Security « Security related discussions, articles, and tutorials

As promised from my talk last night on hunting malware with volatility at the Boston Security Meetup Here are the slides.

Hunting Malware With Volatility – Slides

I am still working on the video demo I will upload and post here when it is finished.

Hope you all enjoyed the presentation =) Thanks to Rapid7 for hosting the meetup it was awesome and the conference room was amazing. I want that table =)

Ok it has been a week since DerbyCon and I am still drinking Kentucky Bourbon =)

In all seriousness DerbyCon is one of the best conferences I have been too and it easily goes head to head with DefCon.  The talks were awesome and not just repeats of previous talks given at other cons.  Plus the people I talked with and met were amazing, friendly, and willing to talk about anything especially bourbon =)  To @Rel1k @pure_hate @irongeek well done guys.  All the staff made it an awesome con as well.  I am going back next year and the year after, well you get the picture. The point is you should have been there =)  Don’t miss net years DerbyCon it will be epic.  Shout outs to my friend Buffalo Trace and all the cool people I met at DerbyCon.

Over the past couple of months I have been very busy with a new job and school.  Originally, I did not think I would be able to make it to Defcon 19.  The closer and closer it came to Defcon I felt the need to attend, even after I canceled my original flight and hotel reservations.  The week of Defcon I gave in and got a flight to Las Vegas and a hotel room at Bally’s since the rooms at the Rio by then were highly over priced coming in at $364 a night wow, Bally’s was a lot more reasonable at $130 a night.  So I got the flight the room all squared away, woke up on Friday morning at 6am to go to work until 5pm head to Logan airport and catch my 7:55pm flight to vegas.  I was TIRED….   It was an awesome weekend full of great talks, people, and of course drinking =)  Overall, I really enjoyed all the talks I attended however, one stood out for me.  It was @iiamit talk about botnets over VOIP, it was incredible.  Other than that I took a few pictures while at defcon, to warn you I am not a photographer and don’t take pictures every step I take so I just have a few.  On Sunday evening I was at the LV airport waiting for my red-eye back to Boston, and I got word my flight was delayed an hour and a half.  I was pissed since I had to go straight back to work once my flight landed, I was hungover, tired, and probably smelled bad by the time I got to work on Monday.  I put in my eight hours drove home and went right to sleep for the whole night.  Next con on deck is DerbyCon for me and I am very excited about this new conference it looks awesome already =)

Thanks for reading, more posts will be coming soon..

peace..

-bl

Backtrack 5 ships with some very nice features, however I will be discussing Metasploit and PostgreSQL within this post.  Backtrack 5 ships with metasploit and postgresql out of the box, which means that postgres is already running within BT5.  One thing to note here is that you may need to install the postgres gem and specify the db_driver within msf.  I installed the gem using ruby version 1.8.7, I get errors installing the postgres gem using ruby version 1.9.2_dev.  There are some very nice how-to’s for this over at the BT5 forums. Update 6/1/2011 – MSF does not contain any postgres drivers if launched from ‘/pentest/exploits/framework3′ however, if launched from you path then drivers are available and postgresql is initialized and connected.  However, it is not running on the default 5432 tcp port, instead postgres is running on localhost:7175.  A quick ‘netstat -antp | grep 7175′ command will display if any service is running on a port.

But, if we try to stop the postgres service using /etc/init.d/postgresql-8.4 stop, we get no luck no service is running called postresql-8.4.  Hmm, lets display all services with the ‘service –status-all’ command.  We see the following, which indicates that the installation of postgresql is associated with msf by default within BT5.  As we can see this service is called ‘framework-postgres NICE =)

What does this mean, it means we know the service name so we can start and stop the service, stop auto-run at boot time, and we know that the installation of postgres is associated primarily with metasploit.  But hey, the postgres config files are not in there default location.  Well ok, letf find where they are.  Lets start with where metasploit is installed.  the ‘framework3 directory within the ‘/pentest/exploits/’ directory is a symbolic link to ‘/opt/framework3/msf3′.  Therefore, we look inside these directories and see a postgresql directory within the ‘/opt/framework3′ directory.  However if we start metasploit and try to connect to the database with user and password of ‘root:toor’  we get an authentication error.  So what is the user and password combo used?

After going through some of the directories within the ‘/opt/framework3′ directory, I find an interesting directory called config which has a file named ‘database.yml’ within it.  Let’s cat the contents of the file and see what it tells us.  As we can see from the screenshot below it tells us the username and password.  Nice info, however, instead of specifying the username and password everytime we connect to msf and want to use the postgresql database, we can use the ‘db_connect command with the database.yml file.

As we can see, we have a username of msf and a randomly generated password.  I am running a few different BT5 virtual machines and each one has a different password.  Nice.  Now to connect msf to the database we just use the db_connect command with the right syntax to use the yml file, with the absolute path to the file specified.

Now we are in business.  I figured I would do a little write-up on this since I have not seen a lot of documentation for this anywhere, hope you enjoy.  To be honest I am finding more and more very nice features the BT5 developers introduced.  Nice work.

To sum this all up I really wanted to try out my Alfa AWUS051NH usb card with the new BT5 distro. Injection worked flawlessly and I was able to crack my seclab WEP enabled WAP within a few minutes of injection. However, this was a 64bit WEP key, stronger encryption will take a bit longer and more IV’s to crack. Lets get this going.

The Setup:

BT5 KDE x32 – Virtual Machine
Alfa AWUS051NH USB card
Wireless Access Point running WEP

The Results:

Alfa AWUS051NH in monitor mode.

Start airodump-ng to see where my AP is.

Airodump-ng refined command specifying the BSSID and channel of my target AP.  (sorry guys) =)

Now to start the arp injection using aireplay-ng while airodump-ng is capturing only IV packets.

And now for what everyone has been waiting for =)  Cracking the WEP key, using aircrack-ng.

Easy as 1,2,3 =)  Glad my card works out of the box with BT5.  Hope you all enjoyed this brief post. Till the next time.

-bostonlink

Today May 10th 2011 was the release date of Backtrack 5.  As far as I can tell, it is the best backtrack release to date.  It is highly polished and a easy install.  In my personal and professional opinion this release is a game changer to the industry.  I know I am going to be busy for days exploring all the new tools and features of BT5.  I have also installed BT5 on my XOOM wifi with the BT5-GNOME-ARM edition release as well.  My initial thoughts are the ARM edition is not as polished as the x32 or x64 editions, however, we all knew that.  To be honest I don’t know how practical having BT5 installed on my XOOM is or will become however the coolness factor is there =)  I just couldn’t resist.

That being said, I would like to thank all of the backtrack developers for their hard and continuous work on backtrack.  I can truly say I am in love with this new release and will be testing it out within my lab environment at home and at client engagements while at work.  Thanks again and to the devs your hard work pays off, I hope you all feel appreciated.  Nice work guys.

Moto Xoom BT5 pictures:

Creating a lab environment gives the user an opportunity to explore new technologies, test configurations, test exploitation methods, create scripts, and more. This is why creating a lab environment is an imperative task. In this article I will go over building lab environments specific to penetration testing. However, any one could modify these lab guidelines and create their own specific lab environment. This article is not a definitive guide on how to setup a lab environment to suit everyone’s needs. Instead it is an overview of how to start a penetration testing lab environment.

A lab environment is necessary to learn specific penetration testing techniques that would be illegal if not given specific permission to test public facing systems. Thus, setting up a private environment of your own in which you can launch any attack, tool, exploit, and do whatever you like within the environment is essential to the learning process, plus it is a lot of fun. Another reason for a pentest lab is if you are tasked with a penetration test of a client, and are unfamiliar with an exploit that one of their systems may be vulnerable too, then you can setup a test system that mirrors the original client’s system configuration to the best of your knowledge to test and/or rewrite the exploit to make sure it acts as described. On another note, personally I like to re-write all exploits that are not directly ported within an exploit framework. This assures that the exploit does and performs exactly how I want it too; additionally it gives me peace of mind to know what the shellcode within the exploit does. However, this is out of the scope of this article.

The lab can be small or large but gives you the ability to run multiple operating systems, different configurations, and software to test. Virtualization makes an excellent lab environment and cuts down on the need of a lot of hardware. There are many virtualization solutions on the market today. However, in my opinion VMware products are the best. I may be biased since I started with VMware for this reason this article will be focused on using VMware technology since all of my labs are setup within VMware.

Depending on your setup at minimum you should have a dedicated box or if you don’t want to go the dedicated route the desktop or laptop running your lab should be able to at least run 2-3 virtual machines consecutively without degrading the performance of your system and making it inoperable. Within my lab environments, I have two dedicated servers each with 12GB of ram running Vmware esxi 3.5 and 4.0. However, you do not need a setup like this if you just want too setup a couple of virtual machines to get started with and test against. I do have a VMware workstation lab environment on my desktop as well with 8GB of ram. Additionally, since I travel a lot I installed 8GB or ram on my laptop so I can test against VM’s locally if needed while at a client site or in a hotel room.

That being said I suggest you start off with VMware workstation or server. Workstation is much more robust then VMware server, however it is not free like VMware server edition. It is up too you which virtualization platform you want too run. However, if you are a student VMware does offer educational discounts for VMware Workstation and Fusion (If you have a Mac).

VMware workstation and fusion also gives the user the ability to choose what kind of networking you want too enable on the host. There are three default options, bridged, NAT, and host only. Here are some high –level definitions of the three types of networking. (For more information read the VMware documentation)

Bridged Networking – Assigns the guest system a IP address within the Physical LAN that the host is on.

NAT – Uses Network address translation to assign the guest a NATed IP address which can reach your LAN and the internet through your hosts internet connection.

Host-only – will assign a IP address to the guest that is only accessible on the host system. Host-only basically sandboxes the network to your host, you will not be able to access the Internet or any resources on the LAN which the host is on.

This is good since it gives you many options for your host. However, I highly suggest sticking with host-only when running exploits or testing malware within your lab environment. This will restrict the exploits to a sandboxed network and the exploit or malware will not have the ability to access resources on your production LAN.

Another thing to consider is where to get iso images of operating systems you want too install to play with or test against. For Microsoft builds this can be costly. However, I suggest a technet professional subscription, it will allow you to download Microsoft operating system iso’s for development purposes. Additionally you will want a variety of vm’s setup to test different exploits and tools against. At the least setup the following victim machines within you lab environment:

Windows XP SP2
Windows XP SP3
Windows Vista
Windows 7
Windows Server 2003
Windows Server 2008
Server 2008 R2
Several Linux flavors I like Ubuntu and CentOS
PFsense or Monowall Firewall (Optional)
BT4 and Soon BT5 (Attacker)

This will give you many targets within your environment, which you can test against. As well as, an attacking box, I love backtrack, and the guys who make the backtrack linux distribution possible do a phenomenal job. Backtrack is my preferred attacking box within my lab and while conducting a real-life penetration tests. It is highly recommended since it has the majority of the tools you will need to learn and get to know intimately pre-installed.

To add, once you have all of your test victim machines setup. I highly suggest you store them and make clones and snapshots of the systems this will enable you to revert the systems if they get hosed or corrupt. Clones also come in handy when having to install new vulnerable software on the system. Clones enable you to just clone an existing virtual machine instead of having to install an OS from scratch thus saving precious time.

Overall, having a virtual lab environment for testing purposes can go a long way, as well as, allow you to learn many tasks and methods that you may not have used before. Within your lab environment you are only limited by your mind. I hope you enjoyed my high-level overview of setting up a basic lab environment, and the main idea is to learn and have fun while learning new technology and testing methodologies. I hope you learned how important having a virtual lab environment could be professionally and personally you can learn so much and actually see how many types of technology and operating systems work and how they are different. Therefore, have fun, setup a nice lab and I hoped this article will help you out. Till next time =)

-bostonlink

Information within today’s society is a very interesting topic for discussion.  Add on security and we will have an all out debate.  Overall, information rules our society, everything runs off of some form of information in one way or another.  This is why information is power.  For example let’s say company xyz.com was breached and proprietary information was obtained by the attackers.  Well not so good for xyz.com but lets analyze the motivations of such attacks.  The majority of the time the motivation behind such attacks are to gain information which will lead to financial gain for the attackers.  There are many breaches every year, however the exact numbers are out of scope and not what this article is intended to be about.  Information is a priceless commodity which in the wrong hands can bring down an entire company, cost the company lots of money, ruin reputations, and feed the attackers to breach more companies.  Knowing this sheds light on how much power information has within our society.

What is information?  Information is just about everywhere to name a few, data, databases, webpages, intellectual property, credit card numbers, identities, social security numbers, drivers license numbers, addresses, etc.  I believe there is a need to protect sensitive and confidential information.  This boils down to how to classify information with categories such as Top Secret, Classified, and Public to name a few classifications.  If information is not classified by the nature of the information then how would we know what to secure and what information to make public?  Therefore, information classification should be one layer within a multi-layered information security program.

As a pentester I get a thrill out of trying to circumvent security layers and gain unauthorized access to a box who doesn’t.  However, the main reason behind a pentest is to identify vulnerabilities and use the vulnerabilities to successfully breach a organizations system and report the risk to the organization of the specific vulnerabilities and exploits discovered.  Well to truly report the risk of a vulnerability to an organization the tester needs to analyze what can be done once he has successfully exploited a system.  This is called post-exploitation.  Is it enough that I got a shell on a box during a pentest?  No, a full scale penetration test should include post-exploitation tasks too see what information can be gained from the attack.  Yes it is helpful to let the organization know if a server is vulnerable to a remote code execution vulnerability or a SQL injection attack.  However, it would be more valuable to the organization if the tester was able to identify and gain access to sensitive information within the institution.  There are numerous security researchers who actively research post exploitation and methods to achieve different types of information from a system or network.  Metasploit started to port post-exploitation scripts into actual modules.  As well as Carlos Perez, who has done some awesome research and crafted some excellent scripts for post-exploitation work.

To sum this all up, information is key to any profession within the security industry.  My opinion is not new, I just felt compelled to write a brief blog stating my opinion.  Overall, my motivation behind this article was seeing many client pentest reports that companies gave them automatically generated scan reports and nothing else.  This is not good for the simple fact that it does not indicate a proper penetration test was conducted for the client.  For a great description of what penetration testing should include for an organization I highly recommend heading over to PTES (Penetration Testing Execution Standard).

OK,

I was tired of listing the directory manually everytime I wanted to use a nmap nse scrip on my mac. Therefore, I wrote this simple script to either display all nmap nse script or search for a string and list the relevant scripts. Call me lazy but I am all about saving time and increasing efficiency. I also love the challenge =)

Note: same path in a Ubuntu Linux environment

you can use wget to download the script http://pentest-labs.org/downloads/nse_search.py

I know it has been a while but what can I say I have been busy =)

Anyway, I scripted a quick link puller script that parses a website source code and prints all links within the code to the terminal. I found it useful so I thought I would share it with you all. I know there are some other programs out there that probably do the same thing, but hey I like the challenge of thinking through the scripting process and miking my scripts work. Hope you all enjoy.

ex: ./link_puller.py http://pentest-labs.org

Script: