Saturday, 24 March 2012

Security-Bsides Austin Texas

I am proud to say that my talk has been selected for B-Sides Austin TX this year.  Check out the Abstract below if you're interested.

Name: David Maloney, @thelightcosine
Title: Don't Pick the lock, steal the key
Length: 45 minutes
Abstract: You've got a problem. You're running a pentest and the only vulnerable box is some schmuck's desktop. Is it game over? Wait, what is this WinSCP application on his machine? Don't give up just yet. The wonderful world of fail that is password storage is about to save your butt. In this talk we will break down how Windows applications store their passwords: where they store them, how they encrypt or obfuscate them, and how we can attack them. Then we will follow up with some real-world examples from the Metasploit Framework, and show how you can turn one workstation into total network compromise in a very short amount of time.

Monday, 17 October 2011

Some facts on the First State Superannuation Issue

Some blogger has recently written a somewhat uninformed post on the whole Patrick Webster FSS issue. The author seems to be under some misapprehension about how these sorts of things work, which is concerning for someone who claims to be a Web Application Security person and is taking the pulpit to preach on the issue. Then again, why should we expect anything less from the Internet, right?

In his post the author states: " It should go without saying that at this point that he could, just by the actions he had taken up to this point, be in violation of any number of data privacy laws."

Really, it goes without saying? Actually, it doesn't. Let's take a look. The first statute they claim he is in violation of states the following:

308H   Unauthorised access to or modification of restricted data held in computer (summary offence)

(1)  A person:
(a)  who causes any unauthorised access to or modification of restricted data held in a computer, and
(b)  who knows that the access or modification is unauthorised, and
(c)  who intends to cause that access or modification,
      is guilty of an offence.
Maximum penalty: Imprisonment for 2 years.

(2)  An offence against this section is a summary offence.
(3)  In this section:
restricted data means data held in a computer, being data to which access is restricted by an access control system associated with a function of the computer.


Let's look at the other statute that is referenced:

478.1  Unauthorised access to, or modification of, restricted data
             (1)  A person is guilty of an offence if:
                     (a)  the person causes any unauthorised access to, or modification of, restricted data; and
                     (b)  the person intends to cause the access or modification; and
                     (c)  the person knows that the access or modification is unauthorised; and
                     (d)  one or more of the following applies:
                              (i)  the restricted data is held in a Commonwealth computer;
                             (ii)  the restricted data is held on behalf of the Commonwealth;
                            (iii)  the access to, or modification of, the restricted data is caused by means of a carriage service.
Penalty:  2 years imprisonment.
             (2)  Absolute liability applies to paragraph (1)(d).
             (3)  In this section:
restricted data means data:
                     (a)  held in a computer; and
                     (b)  to which access is restricted by an access control system associated with a function of the computer.



Look closely at (3) in both statutes. They can only apply if an access control was circumvented. Insecure Direct Object Reference is not bypassing an access control; it is a complete lack of an access control. I may not be a lawyer, but I suspect that this charge would have a VERY hard time standing up in court.

It really is not hard to look up these statutes online. I would suggest that people actually read up on the subject matter. All in all, I would be surprised if this whole matter doesn't blow over. The worst that I suspect will happen is that they make Webster sign that agreement on page 2 of their letter or refuse him any further online access. They could, theoretically, even drop him as a customer, I suppose. I doubt any serious legal action will occur, but I could be wrong.

Mr Webster, I am behind you, and I am sure many others are too. Good luck.

Saturday, 15 October 2011

When even Responsible Disclosure Fails

Disclaimer: The opinions expressed in this blog are my own, and do not reflect the views of anyone but myself.

In the latest incident, Patrick Webster of OSI Security is under threat of legal action. This threat comes after he disclosed a vulnerability to First State Superannuation. The vulnerability was a case of Direct Object Reference: by manipulating a GET parameter, Webster was able to access the statements of other customers. The legal threat is based around the idea that Webster violated Australian computer crime laws and bypassed a security measure. Direct Object Reference is not bypassing an access control. It is, by its very nature, the lack of an access control. Webster did not go public with this information, but rather went directly to the company to notify them of the flaw. On one hand, the company thanked him for his help. On the other hand, they sicced the police on him and are trying to hold him responsible for the cost of fixing the flaw. Customers of First State Superannuation should be outraged at this. The company, which is responsible for protecting its customers' information, has failed to do so. When one of those customers showed this failing, they held him responsible for it. The fact is, FSS has been negligent in providing proper security for its customers. They should be held accountable for this failing. Let's make a hypothetical analogy:

A customer walks into his bank, and asks to access his safety deposit box. They ask him his box number, and he tells them the wrong box number by accident. They bring him another person's box without verifying his identity. When he explains the mistake to them, they call the police and have him arrested.

If you read about this scenario in the newspaper you would be outraged. Why should it be any different in this case?
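To make the technical point concrete (the same one the 17 October post makes about the statutes' wording): an Insecure Direct Object Reference is the absence of an ownership check, not the defeat of one. The following is an added example, not code from the original post or from any FSS system. It shows a statement lookup in the vulnerable shape, the same lookup scoped to the authenticated owner, and a small tally of logged refusals that would make a run of guessed ids visible to monitoring. The customers, statement ids and log lines are constructed.

```ruby
require 'logger'
require 'stringio'

# Constructed sample store: statement id => owner and body. In the real case
# the id arrived straight from a GET parameter in the statement URL.
STATEMENTS = {
  1001 => { owner: 'alice', body: 'Statement for alice' },
  1002 => { owner: 'bob',   body: 'Statement for bob' },
}.freeze

# Parses the id parameter; nil when it is missing or not an integer.
def parse_id(params)
  Integer(params['id'])
rescue ArgumentError, TypeError
  nil
end

# Vulnerable handler: the client-supplied id is the only key used. Nothing
# relates the requested statement to the authenticated session, so there is
# no access control to bypass; any authenticated user can read any statement.
def statement_vulnerable(session_user, params)
  id = parse_id(params)
  return [400, 'bad request'] unless id
  record = STATEMENTS[id]
  return [404, 'not found'] unless record
  [200, record[:body]]
end

# Hardened handler: the lookup is scoped to the authenticated owner. A statement
# that exists but belongs to someone else gets the same 404 as one that does
# not exist (so existence is not leaked), and the refusal is logged so that
# sequential ids from one session show up in monitoring.
def statement_secure(session_user, params, logger = Logger.new($stderr))
  id = parse_id(params)
  return [400, 'bad request'] unless id
  record = STATEMENTS[id]
  unless record && record[:owner] == session_user
    logger.warn("denied: user=#{session_user} statement=#{id}") if record
    return [404, 'not found']
  end
  [200, record[:body]]
end

# Detection side: count the refusals the hardened handler logged, per user.
# Works on the default Logger line format ("W, [...] WARN -- : denied: ...").
def denials_by_user(log_lines)
  log_lines.each_with_object(Hash.new(0)) do |line, counts|
    counts[$1] += 1 if line =~ /denied: user=(\S+) statement=\d+/
  end
end

if __FILE__ == $0
  p statement_vulnerable('alice', 'id' => '1002')   # another customer's statement leaks
  io = StringIO.new
  log = Logger.new(io)
  p statement_secure('alice', { 'id' => '1002' }, log)   # [404, "not found"]
  p statement_secure('alice', { 'id' => '1001' }, log)   # [200, "Statement for alice"]
  p denials_by_user(io.string.lines)                     # {"alice"=>1}
end
```

The hardened version is the shape the analogy above asks for: the teller looks up the box by (customer, box number), not by box number alone.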

What is even more deeply disturbing is the fact that this is far from an isolated incident. In the past year, there have been at least two other cases just like this. Earlier this year, a security researcher by the handle of Acidgen disclosed a buffer overflow vulnerability to the German software company Magix. Acidgen contacted the company with the information, and had supposedly amiable communication with them. During the course of this conversation, he supplied them with a Proof of Concept that opened calculator when run. He asked the company to let him know when it would be patched so he could release the details after it had been fixed. This is when Magix began threatening legal action against Acidgen. Among their claims is that sending the PoC to them constituted distribution of 'hacking tools'. They also claim that his intent to release the details after a patch constitutes extortion.

Another example is the PlentyofFish.com dating site hack. Security researchers discovered a vulnerability in the site that allowed access to customers' private data. The researchers claim that they simply informed the operators of the site of the vulnerability. In a bizarre twist, the owner of the site posted a rambling blog post in which he claimed that the researchers attempted to extort him. His story was bizarre in the extreme, alleging Russian Mob involvement and extortion, and even originally implicated journalist Brian Krebs in the scheme.

What I see here is a very alarming trend. Companies are trying to redirect all blame for their own failings to the very people who are trying to help make them more secure. If this trend continues, researchers will simply stop practicing responsible disclosure to most of these companies. In some cases the disclosure will go back to Full Disclosure practices. Otherwise, some researchers will just keep silent.

So what would First State Superannuation have said if Webster had kept silent, and then a month later someone far less scrupulous had exploited this vulnerability to make a profit? FSS should be thanking Webster for saving them all the embarrassment and possible repercussions of their irresponsible 'security' practices. These companies need to wake up and work with the community to help protect themselves, or things are only going to get worse.

Sunday, 9 October 2011

DerbyCon Retrospective

Rel1k recently posted his thoughts on DerbyCon, and I thought I would share my own. I have not exactly made a secret of how I felt about DerbyCon. The speaker lineup was simply amazing. There were very few spots where I didn't have a talk I wanted to see. I unfortunately had to make some hard decisions between talks that were going at the same time.

When I go to conferences, I often find myself wandering aimlessly for periods. I'm not interested in the talks that are on at that time, and I don't really have anyone to talk to. So I wander about until I find someone I know. Every time I started to wander at Derbycon, I would run into someone who wanted to talk about something. I had no real "down time" the entire conference.

I spent time hanging out with, or at least talking to, people who have been something of heroes to me. I have followed some of these people for years, and getting to talk to them was great. What was even more amazing was that many of them knew who I was! Shaking hands with Chris Gates for the first time was surreal for me. I have followed Chris since I started in security. I tracked dookie2000ca down and finally got him to sign my copy of Metasploit: A Penetration Tester's Guide. I got to spend time hanging out with jduck, corlanc0der, and sinn3r. Everywhere I went, I felt not just like an equal, but like we were all friends. The most telling thing about the Information Security community is that we call it the Community, not the Industry. DerbyCon embodied this spirit. The entire weekend felt more like a family reunion than a conference, and I was sad to leave.


I was privileged to get to take the CoreLan Exploit Dev bootcamp. This training class was intense. We went from 1600-0200 both days, and didn't make it through everything. Peter Van Eeckhoutte (corelanc0d3r) took a class of 30 people from different backgrounds and walked them through Windows exploitation. Some people in the class had absolutely no experience in exploitation. Despite this, Peter kept the entire class moving along, and as far as I could tell, nobody was lost. It was a shame that I had to miss parts of the conference for this training, but I would make the same choice again.

Brandon Perry and I wandered into the CTF room out of curiosity at one point. I had no plans to enter the CTF, so I hadn't really brought any tools with me. We decided to start playing around, not to seriously compete, but to have fun. We shared things we found with each other, and were just having a good time. Before we knew it, we were on top of the leaderboard. The organizers came and asked us to either be scored as a team, or to stop working together. I closed my account out and we kept working together under Brandon's. I was tied up with training for most of the conference, so Brandon spent a lot more time on the CTF than I did. In the end, we ended up in 5th place. I think if we had gone in prepared from the start, and I had the time to focus on it, we could have won. See Brandon's writeup on the CTF efforts here.

A few weeks before Derbycon, I started trying to put together a #metasploit meetup. I wanted to get everyone from the metasploit IRC channel together to hang out for a bit, have some drinks and just have fun. Mubix came up with the idea of throwing a birthday party for ms08-067, so the two ideas merged naturally. Mubix got it all organized and pulled off a great event. There was a big cake and we all sang happy birthday. Then HD started handing out Redbull and Vodkas to EVERYONE at the party!


So I have ranted for long enough, I guess. The summary is this: Derbycon was probably one of the best experiences I have had. I felt at home the entire time I was there. The entire weekend made me more certain than ever that I am where I belong doing what I am meant to do. I can't possibly thank everybody enough, but thank you conference organizers, Rel1k, HD, Jduck, Corelanc0der, sinn3r, nullthreat, lincoln, bperry, Red, and everyone else I hung out with this weekend.

Saturday, 8 October 2011

Update to the Metasploit Exploit Port Wishlist

Here is the latest update to the document I have been creating. This is a list of exploits that are in exploit-db but not in Metasploit. This list is generated by referencing the Knowledge Base in QualysGuard. Its accuracy is not guaranteed, but it should serve as a good starting point for anyone interested in porting exploits to Metasploit.

Saturday, 30 July 2011

Metasploit: Dumping Microsoft SQL Server Hashes

New module just committed today: auxiliary/scanner/mssql/mssql_hashdump

This module takes given credentials and a port and attempts to log into one or more MSSQL servers. Once it has logged in, it checks to make sure it has sysadmin permissions. Assuming it has the needed permissions, it then grabs all of the database usernames and hashes. While it is in there, it also grabs all the database and table names. It reports all of this back into the database for later cracking. Support will be added in the future to the John the Ripper functions to include these database hashes. When it does, the database, table and instance names will also be used to seed the JtR wordlists to enhance cracking efforts.



msf  auxiliary(mssql_hashdump) > info

       Name: MSSQL Password Hashdump
     Module: auxiliary/scanner/mssql/mssql_hashdump
    Version: 13435
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  TheLightCosine

Basic options:
  Name                 Current Setting          Required  Description
  ----                 ---------------          --------  -----------
  PASSWORD             reallybadpassword        no        The password for the specified username
  RHOSTS               192.168.1.1,192.168.1.2  yes       The target address range or CIDR identifier
  RPORT                1433                     yes       The target port
  THREADS              1                        yes       The number of concurrent threads
  USERNAME             sa                       no        The username to authenticate as
  USE_WINDOWS_AUTHENT  false                    yes       Use windows authentification

Description:
  This module extracts the usernames and encrypted password hashes
  from a MSSQL server and stores them for later cracking. This module
  also saves information about the server version and table names,
  which can be used to seed the wordlist.

msf  auxiliary(mssql_hashdump) >
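To show what the dumped values actually contain, here is an added example that is not part of the module or of Metasploit: it splits a SQL Server login hash into header, salt and digest, and checks a single candidate password against it, which is the audit step the JtR support mentioned above would automate. It assumes the two documented layouts, 0x0100 + 4-byte salt + SHA-1 (SQL Server 2005 through 2008 R2) and 0x0200 + 4-byte salt + SHA-512 (SQL Server 2012 and later), both computed over the UTF-16LE password followed by the salt; the older 46-byte SQL Server 2000 form is rejected rather than guessed at. The salt and the hash built from the page's sample password are constructed.

```ruby
require 'digest/sha1'
require 'digest/sha2'

# Recognised layouts: 2-byte header => digest algorithm and total length.
# 0x0100: SQL Server 2005-2008 R2, 4-byte salt + 20-byte SHA-1   (26 bytes)
# 0x0200: SQL Server 2012+,        4-byte salt + 64-byte SHA-512 (70 bytes)
# The SQL Server 2000 form (46 bytes, two SHA-1 digests) also starts with
# 0x0100; the length check below rejects it explicitly.
MSSQL_FORMATS = {
  "\x01\x00".b => { name: 'mssql05', algo: Digest::SHA1,   len: 26 },
  "\x02\x00".b => { name: 'mssql12', algo: Digest::SHA512, len: 70 },
}.freeze

# Splits a hash in the form SQL Server shows it ("0x0100...") into its parts.
def parse_mssql_hash(hex)
  raw = [hex.sub(/\A0x/i, '')].pack('H*')
  header = raw.byteslice(0, 2)
  fmt = MSSQL_FORMATS[header]
  raise ArgumentError, "unknown header #{header.unpack1('H*')}" unless fmt
  unless raw.bytesize == fmt[:len]
    raise ArgumentError, "unexpected length #{raw.bytesize} for #{fmt[:name]}"
  end
  { version: fmt[:name], algo: fmt[:algo],
    salt: raw.byteslice(2, 4), digest: raw.byteslice(6, fmt[:len] - 6) }
end

# Both layouts hash the UTF-16LE encoding of the password followed by the salt.
def mssql_digest(algo, password, salt)
  algo.digest(password.encode('UTF-16LE').b + salt.b)
end

# Builds a hash in the given layout; used here only to construct sample data,
# the real values come out of the server.
def mssql_hash(password, salt, version: 'mssql05')
  header, fmt = MSSQL_FORMATS.find { |_, f| f[:name] == version }
  raise ArgumentError, "unknown version #{version}" unless fmt
  '0x' + (header + salt.b + mssql_digest(fmt[:algo], password, salt)).unpack1('H*').upcase
end

# Audit check: does +candidate+ reproduce the stored digest under its salt?
def password_matches?(hex, candidate)
  h = parse_mssql_hash(hex)
  mssql_digest(h[:algo], candidate, h[:salt]) == h[:digest]
end

if __FILE__ == $0
  salt   = "\x5a\x0c\x31\x9f".b                        # constructed salt
  stored = mssql_hash('reallybadpassword', salt)       # constructed sample hash
  puts stored
  p parse_mssql_hash(stored)[:version]                 # "mssql05"
  p password_matches?(stored, 'reallybadpassword')     # true
  p password_matches?(stored, 'ReallyBadPassword')     # false: 2005+ hashes are case sensitive
end
```

The length check matters in practice: a 0x0100 header alone does not tell you which generation of server produced the hash, and feeding the wrong layout to a cracker silently produces no matches.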

Friday, 29 July 2011

Metasploit Development Environment In Ubuntu

I have spent some time today getting a new Metasploit Development Environment in place. With a lot of help from DarkOperator and egyp7 I think I have succeeded.

Step 1: Installing some Pre-Reqs

sudo aptitude install build-essential libssl-dev zlib1g zlib1g-dev subversion openssh-server screen bison flex jam exuberant-ctags libreadline-dev libxml2-dev libxslt-dev libpcap-dev libmysqlclient-dev libpq-dev curl git libsqlite3-dev
Step 2: Installing RVM

sudo bash < <(curl -s https://rvm.beginrescueend.com/install/rvm)
Edit the .bashrc file of each user that will be using RVM and add the following lines to the end of it:

# Load RVM source
if [[ -s "/usr/local/rvm/scripts/rvm" ]] ; then source "/usr/local/rvm/scripts/rvm" ; fi
# Enable Tab Completion in RVM
[[ -r /usr/local/rvm/scripts/completion ]] && source /usr/local/rvm/scripts/completion

Then from bash run: source /usr/local/rvm/scripts/rvm


Next we install some necessary packages for rvm:

rvm pkg install zlib
rvm pkg install openssl
rvm pkg install readline


Then we install the Ruby versions we want:


rvm install 1.9.2 --with-zlib-dir=$rvm_path/usr --with-openssl-dir=$rvm_path/usr --with-readline-path=$rvm_path/usr 



rvm 1.9.2 --default

rvm install 1.9.1 --with-zlib-dir=$rvm_path/usr --with-openssl-dir=$rvm_path/usr --with-readline-path=$rvm_path/usr

rvm install 1.8.7 --with-zlib-dir=$rvm_path/usr --with-openssl-dir=$rvm_path/usr --with-readline-path=$rvm_path/usr


Then we install some needed Gems:


rvm gem install --no-rdoc --no-ri wirble pry pg nokogiri mysql sdoc msgpack hpricot sqlite3-ruby

Step 3: Adding DarkOperator's IRB customizations:

Create a file ~/.irbrc

The file should look like this:

puts "Loaded ~/.irbrc"
# Load libraries
require 'rubygems'
require 'wirble'
require 'irb/completion'
# Enable indentation in irb
IRB.conf[:AUTO_INDENT] = true
# Enable syntax coloring
Wirble.init
Wirble.colorize
# Get all the methods for an object that aren't basic methods from Object
class Object
  def local_methods
    (methods - Object.instance_methods).sort
  end
end


This customizes irb to give us syntax highlighting, tab completion, auto-indentation, and simple method enumeration.

Step 4: Installing Metasploit:

Step 5: Running Metasploit:
If you want to run msfconsole with the packaged Ruby, just run 'msfconsole' from bash.
Otherwise select your version like this: rvm 1.8.7
Then call msfconsole with the full path: /opt/metasploit/msf3/msfconsole


That's all there is to it. You are now ready to test your Metasploit modules in various different versions of Ruby, all from the same box.

Once again, thanks to egypt and DarkOperator who provided a lot of this guidance to me.