This is a ton of fun, and a great tool for learning. Enjoy!
BananaGlee. I just love saying that word
So, was reading up on the NSA backdoors for Cisco and other OSes, http://cryptome.org/2014/01/nsa-codenames.htm, and got to thinking about how the NSA might exfiltrate their data or run updates…It’s gotta be pretty stealthy, and I’m sure they have means of reflecting data to/from their Remote Operations Center (ROC) in such a way that you can’t merely look at odd destination IPs from your network.
This got me thinking about how I would find such data on a network. First off, obviously, I’d have to tap the firewall between firewall and edge router. I’d also want to tap the firewall for all internal connections. Each of these taps would be duplicated to a separate network card on a passive device.
1) eliminate all traffic that originated from one interface and went out another interface. This has to be an exact match. I would think any changes outside of TTL would be something that would have to be looked at.
2) what is left after (1) would have to be traffic originating from the firewall (although not necessarily using the firewalls IP or MAC). That’s gotta be a much smaller set of data.
3) With the data set from (2), you’ve gotta just start tracing through each one.
This would, no doubt, be tons of fun. I don’t know how often the device phones home to the ROC, what protocol they might use , etc…
If anyone has any ideas, I’d love to hear them. I find this extremely fascinating.
So, my boss had asked me last week to read the Mandiant report and see how these Chinese APT1 attacks could be detected on a network both during and after an attack. After reading the report, I was pretty saddened by just how little has been done in the last 20 years in Infosec. The tactics and protocols used to steal data are old (decades old) and stale. My initial reaction was, and is, that user’s are still not being properly educated AND held responsible for their actions. We’re letting the users off too easily! Corporations are still trying to solve a people problem with software or appliances.
Take a look at the top 15 Security startups of 2013 (http://www.businessinsider.com/15-most-important-security-startups-2013-1?op=1). Now, look at how many of these software products ASSUME that the user will do the wrong thing and click on a link or an attachment. We have sandbox technology so that when the user downloads the malware, software can fix it (remember Pelican SafeTNet from late 90′s early 2000′s). We have software that steers employees away from bad websites (how does this work? A list of bad sites won’t work…downloading the page and running static checks won’t work…I dunno…would be interesting to hear more, but I digress).
Look, if your kids were prone to starting fires while cooking food, is the fix to create a million dollar stove that auto-senses when the heat is too high or when the smell of burnt food is in the air and automatically shuts down? Or, is the fix to teach your kids the proper way to use the stove? If I was a Corporate Security officer, I would make user education a top priority. I would even be willing to bring in a company that specialized in user security education (train the trainer type stuff). That would be money well spent. Every new user gets a class in computer security complete with a hands-on lab, test, and an Acceptable Use policy that they sign after completion. Existing users have to “re-certify” every year when they get a performance review.
Next, hold the user accountable for their actions after completing said training. In this day and age, a compromised computer inside the network is a license to steal. Having a computer with Internet access is a serious responsibility. If you mess up and do what you were trained NOT to do, then you are punished. Keep messing up and you get your pink slip. The user’s aren’t as stupid as we make them out to be. If their actions impact their bottom line, they will act accordingly. If we don’t hold the user responsible, why do they have any reason to change their behavior?
And, on a related tangent, maybe I’m just too old school but I don’t understand why a company would allow their employees (paid to do a Corporate-related job) to surf social media, p2p, job-search sites, dating sites, web-based email, etc. etc.
I had the chance to hang out at the SECCDC yesterday at Kennesaw State Univ. For those not familiar with these events (I wasn’t either, until yesterday), you have colleges who bring in teams to defend against a ‘red team’. UNC Charlotte defended their network better than the other colleges. It was interesting to see these schools throwing in block filters, redirects, etc. on the fly. Impressive from a bunch of college students. The red team was equally impressive. There wasn’t a box that they didn’t, at some point, root thoroughly…
One interesting note. During the competition, there was a full power outage. UPSes died. Images were lost. Router configs were killed. It generally set the entire competition back a few hours (at least). Just a reminder that physical security is every bit as important as the logical security….
Actually, the title of this blog is a bit misleading. It should read “a new toolbox for your toolbox collection”
If you’ve ever done a web app pen test, you know that it gets messy really quick. Add in source code auditing, screen shots, movie shots, reporting, etc. etc. and you end up with tons and tons of tools running, large folders of data, and a headache when it comes time to put all this data into a presentable format.
Dinis Cruz is hoping to relieve some of this headache with his new OWASP O2 platform. This single interface ties together source code auditing, some penetration testing tools, integration with 3rd party scanners (in the future), windows productivity tools, movie editor, and a whole lot more.
I installed it and have been playing with it. As with any toolbox, there will always be things you would like to see, but this beta release (1.2) has a ton of features and hooks for many more.
So, go and try it! You can get the code from http://www.o2platform.com/wiki/O2_Release/v1.1_Beta
I love parsing public data. I blogged about it here http://blogs.securiteam.com/index.php/archives/328 about 4 years ago (wow, how time flies)
Now, there is a new set of email data from Supreme Court Justice nominee Elena Kagan which the Sunlight Foundation folks put into a nice gmail interface here: http://elenasinbox.com/
Unfortunately, the dump from the archives looks to be in PDF format. I’m hoping there is a way to get the plain text dump of these emails. I’ve contacted the Sunlight guys and hope to get a chance to run some parsing algorithms shortly
Update: Tom Lee and Jake Brewer quickly responded and shared their methodology with me (thanks guys!)…I’m downloading now and will be parsing shortly
Last update: After getting everything converted over to text, I ran a series of checks for different things like checking/saving accounts, ssn, credit card, pr0n, etc. The only hits were a password to a non-existent site and some pr0n hits in the received box. All in all, very tame stuff.
So, obviously, network and application scanners are targeting flash ‘.swf’ (swiff) files. These scanners decompile and then do static analysis on the code. Very cool stuff. There are several that I know of that are handling swiff code in this manner.
1) SWFScan (sorry for linking to a forum search, but there is no nice clean URI for this product)
If I had the time, I’d like to see how these automated scanners handle malformed swiff files (hack-a-hack attacks).
A quick question for those more familiar with flash security tools: is there an open source lib for decompiling flash swiff files? Comment here or shoot me an email at email@example.com
Regarding http://blogs.securiteam.com/index.php/archives/1165 , I won’t be able to do daily posts…I’m just way too busy for that…
A few months back, I was sent a 4-foot tall, 80 pound kiosk in the mail. I had 32 hours (one weekend) to figure out how to break the software. It only took a few hours, so I thought I’d put together a list of Kiosk 101 security bullets.
1) Encrypt *all* of the traffic. If you’re not using certificates, it is downright trivial to modify a DNS server (or write a quick MITM proxy) to point your web/xml client to some other web site. Plus, do you really want your clients order, warranty information, address, phone number, best time to contact, etc passed in plain text over the web?
2) Do not trust the store network. Assume that someone malicious can both read AND write data on the store network.
3) Port scan or do a netstat on the kiosk OS to ensure that your kiosk isn’t set up with a service that binds a socket that you haven’t thought to ACL. I thought it unusual to find 6 open TCP ports on a secured kiosk device. For that matter, how about just blocking everything except the ports that you need?
4) disable broadcast services, especially ones that tell the passive listener the OS, system name, etc.
5) there is more at risk than just the kiosk. Consider the attacker who figures out how the client protocol works and then uses this information to spoof a malicious client and attack the server.
6) disabling the cache on the local system isn’t the same as always storing confidential data securely (in transit and at rest). Assume that the attacker can figure out your “magic key strokes” (maybe by recording a technician servicing the machine??????) and get local access.
7) This will be a service nightmare, but the devices shouldn’t be configured with the same accounts and passwords. If you break one kiosk, you shouldn’t be given the keys to all of the same kiosks.
If you play any sort of sport, you’ll be familiar with the means by which an athlete develops their skill. I like to box, so I’ll use that as an analogy. Before you ever get in the ring, you have to know how to balance your body, hold your hands, throw a punch, move your feet and head, etc. Once you master the FORM, you can then move to SPEED and STRENGTH training. You don’t start on the heavy bag. Kids who start on the heavy bag learn how to push a heavy bag…not how to fight. Kids who start with shadow-boxing, footwork, then move to double-end or speed work, and finally end up on the heavy bag, have the correct form to punch through an object and not push an object. I digress…
There is a discussion on the dailydave mailing list regarding the benefits of being able to reliably write exploit code in order to do pen-testing. Writing exploit code, reversing binary apps, and fuzzing are great skills. I liken them to a knockout punch. Not many people have these skills (relative to the total number of pen-testers). The problem is that you don’t want to start learning how to knock people out until you have figured out how to get close enough to throw the punch. How many times have you seen a pen-tester show up on site with his/her interpreter? I don’t mean a literal interpreter, I mean the person tasked with harnessing the creative maelstrom that is the pen-tester. These two (or more) often have their shtick all worked out and the Corporate folks grin along with the show.
Corporate folks: whatcha got on that leash there?
Interpreter: the whooly behemoth, recently returned from a heap-overflow bloodbath at Antigua
Corporate folks: AH! EEH! is it…is it like the others?
Interpreter: Unlike any other that has been seen in this part of the corporate world. Terribly destructive.
Corporate folks: Do we treat it like the others and put it in a cube near the bathroom, feed it pizza and caffeine and never, ever look it in the eyes?
Interpreter: Yes. Further, you have been blessed with the fact that I have been blessed with the ability of communicating with Bob…errr…the Behemoth. [turns to behemoth] ukkle snarp miselthrape dominos pizza muhgarkle
Behemoth: muhgarkle? jasi blem blam Papa Johns [and shuffles off to cube]
Interpreter: He’s on it now. [winks at crowd] I don’t know howwwwwww he does it [glances over shoulder at shuffling behemoth]…different breed, that’s for sure.
Corporate folks: [laughing]. Well, we sure are glad they sent You. Some companies [wink wink] just leave their behemoths on site with no supervision.
Interpreter: Oh, no. Yeah, we could never do that with this one…I could tell you some stories…oh my…leave him alone on site…horrible…hey, it’s almost 11:00. Who’s up for lunch?
This is roughly akin to a boxer entering the ring on the shoulders of another guy. The other guy lugs him around the ring, trying to position him to throw haymakers at the opponent. How much better if the guy throwing the haymakers had mastered the form necessary to get close enough to land a punch. With respect to corporate consultants, the form isn’t really that hard to come by. A few things:
1) You should be and smell clean. Often overlooked, a consultant should be well dressed, groomed, and not reek of the margarita shots that he/she was taking at the strip club 3 hours before the work day began.
2) You should be able to communicate with the business professionals that are paying for your consulting. This includes both speaking AND writing in a clear and intelligible fashion.
3) You should be able to understand business drivers and how they might *possibly* apply to your consulting engagement. This is an important point – The company will tell you what needs to be accomplished. Not the other way around.
So, I blogged about it here, initially. This week I’ve been playing with keyloggers. I had my keyloggers setup on win2k3 and winxp machines and I was accessing them via RDP. I made the mistake of keeping my RDP session nailed up. A few days later, I note tons of entries being displayed within the keylogger GUI. Of course, since the clipboard auto-synchs between the client machine and the RDP server, the keylogger on the virtual machine had been logging the clipboard contents from my home machine. I had been doing tons of code edits, so every cut-and-paste was captured and displayed by the keylogger software. Pretty embarrassing!
Now, what would I find if I setup a machine on a stub network, installed a keyboard logger, and let the hackers come on in? For everyone attaching to my machine, I would be snagging their clipboard. That might be interesting data.
OK, I’m sure that, as usual, I’m a day late to this party…but, I’m having lots of fun with Wikiscanner . It’s pretty fun to browse around companies that you’ve worked for and seeing what edits they have been doing on Wiki. One of the cool things is to look at a company and see when and where they have been editing their Companies wiki (it’s also funny to see when and where they have been editing their competitions wiki). Companies want to ensure that the Wiki article reflects well on their company. After all, a google query for company X will almost always have the Wiki article as one of the top hits. I’m pretty sure that this can be used to an attacker’s favour. For instance, if you know that the PR folks are monitoring and editing a certain page on the Internet at regular intervals, then you can inject malicious links, code (?), etc. and use it to target the internal user. What if the wiki page for a large software vendor contained a link to where they could download a demo of the software for free? Would the PR person know better than to download the software and see what it was?
I’m hyped! The much-anticipated Maltego version 2.0 is out. I had previously alluded to maltego here. To the 1% of you who haven’t heard of Maltego, it’s a tool for determining relationships between domains, users, email addresses, etc. I can’t think of an Infosec or traditional corporate security group which wouldn’t benefit from this tool. Check out new features here and here.
OK, everyone is probably familiar with the riddle put forth by Samson. e.g. “From the eater came forth food; and from the strong came forth sweet.”. The answer to that riddle was hidden. Who could have guessed the meaning? The strength of the riddle was in the fact that it was based on subjective knowledge that only Samson possessed. Of course, the story ends badly due to philistine subterfuge…but, I digress. I know that the security industry puts forth much effort in solving the riddle of “spam”. Question one, would a person, solving the spam riddle, be best served in keeping the answer to himself? It would seem that any sort of public solution would give the spammer equal opportunity to adjust their attack vector.
I don’t know much about spam. Google (and their gmail app) seem to know a lot about spam . Joe Stewart over at Secureworks knows a lot about spam. He claims that the top botnets can send over 100 billion spams per day. I have a few more ignorant questions:
2) Spam is a nuisance. Can the power of spam be harnessed and used against ones enemies? If spam is the “eater”, how can it be used to ones advantage?
3) The sending of spam seems highly automated. Can the power of spam be turned inward? Like a child scooping cuploads of black ants on a red ant mount, is there a way of causing a “war” between spambots? Would such a war benefit anyone?
I have a strong distrust of most marketing and sales individuals. I hate evaluating software and getting a dozen calls or emails from some overzealous, inside-sales weenie. For this reason, I usually use bogus information when I fill out the obligatory form requesting the software that I want to play with. Lately, a lot more companies have been ignoring my queries for eval software. While I’m pleased to not be receiving calls or emails, I would appreciate the actual software. Today, while waiting (not too patiently) for my link to come through, I went through the email looking for some clue as to why I wasn’t selected to play with their software. In the HTML, I note a line like this (obfuscated somewhat and using ‘(‘ and ‘)’ instead of angle brackets).
&_esniff=true” HEIGHT=”1″ WIDTH=”1″)
What’s that? Why is HEIGHT and WIDTH equal to 1? How will I ever see that?
So, the natural next question is: What happens when the web browser (or email client) requests that image. Well, it turns out it’s not a real image. It’s size is 0 bytes and the error code is “204 NoContent”.
I add a single quote to the abcdefghijklmnopqrstuv string. Now, I’m getting an error message like:
“MarketFirst encountered an error while processing your request.”
So, what’s the deal with that little, bitty image? Well, it turns out that I’m not supposed to see that little, bitty image. That little snippet is part of a marketing software (MarketFirst) which tracks when and where the email is opened (ooooh, I am *so* hating marketing guys right now).
To see other companies using the marketfirst software, google:
MarketFirst error inurl:”/mk/”
Even more fun, google:
MarketFirst inurl:”/mk/” ODBC error
Wanna try it yourself. Check out:
You’ll even get your own email which tracks back to their database…call it marketer on marketer crime.
Now, if I could just get a MarketFirst demo evaluation
P.S. and here’s how to bypass marketer profiling and get your software downloads. Open the email in plain text (it’s MIME encoded). Convert it to HTML text. Post the HTML on some web site. Now, call your buddy at a Fortune50 company and have him/her click the link. I bet you get the download now.
P.S.S Even more fun….embed the HTML in an email to some user at the same company where you are requesting the download
I’m rushing this post out so that this post can be the 1,000th post
1) see if there has been any cross-pollenation across the sites
2) See if any of these Fortune 1000 web developers have embedded open source code within their app.
3) If (2), I’d like to run the open source code through a static source code analyzer and see if there are any ‘gotchas’.
A few months ago, I did this exercise for a single Fortune 1000 company. I wasn’t really surprised to find a bunch of open source libs in use. In this particular case, I didn’t even need to use google codesearch to find the package that they were using. The company had left all te GNU comment info within the source. It also wasn’t surprising to find that the developers had installed the entire open source project under an ‘include’ directory, even though my spider only found a link to several of the ‘.js’ files. And, lastly, searching bugtraq for this particular product revealed that they were running an older, vulnerable version of their open source software. Mildly interesting. I’d love to automate this. A cool product would:
1) spider a site and download all their code (even HTML can have comment fields or variable names which can be used to track the HTML back to an open source app)
2) Use some algorithm to find uniq identifiers within the code. Store these identifiers.
3) Use some algorithm to compare these identifiers to other sites which have already been spidered and stored.
4) Feed these identifiers to ‘google codesearch’ to see if the code is part of a larger, open source project.
5) If (4) use some algorithm to determine the version level. Query bugtraq for flaws within the observed version.
6) Run the code through some static analyzers looking for coding flaws.
That’s it. Happy 1,000-post birthday Securiteam blogs!
Maltego GUI is off-the-freaking-chain. Check it out at http://www.paterva.com/web2/maltego/maltego-gui-1.0-download.html
Also, the folks at Security Compass have released some new firefox plugins which should aid in detecting SQL injection and XSS. I’m between gigs, but will give these a good test drive the next time I’m tasked with a web application.
If one doesn’t already exist, I’d like an open source “Reporting Framework”. A metasploit for power reporters. I spend at least 10% of my consulting hours on reporting. I hate reporting. Feed this tool your reports and get back a standard report in the template of your choosing. All cross-referencing with CVE, CVSS, BID, NIST, etc. should be automagic. Relevant references should be automatically inserted (links to patches, standards, etc.). There should even be an option for uploading screen shots which are tagged to an IP/FQDN and service…
Enjoy the Holiday of your choosing,