Saturday, February 23, 2013
Violent Python - TJ OConnor
I was the technical editor for Violent Python.
Here are some links to my 2013 Shmoocon presentation. Unofficial sources report 1200+ people in the room for my presentation with Jake Williams.
Here is a video: http://www.youtube.com/watch?v=R16DmDMvPeI
I also did a series on the Internet Storm Center on the topic. Here are some posts.
Part 1 - http://isc.sans.edu/diary/Wipe+the+drive!++Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
Part 2 - http://isc.sans.edu/diary/Wipe+the+drive!++Stealthy+Malware+Persistence+-+Part+2/15406
Part 3 - http://isc.sans.edu/diary/Wipe+the+drive!++Stealthy+Malware+Persistence+-+Part+3/15448
Part 4 - http://isc.sans.edu/diary/Wipe+the+drive!++Stealthy+Malware+Persistence+-+Part+4/15460
SANS SEC573 PYTHON FOR PENETRATION TESTERS
I authored a SANS Course! SEC573 Python for Penetration Testers. This is awesome!
File Hiding and Process Obfuscation
Here is a post I did on Pauldotcom.com on hiding processes.
Python PSEXEC rocks
Manipulate Volume Shadow Copies from Python
SMB Relay Demystified and NTLMv2 Pwnage with Python
TDS, MSSQL and Python
Antivirus Evasion - A peek under the Veil
Windows is 0wned by Default!
Well. This is pretty scary stuff. Rootkits without Rootkits. AV Evasion. My latest research project hit some serious pay dirt here. Sitting in Jason Fossen's SEC505 Securing Windows class is always inspiring and educational. Two years ago I was watching him play with the Application Compatibility Toolkit. I commented that it looked a lot like a rootkit. Jason (one of the smartest guys I know) said, "Yep, I think there is probably a lot of things you could do with that." Jason is awesome. I dug into it for a while, shared it with a few friends, then presented it publicly at this year's DerbyCon! Check it out.
Wednesday, May 23, 2012
Grabbing Usernames, Passwords, Cookies and more from HTTPS websites
Privilege Escalation through VMWare snapshots
Using Windows Resource Monitor to find hackers
A great SCAPY shortcut for TCP Fuzzing
Put Meterpreter in Python for 100% evasion:
Cool new SQL Injection Tool - It is different!
Volume Shadow Copy, Symbolic Links and directory name craziness
Execute files up to a month after they have been deleted and "cipher /w" wipes them:
Other related stuff:
EAP MD5 Crack - Attack 802.1X
Packet Reassembler for a new IDS ANALYST evasion technique
Convert Iphone Backup to Google Maps & Dump other data
Saturday, December 4, 2010
Windows 7 symbolic links and hidden files
Real time Google Hacking
Web Application Penetration Testing - Part 4
Web Application Penetration Testing Script - Part 3
Web Penetration Testing Scripts - Part 2
Web Penetration Testing Scripts - Part 1
Creating per user customized dictionaries with USERPASS
Using Metasploit to control netcat and third party exploits
Exploring the Facebook API
Capturing SSH V1 & V2 Credentials with a MitM ssh honeypot
Resilient SSH Tunneled Meterpreter Session
Nessus Scanning through a Metasploit Meterpreter Session
SSH gymnastics with proxychains
Meterpreter script to unlock the screensaver
Killing the Monkey in the Middle
Running a command on every machine in your AD domain from the command line
Bypassing AV with msfencode -x
Smashing the General Ledger for fun and Profit (AKA Accounting 101 for Penetration Testers)
NOT A CON!!!! (it's a backdoor)
CSAW Challenge - Reflections on Pools of Radiance
Pauldotcom 1-28 Technical Segment - Here's what you missed!
Gone in 60 Seconds
Thursday, January 14, 2010
Wireless Access Points Defcon 2004 style
GINA Authentication Bypass
Shmoocon tickets. See you there!
All your Active Directory Computer objects - Gone in 60 seconds
Wednesday, November 25, 2009
Wednesday, November 4, 2009
Sunday, August 16, 2009
By: Mark Baggett
I recently read a very good article on tuning Snort's Stream5 preprocessor to avoid "TCP Fragment Overlap" attacks. It's a great article, but the wording confused me. I thought to myself, "TCP Fragments, that must be a mistake. The TCP header doesn't have a 'more fragments bit', a 'fragment offset' or anything to support fragmentation. How can there be any TCP fragments?" Typically when we talk about fragmentation attacks we think about Layer 3 attacks. Attackers manipulate the IP packet headers to pull off various insertion and evasion attacks. Examples of layer 3 attacks include overlapping fragment attacks and temporal evasion (host reassembly timeout evasion). These attacks are explained pretty well in an article titled "Evading NIDS, revisited".
So what is TCP or Layer 4 "fragmentation"? Really, it's overlapping or retransmitted datagrams with the same TCP sequence number. To demonstrate the concept I fired up a virtual machine running Backtrack 3. I ran a netcat listener on my host (nc -l -p 9000) and used a netcat client in Backtrack to connect to it. I fired up Wireshark to watch the packets and I transferred the text "This is a test of the emergency broadcast system. If it were an actual emergency" between the two hosts. This is what Wireshark captured.
Perfect. Exactly what we would expect. Since my packet doesn't exceed the MTU of the established TCP connection, a single packet is transferred to the client with a single acknowledgment in return. If it had exceeded the MTU it still wouldn't have fragmented. It would have sent more than one datagram, each with its own unique IP ID.
Then I created a fragroute configuration file with one line in it:
This will cause fragroute to break the packets down so that they can only carry 16 bytes of TCP traffic. I start fragroute (fragroute -f ~/myfrag.conf 192.168.100.12) and transfer the same text between the hosts...
Fragroute works as expected and breaks the packets down such that only 16 bytes of data can be transferred in each packet. Each packet's sequence number increases by the number of bytes transmitted. Sequence numbers increase in order. Also, notice that each packet has its own unique IP ID field. There is NO FRAGMENTATION. The "More Fragments bit" isn't set. The fragment offset isn't set. No fragments. Instead, fragroute is transferring packets as if the MTU of the segment is only enough for 16 TCP bytes.
So now let's do some "TCP fragmentation overlaps". I change my fragroute.conf file to say this:
tcp_seg 16 new
This will cause fragroute to transmit frames with overlapping sequence numbers. This attack takes advantage of the fact that the TCP layer doesn't pass data up the stack to the application until it has acknowledged the data, and that packets are acknowledged in sequential order. So if we skip datagram #3 and transmit datagrams #4, #5 and #6, duplicates of #4 and overlaps of #5 and #6, then the TCP stack needs to hold datagrams #4, #5 and #6 (as long as they are within the window size) and figure out what to do with duplicates/overlaps once it receives fragment #3. To see this in action I fire up fragroute and retransmit the text "This is a test of the emergency broadcast system. If it were an actual emergency".
Let's look at the fragroute packets in figure #3. The first two datagrams (#1 and #2) are garbage. Their payload is random junk. Then fragroute transmits good data in packets 4 and 5. The payload here is the end of our payload "If this had been an actual emergency." After the 4th packet the receiving host begins screaming to the transmitting client "HEY DUDE, ACK 2933750986. I didn't get that one yet". The receiving TCP stack is complaining about not receiving the first datagram. Then fragroute sends 2 packets with 32 TCP bytes in each. These two datagrams include the FIRST datagram (notice packet #10 has the lowest sequence number and the embedded text payload). Parts of these two packets overlap packets 1 and 2. Packet #9 overlaps 16 bytes of packet #2. 16 bytes of packet #10 overlap packet #1. If the TCP reassembly engine favors NEW packets then it will reassemble the text as expected. If the IDS reassembles the packets favoring the OLD packets then we can bypass the IPS. If we were drawing analogies to layer three fragment attacks, holding the low sequence number datagrams is equivalent to setting the "more fragments bit" and the sequence number is the equivalent of the fragment offset. So how to fix this? The attacks aren't new. Snort has the STREAM5 preprocessor. Just be sure that you tune STREAM5 just like your FRAG3 preprocessor.
Snort's Stream5 and TCP overlapping fragments - An article by Richard Bejtlich that sparked my interest in this topic. It's a very good article with more explanation on tuning the Snort preprocessor.
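To make the "favor OLD" versus "favor NEW" ambiguity concrete, here is an added example (not code from the post or from fragroute) that reassembles a constructed stream of overlapping segments under both policies and shows that an IDS using the wrong policy reconstructs different bytes than the receiving host. The segment order, the junk filler and the use of the ACK number from the post as the starting sequence number are all constructed assumptions.

```python
"""Added example: a TCP reassembler's overlap policy decides what it 'sees'.

The constructed segments mimic the shape of the stream described above: junk
arrives first at later offsets, and the real bytes are retransmitted over it.
"""
from typing import Dict, List, Tuple

PAYLOAD = b"This is a test of the emergency broadcast system. If it were an actual emergency"
ISN = 2933750986   # constructed: the ACK number from the post, used as the first data seq
JUNK = b"#" * 16   # constructed filler standing in for fragroute's random bytes

# (seq, data) in arrival order; offsets below are relative to ISN.
SEGMENTS: List[Tuple[int, bytes]] = [
    (ISN + 16, JUNK),                # junk covering bytes 16..31
    (ISN + 32, JUNK),                # junk covering bytes 32..47
    (ISN + 48, PAYLOAD[48:64]),      # real data, in order from here on
    (ISN + 64, PAYLOAD[64:]),
    (ISN + 32, PAYLOAD[32:64]),      # 32-byte retransmit overlapping junk #2
    (ISN + 0,  PAYLOAD[0:32]),       # the missing first datagram, overlapping junk #1
]


def reassemble(segments: List[Tuple[int, bytes]], isn: int, policy: str) -> bytes:
    """Rebuild the contiguous byte stream starting at isn.

    'old' keeps the first byte received for an offset (Snort stream5 'first'),
    'new' lets later data overwrite it (stream5 'last').
    """
    if policy not in ("old", "new"):
        raise ValueError(f"unknown policy {policy!r}")
    buf: Dict[int, int] = {}
    for seq, data in segments:
        for i, byte in enumerate(data):
            off = seq - isn + i
            if policy == "new" or off not in buf:
                buf[off] = byte
    out = bytearray()
    off = 0
    while off in buf:   # stop at the first gap, as a stack does before ACKing past it
        out.append(buf[off])
        off += 1
    return bytes(out)


def ids_sees_what_host_sees(segments, isn, host_policy: str, ids_policy: str) -> bool:
    """True when an IDS using ids_policy reconstructs the same stream as the host."""
    return reassemble(segments, isn, host_policy) == reassemble(segments, isn, ids_policy)


if __name__ == "__main__":
    for policy in ("old", "new"):
        print(policy, reassemble(SEGMENTS, ISN, policy))
    print("IDS(old) matches host(new):", ids_sees_what_host_sees(SEGMENTS, ISN, "new", "old"))
```

Under the "new" policy the stream comes out as the original text; under "old" the bytes at offsets 16 through 47 are the junk filler, which is exactly the disagreement a Stream5 policy tuned to the wrong host OS would produce.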
Sunday, June 28, 2009
Friday, May 22, 2009
I spared myself the imagery and let the FBI do what it needed to do using my machine. To me, this story is very interesting. Here is a person in a role very similar to the one I played. He could be prosecuted for any residual images left behind on his drive after an investigation.
As far as I know, no CP was ever copied to my hard drive. I had donated a thumb drive to the cause, where all the evidence they needed during that brief investigation was collected. If it is a project I am working on with sensitive data (such as a penetration test) I like to keep everything in a TrueCrypt volume, making clean up very easy. But in this case, I wasn't driving. It was a Windows box and I periodically run "CIPHER /W:C:\" to clean up all the residual files in the free space on the drive, but it's not something I do religiously. How about you? Well, Cipher is running NOW!
Tuesday, April 28, 2009
What is "Good enough Compliance?" You either ARE compliant or you ARE NOT. It's a switch. The article should be a guide to "Good enough security". Good security is not the same as being compliant. I would much rather have good security than be compliant with any given regulation. But good security often covers many of the security requirements outlined in compliance standards. Two things came to mind reading the article.
1) Don't trust Sony Pictures with any personal data or credit card information.
2) How many data breaches are REALLY happening?
What does this paragraph suggest?
"According to Behnam Dayanim, a privacy attorney with Paul, Hastings, Janofsky & Walker, state security breach notification laws are among the most frequently ignored types of security regulation. About 35 states have passed security breach notification laws, which lay out, to varying degrees, when an enterprise needs to notify customers and clients if their private information may have been exposed to an unauthorized user. According to CIO and PricewaterhouseCoopers’ “The Global State of Information Security 2006” survey, 32 percent of U.S. organizations admit to not being compliant with state privacy regulations."
According to this paragraph 32% of organizations admit to not being compliant with state privacy laws. The only way to be non-compliant with those laws is to have a breach and not disclose it properly right? That is a significant number of unreported breaches.
Well, at least Myspace did the right thing this past April. Check out their disclosure on April 16th, 2009.
Thursday, April 23, 2009
Wednesday, April 15, 2009
Monday, March 23, 2009
meterpreter > grabdesktop
Trying to hijack the input desktop...
meterpreter > keyscan_start
Starting the keystroke sniffer...
meterpreter > keyscan_dump
Dumping captured keystrokes...
I'm so glad we use this encrypted im channel to exchange sensitive data so the company doesn't catch us. The stolen data is...
Interestingly, the keylogger does not capture the usernames and passwords when the user enters them at the screen saver logon prompts. It records ctrl-alt-delete but not the password. This is actually a good thing from my intended use. Not knowing employees passwords protects the integrity of our audit logs.
Sunday, March 22, 2009
Saturday, March 21, 2009
Sunday, February 15, 2009
Wednesday, February 4, 2009
Wednesday, January 28, 2009
Start with YouTube's "Advanced Search".
No videos found for “USERXYZ”
Playlist Results for USERXYZ
Zoom in one click at a time, making your circle smaller and smaller, to see if the video is still in the circle. If the search results disappear, it's no longer in the circle. Using this method you could take the search down to a city block or so. Then you can switch to http://maps.google.com/ and enable the YouTube overlay. You may find the video is placed directly on top of the house where it was uploaded. But a video overlay only appeared in 1 out of the 6 times that I tried to narrow down to a street. It looks like the YouTube overlays on Google Maps don't have as much data as the map search on YouTube.
I tested it with 3 videos where I knew the target street address and in all 3 cases was able to locate their street. In one of the three cases the Google Maps overlay displayed the YouTube video on top of the correct house. In one other case I narrowed down a video to a street, but when I asked the account owner about the address he had no idea how that address related to his video, although it was within a few miles of his house. There were several cases where I couldn't get YouTube to return any geo-encoded videos on that user's account. It's not science, but here is some interesting data being revealed by that search.
Monday, January 26, 2009
Wednesday, January 21, 2009
Tuesday, January 20, 2009
We are going to model the feasibility of modeling polymorphic shellcode to see if we can rely on antivirus heuristics and behavioral detection techniques.
Examine a ton of models & do some math that makes my head hurt.
"Our empirical results demonstrate the difficulty of modeling polymorphic behavior. We briefly summarized the achievements of the shellcoder community in making their code polymorphic and examined ways to improve some of these techniques. We presented analytical methods that can help assess the capabilities of polymorphic engines and applied them to some state-of-the-art engines. We explained why signature–based modeling works in some cases and confirmed that the viability of such approaches matches the intuitive belief that polymorphism will eventually defeat these methodologies. The strategy of modeling malicious behavior leads to an unending arms race with an attacker. Alternatively, whitelisting normal content or behavior patterns (perhaps in randomized ways in order to defend against blending attacks) might ultimately be safer than blacklisting arbitrary and highly varied malicious behavior or content."
Saturday, January 10, 2009
Huh? I see this sign frequently. So I went ahead and figured it out. The diagram below reveals the door schedule. I assigned a number to each of the times the door is closed: 1 = 9:30 pm - 4:00 am; 2 = Monday - Friday; 3 = 9:30 pm, etc. So I guess they only unlock the stairwells on weekends when no one is in the office. Must be a security measure. :)
Sunday, January 4, 2009
To mitigate these attacks you can use Group Policy to set your Office Document Macro Security to HIGH. You could use the Medium setting if you work for that mythical company where users don't ignore security warnings. Here are some helpful links:
Setting Macro Levels
Office Group Policy Templates