The allegedly weekly roundup of notes – Feb 11th, 2022

So far I seem to actually be able to keep this somewhat up. Neat. Remember how I said “allegedly” though? Yeah, I skipped a week. This originally was meant to go out on Feb 4th, but I ended up being busy as. So I just changed the title to the 11th and rolled with it.

I had more stuff to add, but lacked time to properly write it up. So into the backlog it goes for future weeks.

No SonicWall this time, I think. They could mess up close to publication time and get featured again though. Instead I make fun of Cisco’s login logic in their RV320 router and promise to release an updated toolkit sometime.

You may notice that drug policy is something I bring up quite a lot in these. Honestly, I might end up writing some longer form stuff on that topic as it’s something I care about quite a bit, and drug policy in Ireland needs a serious fucking overhaul. The promised Citizens Assembly on the matter has been yeeted off to the backburner again by the incompetents in power, because they just don’t want to deal with it.

As always, you can find the academic papers on a certain Hub of Science. Because I live in permanent fear of Elsevier’s legal strike force dropping a megaton of lawsuits from orbit onto my head, I won’t be linking directly to that.

No evidence that Naloxone availability increases opiate abuse.
Some murderous fuckwits think that readily available Naloxone somehow creates a moral hazard or enables opiate addicts, by… Saving their lives in the event of an overdose.

So, here is a study that rigorously tested this theory based on data, and found that no, Naloxone availability did not contribute to increased opiate use. It did, however, prevent addicts who overdosed from dying, and reduced strain on emergency rooms.

I am personally of the opinion Naloxone autoinjectors or nasal sprays should be available to anyone and everyone, cheaply or freely, over the counter, no questions asked. It is a safe way to prevent someone suffering an opiate overdose from snuffing it. Something I would really like to have in my first aid kit, given how common opiate abuse has become.

While availability is improving in the US and Canada, over on this side of the pond I can’t seem to source it at all, and importing it seems like a fantastic way to end up in a quagmire of legal problems. Apparently there was a pilot scheme of take-home naloxone at one point run by the HSE, but bugger all since then that I can find.

The only reason to be against general availability of this life saving intervention is that you think addicts should just fucking die.

15 years of Torbrowser.
This is an interesting blogpost from the Tor project about the development of the Tor Browser Bundle over the last 15 years.

It is a good look at how the package evolved and became more user friendly – and contributed to enhancing the security of Firefox itself.

It is kind of neat how over time, they removed various potential footguns from the browser bundle, such as deprecating the “Torbutton” extension entirely because it allowed users to shoot themselves in the foot. Relevant infosuck comic below.

been there.

It will be interesting to see how the Tor browser bundle evolves (along with the rest of the Tor ecosystem) going forward. The pure-Rust implementation of Tor is particularly exciting, though most of the features I give a fuck about (hidden/onion services) don’t seem to be coming along anytime soon, and don’t seem to have funding either. I am very hopeful that changes.

Pass-the-hash as a feature: Cisco’s RV320 login process.
Some of you may be familiar with this exploit/toolkit I wrote a long time and a different Github account ago, based on some advisories by Redteam Security.

I’ve been rewriting the toolkit lately, to implement some features I wanted to add back then, and realised I never really explained how the magic login stuff works.

So on a lot of Cisco shit, the web passwords are stored hashed with MD5. However, for some absolutely insane reason, when the user logs in with their browser, the password is hashed client side (in the browser) using JavaScript, usually with a static auth_key embedded in the login page acting as the “salt”, and only the hashed value is sent. The device compares this with the stored hash, and if they match, you get logged in.

The following lines in “exec_cmd.py” show how the password hash is computed from the password.

    import hashlib

    password_hash_plain = password + auth_key  # auth_key is embedded in the login page, acts as "salt"
    password_hash = hashlib.md5(password_hash_plain.encode()).hexdigest()  # yeah, really.

What is extremely bizarre is that the password is also sent base64 encoded in another parameter, but doesn’t seem to get checked against anything. I’m not sure what the fuck the engineers were smoking when designing this insane login process.

This completely nonsensical pattern is copied by a few other vendors too – it’s not unique to Cisco. I have absolutely no idea why they wouldn’t do the hashing on the device itself, but someone suggested to me that it may be considered too computationally expensive and potentially a DoS vector, given these things run on potato CPUs. One MD5 per login attempt is not what brings a router to its knees, though, and the price of doing it client side is that the stored hash becomes a password-equivalent: the device never sees the plaintext, so anyone who can read the hash can log in with it.

With the “easy_access” exploit, we use the configuration-leaking bug to dump the password hash from the device, and then craft a login request that sends over the hash, effectively performing a pass-the-hash attack. We don’t need to crack the hash or know the plaintext password at all!
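To make the difference concrete, here is a toy model of the two designs, written for this post as an added example (it is not code from the toolkit, from exec_cmd.py or from Cisco): the RV320-style check described above, where the browser submits md5(password + auth_key) and the device compares it with its stored copy of the same value, beside the server-side hashing the device should have done. The auth_key value, the password, the method names and the dump_config() stand-in for the configuration leak are all made up for the illustration; they are not the real parameter names or values.

```python
import base64
import hashlib
import secrets

# Constructed stand-in; the real login page embeds its own static auth_key.
AUTH_KEY = "0123456789"


def client_side_hash(password, auth_key):
    """What the login page's JavaScript computes: hex(md5(password + auth_key))."""
    return hashlib.md5((password + auth_key).encode()).hexdigest()


class ClientHashDevice:
    """Toy model of the RV320-style check described above (not Cisco code).

    The device keeps hex(md5(password + auth_key)) and accepts a login when the
    submitted value equals it. Because the browser does the hashing, the stored
    value *is* the credential: whoever can read it can log in.
    """

    def __init__(self, password, auth_key):
        self.auth_key = auth_key
        self.stored_hash = client_side_hash(password, auth_key)

    def dump_config(self):
        # Stand-in for the configuration-leaking bug: the attacker gets the hash.
        return {"auth_key": self.auth_key, "admin_hash": self.stored_hash}

    def login(self, submitted_hash, password_b64=None):
        # The base64 copy of the password travels along but is never checked,
        # matching what the post observes about the extra parameter.
        del password_b64
        return secrets.compare_digest(submitted_hash, self.stored_hash)


class ServerHashDevice:
    """Hardened form: the browser sends the password itself (over TLS) and the
    device hashes it with a per-device random salt and a slow KDF. A leaked
    hash is now just a hash; you still need the password."""

    def __init__(self, password, iterations=50_000):
        self.salt = secrets.token_bytes(16)
        self.iterations = iterations  # tune per device; one PBKDF2 per login is cheap
        self.stored_hash = self._kdf(password)

    def _kdf(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, self.iterations)

    def dump_config(self):
        return {"salt": self.salt.hex(), "admin_hash": self.stored_hash.hex()}

    def login(self, password):
        return secrets.compare_digest(self._kdf(password), self.stored_hash)


def pass_the_hash(device):
    """Replay whatever dump_config() leaks as the login credential, never
    learning the plaintext. Works against the client-hash design only."""
    leaked = device.dump_config()["admin_hash"]
    return device.login(leaked)


def browser_login(device, password):
    """A legitimate browser login against the client-hash device: hash with the
    page's auth_key, and send the pointless base64 copy alongside."""
    submitted = client_side_hash(password, device.auth_key)
    return device.login(submitted, base64.b64encode(password.encode()).decode())


if __name__ == "__main__":
    weak = ClientHashDevice("correct horse", AUTH_KEY)
    strong = ServerHashDevice("correct horse")
    print("client-side hashing, pass-the-hash works:", pass_the_hash(weak))
    print("server-side hashing, pass-the-hash works:", pass_the_hash(strong))
```

Note that the weakness has nothing to do with MD5 being old and busted: swap in SHA-256 client side and the leaked digest is still a password-equivalent. The fix is where the hashing happens, not which hash is used.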

Once we have our logged in session, all the post-authentication attack surface is wide open to us, so we go on to exploit the rather trivial shell command injection bug present, to gain code execution.

I’ll hopefully publish a rewrite of the full toolkit sometime in the future, as there are a good number of things I want to change about it, to make it more reliable and suchlike.

I would also like to extend the toolkit to exploit some newer issues in the Cisco Small Business line of router/VPN appliances, add some robust version fingerprinting logic, fix some issues with the login logic that fails sometimes for no good reason, etc.

Classification of carfentanil synthesis methods based on chemical impurity profile
When illicit drugs are manufactured and distributed, they usually contain some impurities from the production method. Purification to the point where these would not be realistically detectable is not practical for the illicit laboratory, and also isn’t necessary.

Depending on the route used to manufacture a synthetic drug (or any other compound), the side products and impurities present will be different. Impurities in intermediate compounds or precursors will “carry forward” to some extent and show up in the final product. This allows for quite powerful “fingerprinting” of the route of synthesis by analytical chemists based on the impurity profile. If you know how it was made, you can then narrow down who could have made it based on access to specific precursors and suchlike.

This paper, recently published, shows how they did this for the synthetic opioid drug carfentanil. Carfentanil isn’t just any synthetic dope, it was infamously used in that hostage crisis in Moscow in 2002 to incapacitate everyone involved, killing quite a number of people (yes, including the hostages). As an aside – the opening of the movie Tenet seems to borrow heavily from this tragic incident. Due to its absurd potency and proven potential for use as a chemical weapon, carfentanil is of extremely serious concern to the authorities, and the OPCW (Organisation for the Prohibition of Chemical Weapons) takes serious interest in the material.

How they did it is pretty interesting. They took some known routes to synthesise the stuff on a lab scale, and had multiple chemists perform the reactions, to give them a varying set of samples from different chemists and different routes. Not all chemists are created equal, so this additional variable adds a few more bits of entropy to how much impurity ends up in each sample. They even used different suppliers for the starting material. These products were analysed and used as a training set. Following on from this, they applied the samples to various surfaces, left them a while, and took samples following the sample collection protocol used by the Swedish military’s CBRN people, and analysed these samples. This emulates the conditions in which samples would be collected after, say, a terrorist attack using carfentanil.

The collected samples were analysed, and compared with the training set, to see if they could work out which samples corresponded to which synthetic route. The end result was that yes, their modelling worked, and they were able to determine based on “crime scene samples” what route was used to produce the carfentanil.

This kind of paper is fascinating to me, as it is pretty close to one of my proposed final year projects when I was studying forensic science. My project plan was to acquire a bunch of samples of a certain drug (specifically, MDMA), analyse them using all the fancy machinery available in the analytical lab, and then prepare a few samples myself using a few different methods and see if I could draw any inferences from the “in the wild samples” based on impurity profiles. For obvious enough reasons, when I suggested this project, I was told no due to the whole “manufacturing illegal drugs” aspect of it.

Another reason why it’s fascinating is that this kind of research has a lot of parallels to binary reverse engineering conducted by computer security researchers. Identifying an unknown compound, reverse engineering how the fuck it was possibly made (and from what), etc, is all incredibly similar to binary reversing.

Electrochemistry, MDMA, 2C-B, in-situ derivatization, and drug sample detection? Oh my.
In the same edition of the Forensic Chemistry journal, I saw this open access paper, which really caught my attention. It turns out that with rapid on-site drug testing, discerning between MDMA and 2C-B can be rather difficult, with certain tests for MDMA showing false positives when the sample is actually 2C-B. Of course, they can be easily differentiated between back at the lab with all the fancy gubbins, but this poses a real problem in field-testing conditions such as at music festivals or nightclubs.

Music festivals or nightclubs? Drug testing? What? Well, in the UK, an organisation called “The Loop” offers free, rapid tests of your drugs at some music festivals along with advice. So you can bring a sample of your dodgy pills in, they check them and tell you what they are, and you get to make an informed choice on whether you should neck them or not. In the Netherlands there are similar initiatives. The testing also comes with advice from a health professional telling you how to reduce potential harm to yourself, and suggesting maybe you shouldn’t be munching on dodgy yokes.

This kind of practical harm reduction is far better at reducing the incidence of overdoses and other bad outcomes at music events and suchlike than just saying “don’t do drugs, kids”. People are going to take drugs, the best option is to make the whole thing safer. It also allows gathering useful information for healthcare professionals and law enforcement agencies about what kinds of drugs actually are out there.

Anyway, back to the paper. There is a method of rapid detection/analysis of drugs under field conditions that I had never heard of before involving an electrochemical sensor. The drug sample is mixed with an acetate buffer solution, and placed on this special little device with a silver and carbon set of electrodes. A square-wave voltage is applied across it, the current response measured, and an electrochemical profile built for the drug. It turns out that this method is actually pretty good. Except, in the case of 2C-B and MDMA, where their profiles are incredibly similar.

This method is used over IR/UV/Visible spectroscopy because often drugs are mixed with a dye, such as the brightly coloured pills you find, or the cutting/bulking agents and binders interfere. It is also apparently fairly cheap.

In order to differentiate between 2C-B and MDMA, the researchers found that by adding formaldehyde they could selectively methylate the 2C-B (and not MDMA), forming a derivative product that had a sufficiently different “profile” that you could tell it apart from the MDMA. Even better, you could do this in-situ by just mixing the sample with some formaldehyde, adding the buffer, and away you go.

The paper mentions that discerning between MDMA and 2C-B is quite a useful capability to have, because often the two drugs are mixed up. “Ecstasy” pills, traditionally containing MDMA, may contain 2C-B instead. Being able to make a rapid determination in the field is absurdly useful.

They helpfully name who supplied the electrodes and measurement kit, so maybe I’ll email them asking if I can buy some, sometime. I have no real use for a rapid drug identification system, but it probably has other interesting applications for substance identification, and the technology behind it seems awful fun to play with.

Elsevier embedding tracking metadata in PDFs, with world’s dumbest excuse.
Elsevier got caught embedding tracking codes in PDFs of journal articles. Their PR flacks claim this is to, uh, prevent ransomware?

In reality, it is to track down which accounts at academic institutions are sharing journal access with services such as Sci-Hub.

Elsevier consistently likes to make baseless allegations that Sci-Hub is a threat to the security of academic institutions. Elsevier shills have even made allegations that Sci-Hub or its supporters use malware, phishing, stolen credentials, deception, fraud, and outright criminal means to obtain access to journal articles. Furthermore, they even have made claims that browsing the Sci-Hub site or downloading articles from it poses a grave threat to ones security.

All of which is largely bollocks*. Elsevier and their ilk are shitting it that their bottom line is being impacted. For too long they have made good money acting as a toll collector, shaking researchers down for access to scientific data, while providing fuck all of actual value themselves. Kind of like landlords, but for knowledge. People freely sharing knowledge without them getting their fee hurts shareholder value.

So, remember to strip the metadata (the Info dictionary and the embedded XMP packet, not just the visible title fields) from any PDF before you share it, and be aware that they probably will implement other watermarking techniques in future, such as per-download identifiers in the page content itself, which no metadata stripper will touch.

Getting the Alfa AWUS1900 Working.
So you got yourself one of the new Alfa wireless cards, delighted that Alfa Networks finally seem to have run out of the accursed Mini-USB parts, and are using a slightly more sensible connector at last (USB-B Micro SuperSpeed, maybe in a few years they will go USB-C). It also has twice the amount of antennae, so that means twice the hacking. Seriously. It is the most conspicuous looking fucking thing.

You put on your balaclava, boot up your backtrack Kale Lincox VM, plug in your new adaptor, and prepare to crack the neighbour’s wireless network.

And nothing happens. The card isn’t supported. Fuck.

TL;DR: drivers suck, drivers have continued to suck for the last year, and the fix was found in a reddit comment, linking to this: https://github.com/aircrack-ng/rtl8814au/issues/32

The comprehensive guide to NTLM relaying, etc, for 2022.
NTLM relaying and related attacks have been a staple in the arsenal of any hacker for quite a while. However, the techniques slightly change over time, and a lot of information about them is outdated.

This blog post from Jean at TrustedSec outlines all the various updates to the technique that will be landing you some domain admin shells in 2022 and beyond.

Of special note is the abuse of Active Directory Certificate Services using relaying of credentials to gain Kerberos ticket things. The how-this-works from Specter Ops is like, a fucking literal book long, so I won’t go into it here. But that is a technique you should get familiar with. Spend a few days reading over the whole thing, play with it in the “lab”, etc.

An interesting series on Linux persistence.
I came across this post on using systemd generators as a persistence mechanism on Linux. It is part of a larger series (with a neat mindmap graphic thing!) by some clever chap covering Linux persistence mechanisms and mapping them to Mitre’s ATT&CK framework.

I’d wanted to write a series like this, but luckily, I don’t need to now. I’ll just let him document them all (with sysmon/audit queries/detections, etc for the blue team), and then come up with some new ones that I can publish with clickbait titles about being 100% fully undetectable, etc.

I highly recommend that series to anyone, red or blue or whatever team, as it’s really rather good.
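For anyone who wants to poke at the generator mechanism mentioned above without reading the whole series first, here is a small self-contained demo I put together for this post (it is not code from that series, and the generator script, unit name and directory layout are constructed for the illustration). It plants a generator, runs it the way systemd does (three directory arguments: normal, early, late, per systemd.generator(7)), and then runs the kind of inventory a blue team would diff against a baseline. It deliberately operates on a temp directory rather than the real paths, so you can run it as an unprivileged user.

```python
import stat
import subprocess
import tempfile
from pathlib import Path

# System-level generator search paths, as documented in systemd.generator(7).
# Earlier entries override later ones when file names collide.
GENERATOR_DIRS = [
    "/run/systemd/system-generators",
    "/etc/systemd/system-generators",
    "/usr/local/lib/systemd/system-generators",
    "/usr/lib/systemd/system-generators",
]

# Constructed demo generator (shell, because that is what most real ones are).
# systemd runs every generator very early in boot with three directory arguments:
# $1 normal-dir, $2 early-dir, $3 late-dir (normally /run/systemd/generator,
# /run/systemd/generator.early and /run/systemd/generator.late). Units written
# there are loaded like any other unit, so nothing needs to exist under
# /etc/systemd/system for the service to start on every boot.
DEMO_GENERATOR = """#!/bin/sh
set -e
mkdir -p "$1/multi-user.target.wants"
cat > "$1/demo-persist.service" <<'EOF'
[Unit]
Description=constructed example of a generator-created unit
[Service]
ExecStart=/bin/true
EOF
ln -sf ../demo-persist.service "$1/multi-user.target.wants/demo-persist.service"
"""


def install_generator(gen_dir, name="demo-generator"):
    """Drop the demo generator into gen_dir, mode 0755 (generators must be executable)."""
    gen_dir = Path(gen_dir)
    gen_dir.mkdir(parents=True, exist_ok=True)
    path = gen_dir / name
    path.write_text(DEMO_GENERATOR)
    path.chmod(0o755)
    return path


def run_like_systemd(generator, normal_dir, early_dir, late_dir):
    """Invoke a generator with the three directories systemd passes and return the
    unit files it produced in normal_dir. systemd execs the file directly; going
    through /bin/sh here only avoids trouble on a noexec tmpfs."""
    dirs = [Path(d) for d in (normal_dir, early_dir, late_dir)]
    for d in dirs:
        d.mkdir(parents=True, exist_ok=True)
    subprocess.run(["/bin/sh", str(generator)] + [str(d) for d in dirs],
                   check=True, timeout=30)
    return sorted(p.name for p in dirs[0].iterdir() if p.is_file())


def inventory_generators(dirs=GENERATOR_DIRS):
    """Blue-team side: every executable in the generator directories, with owner,
    mode and mtime, so it can be diffed against a known-good baseline."""
    found = []
    for d in dirs:
        p = Path(d)
        if not p.is_dir():
            continue
        for entry in sorted(p.iterdir()):
            st = entry.stat()
            if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
                found.append({
                    "path": str(entry),
                    "name": entry.name,
                    "uid": st.st_uid,
                    "mode": oct(st.st_mode & 0o777),
                    "mtime": int(st.st_mtime),
                })
    return found


def unexpected_generators(inventory, baseline_names):
    """Anything not in the baseline deserves a look. An attacker's generator also
    tends to sit in /etc or /run rather than /usr/lib, where the packaged ones live."""
    return [g for g in inventory if g["name"] not in baseline_names]


def demo():
    """Plant, execute as systemd would, then hunt, all inside a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        gen = install_generator(root / "etc/systemd/system-generators")
        units = run_like_systemd(gen, root / "run/systemd/generator",
                                 root / "run/systemd/generator.early",
                                 root / "run/systemd/generator.late")
        inv = inventory_generators([str(gen.parent)])
        flagged = unexpected_generators(inv, {"systemd-fstab-generator"})
        return units, [g["name"] for g in flagged]


if __name__ == "__main__":
    print(demo())
    # On a real host: with an empty baseline this simply lists every generator present.
    for g in unexpected_generators(inventory_generators(), set()):
        print(g)
```

For the baseline on a real box, the file list from the distro’s systemd package (dpkg -L systemd or rpm -ql systemd) is the obvious starting point; anything executable in /etc/systemd/system-generators or /run/systemd/system-generators that the package did not ship is worth explaining, since legitimate third-party generators are rare.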

EU apparently banning anonymous domain registration, threat intelligence clowns celebrating.
The EU, in its drive to make me actually hate it, apparently has plans to prohibit anonymous domain registration. Threat intelligence firms, whose entire product is based on trading peoples privacy for extremely vague promises of security, are fucking delighted – as this will enhance their ability to provide Brian Krebs with dox on 15 year old script kiddies from Discord.

You can find the EU proposal here. It is just as fucking stupid as you think. I’m hardly the only one annoyed about this – Patrick Breyer’s blog has more information on the matter.

If you are a 15 year old script kiddie in fear of being doxed by Brian Krebs, I can recommend you get some Brian Krebs Repellent from our sponsors over on Hacker Health.
