Tom Neaves

Introducing Ncrack, a Network Brute Forcer on Crack

2010-03-08T18:19:44Z

"Ncrack is an open source tool for network authentication cracking. It was designed for high-speed parallel cracking using a dynamic engine that can adapt to different network situations. Ncrack can also be extensively fine-tuned for special cases, though the default parameters are generic enough to cover almost every situation. It is built on a modular architecture that allows for easy extension to support additional protocols. Ncrack is designed for companies and security professionals to audit large networks for default or weak passwords in a rapid and reliable way. It can also be used to conduct fairly sophisticated and intensive brute force attacks against individual services."

I've always had a bit of a Hydra addiction when it comes to brute forcing services however Ncrack looks pretty tasty, especially with the parallel goodness. Better than Hydra? Only time will tell...

Check the screenshots and man page out at http://nmap.org/ncrack/man.html#man-description

Read more and grab Ncrack at http://nmap.org/ncrack/

Hash Me Up (Mac OS X Styleee)

2010-03-08T15:28:44Z

On a good day you'll catch me on my MacBook Pro like any other Apple fanboy. However, I was on a penetration test recently where access was obtained to a Mac OS X Server and a little bit of pain was caused due to the way Apple manage the user accounts.

Want to dump some hashes in Leopard?

First you must find a user's GUID.

dscl localhost -read /Search/Users/username | grep GeneratedUID | cut -c15-

Now you can dump the hashes. By default, you'll only be able to dump the salted SHA1 hash. However, wait for it, if the user has SMB file sharing enabled, the NTLM hash will also be stored - bonus.

To get the salted SHA1 (first 8 characters are the salt):

cat /var/db/shadow/hash/GUID | cut -c105-152

To get the NTLM goodness (first 32 characters are NT, next 32 are LM):

cat /var/db/shadow/hash/GUID | cut -c-64

Kneber Botnet - The End is Nigh! Not Quite!

2010-02-19T11:49:53Z

Just a quick one this morning... A botnet has been discovered that has apparently hijacked more than 75,000 boxes across the world, named "Kneber". The media have got hold of this information and are spinning it so fast that even I'm a little dizzy.

The Kneber botnet is a VARIANT of the ZeuS trojan, which allows botnet herders an easy GUI to customise their malware, botnets and dropzones. Kneber, as far as a malware, is NOT new! Kneber as a botnet IS new.

Don't panic! The ZeuS trojan (and variants) are being picked up by most good AVs... so if you keep these up to date then you should* be OK.

Symantec and Fortinet have written good papers on the ZeuS trojan.

FortiGuard | Zeus: God of DIY Botnets
http://www.fortiguard.com/analysis/zeusanalysis.html

Symantec | Zeus, King of the Underground Crimeware Toolkits
http://www.symantec.com/connect/blogs/zeus-king-underground-crimeware-toolkits

OK, great, I'm glad we cleared that up. :o)

* Excluding the use of 0day packers, ack!

Web 2.0 + People = New Challenges

2010-01-30T09:31:06Z

This article originally appeared on Verizon Business' ThinkForward blog. It is written by me with a different audience in mind and is business-centric. However, no harm in punting here too.

The computer industry loves a good buzzword and "Web 2.0" is no exception to this rule. Journalists have been using this buzzword for some time now and many of the top sites on the Internet (the likes of Facebook and Twitter) already make use of this Web 2.0 jazz, but what is it and what does it mean for security? Wikipedia describes Web 2.0 as, "the changing trends in the use of World Wide Web technology and web design that aim to enhance creativity, communications, secure information sharing, collaboration and functionality of the web." This mainly refers to JavaScript technology, which now seems like it has been about since the beginning of time. However, the Wikipedia entry does relate to the web changing - from static pages to dynamic and user-driven content, such as blogs, wikis and social networking sites. As all security savvy people know, with any new technology or trends come new security implications. It's a cat-and-mouse game out there. Web 2.0 now involves people heavily, which is a good thing for usability but not such a good thing for security. Let's look at some of the potential issues.

In at number one is user-generated content. Web 2.0 is all about allowing users to add their own content in the form of text and photos. If software security taught us anything, it was to never ever (ever!) trust input provided by the user. Input could be bad, malformed or just blatantly malicious. As the data will be saved on a backend database and then be referenced to generate content for other users, data validation just become even more important.

In at number two are web services. Web 2.0 allows different systems to be able communicate and interface with each other using a common API (Application Programming Interface, based on XML), also known as web services. For instance, this allows one web site the ability to pull photos from a third-party photo-sharing web site, interactive maps from another and content from a third. This is a huge change from the past where all data was taken from one source, often managed by the same organization.

This creates security implications in relation to trust. How do we know the third party is taking security seriously? A compromise that occurs at the third party can now negatively influence and affect your organization due to data being used (and trusted) to create content. The availability of web services also increases the possible attack vectors for an attacker.

In at number three are people and passwords. Web 2.0 blurs the boundaries between work and personal life. LinkedIn, Facebook and Twitter have dual uses both professionally and personally and often cross over. This has many security and reputation implications; however, I am most concerned about information leakage and weak passwords. Web 2.0 is built around community-driven sites, content for and by the users, and as such users are often provided with the ability to create personal profile pages. Facebook is a good example of this. The amount of information that can be gleaned from these unrestricted pages should not be underestimated. Information can be used in furthering attacks both externally and internally into an organization.

The second issue is passwords. Time and time again it has been documented that people are the weakest link in security and therefore education needs to start here. Human beings will often pick dictionary-based passwords, which are vulnerable to dictionary-based password attacks. However, for some time now the industry has stood up to this challenge by implementing password complexity, which requires special characters and password lengths. This has somewhat mitigated this vulnerability. Another issue is that users often reuse the same password across multiple sites and applications. Internally this isn't as much of a problem; however, this habit used over the Internet creates security implications that will only increase with more Web 2.0 sites.

Don't panic! Change is a good thing. But awareness of the security implications of how people are using the web needs to be acknowledged and factored into an organization's risk exposure. Education is always key to making sure employees are aware of the security policies of your organization. It is also a good chance to demonstrate how poor security can affect them personally, namely identity theft. Developers should consider new technologies to help them double check that user-generated content is safe. Finally, the risk of a compromise occurring via web services can be mitigated by conducting a security assessment on all endpoints where the web services interact including third parties to give added assurances.

Nmap 5.20 released

2010-01-21T10:18:22Z

More than 150 significant improvements,
30+ new Nmap Scripting Engine (NSE) scripts
Enhanced Performance and Reduced Memory Consumption
Protocol-specific Payloads for more Effective UDP Scanning
A Completely rewritten traceroute engine
Massive OS and version detection DB updates (10,000+ signatures)

Don't just take my word for it, read the changelog at http://nmap.org/changelog.html

Grab it at http://nmap.org/download.html

BackTrack Final 4 released

2010-01-20T14:18:10Z

BackTrack 4 (Final) is officially released.

If you didn't already know, "BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking."

This release includes a new kernel, a larger than life toolset repository, custom tools a plenty, and more importantly, fixes for all those annoying bugs in the pre-release.

You can download it at http://www.backtrack-linux.org/downloads/

However, the site has been getting hit pretty hard this week so I suggest you grab the torrent at http://www.backtrack-linux.org/bt4-final.iso.torrent

Second GSM Cipher Fail - A5/3

2010-01-12T00:16:21Z

The GSM encryption algorithm A5/1 has been known to be broken for some time now... about 10 years to be exact. However, if you were sleeping under a rock for the last few weeks, you would have missed the news that some researchers have put the theoretical attack into practice, making it a reality for mobile phone operators.

Anyway, seems A5/3 (also known as KASUMI) may also be broken. News circulating on the interweb talks of a 0day paper that could be published any day now. Further fodder about it is here and here.

Attack on PHP sessions and random numbers

2010-01-11T21:56:23Z

PHP random numbers and session IDs weaker than thought. Proof of concept code and further information at http://samy.pl/phpwn/

Friend or foe? Automated Malware Analysis and Identification

2009-09-28T17:50:02Z

I am doing a PhD on the subject so it's only right I post something up related to it. Whether you're a security researcher fishing for binaries or a system administrator that suspects an executable on a box might be a little bit fishy... this post is aimed at both of you.

Malware analysis can be painful to say the least, and in many cases you need to do manual inspection (at least for identification when an AV doesn't yet have a signature...) but what does save time and a lot of pain is automated analysis. There are sandboxes out there on the net that will allow you to upload your fishy binary and have it analysed on their machines, both in terms of a host assessment and the network activity. This is helpful in the remediation stage as you can firewall the appropriate ports and blacklist the relevant IPs while you deal with removing registry keys and rootkits in the meantime by using these results. Some will even cross reference it with multiple AV signatures to tell you what they flag it as.

Here are some FREE (!!!) automated malware analysis services on the net:

Anubis

BitBlaze Malware Analysis Service

Comodo Automated Analysis System

CWSandbox

EUREKA Malware Analysis Internet Service

Joebox

Norman Sandbox

ThreatExpert

That should keep you going for now.

Give us a flash! Introducing SWFScan, the Flash Security Scanner

2009-09-19T09:05:35Z

The nice people at the Web Security Research Group over at HP have created a bit of goodness that will find vulnerabilities in applications built on the Flash platform. Right now it's free but no doubt they will be merging this with WebInspect at some point I'm guessing.

It will;

(a) decompile the Flash application and extract the ActionScript code and statically analyse it, identifying things like information disclosure.

(b) reports on insecure programming and deployment practices and suggests solutions (like buy WebInspect? ;o))

All in all, a nice little addition to a penetration tester's web application testing toolkit.

Grab SWFScan here. Or read more about it here.

4f - The File Format Fuzzing Framework

2009-09-19T08:54:32Z

If I had a pound for everytime I have said "it's all about your inputs, never trust your inputs" then I'd probably be chillin' out on some beach in Hawaii right now. But anyway...

The guys over at Krakow Labs have put together a little bit of goodness in relation to fuzzing, more importantly, application fuzzing. It's name? 4f... (you see what they did... they used the four F's and... anyway...)

How is 4f different? Well it's purpose is to find vulnerabilities in code that parses file formats including configuration files, think ./omghi2u "-c omg.conf" here.

4f uses specialised modules for fuzzing code that interprets file formats. Several modules are included and more can be written to follow other formats. A custom debugger is also thrown in which will log all the crucial goodness on a crash.

Grab it here. Read more about it here.

Usage

USAGE:   ./4f <-T /usr/bin/target> <-M #> [-N fuzz.conf]
                   [-A ARGS] [-R /output] [-L log.txt] [-C] [-D]

INFO:       [-O Fuzzing Oracle] [-S Modules Available]

Windows Sysinternals Tools Updated

2009-09-19T08:44:39Z

Sysinternals has long been the choice for both analysing malware behaviour and in penetration tests with focus on application assessments. It allows you to see exactly what a binary is really doing deep down in the Windows OS, such as reading and writing files, reading and writing registry keys and the execution of child processes, etc.

We say goodbye to RegMon and FileMon as for some time now ProcMon did their goodness anyway... so they've officially been put into a retirement home.

ProcMon and ProcDump got an overhaul - little tweaks here and there.

Grab them from Sysinternal's website here.

Aircrack-ng 1.0 released

2009-09-12T23:04:30Z

As the title states, new version of the Aircrack-ng suite got released the other day...

Changelog;

- airserv-ng: Now works fine between 32 and 64bit OSes.
- wesside-ng: Fixed some endianness bugs
- airodump-ng-oui-update: Make sure the user is root when updating the file.
- airmon-ng: Updated iw download link (0.9.17).
- All: Fixed compilation with some gcc.
- patches: Added missing patches from patches.aircrack-ng.org: mac80211_2.6.28-rc4-wl_frag+ack_v3.patch
- manpage: Updated aireplay-ng manpage.
- INSTALLING: Removed (now) useless requirement for OSX installation.
- GUI (windows): Fixed 2nd selection of a capture file.

Grab it here.

If Your Name's Not Down You Ain't Coming In - Impersonating Windows Services For Fun, Profit Or Just To Evade Group Policy

2009-08-22T23:23:40Z

Apologies for the long title, I just couldn't resist. This article/blog post compliments my previous one on evading GPO and getting a command prompt. Anyhow, that's in the past, let's move on with our lives.

Why would you want to evade Group Policy in the first place? I think I've mentioned it before but usually as part of a GAP (Government Assurance Pack) analysis performed in a penetration test. Clients usually want to know their if their implemention of a GAP lockdown leaves the workstation in a good condition, e.g. do any loopholes allow a malicious user to break out of the environment. Also, does the lockdown stop users from doing what they need to do? Again, a fine line between usability, functionality and security. I feel kinda like a lawyer when performing these reviews - it's often a case of looking through pages of GPO rules and software restriction policies and looking for wildcards with regards to executable files/directories and cross referencing these with writable privileges. Anyway... going a bit into the methodology there, lets get back on track.

Lets assume you have exhausted all other options with regards to breaking out of the environment and you're near to smashing the place up... Wait! I may just be able to help.

Windows has a little thing called "Services" which can be accessed by typing "services.msc" from the run prompt. Great - but what if the run prompt has been locked down? Well you can usually access it through the start menus - even as a normal or power user. If you can't do it via this method then you need to overcome this obstacle first - not covered in this post! There are 101 ways to break out of Windows environments in little but effective ways - Office macros, Internet Explorer functionality and Windows Help are your friends here.

Right, so you managed to get this badboy services application open? That's good news. You will be presented with a big list of all different services, some system, some third party (see screenshot below). Some of these will get started automatically on boot, others are required to be started manually and some will be disabled. Some are executed in the context of Local Service, a specific user, others as Local System. We are looking for a service with the right qualities, think online dating, GSOH, etc;

- It must be executed in the context of Local System;

- It can be manually started (although automatic is good but will require a reboot);

- The service must call an executable in a directory to which we have write access to.

(click image to enlarge)

Satisfy all these conditions and the service has marriage written all over it.

As a normal user, or even as a power user, we won't be able to edit any of the services parameters; paths, etc. However, we will be able to stop/start it. Ignore that for now.

You'll notice a load of services point to executables in the Windows System directory, write access here is out of the question. You will get lucky with third party applications that act as a service to the OS, those which live in C:\Program Files\... (which we can potentially write to) and those which need to be run in the context of Local System.

Lets assume we found some Citrix service in this example which is manually started and runs under the context of Local System when started and finally, it lives in C:\Program Files\Citrix\CitrixBah.exe. You can see all this information from going into the properties (right click) on the specific service - an example is in the screenshot below.

(click image to enlarge)

So in our example, in the "Path to executable:" bit would be C:\Program Files\Citrix\CitrixBah.exe. We first stop this service. Please note it is always good to pick non-essential services to impersonate if you have the choice! We go looking in C:\Program Files\Citrix\ (via 1000 breakout methods) and find CitrixBah.exe and rename it to CitrixOld.exe. If we didn't have write access to this folder we'd see a nasty Windows popup right now... but since from your paperwork (or even from xcacls) you know you have write access, its all good.

You now get creative - I usually whack up my own compiled code that will add a new user and assign them to the Administrators group (via net user command). I get this onto the box via whatever isn't locked down; USB, CD-ROM (always a killer...) and over the Internet. I name this CitrixBah.exe and place it in C:\Program Files\Citrix\. When run as a normal user this obviously gives me a great big nada... However, since it will be run under the context of Local System, happy times.

Now go back to Windows Services, right click and click "Start" or you can do it within the properties. It will quickly run your goodness then quit. You will now have your own admin user. Re-login or just right click and run "Explorer" with the Run-As goodness with your new user.

Don't forget to put the old CitrixBah.exe back too! ;o)

Thank you, and goodnight.

All Your Metadata Are Belong To Us, FOCA...

2009-08-06T22:23:53Z

So, quite a hardcore time in Vegas. If you ever get the chance to get table service in the Mirage's Jet nightclub or the Bellagio's Bank nightclub then you should snap it right up - might cost you though ;o) Anyhow, something that I thought was worthwhile from Defcon 17 was a little tool called FOCA. The name is itself jokes but it is quite interesting.

You probably know all about MS Office/Open Office, etc. documents leaving meta data all over the place - previous authors, dates, changes, etc. Just go have a peek under File --> Options/Summary or Properties and it'll show you. It's old school stuff. Anyway, what I didn't realise was how much information PDF files leaked - internal usernames, hostnames, directories, etc.

What the crazy (...proper crazy) guys at Informatica64 have done is create a pretty neat Win32 application that pulls all of these infoz out and allows you to sort them in a meaningful way. You can even extract badboy usernames and load them straight into Hydra for example. Makes for a nice little information gathering/discovery tool for black box penetration tests.

Anyhow I won't bang on about it too much, you get the picture. PaulDotCom has a nice write up with plenty of screenshots.