Social Engineering and Body Language

Social engineering is defined by Wikipedia as “the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques; essentially a fancier, more technical way of lying. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.”

Over the years I’ve done my fair share of social engineering, and the one thing that I have always found to come in handy is being able to read people’s body language. Being able to notice when someone is pacifying themselves, when you ask certain questions, and knowing where to hone in on for example, has helped me countless times in the past. Being able to notice the little things like when people are extremely nervous when you mention things like “Well, I’m not too sure Mr Jones, you manager would be too happy about me not being able to gain access to this room, as he’s paying me to have a look around in your data hall.” When they’re blatantly telling you, that they can’t allow you access under company policy, etc, etc.

I would encourage anyone that performs penetration testing that includes social engineering exercises, to really take the time to read up on body language and how you can make it work for you, it will help your social engineering skills, and this will also help you to help your clients.

There are countless books on this topic that you can get from most decent bookstores to help you along your way, and the good news is that some of these are really not expensive at all.

Another thing that you may want to look into is reading micro expressions, although I would recommend that you start with learning basic body language first, and then progressing on to micro expressions.


Safari AutoFill Exploit

So it seems that Safari uses the details from your Address Book to AutoFill forms on web sites, this is enabled by default. In theory this is a great idea, until someone writes some malicious JavaScript to get these details passed to a hidden form without your knowledge. Looking through all the possible available fields in the Apple Address Book app, it really gets quite troubling. Name, Address, Job Title, Department, Anniversary. This could all be used nicely for a really fun Social Engineering exercise, or really help with an identity theft scam.

There is a PoC of this hosted here.

Personally I’d suggest disabling AutoFill in Safari’s preferences, better safe than sorry.


Microsoft LNK exploit added to Metasploit

With all the talk about the Microsoft LNK exploit, it was only a matter of time before the guys over at camp Metasploit added the exploit for this one to the Metasploit Framework.

You can find the details for the module over here.

If you’re one of those types of people that want to have a look at the source code for this one, then you can cast your eyes on that right here.

To get this module into MSF, all you have to do is SVN up.

Have fun ;-)


Mozilla Raises Bug Bounty To $3000 For Security Bugs

Mozilla seems to have now stepped up to the plate to actually pay security researchers for their time spent uncovering new vulnerabilities in their software. The following is taken from the Mozilla Security Bug Bounty Program web site. “The Mozilla Security Bug Bounty Program is designed to encourage security research in Mozilla software and to reward those who help us create the safest Internet clients in existence. Reporters of valid critical security bugs will receive a $3000 (US) cash reward and a Mozilla T-shirt.”

This is great news and really shows that they’re serious about weeding out the bugs in their software, but the question is, if not for profit organization can afford to pay $3000 for a security bug, then why the hell are places like Microsoft, Apple and Oracle not doing the same? I know that we can go through Tippingpoint’s Zero Day Initiative or iDefense’s ZDI, but still. This really is a great initiative, and will get me spending some late nights trying to find some new bugs.

As security researchers I’m beginning to think that we should all start looking into the companies that pay for bugs with a lot more effort, and they seem to actually care about the security of their products, and I personally have no problem spending a few late nights to try and find a bug in some software if I know that I’m going to get paid for it.

On the other hand, companies such as Microsoft complain when someone releases a 0-day exploit, but you have to wonder if this would have happened had they had the same sort of bug bounty scheme in place. If Microsoft paid security researchers a fair fee for bugs found in their software, then I’m pretty sure the amount of 0-days released by security researchers would drop considerably. It would have to be worthwhile, for example, if Microsoft were to structure their payment on the severity of the exploit, eg, if it was a bug in all versions of IE, then it would gain a much higher payment, than if it was a bug in just Windows Vista, this would have people spending more time trying to find the bugs. After all, what security researcher doesn’t want to be rewarded for his time on a financial level.

Just something for the larger software companies to think about…


Metasploit 3.4.1 Released

Sunday 11th July saw the release of the latest version of the Metasploit Framework, and you can tell that the guys have been really busy over in Metasploit development land. Please see the release notes for this version below, and you can download the latest version from here.


  • Metasploit now has 567 exploits and 283 auxiliary modules (up from 551 and 261 in v3.4)
  • Over 40 community reported bugs were fixed and numerous interfaces were improved


  • The Windows installer now ships with a working Postgres connector
  • New session notifications now always print a timestamp regardless of the TimestampOutput setting
  • Addition of the auxiliary/scanner/discovery/udp_probe module, which works through Meterpreter pivoting
  • HTTP client library is now more reliable when dealing with broken/embedded web servers
  • Improvements to the database import code, covering NeXpose, Nessus, Qualys, and Metasploit Express
  • The msfconsole “connect” command can now speak UDP (specify the -u flag)
  • Nearly all exploit modules now have a DisclosureDate field
  • HTTP fingerprinting routines added to some exploit modules
  • The psexec module can now run native x64 payloads on x64 based Windows systems
  • A development style guide has been added in the HACKING file in the SVN root
  • FTP authentication bruteforce modules added


  • Some Meterpreter scripts (notably persistence and getgui) now create a resource file to undo the changes made to the target system.
  • Meterpreter scripts that create logs and download files now save their data in the ~.msf3/logs/scripts folder.
  • New Meterpreter Scripts:
  • enum_firefox – Enumerates Firefox data like history, bookmarks, form history, typed URLs, cookies and downloads databases.
  • arp_scanner – Script for performing ARP scan for a given CIDR.
  • enum_vmware – Enumerates VMware producst and their configuration.
  • enum_powershell – Enumerates powershell version, execution policy, profile and installed modules.
  • enum_putty – Enumerates recent and saved connections.
  • get_filezilla_creds – Enumerates recent and saved connections and extracts saved credentials.
  • enum_logged_on_users – Enumerate past users that logged in to the system and current connected users.
  • get_env – Extracts all user and system environment variables.
  • get_application_lits – Enumerates installed applications and their version.
  • autoroute – Sets a route from within a Meterpreter session without the need to background the sessions.
  • panda_2007_pavsrv53 – Panda 2007 privilege escalation exploit.
  • Support for a dns bypass list added to auxiliary/server/fakedns. It allows the user to specify which domains to resolve externally while returning forged records for everything else. Thanks to Rudy Ruiz for the patch.
  • Railgun – The Meterpreter “RAILGUN” extension by Patrick HVE has merged and is now available for scripts.
  • PHP Meterpreter – A protocol-compatible port of the original Meterpreter payload to PHP. This new payload adds the ability to pivot through webservers regardless of the native operating system
  • Token impersonation now works with “execute -t” to spawn new commands with a stolen token.

Known Issues

  • Interacting with a meterpreter session during a migration will break the session. See #1360.
  • There is no simple way to interrupt a background script started by AutoRunScript
  • Command interaction on Windows causes a PHP Meterpreter session to die. See #2232

Microsoft Retires Windows 2000 Professional and XP Service Pack 2

Yesterday Microsoft officially retired support for Windows 2000 Professional and Windows XP Service Pack 2 (SP2).

So what does this mean to the average user, well your Operating System isn’t just going to stop working, so that’s the good news. The bad news however is that Microsoft will no longer be releasing any security patches for either of these Operating Systems going forward.

So if a vulnerability is discovered in one of these Operating Systems now, then you really are on your own to try and secure it.

Please be aware of this people and make the necessary upgrades as soon as humanly possible.

For more info on Microsoft’s Support Lifecycle for both of these platforms please see the links below.

Windows 2000 Professional

Windows XP Service Pack 2


Microsoft Black Tuesday Summary July 2010

I decided that it would be a good idea to publish summaries of MS’s patch updates on here each month, let me know your thoughts. I know that you can get these from MS directly, but I just figured that if you read SecuriTeam anyway, then here’s some more useful information for you.

My personal opinion on this one is that if there’s one patch you really should apply ASAP, then it should be MS10-042.
So without further ado.

MS10-042 (Critical – Remote Code Execution)

Vulnerability in Help and SupportCenter Could Allow Remote Code Execution (2229593)

This security update resolves a publicly disclosed vulnerability in the Windows Help and Support Center feature that is delivered with supported editions of Windows XP and Windows Server 2003. This vulnerability could allow remote code execution if a user views a specially crafted Web page using a Web browser or clicks a specially crafted link in an e-mail message. The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful, a user must click a link listed within an e-mail message.

MS10-043 (Critical – Remote Code Execution)

Vulnerability in Canonical Display Driver Could Allow Remote Code Execution (2032276)

This security update resolves a publicly disclosed vulnerability in the Canonical Display Driver (cdd.dll). Although it is possible that the vulnerability could allow code execution, successful code execution is unlikely due to memory randomization. In most scenarios, it is much more likely that an attacker who successfully exploited this vulnerability could cause the affected system to stop responding and automatically restart.
MS10-044 (Critical – Remote Code Execution)

Vulnerabilities in Microsoft Office Access ActiveX Controls Could Allow Remote Code Execution (982335)

This security update resolves two privately reported vulnerabilities in Microsoft Office Access ActiveX Controls. The vulnerabilities could allow remote code execution if a user opened a specially crafted Office file or viewed a Web page that instantiated Access ActiveX controls. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS10-045 (Important – Remote Code Execution)

Vulnerability in Microsoft Office Outlook Could Allow Remote Code Execution (978212)

This security update resolves a privately reported vulnerability. The vulnerability could allow remote code execution if a user opened an attachment in a specially crafted e-mail message using an affected version of Microsoft Office Outlook. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Have fun patching all, and please remember to test these patches in a non-production environment before applying directly to production environments guys and girls.


Nmap Scripting Engine (NSE)

A few days ago, I found myseld playing with the NSE again, and got to thinking about how many people actually know about NSE, and how to use it. This really is one of my favourite features that has been added to nmap over the years, and it really does make your life easier when doing a lot of scanning.

So, what is the NSE, I hear you ask? Well, instead of me trying to come up with a better way to explain, I’ve taken the following from the nmap online book, which can be found here.
“The Nmap Scripting Engine (NSE) is one of Nmap’s most powerful and flexible features. It allows users to write (and share) simple scripts to automate a wide variety of networking tasks. Those scripts are then executed in parallel with the speed and efficiency you expect from Nmap. Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet custom needs.”

Some of the new scripts that were added recently were the following, and from the descriptions, you can see just how beneficial these are:

asn-query—Maps IP addresses to autonomous system (AS) numbers.
auth-spoof—Checks for an identd (auth) server which is spoofing its replies.
banner—A simple banner grabber which connects to an open TCP port and prints out anything sent by the listening service within five seconds.
dns-random-srcport—Checks a DNS server for the predictable-port recursion vulnerability. Predictable source ports can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).
dns-random-txid—Checks a DNS server for the predictable-TXID DNS recursion vulnerability. Predictable TXID values can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).
ftp-bounce—Checks to see if an FTP server allows port scanning using the FTP bounce method.
http-iis-webdav-vuln—Checks for a vulnerability in IIS 5.1/6.0 that allows arbitrary users to access secured WebDAV folders by searching for a password-protected folder and attempting to access it. This vulnerability was patched in Microsoft Security Bulletin MS09-020.
http-passwd—Checks if a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd using various traversal methods such as requesting ../../../../etc/passwd.
imap-capabilities—Retrieves IMAP email server capabilities.
mysql-info—Connects to a MySQL server and prints information such as the protocol and version numbers, thread ID, status, capabilities, and the password salt.
pop3-brute—Tries to log into a POP3 account by guessing usernames and passwords.
pop3-capabilities—Retrieves POP3 email server capabilities.
rpcinfo—Connects to portmapper and fetches a list of all registered programs.
snmp-brute—Attempts to find an SNMP community string by brute force guessing.
socks-open-proxy—Checks if an open socks proxy is running on the target.
upnp-info—Attempts to extract system information from the UPnP service.
whois—Queries the WHOIS services of Regional Internet Registries (RIR) and attempts to retrieve information about the IP Address Assignment which contains the Target IP Address.

All NSE scripts are written in the Lua Programming Language, for the NSE side of things, this languiage is easy enough to pick up, and come up with some decent scripts, and then share them with others. The more people that write these add-on scripts the better it is for everyone.

I hope that this was useful to someone, and if you’d like to see any other articles on tools, etc, then let me know via the comments and I’ll see what I can do to accomodate.


XKCD: Security

This one is just too funny not to post, and hell, it’s Friday!



Pirate Bay Hacked!

So The Piratebay has been hacked, and the hacker who did it has made off with the details of 4 million users on the site.

The details in question are usernames, e-mail addresses and internet addresses, this was all accomplished via a SQL injection attack.

The hacker in question here is of Argentinian origin, and goes by the handle of Russo, he mentions that he considered selling the data, but then decided to just go public to show that the Piratebay’s security wasn’t up to scratch.

This brings up a very interesting point though, as he could probably get a fair amount of money for these details if he was to sell them to say, oh I don’t know, the RIAA or the MPAA for example?

Even with all the problems that the Piratebay have had over the last few months, it still remains one of the largest bittorrent trackers on the Internet, and having the details of 4 million users is a really nice bounty to walk away with.

The cynic in me is half expecting most of these users to wind up with nice little letters from either the RIAA or the MPAA or both in the next few months, but I guess we’ll just wait and see.

The Piratebay was down for a while yesterday, with the following message posted on the site. “Upgrading some stuff, database is in use for backups, soon back again.. Btw, it’s nice weather outside I think.”

Yeah, upgrading some stuff, that’s a good one actually. Maybe Zone-h should change their defacement archieve title to something along the lines of “Upgrade Archieve”

On a side note though, it is interesting when hackers tend to go after sites that are helping to distribute copyright material. This also begs the question of, could he have been sponsored to do this, say under NDA, with a large sum of money from some 4 letter acronym? I’ll leave you with that thought, but if I was running a bittorrent tracker at the moment, I’d be a bit concerned…


Forensics & The Fabled Chain Of Custody

I’m not very big into forensics any more, but occasionally I’ll get asked to take on a case or two, and whenever I do, the one thing that people always manage to seem to get wrong is the chain of custody.

Now for those of you who have no idea what I’m talking about here, here is the blurb from Wikipedia on Chain Of Custody.

Chain of custody (CoC) refers to the chronological documentation or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of evidence, physical or electronic. Because evidence can be used in court to convict persons of crimes, it must be handled in a scrupulously careful manner to avoid later allegations of tampering or misconduct which can compromise the case of the prosecution toward acquittal or to overturning a guilty verdict upon appeal. The idea behind recording the chain of custody is to establish that the alleged evidence is in fact related to the alleged crime, rather than having, for example, been planted fraudulently to make someone appear guilty.”

I have seen so many cases through the years, where a single has just gone and asked a user to please shutdown their PC, and then taken it away from them, jumped in a cab, and as it was late, taken the PC home with them for the night. Then the next morning, they’ll walk into my office and ask me to do forensics on the host, as the user in question has been doing x,y and z wrong on company property and they want to fire them and prosecute. It’s very hard trying to explain to senior management, that while, I can do the forensics for you, and I’m sure that I’ll find something, can you please just prove to me that you didn’t put it there to frame the person? This usually results with the same old conversation, that kind of goes along these lines.

Manager: “Of course I didn’t put it there! I’m a senior manager, why would I do that, what do I stand to gain?”

Me: “Well, it could be that you just don’t like this person, or on a personal level, they’ve done something to upset you”

Manager: “Well, I’m telling you that I didn’t put anything on his PC, and I’m a senior manager! So get started with the forensics asap, and let me know!”

Me: “You seem very defensive, it sounds like you may be hiding something?”

Manager: “I am not hiding anything, I just want you to prove that he was doing something wrong so that I can fire him and then get legal to prosecute!”

Me: “Okay, I’ll do what I’ve been asked. Just remember though, I’m a IT Security guy, and you sound guilty to me, even though you may not be, imagine what a lawyer would do with you? We have forensics procedures, that are visible to the entire company in regards to bringing in user’s PC’s, next time can you please take the time to read these?”

The senior manager then usually storms out of the office.

Following proper procedures for forensics purposes is of the utmost importance, as if you do need to lay charges you need to be able to prove that you did everything by the book. If you don’t have detailed procedures for your in-house forensics, maybe now is the time to start thinking about writing some…


Where To Sell Software Vulnerabilities/Exploits?

So the last post that I wrote, and Aviram’s follow on post really got me thinking, unless you know where to sell software vulnerabilities or exploits, finding places isn’t really that easy at all. I knew about ZDI and VPC, but that was it really, and it took me ages to remember VPC.

So I spent some time Googling, and well that didn’t help me much to me honest. So I’ve decided to compile a list on here, with a subject that’s easy enough to search for.

So what I’m asking all our readers is that if you know of anywhere that buys software vulnerabilities legitimately, please let me know by leaving a comment and I’ll update the list here accordingly.

So without any further ado, here’s the definitive list of where you can sell those exploits and vulnerabilities that you worked so hard on discovering and writing.

Beyond Security

Zero Day Initiative (Tippingpoint)

Vulnerability Contributor Program (iDefense)

Global Vulnerability Partnership


Why Is Paid Responsible Disclosure So Damn Difficult?

So I’ve been sitting on an Apple vulnerability for over a month now, and I’m really starting to realise that maybe just sending the details to the Full-Disclosure mailing list and is the right way to go about disclosing vulnerabilities and exploits.

I initially contacted ZDI to see if they would be at all interested in buying the exploit off of me, as I spent a lot of time researching and finding this one, and I’d like to get something for my efforts. I am a firm believer in the No More Free Bugs movement, I understand and appreciate what ZDI are doing, but the fact that it took them just under a month to get back to me, is really not good enough to be very honest. If they don’t have the researchers, then advertise worldwide, instead of just US only. I know I for one, would be happy validating bugs all day, and this is the the type of work that can be remotely.
Yesterday I also submitted the same information to iDefense Labs Vulnerability Contributor Program (VCP), who claim to get back to me within 48 hours, so we’ll see how that goes. I will update this post as and I when I know more.

I also took the off chance of mailing Apple directly, and asking if they offer any rewards for vulnerabilities that have been found, and if so what they would be. I don’t have high hopes on Apple offering anything, but to be honest, I would prefer to  disclose this one directly to Apple. They however  have paid staff to do this work on a full time basis on all their products, so why aren’t they doing it properly, and I feel that anyone else finding bugs for them, should be compensated appropriately. However, I e-mailed them yesterday and recieved an automated response, so we see how long it takes them to respond to me as well.

This may end up being a rather long post, but let’s see. I’m also expecting to see quite a few interesting comments on this post as well, so come on people.

UPDATE 30/06/2010:

Received a response from iDefense last night,and a request for more info. So just over 24 hour response time, which is brilliant, I’m really impressed so far.

Recieved a response from Apple, and if I would like any reward (aside from credit for the find), then I was informed that I should go through ZDI or iDefense.


Backtrack – The Future, The Funding, The Roadmap

Great news, Backtrack now has funding to move ahead with scheduled releases, and a roadmap moving forward up to Backtrack 5. You can view the roadmap here. It seems that the worlds leader in penetration testing training, namely Offensive Security is going to be funding the BackTrack Linux distribution’s development going forward. No need to worry though, BackTrack is still going to remain an Open Source distro.

Other news on this front is that the Exploit Database now has new EDB Research and Development teams that are actively working on vulnerability discovery and development, so watch this space for more news and good things to come. It’s also very worthwhile checking out the Exploit Database Blog.


Hack In The Box Security Conference Comes to Europe

The first ever HITB Security conference will be help in Amsterdam on the 1st and 2nd July, so apologies for only posting this now, but there’s still time to register.

The full conference agenda can be found here.

Some of the talks listed are:

- Breaking Virtualization by Switching to Virtual 8086 Mode

- Attacking SAP Users Using sapsploit

- Fireshark – A tool to Link the Malicious Web

- Having Fun with Apple’s IOKit

So all in all, it looks like it’s going to be an interesting couple of days.

Leave a comment if you’re going, it’d be good to hook up.


DNS and DNScat

So the other day I was conducting a penetration test, and compromising the host in question was easy enough, but I wanted something that would make a bit more of an impact in the report, rather than the standard, used Metasploit with X exploit and a reverse shell. So I spent some time looking through my little bag of tricks and came across DNScat. Now I’ve been wanting to use this tool for a while now, as it just seems like it’d make a nice high impact paragraph to have in a report, with a bit of a different swing on it.

For those of you who haven’t heard of DNScat before, here’s the blurb taken directly from the web site, which can be found here.

“DNScat (pronounced “D-N-S cat”) is a “swiss-army knife” tool to tunnel traffic through DNS servers. It provides a bi-directional communication through DNS servers, and in conjunction with PPP, can be used to set up a virtual private network (VPN).
DNScat, like a swiss army knife can be used for a variety of purposes, including:
- penetration testing of networks behind firewalls
- sending messages though firewalled networks
- setting up a VPN though firewalled networks
- learning how to detect covert channels through DNS servers
- and more… ”

So lo and behold, I finally got a chance to play with DNScat, and the look on the security managers face when he read the report was priceless, he words were something along the lines of. “We made sure to secure everything we could think of, but DNS, really?”

For those of you that do professional penetration testing, if you haven’t used DNScat yet, take the time to have a look at it, and learn how to use, it’s a decent tool and a lot of fun!