Archive

Archive for July, 2009

Kon Boot

I’m running behind the curve on this one, but after several of my usual sources suggesting KonBoot as a useful addition to any security toolkit. The premise of Kon-Boot is simple, by modifying the system kernel (Windows or Linux) upon boot there is no need to know the users password to access the system.

Kon-Boot is designed to boot via either floppy or CD, but thanks to the work of IronGeek it is relatively painless to get Kon-Boot running from USB.

Unetbootin continues to be a powerful tool, using which you create a bootable USB drive from the KonBoot floppy drive image. Raymond.cc has a great guide for the process, but ends with the limitation that KonBoot won’t function from USB; until IronGeek steps into the ring with a patch. Simply extract the archive to the root of the USB drive to update chain.c32 and syslinux.cfg then you’re good to go.

There are plenty of videos showing Kon-Boot in action, for example this one. I’ve successfully compromised a Windows 7 host, both local and domain acount, but it can only compromise domain accounts that have previously logged onto the physical machine. Discussing the issue with a Windows admin there have been a couple of potential mitigations developed, but at this point these have yet to be put to the test.

Linux compromise seems to be less powerful as you log in as a new kon-usr user, albeit with UID 0 for superuser privs. Full authentication doesn’t seem available however; the kon-usr drops in at the command line but KDE kicks up an authentication error when trying to start a GUI session.

I still intend to test my Kon-Boot drive against a machine with an encrypted hard drive, I’m not convinced it will work as my current hypothesis is that the Kon-Boot Kernel modifications will be attempted before the drive is unencrypted. I’ll update once I’ve been able to put the hypothesis to the test in a lab.

For the time being Kon-Boot is a permenant addition to my tool-kit, as there are plenty of scenarios that make KonBoot a legitimate tool for both security and non-security techies alike. Thanks to www.piotrbania.com for development and release.

Andrew Waite

Advertisements

Updated wardrive rig

This post should be short and sweet as Dale beat me to the punch with an excellent write up of wardriving with BT4. Thanks to some back and forth advice, Dale’s hardware setup is also nearly identical to mine so I wont repeat anything he’s already published. But his post did push me to stop abandoning my wireless kit and update my tools.

The primary change is that I’m now running BT4, rather than BT3; still from a bootable USB drive created via Unetbootin. This provides easy access to the vastly updated Kismet Newcore, Mike Kershaw has done some wonderful work with this release. I’ve found Newcore to be vastly simpler to run than previous Kismet versions, primarily as you can now add additional source interfaces to the setup from the console client itself, rather than needing to modify the config files with some archaic black magic.

Also included within BT4’s toolset is Jabra’s excellent giskismet utility, this provides the same functionality (and more) as my previous kismet2gmapstatic attempts. Since I started development on my home brew tools I’ve had several people point me toward giskismet, wish they’d done so beforehand as it would have saved me some (now defunct) development time. I fully intend to go into more depth with giskismet’s capabilities in a seperate post once I’ve fully got to grips with it as my initial opinion is that this tool is great, so watch this space.

I’ve got the wireless bug again, so if you see a car with plenty of USB cables going through the passenger window be sure to say hi!

Andrew Waite

Categories: Tool-Kit, Wireless

ZeroWine

Zero Wine is:

an open source (GPL v2) research project to dynamically analyze the behavior of malware. Zero wine just runs the malware using WINE in a safe virtual sandbox (in an isolated environment) collecting information about the APIs called by the program.

The output generated by wine (using the debug environment variable WINEDEBUG) are the API calls used by the malware (and the values used by it, of course). With this information, analyzing malware’s behavior turns out to be very easy.

Install was fairly simple as ZeroWine is distributed as a Qemu virtual image. Qemu, is downloaded here, and ZeroWine here.

To start the ZeroWine image I use the command (change filepaths to suit your install):

>qemu.exe c:\zerowine_vm\zerowine.img -no-kqemu -L . -redir tcp:8000::8000

Once running you can access the service by pointing a browser to localhost/8000 (the ‘-redir tcp:8000::8000’ parameter redirects the ZeroWine image’s port to your local system). This provides a simple web interface to upload and analyse your malware sample:

For a test run I uploaded the most recent sample collected by my Nepenthes honeypot, MD5 hash 3c9563dacd9afe8f2dbbe86d5d0d4c5e. The report generated shows the results of ZeroWines analysis, example below:The first section shows the behavioural analysis of the malware, this should be the most useful aspect of the ZeroWine framework. However as the ZeroWine page itself states, the output is ‘very long and, as so, hard to understand‘ and is unable to distinguish between system calls made by the malware and the underlying analysis framework. As a result I personally find the information provided by the report less useful than it could be.

There are definitely better sources for generating automated analysis of malware samples, for example VirusTotal or CWSandbox. However, depending on how the malware sample was obtained legal or business requirements may prevent you from releasing the sample to a third party, and not all provided services can provide the immediate response of a local system; meaning ZeroWine can still be a valid and useful tool in your arsenal.

Taking the concept forward, Jim Clausing recently released an excellent paper on setting up an automated malware environment with open source tools. I haven’t had a chance to try out any of Jim’s suggestions, but have read the paper and listened to the related podcast and the recommendations are definitely on my todo list to improve my malware analysis toolkit.

Andrew Waite

June SuperMondays Review

2009/07/14 Comments off

This review of June’s event is more than a little late, but it was still a great event. The format was different this time around, with an open podium. This produced some interesting and unexpected topics, the first being an introduction into the world of geocaching from Alastair McDonald.

Alastair’s talk caught me unawares as I was expecting a technical overview of maintaining geographically dispersed content and services for load-balancing and DR. Instead I was introduced to a world of following GPS co-ordinates to find hidden caches of goodies, in the real-world. Whilst the concept of geocaching was new to me, once aware of it’s presence it appears to be a very popular hobby, Twitter seems to be full of people all over the globe discussing success or failure of searching for various caches. I’m failing to fully do justice to Alastair’s presentation and geocaching as whole, so I’d advice watching the footage yourself (along with the rest of the talks).

Second up, was the Ecommerce Experiment. The team are setting up an ecommerce site in an unfamiliar market over the next three years, and are blogging and tweeting all there experiences, positive and negative, throughout the entire process. Their presentation was interesting enough, but I’ve been following their posts since and the material is always interesting and shows a side of online commerce normally kept behind closed doors.

Third was Mike Parker with a demo of Drupal, with the goal of ‘work less, surf more’. Web site creation isn’t exactly my forte (check www.infosanity.co.uk if you don’t believe me), but Drupal seems to be a very powerful framework, with plenty of real-world application.

Finally Ryan (@ethicalhack3r), discussed the latest release of DVWA. I won’t go into too much detail, as I’ve already reviewed DVWA previously. If your interested in this area of research, check the archive footage of Ryan’s talk.

Whilst the presentations were all good, but as usual the real value of SuperMondays is the networking opportunity and the discussions before and after. Which begs the question, if you’ve not been to the event why not? Next meeting is July 27th, and the topic is still up for debate, so get involved.

Andrew Waite

Categories: SuperMondays

Starting out with physical security

Several months ago I was involved in a discussion focusing on steps taken to secure information systems, and came to the realisation that all the counter measures and protections where network and system based. As a joke I asked what was the point if someone could pick the building locks and walk out with the hard drives. Surprisingly to me, everyone stop talking and looked slightly concerned. Since then I’ve been toying with the same question: “What is the point of firewalls, IDS, patches etc. if the data isn’t physically protected?”

After doing some research I decided to put the theory to the test and find out how effective common physical security actually is. My first set of tools and training material arrived today, a set of 20 lockpicks and tension tools, a beginners instruction guide and a see-through lock for practice from Southord. The delivery impressed me for speed, at point of purchase Southord stated a three to five week delivery time to Europe, in practice delivery was less than a week; thank you Southord (and Dale Pearson for recommending the set)

Whilst waiting I have been researching the topic quite heavily and have found the forums at lockpicking 101 to be invaluable and need to say thank you to those who have freely contributed information. Hopefully I’ll be able to contribute back to the community once I gain some ability and knowledge.

It’s going to take a lot of practice and persistence before I’m anywhere close to proficient, but ask yourself the same question: Why spend thousands on information security if the physical protection isn’t up to the job?

Andrew Waite

Damn Vulnerable Web App, version 1.0.4

2009/07/10 1 comment

Ryan Dewhurst of ethicalhack3r.co.uk has created and been maintaining Damn Vulnerable Web App (DVWA). The goal of the project is to aid learning and teaching of the art of web application security.

Ryan provided an overview and demo of the suite at a recent SuperMondays open podium event, you can find an archive of the presentation here.

I’ve been looking at DVWA (current version is 1.0.4) and it is showing promise, especially as web application security is one of my weaker skill sets having limited experience in this field. DVWA currently focuses on six different attack vectors:

  • Brute-force
  • Command Execution
  • File Inclusion
  • SQL Injection
  • File Upload
  • Cross Site Scripting (XSS)

Each section provides help to exploit the target vulnerability, as well as providing access to the source code for white box review to aid full understanding of how the vulnerability exists and how it can be protected against. Each example attack vector also has the option of setting variable levels of implemented security, providing increasingly advanced attack vectors.

DVWA provides a solid basis for investigating and studying web application security issues, as well as a multitude of great links for further reading. For those of you with skill, or those that learn quickly there currently are vulnerabilities in even the high-security level versions of the code, but I’ll leave finding this as an excise for the reader.

Nice work Ryan, keep it up.

Andrew Waite

Categories: Exploit, Lab, Web App Security

Good night Milw0rm

Final Update: Crisis averted, Milw0rm is still up and functioning.

Looks like Milw0rm is calling it a night. Haven’ t been able to get any official word as the site is unavailable. As the site is now unavailable it’s hard to tell what happened, but an ISC diary has this message from the site:

Well, this is my goodbye header for milw0rm. I wish I had the time I did in the past to post exploits, I just don’t :(. For the past 3 months I have actually done a pretty crappy job of getting peoples work out fast enough to be proud of, 0 to 72 hours (taking off weekends) isn’t fair to the authors on this site. I appreciate and thank everyone for their support in the past.
Be safe, /str0ke

Always a shame when a big player in the infosec community closes it’s doors. My thanks to all those how contributed and ran the site when it was a going concern; and if anyone has a recent mirror, I’d appreciate a copy, mines a little dated 😥

Andrew Waite

Update:
Looks like the fat lady may not be singing for Milw0rm just yet, Str0ke post this on Twitter:

I have talked with a few friends and I’ll be handing the site over so a group of people can add exploits / other things to the site. Hopefully it will be a new good start

Plus Dale Pearson of Security Active pointed me in the direction of splo.it, which is currently posting nothing but a farewell to Milw0rm. Given the (rather cool) URL it may become Milw0rm’s spiritual successor.

Update 2:
This keeps on going, Milworm came back and then died under the load of people trying to grab an upto date archive (ISC Diary). Until/if Milw0rm comes back for good you can get a copy of the July archive via Security Database Tools Watch

Categories: Exploit, InfoSec, Reading, Tool-Kit