Monday, February 28, 2011

Securing 'su' with Google Authenticator

Nice blog post that explains how to set up the Google Authenticator PAM module to restrict root access with 'su'.

Dumping the Wireless Passwords in Windows

I quote:
WirelessKeyDump is a console application (Command Prompt) that dumps the list of all wireless keys stored by the wireless networks module of Windows operating system.

 This utility works on any version of Windows starting from Windows 2000 and up to Windows 7/2008. On Windows 7/Vista/2008, you must use it from a command-prompt window that was started with 'Run As Administrator'. On x64 systems, you must download and use the x64 version of this tool.

Blind SQL in DVWA

This post from Pauldotcom explains how to perform Blind SQL injection attacks against DVWA (Damn Vulnerable Web App) in order to extract the usernames and password hashes from the database.

Dumping the cached credentials with Metasploit

This Metasploit module published by Mubix can easily fetch all the cached hashes from a running Windows computer.

Mitigating Slowloris

This blog post from CERT explains how to mitigate DoS attacks with Slowloris by tuning the Apache configuration and using the 'recent' iptables module.

Thursday, February 24, 2011

Malicious Documents Cheat Sheet

The following cheat sheet gives tips to reverse-engineer malicious documents: MSOffice and PDF files.

Many of the tools and processes are already explained in the book Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code.

Analyzing suspicious PDF files with PDF Stream Dumper

This post explains how to analyze PDF files with PDF Stream Dumper, looking for known exploits with signatures. The tool can also extract the different objects contained in the PDF and display/interpret JavaScript and shellcode.

Investigating DDoS attacks

Nice post from the Internet Storm Center that explains how to investigate and mitigate DDoS attacks.

Implement secure file uploads

Nice post from the SANS Application Security Street Fighter Blog.

8 Basic rules to implement secure file uploads.

Are password hashing and salts enough?

Nice blog post from F-Secure that explains why using salts to protect our passwords from rainbow tables is not enough.

As a quick summary, the idea behind the blog post is that using salts with hash algorithms like MD5 or SHA* is not enough, because these algorithms are designed for computing speed. Thus, using several GPUs to brute force all the passwords may take only a few days.

A possible option to make it more difficult is to use algorithms that are more complex, reducing the number of attempts per second.

The following schemes are recommended:

 •  PBKDF2
 •  Bcrypt

Furthermore (I quote):
So if you are working with passwords, pick one of the schemes above, determine the number of iterations it takes your server to check the password for the desired length of time (10, 200ms, et cetera) and use that. Have a unique salt value and iteration count for each user — anything that forces the attacker to focus on each account separately rather than being able to try against all accounts on each iteration.
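
An added example (not from the F-Secure post or from this blog) of the advice quoted above, using PBKDF2 from Python's standard library: the iteration count is calibrated to a target check time, and every stored record carries its own random salt and iteration count. The record format, the function names, the SHA-256 PRF and the 100 ms target are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

ALGO = "sha256"  # PRF for PBKDF2-HMAC (assumption; the quoted post does not name one)


def calibrate_iterations(target_ms=100.0, probe=20_000):
    """Time a probe run and scale it so one check costs about target_ms here."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(ALGO, b"probe-password", b"\x00" * 16, probe)
    elapsed_ms = max((time.perf_counter() - start) * 1000, 0.001)
    return max(probe, int(probe * target_ms / elapsed_ms))


def hash_password(password, iterations):
    """Return 'scheme$iterations$salt$hash' with a fresh 16-byte salt per user."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac(ALGO, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, record):
    """Recompute with the record's own salt and count; compare in constant time."""
    try:
        scheme, iterations, salt_hex, dk_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: reject rather than raise
    if scheme != f"pbkdf2_{ALGO}" or rounds < 1:
        return False
    dk = hashlib.pbkdf2_hmac(ALGO, password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(dk, expected)


def needs_rehash(record, current_iterations):
    """True when a record was stored with fewer iterations than today's target."""
    return int(record.split("$")[1]) < current_iterations


if __name__ == "__main__":
    rounds = calibrate_iterations(target_ms=100)
    stored = hash_password("constructed sample password", rounds)  # constructed input
    print(rounds, stored)
    print(verify_password("constructed sample password", stored))
```

Because the salt and iteration count travel with each record, the count can be raised later and old records upgraded at the user's next successful login, which is what `needs_rehash` is for.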

Tuesday, February 22, 2011

HBGary hack: lessons learned

Nice post from the Internet Storm Center that analyzes the HBGary Federal hack and highlights the mistakes.

I quote,

A lot of things that we already preach (or should be preaching):
  • Do not use same passwords for multiple applications/sites. A lot of free, good utilities, such as Password Safe exist that will allow you to automatically generate strong passwords and store them in an encrypted key chain.
  • No matter if your company is big or small, you should have change management processes that require all changes to be approved by appropriate personnel. While a CEO can request your administrator to open a port on the firewall, really the security person in charge should approve that. If you don’t have multiple roles for this then make sure that appropriate authentication is in place – i.e. verifying such critical requests through other channels.
  • You should regularly test your web applications – not only external, but also internal. While this does not guarantee that you will identify and eliminate all security vulnerabilities, it will certainly raise the overall security.
  • Encrypt your backups and think twice if you need all those e-mails at one place. Gmail is certainly attractive for storing years of e-mails and searching through them quickly, but imagine what would happen if someone gets access to all your e-mail.
  • When we’re at encryption – encrypt sensitive e-mails too. While it is a nuisance, it can save the day and PGP is not that hard to use. There are downsides, of course, so you should balance between usability and security.
  • If you are a web application developer, and have a need to store (hashed) user passwords remember that algorithms such as MD5 were built for speed! By using today’s GPUs, it is possible to crack hundreds of millions of MD5 passwords per second. Besides this, remember to salt the passwords to make rainbow tables useless (otherwise it’s usually a matter of seconds).
  • Finally, when talking about storing hashed passwords, try to use multiple algorithms to store passwords – something like sha1(sha1(sha1(password))) will still be unnoticeable for your application’s users and at the same time you not only made rainbow tables useless but increased time needed for cracking as well (and the attacker will have to make a custom cracking module for his program).

Monday, February 21, 2011

In case I got owned

There is no better therapy for a Monday morning than laughing.

In case a L33t Hax0r owns me, please download the following reply from Pauldotcom.


The lame pwned.

Wednesday, February 16, 2011

Wordlists for password brute forcing

A good compilation of wordlists that were used in the Defcon 2010 password cracking contest is available.

The following are wordlists both used to create the 2010 contest, but also used to crack passwords found "in the wild". Download these, use 'gunzip' to decompress them, and use them with your favorite password cracking tool.
Note: Most of the words are in ALL lower case, you will need to use "rules" in order to capitalize certain characters. Use the following rules combined with these wordlists/dictionaries in order to crack passwords.

GPU password brute forcing - oclHashcat+

oclHashcat+ works with ATI and Nvidia video cards and supports MD5, md5crypt, phpass, NTLM and DCC hashes.

Extracting memory mapped files from memory dumps

The linked post explains how to extract memory mapped files from memory dumps. This technique is useful when the files we want to investigate (like log files) are not available on the hard disk, perhaps because they were deleted.

They use Volatility to extract from the dump all the files opened by the Event Log service.

A memory mapped file:
is a segment of virtual memory which has been assigned a direct byte-for-byte correlation with some portion of a file or file-like resource. This resource is typically a file that is physically present on-disk, but can also be a device, shared memory object, or other resource that the operating system can reference through a file descriptor. Once present, this correlation between the file and the memory space permits applications to treat the mapped portion as if it were primary memory.
The primary benefit of memory mapping a file is increased I/O performance, especially when used on small files. Accessing memory mapped files is faster than using direct read and write operations for two reasons. Firstly, a system call is orders of magnitude slower than a simple change to a program's local memory. Secondly, in most operating systems the memory region mapped actually is the kernel's page cache (file cache), meaning that no copies need to be created in user space.

Tuesday, February 15, 2011

Hex encoding tricks with xxd

Seen in the Internet Storm Center.

The post explains how to modify binary files with vim and xxd, and also covers data encoding and exfiltration.

Real world data exfiltration

Seen via carnal0wnage

Paper presented at Black Hat DC 2011 that describes the methods used in real data exfiltrations.

I agree with the comments. Companies tend to accept only a pentest focused on a reduced set of systems and with short time frames instead of conducting a full-scope exercise.

An attacker that really wants your secrets will use all the resources available to gain access to your network and will not care about time (keeping a foothold for many months).



Tuesday, February 8, 2011

Exploiting SCADA systems

Presentation from Defcon that explains the common vulnerabilities in SCADA systems. It also includes a PoC.

Slides Video

Tracker for the Palevo C&C

A tracker has been created for the Palevo botnet that will provide a blocklist for the well-known C&Cs.

I quote:
Palevo (also known as Rimecud, Butterfly bot or Pilleuz) made some big press in 2009 when Panda Security announced the coordinated takedown of a huge botnet that they called Mariposa.
Palevo is a so called bot kit that is being sold in underground forums (like ZeuS) using the name BUtterFly BOT. Therefore there are dozens of different botnets out there run by different criminal groups.

As outlined above, Palevo is a huge threat for corporate- and home networks. Due to the fact that it is spread widely and most people are not aware of the problem I have decided to create Palevo Tracker. My goals are:

  • Get some attention on the Palevo threat
  • Provide a blocklist for well known Palevo C&Cs to the internet community
  • Provide details regarding Palevo C&Cs to ISPs, CERTs and Law Enforcement
  • Keep the project smart and simple as possible

To keep it simple I’ve created Palevo Tracker as sub-project on AMaDa. This means that the Palevo Tracker blocklist is included in the AMaDa C&C Blocklist.

Monday, February 7, 2011

Exploiting vulnerabilities in mobile phones

This video from Immunity shows how a mobile phone can be remotely exploited in order to gain access to the enterprise network and/or steal the personal data stored in the phone itself.

Wednesday, February 2, 2011

New book on the shelf

The Effective Incident Response Team
Publisher: Addison-Wesley Professional; 1st edition (September 26, 2003)
Language: English
ISBN-10: 0201761750
ISBN-13: 978-0201761757

JavaScript obfuscation to the next level

Awesome JavaScript obfuscation. The linked post shows JavaScript code that pops up an alert.

This shows how difficult it is to detect a client-side attack and also demonstrates why we must design our networks to detect malicious activity once the defenses fail.

The blog post talks about the following presentation at Black Hat DC 2011.

Log analysis can be lots of fun

Who said that looking at the logs is boring?

glTail is a log visualization tool that helps to analyse the log activity in an 'entertaining way'.

It supports: Apache Combined, Rails, IIS, Postfix/spamd/clamd, Nginx, Squid, PostgreSQL, PureFTPD, MySQL, TShark, qmail/vmpop3d