http://www.secuobs.com Observatoire de la securite Internet fr webmaster@secuobs.com 2009-07-19 11:48:01 - InfoSanity : InfoSanity's blog has a new home, infosanitywordpresscom Over the coming weeks I'll be tweaking the layout and updating older links, in the meantime, I'd suggest updating any RSS feeds If anything doesn't work, or dis like the any aspect of the new site let me know -- Andrew Waite IMAGE http://www.secuobs.com/revue/news/122275.shtmlhttp://www.secuobs.com/revue/news/122275.shtml Secuobs.com : 2009-07-14 22:50:20 - InfoSanity - This review of June's event is more than a little late, but it was still a great event The format was different this time around, with an open podium This produced some interesting and unexpected topics, the first being an introduction into the world of geocaching from Alastair McDonald Alastair's talk caught me unawares as I was expecting a technical overview of maintaining geographically dispersed content and services for load-balancing and DR Instead I was introduced to a world of following GPS co-ordinates to find hidden caches of goodies, in the real-world Whilst the concept of geocaching was new to me, once aware of it's presence it appears to be a very popular hobby, Twitter seems to be full of people all over the globe discussing success or failure of searching for various cachesI'm failing to fully do justice to Alastair's presentation and geocaching as whole, so I'd advice watching the footage yourself along with the rest of the talks Second up, was the Ecommerce Experiment The team are setting up an ecommerce site in an unfamiliar market over the next three years, and are blogging and tweeting all there experiences, positive and negative, throughout the entire process Their presentation was interesting enough, but I've been following their posts since and the material is always interesting and shows a side of online commerce normally kept behind closed doors Third was Mike Parker with a demo of Drupal, with the goal of 'work less, surf more' Web site creation isn't exactly my forte check wwwinfosanitycouk if you don't believe me , but Drupal seems to be a very powerful framework, with plenty of real-world application Finally Ryan ethicalhack3r , discussed the latest release of DVWA I won't go into too much detail, as I've already reviewed DVWA previously If your interested in this area of research, check the archive footage of Ryan's talk Whilst the presentations were all good, but as usual the real value of SuperMondays is the networking opportunity and the discussions before and after Which begs the question, if you've not been to the event why not Next meeting is July 27th, and the topic is still up for debate, so get involved -- Andrew Waite IMAGE http://www.secuobs.com/revue/news/120584.shtmlhttp://www.secuobs.com/revue/news/120584.shtml Secuobs.com : 2009-07-14 22:50:20 - InfoSanity - Zero Wine is an open source GPL v2 research project to dynamically analyze the behavior of malware Zero wine just runs the malware using WINE in a safe virtual sandbox in an isolated environment collecting information about the APIs called by the program The output generated by wine using the debug environment variable WINEDEBUG are the API calls used by the malware and the values used by it, of course With this information, analyzing malware's behavior turns out to be very easy Install was fairly simple as ZeroWine is distributed as a Qemu virtual image Qemu, is downloaded here, and ZeroWine here To start the ZeroWine image I use the command change filepaths to suit your install qemuexe c zerowine_vm zerowineimg -no-kqemu -L -redir tcp 8000 8000 Once running you can access the service by pointing a browser to localhost 8000 the '-redir tcp 8000 8000' parameter redirects the ZeroWine image's port to your local system This provides a simple web interface to upload and analyse your malware sample For a test run I uploaded the most recent sample collected by my Nepenthes honeypot, MD5 hash 3c9563dacd9afe8f2dbbe86d5d0d4c5e The report generated shows the results of ZeroWines analysis, example below The first section shows the behavioural analysis of the malware, this should be the most useful aspect of the ZeroWine framework However as the ZeroWine page itself states, the output is 'very long and, as so, hard to understand' and is unable to distinguish between system calls made by the malware and the underlying analysis framework As a result I personally find the information provided by the report less useful than it could be There are definitely better sources for generating automated analysis of malware samples, for example VirusTotal or CWSandbox However, depending on how the malware sample was obtained legal or business requirements may prevent you from releasing the sample to a third party, and not all provided services can provide the immediate response of a local system meaning ZeroWine can still be a valid and useful tool in your arsenal Taking the concept forward, Jim Clausing recently released an excellent paper on setting up an automated malware environment with open source tools I haven't had a chance to try out any of Jim's suggestions, but have read the paper and listened to the related podcast and the recommendations are definitely on my todo list to improve my malware analysis toolkit -- Andrew Waite IMAGE http://www.secuobs.com/revue/news/120583.shtmlhttp://www.secuobs.com/revue/news/120583.shtml Secuobs.com : 2009-07-11 19:55:45 - InfoSanity - Utility script in a similar vein to submissions2csvpy, the script reads Nepenthes' logged_submissions file from stdin and dumps the information into a MySQL database table Initially this serves the same purpose as it's CSV counterpart, importing the date into system with powerful search and filter functionality However this may be useful if wanting to work with the data in more complex tools as SQL databases form powerful backends and can be manipulated easily with almost programming language again, apologises for formatting I'm working on a resource repository for code and tools, hopefully available soon UPDATE Code available from InfoSanity usr bin python import sys import MySQLdb Reads Nepenthes logged_submissions file and inserts data to mysql table connect to database db MySQLdbconnect host localhost , user neplog , passwd neplog123 , db nepenthes create cursor cursor dbcursor read from stdin while 1 line sysstdinreadline if not line break logData linesplit ' ' timestamp logData 0 strip ' ' date timestampsplit 'T' 0 time timestampsplit 'T' 1 sourceIP logData 1 sourceMalware logData 4 malwareMD5 logData 5 Insert row cursorexecute insert into submissions values pourcentss , pourcentss , pourcentss , pourcentss , pourcentss pourcents date, time, sourceIP, sourceMalware, malwareMD5 Database creation I'm sure this can be improved, but it works CREATE TABLE submissions logdate date default NULL, logtime time default NULL, ip char 15 default NULL, url varchar 64 default NULL, MD5 char 32 default NULL Andrew Waite IMAGE http://www.secuobs.com/revue/news/119341.shtmlhttp://www.secuobs.com/revue/news/119341.shtml Secuobs.com : 2009-07-11 19:55:45 - InfoSanity - Several months ago I was involved in a discussion focusing on steps taken to secure information systems, and came to the realisation that all the counter measures and protections where netework and system based As a joke I asked what was the point if someone could pick the building locks and walk out with the hard drives Surprisingly to me, everyone stop talking and looked slightly concerned Since then I've been toying with the same question What is the point of firewalls, IDS, patches etc if the data isn't physically protected After doing some research I decided to put the theory to the test and find out how effective common physical security actually is My first set of tools and training material arrived today, a set of 20 lockpicks and tension tools, a beginners instruction guide and a see through lock for practice from Southord The delivery impressed me for speed, at point of purchase Southord stated a three to five week delivery time to Europe, in practice delivery was less than a week thank you Southord and Dale Pearson for recommending the set Whilst waiting I have been researching the topic quite heavily and have found the forums at lockpicking 101 to be invaluable and need to say thank you to those who have freely contributed information Hopefully I'll be able to contribute back to the community once I gain some ability and knowledge It's going to take a lot of practice and persistance before I'm anywhere close to proficient, but ask yourself the same question Why spend thousands on information security if the physical protection isn't up to the job Andrew Waite IMAGE http://www.secuobs.com/revue/news/119340.shtmlhttp://www.secuobs.com/revue/news/119340.shtml Secuobs.com : 2009-07-10 18:59:41 - InfoSanity - Ryan Dewhurst of ethicalhack3rcouk has created and been maintainingDamn Vulnerable Web App DVWA The goal of the project is to aidlearning and teaching of the art of web application securityRyan provided an overview and demo of the suite at a recentSuperMondays open podium event, you can find an archive of thepresentation hereI've been looking at DVWA current version is 104 and it is showingpromise, especially as web application security is one of my weakerskill sets having limited experience in this field DVWA currentlyfocuses on six different attack vectors:* Brute-force* Command Execution* File Inclusion* SQL Injection* File Upload* Cross Site Scripting XSSEach section provides help to exploit the target vulnerability, aswell as providing access to the source code for white box review toaid full understanding of how the vulnerability exists and how it canbe protected against Each example attack vector also has the optionof setting variable levels of implemented security, providingincreasingly advanced attack vectorsDVWA provides a solid basis for investigating and studying webapplication security issues, as well as a multitude of great links forfurther reading For those of you with skill, or those that learnquickly there currently are vulnerabilities in even the high-securitylevel versions of the code, but I'll leave finding this as an excisefor the readerNice work Ryan, keep it up-- Andrew WaiteIMAGEhttp://www.secuobs.com/revue/news/118939.shtmlhttp://www.secuobs.com/revue/news/118939.shtml Secuobs.com : 2009-07-09 00:53:07 - InfoSanity - Looks like Milw0rm is calling it a night Haven' t been able to get anyofficial word as the site is unavailable As the site is nowunavailable it's hard to tell what happened, but an ISC diary has thismessage from the site:Well, this is my goodbye header for milw0rm I wish I had the timeI did in the past to post exploits, I just don't : For the past3 months I have actually done a pretty crappy job of gettingpeoples work out fast enough to be proud of, 0 to 72 hours takingoff weekends isn't fair to the authors on this site I appreciateand thank everyone for their support in the pastBe safe, /str0keAlways a shame when a big player in the infosec community closes it'sdoors My thanks to all those how contributed and ran the site when itwas a going concern; and if anyone has a recent mirror, I'd appreciatea copy, mines a little dated :'-- Andrew WaiteIMAGEhttp://www.secuobs.com/revue/news/118260.shtmlhttp://www.secuobs.com/revue/news/118260.shtml Secuobs.com : 2009-07-05 20:11:26 - InfoSanity - I've spent the day adding some additional functionality to my GPS mappingproof of concept original hereThe second release, kismet2gmapstatic-0_2py, changes the scriptsoutput to wrap the Google maps API call in a self contained HTML page,and contains multiple map images to mitigate the URL length limitThe third release, kismet2gmapstatic-0_3py, builds on the HTMLframework and includes additional information on each mapped accesspoint: SSID, channel and available encryption options This willlikely be the final release of kismet2gmapstatic in this form, thecode has grown organically without any real planning and as a resultis a hideous mess, but as a PoC I feel it has served it's purpose Istill have several ideas and additional functionality that I wouldlike to implement, so watch this space for similar tools in thefuture-- Andrew WaiteIMAGEhttp://www.secuobs.com/revue/news/117027.shtmlhttp://www.secuobs.com/revue/news/117027.shtml Secuobs.com : 2009-07-02 23:19:04 - InfoSanity - Recently added to my wireless toolkit is a USB GPS reciever After a fairamount of research and some advice from more experience guys I endedup with the Globalsat BU-353 device below:If you can't make it out, that is a British 10p for size comparisonUnsurprisingly given some of my previous posts, the initial use of theGPS device is to increase the power and data gathering ability of mywar-driving rig for wireless security assessments Therefore I was alittle disappointed when I struggled to got the device working out ofthe box with gpsd, which is pretty much the de-fact0 standard in gpssoftwareAfter much hair-pulling, command-typing and Google-searching I found aseries of articles and forum posts stating that the BU-353 works finewith gpsd-237 sorry, can't find links, but thanks to all those whoput the information out there A quick download and compile later andeverything was goodI don't have prior experience with GPS devices for comparison, butI've got no regrets with the purchase The accuracy seems veryimpressive, and the data logging ability when coupled with wirelesssensors is equally soI'm still looking into the best ways to capitalise on thefunctionality and data from the GPS unit, my first attempt atharnessing the data set was released yesterday, a PoC release ofkismet2gmapstatic Potential ideas in the pipeline include improvingon kismet2gmapstatic to produce interactive javascript maps, againwith the Google Maps API, or go the whole hog and output *kml filesfor importing to Google Earth Alternatively I'm considering readingthe GPS data directly on a walking site survey, focusing on a singleESSID to map the strength and coverage of a particluar wirelessnetwork Either way, hopefully be more to come in the future--Andrew WaiteIMAGEhttp://www.secuobs.com/revue/news/116502.shtmlhttp://www.secuobs.com/revue/news/116502.shtml Secuobs.com : 2009-07-02 14:20:58 - InfoSanity - I've just taken delivery of, and started to experiment with, my newwireless equipment consisting of an Alfa AWUS036H and some additionalantennas My primary official motive for purchasing new hardware wasthat my primary incident response laptop only has 80211b internal socan't connect to newer networks and I've just upgraded my homenetwork to a 80211g only access pointUnofficial reason is that I have never owned a wireless device capableof packet injection and other advanced wireless penetrationtechniques In this regard the Alfa comes very highly recommended,both from Aircrack's own documentation wiki and from security guys inthe field In my testing so far the Alfa has performed admirably onall accountsIn addition to the Alfa I acquired an additional antenna with magneticmount, perfect for many tasks including mounting to the roof of amoving vehicle for a bit of data gathering Despite being a life-longgeek, I was still amazed by the concentration of wireless networkdevices available In my first test I left my equipment running whilstI made the short commute from work to back home, during this trip Icollected details of 1100+ access points and 250+ active clientsFrom these straw poll statistics the level of security implemented wasconcerning although not completely surprising* 200+ of the access points were running with no encryption at all,whilst this is mitigated by the fact many appear to be going fromessid publicly provided networks designed for guest use forexample BTOpenZone many also appear to be for home use or merelydevices in their default setting* 300+ of the APs were running with the provenly insecure WEP* The remaining 600+ access points were configured to use acombination of the more secure WPA and WPA2 frameworks, althoughless than 80 of these devices were configured to use the morerecent and secure WPA2Best feature of my new equipment New possibilities and ideas So farmy head is buzzing with new possibilities so watch this space At aminimum I want to add a GPS reciever to my wireless arsenal; currentlylooking at the TripNav TN200 which was suggested by Antonio Merola inhis SANS reading room paper Wi-Fi with Backrack The device seems toget good reviews everywhere I've found, but the paper is slightlydated 2007, if anyone has any suggestions for better hardware let meknowAndrew WaiteIMAGEhttp://www.secuobs.com/revue/news/116293.shtmlhttp://www.secuobs.com/revue/news/116293.shtml Secuobs.com : 2009-07-02 14:20:58 - InfoSanity - If you've got an interest in information security, then there is a goodchance that you've got a good handle on malware in all it'singlorious forms The books, articles and war stories are nice,interesting and can result in some improved knowledge but to get areal feel for malware nothing beats live samples Best way to get livesamples Get infected To manage this without bringing your networkand organisation to it's knees best practice is a honeypot, in one ormore of it's various formsFor exactly this purpose I've been running the Nepenthes applicationfor around 10 months Nepenthes is a low interaction honeypot whichemulates several known vulnerabilities across multiple services in anattempt to capture live malware samples as it is 'exploited' TheNepenthes services advertise known vulnerabilities, emulate serviceinteraction to the point of exploit and final store theshellcode/binary provided by the malicious systemIf my honeypot system is any indication, these systems will and do getpounded heavily from prospective intruders, over the lifetime of myhoneypot systm I have collected in excess of 850 unique malwaresamples In fact when the system was first installed it captured it'sfirst malicious binary within 30 minutes of gaining a live networkconnection in this case an IRC botNepenthes has the ability to automate a fair chunk of the analysisprocess by automatically submitting any collected binaries to one ofseveral sandboxes for example the Norman Sandbox This can provideanalysts with an immediate indication as to the type of malware beingdealt with, and perhaps most significantly prevent analysts fromutilising resources analysing essentially the same binary/malware Oneword of caution however is that the submit process does not alwayswork 100% this hasn't been investigated in too much detail, could beNepenthes, could be the sandboxes not accepting/reviewing the file,could be the winds of fate As with many things, your mileage mayvaryAs an example of the interactions and logging processed by Nepenthes,below is a log snippet of a malware sample that has just literally'exploited' my honeypot NB IPs edited to protect the guilty:12042009 16:36:51 warn module Unknown NETDDE exploit 76 bytes State112042009 16:36:51 warn module Unknown SMBName exploit 0 bytes State112042009 16:36:51 info handler dia Unknown DCOM request, dropping12042009 16:36:57 info sc handler i = 1 map_items 2 , map = port12042009 16:36:57 info sc handler bindfiletransfer::amberg - 998812042009 16:36:57 info sc handler bindfiletransfer::amberg -wxyz:998812042009 16:36:57 info down mgr Handler creceive download handlerwill download creceive://wxyz:9988/012042009 16:37:12 info mgr submit File9604e9c99768c5cd2deb108935356196 has type MS-DOS executable PE for MSWindows GUI Intel 80386 32-bitVirusTotal analysis of this file MD5 hash:9604e9c99768c5cd2deb108935356196 indicates it is a member of the Rbotfamily of malware When working with and investigating the malwarecollected by Nepenthes I have found the VirusTotal Hash Search featureto be particularly useful as it allows analysts the ability to searchVirusTotal's extensive database to gain analysis of the file inquestion purely from the binary's hash value This means that youdon't need to transfer the binary itself between systems to upload tothe VirusTotal for actual analysis, removing the potential for anunintended double-click causing havok on a network And if VirusTotalhasn't seen the file in question you may have something new andexciting to analyse yourself or an old polymorphic binaryThe downside of using a low interaction honeypot like Nepenthes isthat you are not going to be collecting on the bleeding edge As theprocess suggests, as Nepenthes emulates known vulnerabilities, thevulnerabilities in question need to be known and coded into Nepenthesbefore it will collect any malware exploit the vulnerability Forinstance, dispite all the recent hype and media attention thishoneypot system as not captured any sample of Conficker/DownAdUpHowever, as most new malware will still utilise old vulnerabilities toincrease potential targets this isn't a major limiration Confickerwas somewhat unique in that it originally limited itself to thems08-067 vulnerability, before expanding it's repertoire withsubsequent variantsHoneypots of any variety also provide a good return on investmenteven in environments where the analysis of malware isn't a primary oreven secondary concern As the honeypot server has no legitimateservices then the only traffic targetted at the honeypot should bemalicious Placed externally, this can provide an early warning systemfor attacks that eventually target legitimate systems and can givesystem administrations a better indication of the types and frequencyof attacks that will be directed at live services Placed internallythey can help identify any internal infections, as compromised systemssweep the internal networks for other vulnerable hosts and trigger thehoneypot These logs can also help identify the root cause of anyinfectiona and potentially the initial infection vectorUltimately honeyput systems of all varieties have a myriad ofbeneficial uses There is an enormous wealth of high qualityinformation available from the various honey pot organisations, forexample Shadowserver, the Honeynet Project and CarnivoreIT home ofNepenthesAndrew Waite'If you know your enemy and know yourself, you need not fear theresult of a hundred battles' - Sun TzuIMAGEhttp://www.secuobs.com/revue/news/116292.shtmlhttp://www.secuobs.com/revue/news/116292.shtml Secuobs.com : 2009-07-02 14:20:58 - InfoSanity - A couple of SANs ISC diaries "Recent VMware updates available" and"VMware exploits - just how bad is it" should be a concern foranyone running a VMware lab or VMware production environment TheISC diaries explain the situation better than I could, but to cut along story short the exploits allow a malicious user/payload to escapethe guest system and gain direct access to the hostLooks like I know what I'll be doing after work tonight I'll try todocument the update process as I go, watch this spaceAndrew WaiteIMAGEhttp://www.secuobs.com/revue/news/116291.shtmlhttp://www.secuobs.com/revue/news/116291.shtml Secuobs.com : 2009-07-02 14:20:58 - InfoSanity - We've just completed the initial build for a new standalone IDS sensorrunning Snort Having had previous experience ~15 years previously,manual source compile I was amazed with the ease and speed with whichthe system was built, configured and operationalI'll spare most of the details as installation requirements will varyfrom environment to environment, but the basic steps are below:* Installed OS, latest Debian build via net install* #apt-get install mysql-server* Added blank database and associated user for use later* #apt-get install snort-mysql* Debian Snort package with support for MySQL database back-end,which is required for the Acid/Base web front end* #apt-get install acidbase* Debian package for the Acid/Base web front endEach stage required some additional configuration steps but all wereintuitive, or solvable with a couple of minutes Google-Fu Only realand still minor stumbling block was the Base front end initiallycomplaining about the ADODB modules, as one of the Apt steps statedthat this file had moved and would need fixing in the configuration wespent some time trying to locate the location within our installationOnly to find that all prerequisites weren't met with the packageinstalls, a quick #apt-get install php5-mysql rapidly fixed the issueand all was good with the world againOnly task still on the To-Do list is to install the Debian Oinkmasterpackage to ease Snort rule updates and allowing finer grain controlover the process The sensor is now fully functional but still in needof some tuning to reduce the noise ratio of alertsA useful addition to the security toolbox in less than a few hours,not bad for an afternoon's work-- Andrew Waite-- Andy RigbyIMAGEhttp://www.secuobs.com/revue/news/116290.shtmlhttp://www.secuobs.com/revue/news/116290.shtml Secuobs.com : 2009-07-02 14:20:58 - InfoSanity - As promised when the postman delivered the Alfa equipment, I've done someinitial analysis of my first wireless capture The data being analysedwas collected during the evening commute back home, a trip thatincludes urban, sub-urban and rural areas so should be goodrepresentative sample groupSecurityThe previous wireless post has already touched on the security aspectof the found access points The chart below shows the breakdownbetween the the various security implementations The WPA+ categoryincludes WPA, WPA2 and WPA2WPA columns as categorised by airodump-ngDue to the known insecurities within WEP, almost half of theencountered access points do not have any reliable security in placeto protect the attached network and users of their networksDefault ConfigurationsMost, potentially all wireless access points have the ability to beconfigured in a secure manner However, a large percentage home andsmall office users are not aware of the security implications ofwireless equipment or other computer technology As a result thedefault factory settings that a wireless device is shipped with oftenprovides the baseline security configuration The below diagram showsthat over 50% of the encountered access points were running in adefault state either provider or manufacturer settings nbassumption is based solely on essidThe issue is shown by the split of the BT Home Hub devices, BT are oneof the major telecommunications providers within the UK The initialHome Hub with default ESSID of BTHomeHub-#### are, in this data set,exclusively protected by WEP In contrast the majority of newerversions of the same device ESSID: BTHomeHub2-#### operate with theWPA/WPA2 protocols Another large UK telecoms player, SKY appears totake security of their provided devices seriously all encounteredaccess points configured with SKY's default ESSID SKY##### almostexclusively employ WPA The chart below shows the provider breakdownof the encountered access points obviously we are unable to determinethe provider of access points with a custom ESSID, with the dominanceof BT and Sky in this area the default configuration of their devicescould be crucial for a large number of home usersCustom ESSIDsWhilst some default configurations are insecure, some modifiedconfigurations may inadvertently provide additional information topotential attackers One advantage behind default configurations isthat it can be difficult to determine the location or physicalconnections of any given access point, however the ESSID can provide agood probability of determining the physical connections Numerousaccess points within the data have ESSIDs set to an address orindividuals name, this is potentially unavoidable for businessesWhilst security through obscurity can never replace solid security,some obscurity and misdirection can reduce risk and volume ofcompromise attempts As a prime example, this data set includes anaccess point related assuming ESSID is relevant of a local branch ofa national bank, more worryingly the access point appears to berunning WEPA large volume of modified ESSIDs are given 'humorous' values orreferences to pop-culture Some network names may bereferences/retorts from the network owners in response findingunauthorised users on the network, Dont-steal-our-network andwe-know-who-u-are-thief Both these networks run WPA2, potentiallylearning the security message the hardwareThe last network name that caught attention may be an attempt atoffensive security, the ESSID reboot may potentially be an attempt totrip up malicious users parsing available networks through poorlyconsidered shell scriptSummaryWithin the dataset analysed the findings show that wirelessinfrastructure is becoming widespread Further to this, the volume ofdefault and insecure configurations may indicate that the usage andsecurity implications of wireless connectivity may not be wellunderstood within the general population The growing trend ofwireless enabled devices to be shipped with secure defaultconfigurations is a positive move within this field-- Andrew WaiteIMAGEhttp://www.secuobs.com/revue/news/116289.shtmlhttp://www.secuobs.com/revue/news/116289.shtml Secuobs.com : 2009-07-02 14:20:58 - InfoSanity - 'WEP is insecure and breakable' - No surprise here, everyone knows thisis the case But there can be a large difference between knowingsomething is theoretically possible and seeing the security provisionsfall over merely by being looked at Recent InfoSanity research hasshown WEP is still found on 30% of real-world access points Thismeans that WEP security is still a valuable skill for anyone workingwithin information securityOne of the best sources for wireless security information is theAircrack Project site currently unavailable, Google cache can be ofassistance for the impatient The tutorial section of the sitecontains many great walkthroughs and guides to all aspects of wirelesssecurity I'm not going to attempt create an all encompassing guide toWEP security, but merely to provide a real-world example ofcompromising WEPFirst phase of any wireless compromise is to locate and identify thetarget network, this could be achieved with any number of tools,personally I activate airodump-ng from the aircrack suite with minimalparameters bt ~ # airodump-ng wlan0 From the target network collectthe station MAC address BSSID, network name ESSID and operatingchannelWhilst not a necessity, testing the ability of your equipment toinject packets into the target network can prevent wasting time andresources with an unsuccessful compromise attempt The ability toinject packets will have a large impact on the ability to compromise aWEP key and the time required to make the compromise Again theAircrack suite has good tools for the job, this time in the form ofaireplay In my case the required command was:bt ~ # aireplay-ng --test -b 00:0F:B5:DC:DE:B7 -e mist wlan0where -b and -e parameters are the targets BSSID and ESSIDrespectively The output will show if packet injection is possible,and the reliability of that injection The Aircrack documentationstates that injection rate should be at or near to 100% Whilst thisis beneficial, I have successfully completed an engagement withinjection as low as 15%Next step is set up a packet sniffer, airodump does the job nicelyAdding some additional parameters -c # to fix the capture to thetargets operating channel will increase success rate and reducecapture times as your card doesn't lose packets whilst channel hoppingacross the wireless spectrum Again, in my case I used:bt ~ # airodump-ng -c 13 --bssid 00:0F:B5:DC:DE:B7 -w WEP-examplewlan0-w filename, specifies the file to write captured traffic toBefore injection packets, the injecting interface needs to associatewith the target base station Aireplay-ng to the rescue again:bt ~ # aireplay-ng --fakeauth 0 -a 00:0F:B5:DC:DE:B7 wlan0Aireplay-ng also provides a function for implementing an ARP injectionattack:bt ~ # aireplay-ng --arpreplay -b 00:0F:B5:DC:DE:B7 wlan0This is where the packet injection ratio determined by the --testfunction comes into play, the Alfa card with RealTek 8187 chip in useduring this engagement generally injects packets at a rate of 500packets per second, in this scenario the test function report 92%success, airodump-ng reported capturing approx 490 packets per secondFinal stage is to actually crack the collected packets, Aircrackdocumentation suggests collecting 250,000 IV packets to ensurecompromise In this case I collected 100,000 packets and the key wascracked in under a second, in previous engagements I have successfullygained the encryption key with as few as 10,000 collected packets:bt ~ # aircrack-ng WEP-example-01capIn this case overall engagement required less than 15 minutes fromfinding network point to obtaining network key From here it's trivialto get a machine connected to the wireless network, in many cases thisprovides direct access to the soft and fluffy internal network, andfrom there World target network is your oyster-- Andrew WaiteIMAGEhttp://www.secuobs.com/revue/news/116288.shtmlhttp://www.secuobs.com/revue/news/116288.shtml Secuobs.com : 2009-07-02 14:20:58 - InfoSanity - I don't normal bother with analysing spam, however two received yesterdaycaught my attention Mostly they were noticeable as they avoided myusually bulletproof filtersBoth spam emails are similar in subject, content, and sending optionsSender address was spoofed surprise, surprise in this case Isupposedly sent the email myself, from the same account as thedestination This is a technique that I've started seeing morefrequently, I'm assuming that this is to bypass senderwhite/black-listsContent is a single line, ultimately linking to a 'medication' salessite hxxp://plfctqvlamwipvoqencn/ and hxxp://sbuihgukceyiqcn/Standard Disclaimer: Links may be nasty, don't blame me if they donasty things to your machines Fortunately, or unfortunatelydepending on your point of view, Wepawet analysis states the sites arebenign so no interesting samples for further analysisAs expected both URLs are linked, being hosted on the same 3 IPaddresses: 5817344, 58201405 and 220248167126 samedisclaimer as above Whois records show that the IP addresses belongto separate organisations, but ultimately all IP addresses areallocated by "China Unicom Hunan provincial network", AS9929Nothing groundbreaking in any of this, just a slightly interestingway to kill 30 minutes on a sleepy Sunday afternoon-- Andrew WaiteUpdate 2009/04/28: Spam run is still continuing and still makingit's way through filters, but it appears to be changing tact,unsurprisingly, to take advantage of recent Swine flu concerns Lastemail body "Swine flu coming We know how to protect you from ithxxp://osdnshencedixcn/" Usual warning and disclaimers applyUpdate 2 2009/04/29: Looks like a wide spread spam run, Malware Cityhave just posted some analysis on the same emailsUpdate 3 2009/04/29: Great write-up by Dancho Danchev on his blogmore domains than I've seen personally Also include a nice diagramof the DNS/server infrastructure in use, nice work DanchoIMAGEhttp://www.secuobs.com/revue/news/116287.shtmlhttp://www.secuobs.com/revue/news/116287.shtml Secuobs.com : 2009-07-02 14:20:58 - InfoSanity - Whenever I'm analysing large amounts of data I prefer to start theanalysis within a spreadsheet as I find the built in capabilitiesinvaluable for some quick and dirty data diving This typically allowsfor a good overall understanding of the data set and availablestatistics without spending time coding before the required statisticsare fully understood A prime example of this was the data I analysedfrom wireless connections In this scenario the existing tools arevery helpful, airodump-ng's standard output format is csv, makingimporting the captured data to a spreadsheet straight forwardUnfortunately, the same ease of data transfer is not available whenworking with the logs generated by Nepenthes To aid this I've coded asmall python script to read the logged_submissions log file and outputthe interesting data in csv format Admittedly the script is nothingspecial and can likely be improved on as my coding skills are a bitrusty, but this may be useful to others, or provide a starting pointin similar situationsnb apologises for the rendering, I'm working on it In meantimecutetpaste is the quick and dirty way to view all codeUPDATE: Code downloadable from InfoSanity#/usr/bin/pythonimport sys## Reads Nepenthes logged_submissions file and outputs data as comma-seperated value## Typical usage:# cat logged_submissions | submissions2csvpy outputfilecsv## Author: Andrew Waite aka RoleReversal# http://wwwinfosanitycouk##write 'headers to stdout'sysstdoutwrite"Date,Time,Source IP Address,Malware Source,Malware MD5"#read from stdinwhile 1:line = sysstdinreadlineif not line:breaklogData = linesplit' ';timestamp = logData0strip''date = timestampsplit'T'0time = timestampsplit'T'1sourceIP = logData1sourceMalware = logData4malwareMD5 = logData5out = "%s,%s,%s,%s,%s" %date, time, sourceIP, sourceMalware, malwareMD5sysstdoutwriteoutHopefully some will find this useful More nepenthes statistics tocome-- Andrew WaitePS thanks to Pythoncom and O'Reilly for providing good on-linereferences used in the coding of this toolIMAGEhttp://www.secuobs.com/revue/news/116286.shtmlhttp://www.secuobs.com/revue/news/116286.shtml Secuobs.com : 2009-07-02 14:20:58 - InfoSanity - Several days of playing working with the raw data and a couple ofintermediate scripts csv et mysql have paid off I'm now ready torelease the first version of Infosanity's Nepenthes log parserThis utility is substantially larger than my previous two releasesalthough still small so I'll not include source code here, head toInfosanity for the submissions2statspy file Usage is fairly simple,read logged_submissions file into stdin and let the script do it'sjobStatistics are quite general at this stage, mainly compiling overallstatistics from the log file including:* Total number of submissions* Number of unique malware samples based on MD5 hashes* Number of unique source IPs* Run time* Average daily submissions* Five most recent submissionsBy default the script outputs plaintext to standard out, but this canbe changed to HTML via the --output=html commandline flagsI'm going to hold back releasing any example output from my ownservers as I wanted to generate the statistics for use in an upcomingpresentation I'm giving for local group Super Mondays If you're freeand in the area Newcastle, UK on May 26th please stop by for theevent and to say hiIf you're running a Nepenthes server I'd appreciate any feedback orissues running the script I'm still looking to flesh the system'scapabilities out, so any suggestions/requests for additional featuresor statistics would be appreciatedcontactno-spamatinfosanitydotcodotuk --Andrew WaiteNB The latest versions of all Infosanity tools related to statisticgeneration for Nepenthes can be found hereIMAGEhttp://www.secuobs.com/revue/news/116285.shtmlhttp://www.secuobs.com/revue/news/116285.shtml Secuobs.com : 2009-07-02 14:20:58 - InfoSanity - Quick heads up to anyone following the Phorm/privacy debates: Thegovernment's response to an e-petition to ask the government to stopISP's from breaching privacy laws has been releasedThe full response can be read here, it's fairly short so I won't gointo too much detail, but I'm glad to see the government is takingthis seriously and not passing the buck to the ICO the ICOs view:ICO is an independent body, and it would not be appropriate forthe Government to second guess its decisions However, ICO hasbeen clear that it will be monitoring closely all progress on thisissue, and in particular any future use of Phorm’s technologyThey will ensure that any such future use is done in a lawful,appropriate and transparent manner, and that consumers’ rights arefully protected"Thank you for bringing this to our attention; your concerns are veryimportant to us; your concern will be answered shortly"IMAGEhttp://www.secuobs.com/revue/news/116284.shtmlhttp://www.secuobs.com/revue/news/116284.shtml Secuobs.com : 2009-07-02 14:20:58 - InfoSanity - For those that don't know I'm scheduled to give a presentation at theupcoming Super Mondays meeting next week The topic of thepresentation is malware honeypots, and is based as a follow up to myoriginal Honeypotting with Nepenthes, and I'm hoping to discuss somestatistics generated by my submissions2statspy script from myhoneypot logsThe session will begin with a demonstration of some new technologies,including ambient kitchens and surface computers Following this willbe a presentation on cultural technology and HCI by Patrick Oliver anda presentation of meaningful technology and her work on digitaljewellery by Jayne Wallace, before ending the night with mypresentationTickets are free and going fast so register now to reserve your place,event registrationIt is shaping up to be a good night, so look forward to seeing you allthere--Andrew WaiteIMAGEhttp://www.secuobs.com/revue/news/116283.shtmlhttp://www.secuobs.com/revue/news/116283.shtml Secuobs.com : 2009-07-02 14:20:58 - InfoSanity - Having recently been left with several hours to kill with nothing but alaptop and my virtual lab I thought I'd try my hand at somerudimentary malware analysis For a random live sample I selected themost recent submission to my Nepenthes Server$ tail -n1 /opt/nepenthes/var/log/logged_submissions2009-05-21T19:10:59 90130169175 - 19597252143creceive://90130169175:2526 93715cfc2fbb07c0482c51e02809b937To start with I wanted to get an idea of what I was dealing with, so Ipassed the file's hash to VirusTotal's Hash Search utility; andpromptly found that VirusTotal had no knowledge of this particularhash Means we could be dealing with a completely new malware strainor variant or more likely a polymorphic binary creating a unique filesignatureThe question was promptly answered when transferring the binary to myanalysis machine by AVG, 'Threat detected: worm/Allapleb' Notwanting to take the word of a single AV vendor I proceeded to uploadthe binary itself to VirusTotal have I mentioned I like VirusTotalyet Sure enough most AV engines agree with AVG's analysis althoughthere was some dissention over which version of Allaple the samplewas Most AV engines 37/40 flagged file as malicious Comodo,nProtect and PrevX gave the binary a clean bill of healthBeginning with some static analysis, the 'strings' utility is always asafe place to start As I'm using a Windows platform for this analysisI use the SysInternals strings binary This revealed little, otherthan confirming the binary is a windows executable usual 'Thisprogram cannot be run in DOS mode' string and a reference toKernal32dll and some function names FindFirstVolumeW,GetShortPathNameA, GetConsoleAliasesLengthW, AddConsoleAliasA,GetModuleHandleW, CreateProcessA, GetUserDefaultUILanguage,LocalReAlloc, SetHandleInformation, SetConsoleCursorInfoAs there was limited information available from a plaintext stringssearch my next step was to see if the binary had been packed For thisI used PEiD utility, PEiD initially stated that there was 'NothingDetected' although the entropy found within the file 793 causedPEiD to suggest that the binary had indeed been packedWith some basic static analysis undertaken this could/should havebeen taken further but my RE/assembly-fu is a bit rusty, especially at3am I changed tact and went with some initial behavioural analysisFor an initial run I utilised iDefense's SysAnalzer tool written byDavid Zimmer SysAnalyzer is a great utility for automatingbehavioural analysis and capturing system changes, from it's downloadpage:SysAnalyzer is an automated malcode run time analysis applicationthat monitors various aspects of system and process statesSysAnalyzer was designed to enable analysts to quickly build acomprehensive report as to the actions a binary takes on a systemThe tool snapshots not to be confused with VM snapshots the state ofthe system, runs a given binary, then snapshots the system afterexecution before comparing the two snapshots This can provide somedetailed, succinct information to an analyst, but may miss any dynamicand temporary system changes One weakness or strength, depending onyour perspective that SysAnalyzer has is that it does not sandbox themalicious binary from the analysis system Meaning that if the binaryis destructive it *will* hose the system it is being analysed on,obviously if you're utilising virtualisation and snapshopfunctionality this shouldn't be an issueOn starting the analysis, the malicious executable promptly erroredusual Windows' 'executable has failed, please send all information toMicrosoft' type pop-up and SysAnalysis stated that the system wasunchanged by the binary Well that was disappointing, possible someform of VM detection causing the malware to shut downNot to be denied, I re-ran the process: Again the executable crashedwith Microsoft's pop-up, but this time SysAnalysis saw some systemchanges, from API and registry calls to the creation of new processesHowever on further analysis the new processes and files were all onlyrelated to the DWWINexe executable which, as explained here, is partof Windows itself and is the cause of the pop-ups discussed aboveOne aspect that may be causing the binary to lock up is that it isisolated from the network From experience some malware will performan initial lookup to an external resource, if the code can't accesssaid resource the malware assumes it is on a closed system and shutsdown To test this theory I re-ran the executable this time manually,without the SysAnalysis utility with Wireshark sniffing all networkinterfaces As expected the binary crashed with the same error pop-up,reviewing the wireshark capture no traffic was generated outbound toany resource from the infected hostAnother possible reason for malware to refuse to run is newer VMdetection techniques However no evidence of this is present in theAPI calls captured by SysAnalysis, nor can I find any reference to VMdetection capabilities present within the Allaple family from a searchof the web Ideally to test this theory the malware would be executedon a natively installed OS to bypass any potential VM detectionUnfortunately at this stage I do not have resources available tosacrifice a physical machine in this manner, so analysis must stophereOne final possibility is simply that the binary is defective, justbecause the malware is spreading does not necessarily mean that thepayload delivered upon exploitation is fully functional It is notuncommon to have one malware strain being propogated by an entirelydifferent strain This is rapidly becoming more prevelant as'cybercrime' I hate that phrase matures with the recent emergence ofcrimeware-as-a-serviceWhat-ever the reason for the binary failing to have any perceivableimpact on the system, the behaviour that has been observed during thissample's execution does not match that which is expected from otheranalysis of the Allapleb malware strain Sophos' analysis forexample, states that upon infection Allabpleb will:* When first run W32/Allaple-B copies itself tosystemurdvxcexe* The W32/Allaple-B is registered as a COM object* W32/Allaple-B installs itself as a service with the name"MSWindows"No evidence of this behaviour has been seen during analysis, nor areany of the changes present on the system post infection This is agood example of why there isn't always a need to panic when AV picksup a malicious item Until the infection has been analysed in moredepth there is no way of knowing how scary the compromise andinfection is--Andrew WaiteIMAGEhttp://www.secuobs.com/revue/news/116282.shtmlhttp://www.secuobs.com/revue/news/116282.shtml Secuobs.com : 2009-07-02 14:20:58 - InfoSanity - OK, so we'd all like to be 1337 and know everything without missing abeat, but for mere mortals like myself I find that impossible so I'm afan of the various cheat sheets that people and organisations put outfor succinct, to the point memory joggersI've got links to these scattered in various places and I've beenmeaning to get them organised in single location for a while, LennyZeltser's recent tweet @lennyzeltser pointing out a couple of newresources gave me a reminder that this has been on my to-do list fortoo long, so here goes:* SANS - Intrusion Discovery Linux* SANS - Intrusion Discovery Windows* SANS - Netcat* SANS - Misc Tools Hping, Metasploit et fgDump* SANS - Windows Commandline* SANS - TCP/IP et tcpdump* SANS - Google Hacking* Lenny Zeltser - DDoS incident handling* Lenny Zeltser - Reverse Engineering* Lenny Zeltser - Security Achitecture for Internet Applicationsadded 2009-06-22* PacketLife - Too many to list Direct download all zip* SecGuru - Nessus et Nmap* @NickHarbour - x86 AssemblyThats the lot some of my bookmarked links are dead, I'm sure thiscan't be the be all and end all of infosec cheat sheets If you've gotsome resources I've missed, then please feel free to shareLikewise, if you created one of the linked to resources and don't wantthe link here, just let me know and I'll remove it These resourceshave saved my bacon on numerous occasions so I definitely don't wantto be stepping on anyone's toes--Andrew WaiteIMAGEhttp://www.secuobs.com/revue/news/116281.shtmlhttp://www.secuobs.com/revue/news/116281.shtml Secuobs.com : 2009-07-02 14:20:58 - InfoSanity - I had a really enjoyable night at last night's SuperMondays eventSome of the innovative uses for technology on display from NewcastleUniversity provided a great glimpse of where we could be heading inthe future towards ubiquitous computing Of special interest were theresearch being undertaken with surface computing, which seems to havetaken centre stage of new technologies recently, althoughunfortunately the expected MS Surface device wasn't available at thelast minuteI also liked the work being done by the Ambient Kitchen project Whilethe technology is still in it's early stages it is easy to see howthis technology could be a part of every day life With the focus thegroup has on providing assistance and support to people with cognitivedifficulties the fruits of the project could go a long way togenuinely improving people's lives It makes a nice change to see newtechnology being developed for a real, useful purpose rather than theusual, 'we can, it's cool, why not' approach to some tech developmentLinked with these new technologies Patrick Oliver and Jayne Wallacedemo'd and talked about some of their work with developing culturaland meaningful technologies One example was a twinned pair ofnecklaces which allowed the wearers to communicate some acts ofdistance, for example holding one pendant would cause the other tovibrate As wireless communications become more pervasive I canenvision similar technologies becoming more subtle and common placeDespite my initial perception of the topic as being 'arty' and notreally that useful, I enjoyed the presentation and can see some validand quite exciting uses for this technology in the futureThe event finished with a change of pace, with me presenting about myexperience with using honeypot systems and hopefully convincing othersthat the system are valid additions to any network, and are good funin the process From my perspective I feel that the presentation wentwell, although I blew through the material a bit rapidly I wasgenuinely relieved and thrilled with the amount of questions anddiscussion that was generated at the end of my presentationUnfortunately I believe that there isn't a recording of thispresentation, as is customary with SuperMondays talks, as the videocamera decided to flatten it's battery just before I started As acompromise I've posted my slide-deck from the presentation Hopefullypeople may find this useful, I'm always open to questions ordiscussions so please let me know your thoughtsBottom line from all this SuperMondays is a blast, if you're in thearea and haven't been along yet, why not I'm definitely going to makemore of an effort to ensure I'm available for future events, see youall there next time--Andrew WaiteIMAGEhttp://www.secuobs.com/revue/news/116280.shtmlhttp://www.secuobs.com/revue/news/116280.shtml Secuobs.com : 2009-07-02 14:20:58 - InfoSanity - I jumped the gun slightly when I said previously that there was norecording of my talk, the camera managed to catch the first 2+ minutesof the presentation Just enough time for a brief overview of theintention behind honeypot systems Direct LinkThe rest of the Super Mondays event was recorded more successfullyCheck it out here for the official write-up and event videos Wellworth a look--Andrew WaiteIMAGEhttp://www.secuobs.com/revue/news/116279.shtmlhttp://www.secuobs.com/revue/news/116279.shtml Secuobs.com : 2009-07-02 14:20:58 - InfoSanity - Last week I bit the bullet and bought a 'toy' I've been looking at for awhile, the Acer Aspire One AA1, and so far I've had few regretsWhilst being small and, more importantly to me, light the screen sizeis still large enough to work with including using multiple windowsat once and the keyboard is large enough that it did not take long toget up to full speed Only real problem with the keyboard is somethingI've seen on full-size laptop keyboards, the home/end keys require atwo key combination with the Fn key Not a deal breaker, but Inaturally use end and home keys so it is taking some getting used toBefore getting the AA1, I'd heard several complaints about thetouchpad mouse layout Make no mistake, having the mouse buttons tothe side, rather than beneath the touchpad is a major pain If the AA1was designed to replace a desktop or notebook this would be a problem,but I mostly stick to command line and use a mini USB mouse when at mydesk so this hasn't disgruntled me too muchThe linux operating system shipped with the AA1boots ridiculouslyquickly partly due to the solid state hard drive my model is equippedwith, whilst I've not taking a stopwatch to the boot process I don'tfeel concerned quoting a 10-20sec boot time Easily fast enough for menot to worry about if I've got time to boot and carry out whatever Iintend Usability wise, the OS clearly targets those with no Linuxexperience, as the internals are hidden as much as possible Luckilyfor those wanting to play under the hood it's a simple matter ofrunning Terminal through a Ctrl+F2 promptI've spent most of my Linux time with Debian, so only have limitedknowledge of the yum package framework, but a bit of experimentationfound that it is on the service at least similar to the apt packagesystem so familiarity hasn't been an issueFrom a security standpoint, I was pleased to find that my standard USBdrive currently BackTrack3 w/Helixworked out of the box, mostlywithout issue I needed to follow the instructions in this forum anddownload the referenced display driver package to enable Backtrack'sGUI Playing with the rest of my equipment I've also found that myrecent wireless purchases work without issue as well which hasresulted in some interesting results from warwalkingIt's still early days, but so far I'm delighted with the purchase Formy purpose, backup machine for security research and incidenthandling, the AA1 is perfect but I've also had discussions with peoplesince owning the machine who've informed me that it works equally wellfor young children or elderly parents A great multi-purpose tool forany generation--Andrew WaiteIMAGEhttp://www.secuobs.com/revue/news/116278.shtmlhttp://www.secuobs.com/revue/news/116278.shtml Secuobs.com : 2009-07-02 14:20:58 - InfoSanity - Cleaning the harddrive of any machine, be it desktop, laptop or server,before either repurposing or selling or even scrapping, should be abasic requirement of any organisation But there is a seeminglyunrelenting stream of reported incident, some of which coming fromorganisations that really should know better, MI6 and militarycontractors for exampleIs securely wiping data from drives really that difficult Not reallySimply boot the system with nearly any live linux system I useKnoppix for this kind of work, then simply use dd discussedpreviously to image drives to overwrite the drive with random dataFor example:dd if=/dev/urandom of=/dev/sdaThis simple overwrites the entire physical drive, sda, with randomdata taken from the pseudo device /dev/urandom For more indepth infoon wiping with dd and some different options see this guideThe downside to wiping drives in this method is the length of timeinvolved, in recent cases I have seen a 80GB drive take a little offive hours to completeDisclaimer: this may not make your data completely irratrievable butit should be enough to prevent the data being obtained by the simplycurious To truely ensure irratrievable data, try this methodDisclaimer's Disclaimer: Server destruction should only be carried outbe trained professionals, InfoSanity accepts no responsibility forloss of live, limb or eyebrow--Andrew WaiteIMAGEhttp://www.secuobs.com/revue/news/116277.shtmlhttp://www.secuobs.com/revue/news/116277.shtml Secuobs.com : 2009-07-02 14:20:58 - InfoSanity - Johannes Ullrich recently posted an article detailing quick and simpletraps you can add to a web site or web app to flag up suspicious andmalicious activity on the site Johannes does a better job of explainthan I could so I'd recommend a read of his post, but put simply thetraps discussed are:* Don't hand session credentials to automated clients* Add fake admin pages to robotstxt* Add fake cookies* Add 'Spider loops'* Add fake hidden passwords as HTML comments* Use 'hidden' form fieldsAll of the ideas are relatively simple to implement to a greater orlesser extent I've spend the last week experimenting with some of theproposals and have seen some success so far If I gain any unusual orinteresting results I share my findings in a future post--Andrew WaitePS if your not already following the AppSec Street Fighter blog I'dhighly recommend itIMAGEhttp://www.secuobs.com/revue/news/116276.shtmlhttp://www.secuobs.com/revue/news/116276.shtml Secuobs.com : 2009-07-02 14:20:58 - InfoSanity - I've been meaning to post a quick review of this for a while, but betterlate than neverRecorded at Notacon '09 CG and g0ne gave a great presentation onclient side attacks, video here The talk starts of with explainingwhat client side exploits are, and more importantly why we shouldcare And finished off with some quick and dirty client side attackexamples using MetasploitI've found this talk really useful and have listened through it onseveral occassions to get a better feel for the client side aspect ofpenetration testing Client side is an area that has been targettedquite extensively by the 'bad guys' and is just starting to get wideranging attention from the security industry as a wholeThroughout the slides, and at the end of the presentation, there areseveral links to additional reading and sources used for thepresentation Like the presentation itself I've found these to be veryinformative and provide useful info and techniques with genuinereal-world application Highlights of these links come from LennyZeltser and two post from Carnal 0wnageI definitely agree with all those that believe that client side is thenext or current source of pain for the security industry and thattraditional security architecture and tools aren't currently up to thejob of protecting against the threatAs though client-side attacks weren't easy enough thanks to the powerof Metasploit as demonstrated, I recieved a link to a blog postpriming the world for the release of Assagai, a new phishingframework If it can live up to the billing, then I can't wait to getmy hands on the framework at release--Andrew WaiteIMAGEhttp://www.secuobs.com/revue/news/116275.shtmlhttp://www.secuobs.com/revue/news/116275.shtml Secuobs.com : 2009-07-02 14:20:58 - InfoSanity - Keeping with todays theme of working through a backlog, I've had two ISCdiaries flagged for several months, Dealing with Security Challangesand Making the most of your runbooksThe first is more a question of how to handle security incidents andrequirements with minimal resources This seems to be a common theme,with lots of in-house security teams complaining that resources aretoo tight and that priority rightly or wrongly is given to otherbusiness units The summary of tips provided is too generic for myliking as most should be obvious or common-sense issues, although I'ddefinitely like some advice on how to actually achieve some of themFor example:* Set priorities, don't waste resources on unimportant ornonconsequential tasks* Get buy in from other business units especially management* Stay calm* Request assistance if workload is too muchThe second article provides more concrete advice on planning for, andmanaging security incidents and boils down to three goal markerswithin an incident handling framework:* If you don't have written procedures or steps for handling anincident, then write some* Centralised, digital procedures are more useful than paperrecords Allowing for easy access and colloboration by multiplemembers, with a specific recommendation of using a wiki* Automate as much of your procedures as possible For example ifone of the procedures is to search web server logs for specificentries, add a button or page to the wiki that automaticallysearches the specific logs and returns the information Less stepsfor responders remember/work through, and less chance of making amistake when under pressureFinally the diary entry makes two points to make the case for why youwant these systems in place* Compliance; logs from wiki based procedures can prove to auditorsthat the specified and pre-approved actions were taken duringincident X* Management; logs and records from past incidents can prove thevalue of security and incident handling teams within anorganisation, or prove SLA compliance with internal and/orexternal clients--Andrew WaitePsst You are checking the ISC diary daily aren't youIMAGEhttp://www.secuobs.com/revue/news/116274.shtmlhttp://www.secuobs.com/revue/news/116274.shtml Secuobs.com : 2009-07-02 14:20:58 - InfoSanity - Earlier this week the hackersorg blog posted the release of theSlowloris HTTP DoS tool primarily coded by Rsnake, discribed as Thelow bandwidth, yet greedy and poisonous HTTP clientThe attack vector essentially works by initialising an HTTP requestbut never completes the request, causing the handling thread to waitfor the end of the request Slowloris uses multiple threads to rapidlyexhaust the web servers available network resources The attack iseffective against several web server platforms, but most significantin terms of market share and install base is Apache 1X and 2XservicesThe HTTP request currently generated by Slowloris is below, howeverbefore trying to use the info to create IDS signatures the packetcontents could easily be modified to avoid overly specific signaturesand overally general signatures could generate high volume offalse-positivesGET / HTTP/11Host: 19216880129User-Agent: Mozilla/40 compatible; MSIE 70; Windows NT 51;Trident/40; NET CLR 114322; NET CLR 20503l3; NET CLR3045062152; NET CLR 3530729; MSOffice 12Content-Length: 42Highlighting the potential damage this technique could course, theInternet Storm Center has already posted two diaries discussing theattack since it's release, the first introduces the tool and has somerudimentary low-level analysis of the attack vector The seconddiscusses potential mitigation techniques, unfortunately these arecurrently far from bulletproof at presentSince it's release I've tested the Slowloris script and,unfortunately, it's been wholly effective everytime Whilst thesuggested mitigations can improve a web server's resilience to theattack, as the point of the web-server is to provide services to theoutside world it is near impossible to prevent a maliciuos attack ofthis nature without similarly impacting legitimate service provisionUnfortunately the maliciuos user has the up-hand in this battle, asthe level of resources required to deny service is miniscule comparedto the potential damage and resources required to avoid the threatEven against a server modified with some of the proposed mitigations,the attacker still only required a sustained traffic flow ofappoximately 45Kbps, easily obtainable from even a single ADSLconnection This also means that the attack may be missed by sometraditional techniques such as monitoring for unusual traffic levelsEspecially as other servers on the server will be responsive,basically if you have issues with your web services I'd recommendchecking current connections to the Apache service, for example:#netstat -antp | grep :80Best response I've found so far is re-active, basically get hit withthe attack, find source IP and block at firewall perimeter or hostbased, not ideal but, at least currently I haven't seen this attackin the wild to justify modifying functional production servers to onlymitigate against a potential attack when those modifications coulddeny legitimate services itselfLife could be about to get interesting--Andrew WaitePS Twitter plug: whilst this attack vector could be significant, itwas publically available 48hours before I noticed any reference ineven information security focused mainstream media However, I had atest environment demoing the script within 60 minutes of RSnake @rsnakepublicising the link on TwitterIf you're not already following the industry in real-time give it ago; @Jhaddix has a short guide to using Twitter to follow the securityindustry at EH-NetIMAGEhttp://www.secuobs.com/revue/news/116273.shtmlhttp://www.secuobs.com/revue/news/116273.shtml Secuobs.com : 2009-07-02 14:20:58 - InfoSanity - The Remote-Exploit boys have done it again, pre-release version ofBackTrack 4 is available for download here As always there is a largeamount documentation available on the Remote-Exploit wiki and forum,and the Offensive-Security blogIn case you've been living under a rock, BackTrack is now based onUbuntu which makes the OS easier to install thanks, in part, to theUbuquity installer, a video demo of the process is included in aseries of intro videos designed to get you up and runningSo far I've had the latest version run on all my usual hardware, onlyissue I still need resolve or to find someone elses' solution is theresolution on my AA1, so far the driver and cheat codes used to fixthe issue with BT3 don't have the same effectAs expected BT4 has the usual assortment of best of breed tools, butit seems to have trimmed some of the fat that was found in previousreleases Whilst some may miss specific tools, I think this helps keepsome focus; rather having multiple tools perform the same the taskwith varying degrees of proficiency, the high-end tools are includedto get the job done I'm sure if anyone's favourite tools are missingit will be easy enough to add as requiredCustomisation appears to have been a focus of the new release as theprocess has been made easier and more automated than in previousreleases, this article describes the new changes with an accomanyingvideo demoNot much else to add, BackTrack is still great and moving forward toaid system 0wnage everywhere Big thanks to Muts and the rest of theRemote Exploit Team--Andrew WaiteIMAGEhttp://www.secuobs.com/revue/news/116272.shtmlhttp://www.secuobs.com/revue/news/116272.shtml Secuobs.com : 2009-07-02 14:20:58 - InfoSanity - Live boot CDs have always been the mainstay of security and incidentresponse toolkits These days CD drives are starting to becomescarcer, optical media is prone to scratching, and flash media israpidly getting cheaper Additionally flash drives often have muchhigh capacity storage for their sizeAs a result USB pendrives are starting to overtake CD/DVD in terms ofpopularity One fallback was often the difficulty encountered ingetting the drive to both store the required live filesystem and bootfrom power on For example, my first successful bootable driverunning BackTrack3 was the result of several days trial and errorHowever, things now much simpler thanks to the Unetbootin utilitySimply select a distribution a support distribution from drop-downlist which will automate the download of required media and select anattached USB drive and start the process The tool then goes off inthe background and creates a bootable USB drive, no fussAlternatively you can point the utility at a local *iso file, whilstnot all distributions are officially supported by Unetbootin, I'm yetto have it fail on meIf you need a portable tool-kit, give Unetbootin a look--Andrew WaitePS the Backtrack4 Up and Running video series shows the Unetbootinprocess in all it's simplicityIMAGEhttp://www.secuobs.com/revue/news/116271.shtmlhttp://www.secuobs.com/revue/news/116271.shtml Secuobs.com : 2009-07-02 14:20:58 - InfoSanity - I'm still following my recent interest in wireless networks and devicesIn the past month I gained a USB gps reciever which I forgot to writeabout, may have a short review shortly After adding gps capabilityto my wardrive setup I proceed to scan the local area, then hit abrick wall There appears could be my google-fu is failing me a lackof available tools to meaningfully use the captured dataAfter a lot of digging a stumbled upon this script, designed to parsethe output from Kismet and generate a kml file to import into GoogleEarth Unfortunately, I've been unable to get this to work as GoogleEarth complains when opening the file Could be a version issue soyour mileage may vary, if anyone does get it working please let meknowThe PerryGeo code did however provide an excellent foundation toutilise the Kismet log file and generate different output To this endI have released a basic proof of concept script that generates astatic map via the Google Maps API If you want to do anythingsimilar, or want to extend or modify my image code I found the Googledocumentation to be invaluableTo the tool itself, starting a disclaimer:This tool should not be used for illegal or malicious purposes Itwas created to visualise network locations and implementedencryption technologies, in an effort to enhance previous analysisof wireless network statisticsFor each discovered access point, the script places a marker on themap, colour coded to level of encryption: Open access points aregreen, WEP encrypted access points are yellow, whilst WPA encryptedAPs are redThe Google maps API appears to have a limit to the length of URL thatit is able to support, as a result the script limits the plotted APsto the first 50 in a given Kismet xml log file This should besufficient for site surveys, but is less useful for mapping theresults from a wardrive trip I haven't manage to locate any firmdocumentation on this limit, if anyone is able to shed any light orknows a workaround I'd appreciate a heads upBelow is an example of the tools output actually, it just outputs theURL, which in turn requests google create the image The image iscreated from a subset of data collected during a drive around theAngel of the NorthThis is still very early days for the tool started coding 24hoursago so any feedback, issues or feature requests would be appreciatedDownload available here: kismet2gmapstatic-0_1bpy--Andrew WaiteIMAGEhttp://www.secuobs.com/revue/news/116270.shtmlhttp://www.secuobs.com/revue/news/116270.shtml