Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

{Quick Post} Commandline Kung-fu needed! Apply within

Edit:

After some more playing, and some headache tablets, it seems I’ve found a solution (or should I say, found the bug in a solution I thought didn’t work)… I won’t post a spoiler just yet in case people are playing… but I will post the answer I found tomorrow once I have time!

In the meantime happy hunting…. and remember, Windows sucks sometimes!

—- —- —-

So, I’ve been fighting with the following command for a while and can’t quite get it working (due to whitespace or linefeeds at the end of the string). So I’m putting it out there and asking for help!

Goals:

Create a single Windows command line (not a script) that runs on all modern versions of Windows (no PowerShell here), resolves a local group name from its SID, and feeds this group name (including any spaces!) into a “net localgroup” command… It seems easy, but due to the spaces present in some group names, it’s a bit tricky to solve without some mystical command-line kung-fu that I certainly don’t seem to possess!

Example (not working):

For /F "usebackq Tokens=1* Delims==" %I In (`wmic group where sid^='S-1-5-32-551' get name /Value ^| Find "="`); do net user username password /ADD && net localgroup %J username /ADD

The above example uses the SID for “Backup Operators” as it contains a space… which meets the criteria! It also fails…

Example (working for group names w/o spaces only):

FOR /F "usebackq skip=1" %g IN (`wmic group where sid^='S-1-5-32-544' get name`); do net user username password /ADD && net localgroup %g username /ADD

This example works for group names like “administrators”, but if you alter the SID to S-1-5-32-551 then it will only take “backup” from the “backup operators” group name and therefore fail. It’s simple enough to fix if you know beforehand that the group has a space, but that’s not the point… we don’t know that for all cases.

Anybody got the smarts to solve this? I hate batch scripting!!!

Unsung Heroes (the list)

Back in January I had this crazy idea to make a list of tools/scripts/programs that some people considered the best thing since sliced bread, and others had never even heard of. Over the last couple of months I’ve received just over 30 entries from all areas of InfoSec… Not as many as I’d have liked, but still a few interesting gems in the mix.

As I said in the original post, I’ll be pulling a name out of the digital hat for a book from No Starch… as I’ve just finished reading the excellent “Tangled Web” I think it would make a great prize. I’ll be drawing and contacting the winner this week and will post their name on Twitter (unless they wish to remain anonymous).

I’ve created the following list in no particular order, and tried my best to categorize the entries. Some things fall into multiple categories, but I’m sure, like many tools, you can use them for a lot of fun things ;)

Category: Monitoring

  • pastebin.py (link)
    • Written by Xavier Garcia, this small python script continuously monitors pastebin.com, looking for interesting keywords (based on regex)
  • PasteLert (link)
    • PasteLert is a simple system to search pastebin.com and set up alerts (like google alerts) for pastebin.com entries.
  • OSSIM (link)
    • OSSIM is the de facto standard Open Source SIEM

Category: Forensics / Incident-Response
  • Xmount (link)
    • xmount allows you to convert on-the-fly between multiple input and output harddisk image types. xmount creates a virtual file system using FUSE
  • PhotoREC (link)
    • Specifically designed for digital photo recovery. Due to its algorithms for reconstructing files, it is also able to strip encryption from data in some cases.
  • TestDisk (link)
    • Great portable tool for performing a deep search and recovery of deleted partitions and files on physical drives and image files. It’s simple and scriptable.
  • TCPflow (link)
    • Very handy for quick recovery of *data* (payload without ip/tcp headers, etc) traversing a network interface as well as different data flows.
  • Network Miner (link)
    • A great tool for extracting information and transferred files from sniffed network traffic.
  • Chaos Reader (link)
    • A freeware tool to trace TCP/UDP/… sessions and fetch application data from snoop or tcpdump logs.

Category: Systems Administration
  • Deep Freeze (link)
    • Deep Freeze provides the ultimate workstation protection by creating a “frozen” snapshot of a workstation’s configuration and settings. Each time you restart your machine, Deep Freeze restores your computer to this desired “frozen” state.
  • splitcap (link)
    • Tool for splitting PCAP files
  • rawcap (link)
    • RawCap makes it possible to sniff network traffic on Windows machines without WinPcap.
  • Log Parser (link)
    • Log Parser 2.2 is a powerful, versatile tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows operating system such as the Event Log, the Registry, the file system, and Active Directory.
  • WOL-E (link)
    • WOL-E is a suite of tools for the Wake on LAN feature of network attached computers.

Category: End-point detection
  • GMER (link)
    • Application that detects and removes rootkits
  • Fail2Ban (link)
    • fail2ban checks log files for information on brute forcing attempts and exploit probing, and then temporarily “bans” the offending IP.
  • Sigtool (link)
    • Sigtool (part of clamav) lets you create your own signatures next to the “known” malware signatures. So when virustotal says “0/42”, you still can block the files.

Category: Penetration Testing
  • Ebrute (link)
    • Windows domain username enumeration via Kerberos
  • Arachni (link)
    • Web application scanner
  • Keimpx (link)
    • Covering the gap of MSF psexec spraying the domain with dumped credentials (pass the hash)
  • NfSpy (link)
    • Takes all the hard work out of spoofing one’s uid in order to gain access to all the files on an NFS share. Additionally, supports all sorts of shortcuts to get around “security measures” like firewalling port 111.
  • ratproxy (link)
    • A semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.
  • ThickNET (link)
    • Thicknet is a TCP session manipulation and take-over framework. It is a great tool for internal penetration testing. It is modular, which allows users to develop and customize the tool for their particular target protocols.
  • Tachyon (link)
    • Tachyon is a dead file scanner, written in python. The main goal of tachyon is to help webadmins find leftover files in their site installation, permission problems and web server configuration errors
  • SWFscan (link)
    • SwfScan decompiles Flash into source and checks it for security issues. Even if it doesn’t find security problems, discovery of additional server URLs, viewing application logic, and the opportunity to manually view the source for issues are invaluable. All done in a pretty nice GUI.
  • Mona (link)
    • Mona is a PyCommand for Immunity Debugger that replaces pvefindaddr.
  • UAtester (link)
    • A tool for testing web-site reactions to a range of User Agent strings. Useful for ensuring wide coverage of web applications.
  • Evilgrade (link)
    • Evilgrade is a modular framework that allows the user to take advantage of poor upgrade implementations by injecting fake updates.
  • PMCMA [Post Memory Corruption Memory Analysis] (link)
    • Helps automate the process of finding a way to exploit (known) arbitrary memory read/write vulnerabilities
  • MimiKatz (link)
    • Can recover clear text passwords of logged on users on a windows machine, by lsass injection.
  • OWTF (link)
    • The Offensive Web Testing Framework – An awesome framework, just recently developed, to help better test web applications both passively and actively.
  • Yeti (link)
    • A network footprinting tool from the SensePost crew
  • Reaver-WPS (link)
    • A tool for exploiting WPA/WPA2 issues (in particular the WPS bug)
  • Dirfuzz (link)
    • Directory discovery and info gathering of web applications
  • MORF v0.3 — NINJA ENCODER (link)
    • Encoder with a wide range of supported encoding types (URL, HTTP, Base64, HEX, MD5, SHA1, UTF-7…)

Category: Miscellaneous

  • xdotool (link)
    • This tool lets you simulate keyboard input and mouse activity, move and resize windows, etc. It does this using X11's XTEST extension and other Xlib functions.
  • Risu (link)
    • Risu is a Nessus parser that converts the generated reports into an ActiveRecord database; this allows for easy report generation and vulnerability verification.
  • Thinkst – Infosec Conference Collector (link)
    • An online tool for searching prior and upcoming conference talks. Useful for attribution, reference checking, and trend spotting. Doesn’t cover everything, but a good starting point.

I hope there’s at least 1 or 2 unsung heroes on the list for everybody… and if you have any additions, feel free to leave them in the comments, and I’ll update the post when I can! Thanks to all those who took part… this list is yours after all, not mine!

P.S: Thanks to the generous person who suggested UAtester… even if it was a joke ;)

What, more Python ctypes! – DNS TXT records

Yeah I know, this is turning into a Python blog, and not a very good one at that. Still, hang in there, because all these handy little scripts will make sense soon. Yes, there’s method in the madness!

For those who missed the earlier posts, you can view info on IcmpSendEcho, InternetConnectedState and WinInet (SSPI).

So we’ve covered some interesting stuff, but one thing was still bugging me… Thanks to a pointer by Didier Stevens (literally, it was a pointer issue), I managed to get a simple DnsQuery script running to gather and display DNS Text records.

Again, the script is a little large to post on the blog in its entirety, but I’ve included the dnsapi.DnsQuery_A call below for those searching for that specific function. There’s a lot more to getting this running than just the code below, but for the full picture you can download the example source (dnstxt.py) below.

....
dnsquery = dnsapi.DnsQuery_A(
           dns,             # pszName: the name to look up (e.g. "c22.cc")
           DNS_TYPE_TEXT,   # wType: 0x0010, TXT records
           Options,         # DNS_QUERY_* option flags (e.g. force TCP)
           False,           # pExtra: NULL, reserved
           precord,         # ppQueryResults: receives the PDNS_RECORD result list
           False,           # pReserved: NULL
           )
....

As with the other examples I’ve created a small (and narrowly focused) tool to retrieve DNS TXT records and display them on the screen. It’s a simple script that takes a DNS name, with options to restrict the request to UDP or TCP only if desired. It’s interesting to use UDP only to test whether TXT records are too large and need TCP. Feel free to check it out on c22.cc (whose TXT record is too large for UDP).

Those who’ve done any work with Python will know that there are a few modules you can download and install to handle DNS requests of various types. Modules like PyDNS and dnspython are going to give you more flexibility for most things, unless you really need (or want) to go the ctypes route of course… yes, I’m a sucker for punishment!

Example use:

The above example runs with the default UDP and TCP requests and merges the responses into a unique list to return to the user. By selecting --udponly you can restrict the request to UDP traffic only (see below).

Specifying --tcponly works the same way, but restricts the request to TCP only. Specifying both is just stupid ;)
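As an added example (my own code, not the post’s dnstxt.py, and deliberately not using the Windows DnsQuery_A API so it runs anywhere): a pure-Python version of the same tool. It builds the TXT query by hand, parses the reply (including the length-prefixed character-strings that TXT data is carried in), and queries over UDP and/or TCP so the case the post describes, TXT data too large for UDP and the TC bit set in the reply, is visible to the caller. The resolver address 8.8.8.8 is an assumption (any recursive resolver works), and the names and records in the offline sample are constructed.

```python
import argparse
import socket
import struct

DNS_TYPE_TEXT = 0x0010   # TXT: the same wType value the post hands to DnsQuery_A
CLASS_IN = 0x0001
FLAG_TC = 0x0200         # header "truncated" bit: the answer did not fit in the UDP reply

def _encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_txt_query(name, txid=0x1234):
    """Standard recursive (RD=1) query carrying one TXT/IN question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack(">HH", DNS_TYPE_TEXT, CLASS_IN)

def build_txt_response(name, records, truncated=False, txid=0x1234):
    """Encode a reply the way a server would (used for the constructed offline sample).
    `records` is a list of TXT records, each a list of character-strings (<= 255 bytes)."""
    flags = 0x8180 | (FLAG_TC if truncated else 0)          # QR=1, RD=1, RA=1
    msg = struct.pack(">HHHHHH", txid, flags, 1, len(records), 0, 0)
    msg += _encode_name(name) + struct.pack(">HH", DNS_TYPE_TEXT, CLASS_IN)
    for strings in records:
        rdata = b"".join(bytes([len(s)]) + s.encode("utf-8") for s in strings)
        # 0xC00C is a compression pointer back to the question name at offset 12
        msg += b"\xC0\x0C" + struct.pack(">HHIH", DNS_TYPE_TEXT, CLASS_IN, 300, len(rdata)) + rdata
    return msg

def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                            # pointer to an earlier name
            end = off + 2 if end is None else end
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), off if end is None else end

def parse_txt_response(msg):
    """Return (truncated, list of TXT strings) from a raw DNS response message."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                      # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    texts = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == DNS_TYPE_TEXT:
            parts, p = [], 0
            while p < len(rdata):                            # <len><bytes> character-strings
                n = rdata[p]
                parts.append(rdata[p + 1:p + 1 + n].decode("utf-8", "replace"))
                p += 1 + n
            texts.append("".join(parts))
    return bool(flags & FLAG_TC), texts

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk: raise ConnectionError("DNS server closed the TCP connection early")
        buf += chunk
    return buf

def query_txt(name, server="8.8.8.8", udp=True, tcp=True, timeout=3.0):
    """Query over UDP and/or TCP; return (unique TXT strings, UDP reply was truncated)."""
    query, answers, truncated = build_txt_query(name), [], False
    if udp:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, 53))
            data, _ = s.recvfrom(4096)
        truncated, texts = parse_txt_response(data)
        answers += texts
    if tcp:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack(">H", len(query)) + query)  # TCP frames each message with its length
            data = _recv_exact(s, struct.unpack(">H", _recv_exact(s, 2))[0])
        answers += parse_txt_response(data)[1]
    return list(dict.fromkeys(answers)), truncated

if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Fetch TXT records over UDP and/or TCP")
    ap.add_argument("name")
    ap.add_argument("--udponly", action="store_true")
    ap.add_argument("--tcponly", action="store_true")
    args = ap.parse_args()
    found, was_truncated = query_txt(args.name, udp=not args.tcponly, tcp=not args.udponly)
    print("\n".join(found) or "(no TXT records)")
    if was_truncated:
        print("(UDP answer was truncated: the TXT data needs TCP)")
```

Run it as `python dnstxt_pure.py c22.cc --udponly` to see the truncation flag on a large record; without flags it does what the post’s tool does, merging the UDP and TCP answers into one de-duplicated list. The two-byte length prefix on TCP and the pointer handling in `_read_name` are the parts that usually bite when people hand-roll DNS.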

dnstxt:

  • Python source code --> HERE
  • dnstxt.exe --> HERE

Feel free to leave any comments if you have ideas, uses, or generally want to laugh at my bad coding ;)

Links:

  • DnsQuery Reference – MSDN

{Quick Post} URL shortcuts

I’ve had this little snippet hanging about for a while, and I’m almost sure 99% of people are already aware of this, but hey, that still means 1% aren’t. So here’s a quick quirk that I noticed a few years back in the way browsers process values entered into the location bar.

If you’re like most users, you type google.com to get to Google much more than you type http://www.google.com… after all, if HTTP is the default and the remote site handles the redirect to the right place, it’s all good! Still, in the location bar, HTTP isn’t the default! Before trying that, your browser is going to check you didn’t mean something else…

To test this, create a shortcut on your Windows desktop called yahoo.com and assign the shortcut to go to http://www.google.com… if you want to do this programmatically, just open an editor and enter the following:

[InternetShortcut]
URL=http://www.google.com/
IDList=

Now save that as yahoo.com.url on the desktop and open your favourite browser. Type yahoo.com into the location bar and see what happens!

Conclusion:

As far as a security issue goes, I’m not sure you can class this as a problem. After all if you have the ability to edit files on a system, then surely altering the etc/hosts file would be more effective. Still, maybe on restricted systems this might come in handy!

Note:

A few people have mentioned that this seems fixed in the latest Chrome and in IE 8. Tested this end and IE 7 is “vulnerable” to this quirk. Nice to see browser vendors have started fixing this over the past year or so!
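Added example, not from the original post: a small Python scanner that approaches the quirk from the defender’s side. It parses .url files (the INI layout shown above) in a folder and reports any whose filename reads like a hostname while the URL= target points at a different host, which is exactly the yahoo.com -> google.com shortcut the post describes. The folder contents built by demo() are constructed sample data, the hostname regex is a simplification, and nothing here depends on the browser behaviour itself, so it runs on any OS.

```python
import configparser
import os
import re
import shutil
import tempfile
from urllib.parse import urlsplit

# A shortcut name that reads like a registrable hostname (e.g. "yahoo.com");
# simplified on purpose, it does not try to validate every legal label.
HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)

def write_shortcut(folder, name, url):
    """Write <name>.url using the same INI layout the post shows."""
    path = os.path.join(folder, name + ".url")
    with open(path, "w", encoding="ascii") as f:
        f.write("[InternetShortcut]\nURL=%s\nIDList=\n" % url)
    return path

def shortcut_target(path):
    """Return the URL= value of a .url file, or None if it has none."""
    cp = configparser.ConfigParser(interpolation=None)
    with open(path, encoding="utf-8", errors="replace") as f:
        cp.read_file(f)
    return cp.get("InternetShortcut", "URL", fallback=None)

def find_hostname_shortcuts(folder):
    """List (shortcut name, target URL) for .url files whose name looks like a
    hostname but whose target lives on a different host."""
    findings = []
    for entry in sorted(os.listdir(folder)):
        if not entry.lower().endswith(".url"):
            continue
        name = entry[:-4].lower()
        if not HOSTLIKE.match(name):
            continue                      # "Work intranet.url" is an ordinary shortcut
        target = shortcut_target(os.path.join(folder, entry))
        host = (urlsplit(target or "").hostname or "").lower()
        if host != name and not host.endswith("." + name):
            findings.append((entry[:-4], target))
    return findings

def demo():
    """Constructed sample: three shortcuts in a scratch folder, one of them the
    yahoo.com -> google.com example from the post."""
    folder = tempfile.mkdtemp(prefix="urlscan-")
    try:
        write_shortcut(folder, "yahoo.com", "http://www.google.com/")
        write_shortcut(folder, "example.test", "http://www.example.test/")
        write_shortcut(folder, "Work intranet", "http://intranet.example.test/")
        return find_hostname_shortcuts(folder)
    finally:
        shutil.rmtree(folder)

if __name__ == "__main__":
    for name, target in demo():
        print("shortcut %r points at %s" % (name, target))
```

Point `find_hostname_shortcuts()` at a user’s Desktop folder to check real shortcuts; a name that matches its own target (example.test -> www.example.test) is left alone, so the output is only the shortcuts that would redirect a typed hostname somewhere else.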
