Thursday, 23 April 2009

Backtrack 4 Beta and Nessus 4.0.0

I recently installed Nessus 4.0.0 on a VMware install of BackTrack 4 Beta. Below are the steps I took.

Download the following Linux packages from the Nessus website.


You will also need to register in order to obtain the activation key.

Before installing, we will need to install some missing dependencies:

apt-get install libqt4-core libqt4-gui libqtcore4 libqt4-network libqt4-script libqt4-xml libqt4-dbus libqt4-test libqtgui4 libqt4-svg libqt4-opengl libqt4-designer libqt4-assistant

Install the server.

# dpkg -i Nessus-4.0.0-ubuntu804_i386.deb

Configure the certificate

# /opt/nessus/sbin/nessus-mkcert

Add the admin user

# /opt/nessus/sbin/nessus-adduser

# /opt/nessus/bin/nessus-fetch --register 'your_registration_key'

# dpkg -i NessusClient-4.0.0-ubuntu804_i386.deb

# /etc/init.d/nessusd start

And start the client from Menu > Internet > NessusClient, or use the CLI.

Wednesday, 22 April 2009

Social Engineering Investigations

Below is a general outline for investigating social engineering style attacks. This article is meant for discussion purposes only.

One thing you need to be aware of is that social engineering is not limited to IT systems; it is an issue for the entire organisation.

Social engineering attacks can vary from low tech to high tech.

There are many factors that can lead to a successful social engineering attack.

Normally an attacker would first take a look at the company website, as these are usually filled with useful information such as the names, positions and phone numbers of staff.

Organisations need to be aware of just how much information they are giving away on their websites.

It's also common practice in organisations that a user's email address will be the same as their network user name. The password for email may also be the same as the network logon; this is normally true where an organisation is using Microsoft Exchange.

Armed with this information, an attacker may call the help desk posing as someone in a senior position in the organisation and ask for "help" on how to connect to the network from home. Help desk staff have been surprisingly helpful to me in the past when I have attempted this type of attack.

An attacker may also pose as a sales rep, as an employee of an IT-related magazine or journal, or even as someone seeking employment, and ask to speak to the help desk / IT department. When connected they would ask a series of questions relating to the computer systems in place, such as operating systems (Windows, Apple Macs, Linux/Unix), network infrastructure, wireless, remote access, web-based email, etc.

This information can help an attacker target specific areas of the network, such as wireless access points or remote access systems.

Organisations will also typically have large bins outside the premises: around the back, near the car park, at basement level, etc. Since the bins are collected and/or emptied by third parties, access to them is rarely restricted.

The amount of information that can be recovered from looking through a company's rubbish can be very rewarding: customer records, employee records, financial statements and other sensitive company data. This style of attack is commonly known as "dumpster diving".

These points would typically be the first steps, as the attacker never has to enter the building to gain access to sensitive information about the organisation. This raises an interesting question: since people are volunteering the information, has the attacker broken any laws? And if the bins are in a publicly accessible or shared area, has the attacker broken any laws by "dumpster diving"?

An attacker could also just walk in the front door, past security and reception staff. Mornings and lunchtimes are always a good time to attempt this as there is a constant flow of people leaving and entering the building.

Other common entry points would be via the car park. But by far the best way in is with the smokers. The attacker will hang around outside, start chatting to other smokers and then just walk into the building with them. Once in the building it's easier to move around, because if you're there people assume that you're supposed to be there; after all, you've been seen outside smoking and talking with genuine employees. An attacker may then install keyloggers, covert wireless access points or other bugging devices. Even something as simple as walking up to a printer and taking "your" printout will go unnoticed.

The likelihood of the above attacks being detected is low.

Prevention of some of these types of attacks can also be difficult.

The physical security of the building and its associated property should be monitored by a combination of monitored CCTV and security guards. Bins should be locked and/or held in a secure area until they are collected.

Now for the IT side of things. This is normally shorter, as the trick is to get into the building. The majority of the time sensitive data is not stored on employees' computers or laptops but on servers. These servers are typically kept in locked rooms secured by a physical lock and/or an electronic lock such as a swipe card or proximity card, and access is generally restricted to a few IT staff. If the attacker wanted to gain access to this room for whatever reason, stealing the physical hardware for example, they would first need to find out who has access to the room and then attempt to covertly copy their access card.

Often, if the attacker really needs to access server-stored data, it's more efficient to attempt to "hack" into the network from the inside, or even simply find a desk, call the IT department and ask them to reset "your" password.

The attacker may even simply pick up a laptop and walk out.

If the attacker really needs access to the server room they may pose as an engineer from one of the organisation's third-party support vendors, or even from the local telecoms company. A little work with some logos downloaded from the vendor's website, a colour printer and a laminator or plastic card printer is all that's needed to add credibility to the attacker's "story" as to why access is needed. Add in a few business cards with the "office" phone number and a work order, and the attacker may even be given unsupervised access to the server room or other sensitive areas of the business such as meeting and conference rooms.

The more high-tech attacks are normally phishing-style attacks, where an attacker will set up a fake website that looks identical to the organisation's, on a URL that closely matches the organisation's. The attacker will typically focus on the logon page or other pages that prompt the user for sensitive information. The end user will typically not know that their details have been "stolen". In the more sophisticated version of this attack the attacker captures the user's data and then "sends" that data on to the genuine site for processing: if the details are correct the user is presented with a valid session, if not they get the standard logon failed message.
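The defensive counterpart to the phishing paragraph above is spotting the "closely matching" URL in your own logs before users do. The script below is an added example, not code from the original post: it scans web-proxy log lines for hosts that impersonate the organisation's domain by a different TLD, a digit-for-letter substitution, a typo within two edits, or the brand name embedded in an unrelated domain. The organisation's domain example-corp.com and the log lines are constructed for the example.

```python
"""Flag lookalike domains in web-proxy log lines.

Added example, not code from the original post. It assumes the organisation's
real domain is example-corp.com and uses a few constructed log lines.
"""
from urllib.parse import urlparse

ORG_DOMAIN = "example-corp.com"           # assumption: the organisation's genuine domain
ORG_LABEL = ORG_DOMAIN.split(".")[0]      # "example-corp"

# Digit-for-letter substitutions common in typosquatting; fold them before comparing.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def edit_distance(a, b):
    """Levenshtein distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def registrable(host):
    """Approximate the registrable domain as the last two labels.
    A real deployment would consult the Public Suffix List (co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(host):
    """Return a reason string if `host` looks like an impersonation of
    ORG_DOMAIN, or None for the genuine site and for unrelated hosts."""
    host = host.lower()
    reg = registrable(host)
    if reg == ORG_DOMAIN:
        return None                               # genuine site or one of its subdomains
    label = reg.split(".")[0]
    if label == ORG_LABEL:
        return "same name, different TLD"
    if label.translate(HOMOGLYPHS).replace("rn", "m") == ORG_LABEL:
        return "homoglyph substitution"
    dist = edit_distance(label, ORG_LABEL)
    if dist <= 2:
        return "typosquat (edit distance %d)" % dist
    if ORG_LABEL in host:
        return "brand embedded in unrelated domain"
    return None


# Constructed sample proxy log lines: timestamp, client IP, method, URL.
LOG_LINES = [
    "2009-04-22T09:12:01 10.0.0.15 GET https://www.example-corp.com/login",
    "2009-04-22T09:13:44 10.0.0.22 GET http://examp1e-corp.com/login",
    "2009-04-22T09:15:09 10.0.0.22 GET http://example-corp.net/owa/auth.php",
    "2009-04-22T09:16:30 10.0.0.31 GET http://exampel-corp.com/login",
    "2009-04-22T09:18:02 10.0.0.31 GET http://example-corp.com.secure-login.net/",
    "2009-04-22T09:20:15 10.0.0.40 GET https://www.ubuntu.com/download",
]


def scan(lines):
    """Return (host, reason) for every log line whose URL host looks like a lookalike."""
    hits = []
    for line in lines:
        host = urlparse(line.split()[-1]).hostname
        if host:
            reason = classify(host)
            if reason:
                hits.append((host, reason))
    return hits


if __name__ == "__main__":
    for host, reason in scan(LOG_LINES):
        print("%-40s %s" % (host, reason))
```

Run as-is it reports the four lookalikes and lets the genuine www.example-corp.com and the unrelated Ubuntu site through. Before alerting on hits, compare them against the domains the organisation legitimately owns (the .net may be yours), and replace the two-label guess in registrable() with the Public Suffix List so that country-code second-level domains are handled correctly.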

Now, the people side of things is always going to be the hard part to protect yourself from.

Staff will need to be trained on the dos and don'ts of both the security surrounding the building and the IT systems.

The help desk staff should be trained to ask specific security questions in order to verify the identity of the user; relying on caller ID or someone's post code, zip code or date of birth is not sufficient. Caller ID is easy to fake and a person's home address is not too difficult to obtain.

Reception staff, PAs and secretaries are your first line of defence against telephone-style attacks. These staff members should be trained in filtering out the false calls from the genuine ones. Keep in mind that not all false callers can be stopped here, but they can at least be slowed down.

All employees should be made to feel comfortable challenging people they personally do not recognise, or any "employee" not displaying a valid ID card.
All non-employee visitors to the building should be escorted everywhere.
Visitors should not be given access to the organisation's network unless authorised.
Be wary of IP telephones in semi-public areas such as a reception area: these phones are connected to the organisation's internal network and typically have two network ports, so all an attacker would need to do is connect their laptop to the IP phone to reach the organisation's network. The same applies to wired/wireless internet access for guests. Guest internet access should be on a separate network segment or VLAN that denies access to the corporate LAN.

Do you think you would fall victim to a social engineering attack? Ask yourself the following questions:

Do I know everyone in the building?
Would I hold an access-controlled (swipe/proximity card) door open for someone if they were carrying something?
Would I challenge someone if I could not see their employee ID badge?
Would I lend mine to someone who approached me at the coffee machine if they said they had left theirs in their car?
Would I let someone in if I saw them chatting to one of the PAs or secretaries?
If someone called me on an internal extension claiming to be from the IT department, would I give them my password?

People are the weak link in the chain here. An attacker will use people's natural willingness to help against them. This is why social engineering attacks work: it's because they are allowed to work.

Investigating this type of attack.

The fact that you know an attack has taken place is a good start.
How was it detected?
When was it detected?
When did the attack take place?
How was the attack carried out?

Investigating this type of attack is something that needs to be handled carefully. The aim really is to answer "How did someone manage to steal our assets?", be that information, hardware or both.
This would typically start with interviewing any persons identified from the previous questions. One thing to keep in mind is that people will feel embarrassed about coming forward and talking about the "attack".

They may feel guilty about any information they may have divulged. I would suggest that a third party conduct these interviews anonymously, i.e. people do not have to give their names to the interviewer and the interview is carried out in confidence that no disciplinary action will be taken. The attack will have succeeded because of either a lack of controls or a lack of proper implementation, monitoring and enforcement of controls. Take the employee ID card as an example. Most policies state that "employees are required to have their ID cards visible at all times". Is this true for the organisation? Is this policy actually enforced? In my experience the companies that enforce this are few and far between.

The result of these attacks will usually be that your staff are more aware of just how easy it is to leak data without even knowing it. I feel that an organisation should notify all its staff when a social engineering style attack has been discovered so they may all learn from it. Remember that your staff are your first line of defence against a social engineer.

Tuesday, 21 April 2009

EnCase and Tableau Forensic Bay

Came across this issue today and thought I'd share it with you.

I recently installed the latest version of EnCase Version . The release notes state that hard drives connected to Tableau write blockers are now recognized by EnCase as being write blocked. Since we use a large number of Tableau devices I started testing.

In testing I have found this to be true for the Tableau T35es, T35e, T3u, T4, T14 and the T15.

When testing with the T335 (Forensic Drive Bay Controller, firmware 6.22) I found that EnCase is not correctly identifying a drive as being write blocked.

Test Results

IDE - Read Only, SATA1 - Read Only, SATA2 - Read Only
EnCase sees all drives as write blocked.

IDE - Read Write, SATA1 - Read Write, SATA2 - Read Write
EnCase sees all drives as not write blocked.

IDE - Read Only, SATA1 - Read Write, SATA2 - Read Only
EnCase sees all drives as write blocked.

This can be an issue because, if you believe what EnCase is telling you while creating a forensic image of a suspect drive and the drive is actually in a read/write bay, you may accidentally alter potential evidence while the EnCase report states that the drive was acquired write blocked.
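The check a practitioner wants here is one that does not depend on what EnCase reports: hash the drive, attempt a write through the blocker, hash again, and trust only the hashes. The script below is an added example, not from the post and not from Guidance Software or Tableau. It assumes a scratch drive path passed on the command line (a drive that holds no evidence, since the probe write is destructive if the blocker fails) and otherwise falls back to a constructed temporary file so it can be exercised without hardware.

```python
"""Validate a write blocker by hashing, attempting a write, and hashing again.

Added example, not part of the original post. Point it only at a scratch drive
that holds no evidence; the device path is an assumption supplied by the user.
"""
import hashlib
import os
import sys
import tempfile

PROBE = b"WRITE-BLOCKER-VALIDATION-PROBE"   # constructed marker written at offset 0


def sha256_of(path, chunk=1 << 20):
    """SHA-256 of a file or block device, read after dropping cached pages."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        if hasattr(os, "posix_fadvise"):
            # Drop cached pages so we read what the device returns, not what the
            # page cache remembers from our own write attempt (Linux only).
            os.posix_fadvise(f.fileno(), 0, 0, os.POSIX_FADV_DONTNEED)
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def attempt_write(path, data=PROBE, offset=0):
    """Try to write `data` at `offset`. Returns True if the OS accepted the
    write; a blocker may reject it with an I/O error or silently discard it."""
    try:
        with open(path, "r+b") as f:
            f.seek(offset)
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        return True
    except OSError:
        return False


def verify_write_blocked(path):
    """Return a result dict; `write_blocked` is True only if the content hash
    is unchanged after the write attempt, regardless of what the OS reported."""
    before = sha256_of(path)
    accepted = attempt_write(path)
    after = sha256_of(path)
    return {"before": before, "after": after,
            "write_accepted": accepted, "write_blocked": before == after}


def make_scratch_file(size=4096, fill=b"A"):
    """Create a temporary file standing in for a scratch drive (for testing)."""
    fd, path = tempfile.mkstemp(prefix="wb-scratch-")
    with os.fdopen(fd, "wb") as f:
        f.write(fill * size)
    return path


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else make_scratch_file()
    result = verify_write_blocked(target)
    verdict = "WRITE BLOCKED" if result["write_blocked"] else "NOT BLOCKED - content changed"
    print("%s: %s (OS accepted write: %s)" % (target, verdict, result["write_accepted"]))
    print("before %s\nafter  %s" % (result["before"], result["after"]))
```

With no argument it runs against a writable temporary file and therefore reports NOT BLOCKED, which is the expected result for an unprotected target. Against a bay set to read-only the "before" and "after" hashes must match; note that "OS accepted write" can still be True on a blocker that silently discards writes, which is exactly why the verdict is taken from the hashes and not from the write call. For a formal validation, re-hash again after power-cycling the drive so that nothing is served from a cache on the bay or the disk.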

I have made Guidance Software aware of this issue.

Guidance Software have created defect number 28371 for this issue.

Monday, 20 April 2009

Install OpenOffice 3.01 in Backtrack 4 Beta

I decided to install OpenOffice in Backtrack, since it is not part of the default pack because of size limitations. I always find it useful to have a spreadsheet application installed as part of my pen-testing toolkit.
Get the Linux DEB. I am using the English (US) version.

tar -zxvf OOo_3.0.1_LinuxIntel_install_en-US_deb.tar.gz
cd OOo_inst_folder/DEBS
dpkg -i *.deb

(Not sure this is needed for KDE, but I did it for the icons in kmenuedit.)
cd desktop-integration
dpkg -i *.deb

Add it to the KDE menu (if you are using Gnome you don't need to do this).

Click on Utilities
Ctrl+N (New)

Name: OpenOffice3 (or whatever you want)
Command: /opt/openoffice.org3/program/soffice
Click on the blank icon next to Name and pick an icon for OpenOffice
Ctrl+S (Save)

Thursday, 16 April 2009

Increase the number of tcp connections in Windows XP


Half-open limit fix is a program designed to change the maximum number of concurrent half-open outbound TCP connections (connection attempts) in the Windows system file tcpip.sys.

Microsoft first introduced this limit in Windows XP SP2 (Service Pack 2) and it is present in all later versions of Windows. This was done to try to slow the spread of viruses and malware from system to system, and also to reduce the impact of infected systems participating in DoS (Denial of Service) attacks.

This limit makes it impossible for Windows systems to have more than 10 concurrent half-open outbound connections. After 10, new connection attempts are put in a queue and forced to wait.

Wednesday, 15 April 2009

FreeNAS - Transmission and Windows Remote Client

I've been playing around with FreeNAS for some time now and have migrated an old Debian server over to FreeNAS in order to make things easier for the non-linux members of our team.

The server hosts all the deployment images for our lab workstations, among other non-sensitive data. The images are deployed via PXE; more on that to follow in another post.

I recently looked at the BitTorrent service, which seems like a good idea. All your torrents are controlled and downloaded to a central location, ideal in a lab environment. Downloading the latest version of Ubuntu or OpenOffice is now as simple as dropping the .torrent file into a shared directory and letting FreeNAS take care of the rest.

The majority of the lab workstations are Windows boxes, so I went to the Transmission website to download the Windows remote client. It was then that I found that Transmission does not have a Windows client.

A few Google minutes later I found transmission-remote-dotnet on its Google Code page. I installed it, configured it to connect to the FreeNAS server and now have it running without any issues on a test machine.

Thursday, 2 April 2009

VMWare Shared Folders and BackTrack 4 Beta

I finally got around to trying out the latest version of Backtrack 4 Beta. Using VMWare Workstation 6.5.1 I enabled "Shared Folders" so I could use some pre-compiled tables. However, when I browsed to /mnt/hgfs I saw an empty folder.
Trying mount.hgfs .host:/ /mnt/hgfs/ gave the following error: Error: cannot mount filesystem: No such device

To fix this issue follow these steps.

Download and extract the latest tarball of open-vm-tools from SourceForge.

Download and extract the latest glib tarball from because open-vm-tools requires it.

Install glib:
./configure && make && make install

Build and install open-vm-tools, disabling the optional dependencies it would otherwise need:
./configure --without-dnet --without-x --without-unity --without-icu && make && make install

Reboot and use the following command to mount your VMWare Shared Folder.

mount -t vmhgfs .host:/ /mnt/hgfs/

Wednesday, 1 April 2009

Add Pre-Computed WPA hashes to airolib

First I obtained the 33GB rainbow table from

Please note that the 33 GB file is compressed using a number of methods so you need a lot of space to decompress the hash files.

When the file is downloaded (wpa_psk-h1kari_renderman.tar.lzma), extract it; I used 7zip.
Once extracted you are left with wpa_psk-h1kari_renderman.tar

The next step is to decompress the .tar; again I used 7zip.
When the extraction is complete you will have 9 folders; these folders contain the pre-computed hashes.

Now all you have to do is know which ESSID you are looking for. I assume you are auditing your OWN NETWORK or have permission to audit your client's network.


I want to audit a wireless network with WPA encryption and an ESSID of "Private".

airolib-ng testdb --import cowpatty /mnt/sdb1/wpapsk/xag-0/Private

There will then be some reading and writing to "testdb".

airolib-ng testdb --stats

You should see your ESSID computed to 100%.