How to Hack a Computer in Seconds or Bash Bunny and Packet Squirrel Attacks

We have had a bit too much work past few weeks, so I have “taken extra time” with another article. I prefer to write less often, but more interestingly, than to write just to meet the “quota”.

In the last 3 weeks, I have managed to complete the ECSA (EC-Council Certified Security Analyst). I have managed to pass version 9, so I also had a practical exam (they have released version 10 about a month ago). I would like to try an OSCP (Offensive Security Certified Professional) this year, but I have no idea where to find the time. In addition to that, I want to extend the CCNP this summer.

I have also finally finished a lecture on hacking gadgets (I wrote about them in the articles “Hacking Gadgets: Hak5 Bash Bunny” and “Hacking Gadgets: Hak5 Packet Squirrel“). We have hosted a lecture for my colleagues, colleagues from internal IT departments of our customers and some business partners. On Thursday I gave it to IT in IKEM Prague.

I would like to share it with you, at least, in the form of content of this article – you may also find something interesting for yourself. I have tried to make the lecture mainly practical – ie. most of the time was reserved for live demos. The goal was to showcase that anyone who has IT awareness and free tan can “hack”. Therefore, safety must not be underestimated.

The content described below is very much a compress since the whole lecture is 3 hours. I have tried to present various details, interesting facts, ways of defense and answer the questions during the presentation. The videos I’m referring to aren’t mine. I was wondering why to repeat something that someone else already did. 🙂

Part 1: Safety starting line

I know this is a “repeated song” and everyone has heard the following recommendations o so many times. Even so, sometimes we encounter an environment where it’s not entirely OK. I would like to start raising awareness of how easy it is to break a network which is not being updated or weak passwords that are being used.

Not updated OS/SW/HW

It is true that sometimes an update breaks something. If you didn´t update, it wouldn’t happen. On the other hand, if you do not update, you expose your network to a much larger downtime. If a cryptovirus travels through the network, it only leaves a “burned ground” behind (inaccessible data on all stations and servers) and the downtime is definitely longer than just a few hours.

An example of this situation has occurred in the Maersk company (IT “heroes” saved Maersk from NotPetya). They have had to reinstall 45,000 stations and 4,500 servers within 10 days. They estimate the damage at 5-6 billion crowns.

In the lecture, I have shown how easy it is to exploit the vulnerability in the SMB protocol described in MS17-010 and the exploitable EtternalBlue exploit. I have attacked a non-patched Windows 7 PC using Kali Linux and Metasploit in front of others – I have created a user, downloaded documents, made a screenshot, installed a keylogger, and dumped hash of user passwords.

Weak password

I took dumped NTLM hash from a previous attack and launched a brute-force attack on it through hashcat. In theory, we have gone through how fast these hashes can be broken. Nvidia GTX1080 will do 41 billion attempts in 1 second. This means that with the number of characters 62 (a-Z0-9) and the password length of 7 characters, there are 3.521 billion (62^7) combinations. If I try 41 billion combinations every second, the seven-character password will be broken in no more than 85 seconds! An eight-character password can be broken within 1.5 hours and nine-character password within 4 days. This theoretical point of view was confirmed by a practical demonstration. 🙂

If a user uses a strong password, it doesn’t automatically mean that everything is fine. I have then demonstrated this using escaped service databases such as Linkedin, Dropbox, Zomato, Badoo (which I have also managed to get 🙂 ). People often use the same password for multiple services, or the password has a pattern (for example, “Mom21”). An attacker tries different variations of the password (eg, “Mom00” to “Mom99”). To find out if your password has been corrupt, visitHave I Been Pwned?“, which I have already mentioned in Password Management.

Part 2: Bash Bunny

After the safety minimum (updates and passwords), I have continued to introduce the Bash Bunny gadget. I have performed all of the demonstrations against the fully updated NB with Windows 10 Pro and the current ESET Endpoint Antivirus in default.

Quick note: Antivirus has been circumvented by custom programs and knowledge of the environment – it’s not that ESET is bad – just the default configuration is quite “loose” to not cause false detection/malfunction.

Backdoor

The first example was an attack on NB left unattended (the user jumped to call to the next room and did not lock its NB). I have clicked the Bash Bunny into the NB and disconnected it again within 17 seconds. Such a short time was enough to bring a backdoor into the NB, which connects to the attacker’s server and automatically starts after NB is restarted. The attack is based on the “Windows Persistent Reverse Shell for Bash Bunny” payload.

Stealing data from the computer

Another attempt was again performed at an unattended unlocked NB. This time it took 35 seconds, but the result was not a backdoor in NB, but stolen data from. I have built the attack on the “Password Grabber” payload, which I have extended with MZCookiesView, SkypeLogView, BrowsingHistoryView, KeeThief, and some powershell commands. In 35 seconds I have stolen the following from the attacked NB:

  • history of visited websites (IE, FF, Chrome)
  • all skype conversations,
  • “Documents” folder
  • remembered passwords in browsers (IE, FF, Chrome)
  • passwords for all Wifi that the NB knows
  • browser cookies (since I am lazy, just FF)
  • password for KeePass password manager (if open on PC)
  • all Windows-imported certificates (if marked as exportable).

I have pulled it all out, even though the logged in user was not an administrator. If he would be an administrator, I would also take away the hashes of other users’ passwords and passwords stored in the Windows Credential Manager.

It may be interesting that you do not even have to touch the NB during the attack, so your fingerprints will not be left behind. BB (Bash Bunny) can also “silence” the computer during an attack by telling the NB that it is a network card and will run all traffic.

Locked computer attack

Defending against the previous two attacks is locking the NB as you move away from it. Unfortunately, even the locked NB can be attacked. When BB connects to NB as a network card, it is capable of capturing NTLMv2 authentication and then retrieving the original password. BB includes a “QuickCreds” payload that will take care of it.

However, I liked the attack from the P4wnP1 project, which took it one step further. As soon as the device intercepts NTLMv2 authentication, it immediately tries to guess the password and then enters it into the system. See the demo below. It’s really spectacular, like some science fiction movie. 🙂

I ported this attack to BB – it was necessary to compile JtR (John the Ripper) manually and write the script. BB is then able to test passwords with its CPU at 200,000 passwords per second. So using the “rockyou” vocabulary, you will test 14 million passwords within 2 minutes.

It is interesting that locking accounts after X invalid attempts will not protect you against this attack.

Part 3: Packet Squirrel

The last part of the lecture was dedicated to the Packet Squirrel and MiTM Attacks.

Sniffing

Default Packet Squirrel includes a payload – “sniffer” that writes all traffic data to a connected USB flash drive. I have plugged PS (Packet Squirrel) in between NB and switch and showed how to extract FTP, telnet, web and IMAP passwords from network traffic.

PS is not detectable in the network. It only passively sits on the wires (it does not have an IP address or interface in the network) and collects everything that passes through it. The attack is therefore feasible in case of physical access to the environment. e.g. you plug in the PS in the morning and collect it in the evening.

Data tampering and browser hacking

When an attacker has a strategic position within the network, it is a shame to limit itself to eavesdropping. PS can interfere with data. Another example was injecting malicious code into network traffic and compromising PC through old leaky Firefox. It looks like a user is browsing legitimate websites – the attacker modifies the data on the way and inserts malicious code into them, resulting in the browser being controlled (Beef) or the whole PC (exploit firefox_smil_uaf).

I wanted to show that surfing the web is a rather dangerous thing. It is necessary to maintain an updated browser, not to turn off UAC and not to browse from privileged stations. 🙂

Another interesting thing about this attack is the fact that NIPS (network intrusion prevention system) will not protect you from it, because the malicious code will be injected just before it reaches the PC – that is, the data going through the router/switch, are still ok. 🙂

SSL stripping

The above-mentioned attack cannot be done when HTTPS communication is encrypted. However, it is enough for an attacker to visit a single HTTP site to launch its attack. In addition, many sites have an HTTPS version but do not have HSTS set. Another example was an attack to redirect a user to an unencrypted version of the site instead of an encrypted one so that an attacker could inject code as in the example above.

RDP MITM

I have kept the last demo as icing on an imaginary cake. Many people keep self-signed certificates on RDP servers (we still don’t have it one hundred percent). When they connect via RDP to the server, they receive a warning message about the untrusted certificate (or the remote server’s identity could not be verified). And this is where the problem can occur. An attacker is able to blend into your connection without you knowing anything. It gets your login information (including plaintext password).

Interestingly, not even some 2FAs will protect you from this attack.

Conclusion

I hope the participants have enjoyed the lecture and that you, the readers, have found at least something interesting in the summary. Its aim was to show that “hacking” something is not that difficult and it is important to not to underestimate security. I will be happy for any feedback (eg what to improve, what topic you are interested in). I would like to devote more time to lecturing/training in the future.

Update 7.5.2018: I have recently written an article about the restrictions and monitoring methods we use in our company: “IT Security: Security Life Cycle

Do you like topics, I write about?

It is not necessary to periodically visit my blog to check if there is a new article. Subscribe below for notifications. You will be the first one who will know about new article.

Discussion

vrkiller 22

2020-07-02 v 09:00

considering the time of my comment i doubt you’ll see this but can you please teach us how to recreate your brute forcing payload or make a post about your brute forcing payload for the bash bunny

Reply

Reply

martinhaller

2020-07-02 v 10:13

I am sorry, but I haven’t made notes during my preparations :(. I remember I have ported the script from project P4snP1 https://github.com/RoganDawes/P4wnP1/blob/master/payloads/Win10_LockPicker.txt . Also I had to install jtr/responder on bash bunny.

Reply

Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Hack The Box OSCP MCSE CHFI ECSA CCNP CCNA