Archive for March, 2012

ms12-020 mitigations

2012/03/16 Comments off

This week has been an interesting one for followers of the info-sec arena. On Tuesday Microsoft released a patch and security bulletin for MS12-020 for a critical flaw in remote desktop protocol, allowing for remote code execution without the need to authenticate to the target system first. Since the patch was released the good, the bad and the ugly of infosec have been attempting to reverse engineer the patch to develop a functional exploit; and over the last 24hrs PoC code has started to become publicly available.

As a result, the SANS Internet Storm Centre has raised their InfoCon threat level to Yellow. This is because weaponised versions of functional exploit code are expected over the coming days and weeks, with past experience making it likely that the exploit will be linked to worm capabilities for automated propagation.

So, the sky is falling right? Not as much as the furore would have you believe. Despite this does have the potential to become a well known, well exploited and long running bug; it is defensible with solid practices in play.

  1. Turn it off: If you don’t need RDP (or any port/service for that matter), turn it off. Reduces the attack vector against known or unknown weaknesses in the service
  2. Patch it: Microsoft released a patch of the weakness on Tuesday BEFORE exploit code was widely publicly available. You should be patching systems as standard operations; if you’re not, no would be a good time to catch up and remove the oversight.
  3. Limit access: If you can’t turn the service off because you need it, does it need to be available to world? If not restrict access to trusted source locations only via either perimeter or host based firewalling (or both). It doesn’t remove the threat completely, but it should severely reduce the risk if you’re not accepting connections from any machine on the internet. Only allowing access to the port via a VPN connection would also reduce the ability of a malicious source to connect to the service.
  4. (Bonus Point) Logging: Make sure you keep a close eye on your system logs; if you do get compromised, the damage could be limited if you can identify and respond to the breach promptly.

I’ve enjoyed watching the action this week, and the potential fallout has the potential to be more interesting still; but you should be able to prevent your systems from become part of a large statistic of low-hanging fruit with a few easy or common steps to securing your environment against the threat.

–Andrew Waite

Categories: Exploit, InfoSec, MS Windows

echo “fat” | sed s/a/i

2012/03/15 1 comment

More of a personal post this time; the post title(*) is about as geeky as it gets, if you’re only here for the tech then you may want to skip this one 🙂

I’m a geek (no surprises there), and thanks to too many hours hunched of the keyboard in the dark coding away into the small hours I’ve come to resemble the stereotype; overweight, four-eyed and (preferably) in black. I always assumed that this was me, and was happy with that; but towards the end of last summer there appeared to be an increase in geeks and hacker-types pushing to get fitter: Hackerrun came and went, and a couple of my clients participated in a local 10k run. So I thought I’d see what all the fuss was about and join in.


At the time I came across the Couch to 5k program, which claims to be a nine week training program that will take you from zero fitness to being able to run 5k. Three workouts a week, no more than 30minutes a workout; even I can find time to squeeze that into my routine when I try to. I can definitely vouch for the zero fitness aspect of the program, the very first workout has you running for only one minute at a time (and who can’t run for a minute?). Well, it turned out I couldn’t…..

I’m still not running 5k yet despite being training for more than nine weeks, but I’m definitely getting there and I’m now completing training sessions that would have killed me 6 months ago without complaint.


Running has been going well, but I wanted to round out my training to get stronger as well as fitter; but as I don’t have room at home for large and expensive weight machines and don’t want to get locked into paying a gym for the next 12months or more I was struggling to find a way to incorporate this, until I came across the 100 pushup challenge.

The theory and training programme are similar to c25k, which I’m already comfortable with, follow a training plan and in eight weeks you’ll be able to do 100 consecutive pushups. Starting with an initial strength test of ‘how many pushups can you do without collapsing’ (I managed a meagre 6) you find a column on the training programme, and again have three workouts a week. This takes even less time than the 30minutes needed for the running sessions, I completed each of the week 1 sessions in ~5minutes each.

I only completed the last workout session of week 1 this morning, and already I managed a total of 44 pushups, with my last set being 12; twice what I was capable of at the start of the week. How’s that for progress?

IT Angle?

So, why am I sharing this? For one, I’m hoping that by throwing the fact that I’m training out in the public domain I’ll generate some peer pressure to keep going. It’s harder to stop if you have to explain to everyone why you’ve gone back to being lazy and unfit. Secondly, I wanted to share some of the apps, tech and services I’ve used so far in the hope it might help someone else.

I track all of my runs (and longer dog walking sessions) with RunKeeper. With the Runkeeper app on any GPS enabled smartphone it will track your route and pace of any run. Personally I find having stats, maps and other geekery tracking my progression helps keep my attention overtime. It’s also very simple to program the c25k workouts into runkeeper so your phone will beep when you’ve reach the time to switch between running and walking. Security warning: runkeeper doesn’t enforce HTTPS at login or elsewhere on the site, make sure your protected when you connect.

One word of caution, I found the GPS antenna on my phone becoming flaky so I recently upgraded to a dedicated sports watch, Garmin Forerunner 110. Not cheap, but still far cheaper than my outlay would have been if I was pounding the treadmill in a gym rather than the pavement for free.

On the pushup front, I’ve been using the Stronger app for tracking strength training and integrates nicely with RunKeeper to keep everything in the same place. The app works well, but I’ve found it to be ssssllllllloooooowwwwwwww at times.

Peer pressure time; if you’re a RunKeeper user my profile is here, feel free join my street team. If you’re not a RunKeeper user you can still use the same link to track my training progress and give me a friendly kick if I stop being active 😉

Never thought I’d say this, but I’m actually enjoying doing physical exercise now. And losing 10% of my starting body weight so far doesn’t hurt either; if I can do it, anyone can.

–Andrew Waite

(*) for the none ‘nix geeks reading this, the post title is a Bash one-liner. With the sed command changing the eventual output from fat to fit…..

Categories: Uncategorized

Pipal password analysis of Kippo password useage

2012/03/03 Comments off

Pipal is a tool for quickly and easily analysing password trends across many passwords, created by @digininja and @n00bz. Install (such as it is) is a straightforward affair; download, unpack, run. Standard usage is equally straightforward; ./pipal.rb ;

Download Pipal from here

I’ve not had too much opportunity run the tool myself, as Robin has been quick to release the results of Pipal’s analysis whenever a new breach has been made publicly available, results of this analysis can be found here.

So, trying to find an opportunity to give Pipal a run out, I decided to take a look at the passwords gathered by my Kippo installation. First up, I decided to take a look at the passwords used with added accounts once intruders compromise the system. Curious to see if the passwords chosen by those that break systems are vulnerable to the same weaknesses of standard users. This password list is quite short, so I’ll just add below:

  • zmxncbv
  • martin4e
  • sanja123hack
  • i123456
  • sistem123q
  • madaucusania
  • zaq12ws34edc
  • 3rwin89
  • b3s3mn0gumala
  • mylove120
  • zipp3r21
  • 19U!&u178
  • sor123in

The full results of this analysis is available here.

Pipal’s output from the analysis can be found here. I was surprised with some of the findings, >;60% of the passwords were 8 characters or less, many based on dictionaries words and only one utilising non-alphanumeric characters. Considering the people choosing these passwords gained access to the server by taking advantage of weak root password, I’d really expect better awareness of the importance of generating strong passwords. Guess not…..

Next up, I wanted to take a look at the passwords that are being used by bruteforce and scanning attempts to gain access to the honeypot installation. This password list is far longer than the list above, totalling 382374 entries. The full list input file is available here, and was generating by running the below SQL query against Kippo’s database. For the purposes of this analysis I decided to ignore authentication attempts that use blank passwords, but for the curious, attempts with passwords number 244062 attempts.

select count(password) from auth where password ;””;

For those not familiar with Kippo, it’s worth noting that it’s default root password (which I stuck with for this analysis) is ‘123456’, this will definitely have had an impact on the results below; partly because it features more prominently as attackers knowing the password confirm and utilise the the credentials, and bruteforce scanners will (may?) stop their attack once valid credentials are found, so that attempts which would have been made after ‘123456’ are not seen by the Kippo sensor.

The full output from Pipal from this analysis can be found here. Whilst the advice is weaker than ‘best practice’ advice on creating secure passwords, this data set indicates that simply choosing a password with 10 or more characters will avoid more 80% of remote password cracking attempts (local, offline attacks will be a different matter so take with a pinch of salt.

From finally getting my hands dirty with Pipal it’s a great tool, that does exactly what it sets out to do; give the users the numbers, so they can tell the story of the dataset.


Categories: Honeypot, Kippo