Wednesday, September 6, 2023

It's Just A Text File...

Had to figure out a creative way to send an executable to someone.  This isn't a new method by any means; it's more of a reminder of how important security awareness training is.

Person didn't want to use OneDrive, Dropbox, or a myriad of other methods to share files.  Their e-mail blocked a bunch of different file formats including a password protected zip.

So I sent them a text file containing the base64 encoded version of a password protected zip that contained the executable I needed to send.

Then I sent instructions on how to decode it, with several different methods in case one failed, and the password, without ever using the words "pass" or "password": just that they would need it and what it was.

Now imagine I'm a social engineer tricking people into doing this and downloading/running a dropper for me, or I'm someone keen on bypassing DLP.
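As an added example, not code from the original post: the kind of check a mail gateway or DLP rule could run over a "plain text" attachment to catch exactly this trick. It looks for wrapped base64 blobs, decodes them, and inspects the leading bytes for archive and executable signatures. The list of signatures, the function names and the sample message are my own constructions.

```python
import base64
import io
import re
import zipfile
from typing import List, Tuple

# Leading bytes of file types a gateway would not want smuggled inside a .txt attachment.
# Constructed list for this example; extend it for your own environment.
MAGIC = {
    b"PK\x03\x04": "zip archive",
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"Rar!\x1a\x07": "RAR archive",
}

# One or more whitespace-separated runs of base64 characters, each at least 40 long.
# Prose has no 40-character words, but a blob wrapped at 64 or 76 columns is made of them.
# A short final wrapped line is deliberately left out; the magic bytes sit at the start anyway.
B64_BLOB = re.compile(rb"[A-Za-z0-9+/]{40,}(?:\s+[A-Za-z0-9+/]{40,})*")


def find_encoded_payloads(text: bytes) -> List[Tuple[int, str]]:
    """Return (byte offset, file type) for every base64 blob in text whose decoded bytes
    start with a known signature."""
    findings = []
    for m in B64_BLOB.finditer(text):
        cleaned = re.sub(rb"\s+", b"", m.group(0))
        cleaned = cleaned[: len(cleaned) // 4 * 4]      # drop a dangling partial quantum
        try:
            decoded = base64.b64decode(cleaned, validate=True)
        except ValueError:                               # binascii.Error is a ValueError
            continue
        for magic, label in MAGIC.items():
            if decoded.startswith(magic):
                findings.append((m.start(), label))
                break
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: a short note with a zip (holding a fake .exe) base64-encoded
    inline and wrapped at 76 columns, the way a pasted text file would look."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tool.exe", b"MZ" + b"\x00" * 200)   # two magic bytes plus zeros, not a program
    blob = base64.encodebytes(buf.getvalue())           # 76-column lines, newline-terminated
    return (b"Hi, the file is below. You'll need the same thing as last time to open it.\n\n"
            + blob + b"\nThanks\n")


if __name__ == "__main__":
    for offset, kind in find_encoded_payloads(build_sample_message()):
        print(f"base64-encoded {kind} found at byte offset {offset}")
```

The check is cheap enough to run on every text-like attachment and body. It does not see inside the password-protected zip, and it is not meant to: the point is that a text file carrying an encoded archive is itself the signal worth alerting on, regardless of what the archive holds.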

People say, "There's no way someone would try that." My question is why not?

They said the same thing when I told a vendor at my former job that a social engineer could send a malicious QR code.

Here we are now years later and it's in the news that adversaries are doing that.  https://gbhackers.com/malicious-qr-codes-steal-employee-credentials/amp/

It was being done before it was in the news, just not as widespread.

I got the idea that this could be done because one of the SANS Holiday Hack Challenges had us bypass a badge system that used QR codes and was vulnerable to SQL injection.

I got to thinking: why wouldn't someone send a QR code via e-mail and social engineer people into scanning it?  It's easy.  So, when we were testing a vendor solution at my old job, I tested that. I sent a malicious QR code.  I highly doubt I was the first person to think of this.

Every defense we put in place, they meet with a "new" tactic, even if the attack is actually old and very simple.

Please, train people.  Try to think ahead, and not just about what is popular now, but about what could be a problem soon.

Monday, February 27, 2023

Created Very Basic Password Cracker

It's been a while.  Completed Holiday Hack 2022 while at SANS CDI.  I saw the challenge go up early, so I started working on it as soon as I saw it.  I was taking SEC565 the week that I finished the Holiday Hack and did NetWars again that week.  It was nice to play NetWars again, given it had been a while.  Things have changed regarding NetWars.  They pause the game so you can't work on flags outside of the tournament hours.  In a way, it's good; it keeps students from being so focused on NetWars that they aren't paying attention in class.

Working on a different CTF.  In this one, they gave us a hash type that's not supported by the tools I use (like hashcat), at least not in the versions I use, as far as I'm aware.  I was a little scared of this question.  I wouldn't call myself strong when it comes to programming or scripting.

I thought about, very basically, how logging in and crackers work.  You have a hash (and potentially a salt) stored in a database.  When someone wants to log in, they submit their password; that password is hashed (together with the salt, if there is one) using the same algorithm that produced the stored hash, and the result is compared to the hash in the database.

I thought, "How do I create a hash?"  Looked up that algorithm, and someone was nice enough to already have a program out there that creates hashes with that algorithm.  I took their program as a starting point.  Then I thought, "What do I want to do specifically?"  Take passwords from a list (dictionary), hash them with the salt, one by one, and compare each hash to the one I'm trying to crack.  Then tell me the password.  "Are there any other variables I need?"  Well, I needed one for comparing the hashes.  I also needed one for the password itself.  "Are there any functions I need to add?"  I added a loop that takes each password line by line from a file.  Then I added a function that compares the created hash to the original and tells me if the hashes match and what the password was.  It breaks out of the loop at that point as well.
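As an added example, not code from the original post: the two halves the paragraph describes, the login check and the dictionary loop, written in Python. The CTF's hash type is not named here, so salted SHA-256 is assumed, and the salt, stored hash and word list are constructed sample data. It also goes one step beyond the post: the same loop is run against a deliberately slow PBKDF2 hash, to show that the choice of algorithm, not just the dictionary, decides how cheap the attack is.

```python
import hashlib
import hmac
from typing import Callable, Iterable, Optional, Tuple

# Assumption: the hash type is not named on the page, so salted SHA-256 with the salt
# prepended stands in. Swap make_hash() for the scheme you actually face.
def make_hash(password: str, salt: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


# A slow, salted key-derivation function of the kind a login system should use instead.
# 100,000 iterations is a constructed figure for this example, not a recommendation.
def make_slow_hash(password: str, salt: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()


def verify_login(submitted: str, salt: str, stored_hash: str,
                 hash_fn: Callable[[str, str], str] = make_hash) -> bool:
    """The login side: hash what the user typed with the stored salt and compare it,
    in constant time, against the hash in the database."""
    return hmac.compare_digest(hash_fn(submitted, salt), stored_hash)


def crack(stored_hash: str, salt: str, wordlist: Iterable[str],
          hash_fn: Callable[[str, str], str] = make_hash) -> Tuple[Optional[str], int]:
    """The cracker side: do exactly what login does, once per dictionary word, and stop
    at the first match. Returns (password or None, number of candidates tried)."""
    attempts = 0
    for line in wordlist:                # works on a list or an open file handle
        candidate = line.rstrip("\r\n")  # dictionary files are one word per line
        if not candidate:
            continue
        attempts += 1
        if hash_fn(candidate, salt) == stored_hash:
            return candidate, attempts
    return None, attempts


# Constructed sample data standing in for a real dictionary file and a real database row.
# For a file: with open("wordlist.txt", errors="ignore") as f: crack(STORED_HASH, SALT, f)
SAMPLE_WORDLIST = ["123456", "letmein", "qwerty", "dragon", "football"]
SALT = "8f3a"
STORED_HASH = make_hash("dragon", SALT)


if __name__ == "__main__":
    password, tried = crack(STORED_HASH, SALT, SAMPLE_WORDLIST)
    print(f"fast hash: {password!r} after {tried} candidates")
    password, tried = crack(make_slow_hash("dragon", SALT), SALT, SAMPLE_WORDLIST, make_slow_hash)
    print(f"slow hash: {password!r} after {tried} candidates (same result, far more CPU per try)")
```

Both runs find the same weak password, because the word is in the list either way; the slow hash only multiplies the cost per candidate. That is the defender's lever the post's closing remark points at: a password that is in a well-known dictionary falls to this loop no matter how the hash is computed, so the fix is the password policy first and the hash algorithm second.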

I did a test run with one password/hash pair.  It worked.  Tried it with the hash for the CTF.  Worked again.  The password was in a well-known dictionary.  Thank goodness for that.

I went out of my comfort zone with this one; I wasn't sure if this would be a challenge I could tackle, but I did.  You don't really know what you are capable of unless you try.