Cатсн²² (in)sесuяitу / ChrisJohnRiley

SANS Germany 2012

ChrisJohnRiley — Tue, 24 Jan 2012 18:00:17 +0000

So a little birdie told me that the fine folks over at SANS are arranging a conference in Germany this year. Unfortunately I can’t get the time off to attend, but I managed to wrangle a discount code incase any of you fine reader types are thinking of attending…

SANS Germany 2012
SANS Germany 2012 is coming up soon on 5-10 March at the Arcotel Camino in Stuttgart. This will be the first SANS training conference in the country since 2008. SANS is bringing some of its biggest classes back to Europe by popular demand.

SEC504: Hacker Techniques, Exploits and Incident Handling
MGT512: SANS Security Leadership Essentials for Managers with Knowledge Compression
DEV522: Defending Web Applications Security Essentials

So if you’re thinking of attending, the discount code “SANS5DE12” should be good for 5% off the cost of the course. Enjoy!

Links:

SANS Germany 2012

Tagged: SANS

Eurotrashsec… the year that was!

ChrisJohnRiley — Thu, 19 Jan 2012 13:00:44 +0000

2011 was a good year for the Eurotrash Security Podcast. We did some new stuff (being a media sponsor for the FIRST conference, and being 50% of the FIRST Podcast with Martin McKeay from the Network Security podcast), and we kept to an almost monthly schedule… which is much harder than you think. We also brought Ben (AKA Wicked Clown, AKA Mr Inappropriate) into the fold, and immediately started to need to edit out offensive content more often. A coincidence I’m sure

In general 2011 was a big year for us… and 2012 could be even bigger. Eurotrashsec got nominated for a social security blogger awards in the best security podcast category! An honor to be sure… even if we don’t (and we won’t) win.

So what was up in 2011 for Eurotrashsec… well, the man behind the curtain, @xme, sent over some stats and a wicked mashup of episodes downloads overlayed on Google Maps… so let’s get to some stats.

General stats:

Total hits: 2.493.500
Total MP3 downloads: 103.346
Total unique IP’s: 56.152
Visits: 5.013
Unique visitors: 3.501

Nice to see that the podcast topped the 100,000 downloads in 2011. I’m sure Pauldotcom does that in a weekend, but we like to be niche… honest! It’s not to late to download the episodes you missed now you know –> XML

Top-5 countries:

I’m pretty sure that the French listeners will be dropping after the last podcast… still we like to try and be equal opportunity offenders (we like to offend everybody equally that is). So looks like we need to move up the list to our German listeners next

I threw together some nice graphs in Excel (@wimremes is probably turning in his grave right now) that show the most popular episodes of 2011 and the downloads (full show and microtrash episodes). I also made a screenshot of @xme’s wonderful map overlay –> full version HERE

Let 2012 begin!

Tagged: Eurotrashsec, podcast, stats

Unsung heros

ChrisJohnRiley — Fri, 13 Jan 2012 13:30:36 +0000

tl;dr : I’m searching for your suggestions for the unsung heroes of security tools (not the usual things we talk about every day). Please send your entries via the form HERE… there will be a random prize for people taking part.

Have you ever stumbled on a tool and wondered “Why didn’t I know this existed!” or “If only I’d had this last week on that test”… if you’re anything like me then it happens all to often. As an industry we have more ideas, methods and tiny tools/scripts than we know what to do with. Every time a conference rolls around (which is almost daily now it seems - Is the answer more InfoSec Conferences?) people are eager to pimp their wares (I’m no different), and sometimes it’s needed to show proof of concept, new technique or something else equally mind-blowing. Some (and only some) of those new techniques, methods, attacks, … will make the jump from niche tool into a framework (such as Metasploit or nmap). Some others will live on in individual tools/scripts. Projects like Backtrack Linux try to gather the most well-known of these tools into a central distribution, but inevitably there’s always the one or two real gems that fall between the gaps. You can’t cram everything into any single framework or distribution, otherwise it becomes unusable.

So where does that leave us? It’s leaves us with Google (or Bing, if you’re really hard up) as the only hope for finding those niche solutions for testing that funky web app that you didn’t even know would run on AIX 5.2.

Previously some very nice people have gone out of their way to document and bring these niche tools together, lest they be lost to the annuls of time. A few years back @mubix took the time to catalogue the tools released at just one conference. The Defcon Tools page shows the tools that could be catalogued after the Defcon 18 conference. That’s a lot of tools for a 3 day period! No wonder we skip over some of the ones we should be paying attention to… and there I finally get to the point of this blog post.

I’m attempting to (and I say attempting, as it relies on you the readers to help out) gather suggestions for your “unsung hero” of the tools world. As we work in Infosec I’m looking specifically to gather a list of tools that aren’t on ever penetration tester, or forensic investigators list, but that you have respect for. We all love Metasploit, nmap and the other popular tools voted for on the SecTool TOP 125 list. However I’m looking for something a bit different here, something off the beat and track.

So, if you’ve got a favourite tool (or 2) that you think are your unsung heroes, I want to hear about it. Don’t wait, don’t even think… you’ve got one in mind right now… just fill in that form and click submit!

Oh, did I forget to mention! I’ll be doing a random draw of 1 of the entries and sending you a book. Not sure what just yet, but I’m sure you’ll like it You’ve gotta be in it to win it!

[contact-form]

Please share this link with your friends, work colleagues, drinking buddies, or hobos… the more the merrier!

Short link –> http://c22.cc/heroes

* Why do I request your email address… simple, at some point (if this goes to plan) there will be a vote. I’m happy to email out links to the vote as and when… then again, if you don’t want to give me your email address, that’s fine too. Not like I’m gonna sell it

Tagged: forgotten, tools

The CSRF that almost was…

ChrisJohnRiley — Sun, 08 Jan 2012 17:07:38 +0000

It’s strange sometimes where your inspiration comes from, but regardless of where, it’s good to be back in the saddle when it comes to really enjoying some research. Some people close to me might already be aware, but I’ve not really been “into it” for a while now, as can be seen by the lack of blog posts or interesting content. Lets hope this is the light at the end of that tunnel (… and that it’s not a train, obviously ;)

So, back to the interesting idea. A lot of the research I did into the SAP Management Console was about what an attacker could do accessing it from the internet, or directly when on the local LAN segment. Although there’s probably a lot more attackers could do with this stuff, the protections that SAP have rolled out should be enough to deter most casual attackers. I’d also looked at what attackers could do to attack client-side, by sitting in the middle and providing a tainted JAVA applet when an administrator comes to load the SAP Management Console… or even forcing Basic Authentication at points before the application requires it. The thing I’d not really done was think about what an attacker could do from the internet without ever actually having access to the SAP Management Console.

Looking back at history a bit, I re-read some posts on using CSRF attacks to change settings on local ADSL routers. The attack isn’t new, and there’s more than a few resources discussing it. However I was interested to see if this sort of attack could be used to perform remote code execution on the SAP Management Console using the OSExecute method. Normally this is an authenticated method, so an attacker would need a username / password, but by using CSRF, this seemed like it could be bypassed if certain conditions were met (i.e. an administrator can be lured to the CSRF page, and they are logged into the SAP MC, or have clicked the “save password” prompt to save time on future logons).

Starting off I needed to find a solution to force a user to perform a POST request, as the SOAP message can’t be sent over GET unfortunately. After a bit or playing and research I stumbled on a post by pentest monkey detailing some work he’d done on the same issue. Using an HTML form containing the contents of the POST request as the name field, it was possible to send the desired request. By adding a JavaScript trigger it was also possible to send the form (and thus the POST request) without user actions. So, all well and good.

The above FORM includes a complete SOAP request (using the OSExecute method) within the first input name field. In the case of the POC script, the servername is set using a variable passed to the page forming the POST message. The name of the SAP system internally can easily be found using one of the SAP Management Console modules that are now in Metasploit.

To get the form to automatically submit without user interaction, I added the following JavaScript… (tested in Chrome, IE and Firefox)

function myfunc () {
var frm = document.getElementById("sap");
frm.submit();
}
window.onload = myfunc;

The result is a page that forms a valid POST request to the SAP Management Console inside the targets network.

POST / HTTP/1.1
Host: server.example.com:50013
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0.1) Gecko/20100101 Firefox/6.0.1
Referer: http://www.catch22insecurity.com/POC/soap_post.php?servername=server.example.com
Content-Type: text/plain
Content-Length: 575

truecmd /c echo "wimming" > c:\temp\proof.txt0=

Despite the additional “=” sign being tagged onto the end (as a result of the HTML FORM), the request is valid and will be honored by the SAP Management Console if valid credentials are already saved in the browser being used, or a valid Basic Auth header is present… and THIS is where the “almost was” comes into play.

When testing it became evident that browsers (IE and Firefox at the very least) don’t automate the response of valid credentials when they’re stored in the browsers password store. When the SAP Management Console responds to the target asking for credentials, even if they’re stored in the browser, the user is prompted to click OK on the already filled out username/password box.

Well that’s a pity! … and no change when serving it up over SSL either.

So where does this work?

So as to not totally come out of this a looser, where does (or could) this attack work. Sticking with SAP Management Console there are a few places it could still work well.

The obvious –> Admins that click-through anything. If the user accepts (or enters) valid credentials, then the OSExecute will be successful.
SAP MC Methods that are not protected –> Anything where a blind request can be sent and an action is performed without requesting credentials. This is limited in SAP, and as no response can be received by the attacker, the scope is limited.
Attacks against specific SSO implementations –> Not naming names, but there are more than a few Single Sign On solutions out there that take the place of browser passwords stores (and other password stores). These solutions may act differently when saving a password… I’ve seen implementations that fill in the credentials and submit them without user action.
Situations where an SAP Administrator has already performed direct actions against the SAP Management Console through the browser, thus setting a valid Basic Auth token –> Few and far between, as the interaction is mostly through MMC of JAVA applets that do not need to use the browser.
Exploit delivery –> There are, and will probably be in the future, valid one request exploits against SAP Management Console. This attack vector would allow these exploits to be delivered as long as no credentials or other user input is required.

Well there it is… The time invested was minimal and as with everything, you learn as you fail… Feel free to take a look at the POC I put up on my site if you want to try it out for yourself. Please don’t abuse it though!

POC .:

HTTP –> http://www.catch22insecurity.com/POC/soap_post.php?servername=server.example.com
HTTPS –>https://www.catch22insecurity.com/POC/soap_post_ssl.php?servername=server.example.com
- Self signed certificates on HTTPS may cause issues in your testing. YMMV

Tagged: CSRF, sap, So Close, SOAP

Some stuff about SVN

ChrisJohnRiley — Sat, 31 Dec 2011 17:00:47 +0000

As I mentioned in my earlier post, the automated Metasploit Modules posts are going the way of the dodo. Still, there are a few things from my automated posts that I didn’t want to just disappear, mainly because I’m sure I’ll forget them if I don’t post about them. Ignoring all the issues with setting up mutt to email a file at a set time, and getting WordPress to correctly format an emailed HTML file, the main thing I wanted to note was some SVN tricks I picked up while writing my automated shell script. I’m not sure how well-known or useful these tips are, but here that are anyway, for those that are interested.

svn diff

There are various uses for the svn diff command. However for the purposes of automating a list of new modules added to Metasploit I used the diff command to summarize changes to the TRUNK itself.

Example:

svn diff https://metasploit.com/svn/framework3/trunk –summarize -r 14450:HEAD –non-interactive

….

M https://metasploit.com/svn/framework3/trunk/lib/msf/core/rpc/v10/client.rb
M https://metasploit.com/svn/framework3/trunk/lib/msf/core/model/workspace.rb
A https://metasploit.com/svn/framework3/trunk/lib/msf/core/post/windows/shadowcopy.rb
M https://metasploit.com/svn/framework3/trunk/lib/msf/core/auxiliary/report.rb
....

This example will output all changes (Additions, Deletions, Modifications) to the files in the TRUNK between revision 14450 and HEAD (a shortcut for the current revision). This is great, but not everybody happens to remember the revision numbers used on a set date, and although it was useful for automated scripts (simply save the HEAD revision number for use as a starting point in the next script) it doesn’t lend itself to easily seeing what’s been changed in the last week/month/year.

So what can we do to get just the last weeks changes… the -r in the above example can be altered to include a set date as either the start of end point. By putting a date inside {} brackets you can see exactly what was changed in the last week.

Example:

svn diff https://metasploit.com/svn/framework3/trunk –summarize -r {2011-12-24}:{2011-12-31} –non-interactive

We can obviously take this a step further and begin filtering the output for only the newly added scripts using simple regex. I implemented this in a shell script by piping the output to ”grep ‘^A’ | cut -b 8-” to select only the Additions and remove the preamble from the output.

svn info

As an aside, the following command will give you the current revision as well as further information

svn info https://metasploit.com/svn/framework3/trunk

….

Path: trunk
URL: https://metasploit.com/svn/framework3/trunk
Repository Root: https://metasploit.com/svn
Repository UUID: 4d416f70-5f16-0410-b530-b9f4589650da
Revision: 14492
Node Kind: directory
Last Changed Author: rapid7
Last Changed Rev: 14492
Last Changed Date: 2011-12-30 23:04:03 +0000 (Fri, 30 Dec 2011)

of course, if you just want the Last Changed Rev number, then piping this into “grep ‘^Revision:’ | cut -b 11-” will give you just the reference number itself.

Well there it is, I hope some of you find it a little useful.

Here’s to 2012! See you on the other side…

Tagged: Metasploit, svn, tricks, updates

Metasploit Modules: A Year in Review

ChrisJohnRiley — Sat, 31 Dec 2011 15:15:39 +0000

A month of so back now I started automating some posts on the new Metasploit modules released. As luck would have it, about the same time, the guys over at Rapid7 started to churn out more regular blog post themselves, giving details of the key modules and changes. Although the posts were interesting to a select few, I never saw them as a long-term thing and as the year ticks over to 2012 it’s time to put them to bed. After all, the people at R7 are bound to have a better overview of Metasploit than I am.

Before it goes though, I took time to output newly added modules between 2011-01-01 and now (2011-12-31)… just to show what’s been accomplished in 2011. I’m sure the fine folks at R7 will be putting out a more detailed review together with pretty charts, and maybe even an Infographic or two. Still, I hope this proves useful for some as we wave goodbye to the automated weekly posts.

Note: These are only the modules marked as Additions within the modules / tools or scripts directories. Some modules may be excluded and others may appear if they were Deleted and reAdded at some point in the year. I’ll be posting up something about how the lists were created in a separate post soon.

The following modules have been added to the Metasploit SVN between 2011-01-01 and 2011-12-31

Tagged: additions, Metasploit, svn, year in review

Metasploit Modules: Update 2011-12-26

ChrisJohnRiley — Mon, 26 Dec 2011 09:00:30 +0000

The following modules have been added to the Metasploit SVN between SVN version 14425 and 14460

More information on these modules can be found in the Metasploit Repository

* This is an automated weekly post of additions to the Metasploit SVN

Tagged: Metasploit, svn, updates, weekly

Metasploit Modules: Update 2011-12-19

ChrisJohnRiley — Mon, 19 Dec 2011 09:09:02 +0000

The following modules have been added to the Metasploit SVN between SVN version 14390 and 14425

More information on these modules can be found in the Metasploit Repository

* This is an automated weekly post of additions to the Metasploit SVN

Tagged: Metasploit, svn, updates, weekly

The more things change, the more they stay the same!

ChrisJohnRiley — Sun, 18 Dec 2011 16:33:24 +0000

AKA: 10 years of FAIL!

As it gets closer to the end of the year, you can’t help but despair at the seemingly un-ending flow of prediction posts. Heck even I threw one up on the blog (although more of a joke than anything else). Everyone (not just those trapped in the InfoSec echo chamber) seem obsessed with the next big thing, the year to come and what the future holds. I can see the attraction… looking back at all the mistakes we’ve made is never a nice thing.

I’m willing to bet that most people reading this think things have changed a lot in the last 10 years. We’ve got web 2.0 and things are more complex than ever! I thought the same, until I stumbled on a little bit of history while cleaning out the bookshelves. If you’re as old as me you probably remember those “Top Internet Website Guides” from years gone by. Before the almighty Google took search engines to a new level, people actually had books listing interesting websites. It was just such a book that caught my eye, and I couldn’t resist looking through it to see what the World Wide Web looked like back in 2001.

Websites come and go… they fall from favour and in the blink of an eye they’re gone from the world… some however stand the test of time and surprisingly enough, look pretty much the same now as they did back in 2001. Timeless design? Simple to use interface? or just a little bit of proof that not much changes in 10 years, even on the Internet!

Click to view slideshow.

Look familiar? I’m pretty sure it wasn’t that long ago that Apple.com was still using the same design! Still, that’s all fun and good, but this is an InfoSec blog, so let’s get to the point.

This trip down memory lane got me thinking… what was the landscape like back in 2001. What were the threats, the vulnerabilities and the issue we hoped to fix. What were the predictions and promises we made back in 2002?

Just looking through the schedules for Blackhat (US | EU) and DefCon for 2001 shows just how far we’ve come and how little we’ve actually achieved! 10 years on and the things that we’ve fought against are still the things that we’re fighting against today.

Just to pull a few examples from those schedules .:

One-Way SQL Hacking: Futility of Firewalls in Web Hacking (JD Glaser & Saumil Udayan Shah)

WebApp Security: The Land that Information Security Forgot (Jeremiah Grossman)

Hackproofing Lotus Domino (David Litchfield)

Web Vulnerably & SQL Injection Countermeasures (1-2) (Tim Mullen)

GSM / WAP / SMS Security (Job de Haas)

Hacktavism Panel (cDc)

OS/X and Macintosh Security (Freaky)

Scary isn’t it! I’d love to see the reaction people would give if these talks were listed in a conference this year. I’m not sure about you, but I’d think it was a pretty good lineup and relevant to our current issues.

Whats the moral of this story… simple really. We’re failing. You’re failing, I’m failing, and everybody who thinks they’re not is deluding themselves. We’re stuck in this constant InfoSec circle-jerk where we each tell the next how much better things are and how we’re making the world a better, safer place. In reality all we’ve achieved in the last 10+ years is to form an industry around InfoSec that helps to maintain the status quo. We’ve built this virtual altar were we pray at the feet of so-called InfoSec rockstars. The people who we look to, to make things better for us. Well, sorry to say, but Dan Kaminsky isn’t going to come down your chimney this Christmas and leave you a shiny black box that solves all your APT woes! Although, I for one think it would make a cool movie plot! Jeremiah Grossman isn’t going to wave a magic wand and make your SQL injection vulnerabilities disappear in a puff of magical pink smoke… although, it would make a funny clip for next years DefCon (hint, hint)

The more things change, the more they stay the same!

Right about now you’re probably laughing, shouting or just saying to yourself “well he’s just pointing out the problems we already know about… where are the answers loudmouth!”. I don’t blame you, I’d be saying the same thing.

So, what would I do?

Well, in my VERY uneducated opinion these are the things I’d do to make a start in getting to security utopia.

Back to basics

No point in wasting that €75,000 on an all singing, all dancing WAF solution.

What do you expect that WAF to protect? Get to the REAL problem. Train your developers, implement (or begin to implement) an SDLC / process to ensure secure code is put on the web, not Friday afternoon code!

Invest in some basic code analysis… even if that’s just grep and some regex. Start small, and focus on the biggest issues. No point in spending all your budget on a single XSS flaw, when your site is riddled with SQL Injection bugs.

Hardening

Is this a lost art form?

Your WAF / IDS / IPS / Firewall / Black Box with blinky lights, is not going to stop everything. Hardening a system was always the FIRST thing people did before unleashing it on the Interwebz. How about we don’t forget that, and actually spend some time coming up with secure base images for systems!

Hardening goes beyond the external… make sure that when an attacker gets onto your box, and yes the WILL, that they’re tools are useless. Remove netcat, remove GCC and the Linux headers, chroot everything. None of these is a foolproof solution, but make them fight for every inch, and just maybe you won’t be on the front-page of every major newspaper the world over.

Balance

I’ve already posted my thoughts on relying on vendors for everything, and I stick by that. It’s important to have a balance between technology, process and the trained staff to run things. Too much of one or the other and your doomed to failure.

The black box with blinky lights needs somebody to monitor it, tune it, and manage it. If that’s not part of your budget (along with appropriate training and testing time) then what do you expect to gain from buying it. It’s an all or nothing package, and saying “we’ll train on the job” is the first step towards the cliff.

Know your systems, know your company

It’s a sad day when a company gets hacked through a system they didn’t even know they had! Just look at the Sun newspaper. Hacked through old outdated websites they probably didn’t even know still existed anymore. You think you know your network? Go and double-check, because there’s a server somewhere you never know you had!

Security isn’t all about systems… it’s about protecting the business. Most InfoSec professionals however, have almost zero knowledge about what information is valuable to the company. How can you protect something you don’t even know exists. You can’t stop every attack, and trying is a fool’s errand. Knowing where your crown jewels are stored allows you to protect what you know is important, while trying to keep everything else as safe as it can be!

Well that’s it… I don’t think I have a magic pill for the world… but I’d rather accept that we’re part of the problem and start looking to solve it, then just close my eyes and hope for InfoSec Santa to bring me a new Firewall!

Merry Christmas… let’s make it a happy new year!

Tagged: new year, rant, same old problems

Cатсн²² (in)sесuяitу / ChrisJohnRiley

SANS Germany 2012

Eurotrashsec… the year that was!

General stats:

Top-5 countries:

Let 2012 begin!

Unsung heros

The CSRF that almost was…

So where does this work?

POC .:

Top 5 posts of 2011

Some stuff about SVN

svn diff

svn info

Metasploit Modules: A Year in Review

Metasploit Modules: Update 2011-12-26

Metasploit Modules: Update 2011-12-19

The more things change, the more they stay the same!

Back to basics

Hardening

Balance

Know your systems, know your company

Merry Christmas… let’s make it a happy new year!