[ Beneath the Waves ]
 
On The Outside, Reaching In, and She Wore A Mirrored Mask

My weekend project on and off since February has been a pair of penetration-testing tools. These are very early "preview" versions, but should work well enough to be useful for some people. I also wanted to be able to finally get some feedback on whether this was a useful direction to go in. It seemed to me like there was not a good tool in this space. Some might argue that there still isn't, of course :). They're both released under version 3 of the GPL.

On The Outside, Reaching In is designed to automate exfiltration of files from servers with XML External Entity ("XXE") vulnerabilities. It uses a Metasploit-style "module" system, because the specific mechanisms for exploiting this type of vulnerability vary too much for a generalized tool.

She Wore A Mirrored Mask is "a webserver with hidden talents" — it pretends to be something innocuous, but actually acts as a partner for On The Outside, Reaching In when using certain types of XXE exploit. In the future, it may do a lot more than that.

I included four detailed tutorials to get people started:

OTORI - Example 1: Apache Solr

OTORI - Example 2: Squiz Matrix

OTORI - Example 3: Mahara

OTORI - Example 4: McAfee ePO

 
A few updates

An article I had to cut from the last update due to time constraints has been finished: OTORI - Exploring the Linux Filesystem is about using On The Outside, Reaching In to obtain a variety of useful information from Linux hosts thanks to the pseudo-files in /proc and the special content in a few other locations. This article is the main reason for version 0.2.1 of On The Outside, Reaching In, which includes some lists specifically designed to scrape content from /proc on Linux target systems — see OTORI - Exploring the Linux Filesystem for more details.

I also did some cleanup of the articles related to On The Outside, Reaching In — the FAQ is now a separate document to make the main page less wordy, the Squiz Matrix tutorial (OTORI - Example 2: Squiz Matrix) notes that it (like Mahara) needs to be run on a system without certain very recent libxml2 patches to be vulnerable, etc.

 
On The Outside, Reaching In - version 0.3

Version 0.3 of On The Outside, Reaching In has been released. The main new feature is the inclusion of a pair of "generic" modules which can be used to exploit basic XXE vulnerabilities without having to wait for someone to write a full module. For example, if you can obtain content from a target system using the Burp Suite Repeater component, you can copy/paste your request into a template file, make a few modifications, and then be able to use On The Outside, Reaching In's features such as walking the filesystem (for Java-based targets), or doing blind reads of numerous files from a list. A detailed tutorial is available: OTORI - Example 7: Generic XXE Modules.
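The server-side weakness these generic modules rely on is a parser that resolves external entities declared in the document's DOCTYPE. The following Python example is added here and is not part of On The Outside, Reaching In or this page; it uses only the standard library's xml.sax parser. One constructed document declaring an external entity that points at a temporary file is parsed three times: with external general entities explicitly enabled (the weak setting), with them disabled, and with any DOCTYPE rejected outright. The element names, the file path and the "secret" string are all constructed for the demonstration.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax import handler
from xml.sax.handler import ContentHandler


class DtdRejected(Exception):
    """Raised by the hardened policy as soon as the input carries a DOCTYPE."""


class _TextCollector(ContentHandler):
    """Gathers every character event so we can see what the parser resolved."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


class _RejectDtd:
    """Lexical handler that refuses any DOCTYPE before a single entity is declared."""

    def startDTD(self, name, public_id, system_id):
        raise DtdRejected("DOCTYPE %r is not allowed in untrusted input" % name)

    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def parse_untrusted(xml_bytes, policy):
    """Parse XML with xml.sax under one of three policies and return its text content.

    policy="legacy"       explicitly enables external general entities (the weak
                          setting an XXE file read depends on)
    policy="no-external"  keeps DTD processing but never fetches external entities
    policy="no-dtd"       rejects any DOCTYPE outright (what to use for untrusted input)
    """
    parser = xml.sax.make_parser()
    collector = _TextCollector()
    parser.setContentHandler(collector)
    if policy == "legacy":
        parser.setFeature(handler.feature_external_ges, True)
    elif policy == "no-external":
        parser.setFeature(handler.feature_external_ges, False)
    elif policy == "no-dtd":
        parser.setFeature(handler.feature_external_ges, False)
        parser.setProperty(handler.property_lexical_handler, _RejectDtd())
    else:
        raise ValueError("unknown policy: %r" % policy)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.chunks)


# Constructed stand-in for a local file the parser should never disclose.
SECRET = "top-secret-token"


def demonstrate():
    """Write the constructed secret to a temporary file, build a document whose
    DOCTYPE declares an external entity pointing at it, and parse that document
    under each policy. Returns a dict of policy -> collected text (or "rejected")."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w", encoding="utf-8") as fh:
            fh.write(SECRET)
        doc = (
            '<?xml version="1.0"?>\n'
            '<!DOCTYPE data [ <!ENTITY secret SYSTEM "%s"> ]>\n'
            "<data>&secret;</data>\n" % secret_path
        ).encode("utf-8")
        for policy in ("legacy", "no-external", "no-dtd"):
            try:
                results[policy] = parse_untrusted(doc, policy)
            except DtdRejected:
                results[policy] = "rejected"
    return results


if __name__ == "__main__":
    for policy, text in demonstrate().items():
        print("%-12s -> %r" % (policy, text))
```

Under the "legacy" policy the secret file's contents come back as ordinary text, which is exactly what a tool like On The Outside, Reaching In harvests; the other two policies return nothing or refuse the document. Python 3.7.1 and later already disable external general entities in xml.sax by default, so the "legacy" branch has to switch the feature on explicitly; the example keeps both settings explicit so the behaviour does not depend on the interpreter version. Rejecting the DOCTYPE altogether is the simplest policy to audit, and for application code the defusedxml package or lxml's XMLParser(resolve_entities=False) give the same effect.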

 
SonicCare® lock picks and Christmas pudding

I've finally gotten around to posting a couple of experiments from the last two years: SonicCare® Lock Picks (an experimental tool), and a recipe for a vegetarian (or vegan), gluten-free version of British-style Christmas Pudding.

 
Thermal imaging

Another update I've had on my list for a while — I obtained a FLIR E4 thermal imager in early 2014 and used the modification developed by Mike Harrison and company to bump it up to 320x240 resolution. I've added several sets of Thermal Imaging Examples, and the Thermal versus Near Infrared article has been updated.

 
A British accent for your Android phone

A few weeks ago I discovered how to Give Your Android Phone A British Accent — and that it's possible to compel it to speak arbitrary text. I think you'll agree that the results are pretty great.

 
Unofficial ShellShock logo/symbol

Like several other people, I'd read over the last few days a number of comments about how the fantastic ShellShock vulnerability disclosed this past week wasn't quite as cool as Heartbleed because it didn't have a custom logo, and decided to do my part to help remedy the situation. Consider it my tribute to Stephane Chazelas' work.

License: Creative Commons Attribution-ShareAlike CC BY-SA

A few of the other unofficial logos/symbols I've seen:

 
Wax seal, etc.

I went to Metrix on Capitol Hill in Seattle on Thursday, 2014-10-02, and had a wax seal made out of my personal symbol using a computer-controlled laser. You can see some photos and whatnot in the What Does This Symbol Mean? article. Metrix is a great place, and their rates are outstanding. I thought it would cost $50-$100 to have that seal made, but it was actually more like $15-$20.

 
Yield-Focused Vulnerability Score

I've been building an experimental vulnerability scoring system designed to give more accurate results (especially for penetration testing) than other existing systems (e.g. CVSS). You can read about it in the Yield-Focused Vulnerability Score (YFVS) article. The live YFVS 0.4 score calculator includes some fancy radial bar graphs that I'm pretty pleased with. You can read more about those in the Nightingale Charts article.

I am definitely looking for feedback on the scoring system — it is most certainly a work-in-progress.

 
Mimikatz 2.0 Golden/Silver Ticket Walkthroughs

Back in October I had the opportunity to see Benjamin Delpy (the author of Mimikatz) give a presentation on the new features in the 2.0 alpha release of that tool. I haven't run across any walkthroughs that I really felt conveyed the power of the "Golden Ticket" and "Silver Ticket" functionality, so I made some of my own: Mimikatz 2.0 - Golden Ticket Walkthrough and Mimikatz 2.0 - Silver Ticket Walkthrough. Forge your own Domain Admin tickets! Inject XSS attacks into upstream logging/monitoring systems! Corrupt forensic evidence! Misuse trusted web applications to alter the membership of privileged domain groups!

But some of you already knew about all of those things. What about using the Silver Ticket functionality to launch brute-force or dictionary attacks against the password for trusted service accounts used to run SPN-enabled web applications, even if the target domain locks out accounts after some number of failed login attempts? That's covered in Mimikatz 2.0 - Brute-Forcing Service Account Passwords.

 
 