the phone's terminal to list the currently established sessions. It was possible to identify the IP address of the serving P-CSCF node, connected on port 5060 (figure 2).

figure 2 - Identifying P-CSCF node connected on port 5060 (SIP protocol)

2) The management consoles of the application server and the P-CSCF application (figure 3 & figure 4) were found by performing a service scan on the identified IP address.

figure 3 - P-CSCF application's management console
figure 4 - Application server's management console

3) The application server, Oracle Glassfish, was found to be weakly configured and could be accessed using weak credentials (figure 5).

figure 5 - Access to Oracle Glassfish server using weak credentials

4) A reverse shell was triggered using a web shell, and root access to the P-CSCF node was gained (figure 6).

figure 6 - Gained root access to P-CSCF (IMS)

After gaining access to the IMS platform, an attacker can compromise other core telecom components in the network.

To prevent such attacks, telecom operators should ensure traffic segregation between the user plane, control plane and management plane. It is highly recommended to patch all core network elements with the latest security patches released by the vendor. Operators should also develop and implement minimum security guidelines before integrating nodes into the network.

Hope you enjoyed reading, suggestions are always welcome.


Cheers!

Tuesday 23 May 2017

Create secured Meterpreter connection using Metasploit Paranoid Mode

Metasploit Paranoid Mode helps you create and maintain your Meterpreter session over SSL.

This is achieved by verifying the handler certificate.

The demonstration below is performed from a Kali Linux system against a Windows 7 system, using the Paranoid Mode feature to create the payload and Metasploit to handle the session using Meterpreter.

The following payloads can be used in Paranoid Mode.
Staged (payload.bat|ps1|txt|exe):
windows/meterpreter/reverse_winhttps
windows/meterpreter/reverse_https
windows/x64/meterpreter/reverse_https

Stageless (binary.exe):
windows/meterpreter_reverse_https
windows/x64/meterpreter_reverse_https

The script can be found here.


Sunday 14 May 2017

Infecting systems with WannaCry ransomware

On 12th May 2017, a ransomware called WannaCry was released.
WannaCry leverages the EternalBlue exploit, which was released with the recent NSA data leaks by ShadowBrokers, to target all Windows systems that are not patched for MS17-010.

Video showing Live WannaCry infection:


Whitelist the URL www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com to stop the virus from infecting the host and from spreading.
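
Whether the URL above is actually reachable from inside a network can be audited from web proxy logs. The following is an added example, not code from the original post: it lists the clients that requested the domain and flags those whose requests were denied. The log format, client addresses and function names are constructed for illustration.

```python
from collections import defaultdict

# Domain quoted in the post above.
KILL_SWITCH = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample in a hypothetical "timestamp client action host" format.
SAMPLE_LOG = """\
2017-05-13T09:14:02Z 10.0.4.17 ALLOW www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-13T09:14:05Z 10.0.4.22 DENY www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-13T09:15:10Z 10.0.4.17 ALLOW update.example.com
2017-05-13T09:16:44Z 10.0.4.22 DENY WWW.IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM.
2017-05-13T09:17:00Z 10.0.4.31 ALLOW www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.lookalike.example
malformed line
"""


def normalize(host):
    """Lower-case the host, drop any :port suffix and a trailing root dot."""
    return host.strip().lower().split(":")[0].rstrip(".")


def triage(log_text):
    """Return {client: {"ALLOW": n, "DENY": n}} for kill-switch requests only."""
    hits = defaultdict(lambda: {"ALLOW": 0, "DENY": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] not in ("ALLOW", "DENY"):
            continue  # skip lines that do not match the assumed format
        _, client, action, host = parts
        if normalize(host) == KILL_SWITCH:  # exact match, not substring
            hits[client][action] += 1
    return dict(hits)


def blocked_clients(report):
    """Clients whose kill-switch requests were never allowed through."""
    return sorted(c for c, n in report.items()
                  if n["ALLOW"] == 0 and n["DENY"] > 0)


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for client, counts in sorted(report.items()):
        print(client, counts)
    print("kill switch blocked for:", blocked_clients(report))
```

Every client in the report is a candidate for isolation and an MS17-010 patch check; the clients returned by `blocked_clients` are the ones for which the whitelist entry is missing.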

Microsoft released a patch for MS17-010 on 14th March 2017 - https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Recently, they have also released a patch for Windows XP, Server 2003 and Windows 8 to fight the attack - https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Malware samples can be found on -
https://transfer.sh/PnDIl/CYBERed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.EXE

https://transfer.sh/ZhnxR/CYBER1be0b96d502c268cb40da97a16952d89674a9329cb60bac81a96e01cf7356830.EXE

https://mega.nz/#!VRtRAaZD!BNcDDAsSSAyb7k3IBdTyy1E1CrOBF5RqVf7MlIFucEI 
password: hackerhouse


This ransomware will look for and encrypt the following file types:
.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der


Monday 1 May 2017

Mimikatz in JScript - Running in memory


Video PoC of running Mimikatz in JS from memory.




Test was performed on Windows 7 x64.

Mimikatz.js can be found here.


A script to convert any .NET application to JS can be found here.


Follow me on Twitter - @hardw00t

Exploiting MS17-010 with Metasploit

MS17-010 has caused a lot of fuss recently, especially after the NSA data leak by ShadowBrokers.

The exploits are made to run on old versions of Python and Windows.
So far we have been using it with FuzzBunch, an exploitation framework similar to Metasploit, which was part of the data leak.

We will be using the EternalBlue exploit (MS17-010) to compromise a Windows Server 2008 R2 system.
A test bed was created to perform this, configured with the following:

1) Kali Linux
2) Windows Server 2008 R2 SP1

You can download the exploit from here or use the following command to clone the repository:

git clone https://github.com/hardw00t/Eternalblue-Doublepulsar-Metasploit

Now copy 'eternalblue_doublepulsar.rb' to the exploit module of Metasploit.

Finally, reload all the modules of Metasploit and run the exploit on the vulnerable target.

Follow the video below to run the exploit using Metasploit:



Exploiting MS17-010 using FuzzBunch and Metasploit

FuzzBunch is an exploit framework like Metasploit, which was released in the recent NSA data leak by ShadowBrokers.

The leaked data can be found here.

The framework included the following exploits:

1) EternalBlue - MS17-010
2) EternalSynergy - MS17-010
3) EternalRomance - MS17-010
4) EternalChampion - MS17-010
5) EmeraldThread - MS10-061
6) EskimoRoll - MS14-068
7) EducatedScholar - MS09-050
8) EclipsedWing - MS08-067

Here we will be using EternalBlue with DoublePulsar; DoublePulsar is used for DLL injection.

A virtual test bed was created for this activity. The virtual environment involved the following:
1) Windows XP x86 - installed with Python 2.6, Pywin32 and FuzzBunch repository
2) Windows Server 2k8 R2 SP1

Video PoC: