OSCP (Offensive Security Certified Professional) Training and Challenge

I’m writing this post, as I really feel that this course needs to get more publicity. Over the last few years I have done countless security courses, and exams from some of the top players in this market, and nothing has come close to the OSCP training.

I first signed up for the training in May, as I saw it advertised on the Offensive Security website and thought that it sounded fun. At first glance, I really wasn’t too sure about the training materials, as you get a Flash based CBT and a PDF. I initially ran through the CBT side of things in a week, when I actually got around to doing the training, and thought that it needed a bit of work. I think that I wasn’t looking at the training from the right angle, and that’s why I misjudged it: it’s not designed to teach you everything in one sitting, it’s designed to give you enough information to go away and actually spend some time researching the different areas that they cover, in which case it’s the best training that I’ve ever taken!

There is no way that a training course could cover everything that they cover without expecting you to go away and do some research yourself, and well to me, doing the research on my own time really paid off, as I feel that I learnt more in the time that I spent either going through the training or researching bits of it, than I have in the last 2 years.

Now on to the actual challenge that you must pass to obtain the certification. This is a live hack of a number of predefined hosts, and you have 24 hours to get through them all. You can pretty much use any publicly available exploits or even write your own to compromise these hosts, and well, let me tell you, this has to be the most insane 24 hours that I have ever had. It took me 23 hours and 55 minutes, and even then I didn’t manage to fully finish the last question, but I knew that 5 minutes wouldn’t have been enough for me to finish it. Throughout the whole 24 hour period, I had 2 hours sleep, and the rest of the time was spent trying to compromise the various hosts. It may not take other people as long as it took me, but “Challenge” is definitely the right choice of words for it. If you don’t know how to exploit systems to a level where you have root/Administrator access then in no way are you ready for the Challenge.

Thankfully I made it through, and if I hadn’t I would have sat it again, but it would have been a while before I did, as it really does take it out of you. From my side though, when I come across another OSCP, I will show them the respect they deserve, as honestly, if you can get through the Challenge, then you should have a pretty good idea about how to conduct a proper penetration test, and no other training that I’ve done has ever been as hands on or in depth.

To anyone thinking about taking the course, do yourself and your employer a favour and sign up for it, you won’t regret it.


6 In The Morning

About a month back it was SecuriTeam Blogs birthday, and I have been meaning to write something about this for a while now. As we all know though, when we actually get around to doing the things that we want to, is usually an entirely different story.

I was going to write about my favourite article over the last year, but to be honest, I can’t think of an article that I didn’t enjoy either reading or writing on here, so this post is going to be a little bit different.

I’ve seen the statistics of how many returning visitors we have coming to this site on a daily basis and how many new and unique visitors we got in the last year, and all that I can honestly say is WOW! The numbers were huge, so I guess between all the bloggers on here, we must be doing something right, whether that’s writing about the latest Virus that’s doing the rounds, hiring penetration testers, botnets or running IE7 on Linux.

I think that all the bloggers that write for SecuriTeam will agree with me on this one, we’re not going to stop writing these stories, as we enjoy writing them, probably as much as you enjoy reading them. Hopefully in time the quality of our stories will exceed the levels that they’re at now, and we’ll find even more interesting things to write about. I think that in this ever evolving world that we call security, that’s really not going to be too difficult to do, and all of us on here are probably writing way too many reports anyway, so that always helps to keep the writing interesting.

So to end this post, I’d like to say a big thank you to all our readers, as you’re the people that keep this site going, we just write the articles, if it wasn’t for you, this site probably wouldn’t exist. If there are any issues that you’d like covered in the future, let us know, and we’ll do our best to oblige.


New Worm Found In Apples?

A security researcher going by the name of InfoSec Sellout has claimed to have found an undisclosed security vulnerability in mDNSResponder which he is claiming is remotely exploitable.

At present there is only a proof-of-concept worm that will leave a file on the system to prove that it’s been exploited; apparently, though, modifying the payload on this one is a trivial task. This has currently only been tested on Intel Macs, as the author does not have any PPC hardware at his disposal at present.

As yet, the author has not notified Apple about this one, as he does not want to give incomplete research results, but more importantly he is also waiting for compensation from unnamed sources, so this really is an interesting one.

I’m going to try and set up an interview with the author and see what other info he is willing to disclose.

Here’s a few links on this one:

http://www.securityfocus.com/bid/24924

http://infosecsellout.blogspot.com/


Challenge to hack OS X Server

This post from news.com seems to sum it all up really:

Reader post by: OS11

Posted on: April 20, 2007, 8:42 AM PDT

i appreciate your confidence, but the fact remains, nobody has exploited OSX. that’s a fact you can’t deny. 10’s of millions of machines, nobody has gotten in.

so it’s time to put up or shut up… here is a raw OSX Server. Why don’t you report back to us when you “crack it” )

http://24.8.244.176/

If you can’t, all your comments are “baseless”.

Have fun!


No Daddy, please stop! Fyodor’s words.

So after the takedown of seclists.org, and all the different points of view that were being aired, on the various web sites, I decided to contact Fyodor and ask him exactly what happened, and what’s going to happen in the future in regard to godaddy.com. Once again, thanks to Fyodor for taking the time to answer my questions.
The following is taken from an interview that I did with Fyodor last night, so here it is:

In your words could you please describe what happened to
seclists.org, I know that you have probably been asked this countless
times, but there are also countless sites that don’t mention your
point of view? Also, on these same sites, some are saying that you
had 60 seconds warning, others are saying 60 minutes, what’s the
exact figure?

Basically, GoDaddy suspended one of the domain names I had registered
with them based on a complaint by MySpace without giving me a chance
to respond or requiring any sort of court order from MySpace. GoDaddy
wasn’t even my ISP or web host. Policing web content of the 18
million domains in their registry is not their job. Worse, it was
extraordinarily hard and frustrating to reach them and get an actual
reason for the shutdown. I’ve described the shutdown in far more
detail at http://NoDaddy.Com .

As for the timing, they left me a voicemail at ‘9:39:31 AM PST’
according to the time stamp from my voicemail provider. In the
voicemail, they say my domain is “scheduled for suspension”. Then at
‘9:40:23′ (according to my time-synced mail server) they emailed me a
“Domain Suspension Notice” saying that my “domain names have been
suspended”. So they only gave me 52 seconds to respond to their
voicemail! Plus, their voicemail didn’t include a phone number to
reach them at! I have posted both the email and voicemail recording at
NoDaddy.Com.

GoDaddy nevertheless tried to claim that they gave me an hour of
notice. Their general counsel Christine Jones was caught by Wired in
that lie at
http://blog.wired.com/27bstroke6/2007/01/godaddy_defends.html .

Aside from nodaddy.com do you plan on taking any action, namely
legal, against godaddy.com?

They certainly deserve it, and some lawyers have offered to help. But
I haven’t even asked them for monetary restitution for the damage they
have caused — I just want them to change their policies to be more
customer-friendly. Or if they don’t, I want their behavior to be
well-known so that other consumers can make a better choice. So
unless they do something outrageous (such as suing me for speaking
out against them on NoDaddy.Com), I’m not presently planning any legal
action against GoDaddy.

Will you be taking any action against myspace.com because of this
atrocity at all?

I would cancel my account if I was pathetic enough to have one :) .
They should have contacted me directly to remove the page. My email
address and phone number were available on the public whois, and I also
watch the abuse@seclists.org email address for complaints about
illegal postings to the mailing lists. Ironically, GoDaddy shut down
the complaint email address when they shut down the whole domain
SecLists.org.

So while MySpace made a mistake by sending the request directly to
GoDaddy, I hold GoDaddy much more culpable for agreeing to the
outrageous domain.

How much of an impact do you feel this had on the security
community in general?

I hope it has raised awareness of the problem of vigilante domain
registrars hijacking their customers’ domains because they find the
web content objectionable. This isn’t just a security community
issue, but an issue for all web sites. Particularly those which
accept user-generated content such as forum posts or blog comments.
My whole domain was shut down with no notice or reason immediately
given based on a 3rd party post I had nothing to do with.

How much of an impact has this had on your life?

It has kept me very busy for the last week. But I’m hoping it will
calm down so I can return to focusing the majority of my time to
maintaining Nmap and my web sites.

I know that it mentions this on nodaddy.com, but what can people
do to help on the nodaddy.com site?

The site is meant to be a community effort, so help is appreciated.
Here are some ideas:

o Forum Operator — If someone wants to start a web forum system where
users can post their GoDaddy horror stories and seek advice, that
would be useful. We would be happy to provide a subdomain such as
forums.noddady.com for this.

o Webmaster help — If someone wants to help maintain the site content
(post new news stories, etc.), I would be happy for the help. They
need to know (or learn to use) the Subversion version detection system.

o Creative content, like cartoons, pictures for the “NoDaddy Girls”
contest, etc. The point of the site is to spread the word about
GoDaddy abuses, but also to have fun :) .

Last but not least, any new and exciting things coming along in the
next release of nmap that you’d be willing to share?

We are very excited about a new scripting language, which is already
in alpha stage. You can see our writeup here:

http://insecure.org/nmap/nse/

Also, we have received tons of user OS submissions for the second
generation OS detection system http://insecure.org/nmap/osdetect/,
so the next release should work even better in that respect.


Myspace phishing site discloses countless usernames and passwords

This just came in on FD, and well, I’d suggest that anyone reading this checks to make sure that no-one you know got fooled by this one.

The phishing site can be found at http://www.marcolano.com/login

All the usernames and passwords can be found here http://www.marcolano.com/login/myspace.txt

I’ve also submitted this to digg.com as it may help to get the word out there a bit more; if nothing else, maybe the digg effect will take the site down before the law can. Here’s the link:

http://www.digg.com/security/Change_your_Myspace_passwords_now


Mac OS X 10.4 Security Checklist

Well, I know that this is a bit of a shameless plug, but I also think that it’ll help out anyone who is tasked with securing OS X in any way or form. I’ve just finished working with a bunch of guys on putting this checklist together for the SANS S.C.O.R.E section on their website, so take a look and I hope it helps someone out. It covers all the basic parts of securing OS X, and is more than sufficient to get a lot of people started, and to end up with a much more secure OS X installation.
http://www.sans.org/score/macosxchecklist.php?

Any comments highly appreciated.


How to defeat China’s Great Firewall

Clayton, Murdoch and Watson have got a paper up on how to defeat the “Great Firewall” of China. It’s a really interesting read, and if I was based in China I’d test it out myself; as I’m not, though, let’s hear it from anyone over there that has tried this as to whether or not this works. Theoretically it all makes sense, but in practice things are usually different. It’s a well written paper, and I would highly recommend it to anyone who’s interested in bypassing firewalls, let alone firewalls of this magnitude.

Here’s the direct link to the paper:

http://www.cl.cam.ac.uk/~rnc1/ignoring.pdf

As always, have fun!


Microsoft France Defaced

Here’s the link to the site:

http://experts.microsoft.fr

Link to the mirror in case it gets fixed anytime soon.

http://www.flickr.com/photos/affandesign/169734004/

Like I said, too amusing not to post ;-)

UPDATE:

So I guess Windows Server 2003 isn’t that secure after all, even if configured by Microsoft, really makes you think doesn’t it.

TiTHack has been pretty busy today by the looks of things, check out the Zone-H stats for him today:

http://www.zone-h.org/component/option,com_attacks/Itemid,43/filter_defacer,TiTHacK/

It’s also worth noting the amount of Windows Server 2003 instances, are we seeing a new 0 day here by any chance? If so, I mentioned it first ;-)

http://www.zone-h.org/component/option,com_attacks/Itemid,43/filter_defacer,TiTHacK/

UPDATE:

Zone-H had an interview with TiTHack about the methods used in the attack, more here:

http://www.zone-h.org/content/view/4770/31/


Kernel Mode IRCbot

This means that detecting rootkits could get a hell of a lot more difficult than it currently is, for more info on this see Tibbar’s blog.
The source code for this project is also up for download on his site, so what does this mean to the security community? Comments people?


2 More OS X Inqtana Variants Found

What the hell is this, let’s target OS X week? This is directly from the guys over at F-Secure labs, they’ve just found 2 more variants of the OS X worm Inqtana.A, the variants are named Inqtana.B and Inqtana.C. The only difference is the way that the worm will start on the infected machine once the user has accepted the OBEX transfer.

More details on this can be found on the F-Secure blog
Guess this means that OS X is finally being taken seriously out there, and about time too.
What’s everyone’s thoughts on all the OS X action we’ve been seeing lately?


Yet another OS X security issue.

In the last two weeks, we’ve had Leap.A, Inqtana.A and now a vulnerability with the way that Apple’s web browser Safari and its mail application Mail.app handle the opening and executing of certain file types by default. This issue is mainly concerned with the opening of .zip files on OS X, and the malicious possibilities are endless on this one.

This vulnerability has been discovered by Michael Lehn. The culprit is the default configuration of Apple’s Safari web browser, in which the option to “Open ‘safe’ files after downloading” is enabled. The function of this option is to automatically display documents, spreadsheets, movies and images as soon as they are downloaded to the user’s computer, by opening them with the application associated with the file type.

The vulnerability comes into play when you store a shell script in a ZIP archive without including the ‘shebang line’ (#!/bin/bash) in the shell script. As soon as you omit the ‘shebang line’, Safari will no longer recognise the script as potentially dangerous content, and executes the shell script without any confirmation needed by the user.

The shell script will get executed within the Terminal.app by a shell. If the user has configured Finder to open scripts using Terminal.app, this will happen automatically, without any intervention on the user’s part. If you give the script an extension, such as “jpg” or “mov”, and then store it within a ZIP archive, OS X will add a binary metadata file to the archive which determines the file’s association. What this metafile does is instruct the operating system on any other Mac to open that file with Terminal.app, regardless of the extension or the symbol displayed in Finder. The terminal will then re-direct scripts without an interpreter line directly to bash, the standard UNIX shell in OS X.

The immediate action that OS X users should be taking against this right now is to deactivate the “Open ‘safe’ files after downloading” option in the Safari preferences pane. An additional security measure is to move the Terminal.app from /Applications/Utilities into a different folder altogether; this works because the metadata file within the ZIP archive always contains the absolute path to the application to be used to open/execute the file. The only issue with doing this is that when you apply security patches/system updates to OS X, the application must be moved back into its original location, otherwise it could cause problems in applying the updates.

To determine if you are vulnerable, Heise Security have a safe online demonstration available here. This demo attempts to open Terminal.app to display the contents of a folder. If you are running OS X in its default configuration and use Safari, the window will open without waiting for a prompt from the user. The possibilities of what this script could do are endless, and I am going to leave that part to everyone’s imagination. Feel free to submit comments on the worst possible thing you could do with a shell script running under the currently logged on user running Safari ;-)
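A defender-side check for the archive layout described in this post, as an added example that is not code from the post, Heise Security or Apple: it flags ZIP entries whose name claims a media type but whose content is plain text, and metadata entries that mention Terminal.app. Assumptions: the metadata file is the AppleDouble `__MACOSX/._<name>` entry that OS X's archiver writes, the function names are illustrative, and the sample archive is constructed and inert.

```python
import io
import posixpath
import zipfile

APPLEDOUBLE_MAGIC = b"\x00\x05\x16\x07"      # leading bytes of an AppleDouble file
MEDIA_MAGIC = {                              # extension -> accepted leading bytes
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
QUICKTIME_ATOMS = (b"ftyp", b"moov", b"mdat", b"wide", b"free", b"skip")


def matches_extension(name, head):
    """True/False if the content fits the claimed type, None if type is not covered."""
    ext = posixpath.splitext(name)[1].lower()
    if ext == ".mov":                        # QuickTime: atom type sits at offset 4
        return head[4:8] in QUICKTIME_ATOMS
    if ext in MEDIA_MAGIC:
        return head.startswith(MEDIA_MAGIC[ext])
    return None


def looks_like_text(head):
    """Heuristic: no control bytes other than tab/LF/CR, so it could be a script."""
    return bool(head) and all(
        b in (9, 10, 13) or (b >= 32 and b != 127) for b in head
    )


def scan_zip(data):
    """Return a list of (entry name, finding) tuples for one ZIP archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            with zf.open(info) as fh:
                head = fh.read(65536)        # bounded read, enough for both checks
            base = posixpath.basename(name)
            if name.startswith("__MACOSX/") and base.startswith("._"):
                # Metadata companion: the post says it carries the absolute
                # path of the application that will open the file.
                if head.startswith(APPLEDOUBLE_MAGIC) and b"Terminal.app" in head:
                    findings.append((name, "metadata-opens-with-terminal"))
                continue
            if matches_extension(name, head) is False and looks_like_text(head):
                kind = ("script-with-shebang" if head.startswith(b"#!")
                        else "text-without-shebang")
                findings.append((name, kind + "-under-media-extension"))
    return findings


def build_sample():
    """Constructed archive: one text file named .jpg, one genuine JPEG header.
    The metadata blobs are fake (magic bytes plus a path string), not real
    resource forks."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("holiday.jpg", b"ls -la ~\n")
        zf.writestr("__MACOSX/._holiday.jpg",
                    APPLEDOUBLE_MAGIC + b"\x00" * 22
                    + b"/Applications/Utilities/Terminal.app")
        zf.writestr("real.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00")
        zf.writestr("__MACOSX/._real.jpg", APPLEDOUBLE_MAGIC + b"\x00" * 22)
        zf.writestr("README.txt", b"plain notes\n")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, finding in scan_zip(build_sample()):
        print(f"{finding}: {entry}")
```

The text check is a heuristic, so a mail or web gateway would treat a hit as a reason to quarantine the archive for review rather than as proof of malice.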


Inqtana.A - The OS X Bluetooth Worm

Times are getting interesting for OS X users out there, first we have news of Leap.A, the OS X virus that’s currently doing the rounds, and now we have Inqtana.A, an OS X bluetooth proof-of-concept worm for OS X 10.4 (Tiger).

Inqtana.A has not yet been seen in the wild, but it is recommended that you install the latest security patches from Apple just to make sure that you’re covered in case this turns into more than just a proof-of-concept. Inqtana.A uses a Bluetooth library, and this expires on the 24th February, so it is unlikely that this will be seen in the wild in its current form, but the PoC is there now, and this leaves openings for someone to make use of it.

The CVE number for this worm is CVE-2005-1333.

Inqtana.A arrives on victims’ systems as an OBEX Push request, and the user will be prompted to accept the data transfer. If the user accepts the data transfer, Inqtana.A will then use a directory traversal exploit to copy its files so that it starts up automatically upon the next reboot. Once the system has been rebooted and Inqtana.A has been activated, it will then look for any devices that accept OBEX Push requests and try to copy itself to those devices in the same manner.

Inqtana.A tries to copy 3 files via Bluetooth to replicate. The files are:

- w0rm-support.tgz - The worm components
- com.openbundle.plist - Needed for automatic startup after reboot
- com.pwned.plist - Needed for automatic startup after reboot

To remove the worm from your system:

- Apply the latest security patches from Apple
- Remove the following files from your system:
  - /Users/w0rm-support.tgz
  - /Users/InqTest.class
  - /Users/com.openbundle.plist
  - /Users/com.pwned.plist
  - /Users/libavetanaBT.jnilib
  - /Users/javax
  - /Users/de
  - /Users/[user name]/Library/LaunchAgents/com.pwned.plist
  - /Users/[user name]/Library/LaunchAgents/com.openbundle.plist

Thanks once again to the guys at F-Secure for all the info on this one.
It really seems like things are hotting up on the OS X front these days, which could be a good thing, as Apple has always been somewhat quiet on security patches and exactly what they fix; maybe this will cause them to give a bit more disclosure on the subject. OS X has a reputation for being secure, and it’s one of Apple’s marketing messages, so to keep that Apple are really going to have a lot of work to do on the security front if things start kicking off.


Leap.A, The OS X Virus

I’ve been following the news on this one since it started on macrumors.com, and now F-Secure have classed this one as a virus. The file in question is named “latestpics.tgz”, and when it was initially posted it was advertised as being pictures of the upcoming “Mac OS X Leopard”, also known as “OS X 10.5”.

You can’t simply just get infected with this virus; there are certain things that you have to do for this to infect your Mac. That is still a worry, as a lot of people will be really interested in seeing the pictures of the new OS X, and will undoubtedly go through the following steps needed to infect your beloved Mac. If you somehow come across this file, whether it was sent to you via e-mail or iChat or you found it somewhere to download, DO NOT perform these steps, otherwise you will become infected!

- Double-click on the file to decompress it
- Double-click on the resulting file to “open” it

If you are running as a non-admin user, even if you do go through the steps above, it will still infect some files, though not as badly as if you are running as an admin user on OS X, as this needs to have admin rights to be able to infect certain files.

This is a brilliant attempt at social engineering more than anything, as the virus is not capable of self propagating at all, it relies solely on users actually going through the steps mentioned above. Another important note is that there is a bug in the code that prevents this virus from working as it was properly intended to do, which is good for anyone running OS X, but bad in the sense that it will stop certain applications from launching once you are infected. This virus does not exploit any security holes in OS X at all, as I mentioned above it purely relies on the user trying to see what’s in the compressed file.

A brief rundown on the contents of the file:

Once the file has been unzipped, tar will let you know that there are 2 files contained within, namely:
._latestpics
latestpics

The ._latestpics file is actually the resource fork of the file, which has had its icon changed to reflect it as a jpeg file, therefore fooling users into trying to open this file. The following from Andrew Welch gives a really decent breakdown on what exactly the virus does:

“1) It copies itself to /tmp as “latestpics”
2) It recreates its resource fork in /tmp (with the custom icon in it) from an internally stored gzip’d copy, then sets custom icon bit for the new file in /tmp
3) It then tar + gzips itself so a pristine copy of itself in .tgz format is left in /tmp
4) It renames itself from “latestpics.tar.gz” to “latestpics.tgz” then deletes the copied “latestpics” executable from /tmp

–This gives it a pristine copy of itself, for later transmission.–

5) It extracts an Input Manager called “apphook.bundle” that is embedded in the macho executable, and copies it to /tmp
6a) If your uid = 0 (you’re root), it creates /Library/InputManagers/ , deletes any existing “apphook” bundle in that folder, and copies “apphook” from /tmp to that folder
6b) If your uid != 0 (you’re not root), it creates ~/Library/InputManagers/ , deletes any existing “apphook” bundle in that folder, and copies “apphook” from /tmp to that folder
7) When any application is launched, MacOS X loads the newly installed “apphook” Input Manager automatically into its address space

–This allows it to have the code in the “apphook.bundle” injected into any subsequently launched application via the InputManager mechanism–

8a) When an application is subsequently launched, the “apphook.bundle” Input Manager then appears to try to send the pristine “latestpics.tgz” file in /tmp to people on your buddy list via iChat (who will then presumably download the file, double-click on it, and the cycle repeats).

8b) (It looks like the author intended to get it to send the “latestpics.tgz” file out via eMail as well, but never got around to writing that code)

–This lets it send itself to people on your buddy list via iChat; this appears to be the only way it self-propagates externally–

9) It then uses Spotlight to find the 4 most recently used applications on your machine that are not owned by root
10) In an apparent “Charlie and the Chocolate Factory” reference, it then checks to see if the xattr ‘oompa’ of the application executable is > 0… if so, it bails out, to prevent it from re-infecting an already infected application
11) If not, it sets the xattr ‘oompa’ of the application executable to be ‘loompa’ (this does nothing, it is just a marker that it has infected this app)
12) It then copies the application executable to its own resource fork, and replaces the application executable with the OSX/Oomp-A trojan

nb: If run via double-clicking on the file, and the user doesn’t have privileges to modify an application, it silently fails. If run via the command line, it will ask for the admin password if it encounters an application for which it doesn’t have privileges to modify.

–It has thus effectively injected its code in the host application–

13) When an infected application is launched from then on, the trojan code is executed, and it tries to re-infect and re-propagate itself to other applications
14) It then does an execv on the resource fork of the executable, which is the original application, so the application launches as it normally would (in theory… see below)
15) Due to a bug in its code for executing the original app from its resource fork, it is only allocating a buffer 4 bytes bigger than the path when appending “/..namedfork/rsrc” to the path, it will stop any app it infects from running. Instead of adding the length of the string, it errantly adds the length of the pointer to the string, which is always 4 bytes.

In the end, it doesn’t appear to actually do anything other than try to propagate itself via iChat, and unintentionally prevent infected applications from running.”

Here is a disassembly of the executable if you’re interested; this is only the main executable portion of the code, not the embedded “apphook” InputManager code.
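A read-only sweep for the files named in the Inqtana.A removal list and in the Leap.A breakdown on this page, as an added example that is not from F-Secure, Andrew Welch or the original posts. The function names, the `root` parameter and the fixture tree are assumptions made for illustration; matching any InputManagers entry whose name starts with "apphook" is also an assumption, since the breakdown uses both "apphook" and "apphook.bundle".

```python
import os

# File names copied from the Inqtana.A removal list on this page.
INQTANA_IN_USERS = ["w0rm-support.tgz", "InqTest.class", "com.openbundle.plist",
                    "com.pwned.plist", "libavetanaBT.jnilib", "javax", "de"]
INQTANA_LAUNCH_AGENTS = ["com.pwned.plist", "com.openbundle.plist"]


def existing(paths):
    """Keep only paths that exist (lexists also reports dangling symlinks)."""
    return [p for p in paths if os.path.lexists(p)]


def apphook_entries(folder):
    """Entries of an InputManagers folder whose name starts with 'apphook'."""
    try:
        names = sorted(os.listdir(folder))
    except OSError:                      # folder missing or unreadable
        return []
    return [os.path.join(folder, n) for n in names if n.startswith("apphook")]


def sweep(root="/"):
    """Return {family: [paths found]} under root; nothing is modified or deleted."""
    users = os.path.join(root, "Users")
    found = {
        "Inqtana.A": existing(os.path.join(users, n) for n in INQTANA_IN_USERS),
        # Leap.A: pristine copy left in /tmp, plus the system-wide Input Manager.
        "Leap.A": existing([os.path.join(root, "tmp", "latestpics.tgz")])
        + apphook_entries(os.path.join(root, "Library", "InputManagers")),
    }
    try:
        homes = sorted(os.listdir(users))
    except OSError:
        homes = []
    for user in homes:
        home = os.path.join(users, user)
        if not os.path.isdir(home):
            continue
        agents = os.path.join(home, "Library", "LaunchAgents")
        found["Inqtana.A"] += existing(
            os.path.join(agents, n) for n in INQTANA_LAUNCH_AGENTS)
        # Leap.A installs per-user when it does not run as root.
        found["Leap.A"] += apphook_entries(
            os.path.join(home, "Library", "InputManagers"))
    return found


def build_fixture(root):
    """Constructed directory tree for a dry run; every file is empty."""
    for rel in ["Users/w0rm-support.tgz",
                "Users/alice/Library/LaunchAgents/com.pwned.plist",
                "Users/alice/Library/InputManagers/Other.bundle/placeholder",
                "Users/bob/Library/InputManagers/apphook.bundle/placeholder",
                "tmp/latestpics.tgz"]:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    for family, paths in sweep("/").items():
        for path in paths:
            print(f"{family}: {path}")
```

Passing a mounted disk image or backup as `root` lets the same check run against a system that is not booted.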


Cracking WEP with KisMac

Granted this is only done against a 40-bit WEP key, so that would explain why it only takes 10 minutes to obtain the WEP key, but this is still pretty good going either way. Plus you don’t have to keep changing tools to eventually obtain the WEP key.

The video is a bit blurry, but if you’ve got a Mac and have KisMac installed, it’s really not difficult to make out what’s going on at all.

Really worthwhile watch!!

http://www.ethicalhack.org/videos.php


Nmap 4.00 Released

Nmap 4.00 has been in development for about 2 years now, and boasts more than 230 improvements since the 3.50 release.

For those who have been keeping on the bleeding edge and upgrading with each version, Nmap 4.00 has only one change since 3.9999.

Head over to Insecure.org’s download area to download it, and start compiling.
If you haven’t been keeping up with the changes as they come up, you’re going to notice some really huge improvements in scanning times and scan options.

There’s a really good interview with Fyodor over at Security Focus, it’s a really worthwhile read if you want some more insight into the new release.

A complete list of changes can be found below. This is taken from the official Nmap change log; as you can see, there are numerous improvements and changes:

    # Nmap Changelog ($Id: CHANGELOG 3095 2006-01-30 07:30:56Z fyodor $); -*-text-*-
    4.00

    o Added the ‘?’ command to the runtime interaction system. It prints a
    list of accepted commands. Thanks to Andrew Lutomirski
    (luto(a)myrealbox.com) for the patch.

    o See the announcement at
    http://www.insecure.org/stf/Nmap-4.00-Release.html for high-level
    changes since 3.50.

    3.9999

    o Generated a new libpcre/configure to cope with changes in LibPCRE
    6.4

    o Updated nmap-mac-prefixes to reflect the latest OUI DB from the IEEE
    (http://standards.ieee.org/regauth/oui/oui.txt)

    o Updated nmap-protocols with the latest IEEE internet protocols
    assignments (http://www.iana.org/assignments/protocol-numbers).

    o Updated the Nmap version number and related fields that MS Visual
    Studio places in the binary. This was done by editing
    mswin32/nmap.rc.

    3.999

    o Added runtime interaction support to Windows, thanks to patches from
    Andrew Lutomirski (luto(a)myrealbox.com) and Gisle Vanem (giva(a)bgnett.no).

    o Changed a couple lines of tcpip.cc (put certain IP header fields in
    host byte order rather than NBO) to (hopefully) support Mac OS X on
    Intel. Thanks to Kurt Grutzmacher (grutz(a)jingojango.net) for the
    patch.

    o Upgraded the included LibPCRE from version 6.3 to 6.4. There was a
    report of version detection crashes on the new Intel-based MACs with
    6.3.

    o Fixed an issue in which the installer would malfunction in rare
    issues when installing to a directory with spaces in it. Thanks to
    Thierry Zoller (Thierry(a)Zoller.lu) for the report.

    3.99

    o Integrated all remaining 2005 service submissions. The DB now has
    surpassed 3,000 signatures for the first time. There now are 3,153
    signatures for 381 service protocols. Those protocols span the
    gamut from abc, acap, afp, and afs to zebedee, zebra, and
    zenimaging. It even covers obscure protocols such as http, ftp,
    smtp, and ssh :) . Thanks to Version Detection Czar Doug Hoyte for
    his excellent work on this.

    o Created a Windows executable installer using the open source NSIS
    (Nullsoft Scriptable Install System). It handles Pcap installation,
    registry performance changes, and adding Nmap to your cmd.exe
    executable path. The installer source files are in mswin32/nsis/ .
    Thanks to Google SoC student Bo Jiang (jiangbo(a)brandeis.edu) for
    creating the initial version.

    o Fixed a backward compatibility bug in which Nmap didn’t recognize
    the –min_rtt_timeout option (it only recog