Rcapd start meterpreter module

During the post-exploitation phase of an intrusion, after getting a shell on a computer, one of the steps to gain access to other computers or networking devices is thru traffic sniffing. Just listening to the traffic passing through the machine, even in a switched environment, can provide us with very useful information about the network topology or the potential vulnerabilities that can we exploit later: NetBIOS names, users / passwords in clear ARP, CDP, DHCP, HSRP, VRRP, etc..

To listen the traffic from a shell, however, we must make use of external tools that we need to download and run on the compromised computer. A good choice is rawcap which allows packet capturing without relying on packet capture drivers as WinPcap (libpcap library for Windows used by many traffic analysis tools).

Another option is to use Meterpreter from where we can rely on capture modules without using the compromised machine harddisk. To do so, Meterpreter sniffer has the sniffer extension o the packetrecorder module by @Carlos_Perez aka Darkoperator. Both can be used to generate and save the pcap file locally with the captured traffic.

As an alternative to these two options, I have created a small module (rpcapd_start) that activates the service rpcapd in order to capture traffic remotely. It is not uncommon to find user computers, even Windows servers, with WinPcap installed. So, what better way to get traffic than using this service remotely? As an additional benefit we won’t depend on the meterpreter session because once activated, we can capture traffic with any software that supports rpcap.

The WinPcap installation will create a new service called rpcapd disabled by default.

The module will just activate rpcapd, specifying the port and the operating mode (active or passive). We may also choose whether or not we want authentication.

Since it is likely that the computer will be NATed behind a router or firewall, in practice, the most useful will be the active mode, where the compromised machine will be the one connecting to us.

After starting the service and in the case of using a passive connection (as in the example) a new rule will be added in the Windows Firewall under the name “Windows Service” to allow incoming traffic.

Then we can connect to the machine from any tool that supports rpcap and start capturing traffic.

The module is already included in Metasploit so you just need to update it so simply for download.

Introduction to Mallory Proxy

Although I have tried most of the proxies that allow to modify web traffic “on the air” such as burp or WebScarab, I recently discovered a pretty interesting, not only because of its developers and the context in which it was presented, but also because of its features and architecture. Mallory Proxy is a proxy developed by the computer security experts Intrepidus that was presented at the Black Hat 2010.

Mallory is developed in Python and shows a server side and a client interface for configuration and user interaction.

For those who want to try Mallory, the application shows basically has two options. The first is to follow the installation instructions and download and install both proxy sources and dependencies. The second is to download a VMWare image whose operating system is Ubuntu and that comes with both software and dependencies.

[Read more…]

SSD drive forensics

(Please note this post was originally published in the Spanish version of Security Art Work last 5th Nov 2012)

Some weeks ago I was playing with django, when I accidentally deleted an application that I had already finished. It was not complex; it had few lines of code and I think I would have been able to recover it in less than a day, but I saw in this error the chance to learn how to make a recovery of data on a SSD drive.

The configuration of this computer’s drive is as follows: GPT partitioning with multiple partitions formatted with ext4 (without LVM). My previous experience in this type of situations has always been to use the most known tools in GNU/Linux environments: sleuthkit, autopsy, testdisk y photorec (these last two usually come in the same package), dd, grep

[Read more…]

Locating our smartphone

Since smartphones installed in our lives, either for personal or professional use, one of the greatest fears is losing it. We store a great amount of sensitive information in this devices that can be potentially accessed by a malicious person. This problem is even bigger when it comes to professional smartphones, which have not only personal but also access to the corporate environment and information.

So what happens when you lose your mobile phone? If we have correctly hardened it, that will not be a major problem. The person who finds the device must know the code or the unlock pattern screen. In the best case, after N repeated attempts the device will wipe and no information will be compromised (full erase of user data). (Paranoid note: Do not leave footprints on the screen if we use a pattern to unlock the device).

And if we want to find it? Who knows, maybe no one found it and it still lays beneath the park bench. In this case we need third-party applications that allow us to locate the device. There are many of them, free and commercial, but we will describe briefly the most popular, although of course any reader contribution is obviously welcome.

Commercial applications

On one side we have the commercial applications, and every person must decide if the app is worth the price or not.


This product comes from an American company that provides a product to perform a full trace of a mobile device with an application available for Android, iOS or Blackberry. However, you need to pay $99.99 per year. The basic version includes the following features:

  • Call Log.
  • SMS received / sent.
  • Access the phonebook.
  • Tasks and Calendar.
  • History and Web bookmarks.
  • GPS tracking.
  • SIM change notification.

The ‘Platinum‘ version offers the possibility to listen to telephone calls among other options. This version ‘full-equipe‘ costs $199.99/yr. You can access a demo of the dashboard (or control panel) in the following link: http://demo.stealthgenie.com/dashboard


In the past we have already talked about Cerberus, as in the post regarding a case of “>malicious user that loses a mobile device on purpose (Spanish).

This application is available from € 2.99, with a lifetime license that allows you to control up to five different devices.

From the dashboard of Cerberus we have the following list of possible actions to control the device, among which is tracking through GPS.

This product is only available for Android smartphones.

Free applications

On the other hand, there are other free applications that allow you to track your mobile device. The features included are more limited than those offered by commercial solutions, but to some users they may be enough.


This application only allows to track the device via GPS. Although free, next December 13th it will cease to provide this service, something that can be of interest for those users who are currently using it.

Screenshot of the main dashboard
This product is only available for Android smartphones.


This is one of the solutions that most caught my attention, since from the begining it was a product to keep track of a computer (Windows or Mac OS X). Prey gradually expanded its range and now can be installed on Android, iOS and even Linux.

The advantages of this product is that there is a paid version ranging from $5 to $399 per month depending on the number of devices and functionality required. On the product page you can find more information on the plans.

Below there is a screenshot of the dashboard on an Android device that has this product installed.

As you can see in the picture above, the geolocation feature is not enabled unless the device has been lost, which is one of the main differences it has with Cerberus.

Another option to highlight is the locking of the mobile device with a password. In the moment that this feature is enabled (be the phone marked as lost or not) the device is blocked until the owner enters the password specified in the control panel, as shown in the image:

Plan B

What would happen if you lose your device without any of the above applications installed? As its name suggests, there is a plan B.

This application is available to download from Google Play and can be installed remotely on the device. We conducted a test setup and in minutes the application appeared correctly installed in the device.

Once installed, when the device gets GPS coverage it sends its coordinates to the Gmail account that’s associated with it.

This product is only available for Android smartphones.

Personal opinion

Getting into a more paranoid view, the application that best security and privacy offers (call it confidence if you want) is Prey, not only because it has a free version but because the trace options. Maybe it is not as complete as its competitors, but being an open source product has the advantage that the code is auditable and it can be verified that no unknown actions are performed without the user consent.

Of course, with this I want to re-emphasize the danger that we saw in the previous post about finding a mobile device on the street and using it in our daily tasks (or business, even more dangerous) without taking proper precautions.

Online reputation, a rising value

How much is our reputation worth? To respond to this issue we have to consider the relationship between reputation and success. And when I say “success” I mean achieving our objectives, both personal and professional. In certain groups, reputation is an essential element for its success or decline. We could include in that group people with public office as mayors, councilors, ministers, etc., but it also directly affects professionals from the private sector as actors, singers, designers and a long etcetera.

In this entry we’ll talk about the particularities of online reputation and see some examples that show its importance. Let’s start by defining what online reputation is. Although the concept has many corners worth to explore, the simplest definition comes courtesy of Wikipedia: The online reputation is a reflection of the prestige or esteem of a person or brand on the Internet.

It is known that to achieve and maintain a good reputation requires much effort, perseverance, dedication and time. On the other hand, “bad reputation” can be reached in the most unexpected moment as either hand of a scandal, a simple misunderstanding or an error. The same happens with “online reputation” but with the particularity that information technologies highlight the impact of our actions. If you are good, there are ways to publicizing, disseminate and make the most of our effort. However, our failures will also be more widespread, deeper and faster. Therefore, we could say that online reputation is more “fragile” than the reputation traditional concept. Needless to say that both concepts (reputation and online reputation) are closely linked.

To illustrate what we commented on the “fragility” of the online reputation, we will see some examples in which a unfortunate simple comment and/or misunderstanding has tarnished the reputation of some famous.

[Read more…]

Real Cloud Security

(Please note this post was originally published in the Spanish version of Security Art Work last 2nd Oct 2012)

Act I: The cloud

(In a small room we find the Chief Executive Officer (CEO), the Chief Security Officer (CSO) and the Chief Marketing Officer (CMO). The latter comes with a PC World magazine under his arm)

CMO: Blablablabla Cloud blablabla costs blablabla availability blablablabla Google.
CSO: Blablabla SLA blablabla, blablabla privacy, blablabla blablabla outsourcing, blablabla.
CEO: Blablablabla dollars, blablabla staff, IT blablabla servers. ¿Security? Blablablabla.
CSO: Blablabla, blablabla SOX, penalties, blablabla data theft blablabla, blablabla press. Blablabla impact and risk.
CMO: Insecure? Hahahaha, blablabla, blablabla and blablabla. CSO blablabla, distrust. Blabla, blabla, Gartner, blablabla?? Blablablabla. That does not happen.
CEO: blablablabla CIO, blablabla blablabla IT budget.
CSO: Alea jacta est.

Act II: Hunky-dory

(While the Chief Executive Officer looks at the Chief Marketing Officer tablet, they see the Chief Security Officer, who quickens the pace but is intercepted in the aisle)

CMO: Blablabla access, blablabla iPad, iPhone. Blablabla? CSO? Blablabla, this security guys blablabla. Access, blablabla, password blablabla, blablabla SSL.
CEO: Blablabla friendly, blabla, blablabla success. Blablablabla reason blabla costs, blablabla enterprise 2.0.
CSO: Pater Noster qui es in caelis, sanctificétur nomen Tuum

Act III: A small problem

(There is a problem in the Marshall Islands that has disabled the connection to the cloud provider, and althought it is not known yet, may have caused data loss)

CEO: Blablabla connection, blabla deletion, blablabla access. Blablablabla data, blablabla cloud!!
CMO: Blablablabla probability blabla blablablabla Gartner CIO, blabla CSO .
CSO: Blablabla risk, blablabla impact, blabla quality of service, blablabla Google.
CEO: Blablabla reputation, blablabla bussiness, blablabla Google!
CMO: …
CSO: …

Act IV: Choose Your Own Adventure

(Do you remember these books? ;)

Option #1

CSO: Blablabla backup, blabla fireproof, blablablabla recovery blablabla system.
CEO: Muacs.

Option #2

10 CEO: …
20 CMO: …
30 CSO: …
goto 10

Option #3

CSO: Blablablabla ¿CIO?
CIO: Blablabla, Terms of Service, blablablabla complaint, blablabla compensation, blablablabla.
CEO: Blablabla data, blablabla available blablabla #@!*& blablabla ten dollars.

Well, how did finished the adventure in the cloud?

If you’ve been able to continue this conversation, you might like this video that our colleague Adrian has found:

Covert channels

(Please note this post was originally published in the Spanish version of Security Art Work last 26th Oct 2010)

Covert channels is an evasion technique that allows an attacker to send information using the communication protocols headers. In this post we will cover-up of channels in the TCP/IP protocols and provide a tool, CovertShell, designed as a proof of concept. The sources are at the end of this post.

The TCP/IP protocol has headers that usually are initialized by the client to maintain or number a communication. The technique covert channels uses these fields to assign them values ​​so the target machine does not interpret these fields as part of the communication, but to obtain data.

An interesting example was developed by Craig H. Rowland in his paper back in 1996: Covert Channels in the TCP/IP Protocol Suite, where he created a small client/server “CovertTCP” of no more than 500 lines that allowed file transfer between client and server, using for it only the fields SEQ, ACK (TCP protocol) and ID field (IP protocol). This information was on the protocol overhead and not in the payload.

[Read more…]

Auditing TCP stack with Scapy

Recently I have been playing with the library Scapy for Python. It allows to create any type of network packet with a few simple commands, even for non existing protocols making use of RAW packets.

Suppose we want to evaluate the behavior of the TCP stack when any combination of TCP flags is received. In order to do it, we need to send TCP packets to a given port using any combination of them.

Keep in mind that sending a packet with the SYN and ACK flags is the same as sending it with the flags ACK and SYN. Therefore it is necessary to generate any combination considering that the order does not affect the result and avoiding to send more packets than those strictly necessary.

[Read more…]

Introduction to SSH tunnels

(Please note this post was originally published in the Spanish version of Security Art Work last 19th Jul 2012)

All of us have at some time found that the service we wanted to access is on a computer unreachable from our network or other similar problems. If we have SSH access we can easily solve problems like this using SSH tunnels.

We propose a first scenario, in which we have a database server protected by a firewall that prevents us directly interact with the database but that can be accessed by SSH (assuming MySQL, which uses port 3306).

[Read more…]

The “hidden” information in your photos (they may be saying things you don’t know)

(Please note this post was originally published in the Spanish version of Security Art Work last 20th Jul 2011)

This post is not about steganography (see the definition we did in another post — Spanish), nor any complex technique developed by a technology expert. This is something much simpler: the geolocation information that some devices —including many smartphones— store on the photos without many users being aware of it. That information is saved in the “hidden” information of the photos and can be easily accessed with programs such as exif reader. Please note that with “hidden information” we do not mean information someone has tried to hide, but information that is unknown to most users of smartphones what in practice is basically the same as what we understand by “hidden”. Usually these devices have an option that allows us to enable or disable geolocation features; for instance, to do so on the Blackberry there is an option called GeoTag in the camera options.

As always the fact that a smartphone can geotag a photo is not a good or bad thing by itself. Our use of this information it’s what makes it a potential hazard so it’s important that everyone, especially the youngest ones, are aware of such information. It must be taken into account that the mixture between the geolocation of a photo and real-time information systems as it is the case of twitter can become an explosive mixture.

We can get an idea of this by visiting the url http://icanstalku.com/ (project currently closed). It’s just scaring.

As we can see, extracting the geolocation data (longitude and latitude stored in the photo information) and using Google Maps we have not only the picture of our beautiful dog that we wanted to share with our friends but also the geolocation of our nice house:

What follows it is a fictional story… or maybe not.

Let’s suppose “bichomalo” (if you want to know who “bichomalo” —Badguy— is check this link: http://www.youtube.com/watch?v=JcB_RfX0BVQ — Spanish) has just found Alice, a nice 15 years old girl who he is obsessed with.

Girl dads’ have bought her the latest smartphone with an Internet flat rate; they don’t know much about technology or security risks. Alice creates her twitter user —of course with her real name— and begins to tweet; it is cool. Soon, she starts sharing photos in their tweets, ignoring that they contain the coordinates of the place where the photo is taken. Bichomalo certainly knows it. He creates a fake profile and follows the girl; a photo of a young blonde girl trimmed down to show only her eyes, downloaded from any corner of the Internet, makes it credible enough. He often tweets girly things and even sends some private messages to Alice.

This friday our girl is at the birthday of her best friend. It took she some time to convince her parents but they finally accepted because she would not be far from home. The party is funny and she tweets many photos, but at 2am she gets tired and decides to go back home, only a few blocks away. “Time 2 go home“, publishes Alice in her twitter… Bichomalo reads it and knows exactly where is she, where is she going and her way to home; almost a hundred photos published over a couple of months with a lot of geolocation data. We don’t need to say anything else.

We can’t deny geolocation it is a useful technology. However, as with any other technology, we must be aware of its dangers and there’s only one way for it: education. Even more when, as we have seen, when its bad use may impact significantly on vulnerable groups as our children.