The Paris Hack

It’s been big news lately: Paris Hilton had her T-Mobile Sidekick hacked, and her address book, notes, and camera-phone images showed up all over the internet. I originally suspected it was a result of T-Mobile getting pwned by Nicolas Jacobsen over the course of a year, which was in the news recently. That article states that Jacobsen “could access information on any of the Bellevue, Washington-based company’s 16.3 million customers, including many customers’ Social Security numbers and dates of birth, according to government filings in the case. He could also obtain voicemail PINs, and the passwords providing customers with Web access to their T-Mobile e-mail accounts. He did not have access to credit card numbers.” However, I ran into this O’Reilly article by Brian McWilliams that states T-Mobile.com requires users who forget their password to answer a secret question in order to reset it. Supposedly, someone simply masqueraded as Hilton via her T-Mobile.com email account and claimed to have forgotten her password. Hilton’s question was “What is your favorite pet’s name?” Anyone who doesn’t live in a cave knows that Hilton carries around a little rat dog named Tinkerbell everywhere she goes. I really dislike secret questions. For one, if they are lame and there’s no lockout on attempts, they can easily be bruteforced (favorite color, etc.). Second, some answers can be obtained through social engineering or public records (name of the street you grew up on, etc.). Third, I can use a fairly secure password but still have to rely on the answer to a secret question as essentially my backup password, and that backup password, in my case, will be much easier to guess than my fairly secure password.

PADS – Passive Asset Detection Engine

I’ve known about PADS, the Passive Asset Detection Engine, probably since it was first publicly released. I finally had a chance to try it out and I think it is useful in identifying asset types without using active means. You can run PADS on existing pcap files or run it in daemon mode and have it listen on an interface. I decided to chew through some existing full pcaps from a Sguil sensor by using the -r flag and having PADS report only on my network assets using the -n flag:

for i in /var/log/snort/dailylogs/2005-02-2*/*; do ./pads -n 10.0.0.0/23 -r $i; done

PADS writes the data to a CSV file called assets.csv by default. The data in this file looks like this:

10.0.0.131,25,6,smtp,Generic SMTP - Possible Postfix,1109006918
10.0.0.130,22,6,ssh,OpenSSH 3.7.1p2 (Protocol 2.0),1109006918
10.0.0.163,443,6,ssl,OpenSSL,1109006919
10.0.0.133,22,6,ssh,OpenSSH 3.7.1p2 (Protocol 2.0),1109006919
10.0.0.156,0,1,ICMP,ICMP,1109006919

You can run a report using the PADS Text Reporting Module pads-report.pl. A snippet of the report looks like this:

1 ------------------------------------------------------
IP:       10.0.0.135
ICMP:     Enabled

Port  Service    Application
22    ssh        OpenSSH 3.7.1p1 (Protocol 2.0)
13782 unknown    unknown

2 ------------------------------------------------------
IP:       10.0.0.138
ICMP:     Enabled

Port  Service    Application
22    ssh        OpenSSH 3.7.1p2 (Protocol 2.0)
13782 unknown    unknown

3 ------------------------------------------------------
IP:       10.0.0.144

Port  Service    Application
22    ssh        OpenSSH 3.7.1p2 (Protocol 2.0)

4 ------------------------------------------------------
IP:       10.0.0.145

Port  Service    Application
22    ssh        OpenSSH 3.7.1p2 (Protocol 2.0)
7040  www        Unknown HTTP (HTTP/1.1)

PADS makes its decisions on what the application is by using a signature file, much like the one used by NMAP when using the -sV flag to do service detection. Here’s what some of the Apache signatures look like in the PADS signature file:

www,v/Apache/$1//,Server: Apache\/([\S]+)[\r\n]
www,v/Apache/$1/$2/,Server: Apache\/([\S]+)[\s]+\((.*)\)
www,v/Apache/$1/$2/,Server: Apache\/([\S]+)[\s]+([\S]+)
www,v/Apache///,Server: Apache[\r\n]
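To show how those signature lines turn a captured banner into the Application column, here is a small matcher written for this post (it is not PADS code). It takes the four Apache lines above in PADS' service,v/vendor/version/info/,regex form, applies them in file order and fills in $1/$2 from the capture groups; the first-match-wins order and the "Apache 1.3.33 (Unix)" string assembly are this example's assumptions, and the banners are constructed rather than captured.

```python
import re
from typing import Optional

# The four Apache signature lines quoted above, in PADS' service,v/vendor/version/info/,regex form.
PADS_SIGS = r"""
www,v/Apache/$1//,Server: Apache\/([\S]+)[\r\n]
www,v/Apache/$1/$2/,Server: Apache\/([\S]+)[\s]+\((.*)\)
www,v/Apache/$1/$2/,Server: Apache\/([\S]+)[\s]+([\S]+)
www,v/Apache///,Server: Apache[\r\n]
""".strip().splitlines()


def parse_signature(line: str):
    """Split one signature line into (service, [vendor, version, info], compiled regex)."""
    service, template, pattern = line.split(",", 2)
    # template looks like v/Apache/$1/$2/ : drop the leading "v/" and trailing "/", pad to 3 fields
    fields = template[2:].rstrip("/").split("/")
    fields += [""] * (3 - len(fields))
    return service, fields, re.compile(pattern)


def identify(banner: str, sigs=PADS_SIGS) -> Optional[dict]:
    """Match a banner against the signatures in file order; first hit wins (assumed PADS behaviour)."""
    for line in sigs:
        service, fields, rx = parse_signature(line)
        m = rx.search(banner)
        if not m:
            continue

        def fill(field: str) -> str:
            # replace $1, $2, ... with the corresponding capture group from the regex
            return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", field)

        vendor, version, info = (fill(f) for f in fields)
        # "Apache 1.3.33 (Unix)" style string; the exact assembly is this example's choice
        app = vendor + (f" {version}" if version else "") + (f" ({info})" if info else "")
        return {"service": service, "vendor": vendor, "version": version,
                "info": info, "application": app}
    return None


# Constructed banners (not captured traffic), one per signature plus a non-Apache server.
SAMPLE_BANNERS = [
    "HTTP/1.1 200 OK\r\nServer: Apache/1.3.33 (Unix)\r\n",
    "HTTP/1.1 200 OK\r\nServer: Apache/2.0.52\r\n",
    "HTTP/1.1 200 OK\r\nServer: Apache/1.3.33 mod_ssl/2.8.16\r\n",
    "HTTP/1.1 200 OK\r\nServer: Apache\r\n",
    "HTTP/1.1 200 OK\r\nServer: nginx/0.1.0\r\n",
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(repr(b.splitlines()[1]), "->", identify(b))
```

Note that signature order matters: the second and third Apache lines both match a banner like "Apache/1.3.33 (Unix)", so the one listed first decides whether the info field comes out as "Unix" or "(Unix)".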

I think this information would be a great complement within the Sguil console for doing Network Security Monitoring. Tony Lukasavage contributed code to PADS called ATM (Assets to MySQL) which takes the asset file and INSERTs the data into a MySQL database. Also, when browsing the PADS forums on Sourceforge I saw that Matt Shelton, PADS author, wrote “I’m working on something similar to the Snort/Barnyard approach. It’s the same concept; the detection engine will be separated from the IO module. Look for it in the upcoming v1.2!” So, I think when Matt gets that complete it will be trivial to hack PADS into Sguil.

MySQL bot infecting Windows machines

The ISC’s Handlers Diary today covers a new MySQL bot that is actually quite clever. First off, it only affects MySQL running on Windows systems (who does that? I guess quite a few people, as there are a few thousand systems infected). The bot doesn’t take advantage of any vulnerability in MySQL; instead it bruteforces the MySQL root password by chewing through a long list of passwords. Again, this is a great example of why strong passwords are a fundamental part of security. The clever part comes after the bot successfully connects to the database as the root user. As outlined in the Handlers Diary:

“Once connected, the bot will create a table called ‘bla’ using the database ‘mysql’. The ‘mysql’ database is typically used to store administrative information like passwords, and is part of every mysql install. The only field in this database is a BLOB named ‘line’.

Once the table is created, the executable is written into the table using an insert statement. Then, the content of is written to a file called ‘app_result.dll’ using ‘select * from bla into dumpfile "app_result.dll"’. The ‘bla’ table is dropped once the file is created.

In order to execute the ‘app_result.dll’, the bot creates a mysql function called ‘app_result’ which uses the ‘app_result.dll’ file saved earlier. This function is executed, and as a result the bot is loaded and run.”

I think that leveraging the MySQL root access the way the bot author(s) did to compromise the entire system is really sweet!
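From the monitoring side, the sequence the Handlers Diary describes leaves a distinctive trail in MySQL's general query log. As an added example (not from the diary or this post), here is a small detector that scans such a log per connection thread and flags any thread that both writes a table out with INTO DUMPFILE and then loads a function from a library with CREATE FUNCTION ... SONAME; the log lines, thread ids and hosts are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed MySQL general query log (time, thread id, command, argument), not a real capture.
# Thread 7 mimics the sequence from the Handlers Diary; 5 and 9 are ordinary traffic.
SAMPLE_LOG = """\
050301 14:02:11\t    5 Connect\tapp@10.0.0.20 on shop
050301 14:02:11\t    5 Query\tSELECT id FROM orders WHERE id=42
050301 14:02:30\t    7 Connect\troot@10.0.0.99 on mysql
050301 14:02:30\t    7 Query\tCREATE TABLE bla (line BLOB)
050301 14:02:31\t    7 Query\tINSERT INTO bla VALUES (0x4D5A9000)
050301 14:02:31\t    7 Query\tSELECT * FROM bla INTO DUMPFILE 'app_result.dll'
050301 14:02:32\t    7 Query\tDROP TABLE bla
050301 14:02:32\t    7 Query\tCREATE FUNCTION app_result RETURNS INTEGER SONAME 'app_result.dll'
050301 14:02:33\t    7 Query\tSELECT app_result()
050301 14:03:00\t    9 Query\tSELECT * FROM t1 INTO OUTFILE '/tmp/export.csv'
"""

# general log line: "<date> <time>\t<thread id> <command>\t<argument>"
LINE_RX = re.compile(r"^\S+ \S+\t\s*(\d+) (\w+)\t(.*)$")

# Individual indicators; any one alone can be legitimate, the combination is what matters.
INDICATORS = [
    ("blob_table", re.compile(r"\bCREATE\s+TABLE\b.*\bBLOB\b", re.I)),
    ("dumpfile_write", re.compile(r"\bINTO\s+DUMPFILE\b", re.I)),
    ("udf_from_library", re.compile(r"\bCREATE\s+FUNCTION\b.*\bSONAME\b", re.I)),
]


def scan(log_text: str) -> dict:
    """Return {thread_id: sorted indicator names} for every thread that tripped an indicator."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RX.match(line)
        if not m or m.group(2) != "Query":
            continue
        tid, stmt = int(m.group(1)), m.group(3)
        for name, rx in INDICATORS:
            if rx.search(stmt):
                hits[tid].add(name)
    return {tid: sorted(names) for tid, names in hits.items()}


def suspicious_threads(log_text: str) -> list:
    """Threads that both dropped a file to disk and then registered a UDF from a library."""
    return sorted(tid for tid, names in scan(log_text).items()
                  if "dumpfile_write" in names and "udf_from_library" in names)


if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
    print("suspicious threads:", suspicious_threads(SAMPLE_LOG))
```

Thread 9's INTO OUTFILE export is deliberately not matched, since bulk exports are routine; on the prevention side, a strong root password and no remote root login are what stop this bot before any of these queries run.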

Password recovery on a Cisco PIX 501

I found myself with a couple of Cisco PIX 501s that were pulled from production a while ago and needed to be redeployed. The passwords were unknown. So, I used the document Password Recovery and AAA Configuration Recovery Procedure for the PIX in order to reset the password. I needed to download the binary file available on that webpage for the version of the PIX software that was installed, as well as a TFTP server. Working from a Windows machine I chose the SolarWinds TFTP server. I followed the steps under the section “PIX Without a Floppy Drive”. This involved going into monitor mode on the PIX by booting it up and hitting ESC, setting the interface to use by issuing ‘interface 0’, setting the IP address of interface 0 with the ‘address’ command, setting the filename to retrieve from the server with ‘file np63.bin’ (the binary file I downloaded), and setting the server with the ‘server’ command (the IP of the TFTP server):

monitor> interface 0
0: i8255X @ PCI(bus:0 dev:17 irq:9 )
1: i8255X @ PCI(bus:0 dev:18 irq:10)

Using 0: i82557 @ PCI(bus:0 dev:17 irq:9 ), MAC: 000e.83b2.e0a4
monitor> address 10.3.10.24
address 10.3.10.24
monitor> file np63.bin
file np63.bin
monitor> server 10.3.10.25
server 10.3.10.25

At this point it was possible to ping the TFTP server and retrieve the binary file with the command ‘tftp’:

monitor> ping 10.3.10.25
Sending 5, 100-byte 0x891a ICMP Echoes to 10.3.10.25, timeout is 4 seconds:
!!!!!
Success rate is 100 percent (5/5)
monitor> tftp
tftp np63.bin@10.3.10.25........................................................
................................................................................
.............................................
Received 92160 bytes

Cisco Secure PIX Firewall password tool (3.0) #0: Thu Jul 17 08:01:09 PDT 2003
Flash=E28F640J3 @ 0x3000000
BIOS Flash=E28F640J3 @ 0xD8000

Do you wish to erase the passwords? [yn] y

The default telnet password after this is “cisco” and there is no enable password. Pretty painless.

Troubleshooting SSL from the command line

I find myself having to investigate why an SSL service is not working from time to time. Usually this happens when I’m on a remote shell and don’t have access to a web browser. Debugging cleartext services is easy because they usually return a banner or other data after you connect to them. For instance, with the HTTP protocol you can simply do something like:

# echo -e -n "HEAD / HTTP/1.0\r\n\r\n" | nc foo.bar.com 80
HTTP/1.1 500 No Context configured to process this request
Content-Type: text/html
Date: Wed, 26 Jan 2005 16:08:19 GMT
Server: Apache Tomcat/4.0.1 (HTTP/1.1 Connector)
Connection: close

The openssl command line tool has an option, s_client, that implements a generic client that can speak SSL/TLS. If we were to use nc to connect to the host on its SSL-speaking port it would not return anything. So, using the openssl tool, we do this in order to test https://cisco.com:

# openssl s_client -connect cisco.com:443
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=San Jose/O=Cisco Systems/OU=ITG-WSI(cco-sj-1)/CN=www.cisco.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=San Jose/O=Cisco Systems/OU=ITG-WSI(cco-sj-1)/CN=www.cisco.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=San Jose/O=Cisco Systems/OU=ITG-WSI(cco-sj-1)/CN=www.cisco.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=San Jose/O=Cisco Systems/OU=ITG-WSI(cco-sj-1)/CN=www.cisco.com
   i:/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=San Jose/O=Cisco Systems/OU=ITG-WSI(cco-sj-1)/CN=www.cisco.com
issuer=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
---
No client certificate CA names sent
---
SSL handshake has read 1536 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 2932C689345E5C302FE75477926FE21ACDB2CD8D86AF720B7FBF96BF94B17994
    Session-ID-ctx:
    Master-Key: 6D9817BBCE4723C870BAAB33FDCFFA7419DCFA192605760A93977763E31F48218C388A6D184CDE6A6C12EF8CE37DC8A1
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1106755570
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

At this point we can interact with the web service just like we did with the HTTP service earlier:

GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Wed, 26 Jan 2005 16:23:58 GMT
Server: Apache/1.0 (Unix) mod_ssl/2.8.16 OpenSSL/0.9.7d
Set-Cookie: CP_GUTC=198.7.47.200.7211106756640314; path=/; expires=Sun, 20-Jan-30 16:23:58 GMT; domain=.cisco.com
Last-Modified: Tue, 14 Dec 1999 19:03:53 GMT
ETag: "330c3-41-38569499"
Accept-Ranges: bytes
Content-Length: 65
Connection: close
Content-Type: text/html

I find it useful to add the -nbio argument along with the -state argument to openssl: -nbio runs it with non-blocking I/O and -state prints the handshake states, so you can pipe the output through tools like grep:

# openssl s_client -connect cisco.com:443 -state -nbio 2>&1 | grep SSL
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:error in SSLv3 read finished A
SSL_connect:error in SSLv3 read finished A
SSL_connect:SSLv3 read finished A
SSL handshake has read 1536 bytes and written 340 bytes
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
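When you have to do this often, it helps to have something that reads saved s_client output and says what to check next. The following helper is an added example written for this post (not part of openssl); it parses a trimmed copy of the cisco.com output above, which is embedded as the sample input, and the advice strings keyed on the verify return codes are this example's own wording.

```python
import re

# Trimmed copy of the s_client run above (certificate body left out), used as sample input.
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=San Jose/O=Cisco Systems/OU=ITG-WSI(cco-sj-1)/CN=www.cisco.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=San Jose/O=Cisco Systems/OU=ITG-WSI(cco-sj-1)/CN=www.cisco.com
   i:/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Verify return code: 21 (unable to verify the first certificate)
"""

# Verify codes seen most often when troubleshooting (X509_V_ERR_* numbers) and what to check next.
ADVICE = {
    0: "chain verified against the local trust store",
    18: "self-signed leaf: trust it explicitly or replace it with a CA-issued certificate",
    20: "issuer not found locally: point openssl at the right CA bundle (-CAfile/-CApath)",
    21: "leaf issuer unknown: server is not sending its intermediate, or the CA is not trusted here",
    27: "certificate not trusted: the CA is present but not trusted for this purpose",
}


def diagnose(output: str) -> dict:
    """Extract protocol, cipher, key size, chain depth and verify result from s_client text."""
    def first(pattern: str):
        m = re.search(pattern, output, re.M)
        return m.group(1) if m else None

    code = int(first(r"^\s*Verify return code: (\d+)") or -1)
    chain = re.findall(r"^ *\d+ s:(.*)$", output, re.M)      # one entry per certificate sent
    key_bits = int(first(r"^Server public key is (\d+) bit") or 0)
    findings = [ADVICE.get(code, f"verify code {code}: see the verify(1) man page")]
    if len(chain) == 1 and code in (20, 21):
        findings.append("only the leaf was sent; clients without the CA locally will fail too")
    if 0 < key_bits < 2048:
        findings.append(f"{key_bits}-bit server key is below the 2048-bit minimum expected today")
    return {
        "protocol": first(r"^\s*Protocol\s*: (\S+)"),
        "cipher": first(r"^New, .*, Cipher is (\S+)"),
        "key_bits": key_bits,
        "chain_depth": len(chain),
        "verify_code": code,
        "findings": findings,
    }
```

The helper keys on the Verify return code line rather than on the -state output, because with -nbio the "SSL_connect:error in ... read ..." lines only mean a non-blocking read had to be retried, not that the handshake failed.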

Browsing the Web and Reading E-mail Safely as an Administrator

Michael Howard has written in his blog a two-part series on how you can run as admin on your Windows box and access the internet (browser, email, IM) safely by dropping certain admin privileges. Howard is a self-described “Simple Software Security Guy at Microsoft”, actually a Senior Security Program Manager in the Secure Engineering group at Microsoft, and is co-author of Writing Secure Code. Part one of the article is here and part two is here. Of note is that only Windows XP and Windows Server 2003 (and later) support this capability because of new functionality called Software Restriction Policy, also known as SAFER. In part one Howard provides a link to download DropMyRights.msi, which is an app that takes the current user’s token (like admin), removes various privileges from it, and then uses this stripped token to spawn the application that should run under a non-admin context. DropMyRights can be used with any application like IE, Outlook, Firefox or Groupwise. It couldn’t be easier to set up either. You simply create a shortcut and pass the application you want to run with least privileges to DropMyRights.exe, such as: C:\dropmyrights.exe "c:\program files\internet explorer\iexplore.exe". Using this method means you are utilizing APIs like SaferCreateLevel and SaferComputeTokenFromLevel.

In part two Howard shows how to use Software Restriction Policies through local or enterprise policy. There are five SAFER security levels: Disallow, Unrestricted, Normal User, Constrained, and Untrusted. Howard provides a link to the Group Policy Object snap-in, which needs to be added to MMC. Once added there will be a Software Restriction Policy menu item where the policy on an app like IE or Outlook can be changed so that it runs as a low-privilege user rather than admin. Howard states that the “beauty of this solution over the solution using the SAFER APIs is that the SAFER policy mechanism is enforced by the operating system when a process starts. So you can invoke Internet Explorer from a shortcut on the desktop or a saved URL on the desktop, and Internet Explorer will run as a user.” The other exciting thing about the ability to change the security level is the Disallow level; so let’s say there’s a 0day Windows virus and your AV vendor hasn’t released a definition for it. Well, you can now implement a stopgap solution until your AV vendor releases the def by setting a Disallow rule. For instance, W32/Bagle propagated by adding an exe in the WINDOWS SYSTEM directory named bbeagle.exe. So you could simply add a Disallow rule for c:\windows\system32\bbeagle.exe to your Group Policy and roll the policy out to the entire organization.

Another tangent I learned about while reading this is how policies are pushed to or retrieved by Windows machines. Windows 2000 periodically refreshes group policy settings throughout the network. On clients, this is done by default every 90 minutes with a randomized offset of +/- 30 minutes. You can force an update by issuing “secedit /refreshpolicy machine_policy” or “secedit /refreshpolicy user_policy” at the command prompt. However, secedit has been replaced by gpupdate on XP, Server 2003, and later.

Googling webcams

I was pointed to this forum that explained googling for inurl:”ViewerFrame?Mode=” will reveal plenty of unsecured webcams. You can control these cameras too, which makes it all the more interesting. It’s kind of neat to be able to peer in on the life of an ordinary person on the other side of the world and make the camera follow them back and forth. I don’t think vendors will ever start to ship products in *some state* of being secured rather than none simply due to ease of setup and use. Look at all the issues with APs and default SSIDs. Sad but true.

SQL Injection Attacks by Example

SQL Injection Attacks by Example is an article written by Steve Friedl which really drives at *how* one goes about discovering how the application can be exploited and finding a SQL injection attack. I really enjoyed this walkthrough since it is essentially a real-world hack.

Snort <=2.2 Denial of Service exploit posted

While doing my daily security reading, I came across news of a Snort 2.2 DoS exploit posted at SANS ISC. According to the daily handler, K-OTik notified them of an exploit for Snort 2.2 and earlier. According to the handler, “It will core dump a running Snort process with a specially crafted packet. The recommended fix is to upgrade to Snort 2.3 RC1 or better which various handlers have reported is stable. This particular exploit works with Linux-based distributions, but not BSD-based. (We tried RHEL3, Debian, and OpenBSD).” Chatting with Marty Roesch over IRC, he stated that the exploit only works when Snort is run in sniffer mode. Specifically, it’s a bug in log.c and will only happen when “you touch the p->tcp_options[] array directly and nothing in snort outside the protocol printers does”.

Lepton’s crack or LCrack for Windows password auditing

Reading a recent thread on the pen-test mailing list about password auditing led me to Lepton’s Crack or LCrack for short which is a free GPL password cracking engine and development workbench. Of course, the old standbys of JtR, rainbow tables (which I wrote about before) and the Windows based Cain & Abel and L0phtCrack ($$$) were mentioned. But I had never heard of LCrack. Browsing the LCrack website, I came across a link to An experiment with Lepton’s Crack. After reading this article, the advantages or unique features of LCrack over other software like Cain & Abel or JtR would have to be the advanced regex support which would be useful for auditing passwords with known conventions or if a partial password is known.