Thursday, January 27, 2011

More on secure wiping tools: SRM and BCWipe

This article from the SANS Computer Forensics Blog explains in detail how secure wiping tools such as SRM and BCWipe behave from a forensics point of view.

As explained in previous posts, only a tool that can access the raw device can wipe every trace of an existing file, because userland tools cannot reach the indirect blocks. The leftover trace can help to confirm that a given file was wiped.

Monday, January 24, 2011

Two new books on the shelf

Extrusion Detection: Security Monitoring for Internal Intrusions
Publisher: Addison-Wesley Professional (November 18, 2005)
Language: English
ISBN-10: 0321349962
ISBN-13: 978-0321349965

Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code
Publisher: Wiley; Pap/Dvdr edition (November 2, 2010)
Language: English
ISBN-10: 0470613033
ISBN-13: 978-0470613030

Evilgrade at Defcon

Evilgrade is a framework that injects fake updates into common tools such as Java, iTunes, mIRC, etc.

This tool needs a MITM attack in order to modify the DNS traffic (e.g. with Dsniff), so that the update system is pointed to a fake web server.

Video and slides

Tuesday, January 18, 2011

Meterpreter script for grabbing Wifi profiles

Digininja has written a Metasploit script that grabs all the wireless profiles from Windows Vista or Windows 7 boxes.

It does this by running the following command to dump all the profiles to the current %TEMP% directory:
netsh wlan export profile folder=%TEMP%
Then, for each line of the output, it finds the filename of the profile and downloads it. To tidy up, the file is then deleted from the directory.
The profiles are stored in the .msf3/logs/scripts/wlan_profiles/ directory.

To re-use the profiles, they can be imported into another Windows box with the following command:
netsh wlan add profile filename="the_filename.xml"
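The exported profiles are plain XML, so a defender can audit what a harvested profile actually reveals. The following is an added example (not Digininja's script or any Metasploit code) that parses profiles in the Windows WLAN profile schema and flags the ones worth worrying about; the sample profiles are constructed here, and the risk rule is my own.

```python
import xml.etree.ElementTree as ET

# Namespace of the XML that "netsh wlan export profile" writes.
NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

def audit_profile(xml_text):
    """Parse one exported WLAN profile and report what it reveals."""
    root = ET.fromstring(xml_text)
    find = lambda path: root.findtext(path, default="?", namespaces=NS)
    key = root.find("w:MSM/w:security/w:sharedKey", NS)
    # protected=false means the passphrase itself sits in the file in clear text
    in_clear = key is not None and \
        key.findtext("w:protected", default="true", namespaces=NS) == "false"
    return {
        "ssid": find("w:SSIDConfig/w:SSID/w:name"),
        "auth": find("w:MSM/w:security/w:authEncryption/w:authentication"),
        "encryption": find("w:MSM/w:security/w:authEncryption/w:encryption"),
        "has_psk": key is not None,
        "key_in_clear": in_clear,
    }

def risky(report):
    """Flag a profile whose passphrase is stored in clear, or an open/WEP network."""
    return report["key_in_clear"] or report["encryption"] in ("none", "WEP")

def constructed_profile(ssid, auth, enc, key=None, protected=True):
    """Build a constructed sample profile following the Windows WLAN profile schema."""
    shared = ""
    if key is not None:
        shared = ("<sharedKey><keyType>passPhrase</keyType><protected>%s</protected>"
                  "<keyMaterial>%s</keyMaterial></sharedKey>"
                  % (str(protected).lower(), key))
    return ('<WLANProfile xmlns="%s"><name>%s</name>'
            "<SSIDConfig><SSID><name>%s</name></SSID></SSIDConfig>"
            "<MSM><security><authEncryption><authentication>%s</authentication>"
            "<encryption>%s</encryption></authEncryption>%s</security></MSM>"
            "</WLANProfile>" % (NS["w"], ssid, ssid, auth, enc, shared))

# Constructed samples: a cleartext PSK, a DPAPI-protected PSK, and an open network.
SAMPLES = [
    constructed_profile("CorpWifi", "WPA2PSK", "AES", key="constructed-passphrase", protected=False),
    constructed_profile("HomeWifi", "WPA2PSK", "AES", key="constructed-dpapi-blob", protected=True),
    constructed_profile("CafeOpen", "open", "none"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        r = audit_profile(sample)
        print("%-9s %-8s %-4s psk=%-5s clear=%-5s risky=%s"
              % (r["ssid"], r["auth"], r["encryption"], r["has_psk"], r["key_in_clear"], risky(r)))
```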

Use flow data to date and identify an intrusion

One of the key points of NSM (Network Security Monitoring) is the use of flows to track and analyse network activity in order to respond to an incident or perform forensics.

I found the two following posts thanks to Richard Bejtlich. They describe how to use the flow data that we can extract from our routers to track and respond to an incident.

The first post explains how to track anomalous activity in our systems thanks to the network activity recorded in the flows. In this case, the attacker had planted an IRC backdoor.

The second post explains how to detect the attack vector by filtering out the 'known good' traffic.
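The two ideas above (filter out known-good traffic, then look at what is left to date the compromise) can be applied to any flow export. The following is an added example, not code from either post: it runs over a handful of constructed NetFlow-style records, drops flows to known-good services, and flags the internal host talking to an IRC port over long-lived connections, returning the earliest such flow as the starting point of the timeline. The address space, port lists and thresholds are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed flow records (NetFlow-style, one per line); not taken from the posts.
FLOWS = """start,src,sport,dst,dport,proto,bytes,duration
2011-01-10 09:00:02,10.0.0.15,51012,93.184.216.34,80,tcp,48211,3
2011-01-10 09:01:10,10.0.0.15,51013,198.51.100.7,6667,tcp,1220,86400
2011-01-10 09:02:44,10.0.0.22,41000,10.0.0.5,53,udp,160,0
2011-01-10 09:03:00,10.0.0.15,51020,203.0.113.9,4444,tcp,2140,42
2011-01-10 10:15:31,10.0.0.15,51099,198.51.100.7,6667,tcp,980,79000
2011-01-10 11:00:00,10.0.0.31,50000,93.184.216.34,443,tcp,31000,5
"""

INTERNAL = "10.0.0."               # our address space (assumption)
KNOWN_GOOD_PORTS = {80, 443, 53}   # the 'known good' services we filter out first
IRC_PORTS = {6667, 6697}           # IRC backdoors usually phone home here
LONG_LIVED = 3600                  # seconds; a flow open longer than this is unusual

def parse_flows(text):
    return list(csv.DictReader(io.StringIO(text)))

def filter_known_good(flows):
    """Drop flows to known-good services; whatever remains deserves a look."""
    return [f for f in flows if int(f["dport"]) not in KNOWN_GOOD_PORTS]

def suspicious_hosts(flows):
    """Group residual outbound flows per internal host, flagging IRC/long-lived ones."""
    findings = defaultdict(list)
    for f in flows:
        if not f["src"].startswith(INTERNAL) or f["dst"].startswith(INTERNAL):
            continue  # only internal -> external traffic is of interest here
        dport, dur = int(f["dport"]), int(f["duration"])
        reasons = []
        if dport in IRC_PORTS:
            reasons.append("irc port")
        if dur > LONG_LIVED:
            reasons.append("long-lived (%ds)" % dur)
        if reasons:
            findings[f["src"]].append((f["dst"], dport, f["start"], ", ".join(reasons)))
    return dict(findings)

def first_seen(findings, host):
    """Earliest flagged flow for a host: where the incident timeline starts."""
    return min(start for _, _, start, _ in findings[host])

if __name__ == "__main__":
    found = suspicious_hosts(filter_known_good(parse_flows(FLOWS)))
    for host, hits in found.items():
        print(host, "first seen", first_seen(found, host), hits)
```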

Monday, January 17, 2011

Bypassing antivirus signatures

Last weekend I read a nice conversation in the #metasploit IRC channel. A user wanted to know how to bypass antivirus signatures and somebody pointed to a presentation made by the Offensive-Security guys at ShmooCon, back in 2008.

In a nutshell, the binary is patched with a hex editor: the original code is XORed so that the AV signatures no longer match, and a new routine is added at the end of the data section to decode the contents of the binary at run time.

You can find a copy of the video here.

Wednesday, January 12, 2011

Are the Linux capabilities adding more security?

Many Linux distributions are moving towards capabilities in order to get rid of SUID/SGID binaries. Yes, it sounds nice because it splits root's powers into smaller privileges and also adds a high level of granularity.

In practice, it depends on how the capabilities are implemented and what privilege each capability grants, because there are cases where the program ends up with insane privileges. Of course, this can cause some trouble, and we will see many problems (exploits?) in the future.

The following article explains some of the cases discussed during the past weeks that led to local root privilege escalation. It points to the exploit released on the Full Disclosure mailing list and also to the post sent by Spender to the grsecurity forum, which is a good read.
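The practical question for an administrator is which file capabilities on a box are, on their own, as good as root. The following is an added example (not from the article or the grsecurity post) that parses constructed `getcap -r /` output and reports binaries carrying a root-equivalent capability in their effective or permitted set; the list of root-equivalent capabilities is my assumption for the audit.

```python
import re

# Capabilities that by themselves are enough to reach full root (load kernel
# modules, bypass DAC, change uid, write file caps, ...). The set is my
# assumption for this audit, not a list taken from the article.
ROOT_EQUIVALENT = {
    "cap_sys_admin", "cap_sys_module", "cap_sys_rawio", "cap_sys_ptrace",
    "cap_dac_override", "cap_dac_read_search", "cap_setuid", "cap_setgid",
    "cap_setfcap", "cap_chown", "cap_fowner", "cap_mknod",
}

def parse_getcap(output):
    """Parse `getcap -r /` output into {path: {cap_name: flags}}.
    Handles both 'path = caps' (older libcap) and 'path caps' (newer) forms."""
    result = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        path, sep, rest = line.partition(" = ")
        if not sep:
            path, _, rest = line.partition(" ")
        caps = {}
        for group in rest.split():  # e.g. 'cap_chown,cap_fowner+ep' or 'cap_sys_admin=p'
            m = re.match(r"([^+=]+)[+=]?(.*)", group)
            for name in m.group(1).split(","):
                caps[name.lower()] = m.group(2)
        result[path] = caps
    return result

def dangerous(entries):
    """Binaries holding a root-equivalent cap in their effective or permitted set."""
    out = {}
    for path, caps in entries.items():
        bad = sorted(c for c, flags in caps.items()
                     if c in ROOT_EQUIVALENT and ("e" in flags or "p" in flags))
        if bad:
            out[path] = bad
    return out

# Constructed getcap output; the paths and capability sets are made up for the demo.
SAMPLE = """/bin/ping = cap_net_raw+ep
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip
/usr/local/bin/backup-helper = cap_dac_read_search,cap_sys_admin+ep
/usr/local/bin/legacy-tool = cap_sys_admin+i
"""

if __name__ == "__main__":
    for path, caps in dangerous(parse_getcap(SAMPLE)).items():
        print("%s: %s" % (path, ", ".join(caps)))
```

Note that legacy-tool only carries cap_sys_admin in its inheritable set, so it is not reported; only effective or permitted bits count.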

Friday, January 7, 2011

Medium interaction SSH honeypot

Thanks to a tweet by HD Moore I found a hilarious website that posts transcripts of script kiddies attacking honeypots. :)

I guess many people are using SSH honeypots like Kippo.

Kippo is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker. 
Some interesting features:
  • Fake filesystem with the ability to add/remove files. A full fake filesystem resembling a Debian 5.0 installation is included
  • Possibility of adding fake file contents so the attacker can 'cat' files such as /etc/passwd. Only minimal file contents are included
  • Session logs stored in an UML compatible format for easy replay with original timings
  • Just like Kojoney, Kippo saves files downloaded with wget for later inspection
  • Trickery; ssh pretends to connect somewhere, exit doesn't really exit, etc

Wednesday, January 5, 2011

Is Cloud Computing Secure Enough?

Talk by David Jorm (Red Hat) at Ruxcon 2010 that discusses the different security problems found in virtualization products, as well as possible solutions.


Using static private keys in embedded devices is an epic fail

This project collects private keys extracted from embedded devices and correlates them with their public certificates.

With this information, an attacker can intercept the communications and decrypt the traffic. Furthermore, having both the public and the private key, the attacker can also perform a MITM attack that the victim cannot detect by looking at the SSL/SSH layer.

LittleBlackBox is a collection of thousands of private SSL and SSH keys extracted from various embedded devices. These private keys are stored in a database where they are correlated with their public certificates as well as the hardware/firmware that are known to use those private keys.
A command line utility is included to aid in the identification of devices or network traffic that use these known private keys. Given a public certificate, the utility will search the database to see if it has a corresponding private key; if so, the private key is displayed and can be used for traffic decryption or MITM attacks. Alternatively, it will also display a table of hardware and firmware that is known to use that private key. 

DNS block list for malicious web traffic

Mubix from room362 talks about a new service provided by the

This new service offers a DNS block list that identifies search engines, suspicious, harvesters, comment spammers, or a combination thereof.

Http:BL is similar, but is designed for web traffic rather than mail traffic. The data provided through the service allows website administrators to choose what traffic is allowed onto their sites. This document describes how to integrate with and take advantage of the http:BL service.
Developers who build the http:BL service into their software are encouraged to enable users of their software to give back to the Project. Http:BL is only valuable if malicious robots continue to run across the Project's honey pots. As such, developers are encouraged to implement systems which would allow the easy creation of and/or linking to honey pots.
For example, if you are developing a plugin for blogging software, we encourage you to prompt users during creation to provide a link to a honey pot they have installed or a QuickLink. Your plugin can then drop invisible links to the honey pot throughout the blog site. Again, http:BL's value depends on getting as much data from the honey pot network as possible, and getting that data depends on getting traffic to honey pots. Please keep this in mind as you develop your software.
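To make the "search engines, suspicious, harvesters, comment spammers, or a combination thereof" part concrete, here is an added example (not Project Honey Pot's own code) that builds an http:BL query name for a visitor's IPv4 address, decodes the 127.x.y.z style answer into visitor types, and applies a simple block policy. The access key is a placeholder, the answers come from a constructed in-memory resolver rather than real DNS, and the block thresholds are my assumptions.

```python
import ipaddress

ZONE = "dnsbl.httpbl.org"
# Visitor type is a bit field in the last octet; 0 means a search engine.
TYPE_BITS = {1: "suspicious", 2: "harvester", 4: "comment spammer"}

def httpbl_query_name(access_key, client_ip):
    """Query name: <key>.<octets of the client IP reversed>.dnsbl.httpbl.org (IPv4 only)."""
    ip = ipaddress.IPv4Address(client_ip)
    reversed_octets = ".".join(reversed(str(ip).split(".")))
    return "%s.%s.%s" % (access_key, reversed_octets, ZONE)

def decode_httpbl_answer(answer):
    """Decode a 127.<days since last activity>.<threat score>.<type> answer.
    None (NXDOMAIN) means the address is not listed."""
    if answer is None:
        return None
    o = [int(x) for x in answer.split(".")]
    if len(o) != 4 or o[0] != 127:
        raise ValueError("not an http:BL answer: %r" % answer)
    days, threat, vtype = o[1], o[2], o[3]
    if vtype == 0:  # search engine: the third octet is the engine serial, not a threat score
        return {"days": days, "search_engine_id": threat, "types": ["search engine"]}
    types = [name for bit, name in TYPE_BITS.items() if vtype & bit]
    return {"days": days, "threat": threat, "types": types}

def should_block(result, max_threat=25, max_days=30):
    """Policy (assumption): block visitors with a real threat score seen recently,
    always let search engines through, and never block unlisted addresses."""
    if result is None or "search_engine_id" in result:
        return False
    return result["threat"] >= max_threat and result["days"] <= max_days

# Constructed answers standing in for a live DNS lookup; no network is used here.
PLACEHOLDER_KEY = "abcdefghijkl"
FAKE_DNS = {
    httpbl_query_name(PLACEHOLDER_KEY, "203.0.113.45"): "127.3.62.6",   # harvester + comment spammer
    httpbl_query_name(PLACEHOLDER_KEY, "198.51.100.10"): "127.0.1.0",   # search engine, serial 1
}

def lookup(access_key, client_ip, resolver=FAKE_DNS.get):
    """Resolve the query name with the given resolver and decode the answer."""
    return decode_httpbl_answer(resolver(httpbl_query_name(access_key, client_ip)))

if __name__ == "__main__":
    for ip in ("203.0.113.45", "198.51.100.10", "192.0.2.1"):
        r = lookup(PLACEHOLDER_KEY, ip)
        print(ip, r, "block:", should_block(r))
```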

Forensics: is shred securely deleting the files?

This article from the SANS Computer Forensics Blog analyzes how the tool shred behaves when wiping files from the file system.

In fact, like any other 'userland' tool, shred opens the file(s) through the available system calls. Therefore the application cannot reach some metadata that remains in the file system.

In the Linux/Unix realm we have tools like shred for securely overwriting files before deleting them in order to prevent recovery of the deleted file.  If your adversary is sufficiently advanced (or just not lazy), they can obviously use these tools to frustrate your forensic investigation.  Previously, I had thought that shred removed all traces of the file from disk.  But in the course of some other file system research I was doing, I've realized that there may be a few lingering artifacts.
If you look at the shred source code, it simply opens the file like any normal user process, jumps to the beginning of the file, and proceeds to overwrite the file from beginning to end.  As a normal user process, it has access to the data blocks that make up the file content, but not the indirect block metadata.  The file system drivers in the OS "hide" the indirect blocks from the shred program.  A program that wanted to clobber the indirect block data would have to have superuser privileges so that it could open the raw disk device and attack the necessary blocks directly.  Normal user space programs like shred aren't going to have this level of access.

The author of the post verifies the behavior with The Sleuth Kit. As expected, shred is not able to access an indirect block that contains metadata, so it does not get deleted. This can only be achieved by opening the raw device and overwriting the needed blocks, which requires admin privileges.

UPDATE: the file can still be completely recovered from the journal with ext3grep if it was recently deleted. We can find some examples on this site.
Every time a file is accessed, its access time is changed, and its inode is written to disk, along with 31 other inodes that reside in the same block. When that happens, a copy of that block is written to the journal. Therefore, if your partition isn't too large compared to your journal, and if you at least recently accessed the files you want to recover, you might be able to recover the block pointers from the journal.
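Both points above come down to ext2/ext3 on-disk arithmetic: a file only has indirect blocks once it outgrows the 12 direct pointers in its inode, and with 128-byte inodes in a 4 KiB block, 32 inodes travel to the journal together. The following is an added worked example (not from the SANS post or ext3grep) that computes, for the classic non-extent layout, how many indirect blocks a file of a given size leaves behind after a userland shred, and how many inodes share a block; block size, inode size and the 12 direct pointers are the standard defaults and are assumptions of the example.

```python
def cdiv(a, b):
    """Integer ceiling division."""
    return -(-a // b)

def ext3_block_layout(file_size, block_size=4096, direct=12):
    """Blocks an ext2/ext3 inode needs for a file of file_size bytes in the classic
    (non-extent) layout: 12 direct pointers, then single/double/triple indirect."""
    ppb = block_size // 4                     # 32-bit block pointers per indirect block
    data = cdiv(file_size, block_size)
    remaining = max(data - direct, 0)
    single = double = triple = 0
    if remaining > 0:                         # single indirect: one block of ppb pointers
        single += 1
        remaining -= min(remaining, ppb)
    if remaining > 0:                         # double indirect: up to ppb single-indirect blocks
        double += 1
        covered = min(remaining, ppb * ppb)
        single += cdiv(covered, ppb)
        remaining -= covered
    if remaining > 0:                         # triple indirect: up to ppb double-indirect blocks
        triple += 1
        double += cdiv(remaining, ppb * ppb)
        single += cdiv(remaining, ppb)
    return {"data_blocks": data, "single": single, "double": double,
            "triple": triple, "indirect_total": single + double + triple}

def shred_leaves_metadata(file_size, block_size=4096):
    """True when a userland overwrite leaves indirect blocks (block pointers) behind."""
    return ext3_block_layout(file_size, block_size)["indirect_total"] > 0

def inodes_per_block(block_size=4096, inode_size=128):
    """Inodes sharing one block: the neighbours journaled together with yours."""
    return block_size // inode_size

if __name__ == "__main__":
    for size in (4096 * 12, 4096 * 12 + 1, 4096 * (12 + 1024 + 1)):
        print(size, ext3_block_layout(size), "shred leaves metadata:", shred_leaves_metadata(size))
    print("inodes per block:", inodes_per_block())
```

So on a default 4 KiB-block ext3 filesystem, anything up to 48 KiB is fully covered by shred, and anything larger leaves at least one indirect block for a forensic examiner to find.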

Monday, January 3, 2011

High Performance Packet Capture in FreeBSD

Some information regarding high performance packet capture in FreeBSD, which may be interesting if you want to set up a sensor with this operating system.

UPDATE: How to set up and test the FreeBSD ringmap

Metasploit and VNC Password Bruteforcing

Nice post from CarnalOwnage that describes how to perform VNC password bruteforcing with Metasploit.


You should check out this presentation from Julia Wolf if you wonder why PDFs are one of the main attack vectors on the desktop.

Slides and video

Securing the network with OTP and RADIUS

Nice presentation from SecTor 2010 that explains how to use OTP and RADIUS to secure the network.

RADIUS can easily be integrated with PAM: SSH, sudo, su, OpenVPN, PostgreSQL, ...

I like the solution they offer to let users access their desktops remotely: FreeNX is tunnelled through SSH (user authentication via OTP) and offers X, VNC, RDP, desktop sharing and session shadowing.

Video and slides