Thursday, June 26, 2008

Windows XP SP3 and Pass-The-Hash Toolkit: it Works!

Ok, so Windows XP SP3 is out.

With this new version:

whosthere-alt.exe still works without requiring any modifications.
whosthere.exe does not work because this is the more 'gentle' and 'stealth' :) version of the tool and requires precise memory addresses.

But that's why I released the passthehash.idc IDA script; so you can easily get these addresses yourself.

And that's also the reason why the new version of whosthere.exe has a new -a switch that allows you to specify these addresses without having to recompile the tool.

This new version is going to be released soon, but if you want it right now, email me (please, try to email me if you REALLY need it :)).

I haven't tested iam/iam-alt but the same thing observed with whosthere/whosthere-alt should apply to these tools.

In case you were wondering, the new addresses you need for Windows XP SP3 English are:

whosthere -a 75753BA0:7573FDEC:757D0C98:757D0CA0:757CFC60:757CFE54

(remember that whosthere-alt.exe works as it is on Windows XP SP3)

Thursday, June 12, 2008

New features for pass-the-hash toolkit

Hi,

I'm in the process of adding new features to the "pass-the-hash toolkit". This means I've found time to do it :), so.. If you have any ideas for new features/bugs that need to be addressed, please let me know.

I'm currently adding:

-better support for Windows Vista
-feature to specify addresses (such as the ones obtained via passthehash.idc) to whosthere and iam without having to recompile the tools

If you have any comments, please leave them here as comments to this blog post or
here:

http://www.hexale.org/forums/topic.php?id=3

Thanks!,
Hernan

Wednesday, June 04, 2008

Hexale forums

Ok, so I finally set up a web site to put all my stuff on, checkout

www.hexale.org

well.. right now it is empty :) but one thing I did install is the forums
section, check out

www.hexale.org/forums/

There's a forum for each of the tools I have publicly released so far. Some
people have requested such a thing in the past, so here you go, I hope you
find it useful.

If there's another forum you'd like to see, please let me know.

-t switch added to whosthere and whosthere-alt

Just wanted to let you know that I've added a -t switch both to whosthere and whosthere-alt

the -t switch sets the time interval used by the -i option (the option that waits indefinitely trying to capture new hashes).
Before, the time interval was fixed at 2 seconds; now it can be set at will using the new -t switch.

for example:

whosthere.exe -i -t 20
will attempt to gather new hashes every 20 seconds

whosthere-alt.exe -i -t 0.5
will attempt to gather new hashes every 0.5 seconds


This feature will be available on the next release, but if you really need it, just send me an email and I'll send you the new version with this feature included.

Thursday, May 22, 2008

Comment on article about 'vm attacks' at www.eusecwest.com

I was reading the following story:

http://www.eusecwest.com/justin-ferguson-interpreter-vm-attacks.html

I'll keep my subjective opinion about the article to myself and will focus on the following:

I think that the use of the function 'sys._getframe()' mentioned in the article as a way to 'obtain a heap address' is 'misleading'.

Python gives away memory addresses all the time, there's no need to call a 'weird' function (sys._getframe() is not weird anyways):

(from http://shell.appspot.com/, but applicable to any python deployment):

>>> a = 'mythbusters'
>>> id(a)
6912173043421908880
>>> hex(id(a))
'0xe81da54d11f45f88L'
>>> sys._getframe()
<frame object at 0xe81da54d1ff6afc8>

Both addresses are clearly in the same 'range', so I can infer they 'refer' to the same 'thing'; if the 'thing' is the 'heap', then both methods 'leak' a heap address,
or more importantly, they 'leak' the same 'thing' :)


or

(on a windows machine)

>>> class a:
...     def test(self):
...         print 'hola'
...
>>> j = a()
>>> j
<__main__.a instance at 0x004AF0F8>
>>> sys._getframe()
<frame object at 0x00475960>

and finally (done from http://shell.appspot.com/)

>>> import os
>>> os.uname()
('Linux', '', '', '', '')

If you think I'm wrong, please comment!
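To make the point concrete in current CPython, here is an added example (my own illustration, not code from the original post) that parses the address embedded in an object's default repr and compares it with id() of the same object. The Holder class and the function names are constructed for the example, and it assumes CPython, where id() returns the object's address and default reprs print that same pointer. The defensive takeaway is that any repr, id() or traceback that reaches a log file, an error page or an untrusted client discloses heap layout, so address disclosure is not confined to one 'weird' function.

```python
# Added example (not from the original post): ordinary Python APIs disclose
# object addresses exactly as sys._getframe() does. Assumes CPython, where
# id() is the object's memory address and default reprs embed the same pointer.
import re
import sys

# Matches the "0x..." hex token CPython prints in default object reprs.
ADDR_RE = re.compile(r"0x([0-9a-fA-F]+)")


class Holder:
    """Plain class with the default repr: <__main__.Holder object at 0x...>."""


def address_from_repr(obj):
    """Return the address embedded in repr(obj), or None if the repr has none."""
    match = ADDR_RE.search(repr(obj))
    return int(match.group(1), 16) if match else None


def leaks_same_address(obj):
    """True when repr(obj) and id(obj) disclose the same pointer."""
    return address_from_repr(obj) == id(obj)


def frame_address_pair():
    """Address printed in a frame's repr next to id() of that same frame."""
    frame = sys._getframe()
    return address_from_repr(frame), id(frame)


def disclosed_addresses():
    """Collect addresses a script can read without calling anything unusual."""
    text = "mythbusters"
    inst = Holder()
    frame = sys._getframe()
    return {
        "id(str)": id(text),
        "id(instance)": id(inst),
        "repr(instance)": address_from_repr(inst),
        "repr(frame)": address_from_repr(frame),
        "id(frame)": id(frame),
    }


if __name__ == "__main__":
    for source, addr in disclosed_addresses().items():
        print(f"{source:15s} {hex(addr)}")
```

Running the block prints one address per source; the frame and instance reprs reproduce the id() values bit for bit, while a plain string repr carries no address at all.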

Thursday, May 08, 2008

Using whosthere.exe with psexec

Ok, a few days ago I received the following question and I have been asked the same thing before so here it goes:

The question, more or less, is:

How do you run whosthere.exe on a remote machine using psexec, detached from any console, and leave it running there collecting hashes?

the answer is:

psexec \\ -d -c whosthere.exe -o myhashes.log -i

psexec's -d switch basically makes it run whosthere.exe and exit.
whosthere's -o switch specifies the name of the file containing the list of unique credentials collected.
and the -i switch makes whosthere.exe run in an infinite loop looking for new
logon credentials and storing them in the file specified by the -o switch.

Remember, of course, you will probably need to specify the -u and -p switches to psexec, or you can do from your machine something like

net use \\\ipc$ * /u:user password

and then run psexec.

Also remember, that if you want to use whosthere-alt.exe, you can't use psexec's -c switch (I think), because whosthere-alt.exe also requires the pth.dll, so you will probably need to copy whosthere-alt.exe and pth.dll to the target machine and then run psexec without the -c switch and specifying the path where whosthere-alt.exe and pth.dll are located.

Hope it helps!

Friday, February 29, 2008

Release: Pass-The-Hash toolkit v1.3

SOURCE CODE:
http://oss.coresecurity.com/pshtoolkit/release/1.3/pshtoolkit_v1.3-src.tgz

BINARIES:
http://oss.coresecurity.com/pshtoolkit/release/1.3/pshtoolkit_v1.3.tgz

DOCUMENTATION:
http://oss.coresecurity.com/projects/pshtoolkit.htm
http://oss.coresecurity.com/pshtoolkit/doc/index.html

WHATSNEW:


Pass-The-Hash Toolkit 1.3 by Hernan Ochoa (hochoa@coresecurity.com, hernan@gmail.com)
=====================================================================================

What's new?:

* PASSTHEHASH.IDC: This .IDC IDA Pro script can be used to obtain the addresses
iam and whosthere need to obtain/modify logon session credentials. Load LSASRV.DLL
into IDA Pro (make sure to import the symbols) and run the script to get the
addresses you need to add to the source code to add support for the LSASRV.DLL version
you have, in case it is not supported yet.
If you use the script, please send me the addresses so I can include them in
the next version of the toolkit.


* IAM-ALT and WHOSTHERE-ALT: two new tools written from scratch that do the
same thing that IAM and WHOSTHERE do but using a slightly different technique,
aiming at making the tool work on more systems without requiring users to
modify the source code of iam/whosthere (or wait for the next version:)).

The good thing about this 'alt' version of the iam/whosthere tools is that
they SHOULD work on more windows versions without modifications.
The 'bad' thing is that both tools need to execute code inside lsass.exe.
The tools basically use the functions MSV1_0.DLL!NlpDeletePrimaryCredential,
MSV1_0.DLL!NlpAddPrimaryCredential, and MSV1_0.DLL!NlpGetPrimaryCredential;
these are the functions gsecdump uses (if I'm not mistaken).
The current heuristics used to find the functions inside MSV1_0.DLL are horrible
but they work.

whosthere uses a method that allows it to obtain credentials just by
reading memory, without executing any code. iam does not, just
because I'm lazy; it will do it eventually. The downside to this approach
is that although it does use heuristics to verify hardcoded addresses, it
does have hardcoded addresses anyways. And that's why, to help solve this issue
but at the same time maintain the possibility of obtaining credentials
without executing code inside lsass.exe, I created the passthehash.idc
script. If you don't care about executing code inside lsass.exe, use
whosthere-alt.
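From a monitoring point of view, the distinction drawn above (whosthere only reads lsass memory, while whosthere-alt and iam-alt execute code inside lsass.exe) maps onto the access rights a process requests when it opens lsass.exe. The following added example (not part of the toolkit) classifies constructed process-access records by that access mask. The record format and field names (SourceImage, TargetImage, GrantedAccess, in the style of Sysmon's ProcessAccess event) and the masks assigned to each sample line are assumptions chosen to illustrate the categories; the access-right constants are the standard winnt.h values.

```python
# Added example (not part of the toolkit): triage process-access records
# against lsass.exe by the rights granted. Record format and sample masks are
# constructed for this example; field names follow common process-access
# audit events. The constants are the standard Windows process access rights.
import ntpath

PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Rights that let the caller plant or run code in the target (the "-alt" style
# of access); VM_OPERATION alone only changes protections, so it is not enough.
CODE_EXECUTION_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_WRITE

# Constructed sample records: "key=value" fields separated by "|".
SAMPLE_RECORDS = """\
SourceImage=C:\\tools\\whosthere.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1410
SourceImage=C:\\tools\\whosthere-alt.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x143A
SourceImage=C:\\Windows\\System32\\svchost.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1400
SourceImage=C:\\Windows\\System32\\notepad.exe|TargetImage=C:\\Windows\\explorer.exe|GrantedAccess=0x1410
"""


def parse_record(line):
    """Split one 'k=v|k=v' line into a dict; GrantedAccess becomes an int."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    fields["GrantedAccess"] = int(fields["GrantedAccess"], 16)
    return fields


def classify(record):
    """Map a record to a category an analyst can triage."""
    if ntpath.basename(record["TargetImage"]).lower() != "lsass.exe":
        return "not-lsass"
    mask = record["GrantedAccess"]
    if mask & CODE_EXECUTION_RIGHTS:
        return "lsass-code-execution"  # whosthere-alt / iam-alt style access
    if mask & PROCESS_VM_READ:
        return "lsass-memory-read"     # whosthere style: read-only access
    return "lsass-query-only"          # e.g. enumeration by system services


def triage(text):
    """Return [(source image basename, category)] for every record in text."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        out.append((ntpath.basename(rec["SourceImage"]), classify(rec)))
    return out


if __name__ == "__main__":
    for source, category in triage(SAMPLE_RECORDS):
        print(f"{source:20s} {category}")
```

Memory-read access to lsass.exe from an unexpected image is the signal for the read-only technique; write or thread-creation rights on lsass.exe are the signal for the code-execution technique, and both are worth an alert regardless of which tool produced them.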


* iam/whosthere: Added support for more windows versions, including different languages.

* iam/iam-alt: new syntax. Now you have to use -h to specify the credentials.

* whosthere/whosthere-alt: new -o switch to dump credentials to a file.

* whosthere/whosthere-alt: new -i switch that will make whosthere/whosthere-alt
display current logon credentials found in memory and then wait forever for
new logon sessions and display only those new sessions. You can use this switch
together with the -o switch to dump credentials found to a file. Now you can leave the
tool running and it will log all unique interactive logon sessions created, which makes
the job of waiting for the administrator to log into the compromised
machine where whosthere/whosthere-alt is running easier. Thanks to heathengod for the
idea of this feature.

* several bugfixes and stuff

Monday, January 21, 2008

Pass-The-Hash Toolkit v1.2 released.

Pass-The-Hash Toolkit v1.2 is available.

What is Pass-The-Hash Toolkit?

The Pass-The-Hash Toolkit contains utilities to manipulate the Windows Logon Sessions maintained by the LSA (Local Security Authority) component. These tools allow you to list the current logon sessions with their corresponding NTLM credentials (e.g.: users remotely logged in through Remote Desktop/Terminal Services), and also change at runtime the current username, domain name, and NTLM hashes (YES, PASS-THE-HASH on Windows!).

Direct download links:
source code:
http://oss.coresecurity.com/pshtoolkit/release/1.2/pshtoolkit_v1.2_src.tgz
binaries:
http://oss.coresecurity.com/pshtoolkit/release/1.2/pshtoolkit_v1.2.tgz

More info:
http://oss.coresecurity.com/projects/pshtoolkit.htm
http://oss.coresecurity.com/pshtoolkit/doc/index.html

what's new:
http://oss.coresecurity.com/pshtoolkit/release/1.2/WHATSNEW

WifiZoo v1.3 released!

Hi!,

I have just released WifiZoo v1.3.
This is a minor release addressing minor but annoying things people kept poking me about.
I promise a more substantial release soon :).

What's new?

Direct download link:
WifiZoo v1.3

Info about WifiZoo:
WifiZoo Info

Friday, January 18, 2008

New version of Pass-The-Hash Toolkit about to be released!

Hi!,

I'm about to release a new version of Pass-The-Hash Toolkit. I can't remember all the things fixed and things that changed, but they are on a file somewhere :), some of them include:

* The elimination of the "-B" switch, now the tool does what it has to do without requiring anything from you
* the output from whosthere.exe is now shorter and the format in which credentials are presented can now be directly used with l0phtcrack or anything like that (although doing so kind of goes against the very nature of the iam.exe tool :), but it's ok, for some scenarios you want to know the plaintext password).
* All the extra info displayed by whosthere.exe before is still available via the -D switch (D as in debug info :)).
* Added support for several windows versions and languages

So, before I release the next version, it would be great if you can send me an email to hernan@gmail.com with errors you might have found and want fixed, ideas for new features, etc. please, write! :).

Monday, December 17, 2007

Release uhooker v1.3

What's uhooker?:

A tool to intercept and manipulate the execution of programs. It enables the user to insert hooks in function calls and at arbitrary addresses within the executable file in memory. The hook handlers are written in Python and can be changed at runtime without the need to restart the inspected process.

Download:

http://oss.coresecurity.com/uhooker/release/1.3/uhooker_v1.3.tgz

http://oss.coresecurity.com/uhooker/release/1.3/uhooker_v1.3.zip



more info:

http://oss.coresecurity.com/projects/uhooker.htm

http://oss.coresecurity.com/uhooker/doc/index.html


Some Videos:

http://oss.coresecurity.com/uhooker/doc/uhooker_changeconnect.wmv
http://oss.coresecurity.com/uhooker/doc/uhooker_sendhex.wmv



What's new in uhooker v1.3?
===========================

-Several bug fixes, everything should work better than before :)

-Fixed bug with the readunicode() API where reading empty multibyte strings
resulted in the plugin freezing forever.

-Now you can load multiple .CFG files (load one, then load another to hook
something else, etc). Previously, you were only allowed to load one .CFG file
with breakpoints/handlers definitions. Now you can load as many as you like
whenever you want.

-If a .CFG file overlaps previously set hooks, you have the chance
to redefine them (for example, you can dynamically change the
file/function handling the breakpoint. This adds to the feature
present since the first version of uhooker that allows runtime rewriting
of the handler's code).


-Errors in the code of the handlers (written in python) are now correctly handled.

-Previously, if you had an error in the code you wrote to handle
a certain breakpoint, this caused the 'uhooker's python server' to
'crash', and you needed to restart your debugging session all over
again.

This scenario was very common, particularly if you were developing
your own handler/script for the first time, or if you were
modifying the code of a handler/script at runtime.


Well, no more! :). Now if you have an error (syntax error,
indentation error, general programming error, etc.), the error that
your handler has will be displayed on the uhooker's console, and
you'll be able to recover from that error. This improvement means:

1-If an error occurs in the code, you don't
need to restart the debugger's session (and lose
the state of the program, etc.).

2-If you are changing the code of the handler at runtime
and you make a mistake, you'll see what
caused the error, and you can fix the script/handler
and move on!


-and there are probably more things but I didn't write them down and now I don't remember :).
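As an added illustration of the handler-isolation behaviour described above (my own code, not uhooker's implementation or API), the dispatcher below catches exceptions raised by user-written handlers, reports them and keeps the session alive, and it recompiles handler source at runtime while keeping the previous handlers installed when the new source has a syntax error. The config format ("hooked_function=handler_name" per line), the class and function names and the sample handlers are all constructed for the example.

```python
# Added example (not uhooker's own code or API): a minimal hook dispatcher
# that isolates errors in user-written handlers and reloads handler source at
# runtime. Config format, names and sample handlers are constructed here.
import traceback


class HookDispatcher:
    def __init__(self):
        self.hooks = {}      # hooked function name -> handler name
        self.handlers = {}   # handler name -> callable
        self.errors = []     # formatted tracebacks, newest last

    def load_config(self, cfg_text):
        """Register hooks; a later config may redefine an earlier hook."""
        for line in cfg_text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            func, handler = (s.strip() for s in line.split("=", 1))
            self.hooks[func] = handler

    def load_handlers(self, source_text):
        """(Re)compile handler source. On a syntax error the previous handlers
        stay installed and the error is recorded; returns True on success."""
        namespace = {}
        try:
            exec(compile(source_text, "<handlers>", "exec"), namespace)
        except SyntaxError:
            self.errors.append(traceback.format_exc())
            return False
        for name, obj in namespace.items():
            if callable(obj) and not name.startswith("_"):
                self.handlers[name] = obj
        return True

    def dispatch(self, func, args):
        """Run the handler hooked on func. Returns ("ok", result), ("error",
        summary) or ("unhooked", None); a handler exception never escapes."""
        handler = self.handlers.get(self.hooks.get(func))
        if handler is None:
            return ("unhooked", None)
        try:
            return ("ok", handler(args))
        except Exception as exc:  # report it, keep the session running
            self.errors.append(traceback.format_exc())
            return ("error", f"{type(exc).__name__}: {exc}")


# Constructed handler sources: the first one has a bug (division by zero).
BUGGY_HANDLERS = '''
def on_send(args):
    # bug: divides by args["count"] without checking for zero
    return len(args["buf"]) / args["count"]
'''

FIXED_HANDLERS = '''
def on_send(args):
    count = args.get("count") or 1
    return len(args["buf"]) / count
'''


def demo():
    """Walk through: buggy handler, bad reload (kept old), fixed handler."""
    d = HookDispatcher()
    d.load_config("send=on_send")
    d.load_handlers(BUGGY_HANDLERS)
    call = {"buf": b"GET /", "count": 0}
    first = d.dispatch("send", call)                       # ZeroDivisionError, reported
    d.load_handlers("def on_send(args)\n    return 1\n")  # SyntaxError, old handler kept
    second = d.dispatch("send", call)                      # still the buggy handler
    d.load_handlers(FIXED_HANDLERS)
    third = d.dispatch("send", call)                       # ("ok", 5.0)
    return first, second, third, len(d.errors)


if __name__ == "__main__":
    for step in demo()[:3]:
        print(step)
```

The three dispatch results show the same session surviving a runtime error in a handler, a failed reload and then a successful fix, which is the workflow the release notes describe.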

Wednesday, December 12, 2007

uhooker videos - tcpnet.py video

A new video showing how to use the tcpnet.py script; this is a sample script
that allows you to intercept and modify network traffic using a hex editor.

Embedded Video (only IE I think)

http://oss.coresecurity.com/uhooker/doc/uhooker_sendhex_video.html

Direct Download

http://oss.coresecurity.com/uhooker/doc/uhooker_sendhex.wmv

Tuesday, December 04, 2007

Uhooker Videos

Hi All!,

I'm uploading new scripts for uhooker and also new videos showing how these scripts are used, to help you get an idea of the purpose of the scripts.

I just uploaded a video showing how to use the Change Connect() script, you can find it here:


Embedded in browser:

http://oss.coresecurity.com/uhooker/doc/change_connect_video.html


Direct Download of .WMV file (if using firefox, you will probably
need to download this one):

http://oss.coresecurity.com/uhooker/doc/uhooker_changeconnect.wmv


Note: If anyone knows of a free program to do screencasts & convert screencasts
to .SWF files (flash), please let me know. I'm currently doing it using 'Windows
Media Encoder', and I couldn't find a decent program to convert .WMV
to Flash. Any suggestion is welcome.

Friday, November 30, 2007

New 'Change Connect()' uhooker script

I uploaded the following uhooker script:

Change Connect(): This script displays all calls to connect() and allows you to change the IP address:Port of the connection. This is useful for debugging, to redirect traffic to some other place instead of the original server, for example, you can redirect traffic to proxy_hooker and use the 'Visual Fuzzing :)' script to observe/modify traffic.

Available here:
http://oss.coresecurity.com/uhooker/doc/index.html#scripts

Direct Download:
http://oss.coresecurity.com/uhooker/doc/change_connect.cfg
http://oss.coresecurity.com/uhooker/doc/change_connect.py

Thursday, November 29, 2007

New & Updated Uhooker scripts

I updated the uhooker scripts on the uhooker's web page (http://oss.coresecurity.com/uhooker/doc/index.html). Some of them were pre-1.2 and did not work with uhooker v1.2 because of minor things, but anyway, now you can download them and they will work :).

I also 'improved' and added the following scripts:

Intercept Network Traffic With Hex Editor: These scripts will intercept sendto(), send() and recv(), and for every packet received, a hex editor will be displayed. You can use the hex editor to change bytes of the packet, and then close it to pass the modified packet to the application. It's fuzzing with a GUI! :).
tcpnet.cfg
tcpnet.py
udpnet.cfg
udpnet.py


I'll try to create a screencast so you can get a visual idea of what these scripts do. I'm gonna start uploading some other scripts I think you may find useful.


And.. I've also changed the 'look and feel' of the uhooker's web site, mmm, if you think it is bad now go to web.archive.org and prepare to be amazed!

Monday, November 19, 2007

Anti-debugging Techniques

I just woke up and saw this article that caught my attention (yes, I have a problem, the first thing I read in the morning is not the newspaper but securityfocus.com)

Windows Anti-Debug Reference

by Nicolas Falliere

I haven't read it yet, but I'm a sucker for articles/papers with hex numbers and assembler source code :).

I'll read it later today and make a post if I can think of something worth saying about it :).

Saturday, November 17, 2007

WifiZoo working on the Nokia N800

Yes!, wifizoo works on the Nokia N800! this is very cool! you won't need to carry around your notebook on your next wireless assessment! :)


Thanks go to Matias Brutti, he's the proud owner of the N800 :) and he's the one that made it work. It is actually pretty straightforward, you only need to change a few lines of code.


For more info and photos, click here.

Wednesday, November 07, 2007

Simple script to automatically generate uhooker hooks

I've just uploaded a very simple script that can be used to automatically generate hooks for all the functions exported by a DLL to be used with uhooker.

So, let's say you want to intercept all the functions exported by kernel32.dll. Well,
having to write the .cfg file and the .py file with the handlers by hand can be a daunting task :), it has hundreds of functions.

So, instead of doing that, just use genhooks.py like this:


genhooks.py -f kernel32.dll -t b -c kernel32.cfg -p kernel32.py




-f: specifies the name of the DLL
-t: specifies the hook type. b = before, a = after, * = address (you would normally use b or a)
-c: OPTIONAL. specifies the name of the .cfg file. If it is not specified, dllname_without_the_extension.cfg will be used
-p: OPTIONAL. name of the .py file with the hooks for all the functions. if it is not specified the dllname_without_the_extension.py will be used.



And that's it. It's a very simple script that I have coded 300 times already; the only difference is that now I'm keeping a copy around :).

The script can be found here:

http://oss.coresecurity.com/uhooker/doc/index.html#scripts


Direct download link:


http://oss.coresecurity.com/uhooker/scripts/genhooks.py

Patching WifiZoo to support kismet dumps/pcap capture files

A user emailed me asking for a way to use kismet dumps/pcap capture files with WifiZoo, this is going to be included in the next version of WifiZoo, but you can patch/hack the current version to support kismet dumps/pcap capture files very easily:

Edit wifizoo.py and change the following code:


webproxy.start()
print "Waiting..."

while 1:
  # mm, would be better to use callback perhaps. TODO
  p = sniff(filter=None, iface=conf.iface, count=1)
  pkt = p[0]


to:


webproxy.start()
print "Waiting..."

#capture.pcap is the name of the capture file. Yes, it's hard-coded :)
pcapr = PcapReader('capture.pcap')

while 1:
  # mm, would be better to use callback perhaps. TODO
  #p = sniff(filter=None, iface=conf.iface, count=1)
  pkt = pcapr.next()
  #pkt = p[0]



It's a quick hack, but it works.

Friday, November 02, 2007

Numb

I'm still here! hang on! soon I'll be releasing a new version of wifizoo, a new version of the pass-the-hash toolkit and also new stuff/scripts and probably a new version of the universal hooker too!

Soon!