The allegedly weekly roundup of notes – Jan 21st, 2022

Following on from last weeks entry, we have another weekly roundup of stuff I’ve been reading.

If you are reading this, it meant I stuck with a habit for more than a week. Fucking go me, consistency.

Using ikeforce to hack IKE VPN’s.
You know when you are doing a pentest, or otherwise trying to own someone, and you come across an IKE VPN? And usually it ends up in the report as some informational or medium risk entry about “aggressive mode” and amounts to fuck all else?

Well, turns out Spiderlabs had not only a good tool for testing further (ikeforce), but also a bunch of blog posts on how to go about compromising networks using it. That are lost to link rot, because Trustwave can’t be trusted to keep a fucking blog online properly. The content is still accessible on the Trustwave site, but not via the original links.

Luckily, the Internet Archive is here to help. Part 1, Part 2, Part 3. It walks you through using ikeforce and ike-scan to go from no access whatsoever to gaining access to networks for further exploitation.

With apparently over 3 million IKE servers online (per Shodan), this oft-ignored technique could enable someone to perform a whole lot of interesting shenanigans.

I also found an excellent resource on the topic of testing/exploiting IKE implementations here.

The story of Geert Jan Jansen, master art forger.
Look, I like art crime. This story about the life and crimes of of Geert Jan Jansen, an absolute fucking gigachad at art forgery, is worth your time reading. It is phenomenal.

I won’t spoil it, so I won’t write much here at all, but this is a fantastic piece of writing about an absolutely prolific – and successful – art forger.

Intranasal B12 administration.
Came across this pubmed article on intranasal B12 administration as a safe and effective way to handle deficiencies in a reddit thread discussing extraction of cobalt metal from B12 by, well, just incinerating it basically.

While the required amount of B12 is absolutely tiny (a milligram or so is more than enough), it did result in a rather amusing set of thoughts that I’ll share for your entertainment.

A side effect of doing a fuck tonne of balloons of nitrous oxide is depletion of B12, which can cause a kind of “hangover” of sorts (brain feels slow). Given intranasal seems to be a perfectly fine route of administration for B12, and people who tend to cane the balloons of nitrous also (generally) enjoy the idea of doing a few lines… It all just fits together all too well.

While racking up lines of B12 probably isn’t what the authors of the paper intended, the mental picture is too funny to not mention.

Yes, another SonicWall remote root.
Ok, so this ones post-authentication, and gets a root-shell on the device. Post authentication makes it somewhat less interesting, but it does give you a good possibility for doing further research on the device itself (for example, to debug the pre-auth unprivileged code execution exploit, from the same chap, that I mentioned in last weeks post. The writeup is here.

TL;DR: post-authentication shell command injection. Probably one of the most common findings with appliances and IoT devices, in my experience. It turns out that filtering shell metacharacters before passing to the shell is genuinely kind of hard.

The associated Metasploit module uses a normal enough command stager using echo or printf to drop a binary and execute it.

Order of addition in chemistry is important (sometimes).
No exact link for this one, more of an observation. I was reading through various writeups on some forums, and noticed something interesting.

The method to prepare a solution of hydrazine, and the method to produce semicarbazide, are closely related – the preparation of hydrazine is well documented by amateur chemists as part of the process of making luminol.

By slowly adding a solution of urea to sodium hypochlorite, you produce hydrazine in solution. Usually, if you don’t want the hydrazine to decompose due to metallic impurities, you add gelatin. You can then isolate the hydrazine by adding sulphuric acid, precipitating it out as hydrazine sulphate.

Turns out if you do it backwards, adding sodium hypochlorite to a urea solution, things behave differently, and you get semicarbazide. The formed hydrazine reacts with the massive excess of urea almost immediately, forming the semicarbazide. This can be isolated by adding hydrochloric acid and precipitating it out as the hydrochloride salt. You don’t need the gelatin this time, as the hydrazine decomposing isn’t an issue.

Semicarbazide can also react with more hydrazine to form carbohydrazide.

Anyway, the lesson from this is pretty simple: even in pretty simple lab procedures, doing things in the correct order is of the utmost importance – mixing things in the wrong order or taking shortcuts can lead to unintended side reactions, or entirely different products forming.

Which may be extremely harmful to ones health or sanity, depending on how wrong it goes.

Australian man goes all the way, makes super concentrated hydrogen peroxide.
One of our absolute favourite content creators, Tom of Explosions&Fire / Extractions&Ire, has resumed making “main channel” videos after a lengthy hiatus caused by a PhD, etc.

In his first (main channel) video since the break, he uses vacuum desiccation, fractional freezing, and some other shenanigans to super-concentrate some hydrogen peroxide.

Watch the video here.

If you aren’t familiar with what ultra-high concentration hydrogen peroxide is used for, well, you clearly haven’t read Ignition yet. I review it here, its worth a read. Hydrogen peroxide at that strength is not only an insanely powerful oxidiser, but also can be used as a monopropellant as it will more than readily decompose into hot steam and oxygen gas. The Germans used it in their V2 rockets during the second world war, as well as some of their insane rocket planes.

A Decent Guide to SSH Tunnels.
“Opsdisk” published a pretty decent guide to SSH tunnels. It does have an upsell of some labs/training, which kind of bugs some folks, but honestly – its a pretty decent tutorial on using ssh -L, ssh -R, and ssh -D – all topics that often confuse people. It also covers some useful pivoting stuff like netsh on Windows, rinetd, etc.

It is one of the few places where I’ve seen someone else use remote port forwards with -R to grab callbacks locally with a remote box acting as a “listener”, an extremely useful technique when pivoting through bastion hosts, jumpboxes, etc.

An RFC3514 implementation (as a backdoor) for Linux.
Ok. So this really cracked me up. Someone wrote an iptables backdoor/modification that just allows any traffic through if the traffic has the “evil bit” set.

For those who don’t know, RFC3514 is a “joke RFC” that states that all “hacker tools” must set a TCP header flag to “1” denoting the traffic they are sending is malicious, so that security software can drop those packets.

A tool for exploiting the ubiquitous Cisco phones.
Those Cisco phones show up on almost every other internal pentest. TrustedSec have released some work and a tool that enables you to perhaps use these devices as a means to gain further access to networks.

Some of the tricks are quite neat, such as dumping all the configs from the configuration management server, exploiting a very common misconfiguration to gain access to the configuration management server, and exploiting a feature of the configuration management server to leak some active directory credentials.

Well worth keeping this in your arsenal as a means of gaining access to AD environments when your foothold is outside the AD environment.

Standing Well Back – A blog about IED/EOD stuff.
As a fan of the more technical aspects of military history, this blog is honestly one of the best things I’ve come across. It is by a British chap, who as I understand it, was an ordinance disposal officer posted to Northern Ireland during the tail end of the Troubles.

It is full of fascinating technical details and discussion around IED technologies from the past and present. Well worth a read.

GoKrazy – an interesting way to reduce attack surface.
I came across this project, which is intended for distributing/running Golang applications. It basically packages the entire app into a minimalistic system image, consisting only of the Linux kernel, your application, and a minimal init system that acts as a supervisor to ensure your app remains running.

It is intended for building apps to run on the Pi, but I suspect it would also work fine on Oracle Cloud’s ARM servers.

This is a rather interesting way to reduce attack surface – if all the server does is literally run your app, and has nothing else on it, the options for an attacker become much, much more limited.

That wraps this week, to be honest. I’d planned to post this on Friday, but forgot, so its a day late.

Lets see if I can get three weeks in a row, eh?

%d bloggers like this: