Saturday, November 15, 2008

Squirtle and MS08-068

HD Moore already did some great analysis on how the MS08-068 patch affected the SMB Relay attacks within Metasploit. The answer?

You can't attack the source workstation/server if MS08-068 has been applied.

This ONLY affects Squirtle if your evil agent attempts to communicate back to the victim. It should not impact attacking their IMAP, HTTP or File/Print servers.

As always the goal of Squirtle is to permit others to extend their own tools to permit the use of authentication requests from controlled browsers and at your own time or when the right users click on your evil link!

Have fun with the latest updates and thanks to Natron for pointing me towards HD's analysis.

Friday, November 14, 2008

Squirtle Updates: IMAP, Metasploit integration complete

I just gave a talk to everyone here at DeepSec 08. Other than the weather being a bit cold and wet Vienna is awesome. Everyone seems happy to be at this conference and to share and network with each other. It's always fun giving the Squirtle talk to new audiences and see their eyes light up as they start to get why this attack matters to their environments or how they could use it on a client's penetration test.

With the conclusion of this talk I'm happy to announce that two new evil agent updates have been completed!
  • IMAP Mirroring! Download a victim's entire IMAP directory! Use social engineering, have the help desk e-mail them a new password!
  • Metasploit integration! SMB Relay an enterprise's server farm with Squirtle!
Get the latest updates from the Squirtle SVN at http://squirtle.googlecode.com/. The MSF update is a patch against the as-of-writing-this MSF 3.2-current SVN code. If things change I'll try to keep it updated. Not sure if this is "MSF-code worthy" as it uses the JSON ruby gem vs processing the result manually. I had the library installed, didn't want to write my own parser. :P

On Nov 11th MSRC posted some information on MS08-068 implementing some changes to the NTLM protocol to neuter the SMB Relay attack and possibly (but not mentioned) Squirtle as well. I haven't had a chance to play with yet as I didn't want to possibly spoil the live demos so close to DeepSec. It's nearly time to spend the evening at Metalab so more information as it develops (I promise!)

Big thanks to everyone here at DeepSec for coordinating this one-of-kind conference. Vienna is such a beautiful place to visit, I only wish it would be earlier in the season when it's not so cold and dreary outside. I hope to come next year for DeepSec 09!

Also, look for my ugly mug to make an appearance on Help Net Security soon. It's a brief plea on using Squirtle and hopefully my excitement over reaching more people isn't too transparent. :)