Several months ago I tried accessing a Cisco whitepaper (can’t remember which one or what topic) and was prompted to register for a prize draw. I was bored to so thought ‘what the hell’, couple minutes later I was done and forgot about it. Until the post turned up this morning!
I cracked the box open and found a rather shiny looking pen (see below):
Very shiny box for a pen, but it turns out that Cisco know geeks; the pen also includes a 1GB USB drive!
And the perfect finishing touch? The end of the pen also includes a laser pointer, which has given me great enjoyment watching the dog chase and try to devour the red spot on the carpet. Thanks Cisco.
— Andrew Waite
VMware, Win7 & VirtualXP
<update-20091129>
Very grateful to Timmedin for pointing me in the direction of his recent work with the same issue. In usual form, Tim has even packaged up a powershell script to automate the workaround. Check his fix here, much cleaner and slicker than my own. If your still curious, read on for the backstory.
</update>
Since rebuilding part of my toolkit I’ve had issues connecting to my ESXi host server. I had originally thought this was a result of an upgrade from ESXi 3.5 to ESXi 4.0, and the resultant change from VMWare infrastructure client to the new vSphere client. After several hours and days fighting down a blind alley I found a forum post that highlighted Windows 7 as the culprit.
Further reading indicated that this is a widespread issue with no real solution. Best workaround appears to be to run the client within a sandbox via Microsoft’s Virtual XP environment for Windows 7.
After a couple of false starts the install process was fairly straightforward, found here. Simply select hardware architecture (32/64-bit), install a patch, then finally the Virtual XP image. Everything beyond this works as expected, a virtual XP machine. Once in the virtual environment install the vSphere client as normal to regain access your VMWare environment.
Knowing my preferences, observant readers may be wondering why not achieve the same results using a VMWare guest with the vSphere client installed. VMWare Server is already installed on my machine, and was one of my initial thoughts. However, Virtual XP and VMWare utilise virtualisation for different results. The Virtual XP client has several intergration features (can be disabled if prefered) that allow simple, native access of resources on the host machine (files, directories, peripherals etc) from within the guest. This makes working with either, and between, host and guess seamless. Obviously such intergration would be unsuitable for a lab environment as you want/need isolation, seperation and protection from the guest machines so VMWare still has it’s place. As usual, using the right tool for the right job is essential.
At this point I’m back in my lab, and the R&D rolls on, but the experience has led me to look more indepth and Virtual PC. I have started building a BackTrack4 guest with Virtual PC to run within my standard machine for everyday use. Having access to a Linux environment as simply as a double-click as per normal applications will hopefully be a nice addition to my usual working practice.
<UPDATE> BT4 works fine, but the X GUI fails to start. Guess I’ll need to polish up on my commandline kung fu </UPDATE>
— Andrew Waite
Kon Boot
I’m running behind the curve on this one, but after several of my usual sources suggesting KonBoot as a useful addition to any security toolkit. The premise of Kon-Boot is simple, by modifying the system kernel (Windows or Linux) upon boot there is no need to know the users password to access the system.
Kon-Boot is designed to boot via either floppy or CD, but thanks to the work of IronGeek it is relatively painless to get Kon-Boot running from USB.
Unetbootin continues to be a powerful tool, using which you create a bootable USB drive from the KonBoot floppy drive image. Raymond.cc has a great guide for the process, but ends with the limitation that KonBoot won’t function from USB; until IronGeek steps into the ring with a patch. Simply extract the archive to the root of the USB drive to update chain.c32 and syslinux.cfg then you’re good to go.
There are plenty of videos showing Kon-Boot in action, for example this one. I’ve successfully compromised a Windows 7 host, both local and domain acount, but it can only compromise domain accounts that have previously logged onto the physical machine. Discussing the issue with a Windows admin there have been a couple of potential mitigations developed, but at this point these have yet to be put to the test.
Linux compromise seems to be less powerful as you log in as a new kon-usr user, albeit with UID 0 for superuser privs. Full authentication doesn’t seem available however; the kon-usr drops in at the command line but KDE kicks up an authentication error when trying to start a GUI session.
I still intend to test my Kon-Boot drive against a machine with an encrypted hard drive, I’m not convinced it will work as my current hypothesis is that the Kon-Boot Kernel modifications will be attempted before the drive is unencrypted. I’ll update once I’ve been able to put the hypothesis to the test in a lab.
For the time being Kon-Boot is a permenant addition to my tool-kit, as there are plenty of scenarios that make KonBoot a legitimate tool for both security and non-security techies alike. Thanks to www.piotrbania.com for development and release.
— Andrew Waite
Updated wardrive rig
This post should be short and sweet as Dale beat me to the punch with an excellent write up of wardriving with BT4. Thanks to some back and forth advice, Dale’s hardware setup is also nearly identical to mine so I wont repeat anything he’s already published. But his post did push me to stop abandoning my wireless kit and update my tools.
The primary change is that I’m now running BT4, rather than BT3; still from a bootable USB drive created via Unetbootin. This provides easy access to the vastly updated Kismet Newcore, Mike Kershaw has done some wonderful work with this release. I’ve found Newcore to be vastly simpler to run than previous Kismet versions, primarily as you can now add additional source interfaces to the setup from the console client itself, rather than needing to modify the config files with some archaic black magic.
Also included within BT4’s toolset is Jabra’s excellent giskismet utility, this provides the same functionality (and more) as my previous kismet2gmapstatic attempts. Since I started development on my home brew tools I’ve had several people point me toward giskismet, wish they’d done so beforehand as it would have saved me some (now defunct) development time. I fully intend to go into more depth with giskismet’s capabilities in a seperate post once I’ve fully got to grips with it as my initial opinion is that this tool is great, so watch this space.
I’ve got the wireless bug again, so if you see a car with plenty of USB cables going through the passenger window be sure to say hi!
— Andrew Waite
ZeroWine
Zero Wine is:
an open source (GPL v2) research project to dynamically analyze the behavior of malware. Zero wine just runs the malware using WINE in a safe virtual sandbox (in an isolated environment) collecting information about the APIs called by the program.
The output generated by wine (using the debug environment variable WINEDEBUG) are the API calls used by the malware (and the values used by it, of course). With this information, analyzing malware’s behavior turns out to be very easy.
Install was fairly simple as ZeroWine is distributed as a Qemu virtual image. Qemu, is downloaded here, and ZeroWine here.
To start the ZeroWine image I use the command (change filepaths to suit your install):
>qemu.exe c:\zerowine_vm\zerowine.img -no-kqemu -L . -redir tcp:8000::8000
Once running you can access the service by pointing a browser to localhost/8000 (the ‘-redir tcp:8000::8000’ parameter redirects the ZeroWine image’s port to your local system). This provides a simple web interface to upload and analyse your malware sample:
For a test run I uploaded the most recent sample collected by my Nepenthes honeypot, MD5 hash 3c9563dacd9afe8f2dbbe86d5d0d4c5e. The report generated shows the results of ZeroWines analysis, example below:The first section shows the behavioural analysis of the malware, this should be the most useful aspect of the ZeroWine framework. However as the ZeroWine page itself states, the output is ‘very long and, as so, hard to understand‘ and is unable to distinguish between system calls made by the malware and the underlying analysis framework. As a result I personally find the information provided by the report less useful than it could be.
There are definitely better sources for generating automated analysis of malware samples, for example VirusTotal or CWSandbox. However, depending on how the malware sample was obtained legal or business requirements may prevent you from releasing the sample to a third party, and not all provided services can provide the immediate response of a local system; meaning ZeroWine can still be a valid and useful tool in your arsenal.
Taking the concept forward, Jim Clausing recently released an excellent paper on setting up an automated malware environment with open source tools. I haven’t had a chance to try out any of Jim’s suggestions, but have read the paper and listened to the related podcast and the recommendations are definitely on my todo list to improve my malware analysis toolkit.
— Andrew Waite
June SuperMondays Review
This review of June’s event is more than a little late, but it was still a great event. The format was different this time around, with an open podium. This produced some interesting and unexpected topics, the first being an introduction into the world of geocaching from Alastair McDonald.
Alastair’s talk caught me unawares as I was expecting a technical overview of maintaining geographically dispersed content and services for load-balancing and DR. Instead I was introduced to a world of following GPS co-ordinates to find hidden caches of goodies, in the real-world. Whilst the concept of geocaching was new to me, once aware of it’s presence it appears to be a very popular hobby, Twitter seems to be full of people all over the globe discussing success or failure of searching for various caches. I’m failing to fully do justice to Alastair’s presentation and geocaching as whole, so I’d advice watching the footage yourself (along with the rest of the talks).
Second up, was the Ecommerce Experiment. The team are setting up an ecommerce site in an unfamiliar market over the next three years, and are blogging and tweeting all there experiences, positive and negative, throughout the entire process. Their presentation was interesting enough, but I’ve been following their posts since and the material is always interesting and shows a side of online commerce normally kept behind closed doors.
Third was Mike Parker with a demo of Drupal, with the goal of ‘work less, surf more’. Web site creation isn’t exactly my forte (check www.infosanity.co.uk if you don’t believe me), but Drupal seems to be a very powerful framework, with plenty of real-world application.
Finally Ryan (@ethicalhack3r), discussed the latest release of DVWA. I won’t go into too much detail, as I’ve already reviewed DVWA previously. If your interested in this area of research, check the archive footage of Ryan’s talk.
Whilst the presentations were all good, but as usual the real value of SuperMondays is the networking opportunity and the discussions before and after. Which begs the question, if you’ve not been to the event why not? Next meeting is July 27th, and the topic is still up for debate, so get involved.
— Andrew Waite
Starting out with physical security
Several months ago I was involved in a discussion focusing on steps taken to secure information systems, and came to the realisation that all the counter measures and protections where network and system based. As a joke I asked what was the point if someone could pick the building locks and walk out with the hard drives. Surprisingly to me, everyone stop talking and looked slightly concerned. Since then I’ve been toying with the same question: “What is the point of firewalls, IDS, patches etc. if the data isn’t physically protected?”
After doing some research I decided to put the theory to the test and find out how effective common physical security actually is. My first set of tools and training material arrived today, a set of 20 lockpicks and tension tools, a beginners instruction guide and a see-through lock for practice from Southord. The delivery impressed me for speed, at point of purchase Southord stated a three to five week delivery time to Europe, in practice delivery was less than a week; thank you Southord (and Dale Pearson for recommending the set)
Whilst waiting I have been researching the topic quite heavily and have found the forums at lockpicking 101 to be invaluable and need to say thank you to those who have freely contributed information. Hopefully I’ll be able to contribute back to the community once I gain some ability and knowledge.
It’s going to take a lot of practice and persistence before I’m anywhere close to proficient, but ask yourself the same question: Why spend thousands on information security if the physical protection isn’t up to the job?
— Andrew Waite
Damn Vulnerable Web App, version 1.0.4
Ryan Dewhurst of ethicalhack3r.co.uk has created and been maintaining Damn Vulnerable Web App (DVWA). The goal of the project is to aid learning and teaching of the art of web application security.
Ryan provided an overview and demo of the suite at a recent SuperMondays open podium event, you can find an archive of the presentation here.
I’ve been looking at DVWA (current version is 1.0.4) and it is showing promise, especially as web application security is one of my weaker skill sets having limited experience in this field. DVWA currently focuses on six different attack vectors:
- Brute-force
- Command Execution
- File Inclusion
- SQL Injection
- File Upload
- Cross Site Scripting (XSS)
Each section provides help to exploit the target vulnerability, as well as providing access to the source code for white box review to aid full understanding of how the vulnerability exists and how it can be protected against. Each example attack vector also has the option of setting variable levels of implemented security, providing increasingly advanced attack vectors.
DVWA provides a solid basis for investigating and studying web application security issues, as well as a multitude of great links for further reading. For those of you with skill, or those that learn quickly there currently are vulnerabilities in even the high-security level versions of the code, but I’ll leave finding this as an excise for the reader.
Nice work Ryan, keep it up.
— Andrew Waite
Good night Milw0rm
Final Update: Crisis averted, Milw0rm is still up and functioning.
Looks like Milw0rm is calling it a night. Haven’ t been able to get any official word as the site is unavailable. As the site is now unavailable it’s hard to tell what happened, but an ISC diary has this message from the site:
Well, this is my goodbye header for milw0rm. I wish I had the time I did in the past to post exploits, I just don’t :(. For the past 3 months I have actually done a pretty crappy job of getting peoples work out fast enough to be proud of, 0 to 72 hours (taking off weekends) isn’t fair to the authors on this site. I appreciate and thank everyone for their support in the past.
Be safe, /str0ke
Always a shame when a big player in the infosec community closes it’s doors. My thanks to all those how contributed and ran the site when it was a going concern; and if anyone has a recent mirror, I’d appreciate a copy, mines a little dated :'(
— Andrew Waite
Update:
Looks like the fat lady may not be singing for Milw0rm just yet, Str0ke post this on Twitter:
I have talked with a few friends and I’ll be handing the site over so a group of people can add exploits / other things to the site. Hopefully it will be a new good start
Plus Dale Pearson of Security Active pointed me in the direction of splo.it, which is currently posting nothing but a farewell to Milw0rm. Given the (rather cool) URL it may become Milw0rm’s spiritual successor.
Update 2:
This keeps on going, Milworm came back and then died under the load of people trying to grab an upto date archive (ISC Diary). Until/if Milw0rm comes back for good you can get a copy of the July archive via Security Database Tools Watch
kismet2gmapstatic: Updated versions
I’ve spent the day adding some additional functionality to my GPS mapping proof of concept (original here).
The second release, kismet2gmapstatic-0_2.py, changes the scripts output to wrap the Google maps API call in a self contained HTML page, and contains multiple map images to mitigate the URL length limit.
The third release, kismet2gmapstatic-0_3.py, builds on the HTML framework and includes additional information on each mapped access point: SSID, channel and available encryption options.This will likely be the final release of kismet2gmapstatic in this form, the code has grown organically without any real planning and as a result is a hideous mess, but as a PoC I feel it has served it’s purpose. I still have several ideas and additional functionality that I would like to implement, so watch this space for similar tools in the future.
— Andrew Waite