Friday, May 30, 2008

physical access pwns you again...China +1

unconfirmed but completely believable:

"Government officials are not confirming a report that Chinese officials may have secretly copied the contents of a government laptop computer during a December visit to China by Commerce Secretary Carlos Gutierrez.

Commerce Secretary Carlos Gutierrez’s visit to China has raised security questions.

The Associated Press said an investigation into the suspected incident also involved whether China used the information to try to hack into Commerce computers.

The AP cited officials and industry experts as sources for the story, which said the surreptitious copying is believed to have occurred when a laptop belonging to someone in the U.S. trade delegation was left unattended.

When asked whether the Commerce Department is looking into the matter, spokesman Richard Mills said, “We take security seriously, and as we learn of concerns about security, we look into them.”

This kind of stuff has been going on for years to businessmen, and who can blame them if some jackass leaves a laptop unattended.

Thursday, May 29, 2008

Taking Ownership of Identity Theft

Just going to throw this out there.

I think everyone agrees that identity theft is a huge issue, but no one seems to take ownership of it.

I would say there are two to three kinds of identity theft methods:

1. physically stealing information, like out of your mailbox, or a waiter stealing your CC number off your card receipt from dinner

2. data lost from electronic breaches/losses

3. phishing

In general, if the first two happen to you there is little you could have done about it. Yeah, you can get a PO Box, yes, you can pay with cash for everything; so with that aside (or even if you have done all that), let's talk about #3.

With phishing, I had to have a lack of thought (or common sense) and enter PII into a phishing site. "I" did that. No hacker MADE me do that, I did it.

So the point? Instead of saying "a hacker stole my identity" maybe we should start urging people to take ownership of their stupid ass mistakes and say "I lost my identity" when the situation warrants it. Taking ownership of mistakes generally leads to not making that mistake again, whereas passing the buck off to someone else for the blame generally leads to a "wasn't my fault" mentality.

When someone loses a cell phone and a person finds it and makes calls, we don't say someone stole their cell phone, do we? We say "I lost my cell phone and some jerk ran up the charges."

I do realize that some bad guy has to actually "do" the actual identity theft, but if you gave him the information, it's not his fault you're an idiot, just his luck.


Monday, May 26, 2008

Local Physical Attack Against VISTA To Obtain SYSTEM

Pretty cool video doing a local physical attack against a Vista box.

McGrew Security Blog pointed me to it:

"he demonstrates a quick and easy way of obtaining SYSTEM privileges on a Vista system, given physical access to the machine. In the video, he uses BackTrack to replace Utilman.exe with a copy of cmd.exe . The nice thing about replacing Utilman.exe is that you can make it run before you’re even logged-in by pressing Windows-U."

It's short and worth a look.
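The check a defender wants after watching that video is whether it has already been done to a box. This is an added example, not code from the post or the video it links: a swapped Utilman.exe is a byte-for-byte copy of cmd.exe, so its hash matches a shell binary's hash, and the same check covers sethc.exe (Sticky Keys), the other usual target of the trick. The fake System32 directory and file contents it builds are constructed stand-ins, not real Windows binaries.

```python
"""Spot logon-screen accessibility helpers that were swapped for a shell.

Added example, not code from the post or the video it links. The trick in the
video replaces Utilman.exe (what Windows-U launches at the logon screen) with a
copy of cmd.exe, so the swapped file hashes identically to cmd.exe; sethc.exe
(Sticky Keys) is the same attack's other usual target. The fake System32
directory and file contents built below are constructed stand-ins."""

import hashlib
import os
import tempfile
from pathlib import Path

# Helpers the logon screen will run for an unauthenticated user.
ACCESSIBILITY_BINARIES = ["utilman.exe", "sethc.exe", "osk.exe",
                          "magnify.exe", "narrator.exe"]
# Shells an attacker would drop in their place.
SHELL_BINARIES = ["cmd.exe", "powershell.exe"]


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_swapped_accessibility_binaries(system32):
    """Return {helper name: shell it is a copy of} for every accessibility
    helper whose content hash equals a shell binary's in the same directory."""
    system32 = Path(system32)
    shell_by_hash = {}
    for name in SHELL_BINARIES:
        p = system32 / name
        if p.is_file():
            shell_by_hash[sha256_of(p)] = name
    hits = {}
    for name in ACCESSIBILITY_BINARIES:
        p = system32 / name
        if p.is_file():
            digest = sha256_of(p)
            if digest in shell_by_hash:
                hits[name] = shell_by_hash[digest]
    return hits


def build_demo_system32():
    """Constructed stand-in for System32 (fake bytes, not real PE files) with
    utilman.exe already replaced by a copy of cmd.exe, as in the video."""
    d = tempfile.mkdtemp(prefix="fake_system32_")
    fake_cmd = b"MZ fake cmd.exe image"
    (Path(d) / "cmd.exe").write_bytes(fake_cmd)
    (Path(d) / "powershell.exe").write_bytes(b"MZ fake powershell.exe image")
    (Path(d) / "utilman.exe").write_bytes(fake_cmd)                 # swapped
    (Path(d) / "sethc.exe").write_bytes(b"MZ fake sethc.exe image")  # intact
    return d


if __name__ == "__main__":
    # Point SYSTEM32 at C:\Windows\System32 on a real box; otherwise the demo dir.
    target = os.environ.get("SYSTEM32") or build_demo_system32()
    for helper, shell in find_swapped_accessibility_binaries(target).items():
        print(f"{helper} is a byte-for-byte copy of {shell}: logon-screen backdoor")
```

Run it against the real System32 from a known-good boot, since the attacker in the video did the swap from BackTrack and could just as well have booted a modified Windows. One caveat: this only catches a file swap; pointing a Debugger value at cmd.exe under Image File Execution Options for utilman.exe gets the same result without touching the file, and a hash check will not see that.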

Sunday, May 25, 2008

2 More Webcasts by Ed Skoudis

Here are two more webcasts to take a look at. I know you have to be registered to see the SANS one.

New Computer Attack Tools and Techniques at SANS

Penetration Testing Ninjitsu Part II: Crouching Netcat, Hidden Vulnerabilities with Ed Skoudis at CORE Security

The SANS one was good. Here is the outline:

• Improved Scanning with NSE
• Cain – The Attacker’s Dream Tool
• Pass the Hash Attacks
• New Research Areas & Conclusions

Pretty good stuff. I hope that nmap can become the "single vulnerability" checker that Nessus used to be; that would be handy.

You can also get some more info on pass-the-hash on my blog and, similarly, the token impersonation techniques. Both are things you should probably be incorporating into your pentest methodology.

I haven't watched the Pentest Ninjitsu Part II one yet.

Friday, May 23, 2008

School District in PA "hacked" by a 15 year old

From Dark Reading:
15-Year-Old Steals Data on 55,000 People in School District Hack

A Pennsylvania school district suffered its second consecutive breach at the hands of one of its students – the latest attack involved personal information on students, staff, and county residents.

Before you click that link, read this one from the school district.

Start from the bottom and read up; it's an interesting chain of events, especially the conflicting reports of "that a student had overridden the security of a classroom computer" and "The breach occurred in the high school during the student's study hall, a time when students are authorized to use the school's computer for studying and research."

This is also pretty good:

"Prior to 2006, Social Security numbers had been used by the district as key indicators in our resident data base. The file the student accessed was a copy of a report that had been issued in 2005. (He did not access our secured database) Social Security numbers are no longer used by the district and our new database does not include this information. "

In response, the District has:
  • Tightened up folder security by confirming all folder permissions
  • Separated network servers to ensure that students have access only to student servers
  • Reconfirmed the integrity of the district’s firewall protection to prevent unauthorized outside users
  • Removed all access to folders that had been breached.
  • Continued to remind teachers and administrators to keep individual district passwords private.
  • Begun a Board authorized complete overhaul of the active directory file structures dealing with login, password security and folder access permissions.
I'm far removed from this, but it looks suspiciously like the "hack" was someone browsing network shares that had crappy permissions on them. How that equates to "unauthorized access" is beyond me, but I'm sure the kid will take the fall and not the school's network admins for doing a shitty job.

A better question is why a database of names, addresses and social security numbers was sitting unencrypted on a network share.
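Finding that file before a student does is a sweep any admin can run. The following is an added example, not anything the district or the article published: it walks a share and flags files holding Social Security numbers in the clear. A bare \d{3}-\d{2}-\d{4} regex fires on dates and invoice numbers, so each candidate is filtered with the SSA's structural rules (area 000, 666 and 900 and up are never issued; group 00 and serial 0000 do not exist). The share and its files are constructed in a temp directory so it runs anywhere.

```python
"""Sweep a share for files that carry Social Security numbers in the clear.

Added example, not anything the district or the article published: it is the
sweep the admins could have run before a student found that 2005 report. The
sample share and its files are constructed below. A bare 3-2-4 digit regex
fires on a lot of junk, so each candidate is filtered with the SSA's
structural rules (area 000/666/900+ and group 00 / serial 0000 are never
issued), which drops most dates, invoice numbers and padding."""

import re
import tempfile
from pathlib import Path

# 3-2-4 digit groups with optional dash or space, not glued to other digits.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def plausible_ssn(area, group, serial):
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def ssns_in_text(text):
    """Normalised (dashed) list of plausible SSNs found in text, in order."""
    return [f"{a}-{g}-{s}" for a, g, s in SSN_RE.findall(text)
            if plausible_ssn(a, g, s)]


def sweep(root, min_hits=1):
    """Walk root and return {relative path: SSN count} for files at or above
    min_hits. Files are read as latin-1 so binary junk never raises."""
    root = Path(root)
    found = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        hits = ssns_in_text(p.read_text(encoding="latin-1"))
        if len(hits) >= min_hits:
            found[p.relative_to(root).as_posix()] = len(hits)
    return found


def build_demo_share():
    """Constructed share: one old report with SSNs, one memo full of look-alikes."""
    d = tempfile.mkdtemp(prefix="fake_share_")
    (Path(d) / "reports").mkdir()
    (Path(d) / "reports" / "residents_2005.csv").write_text(
        "name,address,ssn\n"
        "A Resident,1 Main St,219-09-9999\n"
        "B Resident,2 Main St,078 05 1120\n")
    (Path(d) / "memo.txt").write_text(
        "Call 610-555-0123 before 2008-05-23. Invoice 000-12-3456 is void.\n")
    return d


if __name__ == "__main__":
    import sys
    share = sys.argv[1] if len(sys.argv) > 1 else build_demo_share()
    for path, n in sorted(sweep(share).items()):
        print(f"{n:5d} SSN(s)  {path}")
```

Point it at a mounted share (python sweep.py /mnt/share) and sort by count; a file with a couple of hits is probably a form, a file with thousands is the database export the district said it had stopped using. It reads plain text only, so an old Access or Excel file needs to be converted first, which is also where a student with a study-hall login would have found it.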

"Your personal information including your name, address and social security number in an unencrypted and un-redacted form were among those accessed."

and for a next to final kick in the nuts:

"We are providing you this notice so that you can take measures to contact the credit reporting agencies and monitor any unusual activity in your account....Under Federal law, you have the right to receive a free copy of your credit report once every 12 months from each of the three nationwide consumer reporting companies. To request your free annual report under that law, contact"

Yep, we lost your data, we were irresponsible, our admins failed to safeguard your PII, and you basically get the same thing you'd get if we had been doing the right thing.

and lastly:

"In December 2007, another DASD student circumvented the security of the district’s computer network by using unauthorized software. That student was arrested and has been charged. The district responded to this incident by researching and putting together a plan to overhaul the active directory file structures dealing with login, password security and folder access permissions. The second security breach will require complete additional security revamping."

Oh yeah? And six months later this happens? Looks like you did an A+ job on that one. Someone should be sooooo fired.

Thursday, May 22, 2008

May NoVA Sec Meeting on IPv6 Security

Quick post on tonight's NoVA Sec meeting. It was on IPv6 security. I went thinking it would be the standard blah blah IPv6 talk I have seen 10 other times, but it wasn't. Joe Klein of Command Information gave a really, really good talk on IPv6 security issues. He gave just a taste of the fun network hacking things to come and I'm pretty excited about it.

He covered a lot, but the big stuff was IPv6 addressing schemes (basically how the addresses are being, and going to be, assigned), how well current FW/router/OS vendors are doing with IPv6 integration and support, how well security scanners are doing with IPv6, and some talk about all the broken stuff in IPv6.

Things I took away from the talk:
-that snort 2.8.whatever and snort 3 (which natively supports IPv6) have a whopping 6 alerts for IPv6. So it looks like if you can identify some IPv6 boxes you can scan them all day and probably not generate an alert.
-most FW admins aren't blocking things on IPv6 addresses, so your IPv4 address space/ports might be locked up tight but IPv6 is open to the world.
-applications can bind to one, several or all of a host's IPv6 addresses, so we'll probably start seeing malware binding to some random globally addressable IPv6 address and pretty much be hidden from anyone only watching the IPv4 side.
-also a bit on discovery of IPv6 devices on the network. Sweeping a /64 the way you sweep a /24 isn't practical (2^64 addresses), so at this point you mostly need to sniff passively to see if anyone is talking IPv6 on the wire (neighbor discovery and router advertisements give hosts away) and go from there, or query DNS for AAAA records.
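Once sniffing or DNS has turned up some addresses, the addressing-scheme material from the talk is what tells you what you have. The block below is an added example, not material from the talk: it classifies an IPv6 address by prefix (link-local, unique local, 6to4, Teredo, global), pulls the embedded IPv4 address out of 6to4, and recovers the NIC's MAC from autoconfigured (EUI-64) interface identifiers, which is how you tie an IPv6 host back to the IPv4 inventory you already have. The sample addresses are constructed.

```python
"""Classify IPv6 addresses you turned up by sniffing or from DNS, and recover
the NIC's MAC from autoconfigured (EUI-64) interface identifiers.

Added example, not material from the talk. The prefix tells you whether a host
is reachable from the world, and an EUI-64 address leaks the MAC, which ties
an IPv6 host back to the IPv4 inventory you already have. The sample addresses
below are constructed."""

import ipaddress


def classify(addr):
    """Human-readable scope/type for one IPv6 address."""
    ip = ipaddress.IPv6Address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local (fe80::/10, reachable on this segment only)"
    if ip.is_multicast:
        return "multicast"
    if ip.ipv4_mapped is not None:
        return f"IPv4-mapped ({ip.ipv4_mapped})"
    if ip in ipaddress.IPv6Network("2002::/16"):
        # 6to4: the 32 bits after the 2002 prefix are the host's public IPv4.
        v4 = ipaddress.IPv4Address((int(ip) >> 80) & 0xFFFFFFFF)
        return f"6to4 (embeds IPv4 {v4})"
    if ip in ipaddress.IPv6Network("2001::/32"):
        return "Teredo (tunnelled host, usually behind NAT)"
    if ip in ipaddress.IPv6Network("2001:db8::/32"):
        return "documentation prefix"
    if ip in ipaddress.IPv6Network("fc00::/7"):
        return "unique local (fc00::/7, not routed on the internet)"
    if ip.is_global:
        return "global unicast (world-reachable unless something filters it)"
    return "other/reserved"


def mac_from_eui64(addr):
    """If the interface ID is a modified EUI-64 (ff:fe in the middle), return
    the 48-bit MAC with the universal/local bit flipped back, else None.
    Privacy-extension (random) IIDs fail the ff:fe test and give None."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(b[0:3] + b[5:8])
    mac[0] ^= 0x02
    return ":".join(f"{x:02x}" for x in mac)


def survey(addrs):
    """[(address, classification, mac or None)] for a list of addresses."""
    return [(a, classify(a), mac_from_eui64(a)) for a in addrs]


# Constructed sample: what a few minutes of sniffing plus an AAAA lookup might give.
SAMPLE_ADDRS = [
    "fe80::20c:29ff:feab:cdef",             # link-local, EUI-64 from a MAC
    "2001:db8:1::20c:29ff:feab:cdef",       # same NIC, routable prefix
    "2002:c000:204::1",                     # 6to4 for 192.0.2.4
    "2001:0:4136:e378:8000:63bf:3fff:fdd2", # Teredo
    "fd12:3456:789a::1",                    # unique local
    "2600:1234::a1b2:c3d4:e5f6:7890",       # global, random IID
]

if __name__ == "__main__":
    for addr, kind, mac in survey(SAMPLE_ADDRS):
        print(f"{addr:40} {kind}" + (f"  MAC {mac}" if mac else ""))
```

The two EUI-64 addresses in the sample resolve to the same MAC, which is the point: a box you only know by a link-local address you sniffed and a box with a global AAAA record turn out to be the same NIC, and that MAC is something your IPv4-side asset list or DHCP logs already know about.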

There was tons more, but that's about all I can think of right now. Oh, and they offer training on IPv6 security, so maybe something worth looking into.

Wednesday, May 21, 2008

podcast comments

Caught a couple more podcasts.

Old one from Sploitcast from ShmooCon. The most interesting part was the SCADA stuff. After seeing Jason Larson's talk on SCADA security at BH D.C., it seems that even though the impact of SCADA can be pretty high, you aren't going to get into a SCADA system and start issuing arbitrary commands. There is a pretty big element of needing to know what protocols the system is speaking and figuring out what it can do. I'm oversimplifying, but it's not like taking out the gas company is as easy as popping it with DCOM and hitting the blow-up button (or issuing the blowup command on the command line).

*edit* Someone emailed me and said it was pretty much that easy as far as getting into those types of systems, because they can't be patched; making them do bad things is a bit harder.

Also of interest was the talk about ZigBee (wikipedia definition).

ZigBee just may be the next new thing to break and to claim that the sky is falling about. The whole public safety wifi, 2nd link, 3rd link, 4th link net is more fun but probably won't win you any friends in LE. I can't find the link, but I did read somewhere that encryption was optional in the standard...whoo hooo.

Network Security Podcast 103: the best part was them talking about how Rich, Martin and Paul of pauldotcom got into the security business, and the discussion on the CISSP certification. On the same topic, has a really good interview with Ed Skoudis, and the big topic of the interview is getting into the security business.

Risky Business #61 & 62. I don't have anything to say about 62, but 61 was with HD Moore. I'm a self-confessed metasploit fan, so pretty much anything related to it fires me up, and HD's "evil EeePC" sounds awesome. Cool little laptops, Karma and metasploit, owning people on the plane, too much fun. As soon as I can find someone selling the new Eee PC 900 in "hacker" galaxy black I'm all over that bad boy.

Also caught pauldotcom #107. Got nothing for you on that one. Oops, scratch that: free wifi at Starbucks by changing your user agent to "mobile safari" is the bomb.

Lastly, someone asked if I was actually getting anything out of the podcasts and the answer is yes. By the time I get to work I've got my mind right and I'm not totally focused on wishing I had a missile launcher in my car to blow up the asshat driving 55 in the fast lane.

Friday, May 16, 2008

ChicagoCon Day 1 wrap-up

The first round of talks was on Friday night and they went well. By far the best talk was Luke McOmie and Chris Nickerson's talk on "The Art of Espionage". They talked about why red team style pentesting is working and why you should want your organization to have those types of tests conducted. They also gave out a good basic methodology on conducting those kinds of assessments. It was a really good talk and I am looking forward to their workshop tomorrow.

Second up was my talk on "New School Information Gathering". It took me a bit to get warmed up, but I think it went well after I got going.

The talk was basically about information gathering beyond just whois lookups, without scanning or sending non-standard traffic to the target domain.

End result?
The organization's net blocks, external server IPs and domain names, internal IP ranges, emails to send phishing attacks to, phone numbers to call, trust relationships with other organizations, and other relevant information for your audit, hopefully identifying exploitable flaws in the target's network without scanning or sending non-standard traffic at the organization.

Third was Matt Luallen of Sph3r3 LLC. He talked about "Simple Principles to Protect Information and Control Now and Tomorrow." He rolled out 22 principles to protect information. Definitely worth taking another look at when the slides come out.

Last up was Kelly Housman of Microsoft talking about "A Look into Defense in Depth Security." I missed the first part because I was snagging free food. What I did catch was about Microsoft's Network Access Protection (NAP) initiative. Basically NAC implemented in Windows software: if your agent doesn't check in with the server and you aren't patched up, you won't get network access tickets and you'll be segmented off and ignored by other clients. I'm old school and I like network gear doing my layer 2/3 protection instead of it being implemented by a server and some client software. I'm also leery of how a client will start to "ignore" an unauthenticated host on a LAN. He also went into some IPSec stuff, very MS-centric, and if you are running OS X or *nix you may be out of luck. Of course the whole trick to NAC is just figuring out how to tell the "checking software" what it wants to hear.

I'm excited for day 2, hopefully I'll get out an update on day 2 tomorrow.

New School Information Gathering Talk at ChicagoCon

Gave my New School Information Gathering talk at ChicagoCon. I think it went pretty well and I got some good feedback on it afterwards.

Here was the agenda:

Open Source Intelligence Gathering (OSINT)‏
Google Mail Harvesters
Online Tools

I was pretty surprised that most people had not heard of the tools and only like 3 people had heard of Maltego. I should have a Maltego v2 review getting pushed out on soon.
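The "Google Mail Harvesters" item above, and the "emails to send phishing attacks to" line from the day 1 wrap-up, come down to the same thing: pull addresses out of text you already have and turn them into a naming convention. The block below is an added example and not the talk's tooling. Nothing in it talks to the target; you feed it search-result or cached-page text you already fetched (the HTML is a constructed sample), it strips the usual [at]/[dot] obfuscation, keeps only the target domain, then votes a naming convention from a list of known employee names (standing in for an org chart or press page) and predicts addresses for the names you have no email for.

```python
"""Pull addresses for a target domain out of search-result or page text you
already have, then infer the org's naming convention and predict the
addresses you didn't find.

Added example illustrating the Google-mail-harvester step of the talk; it is
not the talk's tooling. Nothing here talks to the target: you feed it text
you already fetched from a search engine or cached page (the HTML below is a
constructed sample), which is the point of gathering without sending traffic
to the organization. The names list stands in for what an org chart or
press page gives you."""

import re
from collections import Counter

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Common web obfuscations aimed at exactly this kind of harvester.
DEOBFUSCATE = [
    (re.compile(r"\s*[\[(]\s*at\s*[\])]\s*", re.I), "@"),
    (re.compile(r"\s*[\[(]\s*dot\s*[\])]\s*", re.I), "."),
]

# Local-part patterns organizations typically standardize on.
CONVENTIONS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "firstl": lambda f, l: f"{f}{l[0]}",
    "lastf": lambda f, l: f"{l}{f[0]}",
    "first": lambda f, l: f,
}


def harvest(text, domain):
    """Sorted, de-duplicated, lower-cased addresses at domain found in text."""
    for pat, rep in DEOBFUSCATE:
        text = pat.sub(rep, text)
    found = {m.lower() for m in EMAIL_RE.findall(text)}
    return sorted(a for a in found if a.endswith("@" + domain.lower()))


def split_name(name):
    parts = name.lower().split()
    return parts[0], parts[-1]


def infer_convention(addresses, names):
    """Vote each convention up for every known name it maps onto a harvested
    local part; return the winner or None if nothing matched."""
    local_parts = {a.split("@", 1)[0] for a in addresses}
    votes = Counter()
    for name in names:
        first, last = split_name(name)
        for conv, fn in CONVENTIONS.items():
            if fn(first, last) in local_parts:
                votes[conv] += 1
    return votes.most_common(1)[0][0] if votes else None


def predict(names, domain, convention):
    """Addresses the convention implies for names you have no address for."""
    fn = CONVENTIONS[convention]
    return [f"{fn(*split_name(n))}@{domain}" for n in names]


# Constructed sample of what a search for "@example.org" might return.
SAMPLE_RESULTS = """
<p>Contact: jane.doe@example.org (Press Office)</p>
<p>Mail Bob [at] example [dot] org for vendor questions</p>
<p>Third party: info@partner-example.net, jane.doe@EXAMPLE.org</p>
<p>Bob.Smith (at) example.org &mdash; Facilities</p>
"""

if __name__ == "__main__":
    known = ["Jane Doe", "Bob Smith"]        # names you already have addresses for
    targets = ["Carol Jones", "Dan Q Lee"]   # names you don't
    emails = harvest(SAMPLE_RESULTS, "example.org")
    conv = infer_convention(emails, known)
    print("harvested:", emails)
    print("convention:", conv)
    print("predicted:", predict(targets, "example.org", conv))
```

The vote matters more than the regex: one harvested address can fit several conventions ("bob" is both "first" and a nickname), so the winner is whichever pattern explains the most known names, and that is the one worth spending your phishing list on.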

slides and audio should be out next week on the ChicagoCon site. If you are really anxious you can email me and I will probably send them to you.

Thursday, May 15, 2008

I Was a Teenage Bot Master Article on The Register

Pretty good read, especially the part about the bot code being backdoored. Kind of like Billy Rios' Bad Sushi talk about some phishing site kits being backdoored to send the credit card information to the original creator.

"One day in May 2005, a 16-year-old hacker named SoBe opened his front door to find a swarm of FBI agents descending on his family's three-story house in Boca Raton, Florida. With an arm and leg in casts from a recent motorcycle accident, one agent grabbed his good arm while others seized thousands of dollars worth of computers, video game consoles and other electronics. His parents looked on.

At that moment, some 2,700 miles away, in the Los Angeles suburb of Downey, California, the FBI was serving a separate search warrant on Jeanson James Ancheta, SoBe's 20-year-old employer and hacking mentor. It was the second time in six months Ancheta had been raided by the FBI - a clear sign, had either bothered to notice, that their year-long botnet spree was unravelling."


commuting and podcasting

We just bought a house, so now my commute has gone from 20 minutes to usually close to an hour (yeah, 66). So I've started listening to podcasts to pass the time and hopefully do something worthwhile with 2 hours a day.

I caught two podcasts the other day, Cyberspeak and pauldotcom. I had heard of pauldotcom; they came mobbing into ShmooCon a couple of years ago in their black t-shirts. Cyberspeak was a suggested podcast when I was subscribing to pauldotcom.

Cyberspeak for 10 May 2008 was on the Mac Lockpick, and basically there's not much to say. I'll be looking into Flyclear to help my butt get through the airport.

Pauldotcom episode 106 was on some command line Nessus for some checks, metasploit and some news. Click the link for show notes, which are really handy.

Comments on the show:
They used an outdated metasploit command, "use -m Sam", which I guess still works; do a "use priv" instead. I had seen the Nessus command line stuff; Joe pushed that out in a LearnSecurityOnline newsletter a while back. They also dumped the hashes into john, which is so old school and not necessary: use pass-the-hash if you can dump the hashes. And big thanks to Stewart in the token passing #2 post about using "gsecdump -u" to see who's logged in.
Lastly, I'm failing to see the big deal about sslnetcat when it's in Perl. Great for authorized uses on *nix, not so great for pushing a shell back from a compromised Windows host unless they have Perl installed, which you can't count on. A recompiled cryptcat, or even better sbd, will probably give you more bang for your so-called buck.

Token Passing with Incognito Part 3

Sorry, no screenshots. I didn't think anyone would care that much, but I have been able to confirm in my testing (DameWare 6) that if you are using DameWare in your enterprise for remote management/admin you are leaving tokens lying around on the remote boxes.

Because DameWare just gives you a screen on the remote host and you still have to log in interactively, that logon leaves a delegation token behind, and the token lingers until you reboot.

Good to know if you are auditing an organization that uses DameWare. Like most things, the real protection is to ensure the auditor/attacker can't get on the box in the first place, and for client-side attacks, that the privilege the token passing tool needs (SeImpersonatePrivilege, "Impersonate a client after authentication" under User Rights Assignment) is not granted to user accounts (even admin accounts unless it's needed). This is configurable in group policy.
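Checking that the group policy actually took is a matter of reading the rights assignment back off the box. The following is an added example, not code from the post or from the incognito paper: it parses the INF that `secedit /export /cfg rights.inf /areas USER_RIGHTS` writes, whose [Privilege Rights] section lists each user right followed by the SIDs that hold it (each prefixed with `*`), and reports anyone holding the impersonation rights beyond a baseline. The INF text is a constructed sample; the baseline sets are the XP SP2 / Server 2003 defaults as I know them and are an assumption to replace with your own.

```python
"""Find out who can grab and use tokens on a box, from the export that
`secedit /export /cfg rights.inf /areas USER_RIGHTS` writes.

Added example, not from the post or the incognito paper. The [Privilege
Rights] section of that INF lists each user right followed by the SIDs that
hold it, each prefixed with '*'. SeImpersonatePrivilege is the right the
token-stealing tool needs; SeAssignPrimaryTokenPrivilege and
SeCreateTokenPrivilege are the ones it may need to launch a process under the
stolen token. The INF text below is a constructed sample. The baseline holder
sets are the XP SP2 / Server 2003 defaults as I know them: an assumption to
replace with your own baseline."""

from pathlib import Path

# Rights to audit and the well-known SIDs that hold them out of the box (assumed baseline).
EXPECTED = {
    "SeImpersonatePrivilege": {"S-1-5-32-544", "S-1-5-6", "S-1-5-19", "S-1-5-20"},
    "SeAssignPrimaryTokenPrivilege": {"S-1-5-19", "S-1-5-20"},
    "SeCreateTokenPrivilege": set(),
    "SeDebugPrivilege": {"S-1-5-32-544"},
}
SID_NAMES = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-6": "NT AUTHORITY\\SERVICE",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
}


def load_inf(path):
    """secedit writes UTF-16 LE with a BOM; fall back to 8-bit if it's not."""
    raw = Path(path).read_bytes()
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("latin-1")


def parse_privilege_rights(inf_text):
    """{right name: [holder, ...]} from the [Privilege Rights] section.
    Holders are SIDs with the leading '*' stripped, or names if secedit could
    not resolve them to SIDs."""
    rights = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, holders = line.partition("=")
            rights[name.strip()] = [h.strip().lstrip("*")
                                    for h in holders.split(",") if h.strip()]
    return rights


def unexpected_holders(rights):
    """{right: [holders not in the baseline]} for the audited rights only."""
    findings = {}
    for right, baseline in EXPECTED.items():
        extra = [h for h in rights.get(right, []) if h not in baseline]
        if extra:
            findings[right] = extra
    return findings


# Constructed sample export: someone has handed SeImpersonatePrivilege to Users.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20,*S-1-5-32-545
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeDebugPrivilege = *S-1-5-32-544
SeRemoteShutdownPrivilege = *S-1-5-32-544
"""

if __name__ == "__main__":
    import sys
    text = load_inf(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_INF
    for right, extra in unexpected_holders(parse_privilege_rights(text)).items():
        names = ", ".join(SID_NAMES.get(h, h) for h in extra)
        print(f"{right}: held beyond baseline by {names}")
```

Administrators hold SeImpersonatePrivilege by default and any local admin can grant it back to themselves, so the export does not replace keeping the attacker off the box with admin; what it does is show you quickly when Users, a service account or an application installer has quietly been handed the right on a fleet of workstations.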

Still to do: Terminal Services and RDP.

Val Smith tells it like it is

God Bless Val Smith for laying it out there.

"I'm in it for the fun.

There I said it. If everyone did everything securely, I wouldn't have much to do and I'd have to pour coffees or flip burgers for a living. I like showing up for a pen test and finding unpatched boxes, or users sharing admin passwords. I love finding web apps with null byte file inclusion bugs, or passwordless ssh keys with sudo permissions on every server. It's FUN. I suspect other security researchers have reached this conclusion (even if they haven't admitted it to themselves yet) that security is probably too hard a problem to "solve" and all our ranting really doesn't make anyone more secure in the long run. At this point, broken things are fun and we just want to play and thankfully people are willing to pay for it. I don't mind if you continuously make it just a little bit harder, just to keep it interesting, but don't take away my exploits please! ;) "

Changes to Nessus License Model

Nessus has changed its license model to essentially do away with the free version for anyone who scans networks (yeah, yeah, there are exceptions). I won't get into the greedy-or-not debate; as Martin McKeay said, "Tenable made a business decision that they need to collect revenue on their plugin feeds in order to continue providing the level of support they have always given. Some people are going to complain that Tenable is getting greedy; I’d counter that they just want to get paid for the work they’ve been supplying to the community for years."

For the most part I agree with that, and it is a smart decision by Tenable to look around, see that other comparable VA scanners cost more, and figure they "might as well" charge too. But I do have to admit that since there is no good tool that "does it all" it is getting mighty annoying to pay for multiple tools to get a job done.

A new fully open source VA scanner like nessus used to be is a long time coming, but i don't think anyone will step up to bat. The only reason to do it would be to make money and why go up against nessus?

But if anyone IS taking requests... a VA scanner where I can select specific checks, without running all the crap that runs for Nessus or checks that require all the Nessus libraries, would be nice. A little command line jobby that you throw an IP range and a check at and it does the rest would be more than handy.
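That "throw it an IP range and a check" tool, which is also what the Skoudis webcast post above wished nmap would turn into, is small enough to sketch. The block below is an added example and is not Nessus, OpenVAS or nmap code. A check is a function from a service banner to a finding string (or None); the scanner sweeps the range on a thread pool and collects hits. The banner-grabbing function is an argument, so the same code runs against the constructed banner table without a network, which is also how you test a new check before pointing it at anything real. The 4.4 threshold in the demo is just an example cut-off, not a claim about any particular bug.

```python
"""A throw-it-an-IP-range-and-one-check scanner of the kind the post asks for.

Added example, not Nessus, OpenVAS or nmap code. A check is a function from a
service banner to a finding string (or None); the scanner sweeps the range with
a thread pool and collects hits. The banner-grabbing function is an argument
so the same code runs against the constructed banner table below without a
network. The version threshold is an example cut-off, not a specific bug."""

import ipaddress
import re
import socket
from concurrent.futures import ThreadPoolExecutor


def grab_banner(ip, port, timeout=2.0):
    """Connect and return whatever the service volunteers, or None."""
    try:
        with socket.create_connection((ip, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return s.recv(256).decode("latin-1", "replace")
    except OSError:
        return None


def openssh_older_than(threshold):
    """Build a check that flags OpenSSH banners below threshold (e.g. "4.4")."""
    want = tuple(int(x) for x in threshold.split("."))
    pat = re.compile(r"SSH-\d\.\d-OpenSSH_(\d+)\.(\d+)")

    def check(banner):
        m = pat.search(banner or "")
        if not m:
            return None
        ver = (int(m.group(1)), int(m.group(2)))
        return f"OpenSSH {ver[0]}.{ver[1]} < {threshold}" if ver < want else None
    return check


def scan(cidr, port, check, grab=grab_banner, workers=32):
    """Run one check against every host in cidr; return {ip: finding}."""
    net = ipaddress.ip_network(cidr, strict=False)
    # hosts() skips network/broadcast; for /31 and /32 just take every address.
    hosts = [str(h) for h in (net if net.num_addresses <= 2 else net.hosts())]
    results = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for ip, finding in pool.map(lambda ip: (ip, check(grab(ip, port))), hosts):
            if finding:
                results[ip] = finding
    return results


# Constructed banners standing in for live hosts; .4 and up answer nothing.
SAMPLE_BANNERS = {
    "192.0.2.1": "SSH-2.0-OpenSSH_3.9p1\r\n",
    "192.0.2.2": "SSH-2.0-OpenSSH_5.1\r\n",
    "192.0.2.3": "220 mail.example.org ESMTP\r\n",
}


def fake_grab(ip, port, timeout=2.0):
    """Drop-in for grab_banner driven by SAMPLE_BANNERS."""
    return SAMPLE_BANNERS.get(ip)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:      # e.g. scan.py 10.0.0.0/24 22 4.4
        hits = scan(sys.argv[1], int(sys.argv[2]), openssh_older_than(sys.argv[3]))
    else:                       # offline demo against the constructed banners
        hits = scan("192.0.2.0/29", 22, openssh_older_than("4.4"), grab=fake_grab)
    for ip, finding in sorted(hits.items()):
        print(ip, finding)
```

A check that needs to send something first (an HTTP request, an SMB negotiate) just gets its own grab function with the same (ip, port) signature; the sweep and the thread pool don't change.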


pentestmonkey pointed me to OpenVAS...thanks!

Saturday, May 10, 2008

Maltego v2 is out and it's friggin awesome

I did a previous blog post using Maltego v1 and will be talking a bit about Maltego at ChicagoCon, but Maltego v2 is out and it's a very nice upgrade.

from the site:

Version 2 of Maltego has been completely rewritten - it’s a complete new code base.
The following has been added from the KZ3 release:

  • Load/Save of entire graphs means you can always go back to your investigation.
  • Printing of graphs (over multiple pages) for discussions.
  • Export of entities (CSV format) makes it easy to import Maltego data into other databases.
  • Commercial grade layout library:
    • The layout and navigation have been optimized for speed and usability.
    • Four layout types to rearrange data the way YOU want it.
    • Two view types for finding relevant info on large graphs.
  • More entities and 20 brand new transforms for even deeper searches and more information.
  • Search/Find (on entity value, detailed info and additional fields) helps you to get to key nodes quicker.
  • Multiple open graphs on different tabs for easy switching between graphs.
  • Dedicated clear-all, zoom buttons for notebook users.
  • Hollywood quality look & feel will impress your friends and your boss.
  • Integrated help on transforms and entities to increase your learning curve.
  • Complete user guide ensures you are never lost.
  • Prepopulated and preconfigured transforms and transform sets saves you time.
  • Population of API key integrated with license key so it’s never lost.
  • Platform independent installer means you can install it anywhere.
I like it a lot, and one of the coolest features is the ability to create a graph and allow others to view it, not to mention print it out, save it, and export it as a .csv. Oh, and the Technorati blog keyword and link search is badass. You can check out this demo video to see what I am talking about: and more screenshots here:

I'm trying to tidy up slides for next week but expect a maltego post or article after chicagocon.


TJX Breach Write-Up

Interesting write up on the beginning of the TJX breach:

Of course they didn't answer the big question of how the attackers gained access to the RTS servers:

"(2) After breaching the TJX wireless system, the attacker was able to gain administrative privileges to the RTS servers located at the TJX corporate headquarters in Framingham, MA. The RTS servers hold all cardholder data that is processed centrally for most TJX stores."

because cracking a WEP key gets you onto the network segment, but by itself it doesn't give you credentials to log into anything on that network.

Friday, May 9, 2008

ChicagoCon "Con" portion 16 & 17 May 2008

I'll be speaking at the "Con" portion of ChicagoCon on "New School Information Gathering".

If you are in the Chicago area it's only 100 bucks for a ticket, and Don always has tons of stuff to give away, so it's gonna be worth the money.

The link has the schedule, but of interest are the two keynotes.

One by the Tiger Team guys on

The Art of Espionage (Tactics, Defense, and your Corporation)

TruTV's Luke McOmie, CISSP, NSA-IAM, NSA-IEM &
Chris Nickerson CISSP, CISA, NSA-IAM, 17799 Lead Auditor

and one from Intelguardians' Matt Carpenter

Windows Command-Line Ninjitsu

Matthew Carpenter, SANS, Intelguardians

All the other talks look good to me as well, so it should be a good time.

see you there!


Tuesday, May 6, 2008

Token Passing with Incognito Part 2

Alright, I love this tool and it's been officially merged into the msf trunk, which is just super.

After talking to the guys at work and doing some thinking on it, the most useful aspect of incognito is being able to become a domain user (if one has logged into the compromised box since the last reboot). Why would I want to be a user instead of the all-powerful SYSTEM? Well, for one thing, a domain user can run the "net" commands against the domain, enumerate domain information, and view and map shares and whatnot. SYSTEM, while mega-badass on the box you are on, is only the machine account as far as the domain is concerned and can't do much there. SOOOO, unless you popped a shell on the DC, we need to try to become a user.

So on to the screenshots...

Normal scenario: we pop a shell with metasploit, with the NEW "old reliable" msdns_zonename exploit, and use the meterpreter payload. Once we are in our meterpreter shell, do a "use incognito" to load the extension.

We list the available tokens by user using "list_tokens -u". Once we see someone we want to try to impersonate we run the impersonate_token "domain\\user" command (note the doubled backslash). We can verify it worked using getuid in meterpreter.

At this point we have two options. We can run commands as our new user, or create our own user and add them to whatever groups we want to add them to. Keep in mind that "most" of this works because the person we are impersonating had admin privileges on the domain (as far as adding users to the domain goes). If we just wanted to become a user to do domain enumeration we can still do that.

So let's see getting a command shell with our impersonated token.

You have to make sure you pass execute the "-t" option (execute -f cmd.exe -i -t) so the new process runs under your impersonated token rather than the session's original one.

The second option is to just add a user and add them to the appropriate group(s). Just follow along, it's not too hard.

Now you can just log in normally to the domain, or do whatever it is you need to do to get your paycheck.

I did some playing with DameWare and this tool. I'll save comments for a future post, and I need to do some more playing, but it appears to be leaving a token in memory as well.

Friday, May 2, 2008

Token Passing with Incognito

I've seen a few people post a link to this paper and tool but no one actually showing it in use yet, so here is the first of some notes on it.

From the whitepaper:
"Domain Privilege Escalation refers to the ability to use a Delegate token to access other systems, which may otherwise be secure from direct attack. This is possible because Delegate tokens contain authentication credentials and so can be used to access external systems for which those credentials are valid.

In order to perform this type of attack, it is usually necessary to have administrative privileges on the compromised system. This is because impersonating a token requires the “SeImpersonate” privilege, as of Windows XP SP2, Windows 2003 and Windows 2000 SP4; additionally, Delegate tokens are normally the result of interactive logins and so administrative access is required in order to access the tokens present in all user processes on the system. Other privileges may also be required (such as “SeAssignPrimaryTokenPrivilege” and “SeCreateTokenPrivilege”) depending on the specific post-exploitation task performed.

There are, however, some exceptions to this. For example, if an attacker were to compromise a service account that was trusted for delegation then they may be able to perform this attack, since services are normally given the “SeImpersonate” privilege. Additionally, on systems before “SeImpersonate” was introduced it may be possible to perform this attack from a low privileged user account under certain circumstances.

A good example of a use case for this type of attack would be as part of compromising a critical database server. If an attacker were unable to compromise the database server directly then they could turn their attention to the DBA’s workstation, since their user account will often have legitimate access to the database servers themselves. If they successfully compromised the workstation then they could use the tokens present to access the database server."

If you actually read the whitepaper there are several scenarios. I am going to cover having a user account with administrative privileges, dumping available tokens, and becoming another user.

Let's get started. First we want to see who we are. Let's run the "set" command to see.

Let's also see what groups brian is in:

Then we run find_token (which any user can actually run), and then we use incognito to list tokens that are available to delegate and impersonate.

Next we connect to the remote box, use the impersonate token for HOUSEOFMUNCH\root, and become that user.


Still to do:

- pop a SYSTEM shell and become a user
- use the meterpreter incognito module
- verify the terminal services stuff in the paper
- see how DameWare with Windows authentication handles tokens

project website:
DEFCON 15 Presentation (pdf):
DEFCON 15 Presentation (video): Broke...WTF

Token Kidnapping by Cesar