Archives for the Month of August, 2013

Who’s in Your Email Social Network?

Have you ever wondered who’s in your “Email Social Network”?

I was wondering the other day how to find out who I mail the most. With a bit of PowerShell scripting, the answer is a breeze to find out:

001
002
003
004
005
006
007
008
009
010
011
012
013
014
## Connect with Outlook, and open the 'Sent Items'
$olApp = New-Object -com Outlook.Application 
$namespace = $olApp.GetNamespace("MAPI")
$sentItems = $namespace.GetDefaultFolder(5)

## Go through each item, split out names when there were multiple
## recipients, and clean them up a bit

$sentEverTo = $sentItems.Items | % { $_.To -split ";" } | % { $_.Trim(" '") }

## Group by how often you've sent mail to them
$sortedTo = $sentEverTo | group

## Explore
$sortedTo | sort Count

More Packet Hacking with PowerShell – UDP Manipulation

In the last post, I talked about how I used PowerShell to "STUN Roll" the open WiFi at DefCon. How much code was that? Was it hard?

stun_roll

It turns out that it was pretty reasonable - less than 60 lines of PowerShell.

001
002
003
004
005
006
007
008
009
010
011
012
013
014
015
016
017
018
019
020
021
022
023
024
025
026
027
028
029
030
031
032
033
034
035
036
037
038
039
040
041
042
043
044
045
046
047
048
049
050
051
052
053
054
055
056
057
058
059
060
061
062
063
064
065
066
067
068
069
070
071
072
073
074
075
076
077
078
079
080
081
082
083
084
085
086
087
088
089
090
091
092
093
094
095
096
097
098
099
100
101
## Convert a string in the form of hexadecimal characters into the
## equivalent bytes.

function ConvertFrom-HexString
{
   
param($HexString
)

    $HexString -split "(..)" | ? { $_ } | % { [Convert]::ToByte($_, 16) }
}

## Get the broadcast address for a subnet.
## Modified from
## http://powershell.com/cs/blogs/tips/archive/2013/06/03/calculate-broadcast-address.aspx

function Get-BroadcastAddress
{
   
$ipConfiguration = Get-WmiObject Win32_NetworkAdapterConfiguration |
        Where-Object IPAddress | Select -First 1
    $ipAddress = @($ipConfiguration.IPAddress)[0]
    $subnetMask = @($ipConfiguration.IPSubnet)[0]

    [UInt32]$ip = [IPAddress]::Parse($IPAddress).Address
   
[UInt32]$subnet = [IPAddress]::Parse($SubnetMask).
Address
   
[UInt32]$broadcast = $ip -band $subnet

    New-Object IPAddress ($broadcast -bor -bnot $subnet)
}

## Send the actual STUN packet for some given text
function Send-StunPacket
{
   
param([string] $Text
)

    ## Some header bytes that I got from reviewing the
    ## hexadecimal packet data in WireShark
    $headerContent = "000100" 
   
$bytes = ConvertFrom-HexString $headerContent

    ## After the header bytes is the length of the packet
    ## Found by experimentation
    $bytes += [Byte] (4 + $Text.
Length)

    ## And then some more header bytes that I didn't really know
    ## or care what they did
    $bytes += ConvertFrom-HexString "2112a4426274336f6754616876713150000600"
    $bytes += [Byte] $Text.
Length

    ## Get the bytes for the message, add them to the packet.
    ## This section of the packet is usually for the user's ID.
    $messageBytes = [System.Text.Encoding]::ASCII.GetBytes($Text
)
   
$bytes += $messageBytes

    ## Configure the destination IP address and port
    $dstPort = 3478
    $endpoint = New-Object System.Net.IPEndPoint (Get-BroadcastAddress),$dstPort

    ## And send the packet
    $udpClient = New-Object System.Net.Sockets.UdpClient
    $null = $udpClient.Send($bytes, $bytes.Length, $endpoint
)
   
$udpClient.
Close()
}

## The payload 🙂
$lyrics = 
@"
We're no strangers to love
You know the rules and so do I
A full commitment's what I'm thinking of
You wouldn't get this from any other guy
I just wanna tell you how I'm feeling
Gotta make you understand
 
CHORUS
Never gonna give you up,
Never gonna let you down
Never gonna run around and desert you
Never gonna make you cry,
Never gonna say goodbye
Never gonna tell a lie and hurt you
 
We've known each other for so long
Your heart's been aching but you're too shy to say it
Inside we both know what's been going on
We know the game and we're gonna play it
And if you ask me how I'm feeling
Don't tell me you're too blind to see (CHORUS)
 
CHORUS
(Ooh give you up)
(Ooh give you up)
(Ooh) never gonna give, never gonna give
(give you up)
(Ooh) never gonna give, never gonna give
(give you up)
 
We've known each other for so long
Your heart's been aching but you're too shy to say it
Inside we both know what's been going on
We know the game and we're gonna play it (TO FRONT)
"@

$lines = $lyrics -split "`r`n"
$lines | % { Send-StunPacket $_.Trim() }

 

Happy packet hacking!

Packet Hacking with PowerShell–AKA Mass Defcon Pwnage

Every year, two of the biggest hacking / security conferences take place in Las Vegas: Black Hat, and DefCon.

Both are great experiences, and both have a common theme – hackers (“Intelligent folks that like to make machines do things they weren’t originally designed for”) getting together to educate each other and have fun.

Unsurprisingly, one of the places that people get together to have fun is the free open WiFi.

Aside: Open WiFi led to the nerdiest “social networking” experience I’ve ever had. I was monitoring my hotel network to see how much malicious activity was on it. One of the prominent protocols in a network is LLMNR: a name resolution protocol that queries the local subnet for computers before trying other name resolution protocols. I saw one computer making requests for another laptop (presumably to reconnect a shared drive) – looking for a machine called “johnsmithlaptop”. It was also making LLMNR requests for a couple of servers on the Microsoft internal network. I figured that this was probably John Smith that works in security at Microsoft – who I’d been meaning to catch up with anyways. I sent him a mail asking if he was at BlackHat at my hotel – he was, and we got together for drinks 🙂

At DefCon, they had two networks: a secure network where you downloaded user certificates and that was monitored for threats very heavily, and another. From the FAQ:

Is there a free network at DEF CON?

Why yes, DEF CON 21 is FULLY network-enabled. Now that we've perfected the art of a stable hacker con network, we're ascending to a higher level - we're providing you a network that you feel SAFE in using! Since DEF CON 18 we're WPA2 encrypted over-the-air, with a direct trunk out to the Internet. No peer-to-peer, no sniffing, just straight to the net (and internal servers). We'll provide login credentials at Registration. We know the 3G airwaves will be saturated so we're putting our own cred on the line to give you a net that even we would put our own mobile phones on.

If you're feeling frisky, we'll still have the traditional "open" network for you - bring your laptop (we'd recommend a clean OS, fully patched--you know the procedure) because we don't police what happens on that net. Share & enjoy!

So the free open WiFi is pretty frisky. People are constantly monitoring it with their packet analyzer of choice, looking for fun things to do.

In packet analyzers, most protocols have “wizards” coded that will parse the protocol and give you a high-level summary of what that packet was attempting to do. Here’s an example of NTP (Network Time Protocol) traffic being dissected by WireShark:

capture_ntp

Most of the details in the “Info” column are extremely constrained – for example, describing protocol options, or maybe an IP or DNS address. However, I found one protocol during a Google Hangout I was having that supported almost arbitrary text in the “Info”, and decided to have fun. The protocol was STUN – a protocol designed to help applications figure out all of the complicated NAT translation being done to a client.

If you were monitoring the DefCon network at all you might have seen a packet like this fly by:

stun_roll_flyby

If you put a filter on the STUN protocol, the full beauty of the packet hacking would be exposed:

stun_roll

So, that’s how you (Rick) roll on the free network at DefCon.

In the next post, I’ll go through the code that made the magic happen.

Redacting Sensitive Information with PowerShell

You might sometimes run into a situation where you've got a serialized object stream, and want to redact sensitive information out of that stream. For example, consider the following object:

001
002
003
004
005
006
007
008
009
$objectToSerialize = [PSCustomObject] @{
    Name 
= "Lee"
    SocialSecurityNumber = "SomeSecretNumber"
    Address = "1234 Something Road"
    GateCode = [PSCustomObject]
 @{
        Prefix 
= 1234
        Password = "SomeSecretPassword"
    }
}

 

In this, you want to remove any property value that says "SomeSecret".

PowerShell makes this fairly easy, since the PSObject special property on every type gives you access to an object's methods and properties. For each property value, you can check if it contains sensitive information - and if so, redact it.

Some properties are not simple properties, though. They might be objects with multiple writable properties themselves. In that case, you need to go down the worm hole even further.

Here's a script that demonstrates one approach: Remove-PrivateInformation.ps1

001
002
003
004
005
006
007
008
009
010
011
012
013
014
015
016
017
018
019
020
021
022
023
024
025
026
027
028
029
030
031
032
param($objectToSerialize)

function CleanObject
{
   
param($objectToClean)

    foreach($property in $objectToClean.PSObject.Properties)
    {
       
## See if there are any settable properties of this property
        $settableProperties = $property.Value.PSObject.Properties | ? { $_.
IsSettable }
       
if(@($settableProperties).Count -gt 0
)
        {
           
CleanObject $property.
Value
        }

        ## Otherwise, we can clean it
        if($property.IsSettable -and
 
            (
$property.Value -match "SomeSecret"
))
        {
           
$property.Value = "Redacted!"
        }
    }
}

## Assuming you can't change $objectToSerialize directly. Otherwise, apply CleanObject
## to the object directly.

$serialized = [System.Management.Automation.PSSerializer]::Serialize($objectToSerialize)
$objectToClean = [System.Management.Automation
.PSSerializer]
::Deserialize($serialized)

CleanObject $objectToClean

$objectToClean

 

And the result:

11 [C:\windows\system32]
>> $objectToSerialize = [PSCustomObject] @{
>>         Name = "Lee"
>>         SocialSecurityNumber = "SomeSecretNumber"
>>         Address = "1234 Something Road"
>>         GateCode = [PSCustomObject] @{
>>             Prefix = 1234
>>             Password = "SomeSecretPassword"
>>         }
>>     }
>>

12 [C:\windows\system32]
>> Remove-PrivateInformation.ps1 $objectToSerialize | Format-List


Name                 : Lee
SocialSecurityNumber : Redacted!
Address              : 1234 Something Road
GateCode             : @{Prefix=1234; Password=Redacted!}




13 [C:\windows\system32]