Monthly Archives: March 2015

Teensy++ 2.0 with a meterpreter and some powershell priv escalation

I bought a Teensy++ 2.0 to use for demonstration purposes and I realized that there is a lot of information and many how-tos when it comes to penetration testing, but I didn’t find a really good article that took everything from start to finish. So I decided to put together something of my own with inspiration from what other people had done.

The first thing to do is to download the Arduino IDE at http://arduino.cc/en/Main/Software. I used version 1.6.0 in this article.

The next step is to download phukdlib from here:

http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle

Version 0.3 should work fine.

Next is the source code that you should upload to the Teensy. Let me walk you through what is going on. This code only works for Windows 7 and higher.

1. The desktop is shown
2. The start menu is opened
3. Powershell is started
4. cmd is asked to start as RunAs (Start-Process cmd -Verb runAs) which means that it will try to do a privilege escalation. This is required for the next step.
5. A firewall rule for FTP is added
6. The file bumbi.exe is downloaded
7. The file is executed

The file bumbi.exe in this case is a meterpreter payload of your choice. Of course you can do this much more easily by simply encoding a meterpreter as PowerShell, but I found this example and thought it was pretty neat. It does, however, add the extra step of having to add the firewall rule; otherwise you will get the question “Do you want to allow this traffic?” when starting the FTP transfer.
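From the defender's side, the chain in steps 3 to 7 is distinctive because keystroke injection completes it within seconds. The following is an added example, not code from this post: a small detector run over constructed process-creation events. The log format, the image names, the command-line substrings, the baseline set and the 60-second window are all assumptions.

```python
from datetime import datetime

# Constructed baseline of images expected on the host (assumption).
BASELINE = {"powershell.exe", "cmd.exe", "netsh.exe", "ftp.exe", "conhost.exe"}

# Steps 3-7 of the list above as ordered predicates over one event. Image names
# and command-line substrings are assumptions; the page's own code is not shown.
STAGES = [
    lambda e: e["image"] == "powershell.exe",
    lambda e: e["image"] == "cmd.exe" and e["elevated"],
    lambda e: e["image"] == "netsh.exe" and "firewall" in e["cmd"] and "add rule" in e["cmd"],
    lambda e: e["image"] == "ftp.exe",
    lambda e: e["image"] not in BASELINE,  # an unknown binary run right after the transfer
]

def parse(line):
    # Constructed format: time|host|image|elevated(0/1)|command line
    ts, host, image, elevated, cmd = line.split("|", 4)
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), "host": host,
            "image": image.lower(), "elevated": elevated == "1", "cmd": cmd.lower()}

def detect_chains(lines, window_s=60):
    """Return one alert per PowerShell start followed, on the same host and
    within window_s seconds, by every remaining stage in order."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["time"])
    alerts = []
    for i, first in enumerate(events):
        if not STAGES[0](first):
            continue
        stage = 1
        for e in events[i + 1:]:
            if (e["time"] - first["time"]).total_seconds() > window_s:
                break  # too slow to be the injected sequence
            if e["host"] == first["host"] and STAGES[stage](e):
                stage += 1
                if stage == len(STAGES):
                    alerts.append({"host": e["host"], "start": first["time"], "payload": e["image"]})
                    break
    return alerts

# Constructed sample events: HOST-A shows the full chain, HOST-B is routine admin work.
SAMPLE = [
    "2015-03-10T09:15:01|HOST-A|powershell.exe|0|powershell",
    "2015-03-10T09:15:03|HOST-A|cmd.exe|1|cmd",
    "2015-03-10T09:15:05|HOST-A|netsh.exe|1|netsh advfirewall firewall add rule (arguments elided)",
    "2015-03-10T09:15:08|HOST-A|ftp.exe|1|ftp (arguments elided)",
    "2015-03-10T09:15:15|HOST-A|bumbi.exe|1|bumbi.exe",
    "2015-03-10T10:00:00|HOST-B|powershell.exe|0|powershell",
    "2015-03-10T10:00:30|HOST-B|netsh.exe|1|netsh advfirewall firewall add rule (arguments elided)",
]
```

Calling `detect_chains(SAMPLE)` flags HOST-A only; the firewall change on HOST-B is not followed by a transfer and an unknown binary, so it stays quiet.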

A final note on the code: this was programmed using the Swedish keyboard layout in the Arduino IDE, so you may have to change the code for the FTP firewall rule if you are having issues getting that part to work.

Source code for the project:

More information about the Teensy and what you can do with it can be found at the link below:

http://www.securitysift.com/fun-with-teensy/

Using Salesforce API with python to create Cases and send Emails

This is an area which is pretty hard to find information about. A lot of people simply use Salesforce for accounts and sales, which means that they do not use Servicedesk at all.

When I wanted to integrate Salesforce from a SIEM solution I thought, how hard can it be. First of all, it was not hard when I finally found out how to do it. But getting there took a few hours. Here is how you can do it.

There is a nice Python toolkit that is pretty outdated, but it works like a charm:

https://code.google.com/p/salesforce-python-toolkit/

Start by downloading it.
The next step is to gather a few things from your Salesforce installation. You need these:

* Your security token for the account that you are going to use.
(Help here: https://help.salesforce.com/apex/HTViewHelpDoc?id=user_security_token.htm)

* Your username and password for the account that you are going to use.

* The WSDL of your installation. In my case it was the Enterprise WSDL.
(Help here: https://www.salesforce.com/developer/docs/api/Content/sforce_api_quickstart_steps_generate_wsdl.htm)

Once you have all these things, follow these steps. I did this on Debian, but it will work the same on any Linux distribution.

1. Install salesforce python toolkit (python setup.py install)

2. Save the WSDL as a file called wsdl.xml on your local system. In my example below I have created a folder in /root/ called salesforce and put it there.

3. Create the file below, called main.py and place it in the same folder.

4. Now you should have two files, one file called “main.py” and one called “wsdl.xml” in the same folder.

5. The next step is to replace some of the items in the code above. Start with changing the receiver e-mail. This is just an example of how you send e-mail via Salesforce.

6. Add your credentials (user, password, token) to the row at the top where you do the login.

7. The final thing is the AccountId. This is the Company (or Account in Salesforce terms) that will be the owner of the Case when it is created. You can put your own Company id here, for example. You can find the AccountId by browsing to an account and looking at the URL. It will be something like “001g00000XLyIxiF”. It starts with 001. Take that string and put it in as the AccountId.

8. Done!

If you want to do more, have a look in the WSDL file. It is pretty straightforward and you can do a lot of things. If you search for “SingleEmailMessage” or “Case” you can find the objects and see what kind of parameters you can set. Cases are of type Object, so when you create them you use the create() function, as seen above. Read more here:

https://www.salesforce.com/developer/docs/api/
https://www.salesforce.com/developer/docs/api/Content/sforce_api_objects_case.htm
https://varunver.wordpress.com/2014/02/24/installing-salesforce-python-toolkit/
Good luck!