Wednesday, July 8, 2009

OpenSSH Exploit Alert

A lot of talk has been taking place about an underground openssh exploit. It appears to be linked to the following exploit tools:

“./0pen0wn” or “./0penPWN” by the hacker group called “anti-sec.”

anti-sec:~/pwn/xpl# ./openPWN -h  -p 22 -l=users.txt
[+] openPWN - anti-sec group
[+] Target:
[+] SSH Port: 22
[+] List: users.txt

[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]

and:

anti-sec:~/pwn/xpl# ./0pen0wn -h  -p 22
[+] 0wn0wn - anti-sec group
[+] Target: 66.197.143.133
[+] SSH Port: 22
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]

One website reported a log of the attack that can be found here. There is a lot of discussion about whether this is real or not. Until more information is released on this issue, it is recommended to make sure that your OpenSSH is at the current version and uses a secure configuration, and that you are monitoring the activity against your systems.
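As an added example (not part of the original post, and nothing to do with the tool shown above), here is the monitoring half of that recommendation: a small Python script that parses OpenSSH auth-log lines and flags any source that sweeps through a list of usernames, then reports whether that same source later got a login accepted. The log lines are constructed sample data; hostnames and addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH's syslog format (not from any real system).
SAMPLE_LOG = """\
Jul  8 10:15:01 web1 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Jul  8 10:15:02 web1 sshd[1235]: Failed password for root from 203.0.113.5 port 40123 ssh2
Jul  8 10:15:03 web1 sshd[1236]: Failed password for invalid user oracle from 203.0.113.5 port 40124 ssh2
Jul  8 10:15:04 web1 sshd[1237]: Failed password for invalid user test from 203.0.113.5 port 40125 ssh2
Jul  8 10:15:09 web1 sshd[1238]: Failed password for bob from 198.51.100.7 port 51000 ssh2
Jul  8 10:15:20 web1 sshd[1239]: Accepted publickey for bob from 198.51.100.7 port 51001 ssh2
Jul  8 10:15:30 web1 sshd[1240]: Accepted password for root from 203.0.113.5 port 40126 ssh2
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port \d+")


def summarize(log_text):
    """Group failed-login usernames by source address and collect accepted logins."""
    failed = defaultdict(set)           # source -> set of usernames tried
    accepted = []                       # (source, user, auth method)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failed[m.group(2)].add(m.group(1))
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted.append((m.group(3), m.group(2), m.group(1)))
    return failed, accepted


def flag_user_list_attacks(log_text, min_users=3):
    """Report sources that tried at least min_users distinct usernames (a wordlist
    sweep rather than a typo), together with any login the same source later got
    accepted, which is the case that needs immediate investigation."""
    failed, accepted = summarize(log_text)
    findings = []
    for src, users in failed.items():
        if len(users) >= min_users:
            hits = [(user, method) for s, user, method in accepted if s == src]
            findings.append({"source": src, "users_tried": sorted(users), "accepted": hits})
    return findings


if __name__ == "__main__":
    for finding in flag_user_list_attacks(SAMPLE_LOG):
        print(finding)
```

A single user with a few failed attempts (bob above) is never reported; a source that tries several accounts and then succeeds with a password is the one to act on.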

Tuesday, May 26, 2009

Kon-Boot: Bypass Windows/Linux Login

I have used the Offline NT Password & Registry Editor tool to gain administrative access on systems for various reasons (e.g., forgotten password, penetration testing, forensic investigation, etc.). Sometimes, especially during a penetration test, you need to gain access without leaving evidence that you were there. You cannot use this tool without someone knowing that their password has been changed. I just came across a tool that allows you to gain access to a system using any password!

"Kon-Boot for Windows enables logging in to any password protected machine profile without any knowledge of the password. This tool changes the contents of the Windows kernel while booting; everything is done virtually, without any interference with physical system changes."

Operating Systems Affected
  • Windows Server 2008 Standard SP2 (v.275)
  • Windows Vista Business SP0
  • Windows Vista Ultimate SP1
  • Windows Vista Ultimate SP0
  • Windows Server 2003 Enterprise
  • Windows XP
  • Windows XP SP1
  • Windows XP SP2
  • Windows XP SP3
  • Windows 7
  • Gentoo 2.6.24-gentoo-r5 (GRUB 0.97)
  • Ubuntu 2.6.24.3-debug (GRUB 0.97)
  • Debian 2.6.18-6-686 (GRUB 0.97)
  • Fedora 2.6.25.9-76.fc9.i686 (GRUB 0.97)

To get started, download the ISO or floppy image and just reboot the system. When prompted for a password, pick anything and you’re in!!!

Floppy Image DOWNLOAD
ISO Image DOWNLOAD

Tuesday, April 21, 2009

Watcher - Web Testing and Compliance Tool

I have written in the past on the topic of having a testing toolkit and knowing what the tools do as well as when to use them. Most of my work and research lately has been on application security. There are many great tools for testing web applications. I came across a new tool called Watcher that has been getting a lot of attention and is a tool that I have been using a lot lately.

Watcher is a plugin for the Fiddler HTTP debugging proxy with the following features:
  1. Passive detection of security, privacy, and PCI compliance issues in HTTP, HTML, Javascript, and CSS
  2. Works seamlessly with complex Web 2.0 applications while you drive the Web browser
  3. Non-intrusive, will not raise alarms or damage production sites
  4. Real-time analysis and reporting - findings are reported as they’re found, exportable to XML
  5. Configurable domains with wildcard support
  6. Extensible framework for adding new checks
Unlike most security testing tools that intrusively probe an application for vulnerabilities and weaknesses, Watcher does all of the security checks in the background, silently, while you browse through an application.

Over 30 checks are included in the framework:
  • Cross-domain stylesheet and javascript references
  • User-controllable cross-domain references
  • User-controllable attribute values such as href, form action, etc.
  • User-controllable javascript events (e.g. onclick)
  • Cross-domain form POSTs
  • Insecure cookies which don't set the HTTPOnly or secure flags
  • Open redirects which can be abused by spammers and phishers
  • Insecure Flash object parameters useful for cross-site scripting
  • Insecure Flash crossdomain.xml
  • Insecure Silverlight clientaccesspolicy.xml
  • Charset declarations which could introduce vulnerability (non-UTF-8)
  • User-controllable charset declarations
  • Dangerous context-switching between HTTP and HTTPS
  • Insufficient use of cache-control headers when private data is concerned (e.g. no-store)
  • Potential HTTP referer leaks of sensitive user-information
  • Potential information leaks in URL parameters
  • Source code comments worth a closer look
  • Insecure authentication protocols like Digest and Basic
  • SSL certificate validation errors
  • SSL insecure protocol issues (allowing SSL v2)
  • Unicode issues with invalid byte streams
  • Sharepoint insecurity checks
  • more….
Keep an eye on this tool as the Microsoft SDL team is excited about it and they are looking at incorporating Watcher in a future version of the Microsoft SDL.
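To make the "passive" part concrete, here is an added example (my own illustration, not Watcher's code): a handful of the checks from the list above, written in Python and run over a constructed HTTP response as a proxy would see it. The URL, headers and body are made-up sample data, and the page is assumed to carry private account data so that the cache-control check applies.

```python
import re
from urllib.parse import urlparse

# Constructed sample of one captured response (not a real site): request URL, headers, body.
SAMPLE_URL = "https://shop.example.com/account/orders"
SAMPLE_HEADERS = {
    "Set-Cookie": ["sessionid=abc123; Path=/", "lang=en; Path=/; Secure; HttpOnly"],
    "Cache-Control": "public, max-age=600",
    "WWW-Authenticate": 'Basic realm="orders"',
}
SAMPLE_BODY = """<html><head>
<script src="http://cdn.example.net/app.js"></script>
<link rel="stylesheet" href="/css/site.css">
</head><body>
<form action="http://tracker.example.org/submit" method="post"></form>
</body></html>"""
# Tags whose src/href/action attribute may pull content from, or post data to, another origin
REF_ATTR = re.compile(r'<(script|link|form)[^>]*?(?:src|href|action)="([^"]+)"', re.I)


def passive_checks(url, headers, body, private=True):
    """Watcher-style passive checks on one response; returns a list of finding strings.
    private=True means the page is assumed to carry user data (here: an account page)."""
    findings = []
    host = urlparse(url).hostname
    is_https = url.lower().startswith("https://")
    for cookie in headers.get("Set-Cookie", []):       # cookies missing HttpOnly / Secure
        name = cookie.split("=", 1)[0]
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly")
        if is_https and "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure")
    if private and "no-store" not in headers.get("Cache-Control", "").lower():
        findings.append("private page served without Cache-Control: no-store")
    scheme = headers.get("WWW-Authenticate", "").split(" ")[0]
    if scheme.lower() in ("basic", "digest"):           # insecure authentication protocols
        findings.append(f"insecure authentication scheme {scheme}")
    for tag, ref in REF_ATTR.findall(body):             # cross-domain refs and HTTPS->HTTP mixing
        ref_host = urlparse(ref).hostname
        if ref_host and ref_host != host:
            findings.append(f"cross-domain {tag.lower()} reference to {ref_host}")
        if is_https and ref.lower().startswith("http://"):
            findings.append(f"HTTPS page references HTTP resource {ref}")
    return findings


if __name__ == "__main__":
    for f in passive_checks(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY):
        print(f)
```

Nothing here sends a request of its own; every finding comes from inspecting traffic the browser already generated, which is what lets this style of check run against production without raising alarms.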

Thursday, April 2, 2009

Conficker Testing

Up until today, all of the automated checks for Conficker have been network based (SCS, nmap, Nessus). Continued research with these tools showed that the scanning techniques used were not detecting all infected hosts, and that one of the scanning tools carried the risk of crashing the systems it scanned.

Today, Tenable released an update to their conficker plugin (#36036) that now uses credentials to log into a host and scan the local system for the presence of the Conficker virus. This type of check provides a higher level of assurance for detecting infected systems and is much safer than the previous ways of checking.

If you have access to the Tenable ProfessionalFeed or HomeFeed, I highly encourage the use of this new plugin to check your environment!

Wednesday, April 1, 2009

Conficker - April Fools?!?!

Today is the big day, right? Or is today a joke on us from the author of conficker? You would think that a person with malicious intent would not want to make an update to their software on the day that everyone is watching!

On another note, if you are using nmap to detect infected systems within your environment, you may need to update the script.

I downloaded the beta version of nmap (nmap-4.85BETA5.tar.bz2) when it was first released. Every system probed (over several thousand systems) for conficker was being marked as "Likely INFECTED"!!! This did not seem right. Using the "Trust But Verify" approach, I used the Simple Conficker Scanner against a number of the identified systems and it marked each system as "seems to be clean". Now what?!?!?!

I reviewed the smb-check-vulns script and there is a flaw with the script. Every system, by default, will get marked as "Likely INFECTED" instead of "Likely CLEAN" when found clean....errr....likely clean.

The script has been fixed, and you should grab the latest script or update your nmap through the SVN repository.

Thursday, February 12, 2009

Hidden USB Storage

Gadgets are fun! While exploring through the Instructables website, I came across a hidden USB Storage idea using a USB stick and a standard phone jack.

While there are a lot of interesting ideas on Instructables, I prefer Hack a Day for some really awesome technical projects. Back to the hidden USB storage idea.....

To build the device seen in the picture, take a standard USB cable, strip the four wires, and connect them to either end of a telephone line jack and port; you've got a cool little connectivity solution.

Monday, January 26, 2009

Wepawet - Website Analysis Made Easy

In December of 2008, I found a great tool called Wepawet that I now use during my threat research. Wepawet stands for Web Engine to Protect from and Analyze Widespread and Emerging Threats. It is a collection of tools that use static and dynamic techniques to analyze web content and identify possible malicious behavior. It currently supports analyzing Adobe Flash and JavaScript files.

Wepawet was created by the Computer Security Group at UCSB. I've had the pleasure of interacting with the students of this great program and have competed against their team at several Defcon CTF competitions.

In the past, I have used Exploit Prevention Labs' LinkScanner to find out if a URL was serving malicious code. While I was researching a new Waledac URL (seocom.mobi), I found the Wepawet analysis of this site and all of its "evilness". The website was serving up eleven (11) exploits for various vulnerabilities.

Check out the output of this tool and use it. I have found it to be very valuable!