August 21st, 2008
I’m into phishing attacks. I think they can be very clever and effective. So despite hating spam, when a particularly interesting attack makes it through my filters I’m interested. Here is a message I recently received:
Received: from rrcs-70-61-41-118.central.biz.rr.com ([70.61.41.118]) by
XYZ.cyberwart.com with XYZ; Wed, 20 Aug 2008
16:46:16 -0400
Received: from [70.61.41.118] by vs.inext.co.jp; Wed, 20 Aug 2008 15:46:19
-0500
From: "Curtis Townsend" <xire@braintrust-art.com>
To: <XYZ@cyberwart.com>
Subject: Fedex Tracking N_ 6625268383
Date: Wed, 20 Aug 2008 15:46:19 -0500
Message-ID: <01c902db$e3389780$76293d46@xire>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_000E_01C902DB.E3389780"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.3416
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4963.1700
Importance: Normal
Return-Path: xire@braintrust-art.com
X-OriginalArrivalTime: 20 Aug 2008 20:46:24.0488 (UTC)
FILETIME=[CF540680:01C90305]
X-Evolution-Source: pop://XYZ@localhost/

This is a multi-part message in MIME format.

------=_NextPart_000_000E_01C902DB.E3389780
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Unfortunately we were not able to deliver postal package you sent on August the 1st in time
because the recipients address is not correct.
Please print out the invoice copy attached and collect the package at our office
Your FEDEX

------=_NextPart_000_000E_01C902DB.E3389780
Content-Type: application/zip; name="WD6128922.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="WD6128922.zip"
I’m waiting on a couple of FedEx packages, so I almost opened it. The sad thing is that, looking at it, the details aren’t really there. They should have spoofed the sender and made it look more like a real FedEx message.
Posted in | No Comments »
August 21st, 2008
Not too long ago, I had a customer have some trouble with malicious email being sent to corporate users. The emails came from outside the network, but appeared to be coordinated by an accomplice on the inside. We wanted to see if we could discover who that accomplice was. So I wrote a quick little script using Python and Scapy to monitor who is emailing whom.
#!/usr/bin/env python3
import sys
import time

try:
    from scapy.all import IP, TCP, sniff
except ImportError:
    print("scapy must be installed")
    sys.exit(1)


def net_handler(p):
    """Print one CSV line for every SMTP/POP3 segment that carries From: and To: headers."""
    efrom = eto = esubj = ""
    t = time.strftime("%X %x")
    src = str(p[IP].src)
    dst = str(p[IP].dst)
    # Decode the TCP payload as text; replace any bytes that are not valid ASCII
    payload = bytes(p[TCP].payload).decode("ascii", errors="replace")
    for line in payload.split("\n"):
        line = line.strip()
        upper = line.upper()
        # Match the header names case-insensitively but keep the original value
        if upper.startswith("FROM: "):
            efrom = line[6:].strip()
        elif upper.startswith("TO: "):
            eto = line[4:].strip()
        elif upper.startswith("SUBJECT: "):
            esubj = line[9:].strip()
    if efrom and eto:
        print("%s, %s, %s, %s, %s, %s" % (t, src, dst, efrom, eto, esubj))


def main():
    # Watch SMTP (25) and POP3 (110) on eth0; store=0 keeps memory flat on a busy link
    sniff(count=0, store=0, iface="eth0", filter="tcp port 25 or tcp port 110", prn=net_handler)
    print("finis")


if __name__ == "__main__":
    main()
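As an added example (not the post's script), here is the same header extraction done offline over a constructed SMTP session, with one change a practitioner would want for this investigation: it also records the SMTP envelope (MAIL FROM / RCPT TO), because the From: header is whatever the sender typed while the envelope is what the mail server actually used, so a mismatch between the two is the first thing to look for when deciding whether a message was spoofed or relayed. The session text and all addresses are constructed.

```python
import re

# Constructed SMTP session (client side), made up for this example.
SAMPLE_SESSION = b"""\
EHLO relay.mailer.example\r
MAIL FROM:<bulk@mailer.example>\r
RCPT TO:<alice@corp.example>\r
RCPT TO:<bob@corp.example>\r
DATA\r
From: "IT Helpdesk" <helpdesk@corp.example>\r
To: <alice@corp.example>\r
Subject: Package delivery notice\r
\r
Please print the attached invoice.\r
.\r
QUIT\r
"""

def parse_smtp_session(raw):
    """Return (envelope sender, envelope recipients, header dict with from/to/subject)."""
    text = raw.decode("ascii", errors="replace")
    env_from, env_to, headers = None, [], {}
    in_data = False
    for line in text.split("\r\n"):
        if not in_data:
            m = re.match(r"MAIL FROM:\s*<([^>]*)>", line, re.IGNORECASE)
            if m:
                env_from = m.group(1).lower()
            m = re.match(r"RCPT TO:\s*<([^>]*)>", line, re.IGNORECASE)
            if m:
                env_to.append(m.group(1).lower())
            if line.upper() == "DATA":
                in_data = True
            continue
        if line == "":  # blank line terminates the header block
            break
        name, sep, value = line.partition(":")
        if sep and name.lower() in ("from", "to", "subject"):
            headers[name.lower()] = value.strip()
    return env_from, env_to, headers

def header_envelope_mismatch(raw):
    """True when the address in the From: header differs from the envelope sender."""
    env_from, _, headers = parse_smtp_session(raw)
    m = re.search(r"<([^>]+)>", headers.get("from", ""))
    header_addr = (m.group(1) if m else headers.get("from", "")).lower()
    return env_from is not None and header_addr != env_from
```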
Posted in | No Comments »
August 3rd, 2008
My company will be giving out free T-shirts at Defcon during Bob Ricks’s talk. Make sure to stop by to get one!
Posted in | No Comments »
August 3rd, 2008
Despite being a hardcore linux guy, I like all the features Exchange provides. Sure they add additional attack surface, but on the whole the features make business a lot easier. Anyway, CyberWART moved our email server to Exchange and spam instantly increased. Setting up email filtering didn’t fully work out until I enabled it for SMTP — as opposed to the server in general. Since it was a bit of a pain, I thought I’d link the article:
http://technet.microsoft.com/en-us/library/bb914061.aspx
Posted in | No Comments »
August 1st, 2008
I just stumbled across an interesting article about an upcoming talk at BlackHat. They dub the technique “GIFAR” where they rename a java file as a gif but it still executes as a jar.
CyberWART and G2 have used similar techniques. One of my favorites is to create an HTML file and rename it to a .doc extension. The file will open and, if done correctly, will look exactly like an MS Word document. However, there are a couple of nice perks.
First, some HTML markup still works. You can embed a hotlink to an image on the web, and the computer will automatically pull it. This is useful for SPAM and such.
Additionally, you can embed ActiveX. The ActiveX will autoexecute in the context of the localhost — which is lovely. We’ve been fuzzing those controls.
Posted in | 2 Comments »
August 1st, 2008
Update to NOP certifications: they will be available first come first served (sign up sheet) at the Immunity Inc. booth in the vendor section of DEFCON. Participants can use their own tools if provided to us on CD, or Immunity tools will be provided. …..
….we can confirm that not only will certified NOPs at DEFCON receive an invitation to the Sexy Hacking party, to be held in an as-yet undisclosed location on Saturday August 9, but at the party certified NOPS will also have the opportunity to play Hugh Jackman’s role from the film Swordfish while sitting an advanced NOP certification test! Select Sexy Hacking girls will be scene extras and the winners will receive a job interview with Immunity.

Posted in | No Comments »
July 30th, 2008
#!/usr/bin/perl -w
use strict;
use MIME::Lite;

# Arguments: sender address, file with one recipient per line, file holding the HTML body
my $src_addr = $ARGV[0];
my $tgt_list = $ARGV[1];
my $msg_file = $ARGV[2];
my $dst_addr = "";
my $msg_body = "";

# Slurp the whole message body into one string
open(MSGFILE, $msg_file) or die "cannot open $msg_file: $!";
while (<MSGFILE>)
{
    $msg_body = $msg_body . $_;
}
close(MSGFILE);

# Send one copy of the message to each address in the target list
open(TFILE, $tgt_list) or die "cannot open $tgt_list: $!";
while (<TFILE>)
{
    chomp;               # drop the trailing newline so the To: header is clean
    $dst_addr = $_;
    next if $dst_addr eq "";
    #print localtime(time);
    # create a new MIME Lite based email
    my $msg = MIME::Lite->new
    (
        Subject  => "subject here",
        From     => $src_addr,
        To       => $dst_addr,
        Type     => 'text/html',
        Encoding => 'quoted-printable',
        Data     => $msg_body
    );
    # $msg->add("Return-Path" => $src_addr);
    #$msg->attach(Type     => 'image/jpeg',
    #             Path     => '/Users/gnat/Photoshopped/nat.jpg',
    #             Filename => 'gnat-face.jpg');
    $msg->send();
}
close(TFILE);
Posted in | No Comments »
July 29th, 2008
I recently purchased a new Dell PowerEdge 2950 as a personal R&D box… hey, fuzzing in VMs and testing malware is great and I needed more horsepower. Unfortunately, when I installed CentOS 5.2 (I tried RHEL 5.2 as well) the thing would throw an IERR (specifically e1410, the error bit on the CPU) after POST/Grub. I couldn’t figure out what the deal was and Dell was no help. It turned out to be the Radeon device driver. If you don’t boot into X11, or if you replace the radeon driver with the generic vesa driver, you’re set.
Posted in | No Comments »
July 29th, 2008
Anyone going out to Blackhat/Defcon this year? I know a few of the G2 guys are. Bob Ricks is giving a talk at Defcon and George Saylor may be going. You should definitely check out his talk and send me an email if you’re going to be there.
Posted in | No Comments »
July 29th, 2008
Wow, it’s been almost a year since my last real blog post. Since then times have been odd. I went to Foundstone for a while. Things there were sometimes fun and I met a lot of great people, but it wasn’t right for me. So I’m back at G2, but we’ve stood up a pen test/exploit research group inside the commercial practice, so that’s awesome. Everyone here is great. We have a couple of former Foundstone guys here and the team is just rocking. Since G2 doesn’t have a blog I’ll probably start posting here again. More to come soon.
Posted in | No Comments »
November 5th, 2007
javascript:alert(String.fromCharCode(65));
I always forget the fromCharCode JavaScript function… Not again!!!
Posted in | No Comments »
September 15th, 2007
At BH/Defcon HD Moore gave a great talk entitled “Tactical Exploitation”. They dragged the talk out a bit long, but mixed in there were several neat tricks and, more importantly, a hacking philosophy that I couldn’t agree with more.
Tactical Exploitation is about being clever. It’s not exploit development; it’s taking existing technology and leveraging it to the attacker’s advantage. A good example is misusing the way NTLM/NetBIOS works. I’ve seen shops that build HUGE parallel clusters to crack NTLM passwords…. it works, but they never quite understood that you didn’t need to crack the hashes. Rather, you can simply grab them and re-use them. Yes, there are some reasons to crack them, but that’s beyond the scope here. Tactical Exploitation realizes that you only need the hash, and then builds it into an attack. For example, they use file shares embedded in HTML to cause users to auto-connect.
Tactical exploitation is powerful because it’s so simple. Some customers hear “0-day” or “exploit development” and instantly you lose relevance. All but a few government and financial institutions care about this level of attack. They (sometimes rightly) regard that threat as beyond their capability and/or as a realistic threat given their business. Therefore tests can rapidly spiral into patch management audits — which prove very little. However, by leveraging misconfiguration, user error, and a few clever hacks you can typically gain access.
Tying these tactical attacks together, you can achieve strategic exploitation of the target and be assured of a successful PT.
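The auto-connect trick mentioned above works because a mail client or browser rendering HTML fetches an image whose src is a UNC path or file:// URL, and in doing so connects to whatever host is named there. As an added, defender-side example (not from the talk or this post), the scanner below walks an HTML body and reports every automatically fetched reference to a remote share while ignoring ordinary http(s) links and local file:///C:/ paths; the HTML body and hosts are constructed.

```python
import re
from html.parser import HTMLParser

# Constructed HTML mail body for this example (203.0.113.0/24 is a documentation range).
SAMPLE_HTML = r"""<html><body>
<p>Please review the attached invoice.</p>
<img src="http://images.example.net/logo.png">
<img src="\\203.0.113.7\share\tracking.png" width="1" height="1">
<img src="file://fileserver.example.net/pub/badge.gif">
<img src="file:///C:/Users/Public/local.png">
</body></html>"""

# Attributes a renderer fetches on its own, without the user clicking anything
AUTO_FETCH_ATTRS = {"src", "background", "data"}

def remote_share_host(value):
    """Return the host named by a UNC path or file:// URL to a remote share, else None."""
    v = value.strip()
    is_file_url = v.lower().startswith("file:")
    if is_file_url:
        v = v[5:]
    elif not v.startswith("\\\\"):
        return None  # http(s), relative and protocol-relative URLs are not share references
    m = re.match(r"^[\\/]{2,}([^\\/\s]+)[\\/]", v)
    if not m:
        return None
    host = m.group(1)
    if re.fullmatch(r"[A-Za-z]:", host):
        return None  # file:///C:/... is a local path, not a remote host
    return host

class ShareRefFinder(HTMLParser):
    """Collects (tag, attribute, host) for every auto-fetched reference to a remote share."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:  # html.parser already lowercases attribute names
            if value and name in AUTO_FETCH_ATTRS:
                host = remote_share_host(value)
                if host:
                    self.findings.append((tag, name, host))

def find_share_references(html):
    """Scan an HTML body and return the list of remote-share references it would fetch."""
    parser = ShareRefFinder()
    parser.feed(html)
    return parser.findings
```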
Posted in | No Comments »
September 15th, 2007
Over a year ago I had a job offer from Foundstone. At the time I declined. There were several reasons for that. One of the larger was that the position was in NYC. I think NY is a wonderful city, but I just didn’t feel up to the move. Further, I felt a bit of reservation about Foundstone’s approach. Essentially, most of their pen test type work is very fast and formalized. I was interested in pursuing other approaches. So, I spent a year at a company that offered me that opportunity. When I had pen test work it was great. I could execute the tests mostly like I wanted. I could meet the customer’s need and do research type work too. Unfortunately the PT work didn’t come often enough.
I had considered several very well known shops in the DC area. Many of them follow a very similar mentality to mine. The problem is that they separate development from services — a pen tester generally won’t write code or exploits. To me, I just can’t fathom this. I’ve worked in this type of environment and it just seems to me that the service people become too dependent on the developers and the tools…. at the same time the developers get too far away from hands-on the network.
All things considered, I’ve accepted a job with Foundstone (in the DC area). I think their unique mix of business, research, teaching, and writing should offer me the chance to grow in the ways that I want.
Posted in | No Comments »
August 10th, 2007
The concept of idle scanning has been around for quite a while. I’m not sure how many people really understand it, but the basic principle is to send a SYN packet to a target host with the source IP spoofed to that of an idle host, then watch the idle host’s IPID field. Generally the IPID increments by one every time a host gets a packet. If a host is known to be idle, then the IPID increases by one if the target responds with a SYN-ACK to the spoofed packet. The details can be found at http://insecure.org/nmap/idlescan.html
However, it’s been my experience that most hosts are very seldom really idle. Far more often they tend to be almost idle. This screws up idle scanning, but idle scanning should still work in principle — though you have to be a little trickier. Instead of waiting for a host to become idle, ping it regularly and establish a “heartbeat”. If the heartbeat is fairly stable you can perform what I’m calling semi-idle scanning. Instead of sending one spoofed packet, send a statistically significant burst. If the heartbeat increases sufficiently, then you know the target host responded to the semi-idle host and therefore the port was open.
Right now I’ve only significantly tested this with hping2, but I’m working on writing a wrapper around nmap’s idle_scan.c. Currently it seems to work, but I’m only thresholding the values rather than using statistics. Really, I should compute the average heartbeat and the standard deviation. Then send a burst and see if I exceed the deviation. In this case, the host doesn’t even really need to be semi-idle — traffic only needs to be statistically constant. However, this method is fairly slow so anything beyond “semi-idle” is REALLY slow.
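As an added example (not the author's wrapper, which was never posted), here is the statistic the last paragraph describes: the per-interval IPID increments, corrected for the 16-bit wraparound that a naive difference gets wrong, their mean and standard deviation as the heartbeat baseline, and the threshold test for whether the increment seen across a burst window exceeds that baseline. The IPID readings are constructed; the same baseline is also how a defender can check whether one of their own hosts has a predictable IPID counter, which is what makes it usable as a zombie.

```python
import statistics

# Constructed IPID readings from a "semi-idle" host, one per probe interval
# (the sequence deliberately crosses the 16-bit wrap from 65535 back to 0).
BASELINE_IPIDS = [65530, 65533, 0, 3, 7, 10, 13, 17, 20]


def ipid_increments(samples, modulus=65536):
    """Increment between consecutive IPID readings, correcting for 16-bit wraparound."""
    return [(b - a) % modulus for a, b in zip(samples, samples[1:])]


def heartbeat_baseline(samples):
    """Mean and sample standard deviation of the host's own IPID increment per interval."""
    inc = ipid_increments(samples)
    return statistics.mean(inc), statistics.stdev(inc)


def burst_is_significant(baseline, burst_increment, k=3.0):
    """True when the increment across the burst window exceeds mean + k * stddev.

    If the probed port is open, the semi-idle host answers each of the target's
    SYN-ACKs, so the increment grows by roughly the burst size on top of the
    heartbeat.  A floor of 0.5 on the deviation keeps a perfectly regular host
    (stddev 0) from flagging a single stray packet as a response.
    """
    mean, std = baseline
    return burst_increment > mean + k * max(std, 0.5)
```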
Thoughts? Comments?
Source code to come shortly….
Posted in | No Comments »
August 10th, 2007
This year was my first time attending BlackHat. I’ve gone to Defcon several times before and I’ve generally enjoyed the experience. However, I was able to get BH expensed this year and went along.
Initially I was quite impressed. Caesar’s is FAR nicer than Alexis Park or the Riviera. Lunch was excellent and the talks were very comfortable. The parties were awesome and in general I can’t complain at all about the location/setup.
Unfortunately, the speakers just didn’t deliver. There was no exceptional work this year such as exploiting Cisco routers or 0-days for some major software. I can handle the lack of exceptional. If everything were exceptional then exceptional would just be ordinary. I had expected the types of talks I’d heard at Defcon in years past. The speakers are usually the same, so shouldn’t the talks be about the same?
The answer is definitely ‘no’. The audience was mostly managers and other suits, so the talks tended to be non-technical or product focused. I think the low point was Greg Hoglund’s talk. Greg is an exceptional person; he’s written several of the best books in the Offensive Security sphere. He was talking about exploiting MMORPGs (and you can’t get much cooler than that), but 95% of the talk was just a sales pitch for HBGary’s Inspector — which, while I’m sure it’s a cool product, I can’t afford and don’t want to hear about.
So in that room and to thunderous applause of the sales pitch, Hacking died at BH07.
Posted in | 3 Comments »