
February 2010 Archives

Please join us and Daniel Suarez, author of runaway hit Daemon to discuss his latest work Freedom(TM). The live stream should be active around 19:30 EST (7:30 PM), Thursday, February 25th. Please keep in mind that the recording time is an estimate.


Please join the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

PaulDotCom Live! - You can watch, listen, and chat during each episode! You can access the streaming videos at any time by visiting http://pauldotcom.com/live/

PaulDotCom Icecast Radio (Audio Only)

Break out your adult beverage of choice and join us, enjoy the show live, and thanks for listening!

- Paul, Larry, Carlos, Darren, John & Mick

Meterpreter script to unlock the screensaver


By Mark Baggett

Let's face it, security guys love their password-protected screensavers. I am no exception. Without it, many users would likely never lock their computers. This simple mechanism may slow down or, in some cases, completely prevent an attacker from accessing resources on a remote machine. A strong password on a screensaver was one of the hurdles that you had to overcome in the Christmas 2008 Ethical Hacker challenge, "Santa Claus is hacking to town". Santa really could have used this script.

The Relentless-coding blog recently posted a Meterpreter script that bypasses the screensaver password protection. The script patches the lsass process running in memory at the point where the code checks the validity of the password that was entered. After the patch is applied, the attacker can enter ANY password to unlock the screensaver. The script works on Windows XP SP2, SP3, Windows Vista and Windows 7. Let's take a look at the script in action:

Meterpreter Screensaver unlock script from PaulDotCom on Vimeo.


The script isn't currently part of the metasploit distribution so you'll need to download it from the Relentless-coding site. Save it to your "scripts/meterpreter" directory in your Metasploit installation. In a Backtrack installation you'll find that directory under "/pentest/exploits/framework3/scripts/meterpreter".

Mark Baggett is teaching SANS 504 in Raleigh NC June 21st! Click here for more information.

Killing the Monkey in the Middle


There are many ways for an attacker to insert themselves into the middle of a conversation. Just some of the tools at the attacker's disposal include:

  • DNS Cache Poisoning (metasploit)
  • NETBIOS Names spoofing (nbtool at skullsecurity.org)
  • Lie about the DNS, WINS and/or default gateway with a rogue DHCP server (yersinia, ettercap)
  • Deliver a WPAD file or otherwise reconfigure the browser proxy (metasploit)
  • IPv6 ISATAP spoofing
  • Attack routing protocols such as BGP MITM
  • IP source routing attacks (netcat)
  • ICMP Redirect messages (ettercap)
  • ARP Cache Poisoning (yersinia, ettercap, cain)
  • Switch Port Stealing (ettercap)
  • Layer2 MAC Flooding* (yersinia, macflood, macof)
  • Gratuitous Spanning Tree BPDU Root messages* (yersinia)
* Allows sniffing that leads to MiTM

Some of these attacks work across the Internet, but most of them are limited to the LAN and rely on Layer 2. The good news is that many of these attacks can be mitigated with new features deployed in the latest version of Cisco's IOS (12.2 or better). BPDU Guard, DHCP Snooping, DHCP Snooping + Dynamic ARP Inspection, DHCP Snooping + IP Source Guard, ARP Rate Limiting, MAC Address port security, PVLAN Protected, Isolated, Community and Promiscuous ports, and 802.1x can all be used to effectively limit many of these attacks. Listener Brian Almond (Infosec Samurai) submitted this PDF on layer two security. Give it a gander! Nice work Brian.

Download Brian Almond's paper here
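To show why the DHCP Snooping + Dynamic ARP Inspection pairing listed above limits rogue DHCP servers and ARP cache poisoning, here is an added Python model of the two checks (an illustration written for this page, not Cisco code or IOS configuration). The class, the port numbers and the sample traffic are assumptions, and the model is simplified to the trust and binding decisions only.

```python
SERVER_MSGS = {"OFFER", "ACK", "NAK"}      # DHCP messages only a server sends


class SnoopingSwitch:
    """Simplified model of DHCP snooping feeding Dynamic ARP Inspection."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)  # uplinks and the real DHCP server
        self.bindings = {}                 # (vlan, ip) -> client MAC

    def dhcp(self, port, vlan, msg, client_mac, ip=None):
        """Inspect one DHCP message and return 'forward' or 'drop'."""
        if msg in SERVER_MSGS and port not in self.trusted:
            return "drop"                  # server reply from an access port
        if msg == "ACK":
            self.bindings[(vlan, ip)] = client_mac   # lease granted: learn it
        elif msg == "RELEASE" and self.bindings.get((vlan, ip)) == client_mac:
            del self.bindings[(vlan, ip)]  # lease returned: forget it
        return "forward"

    def arp(self, port, vlan, sender_mac, sender_ip):
        """Inspect one ARP packet and return 'forward' or 'drop'."""
        if port in self.trusted:
            return "forward"               # trusted ports are not inspected
        if self.bindings.get((vlan, sender_ip)) == sender_mac:
            return "forward"               # sender matches a snooped lease
        return "drop"                      # claimed IP was never leased to it


def replay(switch, events):
    """Run (kind, port, vlan, ...) events through the switch; return verdicts."""
    verdicts = []
    for kind, *fields in events:
        handler = switch.dhcp if kind == "dhcp" else switch.arp
        verdicts.append(handler(*fields))
    return verdicts


# Constructed traffic: port 1 is the trusted uplink, ports 5 and 7 are access
# ports. MAC and IP addresses come from documentation ranges.
CLIENT = "00:00:5e:00:53:0a"
OTHER = "00:00:5e:00:53:0b"
GATEWAY = "00:00:5e:00:53:01"
SAMPLE_EVENTS = [
    ("dhcp", 5, 10, "DISCOVER", CLIENT),
    ("dhcp", 7, 10, "OFFER", CLIENT, "192.0.2.66"),  # server reply, access port
    ("dhcp", 1, 10, "ACK", CLIENT, "192.0.2.20"),    # real server via uplink
    ("arp", 5, 10, CLIENT, "192.0.2.20"),            # client announces its lease
    ("arp", 7, 10, OTHER, "192.0.2.1"),              # port 7 claims the gateway IP
    ("arp", 7, 10, OTHER, "192.0.2.20"),             # port 7 claims the client IP
    ("arp", 1, 10, GATEWAY, "192.0.2.1"),            # gateway via trusted uplink
]

if __name__ == "__main__":
    sw = SnoopingSwitch(trusted_ports={1})
    for event, verdict in zip(SAMPLE_EVENTS, replay(sw, SAMPLE_EVENTS)):
        print(f"{verdict:8} {event}")
```

Hosts with static addresses never appear in the snooped lease table, so in this model they must sit behind a trusted port, and marking an access port as trusted switches both checks off for it.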

Other resources

http://isc.sans.org/diary.html?storyid=7567

http://www.ciscopress.com/articles/article.asp?p=1181682

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/19ew/configuration/guide/dhcp.html

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/19ew/configuration/guide/dynarp.html

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/19ew/configuration/guide/bcastsup.html

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/19ew/configuration/guide/port_sec.html

Mark Baggett is teaching SANS 504 in Raleigh NC June 21st! Click here for more information.

Links between forensics and pen tests


Last year on the show, Marcus J. Carey presented a tech segment about using memory analysis in penetration tests. Memory acquisition came into its own for incident responders a few years back. Even before tools like Volatility, Memoryze or HBGary's Responder were available, many incident responders, including me, used the strings command to perform rudimentary searches and "analysis" of memory artifacts.

Figure 1: strings output of a Linux VM's memory image. The highlighted "forensics" happens to be the root password.

Shortly after Carey's presentation, DarkOperator posted a Meterpreter script that would dump memory and save it offline for later analysis. Passwords are a high value memory artifact for penetration testers. As someone working in app sec and incident response, Carey got me thinking about other things that forensics practitioners may find commonplace, but that may be overlooked by penetration testers. Both disciplines inform each other.

Let's say you're a penetration tester (or an Amortized Perennial Threat as Shawn Moyer says he is) and you're working for a client who wants you to go beyond the shell. Your client has requested that you go after important company data. Databases are an obvious target, but companies also have critical information floating around in Microsoft Office documents (e.g. business plans, bid contracts, vulnerability remediation tracking information, etc.).

What is the best way to locate these documents? You could manually navigate the various common directories where people store documents, read the directory listings and copy down those files that look interesting. But this is a labor intensive process and you may miss something if the user has tucked important files in odd locations.

If only there were a place on the file system that held information about files, a place where we could look and see all of the files that had been opened on the system and that would map back to the location of those files, even if those files were on network shares or removable media. Fortunately for us, there is such a location, in fact, there are two well known ones.

Windows systems have a feature that creates shortcuts for common document types, including Office files, when those files are opened by a user. The idea of using these shortcuts during a pen test is not new. In fact, it was mentioned before on Security Focus' Pen-Test mailing list, but I don't believe it's been, ahem, weaponized until now.

These shortcuts or link files are created by Windows to facilitate the "Recent" document features of modern Windows operating systems. For Windows XP the default location for link files is under Documents and Settings\<username>\Recent with Microsoft Office files having their own location in Documents and Settings\<username>\Application Data\Microsoft\Office\Recent\. Vista and later versions of Windows have moved the recent link files to Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\ and Users\<username>\AppData\Roaming\Microsoft\Office\Recent. There may be other locations specific to other applications as well.

For the two common locations, I have created a Meterpreter script port of Harlan Carvey's lslnk.pl that is commonly used by forensics analysts to dump the contents of Windows' .lnk files.

dumplinks.rb can be used with the Meterpreter to dump the contents of Windows' .lnk files either to the Metasploit user's local file system or to the console. By default, dumplinks.rb runs in a less verbose mode than Carvey's lslnk.pl: it reports the time stamps of the .lnk files themselves, then the time stamps stored inside the .lnk files for the target file, and finally the target file's location.
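An added example, not code from dumplinks.rb or lslnk.pl: a Python parser that reads the same fields (the target's time stamps, size and location) from a link file's shell link header and LinkInfo block, for both local targets and targets on network shares. The sample links are constructed in the code, and `build_sample_lnk`, the paths, the user name and the share name are assumptions made for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 0x4C                       # fixed ShellLinkHeader length
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02  # LinkFlags bits
LOCAL_PATH, NETWORK_PATH = 0x01, 0x02    # LinkInfoFlags bits
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; 0 means unset."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


def _cstr(buf, start):
    """Read a NUL-terminated ANSI string (cp1252 assumed) at offset start."""
    end = buf.find(b"\x00", start)
    if end < 0:
        raise ValueError("unterminated string in LinkInfo")
    return buf[start:end].decode("cp1252", errors="replace")


def parse_lnk(data):
    """Return the target's time stamps, size and path recorded in a .lnk."""
    try:
        size, clsid, flags, _attr, ctime, atime, mtime, fsize = \
            struct.unpack_from("<I16sIIQQQI", data, 0)
        if size != HEADER_SIZE or clsid != LINK_CLSID:
            raise ValueError("not a shell link file")
        info = {"created": filetime_to_dt(ctime),
                "accessed": filetime_to_dt(atime),
                "modified": filetime_to_dt(mtime),
                "size": fsize, "target": None}
        pos = HEADER_SIZE
        if flags & HAS_ID_LIST:          # skip the shell item ID list
            pos += 2 + struct.unpack_from("<H", data, pos)[0]
        if flags & HAS_LINK_INFO:
            li_size, _hdr, li_flags, _vol, base_off, net_off, suffix_off = \
                struct.unpack_from("<7I", data, pos)
            li = data[pos:pos + li_size]  # offsets are relative to LinkInfo
            suffix = _cstr(li, suffix_off) if suffix_off else ""
            if li_flags & LOCAL_PATH:     # file on a local volume
                info["target"] = _cstr(li, base_off) + suffix
            elif li_flags & NETWORK_PATH:  # file on a share: NetName + suffix
                name_off = struct.unpack_from("<I", li, net_off + 8)[0]
                share = _cstr(li, net_off + name_off)
                info["target"] = share + ("\\" + suffix if suffix else "")
        return info
    except struct.error as exc:          # a field ran past the end of data
        raise ValueError("truncated shell link") from exc


def build_sample_lnk(path, when, size, share=None):
    """Constructed sample .lnk (not a real capture): header plus LinkInfo.
    With share set, path is stored as the suffix below that network share."""
    ft = int((when - EPOCH_1601).total_seconds()) * 10_000_000
    header = struct.pack("<I16sIIQQQIIIH10x", HEADER_SIZE, LINK_CLSID,
                         HAS_LINK_INFO, 0x20, ft, ft, ft, size, 0, 1, 0)
    raw = path.encode("cp1252") + b"\x00"
    if share is None:                    # LocalBasePath, empty suffix
        body, li_flags = raw + b"\x00", LOCAL_PATH
        base_off, net_off, suffix_off = 28, 0, 28 + len(raw)
    else:                                # CommonNetworkRelativeLink + suffix
        name = share.encode("cp1252") + b"\x00"
        net = struct.pack("<5I", 20 + len(name), 0, 20, 0, 0) + name
        body, li_flags = net + raw, NETWORK_PATH
        base_off, net_off, suffix_off = 0, 28, 28 + len(net)
    link_info = struct.pack("<7I", 28 + len(body), 28, li_flags, 0,
                            base_off, net_off, suffix_off) + body
    return header + link_info


# Constructed inputs: user name, file names and share are made up.
SAMPLE_WHEN = datetime(2010, 2, 20, 14, 30, tzinfo=timezone.utc)
SAMPLE_LOCAL = build_sample_lnk(
    r"C:\Documents and Settings\alice\My Documents\bid.doc", SAMPLE_WHEN, 4096)
SAMPLE_SHARE = build_sample_lnk(
    r"finance\plan.xls", SAMPLE_WHEN, 8192, share=r"\\FILESRV\projects")

if __name__ == "__main__":
    for blob in (SAMPLE_LOCAL, SAMPLE_SHARE):
        rec = parse_lnk(blob)
        print(rec["modified"].isoformat(), rec["size"], rec["target"])
```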

Enough drivel, here's a couple of screen shots:
Figure 2: dumplinks help screen

And one of the script in action, dumping to the console:
Figure 3: dumplinks sending everything to the console

Of course there are other tools and techniques that cross-over from forensics to penetration testing. I will be back with another, as soon as I can find the time. For now, enjoy the dumplinks.

Dave Hull describes his working life as on the Venns between incident response, forensics and web application security. He will be teaching SANS Forensics 508: Computer Forensics Investigation and Incident Response in Boston, March 15 - 20.

After listening to Larry's excellent technical segment on dumping the event logs from a large list of computers, I decided to try it out on my own. If you missed the technical segment, you can find the notes here. To do my own testing I needed to start with a large list of computers. For my list, I want to have the names of every computer in the domain. So I turned to "dsquery computer" to get a list of all computers.

C:\WINDOWS> dsquery computer 

"CN=CONTROLER1,OU=Domain Controllers,DC=subdomain,DC=domain,DC=com"


BLA BLA BLA... Truncated


"CN=WORKSTATION1,OU=ORGUNIT1,OU=OrgUnit2,OU=OrgUnit3,DC=Subdomain,DC=Domain,DC=com"


BLA BLA BLA... Truncated again


The length of the results changes because of the variable number of subdomains, but fortunately for us the workstation name is always the first part of the string. It is always between the CN= and the first comma. We can strip out the workstation name with the "DELIMS" and "TOKENS" options of the FOR loop. Also, by default DSQUERY will only return the first 100 results. This can be changed using the "-LIMIT" option. Setting the LIMIT to 0 returns all results. For now, let's check our output looking at only two entries.


C:\WINDOWS>for /F "delims=, tokens=1" %i in ('dsquery computer -limit 2') do echo %i


C:\WINDOWS>echo "CN=WORKSTATION1

"CN=WORKSTATION1


C:\WINDOWS>echo "CN=WORKSTATION2

"CN=WORKSTATION2



We are almost there. I need to strip the first 4 characters of the line. For this I stole a page or two from Ed Skoudis' play book. We can strip the first four characters with the SET command using the expression variable = %variable:~4%. But, since we are in a FOR loop we have to turn on delayed variable expansion and use ! instead of %.



C:\WINDOWS>cmd.exe /v:on /c "for /F "delims=, tokens=1" %i in ('dsquery computer -limit 2') do set name=%i  & set name=!name:~4! & echo !name!"


Dsquery has reached the specified limit on number of results to display; use a different value for the -limit option to display more results.

C:\WINDOWS>set name="CN=WORKSTATION1    & set name=!name:~4!   & echo !name!

WORKSTATION1

C:\WINDOWS>set name="CN=WORKSTATION2    & set name=!name:~4!   & echo !name!

WORKSTATION2


Now we have all the computer names in the domain being printed one at a time. I can dump all the names of the machines in the domain to file to feed Larry's event dumper.


C:\WINDOWS>cmd.exe /v:on /c "for /F "delims=, tokens=1" %i in ('dsquery computer -limit 0') do set name=%i & set name=!name:~4! & echo !name! >> c:\temp\machines.txt"


Better yet, we could combine it with a WMIC command and other commands to do various useful tasks on our machines.  For example, if I want to query every machine in my network for an instance of a process that starts with CMD I could run the following:  (remember that % is a wild card in wmic)


C:\WINDOWS>cmd.exe /v:on /c "for /F "delims=, tokens=1" %i in ('dsquery computer -limit 2') do set name=%i  & set name=!name:~4! & wmic /node:!name! process where "name like 'cmd%'" list brief"


Dsquery has reached the specified limit on number of results to display; use a different value for the -limit option to display more results.


C:\WINDOWS>set name="CN=WORKSTATION1    & set name=!name:~4!   & wmic /node:!name! process where "name like 'cmd%'" list brief

HandleCount  Name     Priority  ProcessId  ThreadCount  WorkingSetSize

33           cmd.exe  8         2308       1            1654784



C:\WINDOWS>set name="CN=WORKSTATION2    & set name=!name:~4!   & wmic /node:!name! process where "name like 'cmd%'" list brief

HandleCount  Name     Priority  ProcessId  ThreadCount  WorkingSetSize

33           cmd.exe  8         2368       1            1626112


So there you go.  Now using this basic syntax...


cmd.exe /v:on /c "for /F "delims=, tokens=1" %i in ('dsquery computer -limit 0') do set name=%i  & set name=!name:~4! & Any command here based on !name!


... you can run any command you want on every machine in your domain.   


Join me for SANS 504 June 21-26

PaulDotCom Security Weekly - Episode 187 - February 18, 2010


[Note: We've given up on fighting iTunes and are now releasing both parts for each episode at the same time. Make sure you check your podcast application (most listeners use iTunes) and make sure you are getting both parts of each episode!]

Episode 187 Show Notes

Part 1: Pwning VMware and the Smart Grid...


Part 2: Windows command line kung fu and discussion of the stories for the week!


Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez


Bypassing AV with msfencode -x


John Strand put together a great video showing how to use msfencode's -x parameter to specify a custom template into which you embed a Metasploit payload. What does that mean? Any Windows executable can be used to carry any Metasploit executable, making it that much easier to avoid antivirus detection.

Back in the day, msfpayload's -x parameter read the template.exe from the /data/ directory and did a simple string replacement. msfpayload would look for the string "PAYLOAD:" in the binary and insert the "RAW" encoded payload at that point in the binary. Creating custom templates required that you create your own templates containing the PAYLOAD string at the execution entry point. If you did create your own template that you want to continue to use because NO ONE detects it, msfencode will still support the old style template. If you want to use old style templates you can use an "undocumented" encoder type called "exe-small". Set your -t output type to "exe-small" instead of "exe" to use the old style templates.

But that is a lot of work. Now, msfencode reads the PE header, finds a .text section in the executable and either prepends or appends (at random) the payload to the code. Then it modifies the entry point in the executable so that the payload is called before the program's normal code is executed.

Pretty cool stuff. Nice video John!

Mark Baggett is teaching SANS 504 in Raleigh NC June 21st! Click here for more information.

At the podcaster meetup at Shmoocon 2010 an interesting conversation ensued about the lack of business acumen among penetration testers. "Penetration testers don't understand business and don't know how to talk to our executives" was the charge. (IMHO it is my job as the CISO's job to translate haxor geek speak into boardroom geek speak, but that's another subject.) Regardless of whether the charge is accurate, it does benefit the penetration tester to have a basic understanding of how the CFO, auditors and others with a financial background tend to look at things. This is my attempt to explain their view of the world in terms we understand.

For the penetration tester, gaining remote access is a two-step process: 1) Load malware on the remote host. 2) Cause the malware to execute. If you have one, but not the other, the system is "safe" from attack. In the financial world, the GL-Hacker (General Ledger Hacker) also has a two-step process: 1) Effect the transfer of funds between the company and a third party (banks, vendors, employees, credit card companies). 2) Make the appropriate adjustment on the general ledger. If they can do one, but not the other, the company will notice the funds are missing during its "reconciliation process", where it compares the balances of the two systems. Accountants, auditors and CFOs tend to assume that system controls such as authentication, confidentiality and integrity (Yes, I know the A in CIA is availability) are in place and functioning properly. That is our job. They focus on the authorizations given to an account to determine if they allow both functions a GL-Hacker requires (transfer funds, adjust ledger).

With that in mind, let's look at some of the major components (sub-ledgers) of a general ledger that are often targets of fraud and how the GL-Hacker tries to manipulate them.

Accounts Payable (i.e., money we owe)
Accounts Payable generally has two major components: one for "Purchase Orders", where you are paying vendors for goods and services, and a "financial transactions" process. Not all vendors will accept checks or payments through traditional means, and not all business transactions go through the Purchase Order process. Items such as mergers and acquisitions and other one-time executive initiatives are often done via a wire transfer and go through the "financial transactions" process. The PO process tends to be very well structured and monitored, whereas the transactions process, by its nature a one-off process, is more often susceptible to fraud. Within the Accounts Payable system you often see the following vulnerabilities.


  • Can the same person create a vendor and issue them a check?

  • Can someone change the banking information on the vendor master file, generate a payment (i.e., approve the PO) and change the bank information back?

  • Are wire transfers confirmed before they are executed? Could the cleaning crew pick up a completed "wire transfers" form with executive signatures from someone's inbox, make a copy and perform a "fund transfer replay attack" with a different destination IP address?

Payroll/HR
This is pretty self-explanatory. We should all be pretty familiar with the fact that employers can send us money and other financial benefits such as 401k and medical disbursements. Payroll can have similar issues. The person who can create an employee and edit their direct deposit and/or benefits information should not have the ability to start or end their active employment (i.e., pay them).


  • Ghost employees. Can someone create an employee record and activate their payroll?

  • Incorrect termination dates. If someone's last day is the 10th, can HR edit their direct deposit information on the 10th and let payroll run until an end-of-month termination date?

  • Rogue benefits - Can HR edit their own pay rate or bonus? Can they add 401k or other benefits they may not be entitled to?

Accounts Receivables - (Money we are collecting)
We are collecting money here, so it's all good, right? Not really. There are a couple of things to watch for here. First, does all the money you collect make it to the bank, or does it end up in an employee's pocket? The second thing to worry about is "account adjustments" such as refunds or chargebacks. The money issue is again solved by separating the lock from the key. The person who collects the money isn't the same person who posts how much money you should have received to the ledger. For refunds and chargebacks, the person who authorizes a refund should not be the same person who determines where the refund goes. A chargeback occurs when a customer disputes a credit card charge on their bill. In those cases the business is required to prove the transaction is legitimate.


  • Can a single person edit the banking or credit card number on an account, issue them a refund and then change the information back?

Like hacking computer systems, the number of ways a GL-hacker can commit fraud is only limited by their imagination and their understanding of the system they are attacking. Having good auditors who understand the system and can look at it in terms of how an attacker might game the system is essential to the success of a good risk management program. Accountants rely on logs, monitoring and separating the two essential elements of the attack to protect their systems. Wow.. that sounds familiar.

So there you go, maybe hackers and accountants aren't that different after all. We just have different "geek" speak. We talk in three-letter acronyms: "SSL, TCP, GRE and SSH". They talk in two: "FI, AR, AP, GL". Information Security is pretty new compared to accounting. I think you'll find that by adopting some of their language, or at least understanding some of it, you are able to effectively communicate risk and influence change during your next pen test.

PaulDotCom Security Weekly - Episode 186 Part 2 - February 11, 2010


PaulDotCom talks smack about security...

We love Irongeek (but not like that).

Full Show Notes

Direct Audio Download

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez


Don't miss this episode where we will officially welcome a new member to the PaulDotCom team! Tune in to find out who else is invited on the PaulDotCom short bus.

Free ride (members only)

Sorry Mike Poor, maybe next time?

We'll also have on Justin Morehouse and Tony Flick, fresh from the Shmoopocalypse to discuss "Stealing Guests... The VMware Way".

Watch us live at 19:30 EST, Thursday February 18th for Episode 187 of PaulDotCom Security Weekly!


Please join the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

PaulDotCom Livestream - All new with Video and Chat! You can access the streaming videos at any time by visiting http://pauldotcom.com/live/

PaulDotCom Icecast Radio

Break out your adult beverage of choice and join us, enjoy the show live, and thanks for listening!

- Paul, Larry, Carlos, Darren, John & Mick

NOT A CON!!!! (it's a backdoor)


CON is a special device file on the Windows operating system. It's short for CONSOLE and can be used at the command line to redirect standard in and standard out. But beware, sometimes CON may not be a console. It might just be a backdoor.

Last Thursday Dan Crowley from Core Impact presented the technical segment on the podcast. Dan discussed his Shmoocon presentation on Windows File Pseudonyms and the many different ways you can address a file on a Windows NTFS partition. Dan covered several interesting ways to twist your filenames to avoid string based filters. I pulled several of them together to create a Windows filename obfuscation cheat sheet based largely on Dan's work. You can download the cheat sheet here.

Among the various Windows pseudonyms, Dan discussed the use of Windows devices such as CON, AUX, PRN and LPT1. These are reserved file names with a special purpose at the command prompt. Using these devices has been an interest of mine for some time. One interesting aspect of these devices is that they are not easily deleted or created.

Files that cannot easily be deleted are interesting to both the incident handler and the penetration tester. If an attacker places these files on your drive, you are going to have a hard time getting rid of them unless you know the trick that I'll show you here. So what does it take to create, delete and execute files that use these device names? Here is a quick demonstration video of how an attacker can disguise a backdoor as the CON device and avoid being deleted.

NOT A CON!!!! (it's a backdoor) from PaulDotCom on Vimeo.
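For incident handlers sweeping a file listing for the reserved device names discussed above, an exact string match on "CON" misses the twisted variants. This added Python example (not from the post, the video or Dan's cheat sheet) puts the brittle check beside a normalising one; NUL, COM1-9 and LPT2-9 are added from Microsoft's file-naming rules, and the function names and sample paths are assumptions.

```python
import re

# CON, AUX, PRN and LPT1 are named in the post; NUL, COM1-9 and LPT2-9 are
# added here from Microsoft's file-naming rules.
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{prefix}{n}" for prefix in ("COM", "LPT") for n in range(1, 10)}


def naive_is_device(name):
    """The brittle check: exact, case-sensitive string match."""
    return name in RESERVED


def reserved_device(component):
    """Return the device a single path component refers to, else None."""
    stem = component.rstrip(" .")        # Win32 strips trailing dots and spaces
    stem = stem.split(":", 1)[0]         # classic syntax writes CON: or LPT1:
    stem = stem.split(".", 1)[0]         # NUL.txt style names are reserved too
    stem = stem.rstrip(" ").upper()      # names are case-insensitive
    return stem if stem in RESERVED else None


def flag_paths(paths):
    """Return (path, component, device) for each path with a reserved name."""
    hits = []
    for path in paths:
        for component in re.split(r"[\\/]+", path):
            device = reserved_device(component)
            if device:
                hits.append((path, component, device))
                break
    return hits


# Constructed file listing (paths are made up for the example).
SAMPLE_LISTING = [
    r"C:\Inetpub\wwwroot\index.html",
    r"C:\Inetpub\wwwroot\con.txt",
    r"C:\Temp\Aux. ",
    r"C:\Temp\console.log",
    r"D:\jobs\LPT1:",
    r"D:\jobs\COM10.dat",
    r"C:\Users\bob\nul.tar.gz",
]

if __name__ == "__main__":
    for path, component, device in flag_paths(SAMPLE_LISTING):
        print(f"{device:5} {component!r:14} {path}")
```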


Shmoocon 2010 Podcaster Meetup


Chaos. Intelligent Debate. Shmooball fights. Keg Stands. Educated Opinions.

That's right, get all of that and more when you listen to the audio from the 2010 Shmoocon Podcaster Meetup!


Here's what the press has to say:

"The security podcasters’ meet-up on Saturday night was more like a Motley Crue concert than anything else. The podcasters on stage resembled the head table at a Klingon wedding. But drunken antics conference-wide were minimal, and some decent food for thought came out of the podcasting event despite the rowdiness."

-- Bill Brenner, CSO Online

"The podcasters meetup is like watching a bunch of monkeys fn a football with add!"

-- "@secbarbie"

You be the judge!

Direct Audio Download


PaulDotCom Security Weekly - Episode 186 Part 1 - February 11, 2010


The PaulDotCom crew lives to recount our near death experiences with the Shmoopocalypse, Chartreuse, and tactical bacon! Come hear us recount these hair raising tales at the 19:30 EST, Thursday February 11th recording of Episode 186 of PaulDotCom Security Weekly!

Shmoocake - every bit as good as it sounds!

We'll have David Hoelzer as well as a guest Technical Segment with Dan Crowley who will cover Windows File Pseudonyms: Strange filenames and haiku.


Please join the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

PaulDotCom Livestream - All new with Video and Chat! You can access the streaming videos at any time by visiting http://pauldotcom.com/live/

PaulDotCom Icecast Radio

Break out your adult beverage of choice and join us, enjoy the show live, and thanks for listening!

- Paul, Larry, Carlos, Darren, John & Mick

What I learned at Shmoocon 2010


Another successful Shmoocon! This year's conference was well run, tons of fun, and informative. As always what follows is my "What I Learned At Shmoocon" factoids:

  • The small feeling of safety I once had using GSM is completely gone. It now falls into the same category as "Wifi".
  • Mike Poor looks hot in pink (and is the proud owner of a *really* stretched out pink ladies hack naked tank top)
  • Giving the I-Hacked guys a soldering iron results in "Bad things" (depends on your perspective). Injecting audio into the A/V system during a talk and monitoring hotel radio communications are some of the things that sound fun, but were definitely NOT attempted by anyone we know (for the record).
  • Even if it is 3:00AM and I have been drinking I can still "evangelize"
    [Photo: PaulDotCom Holding "Court" In the Hotel Lounge]

  • Just because your Bluetooth dongle is paired with a mouse doesn't mean it won't accept keystrokes. This changes my perspective on Bluetooth security and how I use Bluetooth devices: I won't use Bluetooth on anything that passes my data.
  • Kismet now supports passive and active Bluetooth scanning. I've been looking for a replacement to btscanner and hope this is it. By the way, make sure you give Mike Kershaw a beer and thank him for writing Kismet. (Rel1k also got a beer for his work on FastTrack and SET).
  • All nipples are not created equal
  • You can name a drink whatever you want and even call it a F%$*ing Lollipop (Jagermeister and root beer)
  • Cigars are not as enjoyable when you are standing in the cold with snow blowing all over you
  • Being confronted with the following decision is not easy: Face dehydration (and possible resulting death) or use your credit card in the vending machine at a hacker conference.
    [Photo: Slide Your Card Here.....To Get Pwned]

  • Our listeners rule and thanked us with beer (explains the dehydration eh?). We love our listeners (but not like that, well maybe). A side note, our favorite beers that we may, or may not have brought to the conference in an unmarked box, are G. Schneider & Sohn Aventinus and Westmalle Trappist Ale (Dubbel).
  • Don't let Carlos get a hold of your toothbrush, ever. And don't mention the toothbrush thing around his family (sorry Carlos!)
  • Mick is no longer allowed on the podcast sober, he is far more entertaining when he is completely drunk. He will express his undying love for Notacon and hockey and force you to love those things just as much as he does.
    [Photo: Hockey & Notacon Bitches!]

  • Lockpicking is great fun! I learned that you should check if the lock is open before trying to pick it. Nothing is worse than successfully "picking" the lock only to find out you've locked it, not opened it.
  • PaulDotCom (Larry & Mick) release details on the Cactus Project, showcasing the dangers of P2P networks with respect to data leakage. More details will be released in the coming weeks.
  • When the Shmooball launcher takes aim, run for cover. Larry, along with intern Darren, produced the most spectacular Shmooball cannon ever. While it may not have taken first place in the contest, Bruce can show you a perfectly round bruise on his rib cage as an example of its force.
    [Photo: You Have 10 Seconds To Comply...]

Thanks to everyone for a great time, especially the Shmoocon staff, PaulDotCom Crew, and of course all of our fans. We hope to have the store back up and running so you can buy some PaulDotCom "Hack Naked" gear. Can't wait for next year!

PaulDotCom Security Weekly - Episode 185 Part 2 - January 28, 2010


PaulDotCom Security Weekly - Episode 185 Part 1 - January 28, 2010
