Monday, December 17, 2007
A tool to intercept and manipulate the execution of programs. It lets the user insert hooks on function calls and on arbitrary addresses within the executable file in memory. The hook handlers are written in Python and can be changed at runtime without restarting the inspected process.
What's new in uhooker v1.3?
-Several bug fixes, everything should work better than before :)
-Fixed a bug in the readunicode() API where reading empty multibyte strings made the plugin freeze forever.
-Now you can load multiple .CFG files (load one, then load another to hook something else, etc.). Previously you could only load one .CFG file with breakpoint/handler definitions; now you can load as many as you like, whenever you want.
-If a .CFG file overlaps previously set hooks, you get the chance to redefine them (for example, you can dynamically change the file/function handling the breakpoint. This adds to the feature, present since the first version of uhooker, that allows runtime rewriting of the handler's code).
-Errors in the code of the handlers (written in Python) are now handled correctly. Previously, an error in the code you wrote to handle a certain breakpoint caused uhooker's Python server to 'crash', and you needed to restart your debugging session all over. This scenario was very common, particularly if you were developing your own handler/script for the first time, or if you were modifying the code of a handler/script at runtime. Well, no more! :) Now if you have an error (syntax error, indentation error, general programming error, etc.), the error in your handler is displayed on uhooker's console and you can recover from it. This improvement means:
1- If an error occurs in the code, you don't need to restart the debugger session (and lose the state of the program, etc.).
2- If you are changing the code of the handler at runtime and you make a mistake, you'll see what caused the error, fix the script/handler and move on!
-And there are probably more things, but I didn't write them down and now I don't remember :).
Wednesday, December 12, 2007
that allows you to intercept and modify network traffic using a hex editor.
Embedded Video (only IE I think)
Tuesday, December 04, 2007
I'm uploading new scripts for uhooker and also new videos showing how these scripts are used, to help you get an idea of the purpose of the scripts.
I just uploaded a video showing how to use the Change Connect() script, you can find it here:
Embedded in browser:
Direct Download of .WMV file (if using firefox, you will probably
need to download this one):
Note: If anyone knows of a free program to do screencasts & convert screencasts
to .SWF files(flash), please let me know. I'm currently doing it using 'Windows
Media Encoder', and I couldn't find a decent program to convert .WMV
to Flash. Any suggestion is welcome.
Friday, November 30, 2007
Change Connect(): This script displays all calls to connect() and allows you to change the IP address:Port of the connection. This is useful for debugging, to redirect traffic to some other place instead of the original server, for example, you can redirect traffic to proxy_hooker and use the 'Visual Fuzzing :)' script to observe/modify traffic.
Thursday, November 29, 2007
I also 'improved' and added the following scripts:
Intercept Network Traffic With Hex Editor: These scripts intercept sendto(), send() and recv(), and for every packet a hex editor is displayed. You can use the hex editor to change bytes of the packet, and then close it to pass the modified packet to the application. It's fuzzing with a GUI! :).
I'll try to create a screencast so you can get a visual idea of what these scripts do. I'm gonna start uploading some other scripts I think you may find useful.
And.. I've also changed the 'look and feel' of the uhooker web site, mmm, if you think it's bad now go to web.archive.org and prepare to be amazed!.
Monday, November 19, 2007
Windows Anti-Debug Reference
by Nicolas Falliere
I haven't read it yet, but I'm a sucker for articles/papers with hex numbers and assembler source code :).
I'll read it later today and make a post if I can think of something worth saying about it :).
Saturday, November 17, 2007
Thanks go to Matias Brutti, he's the proud owner of the N800 :) and he's the one that made it work. It is actually pretty straightforward, you only need to change a few lines of code.
For more info and photos, click here.
Wednesday, November 07, 2007
So, let's say you want to intercept all the functions exported by kernel32.dll? Well, writing the .cfg file and the .py file with the handlers by hand can be a daunting task :), it has hundreds of functions.
So, instead of doing that, just use genhooks.py like this:
genhooks.py -f kernel32.dll -t b -c kernel32.cfg -p kernel32.py
-f: specifies the name of the DLL
-t: specifies the hook type. b = before, a = after, * = address (you would normally use b or a)
-c: OPTIONAL. Specifies the name of the .cfg file. If it is not specified, dllname_without_the_extension.cfg will be used.
-p: OPTIONAL. Name of the .py file with the hooks for all the functions. If it is not specified, dllname_without_the_extension.py will be used.
And that's it. It's a very simple script that I coded 300 hundred times already; the only difference is that now I'm keeping a copy around :).
The script can be found here:
Direct download link:
Edit wifizoo.py and change the following code:

    # mm, would be better to use callback perhaps. TODO
    p = sniff(filter=None, iface=conf.iface, count=1)
    pkt = p

to this:

    #capture.pcap is the name of the capture file. Yes, it's hard-coded :)
    pcapr = PcapReader('capture.pcap')
    # mm, would be better to use callback perhaps. TODO
    #p = sniff(filter=None, iface=conf.iface, count=1)
    pkt = pcapr.next()
    #pkt = p

It's a quick hack, but it works.
Friday, November 02, 2007
Tuesday, October 02, 2007
-It now has a web GUI running on localhost:8000, which will hopefully make it more 'convenient' to use.
-And it also has an 'HTTP proxy' a la ferret/hamster. You can display the captured cookies with the web GUI; clicking on a cookie sets that cookie on the wifizoo proxy. Set your browser to use the proxy and, again, hopefully, that will do the trick.
Direct download link:
Wednesday, September 19, 2007
This 'fix' is going to be included in the next version, but if anyone wants the fix right now, please send me an email (hernan [at] gmail.com) and I'll send you the version that supports cards that do not output Prism headers.
Tuesday, September 18, 2007
You can get it here:
The direct download link is the following:
(if you click the last link, you miss the graph samples :))
Friday, September 07, 2007
I also wanted a tool to leave unattended, hopping through all 802.11 channels, go read a book, come back, and get some useful information from it. I also wanted to make graphs of stuff, because everybody loves graphs, and I do too :). I really believe data representation is very important and changes everything.
So I basically reinvented the wheel, added some stuff to it, everything using Python, and came up with WifiZoo.
You can check it out at http://community.corest.com/~hochoa/wifizoo/index.html. You can find a detailed description of the tool in the previous link.
Again, it's nothing spectacular, but it's a fun tool to use on wireless penetration tests. It works, lots of functionality still needs to be added, but again, it gets the job done. For now, I take the tool as a fun exercise to spend time on from time to time :).
Wednesday, September 05, 2007
It includes scenarios, workarounds, possible issues etc.
I'll be adding more info from time to time, so check it out periodically if you are interested in the tool.
Tuesday, September 04, 2007
I expect people to continue having issues on some platforms because the things the tool does depend on certain memory areas that vary from OS version to OS version, so, if you have issues, please let me know; most of the time it is very easy to add support for your platform to the tool.
The source code is available here.
The binaries are available here
-Improved support for Windows XP SP2 German/French and Windows 2003 SP1/SP2, both for IAM.EXE and WHOSTHERE.EXE.
-Added the -B switch to IAM.EXE and WHOSTHERE.EXE. If IAM.EXE or WHOSTHERE.EXE is not working in your configuration, please run the tools again specifying -B at the end. The -B option will try to find, using 'heuristics', the addresses the tools need to do what they do. If you are still having issues, please let me know; I expect people to have issues because the addresses vary from OS version to OS version.
Note for Windows Server 2003 users:
-If you run IAM.EXE and it ends as expected, as if it had worked, but then you run WHOSTHERE.EXE and the credentials did not change, do the following:
-Start a cmd.exe using runas, for example:
runas /user:administrator cmd.exe
-In the new console run IAM.EXE, and then WHOSTHERE.EXE to verify. Now it should work.
It seems that sometimes you need a new session, different from the interactive session, for LSASS.EXE to accept the modifications to the credentials in memory. If you are logging in to the machine remotely using psexec/Remote Desktop etc. this does not occur (at least, this is what I observed); I had troubles like this when logging in interactively to the server. Also, after you run 'runas', running IAM.EXE in a regular CMD.EXE shell will start working. Don't take any of this as a precise explanation of what's going on; this is just what I observed and a way to work around it. I'll analyze what's really going on in the future.
Friday, August 24, 2007
So at +265 you have the 'Owner user name' and at +297 the 'Owner group name'.
Let's try it:
Yes, 'hernan', that's me; 'wheel', yes, that's the group name.
Now go to Google and do some 'filetype:tar'/'filetype:tgz' etc. searches
and have fun! :)
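As an added example (not code from the post), this Python parser walks the 512-byte ustar headers of an archive and reads the owner and group names at the +265 and +297 offsets given above, so you can check what your own tarballs leak before publishing them. The sample archive it builds with the standard tarfile module is constructed for the demonstration, and the owner names in it are assumed values.

```python
import io
import tarfile

# ustar header layout (from the post): uname at +265, gname at +297,
# each a 32-byte NUL-padded field inside a 512-byte header block.
UNAME_OFF, GNAME_OFF, FIELD_LEN = 265, 297, 32
HEADER_LEN = 512


def _field(header, off, length):
    """Decode a NUL-padded ASCII field from a 512-byte tar header."""
    return header[off:off + length].split(b"\0", 1)[0].decode("ascii", "replace")


def owners_in_tar(data):
    """Return [(member name, owner user name, owner group name), ...]
    for every entry in a (uncompressed) tar archive given as bytes."""
    out = []
    pos = 0
    while pos + HEADER_LEN <= len(data):
        header = data[pos:pos + HEADER_LEN]
        if header == b"\0" * HEADER_LEN:  # end-of-archive marker
            break
        name = _field(header, 0, 100)
        size = int(_field(header, 124, 12).strip() or "0", 8)  # octal size field
        out.append((name, _field(header, UNAME_OFF, FIELD_LEN), _field(header, GNAME_OFF, FIELD_LEN)))
        # Skip the header plus the data, rounded up to a 512-byte block boundary.
        pos += HEADER_LEN + ((size + 511) // 512) * 512
    return out


def build_sample_tar(uname="hernan", gname="wheel"):
    """Constructed sample: a one-file ustar archive with the given owner names
    (the defaults are assumed values, not anyone's real archive)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        payload = b"hello\n"
        info = tarfile.TarInfo("notes.txt")
        info.size = len(payload)
        info.uname, info.gname = uname, gname
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    for name, user, group in owners_in_tar(build_sample_tar()):
        print(f"{name}: owner={user!r} group={group!r}")
```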
Friday, August 17, 2007
The idea behind this is to avoid situations where you run the tool on a system that doesn't have the correct LSASRV.DLL version, most likely crashing the LSASS.EXE process and forcing you to reboot your machine. Not good :).
So, if you run IAM.EXE and get something like this:
Checking LSASRV.DLL....Unknown LSASRV.DLL.
LSASRV.DLL: 00050001h. A280884h
It means I don't know about your DLL version. Please send me an email with the version number you have and I'll do my best to get a hold of a copy of that exact DLL version to solve the issue. (While you are at it, also send me the text representation of the DLL version just in case: right-click the DLL, Properties->Version->File Version, and also the language of your Windows installation, etc.)
I'll try to come up with a generic solution for this, but since the tool is mostly intended to be run on your own machine and not to be used to compromise a machine or whatever, I didn't think it would matter much to make it generic. This should not be difficult to implement.
On the other hand, WHOSTHERE.EXE does not have such checks because it only reads memory, so when it fails, you only get invalid output; the worst thing that can happen is WHOSTHERE.EXE itself crashing.
Wednesday, August 15, 2007
I'm releasing Pass-The-Hash Toolkit v1.0, you can find it here:
For those of you who do not want to read the detailed description :),
in a nutshell, it is pass-the-hash for Windows (iam.exe), for example:
iam.exe administrator mydomain 0102030405060708090A0B0C0D0E0F10
After running the program, outbound network connections that use NTLM
authentication will use the new credentials. And there is a tool
(whosthere.exe) to list currently logged-on users and their NTLM
credentials by reading LSASS.EXE's internal structures (see the 'long
description' for use cases).
And now the long description:
The Pass-The-Hash Toolkit contains utilities to manipulate the Windows
Logon Sessions maintained by the LSA (Local Security Authority)
component. These tools allow you to list the current logon sessions
with their corresponding NTLM credentials (e.g.: users remotely logged
in through Remote Desktop/Terminal Services), and also change at runtime
the current username, domain name, and NTLM hashes (YES, PASS-THE-HASH
Utilities in the toolkit:
* IAM.EXE: Pass-The-Hash for Windows. This tool allows you to
change your current NTLM credentials without having the cleartext
password, only the hashes of the password. The program receives a
username, domain name and the LM and NT hashes of the password; using
these it changes in memory the NTLM credentials associated with the
current Windows logon session. After the program performs this
operation, all outbound network connections to services that use for
authentication the NTLM credentials of the currently logged-on user
will utilize the credentials modified by IAM.EXE. This includes 'net
use', 'net view', many third-party DCOM services that use NTLM
authentication, etc. This is basically 'pass-the-hash' for Windows;
one of the main advantages is that you don't need to use a modified
version of samba or samba-tng and be restricted to the limited
functionality they implement: you can now use Windows and any
third-party software with stolen hashes without having to obtain the
cleartext version of a password. For more information take a look at
this paper I wrote back in 2000: 'Modifying Windows NT Logon Credentials'.
* WHOSTHERE.EXE: This tool lists the current logon sessions
with NTLM credentials (username, domain name, LM and NT hashes). Logon
sessions are created by Windows services that log in using specific
users, remote desktop connections, etc. This tool has many uses; one
that I think is interesting: let's say you compromised a Windows
Server that is part of a Windows Domain (e.g.: a backup server) but is
NOT the domain controller. Since it is not the domain controller, you
only have access to the local SAM, and although you did effectively
compromise a sensitive server you did not compromise the domain.
However, it is very common in such situations to find that
administrators are using Remote Desktop to connect to the compromised
server to perform different tasks. So this is your chance: just wait
for the administrator to log into the compromised server using Remote
Desktop, at that point run 'WHOSTHERE.EXE' and you will observe the
administrator's username, domain name, and NTLM hashes. Now go to your
machine, use them with IAM.EXE and compromise the domain controller
using the administrator's credentials.
* GENHASH.EXE: This is a small utility that generates LM and NT
hashes using some 'undocumented' functions of the Windows API. This is
a small tool to aid testing of IAM.EXE.
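From the defender's side, an added example that is not part of the toolkit or the post: the distinction the post draws between WHOSTHERE.EXE (only reads LSASS.EXE memory) and IAM.EXE (writes to it) shows up in the access rights a process obtains on LSASS.EXE. This Python snippet classifies process-access records by the PROCESS_VM_READ and PROCESS_VM_WRITE bits of the granted mask; the records are constructed samples in the shape of the SourceImage/TargetImage/GrantedAccess fields of Sysmon Event ID 10 (an assumption about the telemetry available), and the image paths in them are made up.

```python
import re

# Subset of the Win32 PROCESS_* access-right bits that matter here.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

# Constructed sample records (not real telemetry), in the shape of the
# SourceImage / TargetImage / GrantedAccess fields of Sysmon Event ID 10.
SAMPLE_EVENTS = """\
SourceImage: C:\\tools\\whosthere.exe TargetImage: C:\\Windows\\System32\\lsass.exe GrantedAccess: 0x1010
SourceImage: C:\\tools\\iam.exe TargetImage: C:\\Windows\\System32\\lsass.exe GrantedAccess: 0x1438
SourceImage: C:\\Windows\\System32\\svchost.exe TargetImage: C:\\Windows\\System32\\lsass.exe GrantedAccess: 0x1000
SourceImage: C:\\Program Files\\app\\app.exe TargetImage: C:\\Windows\\System32\\notepad.exe GrantedAccess: 0x1fffff
"""

LINE_RE = re.compile(
    r"SourceImage: (?P<src>.+?) TargetImage: (?P<dst>.+?) GrantedAccess: (?P<mask>0x[0-9a-fA-F]+)"
)


def classify_lsass_access(line):
    """Return ('lsass-write', source) when a process obtained a handle to
    LSASS.EXE with PROCESS_VM_WRITE (what changing credentials in memory needs),
    ('lsass-read', source) for read-only access (enough to dump them),
    or None for any other record."""
    m = LINE_RE.search(line)
    if not m or not m.group("dst").lower().endswith("\\lsass.exe"):
        return None
    mask = int(m.group("mask"), 16)
    if mask & PROCESS_VM_WRITE:
        return ("lsass-write", m.group("src"))
    if mask & PROCESS_VM_READ:
        return ("lsass-read", m.group("src"))
    return None  # e.g. SYNCHRONIZE only: common and benign


def scan(events):
    """Classify every record in a dump; unrelated or benign lines are dropped.
    In practice an allow-list of known readers (AV, EDR) is still needed."""
    return [r for r in (classify_lsass_access(l) for l in events.splitlines()) if r]


if __name__ == "__main__":
    for verdict, source in scan(SAMPLE_EVENTS):
        print(f"{verdict}: {source}")
```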
Friday, July 27, 2007
And you are all set... well... you are not :). IIS implements something called 'Socket Pooling' and if you have this enabled it basically makes IIS bind to all available IP addresses. So even when you go to the GUI and change the IP you want IIS to bind to, IT DOESN'T WORK. In order to make it work, you need to disable 'Socket Pooling', and you can do so with the following command:
script adsutil.vbs set w3svc/disablesocketpooling true
I just thought this was amusing and decided to make a post :). Something similar occurs with IIS 6.0 but I have not tried it yet. You can get more information here:
IIS Binds to All Available IP Addresses When It Starts
How to Disable Socket Pooling
IIS 6.0: Setting Metabase Property DisableSocketPooling Has No Effect
Thursday, July 26, 2007
Check out Gera's new tool!:
"HeapDraw was originally created as a postmortem analysis tool, to see how the heap evolved during the life of a process. The idea is that although we may be used to textual output, like that of ltrace or a malloc/free hooking library, it's much better to see it graphically (in fact I used to make drawings by hand until I realized "WTF am I doing? I have a computer to do it for me!").
HeapTracer is the new name, after it became a runtime analysis tool."
You can find it here.