Thursday, June 6, 2019

Keyboard Kung-Fu Part 1: Windows 10

I'll admit my keyboard shortcut knowledge for GUI manipulation has never been very strong. I've been thinking a lot about efficiency recently to get more done and have more free time. Saving a few minutes per hour could be the difference between having work life balance and not, or having that creative time at work where you can really innovate and create something special.

Below are a number of keyboard shortcuts for Windows 10 and for Chrome/Firefox running on Windows. I haven't included the most well-known shortcuts (Ctrl+C/V/X), those that use keys not typically found on a laptop keyboard, or anything to do with Microsoft Internet Explorer/Edge (for reasons that are self-evident). All of the articles I used to collect these shortcuts are listed in the "References" section; it definitely seemed like you had to go to several different sources to collect all of the gems.

I've highlighted some of the shortcuts I didn't know about before this research that I think are especially useful. I'll be doing the same exercise for OSX shortly and will make an equivalent post. Ping me on Twitter if you have other favorites!

Windows Explorer
Shift+Delete: Delete the selection permanently, bypassing the Recycle Bin
Ctrl+Shift+N: New folder
Ctrl+Shift+E: Expand the navigation pane to show all folders above the selected folder
Alt+Enter: Open the Properties dialog for the selection
Alt+Left / Alt+Right: Go back / forward through the folder history; Alt+Up: Go to the parent folder

Open Common Menus
Windows+X: Open the Power User menu (!PowerShell as Admin, Event Viewer, Task Manager, Explorer, etc.!)
Windows+S: Open search
Windows+Tab: Open Task View, which helps with switching programs (select with the arrow keys)
Windows+I: Open Windows Settings
Windows+E: Open File Explorer
Windows+R: Open the Run dialog box
Windows+P: Change the presentation mode for displays (PC screen only, duplicate, extend, second screen only)
Shift+F10: Display the shortcut (context) menu for the selection, same as a right-click
Alt+PrintScreen: Capture the active window to the clipboard (PrintScreen alone captures the whole screen)

Virtual Desktops
Windows+Ctrl+Left / Right arrow: Switch to the virtual desktop on the left or right
Windows+Ctrl+D: New virtual desktop
Windows+Ctrl+F4: Close the current virtual desktop

Window Management
Windows+#: Open (or switch to) the item pinned at position # on the taskbar
Windows+Alt+#: Open the jump list for the taskbar item at position #
Windows+Shift+#: Open a NEW instance of the taskbar item at position #
Windows+M: Minimize all windows
Windows+Left / Right arrow: Snap the current window to either side of the screen
Windows+Down arrow: Restore or minimize the window, or snap a side-snapped window into the lower corner
Windows+Up arrow: Maximize the window, or snap a side-snapped window into the upper corner
Windows+,: Peek at the desktop (kind of cool if you just want to check; release the Windows key to go back)
Alt+Esc: Cycle through windows in the order they were opened (changes focus without the Alt+Tab switcher)
Ctrl+N: New window (in most programs)
Ctrl+T: New tab (in tabbed programs)
Ctrl+R: Refresh

Text Editing
Ctrl+Left / Right arrow: Move the cursor to the beginning of the previous / next word
Ctrl+Shift+arrow key: Select a block of text a word (or paragraph) at a time
Shift+arrow key: Select individual characters (or lines with Up/Down)
Ctrl+Backspace: Delete the previous word
Ctrl+Delete: Delete the next word
Ctrl+Up / Down arrow: Move the cursor to the beginning of the previous / next paragraph

Function Keys
F2: Rename the selected item
F3: Search, equivalent to Ctrl+F in most programs
F6: Cycle through screen elements in a window or on the desktop
F11: Toggle full screen for the active window

Browser Shortcuts (work in both Firefox and Chrome)
Ctrl+Tab / Ctrl+Shift+Tab: Switch to the next / previous open tab
Ctrl+1 through Ctrl+8: Switch to the open tab at that position
Ctrl+9: Go to the LAST tab, even if there are more than 9
Ctrl+Shift+T: Reopen the last tab you CLOSED (useful!)
Alt+D or Ctrl+L: Select the address bar (never use the mouse)
Ctrl+W: Close the current tab
Ctrl+J: View downloads
Ctrl+Shift+Delete: Open the clear browsing history/cache dialog
Ctrl+P: Print the webpage; pick "Save as PDF" as the printer to print to PDF
Ctrl+Enter: Automatically put www. and .com on either side of what you typed and go to the site (not super useful IMO)
Ctrl+Click: Open a link in a new tab
Alt+Left / Right arrow: Back or forward navigation
Ctrl+O: Open a local file
Ctrl+K: Search from the address bar with your default search engine (Google, if that is your default)

Chrome Specific
Ctrl+Shift+N: New incognito window

Firefox Specific
Ctrl+Shift+P: New private window


Thursday, January 10, 2019

Walkthrough: Network Forensics CTF - TufMups Undercover Operation

I published the “TufMups” CTF scenario over a year ago, and in that time a few people have asked for a walkthrough. I think we can file this blog post solidly in the “better late than never” category. Enough time has passed that I didn’t remember exactly how to do these challenges and had a bit of fun with it. As always please reach me on Twitter with any questions or comments.

If you don't have it, here is the evidence download. I'll be working through this using Kali Linux running on VMware Workstation, but you only need a few tools (Wireshark, fcrackzip, strings, grep, exiftool, etc.) so feel free to use what you like.

1. What is the start time of the PCAP ("Date and Time of Day" setting in Wireshark round to nearest second)? 2017-12-10 17:43:18
2. What is the end time of the PCAP ("Date and Time of Day" setting in Wireshark round to nearest second)? 2017-12-10 18:25:20

The first two questions are simply the date and time of the first and last packets in the PCAP. Open the PCAP in Wireshark, set the Time Display Format (View menu) to "Date and Time of Day", then scroll to the first and last packet and note the time and date. Statistics > Capture File Properties shows the same first/last packet times without scrolling. Note that this display format uses the local time zone of the analysis machine, so analysts in different time zones will see different clock times for the same packets.

3. How many total packets were sent between the host and the hacker website IP? 15128

The next question is regarding how many packets were sent between the victim and the “hacker website IP”. The IP address is provided in a screenshot from the setup of the CTF:

There are a couple of ways to get this answer. First we could use a display filter such as ip.addr == <host IP> && ip.addr == <website IP> and read the "Displayed" packet count in the status bar at the bottom of the Wireshark window. ip.addr matches either the source or the destination, so this counts both directions of the conversation, which is what the question asks for.

Alternatively, Statistics > Conversations (IPv4 tab) lists every address pair with its packet count and gives the same number.
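As an added example (not code from the original post), here is the same measurement done without Wireshark: a minimal parser for the classic pcap format that reads each record's timestamp and the IPv4 addresses of each Ethernet frame, then reports the first/last time and the packet count between two hosts. The capture it runs on is constructed in memory; the addresses 192.168.56.101, 203.0.113.10 and 192.168.56.1 are assumptions for the sample, not the CTF's real IPs, and times are printed in UTC rather than the local time Wireshark shows by default.

```python
import struct
from datetime import datetime, timezone

# Constructed addresses for the sample capture (assumptions, not the CTF's real IPs)
HOST_IP = "192.168.56.101"
SITE_IP = "203.0.113.10"
OTHER_IP = "192.168.56.1"


def _ipv4_frame(src, dst, payload=b""):
    """Build a minimal Ethernet + IPv4 frame (checksum left zero) for the sample capture."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    eth = b"\x00" * 12 + b"\x08\x00"      # zero MACs, EtherType IPv4
    return eth + ip + payload


def build_sample_pcap(records):
    """records: list of (epoch_seconds, frame_bytes). Returns a little-endian classic pcap."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Yield (timestamp_seconds, frame_bytes) for every record of a classic pcap (not pcapng)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap; pcapng needs a different parser")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("this example only handles the Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        yield sec + usec / 1_000_000, data[off + 16:off + 16 + incl]
        off += 16 + incl


def ipv4_endpoints(frame):
    """Return (src, dst) for an Ethernet/IPv4 frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    return (".".join(str(b) for b in frame[26:30]),
            ".".join(str(b) for b in frame[30:34]))


def summarize(data, a, b):
    """Start and end time (UTC, rounded to the second, like Wireshark's 'Date and Time of Day')
    plus the number of packets exchanged between hosts a and b in either direction."""
    first = last = None
    between = 0
    for ts, frame in parse_pcap(data):
        first = ts if first is None else first
        last = ts
        ends = ipv4_endpoints(frame)
        if ends and {ends[0], ends[1]} == {a, b}:
            between += 1

    def fmt(t):
        return datetime.fromtimestamp(round(t), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

    return fmt(first), fmt(last), between


# Constructed capture: the first/last times match the walkthrough's answers, the conversation does not
SAMPLE_PCAP = build_sample_pcap([
    (1512927798.4, _ipv4_frame(HOST_IP, SITE_IP)),    # 2017-12-10 17:43:18.4 UTC
    (1512927798.9, _ipv4_frame(SITE_IP, HOST_IP)),
    (1512928000.0, _ipv4_frame(HOST_IP, OTHER_IP)),   # not part of the host/site conversation
    (1512930319.6, _ipv4_frame(HOST_IP, SITE_IP)),    # rounds to 18:25:20
])
```

The command-line equivalent in Wireshark's own toolset is tshark -r file.pcap -q -z conv,ip, which prints the same per-pair packet counts as the Conversations window.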

4. What is the hostname of the system the PCAP was recovered from? (all caps) MSEDGEWIN10

This one may be slightly more tricky, as there’s no guarantee a PCAP will contain the hostnames of any systems related to the network traffic.

One way to find the hostname in this case is within the NBNS (NetBIOS Name Service) packets. NBNS is a broadcast name-resolution protocol that should be disabled in your environment because it is trivially poisoned: an attacker on the same segment simply answers the broadcast and collects the authentication attempts that follow.

This traffic can be filtered with a display filter of “nbns”.

The hostname is also in DHCP (option 12, Host Name). You can find this with a display filter of "bootp" in older Wireshark releases ("dhcp" in Wireshark 3.x and later) or "udp.port == 68".

This information can also be found in the dhcp packets for ipv6 using “dhcpv6” as a display filter.

If you used a display filter that excludes the protocols where we have already found this hostname (nbns, dhcp/bootp, dhcpv6) and then searched the packet bytes for the hostname string, the results could be interesting! I'm not going to do that here because it would lead to answers out of order, but it is a valid strategy for a future CTF or investigation: if you get a piece of information, pivot on it and extract as much value from it as you can.
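Added example, not code from the post: decoding the two places the hostname turned up, by hand. NBNS "first-level" encoding splits each byte of the 16-byte NetBIOS name (15 characters plus a suffix byte) into two nibbles and adds "A" to each, which is why NBNS names look like runs of capital letters in the packet bytes; DHCP carries the host name as option 12 in its TLV option list. The encoded NBNS name and the DHCP option bytes below are constructed for the example; the hostname MSEDGEWIN10 is the one from the question.

```python
NBNS_NAME_LEN = 16  # 15 name characters + 1 suffix byte


def nbns_decode(encoded):
    """Decode an NBNS first-level encoded name: every byte became two letters A..P, one per
    nibble. Returns (name, suffix_byte); the suffix tells you the service type (0x00 = workstation)."""
    if len(encoded) != 2 * NBNS_NAME_LEN:
        raise ValueError("NBNS encoded names are exactly 32 characters")
    raw = bytearray()
    for hi, lo in zip(encoded[0::2], encoded[1::2]):
        h, l = ord(hi) - 0x41, ord(lo) - 0x41
        if not (0 <= h <= 15 and 0 <= l <= 15):
            raise ValueError("character outside A..P in encoded name")
        raw.append((h << 4) | l)
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def nbns_encode(name, suffix=0x00):
    """Inverse of nbns_decode; used here only to build and cross-check the constructed sample."""
    padded = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0xF)) for b in padded)


def dhcp_options(opts):
    """Walk the DHCP TLV options (the bytes after the 99.130.83.99 magic cookie). Returns {code: value}."""
    out, i = {}, 0
    while i < len(opts):
        code = opts[i]
        if code == 0xFF:        # end option
            break
        if code == 0x00:        # pad byte, no length field
            i += 1
            continue
        length = opts[i + 1]
        out[code] = opts[i + 2:i + 2 + length]
        i += 2 + length
    return out


def dhcp_hostname(opts):
    """Option 12 is the client's host name (what Wireshark labels 'Host Name')."""
    value = dhcp_options(opts).get(12)
    return value.decode("ascii", errors="replace") if value else None


# Constructed samples (only the hostname itself comes from the CTF)
SAMPLE_NBNS = "ENFDEFEEEHEFFHEJEODBDACACACACAAA"        # MSEDGEWIN10, padded with spaces, suffix 0x00
SAMPLE_DHCP_OPTS = (b"\x35\x01\x03"                      # option 53: DHCP Request
                    + b"\x0c\x0bMSEDGEWIN10"             # option 12: host name
                    + b"\x3d\x07\x01\x08\x00\x27\x11\x22\x33"  # option 61: client identifier
                    + b"\xff")
```

If a DHCP packet in your capture has no option 12, look for option 81 (client FQDN) instead; Windows clients send one or the other depending on configuration.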

5. What exact version of browser did K3anu use? (exact number only) 63.0.3239.84

To determine which browser the user was running, HTTP traffic is the best place to start. A GET request from the user's browser will almost certainly carry a User-Agent header unless the browser has been specifically configured not to send one, or it is a strange browser of the user's own creation.

Below we filter on the user's IP address as the source AND destination port 80 (ip.src == <host IP> && tcp.dstport == 80), find the first GET request and view the HTTP headers via the right-click "Follow TCP Stream" option.

6. What operating system did K3anu use? (Name and number only) Windows 10

This question can be answered with the same User-Agent string used in question 5. The "Windows NT 10.0" designation in the UA string is exactly what it sounds like: Windows 10. (Older tokens map the same way: NT 6.1 is Windows 7, 6.2 is Windows 8 and 6.3 is Windows 8.1.) Keep in mind that the UA string is supplied by the client and is trivially spoofed, so it tells you what the browser claims to be, which is usually but not always the truth.
A user-agent lookup site can break down some of the more confusing or obscure UA strings.
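Added example, not from the post: pulling the User-Agent header out of a raw HTTP request and mapping it to a browser build and Windows version, which is what questions 5 and 6 ask for. The request bytes are constructed; the Chrome build and Windows NT token are the values the walkthrough reports. The browser patterns and the NT-to-name table are my own assumptions about typical UA strings, and the order of the checks matters because Chromium-based browsers embed Chrome/ and Safari/ tokens too.

```python
import re

# NT kernel version in the UA string -> marketed Windows name (assumed table for this example)
WINDOWS_NT_NAMES = {"5.1": "Windows XP", "6.0": "Windows Vista", "6.1": "Windows 7",
                    "6.2": "Windows 8", "6.3": "Windows 8.1", "10.0": "Windows 10"}


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (request_line, headers) with lowercase header names."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def browser_from_ua(ua):
    """Return (browser, version, os) from a desktop UA string; None for anything not recognised."""
    browser = version = None
    # Most specific first: Edge and Opera UAs also contain 'Chrome/', Chrome UAs contain 'Safari/'.
    for name, pattern in (("Edge", r"Edge?/([\d.]+)"), ("Opera", r"OPR/([\d.]+)"),
                          ("Chrome", r"Chrome/([\d.]+)"), ("Firefox", r"Firefox/([\d.]+)"),
                          ("Safari", r"Version/([\d.]+).*Safari/")):
        m = re.search(pattern, ua)
        if m:
            browser, version = name, m.group(1)
            break
    os_name = None
    m = re.search(r"Windows NT (\d+\.\d+)", ua)
    if m:
        os_name = WINDOWS_NT_NAMES.get(m.group(1), "Windows NT " + m.group(1))
    elif "Mac OS X" in ua:
        os_name = "OS X"
    elif "Linux" in ua:
        os_name = "Linux"
    return browser, version, os_name


def identify_client(raw_request):
    """Browser, version and OS claimed by the User-Agent header of one raw request."""
    _, headers = parse_http_request(raw_request)
    return browser_from_ua(headers.get("user-agent", ""))


# Constructed request; the Chrome build and NT version are the ones the walkthrough reports
SAMPLE_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
                  b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  b"(KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36\r\n"
                  b"Accept: */*\r\n\r\n")
```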

7. How many DNS queries in the PCAP received NXdomain responses? 5

Full transparency - I just had to Google how to do this one. I think that’s part of the fun of CTF, doing some things you don’t use every day but enhance understanding.

This question is specifically about how many requests actually received the "no such name" (NXDOMAIN) response. We can find this answer by filtering for "dns.flags.rcode == 3". Queries always carry rcode 0, so this filter only ever matches responses; if a query was retransmitted and answered twice you will see both responses, so check the Transaction ID column if the count looks high.
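Added example, not from the post: the bit-level version of dns.flags.rcode == 3. It decodes the 12-byte DNS header (QR bit, opcode, rcode and the four section counts), reads the question name, and counts NXDOMAIN responses over a constructed set of query/response pairs, so you can see why the check naturally excludes queries and other error codes such as SERVFAIL. The names in the sample are made up.

```python
import struct

DNS_RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def parse_dns_header(msg):
    """Decode the 12-byte DNS header: id, flags word, and the four section counts."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def dns_qname(msg):
    """Read the first question name; question names are plain labels (no compression pointers)."""
    labels, i = [], 12
    while msg[i] != 0:
        n = msg[i]
        labels.append(msg[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return ".".join(labels)


def nxdomain_responses(messages):
    """Same selection as the display filter dns.flags.rcode == 3: the names whose response
    said NXDOMAIN. Only responses (QR=1) qualify; a query always carries rcode 0 anyway."""
    names = []
    for m in messages:
        h = parse_dns_header(m)
        if h["qr"] == 1 and h["rcode"] == 3:
            names.append(dns_qname(m))
    return names


def count_nxdomain(messages):
    return len(nxdomain_responses(messages))


def _dns_message(txid, response, rcode, name):
    """Constructed DNS query/response with one A question and no records (sample data only)."""
    flags = (int(response) << 15) | (1 << 8) | rcode       # RD set, as a stub resolver would
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + qname + b"\x00\x01\x00\x01"


SAMPLE_DNS = [
    _dns_message(0x1001, False, 0, "tufmups.test"),
    _dns_message(0x1001, True, 0, "tufmups.test"),    # NOERROR
    _dns_message(0x1002, False, 0, "wpad.lan"),
    _dns_message(0x1002, True, 3, "wpad.lan"),        # NXDOMAIN
    _dns_message(0x1003, False, 0, "isatap.lan"),
    _dns_message(0x1003, True, 3, "isatap.lan"),      # NXDOMAIN
    _dns_message(0x1004, True, 2, "broken.test"),     # SERVFAIL, not counted
]
```

Names like wpad and isatap failing to resolve are normal Windows background noise; in a real capture, the interesting NXDOMAINs are the ones that look like generated domains or typos of the victim's usual sites.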

8. What is the hidden message in the TufMups website? (decoded) ftp creds are p1ggy / ripgonzo

Ok, now we have a cooler puzzle. We know the IP address of the website from question 3, so presumably this is the website where we're looking for the hidden message.

This could be found by running the display filter ip.addr == <website IP>, or a myriad of other ways, but thinking about what we've already been provided, why not search for a unique word from the web page we saw in the screenshot? In this case I searched the "packet details" for "mercifully".

That surely looks like a secret code of some kind: bH56Kml4b255Kmt4byp6O21tcyolKnhjem1lZHBl
This is the first time we're going to use CyberChef.

Right off the bat, what do we know about this string? It's upper and lowercase alphanumeric only, and its length (40) is a multiple of 4, so it would need no "=" padding. It looks like a likely Base64 string.

The decoded output doesn't necessarily prove it was Base64, but there are some interesting aspects to it: every byte is printable, and the asterisks almost look like they are separating words.

At this point I would try all the simple encryption/encoding methods I could think of (rotation, XOR, etc) because this is a CTF after all and it’s unlikely this string is so well encrypted it will be extremely difficult to crack.

Rotation is a bust in this case. On to XOR. CyberChef has some very useful key brute-forcing functionality; in this case we'll use "XOR Brute Force", which by default tries all 256 possible keys with a key length of 1.

After reviewing the first several lines of the brute-force output it's clear that "0a" is the key, and the secret message contains FTP credentials. In hindsight the asterisks were the giveaway: a space (0x20) XORed with 0x0a is 0x2a, an asterisk, which is why they sat exactly where word boundaries would be.
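Added example, not from the post: the CyberChef recipe ("From Base64" followed by "XOR Brute Force") as a script, run against the string quoted above. The scoring function is my own simple heuristic (reward spaces and lowercase letters, leave other printable bytes neutral, penalise control bytes); it is enough here because the right key turns the five asterisks back into spaces, and nothing else in the key space can do that while keeping the letters lowercase.

```python
import base64

# The string found in the TufMups page source, as quoted in the walkthrough
CIPHERTEXT_B64 = "bH56Kml4b255Kmt4byp6O21tcyolKnhjem1lZHBl"


def english_score(data):
    """Crude plaintext score: +2 per space, +1 per lowercase letter, 0 for other printable
    bytes, -5 for control bytes. Enough to separate real text from the other 255 candidates."""
    score = 0
    for b in data:
        if b == 0x20:
            score += 2
        elif 0x61 <= b <= 0x7A:
            score += 1
        elif 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D):
            pass
        else:
            score -= 5
    return score


def xor_single_byte(data, key):
    return bytes(b ^ key for b in data)


def brute_force_xor(data, top=3):
    """Try every single-byte key (what CyberChef's 'XOR Brute Force' does at key length 1)
    and return the best candidates as (score, key, plaintext), best first."""
    results = []
    for key in range(256):
        plain = xor_single_byte(data, key)
        results.append((english_score(plain), key, plain))
    results.sort(key=lambda r: (-r[0], r[1]))
    return results[:top]


def decoded_only(b64text):
    """Step one on its own: what CyberChef shows after 'From Base64' (the asterisk-laden text)."""
    return base64.b64decode(b64text, validate=True).decode("latin-1")


def recover_message(b64text):
    """Base64-decode, then brute-force the single-byte XOR key. Returns (key, plaintext)."""
    raw = base64.b64decode(b64text, validate=True)
    _score, key, plain = brute_force_xor(raw, top=1)[0]
    return key, plain.decode("latin-1")
```

For a longer key you would score each key-byte position separately (every n-th byte shares a key byte), which is the same trick repeating-key XOR crackers use; for a 1-byte key the exhaustive search above is all you need.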

9. What is the key to decode the secret message? 0a

Explained in previous answer.

10. How did K3anu get access to the file? (lowercase, just protocol) ftp

They can’t all be hard questions :P. This one is pretty much answered by the previous answer.

11. What's the nickname of the operator on the IRC channel? K3rm1t

Searching with a display filter of "irc" or "tcp.port == 6667" will both lead us to TCP stream 2930, which is the IRC traffic in this PCAP. Following this TCP stream gives the answer to this question and the follow-on questions.

When the users of the channel are listed (the server's 353 NAMES reply), a "@" prefix on a nick indicates that user is a channel operator.

12. What is the 1st operation needed to decode the IRC users "secure" comms? (just the format name) base64
13. What is the 2nd operation needed to decode the IRC users "secure" comms? (just the format name) rot13
14. What is the 3rd operation needed to decode the IRC users "secure" comms? (just the format name) hex
15. What is the 4th and final operation needed to decode the IRC users "secure" comms? (2 words lowercase) morse code

Fair warning - I received feedback that this was a “Guess what I’m thinking” CTF question and have taken that into account on future scenarios. That said - it is doable and several analysts got it quickly. Can you tell I had Cyberchef and simple encoding/decryption challenges on my mind when I made this?

When Keanu enters the IRC channel he’s asking to collaborate with the Tufmups on some epic hacks. Shortly thereafter the members switch to “secure comms” which are relayed right in front of Keanu in the IRC channel, but are obfuscated. Based upon the series of questions you can tell there are 4 operations that will have to be run against the messages to reveal the plaintext.

The first step is to grab all of the "secure comms" and get them into CyberChef. The Base64-compliant character set and trailing padding (=) are a dead giveaway that the first step is Base64.

Ok, the output from the Base64 decode almost looks like space-delimited hex, but the characters aren't compliant (note that there are letters beyond F). At this point I think we know the THIRD step is hex, but the second step isn't clear. I'd run through the usual offenders (rot, xor) at this point. ROT13 gives us a hex-compliant character set, which makes sense in hindsight: ROT13 maps a-f to n-s and leaves digits alone, so the "letters beyond F" were the hex letters shifted.

After adding "From Hex" to our recipe we get the following mumbo-jumbo:

At this point I admit it's a bit cryptic, but some of you might instantly recognize this as Morse code, which is indeed an operation within CyberChef ("From Morse Code").

It seems like the Tufmups were onto Keanu and his informant ways.
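Added example, not from the post, covering question 11 and questions 12 to 15 together: a small IRC line parser that picks operators out of the 353 NAMES reply and then runs every PRIVMSG through the four-step recipe (From Base64, ROT13, From Hex, From Morse Code), ignoring lines that are ordinary chatter. The IRC lines are constructed, including the nicks other than K3rm1t and K3anu and the message texts; the "secure comms" tokens are produced by the inverse pipeline inside the block. The Morse conventions (one space between letters, " / " between words) are this sample's, so adjust the delimiters to whatever a real capture uses.

```python
import base64
import codecs

MORSE = {
    "A": ".-", "B": "-...", "C": "-.-.", "D": "-..", "E": ".", "F": "..-.", "G": "--.",
    "H": "....", "I": "..", "J": ".---", "K": "-.-", "L": ".-..", "M": "--", "N": "-.",
    "O": "---", "P": ".--.", "Q": "--.-", "R": ".-.", "S": "...", "T": "-", "U": "..-",
    "V": "...-", "W": ".--", "X": "-..-", "Y": "-.--", "Z": "--..",
    "0": "-----", "1": ".----", "2": "..---", "3": "...--", "4": "....-",
    "5": ".....", "6": "-....", "7": "--...", "8": "---..", "9": "----.",
}
MORSE_REV = {v: k for k, v in MORSE.items()}


def morse_encode(text):
    """Letters separated by one space, words by ' / ' (the convention chosen for this sample)."""
    return " / ".join(" ".join(MORSE[c] for c in word) for word in text.upper().split())


def morse_decode(code):
    return " ".join("".join(MORSE_REV[sym] for sym in word.split()) for word in code.split(" / "))


def secure_encode(plain):
    """Build a 'secure comms' token: morse -> hex -> rot13 -> base64 (only used to construct the sample)."""
    hexed = morse_encode(plain).encode("ascii").hex()
    return base64.b64encode(codecs.encode(hexed, "rot_13").encode("ascii")).decode("ascii")


def secure_decode(token):
    """The four CyberChef operations from the walkthrough, applied in order."""
    step1 = base64.b64decode(token, validate=True).decode("ascii")   # 1. From Base64
    step2 = codecs.decode(step1, "rot_13")                            # 2. ROT13 (self-inverse)
    step3 = bytes.fromhex(step2).decode("ascii")                      # 3. From Hex
    return morse_decode(step3)                                        # 4. From Morse Code


def parse_irc_line(line):
    """Split one IRC line into (prefix, command, params, trailing)."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    body, _, trailing = line.partition(" :")
    parts = body.split()
    return prefix, parts[0], parts[1:], (trailing if trailing else None)


def channel_operators(stream):
    """Nicks prefixed with '@' in 353 (RPL_NAMREPLY) lines; a '+' prefix would mean voice, not op."""
    ops = []
    for line in stream.splitlines():
        if not line:
            continue
        _, cmd, _, trailing = parse_irc_line(line)
        if cmd == "353" and trailing:
            ops += [n[1:] for n in trailing.split() if n.startswith("@")]
    return ops


def decode_secure_comms(stream):
    """(nick, plaintext) for every PRIVMSG whose text survives the four-step recipe."""
    out = []
    for line in stream.splitlines():
        if not line:
            continue
        prefix, cmd, _, trailing = parse_irc_line(line)
        if cmd != "PRIVMSG" or not trailing:
            continue
        try:
            plain = secure_decode(trailing)
        except (ValueError, KeyError):    # binascii.Error and UnicodeDecodeError are ValueErrors
            continue                      # ordinary chatter, not an encoded message
        out.append((prefix.split("!")[0], plain))
    return out


# Constructed IRC stream (server-to-client lines only); nicks and texts are made up for the example
SAMPLE_IRC = "\r\n".join([
    ":irc.tufmups.test 353 K3anu = #tufmups :@K3rm1t p1ggy +f0zz K3anu",
    ":irc.tufmups.test 366 K3anu #tufmups :End of /NAMES list.",
    ":K3anu!~k3@10.0.0.5 PRIVMSG #tufmups :hey all, got any epic hacks i can help with?",
    ":K3rm1t!~k@10.0.0.9 PRIVMSG #tufmups :switching to secure comms",
    ":K3rm1t!~k@10.0.0.9 PRIVMSG #tufmups :" + secure_encode("WATCH THE NEW GUY"),
    ":p1ggy!~p@10.0.0.7 PRIVMSG #tufmups :" + secure_encode("PWN HIM AT 2200"),
]) + "\r\n"
```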

16. What is the password to decrypt the zip file that was downloaded by K3anu? fozzie

This question is going to demand a couple of things - extracting the file K3anu downloaded via FTP, and decrypting it.

First we can view the FTP commands run by using a display filter of “ftp” and following TCP stream (stream 4075).

We see in the FTP traffic that two files were downloaded by K3anu: "decrypttool.exe" and an encrypted ZIP archive. Based upon the conversation we saw earlier in the IRC channel, it sounds like the mups were planning to "pwn" K3anu, so I'd be skeptical of the contents of these files and would not run the executable anywhere but a sandbox.

Pivoting to a display filter of “ftp-data” we can follow the two TCP streams to extract the files themselves. Simply select the server side of the conversation (drop down menu at the bottom of the follow TCP stream window), select “show and save data as RAW” and save the file to disk for each of the TCP streams.

We only need the ZIP file for this question, but it's best to extract both files at this point as they will be needed for future questions.

Google searches for "how to crack zip password Kali Linux" will quickly lead you to fcrackzip, which is likely the most popular tool for this task. Its syntax is a little finicky in my experience and it typically takes me two tries and a Google search to get it right. It also sometimes doesn't like to be stopped with Ctrl+C. That said, it works!

By running fcrackzip with a dictionary attack (-D for dictionary mode, -p to specify the wordlist, -u to actually try unzipping each candidate so only true positives are reported, and -v for verbose) against the popular "rockyou.txt" wordlist, we identify the password "fozzie" within seconds.

17. How many total rows of “fullz” are represented in the file? 13377

This one is simple: the decrypted file "tufmups_fullz_dec17.csv" has 13378 total lines, one of which is the header row, hence 13377 rows of "fullz".

18. How many people in the “fullz” are named Joshua, have a Mastercard, and use an OS X system? 12

This question is a simple series of grep commands piped together to obtain the answer. Something to consider is capitalization: use the "-i" switch so the match is not case-sensitive. Also keep in mind that grep matches anywhere on the line, so "Joshua" as a surname or in a street name would count too; if the number looks off, match on the specific columns instead.

19. From the previous question (people named Joshua) - what is the most expensive car new in this filtered list? 2006 Pagani Zonda

One of the last columns in the CSV is the car the person owns. cut or awk can be used to extract these values; the car is the field after the 37th comma from the beginning of each line, i.e. field 38 for either tool. Be aware that both split on every comma, so a quoted comma in an earlier field (an address, say) shifts the columns for that row.

Ultimately there are two cars here that are quite exotic and expensive, the Koenigsegg CC8S and the Pagani Zonda. At this point you can research which car cost more new - at the time I found that the Zonda was more. They are both too rich for my blood.
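Added example, not from the post, covering questions 17 to 19: the same counting and column extraction done with Python's csv module, next to a grep-style and cut-style version so the differences show. The CSV is constructed; its column names are assumptions (the walkthrough only says the car sits after the 37th comma), and one row carries a quoted comma in an address to show where cut -d, and awk -F, go wrong.

```python
import csv
import io

# Constructed sample shaped like the walkthrough describes: a header row, then one 'fullz' record per
# line, with the car in the column after the 37th comma (field 38). The column names are assumptions.
HEADER = (["first_name", "last_name", "email", "card_type", "card_number", "os"]
          + ["col%d" % i for i in range(7, 37)] + ["address", "car"])
FILLER = ["x"] * 30
ROWS = [
    ["Joshua", "Ng", "j@example.test", "Mastercard", "5555000000000001", "OS X"] + FILLER + ["1 Main St", "2006 Pagani Zonda"],
    ["joshua", "Ruiz", "jr@example.test", "MasterCard", "5555000000000002", "Mac OS X"] + FILLER + ["2 High St", "2004 Koenigsegg CC8S"],
    ["Joshua", "Park", "jp@example.test", "Visa", "4111111111111111", "OS X"] + FILLER + ["Apt 4, Bldg 2", "1998 Toyota Corolla"],
    ["Marie", "Joshua", "mj@example.test", "Mastercard", "5555000000000003", "OS X"] + FILLER + ["3 Low St", "2010 Honda Fit"],
    ["Anna", "Lee", "al@example.test", "Mastercard", "5555000000000004", "Windows 10"] + FILLER + ["4 Mid St", "2012 Ford Focus"],
]


def _make_csv():
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")   # quotes the address that contains a comma
    writer.writerow(HEADER)
    writer.writerows(ROWS)
    return buf.getvalue()


SAMPLE_CSV = _make_csv()


def load_rows(text):
    """Parse the CSV into dicts keyed by header name (quoting-aware, unlike cut or awk -F,)."""
    return list(csv.DictReader(io.StringIO(text)))


def count_records(text):
    """The question 17 count: data rows only, header excluded (wc -l would report one more)."""
    return len(load_rows(text))


def grep_style_count(text, *terms):
    """What a chain of 'grep -i term' pipes counts: every term anywhere on the line."""
    return sum(1 for line in text.splitlines()[1:]
               if all(t.lower() in line.lower() for t in terms))


def filter_fullz(rows, first_name, card_type, os_contains):
    """Column-aware version: 'Joshua' must be the first name, not a surname or part of an address."""
    return [r for r in rows
            if r["first_name"].lower() == first_name.lower()
            and r["card_type"].lower() == card_type.lower()
            and os_contains.lower() in r["os"].lower()]


def naive_cut(text, n=37):
    """cut -d, -f38 on the raw lines: the value after the n-th comma, quoting ignored."""
    return [line.split(",")[n] for line in text.splitlines()[1:]]


def csv_column(text, n=37):
    """The same field read with a real CSV parser, so a quoted comma does not shift the columns."""
    return [row[n] for row in list(csv.reader(io.StringIO(text)))[1:]]
```

On the constructed data the grep chain says 3 and the column-aware filter says 2, because "Marie Joshua" only matches by surname; which one is right depends on what the question means by "named Joshua", so it pays to know which you are counting before you answer.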

20. What IP and port does the executable connect to? Ip:port

Perhaps the best way to get this answer is to simply run the executable in a sandbox or an isolated local VM (never on the analysis host) and watch the outbound connection. It should also be possible to decompile the executable, since it turns out to be a PyInstaller bundle (question 22). It's also possible that by this point you've found the highly suspicious traffic on port 1234 that contains the standard output of a Windows command-line session, as other questions lead you to it.

21. What is the MD5 hash of the malicious executable? 20422a060c5f8ee5e2c3ba3329de514f I can’t recreate this answer now!  

At the time of the initial event for this CTF this was the answer I and others consistently got from the executable extracted via Wireshark. When extracting the file with a current version of Wireshark I get a different hash now. Apologies if anyone has had difficulty recreating this answer. If you want to compare notes, record exactly how you extracted the bytes (Follow TCP Stream, server side only, raw), because a single extra or missing byte changes the MD5 entirely.

22. What was used to compile the malicious executable? Pyinstaller

The malicious executable contains a number of strings that are unique to PyInstaller (the bootloader's runtime strings and the "MEI" archive cookie it appends to the end of the file), which the strings utility will show.
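Added example, not from the post: what strings reveals about a PyInstaller bundle, checked programmatically. The script extracts printable strings the way strings(1) does, looks for bootloader strings, and parses the "MEI" cookie PyInstaller appends at the end of the archive (magic, package length, TOC position and length, Python version, DLL name). The EXE bytes are constructed; the list of marker strings is my assumption of common ones rather than an exhaustive fingerprint, and the Python-version integer is encoded differently across PyInstaller releases, so treat it as a hint rather than a fact.

```python
import re
import struct

# PyInstaller's bootloader appends a 'CArchive' to the EXE and finishes it with a cookie that
# begins with this magic.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# Strings the bootloader and archive typically carry (assumed list for this example)
PYINSTALLER_STRINGS = [b"pyi-windows-manifest-filename", b"pyi-runtime-tmpdir",
                       b"_MEIPASS2", b"PYZ-00.pyz"]


def extract_strings(data, min_len=4):
    """What strings(1) does by default: runs of at least min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def pyinstaller_markers(data):
    return [s.decode("ascii") for s in PYINSTALLER_STRINGS if s in data]


def pyinstaller_cookie(data):
    """Parse the cookie PyInstaller writes at the end of the archive: magic, package length,
    TOC offset, TOC length, Python version, Python DLL name (big-endian, 88 bytes in PyInstaller 3.x).
    Returns None when the magic is absent or the record is truncated."""
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos < 0 or pos + 88 > len(data):
        return None
    _magic, length, toc_off, toc_len, pyvers, pylib = struct.unpack("!8siiii64s", data[pos:pos + 88])
    return {"package_length": length, "toc_offset": toc_off, "toc_length": toc_len,
            "python_version": pyvers,            # encoding of this field changed across releases
            "python_lib": pylib.split(b"\x00", 1)[0].decode("ascii", "replace")}


def classify_executable(data):
    """('PyInstaller' or 'unknown', cookie dict or None, list of marker strings found)."""
    cookie = pyinstaller_cookie(data)
    markers = pyinstaller_markers(data)
    return ("PyInstaller" if cookie or markers else "unknown"), cookie, markers


# Constructed stand-in for the extracted EXE: a PE-like prefix, some bootloader strings, then the cookie
SAMPLE_EXE = (b"MZ" + b"\x90" * 64
              + b"pyi-windows-manifest-filename\x00_MEIPASS2\x00PYZ-00.pyz\x00"
              + b"\x00" * 32
              + struct.pack("!8siiii64s", PYINSTALLER_MAGIC, 4096, 1024, 512, 36, b"python36.dll"))
```

Once you know it is a PyInstaller bundle, the path to the attacker's source is to unpack the CArchive and decompile the .pyc inside; the cookie's TOC offset and length are exactly what an unpacker uses to find the table of contents.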

23. What executable did K3anu likely use to download files from the remote server? (exactly as written in source material) WinSCP.exe

This is a tricky one. K3anu only downloaded files via FTP from the remote server, so this is a matter of reviewing the output the attacker received over port 1234 in TCP stream #4082.
In the tasklist output we see "WinSCP.exe", which is the only FTP-capable software running on the system.

24. What is the host system's exact BIOS version? innotek GmbH VirtualBox, 12/1/2006

This is another question directly answerable from the attacker's C2 traffic in stream #4082. As part of the attacker's "systeminfo" command output the BIOS version is revealed.

25. What is the filename of the first file taken from K3anu's computer?

This answer is also in the C2 traffic in stream #4082. Below we see an ncat command sending the stolen ZIP file to the malicious server on tcp/1235.

26. What is the filename of the second file taken from K3anu's computer?

Directly below that exfiltration we see the same activity for a second file.

27. What utility was used to steal the files from K3anu's computer? Ncat

Answered in 25/26.

28. What destination port was used to steal the files from K3anu's computer? 1235

Answered in 25/26.

29. What is the password to decrypt the file stolen from K3anu's computer? (it's lowercase) molder

To get this answer first you need to extract the ZIP file from the PCAP using the same process used to extract the mupsfullz ZIP. You can also use the exact same fcrackzip command and dictionary against this encrypted zip and get the password “molder” within seconds.

30. What is K3anu's real identity? Constantine
Unzipping the stolen ZIP file reveals a series of pictures named "Constantine".

Each of these images has a "Comment" field in its EXIF metadata that is a message from K3anu. exiftool is the tool of choice for viewing this metadata.

31. What city is K3anu likely to be in? Pontevedra

This is entirely based upon the coordinates found in the previous question's metadata. Plug them into Google Maps.

32. What is K3anu's likely status? (lowercase) dead

Unfortunately it looks like our informant was murdered by puppets.

33. What is the address of the restaurant closest to where K3anu is likely to be? (exactly as reported by Google maps) Camino C5 Illas Cies, 8, Vigo, Pontevedra, Spain

When you view the coordinates in Google Maps, this restaurant is essentially at the end of the dock where the coordinates land.

34. The hacker left a message for law enforcement on K3anu's system, what was it? (message only) yeah good luck finding this guy cops, great job picking an informant.. real winner with his grilled cheese

This answer is the last command issued by the attacker in the C2 network traffic (stream 4082).