Spying On Screens and Keystrokes – The Dangers of Open X11

This is not a ground breaking 0-day exploit, nor is it intense new research.  I recently needed to do something that I had done a long time ago, and not very often.  I knew the theory, and it seemed straightforward: I needed to take advantage of an open X11 server during an engagement and realized, while it seemed trivial, I didn’t really remember what to do.  It took me a bit of Goole-fu to find the tools and instructions to get me where I needed to be.  Since I use this blog as my running notepad I’ll put it here for posterity’s sake, and maybe it’ll help someone out in the future who’s searching for answers just like I was.

Now onto the tools you’ll need.  Grab xspy ( or use your BackTrack VM /pentest/sniffers/xspy) and xwatchwin. I found xwatchwin here.

You also need to install xutils-dev (because you’ll need to run xwininfo). On Ubuntu i used

 apt-get install xutils-dev

We need to discover the window ID to pass to xwatchwin. For this I use xwininfo:

xwininfo -root -display remote-IP:0

If you receive output similar to what’s shown below take note of the Window ID.


To begin capturing key strokes issue this command (optionally pipe to log file if you want)

./xspy -display remote_ip:0 >> keys-log.txt

Below is an example of running this command and viewing the live keystrokes from another machine (would be cooler if i put up a vid, eh?).


Notice you get all of the keys, even the up key, backspace and CTRL+C.

To begin spying on the active desktop issue this command

./xwatchwin remote-ip:0 -w window-id

In the earlier output from xwininfo we saw that the window ID was 0xb6 (click picture for better view).


The xwatchwin command, if successful, will launch a window that displays the remote users’ desktop (or whatever is on their X11 session) for you viewing delight.

If you’re out there and happen across an open X11 server listening that is a BIG deal. You can grab all of the keystrokes of the logged on user (ALL of them including passwords put in blind for SSH, etc.).  You can also remotely spy on the current X session, as well.  Not as exciting if it’s a server and no one’s logged in, but still brutal in my opinion.  If you run your organizations’ vulnerability scans  and you find open and unauthenticated X11 servers you need to remedy those findings with a quickness.

You can mitigate this threat by using the old school xhost method, host based firewall, or not allowing gdm, lightdm (or whatever display manager you use) to listen on TCP.  This threat is bad enough on a well protected internal server behind layers of firewalls and that is normally managed via SSH; imagine if this was open on a laptop that someone took to an internet cafe or the airport?  Anyone with a little know how could watchlog every move and keystroke they took!



M$ Screencap Application For Troubleshooting… And Sleuthy Spying

I was recently made aware by an infosec colleague of mine DMFH (aka Donny Harris) about an M$ utility called the Problem Step Recorder, aka psr.exe.  It comes standard on Windows 7 machines.  In a nutshell it’s used to provide a step-by-step breakdown of user activity to provide to tech support after a user has re-created a problem, complete with screen captures!  NOTE: it does NOT capture keystrokes.  So, thankfully M$ did not embed a keylogger into Windows 7.  It shows a script of sorts of user’s activity in windows, info about PIDs, what mouse buttons are clicked and different hooks and internal system calls.  What got me was the screen captures… I know there are metasploit modules (screenspy and screenshot) and AutoIT apps, and that every keylogger on earth has a screencap ability.  DMFH made a good point tho: psr.exe would not be caught by most AV’s being that it is a signed and trusted system utility.  And, if a user sees psr.exe in their taskmgr and google it, they’ll see its an M$ troubleshooting tool, so they may be less concerned with it.

I realize that if you’re on a box and can run psr.exe you’ve already owned it, or are close to doing so; this is not the next l33t h@x0r attack, but another tool in your arsenal.  One use case could be you have shell access to machine (no meterpreter) and you can’t figure out a way to get tools onto the box for some reason.  If it’s a Windows 7 (didn’t find it on server 2k8 r2) you can grab screencaps and save them somewhere you can hopefully access.  Also, to reiterate my point, it’s an M$ utility so you don’t have to bring in another app that could trigger AV.

Below are a few pictures showing what the web archive (.mht) file contained.

Here are the commands to run psr.exe from the cli.  I did try it from a shell gained via metasploit and it worked like  a champ.  The key is migrate (if you’re not already running as them) into a PID of a user to capture that users’ session.

 psr.exe /start /output c:Usersusernametest.zip /sc 1 /gui 0

You need to issue (or schedule task) the below command to stop psr.exe from runningrecording.

psr.exe /stop

Here’s a blog post I found that details some of the switches of psr.exe.

Passed the Offensive Security OSCP Exam!

It has been an intense journey since I signed up for the PWBv3 course from Offsec.  But, now it is all worth it.  I received notice that I passed and can now claim the title: Offensive Security Certified Professional (OSCP).  I have taken many security courses, and have gotten a few certifications along the way, and I must say none have been as rewarding as this.  I cannot sing the praises of Offsec enough, even though sometimes during the course I wanted to curse their diabolical minds for coming up with some of the machines I had to penetrate.  I will admit that this was my second attempt at the OSCP exam.  I will not say I failed the first attempt (well actually that’s exactly what I did) but rather learned valuable lessons from it.  My first attempt was 23 hours straight (I took an hour nap) and at the end I knew I had come up short even before they emailed me.  But, this did not discourage me, it energized me!  I talked to many folks who had had a similar experience.  I will say that I hold this certification higher than any I have attained yet, bar none.

To those who are taking the course and may come across this post: Do not fret!  Remember what you’ve learned, and if you get knocked down get up and go at it again!  For those of you who are not (or have not) taken the course, check it out!  I guarantee even if you’ve been pen-testing for years this course will be a heckuva time!

Shellcode, Assembly and Buffer Overflow

This is quick commo check and update to my progress with the PWBv3 course.

I’ve spent the better part of this week knee deep in shellcode, assembly and debuggers… and let me tell you my brain needs a break!  Don’t let the latter sentence scare you away from this course; the tutorials and examples are excellent, even if you’ve never read the output of a debugger before you can handle it with the help of the videos and lab guide.  I just finished the “extra mile” portions of the buffer overflows module.  I was determined to nail those!  I’ve also read that the extra mile modules will help you in your quest for the OSCP certification (24 hours hack some boxes, remember?).  I found this site to be very helpful when trying my hand at an SEH overflow.

Diving into this training has afforded me the opportunity to strengthen muscles that I used daily, but to also train new ones, with regards to pen testing.

I’ll be writing up more about stack based buffer overflows and basic fuzzing in the future.

Offensive Security Penetration Testing With Backtrack (PWB3)

In my never ending quest for IT security excellence I’ve decided to enroll in the Offensive Security Penetration Testing With Backtrack version 3 (PWB3) course, offered by Offensive-Security.  The course, formerly known as OSCP 101, has turned out to be quite a different animal than other security coursescertification tracks I have taken in the past.  I opted to take the online version, which fits my learning style (and family life!).  I am one week into the course and already think it’s one of the finest security training events I’ve gotten to be a part of so far.  Before enrolling I did some searching to find reviews and opinions of different course participants, and while I did find several, they were few and far between.  I’ve decided to write about my experiences to date, and to provide updates periodically up until the point I take the final exam.  Speaking of the exam, did I mention it’s a 100% hands on exercise, wherein exam participants must compromise unknown machines to pass it?  I don’t think any type of exam cram method will help folks out on this one!  You either know how to perform a pen test, or you fail, simple as that.

I did some reading and found several great write up from folks who have taken the course, but I wanted to throw my hat in the ring of reviewers as well.  I would definitely read these other posts, to get different points of views on the PWB3 course.  You can find one here

Once enrolled you get vpn access to the offsec lab environment, flash video files for the couse and pdf lab guide, as well as a dedicated XP vm in the lab network.

One of the neatest things I’ve come to discover while taking this course is that the initial modules, which at first glance I was tempted to skip, provided value to me!  I’ve been using backtrack for several years, and while my Linux skills may not equate me to an Uber Linux Ninja I am fairly capable of using the Linux command line and bash scripting.  I forced myself early on not to skip any modules and to watch all of the videos AND read the corresponding sections in the lab guide.  I was pleasantly surprised when shortcuts to the ways I’d been doing things were shown, or different tricks to manipulating text were displayed.  I have thoroughly enjoyed the different lab exercises to this point, and have begun getting into the nitty gritty of buffer overflows and shellcode. 

One area that has particularly fascinated me has been the use of search engines (specifically Google) in penetration testinginformation gathering.  I’ve known about Johny Long’s Google Hacking Database  for several years now, but to see it used in practical examples was excellent.  Using Google to find actual vulnerable web servers was cool (also dangerous), but the simple data gathering techniques shown were very eye opening.  To see, and use, some of the different tricks like using Google search operators to scour the Inter-webs to find juicy bits of data has really been excellent.  I’ve known and used some of these techniques in the past, but some of the operators or search methods were new to me.  In one instance I discovered a PDF document that’s footer read “Data contained within this document is confidential and proprietary”.  Yikes!  I contacted the company that was hosting the data and it disappeared the next day. 

It really is amazing the types of things you can find out about people and organizations without doing any “hacking” per se, but just intuitively searching Google.  I highly suggest folks try searching for their own names or originations and see what comes up, you might be surprised!  

This course takes you through a penetration test, from alpha to zeta, and adds value throughout.  I can’t speak more highly of it… well, scratch that.  If I pass the final exam THEN I’ll not be able to speak higher…  I’ll update you on my progress in a week or so.