Archive

Archive for September, 2009

Review: Professional Penetration Testing (for EH-net)

2009/09/28 1 comment

I was recently asked by Don over at EH-Net if I would be interested in reviewing a new book by Thomas Wilhelm of Heorot.net: ‘Professional Penetration Testing: Creating and operating a formal hacking lab’. Naturally I jumped at the opportunity.

I don’t want to discuss the book in too much detail here, as you can read the full review at Ethical Hacker here, but the book is a great addition to my home library. Don also worked his magic to convince the publisher to release a chapter from the book free of charge, chapter four covers the initial setup and configuration of hack lab environment, and can be downloaded from the review.

Hope the review is of use to someone out there, thanks to Thomas for writing the book in the first place and to Don for hooking me up with the review.

Andrew Waite

Advertisements
Categories: InfoSec, Lab, Reading, VMware

AV killing with powershell

2009/09/24 Comments off

A colleague recently introduced me to scripting with Powershell. After seeing a couple of examples of it’s strength for handling legitimate administration tasks my devious side came into play and I started imaging havok in my head.

As a starting project for getting to grips with Powershell basics I thought I’d try a proof of concept to replicate Meterpreter’s ability to disable AV and other defence mechanisms within the getcountermeasure function. I love meterpreter, but sometimes you need to work with more primitive native tools, as Powershell is starting to be included by default within Windows systems it is now one of the ‘primitive’ tools. My theory was that this should give me a bit of a challange, without jumping in at the deep end.

Well I was wrong, I guess showing the strength of Powershell this proved not to be a challange at all. The code below reads a list of unwanted processes from a text file, and kills the processes. All in four lines of code (I’m told this could be shortened at the expense of readability)

#read list of AV processes to kill
$avprocs = Get-Content AVprocs.txt

#kill all unwanted processes
foreach( $procname in $avprocs)
{
Stop-Process -name $procname
}
#simples…..

The next time you pop a Windows box don’t dispare, there’s more power available than just batch scripts 😀

Andrew Waite

P.S. Before anyone shouts about aiding skiddies, the above code could have some great legitimate uses as well; from automatically cleaning up infected systems to aiding productivity by adding doom.exe to the list of processes 😉

The possibilities are endless, both good and bad.

Real world social engineering attempt

2009/09/21 1 comment

Coincidently with my current interest in social engineering practices I believe I recently encountered a real world attempt aimed in my direction. Late Saturday evening received a call claiming to be from the local police department in reference to a speeding ticket.

Something immediately seemed of as caller asked ‘who am I speaking?’ rather than ‘can I speak to X?’. The caller then proceeded to request a meeting at my house for an interview, asking both when we’d be available and ‘what is your address?’, despite the fact the caller had supposedly sent the ticket information in the post.

At this point the call was terminated at this end as confidence was fairly high that the caller wasn’t genuine and the caller recieved no information beyond the fact that a human was available to answer the phone. I’m also confident that I won’t see a ticket in the post this week (unless by strange coincidence).

Best guess is that this may have been recon for a potential burglary (What is your address? When will you be home?) or  potential pre-text for an on site visit (‘policeman’ turns up for interview and needs to use ‘bathroom’). The incident has been reported to the authorities and, with the exception of being advised to lock all windows and doors when not home (obviously don’t know I’m already overly paranoid), the incident won’t be taken any further at this time.

Hopefully nothing further will come as a result of this incident but has left me spooked nonetheless. Information security seems to be all fun and games, until you encounter some of the theory in the real-world, away from prior-permission and contracts.

Andrew Waite

Categories: Social Engineering

Social-Engineer.org

2009/09/21 Comments off

Social-Engineering has always been an interest of mine, whilst I’m not too good deceiving people in person, the potential of [spear-]phishing and physical media drops is too appealing to ignore. Recently there has been a good step forward in the maturity of the field with the opening of social-engineer.org.

If you’re not willing to take my word for the quality of the site, and it’s potential for future resources check out the list contributors in the ‘Team’ section. Some members of the S-E.org team also discuss the project on episode 34 of Exotic Liability.

The resources section of the site already has some high quality video tutorials showing some basic social engineering vectors including the Social Engineer Toolkit (SET) which forms part of the S-E.org framework. SET promises to make the creation and implementation of social engineer attack vectors simpler and easier to control.

I’m expecting some useful resources to be generated and released by this project, definitely one to check back with periodically.

Andrew Waite

Categories: Social Engineering

Python Whois class

2009/09/17 1 comment

After too long away from the project I have been trying to implement some additional functionality to my submissions2stats script for parsing Nepenthes log files. Something that I’ve had in mind for a while is utilising Whois data to better analyse the source of the malware submissions.

I had assumed that this would be relatively simple, after all the ability to port any required functionality is an integral part of geek humour. This wasn’t to be the case this time as I was unable to find anything this time around (although I didn’t discover giskismet until after I’d wrote my kistmet2gmapstatic scripts). To cover the functionality I have written a short python class that queries a 3rd party whois service for a provided IP address and provides metods to access the returned data.

The script can be accessed here. Hopefully others will find this of some use. Example output from the script’s .out() method targetting www.bcc.co.uk:

Whois information for 212.58.253.67
Origin:           AS2818
Inetnum:       212.58.224.0 – 212.58.255.255
Netname:      UK-BBC-991005
descr:              BBC
Country:        GB

N.B. Text is tab delimeted in actual usage

I’ve started adding the class’ functionality into my submissions2stats script. So far things are progressing well and hopefully I should be able to have an updated script available shortly.

Andrew Waite

Categories: Python

Review: Ecommerce, subversion & git @ SuperMondays

2009/09/04 Comments off

Tuesday night provided an interesting evening, and for more than just the somewhat non-geeky location at the Side Cinema. As usual I’ve been beaten to the punch for a review of the event; the offical review, and videos of the presentations can be found at supermondays.org.

David Coxon provided the opening presentation, discussing his project to create an ecommerce shop for the Baltic gallery. As I’d expected of David the talk was interesting, and given the time and budget available the outcome of the project is impressive. The full presentation can be seen here and slides here. David can provide a better insight into the project than I can, so I’ll just say nice work.

The second aspect of the night was a (surprisingly) lively debate on source control systems. Paul Callaghan started by outlining the problem with the ‘traditional’ method of version control with naming schemes for files and folders, before introducing a better system with the use of Git, a distributed version control system. Alex Kavanagh added an alternative solution, in the more commonplace Suberversion/SVN.

From what I could take from the discussions Subversion is more commonly favoured in the business world as it provides a centralised repository, allowing for better management (access control, backups etc.) but Git provides some (arguably) better features and is ‘cooler’ (apparently).

If you work on any project that creates a significant volume of code or documentation you should definitely consider a revision control system of some description. In my case I’m looking at Git for my next project, from Paul’s demo it seems like an easy learning curve into a new working paradigm.

Finally David Livingstone from the University of Northumbria’s School of Computing, Engineering and Information Sciences introduced the Raquel Database System. Raquel is being built as an alternative to existing database technologies, the developers are currently looking for additional testers and project members, if you have any interest in the project contact David at the university.

The night ended, as usual, at the bar. Again as usual this provided many interesting discussions with other group members, if you haven’t already been, or have been to a previous event but not recently, get yourself down to the next SuperMondays event.

Andrew Waite

Categories: SuperMondays