Creating Metasploitable 3 in a nested VM environment completely blind like maniacs do

Disclaimer: I’m a hacker and I’m also slightly insane.

Translation: I break software for fun, profit and because I don’t like to follow the rules all the time. This means I like to install software in ways no one else has or the developer intended.

Typically software installs are provided in such a way as to make it easier for the end-user to get it on their system and get up and running with it as fast as possible.

No end-user ever said to themselves “Gee, I want to spend fifteen hours trying to install this software in an environment it’s not intended to be in for no other reason than I’m curious and I CAN.”

Except, I say that all the time and I believe in trying new things so I can learn.

I am a fan of Rapid7 and I use Metasploit just like any other hacker. I hacked Metasploitable 1 & 2. They were easy to import and fun to play around with.

Then came Metasploitable 3. Before you can play with it, you have to create it. This is actually a brilliant idea on the part of Rapid7’s staff because it teaches you how a VM is built with Vagrant and Packer but it’s this idea where the problems started for the users.

Because not that many people build VMs this way.

I began to notice two weeks ago that a lot of people on Twitter were having issues installing this vulnerable VM using the Windows 10 way. This is the *accepted* way to do it. Rapid7 even supplies us with a video made by a man named Jeremy who does just that.

I didn’t want to go through all that trouble even though in the end it probably would’ve been a lot faster. I wanted to install it in a NESTED VM environment that had Ubuntu, NOT Windows 10.

Why Ubuntu? Because it keeps you on your toes and if something is going to break, Ubuntu will make sure it does. You have to know workarounds with this OS and so when I do experiments of this kind, I like to throw Ubuntu into the mix to make it all that much harder.


————–Pre-Requisites—————

***Before you begin, you must make sure that Hardware Virtualization is enabled in your BIOS – Stop reading right now, reboot and check. Chances are if you already have VM labs set up it’s already set but doesn’t hurt to check.

My system is already configured this way so I didn’t need to do this. If your chip doesn’t support this, stop, you can’t do this but you’re free to read how this maniac did 🙂

What I have: Windows 8.1 host computer running VMWare Workstation 12 loaded with a 64-bit Ubuntu 17.10 VMWare image which has Virtualbox installed inside of it.

**You cannot use VirtualBox to create the Metasploitable 3 VM because VirtualBox does not support Nested Virtualization (VMs within VMs). VMware does. I forgot about this rule and tried to do this in VirtualBox yesterday and got all the way to the end, saw the AMD-V error and realized where I went wrong.

Whoops! First world hacker problems.

My attack and research lab environments are all in VirtualBox. I have two SSDs dedicated to them as they start up very fast.

Before I get to my steps, I want to clearly explain what you are doing here. In previous versions of Metasploitable (1 & 2) they were already pre-made into virtual images you could attach to VMs in your fav hypervisor.

This time, because the VM is made in a Windows OS and because of licensing issues with redistributing Windows OSes, Rapid7, the makers of Metasploit and the Metasploitable vuln VMs, created a way for you to create the VM yourself.

They can’t give you a ready-made image, it would be against Microsoft’s terms. But they can give you a framework in which to build the image which points directly to Microsoft’s servers to download the Windows 2008 ISOs needed (main OS and guest additions).

So, what I’m about to show you is this:

This means I’m running the Ubuntu VM guest on a Windows 8.1 host in VMware and then inside that guest Ubuntu VM I’m going to install VirtualBox again to get Metasploitable 3 created.

I’m spelling this out so there’s no confusion as you progress through this. Any questions, DM me on Twitter. I respond within 24 hours usually.

Set aside several hours for this. No distractions. You’ll just wind up getting aggravated further if you run into issues and have to get up to go walk the dog or cook dinner.


  1. I downloaded the Ubuntu 17.10 VMware image from OsBoxes http://www.osboxes.org/ubuntu/#ubuntu-1710-vmware

    Username: osboxes  Password: osboxes.org

  2. I downloaded VMWare https://my.vmware.com/en/web/vmware/free#desktop_end_user_computing/vmware_workstation_player/12_0
  3. I added the vmdk virtual disk file to the VMware machine, please do the following:

    Open your VMware virtual machine and make sure it is powered off;
    Choose VM -> Settings;
    On the Hardware tab, click Add to start the Add Hardware wizard, select Hard Disk and click Next.
    On the Select a Disk page, select Use an existing virtual disk and click Next.
    On the Select an Existing Disk page, enter the path name and filename for the existing disk file, or browse to the file and click OK.

  4. I enabled Bridged Adapter in the Networking section so as not to futz around with my special NAT environment I have for my VMs. Specific VMs require they be air-gapped, either because you’re analyzing malware or because they are vulnerable and opening them up fully to the Internet (public-facing) is a BAD idea. But for right now don’t worry about that. Let’s just get it Internet access so we can download what we need right away without restrictions.
  5. I gave the VM 12 GB of RAM and like 100 GB of space so it wouldn’t run out and I wouldn’t have to expand anything or play around with Gparted.
  6. I know my system supports it but if you’re following along, check if your system supports Nested Virtualization. For Intel processors, cat out /sys/module/kvm_intel/parameters/nested; for AMD processors, /sys/module/kvm_amd/parameters/nested.

    You should receive 1 or Y, if nested virt is supported, 0 or N otherwise. AMD processors should have it enabled by default, (certain) Intel processors might not. Example:

    $ cat /sys/module/kvm_intel/parameters/nested
    Y
    $ cat /sys/module/kvm_amd/parameters/nested
    Y

  7. Start up the Ubuntu VM.
  8. Change the ubuntu user’s password. It is “osboxes.org” to begin with.
  9. Now download Git

    sudo apt-get install git

  10. Git clone the Metasploitable 3 repo

    sudo git clone https://github.com/rapid7/metasploitable3.git

  11. I downloaded the ISOs required for Metasploitable 3 direct from their sources as described in one of the README.md files.
  12. I then edited the windows_2008_r2.json file in the metasploitable3 repository. At the end of the file look for ISO URL and put my file path in there instead of the Microsoft URL because why download it a second time?

    "variables": {
      "iso_url": "/home/osboxes/metasploitable3/7601.17514.101119-1850_x64fre_server_eval_en-us-GRMSXEVAL_EN_DVD.iso",
      "iso_checksum_type": "md5",
      "iso_checksum": "4263be2cf3c59177c45085c0a7bc6ca5",
      "autounattend": "./answer_files/2008_r2/Autounattend.xml"

  13. Installed latest version of Vagrant

    sudo apt install vagrant

  14. You can check if vagrant is installed by typing vagrant -v in Terminal or vagrant version.
  15. Now download the vagrant plugin. In Terminal type

    sudo vagrant plugin install vagrant-reload

  16. Install Packer and VirtualBox

    sudo apt install packer virtualbox

  17. Now test that it’s installed by typing packer in a terminal and then virtualbox. If you see options you’re good.
  18. At this point we have all the pre-reqs in place and should be able to start the shell script to build the VM. But trying to build it with sudo ./build_win2008.sh was failing epically. I had to figure out another way for it to work.

    I knew I could build it manually using the supplied JSON script and the command “packer build”

    So I tried that.

    packer build windows_2008_r2.json

    This failed with:

    VBoxManage: error: Details: code NS_ERROR_FAILURE (0x80004005), component MachineWrap, interface IMachine

    So I did some research https://www.virtualbox.org/ticket/7367 and it said to do a headless start. This means there’s no GUI and you’re essentially blind running this.

    Also, there’s an additional problem which is that I’d be invoking VBoxManage through a JSON script not directly through the command line.

    So that meant I needed to edit the JSON file. I searched through it for the word “headless” and found it was set to false. I set it to true.

    And then I waited.

    I could see it was writing the Metasploitable VDI file in a new directory it created, “output-virtualbox-iso”. F5ing (refreshing) the directory showed it kept writing to it. I figured this was a good sign.

    I waited an agonizing 15 mins to see “Waiting for SSH to become available”

    It took another hour to fully build.

    Then it failed at the end with a VMWare error but I had the ovf, vmdk, vagrantfile and json file.

    I tried to start vagrant up but that failed too. I have something wonky somewhere. Not to worry, I can import it!

    Part of being a hacker is thinking on your feet and being able to consider your options, on the fly, if necessary, and trying what you can with the least amount of damage. Since this is an experiment, I don’t care about damage.

  19. I fired up Virtualbox and used File > Import Appliance and selected the “box.ovf” file it had created in a subdirectory in the metasploitable3 folder.

    It fails saying it’s corrupted.

    But it had created a backup zip of the four files so I extracted them someplace else and imported from there.

    This was successful! 🙂

    Now all I have to do is mount one of my external drives, transfer the zip to it and import it into my host computer’s Virtualbox environment.

    I can then attack it with Kali or whatever else.

    I’m going to follow my steps again this week, recreate this entire scenario from scratch and see if I missed anything in this tutorial. If I do, I’ll edit this guide.

    This required a lot of thinking on my part when things failed so I may have missed a few steps.

    In closing, remember that there is always an alternate way to do things. Always try new ways even if they seem crazy because you open up your horizons that way and get to experience new things.

    I downloaded Metasploitable 3 when it first came out and forgot about it. The discussions on Twitter are what prompted me to finally create it but I just didn’t want to copy everyone else.

    Anyway, that’s that. I didn’t give up although I wanted to. Ubuntu is such a pain at times!
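The three checks that bit me in steps 6, 12 and 18, folded into one shell script. This is an added example, not part of the rapid7/metasploitable3 repository or its build_win2008.sh; it reads the same JSON keys shown in step 12 (iso_url, iso_checksum_type, iso_checksum) and the headless key from step 18, assumes the Ubuntu guest’s GNU coreutils and GNU sed, and the optional SYSROOT argument on the nested-virt check exists only so it can be pointed at a fake /sys tree for testing.

```shell
#!/bin/sh
# preflight.sh - sanity checks before "packer build windows_2008_r2.json".
# Added example, not part of the metasploitable3 repo. Assumes GNU coreutils
# (md5sum, sha256sum) and GNU sed (-i), i.e. the Ubuntu guest used above.

# nested_virt_status [SYSROOT]
# Reads the kvm_intel / kvm_amd "nested" parameter (step 6). Prints
# enabled/disabled/unknown and returns 0/1/2. SYSROOT defaults to "" so the
# real /sys is read; a test can pass a fake tree instead.
nested_virt_status() {
  root="${1:-}"
  for f in "$root/sys/module/kvm_intel/parameters/nested" \
           "$root/sys/module/kvm_amd/parameters/nested"; do
    [ -r "$f" ] || continue
    case "$(cat "$f")" in
      1|Y) echo enabled;  return 0 ;;
      0|N) echo disabled; return 1 ;;
    esac
  done
  echo unknown
  return 2   # neither kvm module loaded: the guest may not expose VT-x/AMD-V at all
}

# json_value FILE KEY - crude extractor for "key": "value" pairs in packer JSON
# (enough for the flat "variables" block in step 12; not a general JSON parser).
json_value() {
  sed -n "s/.*\"$2\": *\"\\([^\"]*\\)\".*/\\1/p" "$1" | head -n 1
}

# iso_matches_json FILE
# Step 12 points iso_url at a local ISO; this verifies that the file really has
# the checksum the JSON declares, using the algorithm named in iso_checksum_type.
iso_matches_json() {
  iso=$(json_value "$1" iso_url)
  want=$(json_value "$1" iso_checksum)
  algo=$(json_value "$1" iso_checksum_type)
  [ -f "$iso" ] || { echo "ISO not found: $iso" >&2; return 1; }
  case "$algo" in
    md5)    have=$(md5sum "$iso" | cut -d' ' -f1) ;;
    sha256) have=$(sha256sum "$iso" | cut -d' ' -f1) ;;
    *) echo "unsupported iso_checksum_type: $algo" >&2; return 1 ;;
  esac
  [ "$have" = "$want" ] || { echo "checksum mismatch: have $have, want $want" >&2; return 1; }
}

# set_headless FILE
# The VBoxManage NS_ERROR_FAILURE workaround from step 18: flip every
# "headless": false to true in place and confirm at least one true is present.
set_headless() {
  sed -i 's/"headless": *false/"headless": true/g' "$1" && grep -q '"headless": *true' "$1"
}

# Usage: ./preflight.sh windows_2008_r2.json
if [ -n "${1:-}" ]; then
  nested_virt_status
  iso_matches_json "$1" && set_headless "$1" && echo "ready for: packer build $1"
fi
```

If the repo was cloned with sudo as in step 10, the JSON file is owned by root, so set_headless has to run with sudo too (or chown the clone to your own user first). Packer refuses to build on a checksum mismatch anyway, but checking the local ISO up front gives a clearer message than a failed build when the download was cut short or the JSON still carries the checksum of a different ISO than the one the path points at.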

Thank you to Jobert @ Hacker One

In 1986 when Blankenship, otherwise known as “The Mentor” wrote The Hacker Manifesto published in Phrack Magazine, I was ten years old. I didn’t hear of him until I was close to eighteen and started to really get into fixing computers and building networks. I subscribed to 2600, I donated money to the Free Kevin movement, went to and worked at computer shows on the weekends doing everything I could to be a part of the hacker culture. I built my first computer at sixteen and this was after failing my high school computer class. Like The Mentor, I was bored. My teacher was so frustrated with my horsing around that he said the most I’d ever be able to do was “flip burgers”. I smiled at him and went on my merry way knowing that he was dead wrong. I knew I was destined for greater things when at six years old when we got a microwave, a newfangled invention at the time, I cooked something in it without being told how to operate it. My entire life I had an affinity for everything electronic.

At 19, I was a manager of software and the help desk at the now defunct Family Golf Centers, Inc. I personally unpacked, turned on and configured over 160 Novell servers in three weeks and had them deployed to our pro shops working over the phone and in person with meager 56k uplinks.

At 23, I was the youngest systems administrator at Honeywell. They hired me to man the help desk. Two weeks later after the I Love You Virus hit and I programmed a custom button in Outlook to send out not only the fix but instructions to every single employee, I was given keys to seven kingdoms, or in our line of work, servers. They also let me play around with the AS400s. God, I miss those. I remember the day I became a Domain Admin for the first time. I was so proud! First password I ever gave out to a user was momoney. He was an accounting guy 😉

Yesterday I turned 41 and I still just have a high school education. This is not to say that college wouldn’t have been nice, I just couldn’t afford the *time* because while my other friends the same age were busy getting drunk while going to college, I was stuck in a server room trying to coax a Novell or NT server into playing nice with me. One time I got drunk at a bar in one of my company’s sports centers and the night manager was pouring coffee in my mouth and shaking me awake after the server went down and drunk as a skunk I fixed it.

Another time the floor above us sprung a leak and the ceiling was raining water down on my very expensive Lucent Merlin Legend PBX and I ran to a neighboring construction company’s office, stole a tarp from them and threw it over the damn thing before all was lost.

I was making the equivalent of $60,000 a year THEN with my “burger-flipping” equivalent of knowledge, if my H.S. teacher was to be believed, and I took my boyfriends out. They couldn’t keep up with me.

Since then I have been fortunate enough to have worked for Arrow Electronics, Symbol Technologies and Olympus of America, to name just a few.

Today I work for a forensics lab with some of the most amazing scientists, molecular biologists, chemists and brilliant minds this world has ever seen. I am not only their resident hacker and sysadmin but I’m also just a hacker who loves our craft dearly.

But nine years ago when I got back to hacking full-time (I was involved heavily in the scene in the late 90s, early 00’s), my life took a turn for the worst with the death of my stepfather. He got up for work on August 19th, 2008 and an hour later fell over and I was awakened by my mother screaming for me. I lived in the apartment downstairs. I ran upstairs to see her performing CPR on him. An hour after that he was gone.

Then the recession hit. I was out of work. Things got bad. They got so bad we had to suck the oil out of our pool’s oil tank during one blizzard because we ran out of heat. You know that heating program the former (now deceased) president of Venezuela, Hugo Chavez, had for poor people? Yeah, thanks to him we were warm that year. I don’t care that he was a tyrant. He kept my mother and I from freezing to death. I mourned him for the proper three days and every Winter, I say a silent prayer for him, in thanks. I am a witness to at least one act of kindness he did in his life.

I will spare you the gory details which followed in the subsequent years but suffice it to say, if something could go wrong in my life then, it DID. Every day it seemed like a new nightmare unfolded. I got my car repo’d, lost a temp job I took just to try and stay above water, was literally eating Ramen soup at night and trying desperately to keep my mother, who has an inoperable non-cancerous brain tumor which has caused her to go almost blind, from losing her mind as I was quickly losing mine.

I had a skill, you see, and I couldn’t fucking use it to save my immortal soul. I sent out applications EVERYWHERE. I got a rejection letter from Walmart where the hiring manager expressed surprise that I couldn’t find a job based on where I had worked previously. He thought I was trolling them. I called his office and begged him in a voicemail and said “I will clean your toilets. I don’t care. I just want to eat a piece of meat next week.”

He didn’t call me back. I don’t fault him for that. I wouldn’t have either. I sounded batshit insane. And, honestly? I probably WAS.

I came dangerously close to ending my life when we were forced to leave our home due to foreclosure. We had just three weeks left before the sheriff was coming to evict us when we FINALLY found a place to live.

You just could never know how soul-crushing it was to have been SO successful in my life and not be able to save my mother when she needed me the most. This is a woman who was told she would never have a child, she kept trying, gave me life, supported me through every scrape, every heartache and the ONE TIME she needs me, I was an epic failure.

Not that she ever said but I lost sleep every time I thought about how I must’ve been a colossal disappointment.

All my savings were gone. I sold every piece of jewelry, every computer, everything that had any SPECK of value and none of it came close to what was needed.

But then one night, five years ago now, bleary-eyed and exhausted from another horrible day that always repeated itself and never got better, I happened upon something written by Tavis Ormandy about this site Crackmes.de (It’s down right now but hopefully will be back up soon!) and how he reversed this app.

I had always been a fan of Tavis so if he was touting the site, I knew I had to be a part of it.

I immediately signed up and cracked my first crackme a week later. I jumped around, I was so excited!

The rest is too long to list. I’ve probably bored you enough already. Tavis recently followed me on Twitter and expressed gratitude for something I wrote to him. I was hysterical when I got the notification because he could never know what he did for me and what he represents to me, as a result.

I told him he was one of my personal heroes and what he doesn’t know is that he is as much responsible for saving my life as hacking in general is because if he hadn’t intrigued me with what he had written, I never would’ve tried to reverse the executable myself. I never would’ve done half of what I’ve done since if it wasn’t for him.

When I cracked that exe, I had hope again. I had a point of reference. Something to look forward to. Not the inevitable misery of the next day. Thank you Tavis. Really, man, you’re my savior!

Now let me tell you about another personal hero of mine and the true reason for this post.

His name is Jobert Abma. He is the Co-Founder of the bug bounty program coordinator company, Hacker One. And he is an amazing human being! Three days ago was Jobert’s birthday and he sent out a tweet saying that if we told him why we decided to become hackers, he would reward three of us with some really awesome swag.

Without thinking of how it might be perceived (and that it was the poor man’s birthday and I maybe shouldn’t be writing something as awful as I did), I wrote how hacking saved me from opening my wrists in a bath tub.

It was the truth. It was knee-jerk. Poorly timed. I felt horrible and said so to another hacker on Twitter that I should’ve checked myself. But Jobert’s tweet struck a chord with me. It was in that moment, reading it, that I remembered cracking the Crackme and how uplifting a feeling it had been. I said I owed hacking a debt and that is also true. It truly saved my life.

Jobert has since reached out to me and picked me as one of the winners of his amazing generosity!

I want to thank Jobert for believing in me, a complete stranger, and for taking the time out of what has to be a busy day for him to write me what he did. It was beautiful. I haven’t stopped crying some two hours later now after receiving the notification. Thank you Jobert!!!

The hacking community may be vast in numbers of actual hackers but we are still close-knit and we support one another. Look at how the community came together to support MalwareTechBlog Marcus Hutchins! I am amazed daily at all the awesome things hackers do for one another. At times it is a thankless job. Most of I.T. is, to be quite honest. We bust our asses, solving impossible problems, for individuals, who, through no fault of their own, cannot truly appreciate the gravity of our work and research because they don’t understand the technology they use which we are always on hand to fix.

But we do understand it and they need us, even if they don’t always like to admit that.

Jobert’s company, Hacker One, has a mission to bring hackers and companies together on a level playing field to ensure that hackers get paid a fair enough wage for finding vulnerabilities and companies don’t have to worry about 0-Days ruining their stock prices because some hacker didn’t disclose properly and RESPONSIBLY.

I’m not a marketing person and I probably did a terrible job of explaining what they do but please trust me when I say that what they do is very important.

I participated in Hacker One’s collaboration with the DoD during Hack the Pentagon.

They are good people.

Doing great things for humanity.

Support them and thank them, when you can.

In closing, I sent Jobert an email thanking him personally but I wanted the world to know how happy he made me tonight. This was the best birthday gift ever! If Jobert should ever need my help, he only need ask me and I’ll be there for him. Whenever. Wherever. Don’t care what it is, I told him I have a saying that we have to give back what we take.

So thanks again Jobert, from one hacker to another! Together, we do hit harder!

I will endeavor to use your gift to do good for the world like you do and hopefully make you proud!

https://www.hackerone.com


Installing Guest Additions in VirtualBox for Kali Linux Rolling


I just set up yet another VM with Kali (because I broke mine, which is typical; I do this several times a year and never take snapshots, I like to install fresh, saving tools/scripts in a shared directory) and had the “copy-paste between Host and Guest with Bi-Directional sharing enabled” problem (this means that despite being told to copy and paste between the two, it wasn’t), so I thought I’d share my notes on how I’ve gotten it to work in the past.

I first do this

 

 

If after this it doesn’t work, go to the Devices menu of your VirtualBox program window.

  1. Click “Insert Guest Additions CD image”. It creates a VBoxAdditions_(version of VirtualBox you are running)_(some number) CD image file on the desktop of your Kali Linux VM.
  2. Double click this and a window will appear.
  3. Right click and copy the VBoxLinuxAdditions.run file and paste it to your Desktop.
  4. Close out of the window.
  5. Open Terminal.

 

 

And you should now have a full screen (if that was your problem) and/or copy-paste between host and guest should now be restored.
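The terminal half of the procedure, after “Open Terminal”, as an added example script; it is not from the original post and not Oracle’s own installer. It assumes a Debian-based guest such as Kali Rolling with apt, that the Guest Additions CD was inserted from the Devices menu as described, and that it runs under sudo. The directories it searches for the installer (/media, /root/Desktop, $HOME/Desktop), the /mnt/vbox fallback mount point and the --install flag are this example’s own choices.

```shell
#!/bin/sh
# install-guest-additions.sh - added example, not from the original post.
# Assumes a Debian-based guest (Kali Rolling) and that the Guest Additions CD
# image is already inserted via Devices > Insert Guest Additions CD image.

# find_additions_run DIR...
# Prints the first VBoxLinuxAdditions.run found under the given directories
# (automounted CD under /media, or wherever the file was copied). Returns 1
# if none is found.
find_additions_run() {
  for d in "$@"; do
    [ -d "$d" ] || continue
    f=$(find "$d" -maxdepth 3 -name VBoxLinuxAdditions.run 2>/dev/null | head -n 1)
    if [ -n "$f" ]; then echo "$f"; return 0; fi
  done
  return 1
}

# install_additions - run as root (sudo)
install_additions() {
  # The installer compiles kernel modules, so it needs the headers for the
  # *running* kernel, plus dkms so they are rebuilt after kernel upgrades.
  apt-get update && apt-get install -y build-essential dkms "linux-headers-$(uname -r)" || return 1
  run=$(find_additions_run /media /root/Desktop "$HOME/Desktop") || {
    # no automount happened: attach the CD device by hand (example mount point)
    mkdir -p /mnt/vbox && mount /dev/cdrom /mnt/vbox || { echo "Guest Additions CD not found" >&2; return 1; }
    run=$(find_additions_run /mnt/vbox) || return 1
  }
  sh "$run" || return 1
  # shared folders are only readable by members of the vboxsf group
  [ -n "${SUDO_USER:-}" ] && usermod -aG vboxsf "$SUDO_USER"
  echo "done: reboot the VM so the new modules load and the group membership applies"
}

if [ "${1:-}" = "--install" ]; then
  install_additions
fi
```

Running sh VBoxLinuxAdditions.run without the kernel headers is the usual reason the installer appears to finish while the clipboard still does not work: the vboxguest module never gets built. After a successful run, reboot (or at least log out) so the modules and the vboxsf group membership take effect.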

The Power of Chaining Commands in Linux

This took me about two hours to fiddle with. I’m trying to get better at writing my own scripts and chaining commands instead of relying on the ready-made scripts of other hackers, to whom I am eternally grateful because without them I would never have learned how to even do half of what I do.

I thought I’d share with you a quick way I extracted info I needed from Searchsploit which is a great tool but once you find the exploit you’re looking for you have to specifically go into the directory where it is and then view the contents.

In Kali the exploits are in the /usr/share/exploitdb/platforms/ directory in a subdirectory for their particular language.

If you type it out it can get tiring and if you go through Nautilus it’s just as tiring to double click.

So I set out to see if I could get the info from these directories in one line in Bash.

For the purposes of our test, let’s say I want to search for exploits for Sendmail v 8. The first step is to see what we can see:

 

 

Eww. That’s way too much information.

Those Arbitrary Code Exec sploits look interesting. Let’s see just those using grep.

 

 

 

Okay that’s a little better but in order to get to each individual exploit I would have to type the following:

 

And that would get old fast. So I thought about how to do a bunch of commands that would create a script to do the following:

1. Search the tool Searchsploit for all Arbitrary Code Execution exploits for the program Sendmail 8
2. Cut the last few lines of each sploit with the paths to each filename
3. Append cat /usr/share/exploitdb/platforms/ path to the beginning of each line
4. Add a > character to the end of each line
5. Add numbers which increase by one to the end of each line
6. Create a script called “test.sh”
7. Give it executable rights
8. Then run the script it just created which would then dump the contents of each exploit file into four numerically sequenced files so I could view them.

 

In order to do this I had to find the column numbers for linux/local/…..

The final command structure is thus:

searchsploit Sendmail 8 | grep "Code Execution" | cut -c 195-220 | sed -e 's#^#cat /usr/share/exploitdb/platforms/#' | awk '{print $0">"}' | awk '{ print $0,NR}' | awk '{ print $0".txt"}' > /root/Desktop/test.sh && chmod +x /root/Desktop/test.sh && sh /root/Desktop/test.sh

 

In closing, this isn’t perfect and I realize that. Also, for some strange reason, after an hour of testing various things, the column numbers were changing on me. I do not know why. I’m really in the beginning stages of shell scripting and I know I can write a script which will extract all this information and put it into the four files as I like without having to run each of these commands.

I’ll work on tweaking this and doing just that next time but I had a need for a few exploits and I figured I would use this as a way to illustrate how powerful Linux is and how useful chaining commands really is.
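The script version that the closing paragraph talks about, as an added example (not the author’s one-liner). It keeps the same idea, turning searchsploit hits into “cat exploit > N.txt” commands, but splits searchsploit’s output on its “|” column separator instead of cutting fixed character columns, so the column numbers that kept changing (they depend on how wide searchsploit pads the title column for your terminal) no longer matter. It assumes the Kali layout from the post, /usr/share/exploitdb/platforms/; the sample output embedded below is constructed for illustration, not real searchsploit output.

```shell
#!/bin/sh
# dump_sploits.sh - added example, not the original post's one-liner.
# Turns searchsploit hits into "cat <exploit> > <N>.txt" commands by splitting
# on the "|" separator rather than fixed character columns.

# build_dump_script PATTERN PLATFORMS OUTDIR
# Reads searchsploit output on stdin, keeps lines matching PATTERN, and prints
# one "cat" command per hit, numbered in order. Header and separator lines
# have no "|" field (or a "Path" placeholder) and are skipped.
build_dump_script() {
  pattern="$1" platforms="$2" outdir="$3"
  grep -- "$pattern" | awk -F'|' -v base="$platforms" -v out="$outdir" '
    NF < 2 { next }
    {
      path = $NF
      gsub(/^[ \t]+|[ \t]+$/, "", path)   # trim the padding searchsploit adds
      sub(/^\.\//, "", path)              # older versions print ./linux/...
      if (path == "" || path == "Path") next
      n++
      printf "cat %s/%s > %s/%d.txt\n", base, path, out, n
    }'
}

# Constructed sample of what "searchsploit Sendmail 8" prints; the titles and
# paths are made up for this example.
SAMPLE='---------------------------------------------- ----------------------
 Exploit Title                                | Path
---------------------------------------------- ----------------------
Sendmail 8.6.9 - Arbitrary Code Execution (1) | ./linux/local/1.c
Sendmail 8.9.3 - Denial of Service            | ./linux/dos/2.c
Sendmail 8.11.6 - Arbitrary Code Execution (2) | ./linux/remote/3.c
---------------------------------------------- ----------------------'

# demo: print the generated commands for the sample instead of running them
demo() {
  printf '%s\n' "$SAMPLE" | build_dump_script "Code Execution" /usr/share/exploitdb/platforms /root/Desktop
}

# Real use: generate the script from live searchsploit output, then run it.
if [ "${1:-}" = "--run" ]; then
  mkdir -p /root/Desktop
  searchsploit Sendmail 8 | build_dump_script "Code Execution" /usr/share/exploitdb/platforms /root/Desktop > /root/Desktop/test.sh \
    && sh /root/Desktop/test.sh
else
  demo
fi
```

The generated script is the same shape as the one-liner’s, so the original chain of redirect, chmod and sh still applies; the only thing that changed is how the path is pulled out of each line. Because the numbering is done by the awk counter rather than NR, it only counts lines that actually produced a command, so a stray header that slips past grep does not leave a gap in the file numbers.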


Sendmail Gmail 2FA Python Script & More

Happy Hack Sunday! This is the day that I truly devote to our craft and do things on my To Do list. Which is a list of things I’d like to get done because I need them to get done or things which I’d just like to do for the fun of it and to broaden my horizons. This is also the day I patch my systems. Today I have a few things I’d like to discuss with you all. So let’s get started here.

—————-Linux Hacking—————-

I’d like to direct your attention to the e-book Linux 101 Hacks “Practical Examples to Build a Strong Foundation in Linux” by Ramesh Natarajan. I’ve found this text useful and have incorporated some of the techniques into my own Scratchpad notes that I plan to publish here on my blog later this year. It is a guide I’ve been steadily adding to over the last four years pertaining to hacking and CTF competitions.

Find it here: http://www.thegeekstuff.com/linux-101-hacks-ebook/

—————-Rastalabs—————-

Do yourselves a very big favor and put this site on your watchlist because you’re going to want to be a part of this when it goes live. I have followed hacker Rastamouse for the last four years and he is EXTREMELY gifted. You should also read his write-ups because his hacking is solid.

https://rastalabs.net/2017/05/21/progress-update-2/

—————-Rook & Bl4de not Razor & Blade———–

Speaking of gifted hackers, my Twitter pals Rook & Bl4de are two you should watch.

Rook does a lot of live streaming events where he demonstrates his talent.

https://www.youtube.com/channel/UCMACXuWd2w6_IEGog744UaA/videos

Bl4de is trying to get to number one on HackerOne’s top bug-hunter’s list and I’m convinced he will get there one day.

https://twitter.com/_bl4de

—————-HackerFantastic & x0rz—————-

Hackers HackerFantastic and x0rz had an interesting debate this week on Twitter about whether or not it’s “ethical” to “hack back” when targeted. Look through their feeds as well, because they are exceptional at what they do.

https://twitter.com/hackerfantastic

https://twitter.com/x0rz

—————-Sendmail Gmail 2FA Python Script——–

I was recently inspired to write a quick Python sendmail script (with help from StackOverflow) which allows me to send an email to multiple addresses AND uses 2FA with App Passwords through Gmail.

 

You want to change the following values:

Line 2: Change fromaddr= to the email you are sending it from
Line 3: Change the toaddrs to the email addresses you are sending the mail to. If you have more than two, add another comma after secondemail@gmail.com, then a tick mark ‘, the third email address, and a closing tick mark.

Line 5: Change the Subject to what you want
Line 7: Change “Testing” to the body of the message you want

Line 9: Change your username to your Gmail username
Line 10: This is important, in order to successfully authenticate you have to first create an “App Password” for Google’s Two-Factor Authentication 2FA process.

Google “Google App Password” and click the second link.
Create a “Mail” Password.
Name it Python or whatever you want to call it
Click Generate
Copy the password that it generates for you into Line 10. It can be with or without the spaces in it.
Name the script what you want just DO NOT call it “email.py”!

This will fail, as Python will think it is the existing email module named “email.py” on your Linux system, and if you have Kali Linux it definitely will.

Make it executable: chmod +x nameofyourscript.py

Run it: ./nameofyourscript.py or python nameofyourscript.py


—————-Amazon Infosec Book Contest————–

Hacker RoxyD https://twitter.com/theroxyd runs an ongoing Amazon book contest where you can either donate to her cause if you have extra Amazon credits or win the contest as I did along with some others in May.

Got a copy of HashCrack which went on my desk on top of the RTFM and BTFM manuals.

She’s very sweet and I just like her. Support her if you can, please.

—————-Closing—————-

I’m working on another boot2root challenge which I should be doing a writeup for next week or the following so look out for that. I have a bunch of hardware-related hacking I’m doing on my own and I’m also fixing some things for family and friends so my time is split for the next couple of weeks.

But I get to use my soldering iron so I’m happy about that!

As always, hack often and all the things! Thank you for reading!

How to Stop WannaCry Ransomware – Non-Technical Version

In this post, I attempt to consolidate the most salient pieces of information related to the global cyber-attack known as the “WannaCry Ransomware” in a way that is non-technical. I am just putting up links for non-computer savvy users to find the information fast because I’m noticing that there’s a lot of information being thrown at the public which I do not think they understand as evidenced by the fact that my private messages across many different outlets are filled with people asking what they should do to stop this on their own computers.

I hope this little bit I’m writing here helps the collective effort to stop this thing for good.

If I can help in any other way, my keyboard is at your disposal, my hacker brethren.

————————————
Foreword
————————————

Twenty-one years ago when I accepted my first M.I.S. position (they called I.T. that in those days), I took a silent vow that I would assist end-users to interact with their computers in a meaningful and productive way that would both demystify them and educate using whatever knowledge I had at my disposal; promising constantly to keep my skills current so I could help them not be so fearful of a machine that was created to automate tasks and make their lives easier.

Now, as a whitehat hacker, I uphold this vow and take it one step further in swearing to do all I can to keep these machines from harming the very people who use them and destroying their lives.

My God, this sounds like I’m rewriting the script to The Terminator but in those days computer viruses were easier to remove, they didn’t take down entire hospital networks and didn’t kill people.

It’s not my place to pass judgment but I just want to say to the hacker(s) who authored WannaCry, there is a line in the movie Jurassic Park which is so apropos here and I think you should learn the meaning behind:

Jeff Goldblum’s character, speaking about the dangerous science of cloning dinosaur DNA and bringing them back to life, says, “Your scientists were so preoccupied with whether or not they could, they didn’t stop to think if they should.”

————————————
What the heck is WannaCry?
————————————

It’s a self-replicating Ransomware infection which has piggy-backed code inside of it borrowed from the NSA which allows it to penetrate a system via the SMB port 445, execute on its own, fully encrypt a drive, delete all backups and then move onto the next in computer worm fashion.  All without needing a password or user intervention. Meaning, it infects you without your knowledge or consent and your password is useless in this particular scenario.

————————————
How to stop it from getting on my computer?
————————————

1. You will need to immediately update (what we call patch) your computer with the latest updates from Microsoft. It only affects Windows systems. The link to do this is below under the MS17-010 section.

2. You will need to fully update your anti-virus software’s definitions and make sure its Real-Time functionality is on and working.

3. Disable what is called SMB version 1.0. There is a vulnerability in the software which runs this protocol which gives hackers and this particular virus the ability to penetrate your system without your knowledge or consent. They do not need your password. They bypass passwords altogether.

4. You should block incoming traffic on port 445 on your firewall. You will need to look up instructions on how to do that as there are many firewalls out there and no one person can give you instructions for your particular one without knowing what it is. Port 445 is the port which SMB uses to communicate. I tell you how to do it in Windows Firewall below but you could be using other firewall software.

————————————
How to Disable SMB version 1.0
————————————

https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012

This article describes multiple ways to achieve this. Scroll down to “Windows Client: Add or Remove Programs method”.

————————————
How to Patch Your OS
————————————

MS17-010: These are the links to the patches for your respective operating system. Scroll down and look for your system on the left-hand side of the table. If you try to run an executable that is not for your system, Windows will not allow you to do so and will give you an error.

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

If for whatever reason this fails, run Windows Update and update through there.

————————————
How to Block Port 445 in your Windows Firewall
————————————

http://www.thewindowsclub.com/block-open-port-windows-8-firewall
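The three host-side steps above (check the MS17-010 patch, disable SMBv1, block inbound port 445) can be audited from one elevated PowerShell prompt. The script below is an added example, not part of the original post and not Microsoft’s code. It assumes Windows 8 / Server 2012 or later for the Set-SmbServerConfiguration and New-NetFirewallRule cmdlets and falls back to the LanmanServer registry value and netsh described in the linked KB article on older systems. The KB numbers are the MS17-010 updates as I know them; verify them against the MS17-010 bulletin linked above before relying on the list.

```powershell
<#
  Added example (not from the post): audit, and optionally apply, the three
  host-side WannaCry mitigations on a single Windows machine.
  Run from an elevated PowerShell prompt. Without -Apply it only reports.
  Assumption: the $ms17010Kbs list is correct for your OS; check it against
  the MS17-010 bulletin.
#>
param(
    [switch]$Apply
)

$ErrorActionPreference = 'Stop'

# 1. Is an MS17-010 update (or a later rollup that includes it) installed?
#    Get-HotFix only lists updates that register as hotfixes, so "no match"
#    means "run Windows Update and re-check", not necessarily "unpatched".
$ms17010Kbs = 'KB4012212','KB4012213','KB4012214','KB4012215','KB4012216',
              'KB4012217','KB4012598','KB4012606','KB4013198','KB4013429'
$installed = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Output "MS17-010: installed ($($installed.HotFixID -join ', '))"
} else {
    Write-Output "MS17-010: no matching KB found - run Windows Update and re-check"
}

# 2. Is SMBv1 enabled on the server side of this machine?
$smbCmdlet = Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue
$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
if ($smbCmdlet) {
    $smb1On = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    # An absent SMB1 value means SMBv1 is enabled (the default on older Windows).
    $smb1Value = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1On = ($null -eq $smb1Value) -or ($smb1Value -ne 0)
}
Write-Output ("SMBv1: " + $(if ($smb1On) { 'ENABLED' } else { 'disabled' }))
if ($smb1On -and $Apply) {
    if ($smbCmdlet) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $regPath -Name SMB1 -Type DWORD -Value 0 -Force
    }
    Write-Output "SMBv1: disabled (reboot required when set via the registry)"
}

# 3. Is there a Windows Firewall rule blocking inbound TCP 445?
$ruleName = 'Block inbound SMB (TCP 445) - WannaCry mitigation'
$fwCmdlet = Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue
if ($fwCmdlet) {
    $rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
} else {
    # netsh prints "Rule Name:" lines only when a rule matches.
    $rule = (netsh advfirewall firewall show rule name="$ruleName") -match 'Rule Name'
}
Write-Output ("Port 445 block rule: " + $(if ($rule) { 'present' } else { 'MISSING' }))
if (-not $rule -and $Apply) {
    if ($fwCmdlet) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    } else {
        netsh advfirewall firewall add rule name="$ruleName" dir=in action=block `
            protocol=TCP localport=445 | Out-Null
    }
    Write-Output "Port 445 block rule: added"
}
```

Run it once with no arguments to see where the machine stands, then with `-Apply` to make the changes. Keep in mind that an inbound block on 445 also stops other machines from reaching this computer’s shared folders and printers, which is the trade-off the post is asking you to accept until the patch is on.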

————————————
Backup
————————————

You should immediately do a full backup of whatever important data you would not wish to lose and disconnect the device you are backing up to from your computer so as to avoid any infection getting into your backup device and encrypting it as well, thus making the backup data useless.

————————————
What do I do if I’ve been infected?
————————————

Do NOT pay the ransom. All this does is give the author of this virus and other bad hackers the idea that people will pay to get their data back. It encourages them. Many times they take the money and don’t decrypt the data. This is a bad idea.

I don’t know what other computer experts would tell you to do but my advice?

Fully wipe your computer and restore from backup.

An infection this dangerous, I wouldn’t take the chance that all traces of it were removed by an anti-virus suite. If you have a clean system and can restore your data which hasn’t been encrypted, you’re good.

If you start to dismantle it piece by piece and leave one of its remnants behind, you could be exposing your computer to damage in the future. I wouldn’t chance it.

————————————
How do I prevent infections like this in the future?
————————————

I can’t predict what’s going to happen with the next virus any more than any other hacker or computer expert can but I can tell you this: to date, I’ve never had any system of mine infected, and I study malware code. I have live viral samples in a controlled environment.

The reason for this is prior to executing any file, be it from email, the web, etc, I virus check it TWICE both with my AV software on my computer and an off-site checker like Virus Total.

I do not follow links I’m unsure of and I will paste the URLs into Virus Total to get a sense of whether or not they are bad before I visit them.

I don’t like email so most of it I delete without reading. Even legitimate emails I receive. I’m lazy 🙂

Keep your system up to date with security updates and patches. Keep your anti-virus software up to date as well. Virus check all files.

But nothing is 100%. You can start by educating yourself on how to keep your computer clean from viruses by researching it.

————————————
Technical Info on WannaCry
————————————

Malwaretech is the AMAZING hacker who stopped the virus from spreading further by registering the domain hidden in its code!  He deserves an award, something, to thank him for his quick-thinking which saved lives!!!!

https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html

https://www.bleepingcomputer.com/news/security/honeypot-server-gets-infected-with-wannacry-ransomware-6-times-in-90-minutes/

https://arstechnica.com/security/2017/05/an-nsa-derived-ransomware-worm-is-shutting-down-computers-worldwide/

————————————
Conclusion
————————————

The moral of the story is there are just as many good hackers out there working to protect the masses as there are bad. The speed with which friends, colleagues of mine and other hackers I deeply admire and respect came together to stop this on a global scale is truly awe-inspiring.

When you see a hacker in the world, make sure you thank them. Even the bad guys too. Because without them none of us would be able to demonstrate OUR skill and illustrate how hard we work to keep the rest of you safe.

Any questions, comments? Find me on Twitter. Because, I delete emails, remember? 😉


Shout out to all hackerkind

I am so grateful for all the private messages I get from hackers all over the world who are kind enough to share their ideas with me and their love for our craft.  I appreciate these rare moments, getting to bond with them, who, like me, are for the most part, solitary creatures.

To the non-hacker we are God-like beings who wield powers they feel they will never understand. We do things with computers that most people never thought possible. Sometimes this uncertainty and misunderstanding leads to them demonizing us, in the MSM, on social media and even in face-to-face conversations. We are the invisible phantoms they fear.

Many of them aren’t even aware that there is such a thing as a “good” hacker as I know from personal experience because whenever I am asked what it is I do and I tell them, they start to laugh. Like this is a joke. Like, I, am a joke. Although I assure you, I’m not.

Then when I tell them this is a lifestyle, they give me strange looks and they start to liken it to bizarre subcultures they’ve heard about that have nothing to do with hacking. Because the word “lifestyle” tends to evoke stereotypical imagery in the heads of those who are ignorant.

But this is a way of life. It is my way of life. And it is yours, my fellow hackers.

This is the path we have chosen and we are necessary. They need us even if they don’t think they do. I know this because like many of you, I’ve made a career out of being able to fix computers and they can barely turn them on. So, I can’t be all that bad.

I spend a lot of time mentoring other hackers who are new to the game and are unsure. It is to them that I speak now.

I do not know everything and neither will you. None of us, even the ones who make the news and are famous, know everything.

Because as great as we are at hacking computers and networks, at the end of the day we are NOT computers ourselves and cannot store vast quantities of data and reference them in milliseconds when asked.

We are human.

When a computer fails at a task, it tends to spit out a lot of garbage and errors and gets very confused.

When we fail, we pick ourselves up and try again. Like The Mentor said way back in 86, our crime is that of curiosity. We can’t help ourselves!

A computer can only try again provided it has the instructions to do so.

The joy of what we do is in the discovery and the disappointments, as I say. I get frustrated just as much as the rest of you. There are days where I can root a system very quickly and many others where I go blank and don’t know how to proceed. It may take me longer than I think is necessary. I get down and out too.

But you cannot let this consume you and you must not let these feelings best you.

You are better than this.

Please trust me when I say, that you GOT THIS.

It may take you a day longer than you think but you’ll find your way.

And if you need someone to talk to or some friendly encouragement, come talk to me.

Project Avatar, Syntax Highlighting, Twitter

I haven’t written as much as I would like the last few months because I just started a new job and I’m trying to get acclimated to a new schedule, plus life got in the way. I’m also at a loss here as to what to write even though I started this blog with the intention I would write what I, personally, wanted to know when I started hacking but couldn’t easily find because it was scattered across the Interwebz like pages to some old grimoire someone wanted to keep hidden. But I get distracted easily so I lost sight of my goal. This particular post isn’t about hacking, per se, as it is part of setting up your environment. And not just your digital one either.

In previous posts I talked about things like making sure you have the right virtual lab set up for your projects, research and hacking. I didn’t go in-depth with it because I know I don’t have the perfect lab setup and I really shouldn’t be teaching this specific skill. I am sure there are many things I could do better with my labs. I know I don’t leak packets when I shouldn’t but beyond that I’m so into what I want to accomplish that I don’t pay as much attention to the minutiae as I should.

However, I recommend you take the time to learn properly prior to really getting in knee-deep here. This way you have a solid foundation and you don’t get lazy like me.

The good news is DA_667 (Twitter: https://twitter.com/da_667), otherwise known as Blind Seeker (web: https://blindseeker.com/blahg/), has done what the rest of us could not and has written a 447 page PDF called “Project Avatar” on how to do just this: set up a proper virtualization environment. So you should definitely start there. I haven’t read it all but what I’ve read has impressed me thoroughly. I really love what I see. Mostly that he obviously labored over this project for quite some time, stuck with it, and in the end gave us all something we can use as an excellent starting point in this area.

Before you read any further, if you’re not on Twitter, you need to be. I am a verbose individual so Twitter never appealed to me because of the 140 char limitation on posts. I love to drone on and on about the things which interest me and Facebook was my outlet. Unfortunately, all my friends and family aren’t really interested in reading that on Monday I soldered a component or that on Wednesday I ordered a logic analyzer so I could reverse engineer flash memory. No offense to them (and they would agree with me here), most of them can’t say oscilloscope let alone know what one does. Also, I’m sure that when they’re scrolling down their news feed seeing similar memes and reading how Grandma beat level 400 in Candy Crush, the LAST thing they want to see from me is, “Hey, I stayed out of prison today by not leveraging X vulnerability on X server!”

Twitter, however, has LOTS of people who not only know how to avoid incarceration but they can pronounce every strange computer sciencey type word you can too!

And most of them are super nice and accommodating to those new in the field of pentesting and infosec.

I should’ve joined years ago but I’m very happy I did at the tail end of last year.

So sign up and start making infosec pals!

One of the things I really wanted for my site which I recently implemented is something called syntax highlighting. This is code which highlights programmatic code (in its native prog lang colors) on the page so that the reader can see what it would look like in the terminal, if they were using it.

I don’t know why I wanted this so badly but a lot of other hackers have it on their blogs so I figured I should have it too. Plus it made the code stand out and look so organized. I hesitated to install it because I figured it would be this long drawn out process and I’d have to change all these variables and I put it off because of (surprise!) laziness.

Last week I finally forced myself to spend three hours doing it. This is what I told myself I was going to devote to its install and I wasn’t going to do anything else or get distracted because it was important I have the colors!

And…I installed it/configured it in 10 minutes.

I couldn’t believe how simple it was or how fast it all was. And the interface you use when you’re posting to WordPress for it is the CUTEST thing you will ever use in an editor, in my opinion.

So now I’m sitting here at my desk, blinking slowly at my screen, as I’m slowly going through the interface and checking out all the options and I’m just amazed. Even though I knew the end-result because I had spent those GRUELING ten minutes installing the damn thing, I was amazed at the power of a computer program to emulate what a terminal looks like on a webpage. I’m still amazed.

Anyway, it’s called Crayon.

And it is glorious.

You can get it here: https://wordpress.org/plugins/crayon-syntax-highlighter/

This is the documentation: https://github.com/aramk/crayon-syntax-highlighter

This is what the code looks like without it:

from __future__ import print_function

import time
import datetime
import threading
import os
import logging

try:
    import cPickle as pickle
except ImportError:
    import pickle

try:
    import hashlib
except ImportError:
    # python 2.4
    import md5 as hashlib

try:
    import fcntl
except ImportError:
    # Probably on a windows system
    # TODO: use win32file
    pass

And this is what it looks like with it (This is a Python script)


I’m not as good as Blind Seeker but I’ve been steadily working on a CTF Hacking guide I plan to publish here by late Summer. Just with a variety of techniques I use, where to find more, tools I use frequently and why and other stuff I picked up along the way.

It’s always going to be a work in progress because I’ll never be fully finished but when I do get it up here, I’d love feedback on it.

So that’s my quick update. In the next few weeks I’ll be posting more frequently.

Open Letter to Spirit Air, Lego, Avon, etc.

I looked at this quickly today and have NOT fully investigated this. Haven’t used any tools either. I want to clarify this and set it straight from the beginning. So there’s a lot missing but here’s what I know right now.

1. Something funky is going on with a third-party email marketing vendor that Spirit Airlines, Avon and Legoland and I suspect many other companies use.

and

2. I don’t think this is supposed to be happening. In fact, I think user information is at risk.

I don’t have a formal PoC or any other deep technical analysis because I’m at work and my boss just asked me to look into this because it’s my job as the resident hacker on staff. But I have other things I need to get to today so this is it for now.

At 8:00 A.M. EST this morning an email was received at my company (and many others on the web – there’s an active Reddit thread going on about it) where the contents said

http://forms.spiritairlines.com/ats/msg.aspx?sg1=1a746964b69a99cf83a8ec18a47 test carlos test new 09212016 test 3 test 4 – it is 4:50am carlos test 5/13 test 6/10 Test – 5 – Johnny @ XXXX Day 500 this is still a test they suspect nothing 8/12 test blah blah 9/9 blah blah test 9/30 Test 6 – Jhon R 😀 Test Jhon R 07152016 — Test Jhon R 08262016 ”’ Hope this is the final for this year 🙂 carlos test 2017 Jhon Test 🙂 carlos test 2/22/17 William Test 03/04/17 William Test 03/15/17 William Test 03/29/17

This is the Reddit thread in question

https://www.reddit.com/r/sysadmin/comments/62cm9l/spirit_airlines_newsletter_email_looks_compromised/#bottom-comments

So being a curious hacker I started to take a look at the email (the headers show it was sent from Spirit Airlines and the recipient at my company is subscribed to their email list), the Reddit thread and a variety of other things.

Here’s the curious things I found.

Searching Google with various combinations of “forms.spiritairlines.com” I came across references to former emails which have been sent to people subscribed to their mailing list but which have been published in a variety of ways all over the Internet.

I don’t know why people expose their info like this but they do and in this case this has enabled me to see the other weird thing about this.

The problem is it is possible to click on these links and see the messages which were sent to the users they were sent to. I realize it’s a general marketing email sent out to thousands but at the bottom of these emails if you click “unsubscribe” you can see the email address this particular message was sent to.

And that’s not a good thing.

The “SG1=” parameter with the correct hash brings up the email.

Now here’s where it gets weird.

It is possible to bring up other company website marketing campaign emails within ANY OTHER DOMAIN that has the same marketing email provider sent to other customers of theirs by appending different hashes to the end of the URL.

So basically I can bring up an Avon email sent to an Avon customer by appending the proper hash to the end of the URL Spirit Airlines uses to render ITS marketing emails to customers.

This should not be happening.

This is a Clark’s Shoes email sent to someone but you can pull it up on Spirit Air:

http://forms.spiritairlines.com/ats/msg.aspx?sg1=cb5f3014aee8b3b44654a8fb0af00d00

By Googling “/ats/msg.aspx?sg=1=” I was able to bring up a multitude of individuals referencing emails they received from different companies. Mostly on Pinterest.

Here’s an Avon email http://x.email2us.avon.com/ats/msg.aspx?sg1=98f1a0c781297ad027318847666628b5

Now take the tail end of it sg1=98f1a0c781297ad027318847666628b5 and append it to the original Spirit Air email and it comes up just the same as it does with its native URL

http://forms.spiritairlines.com/ats/msg.aspx?sg1=98f1a0c781297ad027318847666628b5

Now click Unsubscribe and you can see who it was sent to.

Here’s one for Legoland rendered through Spirit Air.

http://forms.spiritairlines.com/ats/msg.aspx?sg1=821d7fc3e0a74485035b0ecadf3f3613

I’m pulling it up on the URL for Spirit Air but it’s actually supposed to be on Lego’s domain.

So I think whatever 3rd-Party vendor Lego, Avon, Spirit Air and other companies are using have some things misconfigured and the Subscribe or Campaign app they are using uses a centralized database which can be accessed across domains.

Can’t say more than that because I’m out of time to look at this right now.

I don’t even know the provider.

But I know it’s not good for user data to be out there like this. One of the many ways that society underestimates us hackers is how easily we can Dox you based on information YOU put out there for public consumption.

You’d be terrified if I showed you what I can find out about you just using the pictures you post to your FB and Twitter and Instagram and Google’s Street View. I find where people live all the time because they don’t turn off GPS Location!

The less we know about you the better.

Pieces of information like email addresses and the contents of emails go towards what a user likes and enables us to build possible password lists to attack that person.

And since user psychology is always that MOST users use the same passwords across the board, this becomes dangerous and irresponsible of companies because they are helping us to hack their customers.

In this particular case, while I’m referencing hashes that have already been to the Internet, what if I was to build a list of hashes that I auto-generate and append them and see what comes up?

I’m willing to bet I can bring up all sorts of emails.

So, Avon, Clarks, Lego and Spirit Air, please sort out your email marketing campaign provider and have them check what’s going on.

I find it hard to believe the I.T. people at your respective companies don’t know what they’re doing. It is more plausible that this third-party vendor has something out of whack since it’s the common denominator between you all.

If I can be of service you can find me on Twitter @blackroomsec

Feel free to DM me there.

In closing, I know this is not responsibly disclosed but it’s already been put on Reddit and I’m not the ONLY hacker who is going to notice this. I’m just a good whitehat one. A blackhat might actively attack your domains seeing as this app is not functioning correctly and possibly dump databases if it’s vulnerable.

My review of PCBWeb Designer

In the interest of full disclosure, I’d like to say that PCBWeb.com was my second choice in PCB design software. Not because they did anything wrong but because I only learned of them when my first choice (who shall remain unnamed, no reason to badmouth anyone, trying to keep this blog positive!) failed epically. I’m so glad THAT relationship didn’t work out because I’m really happy now! 🙂

As I’ve said earlier, I have 32 gigs of RAM in my box. I have a GPU that can crack 7 billion passwords a second. A cryptanalysis (rainbow table) attack for me takes under a few minutes. And that’s running through a full set of tables, sometimes several charsets worth.

There should be zero reason why software isn’t running properly on my system.

And while I acknowledge that using new software the first few times makes me a novice, I’ve been building computers and fixing them since I was sixteen (I’m 40 now) and I’m also a hacker.

Which means I’m not a novice in the larger sense but I’m a situational novice in using whatever particular software I’m using for the first time.

I’m not saying I know everything, I don’t, but I know enough.

My first choice took FOREVER to load on my system and by minute ten it felt like it was insulting my intelligence. On purpose.

There were moments where aside from questioning if it was sentient and just toying with my emotions like an emotionally unavailable romantic interest, I started to glance at the clock and wonder if this was all a sick practical joke.

But, being headstrong and stubborn, I figured I’d keep at it for no longer than a half hour and if by then we couldn’t get along, it was time to throw in the towel and move on.

I didn’t quite fall asleep an hour later when it finally loaded and presented me with something vaguely resembling a GUI but my arm did.

Now, with pins and needles, I didn’t even bother to check if I had something misconfigured or what the real problem could be. I had very little interest in troubleshooting and you who are reading this should know that I always have a LOT of interest in troubleshooting considering I get paid to do that in my day job and always have my entire career.

I’m the girl they call when there’s no hope and everyone’s out of ideas. Real end-game, Chicken-Little scenario stuff.

For some reason, I was blessed with an innate understanding of most things computer and so as a result I’ve typically been given difficult obstacles which I’ve been lucky and fortunate enough to overcome. Yay! Go me!

While it may seem like I’m tooting my own horn here, I’m not, I’m just trying to give you an idea of the kind of troubleshooter I am and a general idea of my skillset.

I can do things. Lots of things. Never mastered how to do hospital corners on my bed but if you have some wacky little error on your screen and need help? You call me and I get it to play nice with your OS.

So having said that, I was disappointed because my mojo wasn’t rising with Option # 1.

After sulking for far longer than was appropriate given Option # 1 and I hadn’t spent all that much time together and they had made a bad impression, I went out in desperate search for a replacement. And that’s when I found PCBWeb and I’m not so disappointed anymore!

They are the PCB design software equivalent of the phrase “you have to kiss a lot of frogs before you meet your prince!”

In fact, I am so in love, I can fairly say that I’m in this for the long haul.

The install took under five minutes and that’s with reboot. The account setup took less than that and once I signed in, it started immediately.

Unlike their nameless competitor’s product which stalled ridiculously and caused me to re-evaluate if I had forgotten how to properly install software.

Sorry, I’m still a little bitter over it and I realize how asinine this must read but I’m being honest.

Now I’m not a PCB designer. I can’t even do Origami. But what I lack in creativity I more than make up for in the critical thinking department.

In this area of circuit board design I can say I am a novice and I admit it. But I’m learning and since I have a few breadboards and lots of parts, I want to get designing my little projects in an easy way that isn’t going to break my brain, my bank or test my patience.

I have enough in my brain as it is with what I have to know each day just to function as a quasi-responsible adult, the last thing I need is to have to learn new software, although I do all the time.

The side menu is very easy to use and I was able to drill down to what I was looking for very quickly which impressed me further. Even if I wasn’t fully aware of WHAT I was looking at, I have to say I enjoyed the experience because it felt like I was accomplishing SOMETHING.

I really enjoyed the “Bill of Materials” tab which is a running list of all the parts you selected for the board, their price and a link which goes directly to Digi-Key’s website so you can order them.

On another note as to aesthetics of the program, the font they used for the buttons is beautiful and was a pleasant surprise as it sets it apart from other programs.

The “Assembly Quote” feature was also appreciated as it brings you directly to Advanced Assembly’s website where you can get a free quote on your design.

Everything you need to get your circuit board created is at the click of a button in one place.

Easy. No fuss. And most importantly no stress!

Now I realize that we’re still in the honeymoon phase here but I can confidently plug this company and this software and recommend you try it out.

One thing I will say that caught my attention is the level of detail they provided with loads of features yet which doesn’t bog the software down nor make it seem impossible to learn.

This indicated to me that the team which worked on this software loves it like it is their baby and they really owned it in terms of designing it as efficiently as they did.

They all cared about it and it shows, is my point.

This, to me, is very important because if the creators of something don’t stand behind their work, if something should ever go wrong, it means they are not likely to stand behind you and help.

I would also like to point out that like any good dating prospect does the day after the first date, PCBWeb, the company, followed up with me on Twitter to thank me for tweeting about them and earned my instantaneous respect.

Just one little message from them reaffirmed my belief that I made the right choice. I really appreciate when companies reach out to their customer base as it illustrates they care about their product and the people who are using it.

I will be writing more about them in the future.

I’ll also be posting my designs.

If you would like to see what they are about (and I strongly suggest you do!) they can be found here: http://www.pcbweb.com/