Friday, 10th September 2010.

Posted on Wednesday, 23rd September 2009 by Michael

BlackBerry Firewall guide

A few months ago I wrote an article on the BlackBerry firewall for InformIT.com, and my buddy Seth Fogie published it. You can find the article here:

http://www.informit.com/guides/content.aspx?g=security&seqNum=348

Posted in Papers | Comments (0)

Posted on Wednesday, 23rd September 2009 by Michael

Authentication Proxies: Secure or Not?

A while back I wrote on cached credentials and proxy authentication in regards to spyware. I have since rewritten the paper and cleaned it up a bit, and had InformIT.com publish it for me; to see it, check out the URL below. This version includes the .NET code to make it work.

http://www.informit.com/guides/content.aspx?g=security&seqNum=350

Posted in Papers | Comments (0)

Posted on Wednesday, 23rd September 2009 by Michael

Fun with Poison Ivy

Poison Ivy is a remote access Trojan (tool) that can be found at the following URL: http://poisonivy-rat.com, and a support forum can be found here: http://ratforge.net/forums/ . Please note that these are Trojans, and neither www.digitaloffensive.com nor any of its staff is responsible for any use or misuse of these files.

Recently I had the opportunity to take a close look at the Poison Ivy RAT and run it through a real-world scenario in a controlled lab environment. The tool comes as a single EXE that lets you build a server executable from variables you select in the GUI configuration under the New Server option. Neither the client nor the server was detected by Norton, McAfee, AVG or Trend Micro, which may be because the version I was using had been released only a day earlier. I did find it a bit odd that inside VMware it would not run and would constantly crash. My first thought was that the creator did not want their code analyzed, but a quick Google search showed that many people had this issue, which was quickly fixed by disabling DEP.

One of the biggest reasons I loved this Trojan so much was that it provided us with a shoveled (reverse) shell / connect-back connection. This means that no matter what ports were open inbound on the target's firewall we were guaranteed access, because most of them were not doing egress filtering. Poison Ivy provides an easy and repeatable server creation process using profiles to save and quickly load your favorite configurations. The wizard walks you through each step, asking what you would like to choose. On screen 1 we created our connections, which is where we put in the phone-home IP or IPs as well as the shared password. Screen 2 walks you through the install options, i.e. run on startup, place in registry, place in active control, copy itself to folders and more. The third screen provides the advanced feature options. Here we can change its mutex name so we can run multiple instances of Poison Ivy on each machine, inject the Trojan into the browser, make it persistent, inject it into a running process and, my favorite, hide in ADS (alternate data streams, thank you Microsoft). The 4th menu allows you to add additional build features such as an external packer to hide it from AV better. The final screen is the actual generation of the Trojan server executable.

In the lab we used Core Impact as well as several other commercial and non-commercial exploit tools to gain access to the machines and install Poison Ivy. Once we had Poison Ivy installed we were able to view the user's screen in near real time by changing the screenshot capture interval to 5 seconds (I don't suggest doing this over an Internet connection), record every key they typed, spawn remote shells, control processes and services, and do countless other things. Another really good thing it did was show us in red every place it had hooked in, so we could make sure we did not accidentally kill it while killing other processes or files. Once installed, Poison Ivy was able to maintain our access through the day; even when it was killed it would re-spawn itself and connect back to us, letting us know it was alive.
The only downfall of Poison Ivy is that since it is a connect-back Trojan, the user has the ability to find our IP and block it in the firewall, though there are several ways around this. The one built into Poison Ivy is the ability to update the code on the fly by replacing the EXE with a newly compiled one, allowing it to talk back to a new IP or FQDN.
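The connect-back behaviour described above (the server phoning home on a schedule and reconnecting after being killed) is also what gives a defender something to look for on the egress side, which is where most of those networks had nothing. The following script is an added example, not code from the original post or from the Poison Ivy project: it reads constructed firewall log lines (the field layout `timestamp ALLOW TCP src:port -> dst:port` is invented for the demo) and flags source/destination pairs whose connection intervals are too regular to be a person browsing. The thresholds (at least five connections, coefficient of variation of the gaps at most 0.1) are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed egress log for the demo (made up; the field layout is an assumption).
# One host browses a few sites and, in between, phones home to 203.0.113.7:443
# roughly every 60 seconds, the way a connect-back RAT does.
SAMPLE_LOG = """\
2009-09-23T10:00:00 ALLOW TCP 10.1.1.25:49152 -> 203.0.113.7:443
2009-09-23T10:00:04 ALLOW TCP 10.1.1.25:49153 -> 198.51.100.20:80
2009-09-23T10:01:00 ALLOW TCP 10.1.1.25:49154 -> 203.0.113.7:443
2009-09-23T10:01:31 ALLOW TCP 10.1.1.25:49155 -> 198.51.100.33:80
2009-09-23T10:02:01 ALLOW TCP 10.1.1.25:49156 -> 203.0.113.7:443
2009-09-23T10:02:45 ALLOW TCP 10.1.1.25:49157 -> 198.51.100.20:80
2009-09-23T10:03:00 ALLOW TCP 10.1.1.25:49158 -> 203.0.113.7:443
2009-09-23T10:04:00 ALLOW TCP 10.1.1.25:49159 -> 203.0.113.7:443
2009-09-23T10:05:01 ALLOW TCP 10.1.1.25:49160 -> 203.0.113.7:443
2009-09-23T10:09:12 ALLOW TCP 10.1.1.25:49161 -> 198.51.100.20:80
"""

LINE_RE = re.compile(r"^(\S+) ALLOW TCP (\d+\.\d+\.\d+\.\d+):\d+ -> (\S+)$")


def parse_connections(log_text):
    """Group connection timestamps by (source host, destination host:port).
    The source port is dropped: it changes on every outbound connection."""
    conns = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            conns[(m.group(2), m.group(3))].append(datetime.fromisoformat(m.group(1)))
    return conns


def find_beacons(log_text, min_connections=5, max_jitter=0.1):
    """Flag pairs whose inter-connection gaps are too regular for a human:
    at least `min_connections` connections and a coefficient of variation
    (std dev / mean of the gaps) no larger than `max_jitter`."""
    hits = []
    for (src, dst), stamps in parse_connections(log_text).items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits.append({"src": src, "dst": dst, "connections": len(stamps),
                         "mean_interval": avg, "jitter": jitter})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['dst']}: {hit['connections']} connections, "
              f"every {hit['mean_interval']:.1f}s (jitter {hit['jitter']:.3f})")
```

On the sample data only the 203.0.113.7:443 pair is reported (six connections, about 60 s apart); the browsing to 198.51.100.20 has gaps of 161 s and 387 s and is far too irregular even when the minimum connection count is lowered. A server that randomises its sleep widely, or one that only beacons a few times a day, will slip under a threshold like this, so treat the output as a lead to confirm by looking at the process on the host, not as a verdict.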

In short, I would like to give kudos to the Poison Ivy team for a finely crafted tool and for supplying us several hours of fun while remaining undetected by AV.

Posted in Papers | Comments (0)

Posted on Wednesday, 23rd September 2009 by Michael

CACHED CREDENTIALS, PROXY AUTHENTICATION and SPYWARE OH MY!

Recently a client of mine and I had a long-winded debate about the dangers of not protecting machines from spyware and other malware. The client swore up and down that since they had an authenticating proxy that required the Windows cached credentials to access the Internet, they were protected. They believed that the proxy prevented spyware and other malware from phoning data home, as the spyware would not have access to the cached credentials needed to get through the proxy. We spent a lot of time searching for known spyware or other malware that could use Windows cached credentials and could not find any. The results we did come up with were articles on how using an authenticating proxy helps cut down on spyware and other malware, as they cannot phone home. Even though all the data pointed to me being wrong, I knew that if it did not currently exist, it would as spyware evolved.

Even though I continued to argue my points and tried to provide relevant supporting data to back up my concerns, they were still firm that spyware is not an issue. So I set out to prove them wrong. I remembered that back in the day when I used to write applications in Visual Basic you could make a web browser in just a few minutes. Visual Basic lets you do this through the WebBrowser component, which uses the Internet Explorer engine. With this in mind I formulated my first theory: if it used the Internet Explorer engine, then it should pick up Internet Explorer's proxy settings and use the cached credentials to authenticate too, without the need to steal them or anything else.

To test this I wrote a quick web browser using the WebBrowser component in Visual Basic. Once I completed the code I disabled the proxy in Internet Explorer to make sure that without it checked I did not have Internet access. Once I verified I did not have Internet access I launched the web browser I had just coded and witnessed the same thing. I then re-enabled the proxy settings in Internet Explorer and repeated the test. This time both Internet Explorer and the web browser I built connected to the Internet. With the theory that my web browser uses the cached credentials proven correct, I moved on to actually sending data out through the proxy/firewall. To accomplish this I decided to use an HTTP POST, as it lets me submit data to a form over port 80 using the HTTP protocol, which the proxy/firewall allows for authenticated users. I found an old "shoutbox" script and used the "Live HTTP Headers" extension for Firefox to see what a post looked like. Once I captured the POST headers I broke the request down in my application into two parts: part one was the POST string and part two was the data I recorded from user input. Once I clicked the execute button the data was posted to the shoutbox application and my theory was proven fact.

To double verify my theory I ran a second set of tests:

Test 2: Using Raw packet tools to test my theory.

Without firewall rule allowing me to bypass the proxy

C:\>nc -vv xxxx.net 80

DNS fwd/rev mismatch: xxxx.net != lambda.xxxxxxx.com

xxxxx.net [xxx.xxx.xxx.xxx] 80 (http): TIMEDOUT  <-- Failed

sent 0, rcvd 0: NOTSOCK

As you can see, when I have to go through the proxy, Netcat cannot automatically authenticate to it, hence my HTTP connection to xxxxx.net fails.

With firewall rule allowing me to bypass the proxy

C:\>

C:\>nc -vv xxxxx.net 80

DNS fwd/rev mismatch: xxxx.net  != lambda.xxxxxx.com

xxxxxx.net [xxx.xxx.xxx.xxx] 80 (http) open  <-- Worked

C:\>

As you can see, with a rule in the firewall allowing me to bypass the proxy and go straight out through the firewall, Netcat can connect via HTTP to xxxxx.net since it does not have to authenticate.

In the wild a malicious person could use a vulnerability in Internet Explorer to download the application and execute it in the background, or they could email it to a user and have them run it. The application does not require admin rights; all it needs is the ability to use the Internet Explorer engine as the logged-on user.
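To make the mechanics behind the two tests concrete, here is an added example (not the .NET code from the InformIT article, and not part of the original post) that stands up a mock authenticating proxy on localhost and sends the same kind of form POST through it twice: once as a raw client that cannot answer the challenge, which is what happens to Netcat, and once as a client that responds to the 407 Proxy Authentication Required challenge with credentials, which is what the IE engine does transparently with the logged-on user's cached credentials. The mock uses Basic authentication and made-up credentials for simplicity; a real corporate proxy would use NTLM or Kerberos, and the shoutbox URL is a placeholder.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed lab credentials for the mock proxy (assumption, not from the post).
PROXY_USER = "CORP\\jdoe"
PROXY_PASS = "example-password"


def basic_token(user: str, password: str) -> str:
    """Value of a Basic Proxy-Authorization header for user:password."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


class MockAuthProxy(BaseHTTPRequestHandler):
    """Stand-in for the authenticating proxy: any request without a valid
    Proxy-Authorization header is answered with 407 and a challenge."""

    def _handle(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain the body
        if self.headers.get("Proxy-Authorization") == basic_token(PROXY_USER, PROXY_PASS):
            status, body = 200, b"forwarded by mock proxy"
        else:
            status, body = 407, b"proxy authentication required"
        self.send_response(status)
        if status == 407:
            self.send_header("Proxy-Authenticate", 'Basic realm="corp-proxy"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = do_POST = _handle

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_proxy() -> HTTPServer:
    """Start the mock proxy on a free localhost port in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), MockAuthProxy)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def _post_once(port: int, data: bytes, headers: dict) -> http.client.HTTPResponse:
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    # A proxy client sends the absolute URL of the origin server as the target.
    conn.request("POST", "http://xxxxx.net/shoutbox.php", body=data, headers=headers)
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp


def post_via_proxy(port: int, data: bytes, credentials=None) -> int:
    """POST form data through the proxy and return the final HTTP status.

    Without credentials this behaves like Netcat in Test 2: the 407 is the end
    of the road.  With credentials it answers the challenge on a second
    request, as the IE engine does automatically with the cached logon."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    resp = _post_once(port, data, headers)
    if resp.status == 407 and credentials is not None:
        headers["Proxy-Authorization"] = basic_token(*credentials)
        resp = _post_once(port, data, headers)
    return resp.status


if __name__ == "__main__":
    proxy = start_proxy()
    port = proxy.server_address[1]
    payload = b"message=hello+from+behind+the+proxy"  # constructed form data
    print("raw client: ", post_via_proxy(port, payload))                            # 407
    print("with creds: ", post_via_proxy(port, payload, (PROXY_USER, PROXY_PASS)))  # 200
    proxy.shutdown()
```

The point the client kept missing is visible in `post_via_proxy`: the credentials are supplied by the client library, not typed by the user, so any process running as that user that links the same engine (or simply asks the OS for the current logon token) gets them for free. Authenticating proxies are a useful control for what they do (tying traffic to an identity and producing a log), but they are not an egress filter for malware running in the user's session.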

I will upload the POC once I show the company my findings later this week. IP and URL’s have been altered to protect them.

Posted in Papers | Comments (0)

Posted on Wednesday, 23rd September 2009 by Michael

The IRS has partnered up with China to help you get a tax bonus!

As some of you know, my day job has me providing security guidance to a large user base that varies in technical skill. Every day we get several requests asking whether something is a scam or phishing attempt, and when time allows we do the research.

Today’s phishing question had to do with the following email:

From: Internal Revenue Service (IRS) [mailto: taxrefund@0x6c.3xdb24d6.irs.gov]
Sent: Tuesday, May 20, 2008 7:25 AM
Subject: Tax Notification

Internal Revenue Service (IRS)
United States Department of the Treasury

Dear Taxpayer,

After the last annual calculations of your fiscal
activity we have determined that you are eligible
to receive a tax refund of $184.80.

Please submit the tax refund request and allow us
6-9 days in order to process it.

A refund can be delayed for a variety of reasons.
For example submitting invalid records or applying
after the deadline.

To access the form for your tax refund, use the following personalized link:

http://0x7C.0xDB11D1/www.irs.gov/

Regards,
Internal Revenue Service

Document Reference: (0x7C.0xDB11D1).

I did some quick initial research and replied to the end user with the following information:

From: Internal Revenue Service (IRS) [mailto: taxrefund@0x6c.3xdb24d6.irs.gov]
Sent: Tuesday, May 20, 2008 7:25 AM
Subject: Tax Notification

Unfortunately we do not have the full headers here so I cannot confirm or deny the email address above. But I can tell you just looking at it does look real suspicious.

Internal Revenue Service (IRS)
United States Department of the Treasury

Dear Taxpayer,

The IRS knows you and would address you by your full name, e.g. John Smith, not Dear Taxpayer.

After the last annual calculations of your fiscal
activity we have determined that you are eligible
to receive a tax refund of $184.80.

Please submit the tax refund request and allow us
6-9 days in order to process it.

In the past whenever the IRS has owed an individual additional money / rebates they never required additional requests, e.g. the recent bonus rebates.

A refund can be delayed for a variety of reasons.
For example submitting invalid records or applying
after the deadline.

To access the form for your tax refund, use the following personalized link:

http://0x7C.0xDB11D1/www.irs.gov/

This web address is bogus. The IRS's real site is http://www.irs.gov. If you Google the address you will find these links http://www.google.com/search?hl=en&q=0x7C.0xDB11D1 showing that this is indeed a scam.
According to this site the URL no longer works, though I do not suggest you click it: http://www.phishtank.com/phish_detail.php?phish_id=448690&frame=site. That link will allow you to see the site in a protected format; if you hover over the links on the site you will see that many of them do not go to the IRS site.

It is my belief that 0x7C.0xDB11D1 is another URL encrypted with hexadecimal (a computer language) that basically uses some form of cross-site scripting, site spoofing, or redirection to steal your information.

Regards,
Internal Revenue Service

Document Reference: (0x7C.0xDB11D1).

Though the response above works for our end users, this interested me, so I decided to research it further. Looking at the URL, I figured the phishers had either come up with a new way, or were using an old way that still worked, to obfuscate the URL.

(Before doing any of the below please make sure you are using a live boot cd or a machine that you do not care about. I am not responsible if you infect yourself.)

So first I wanted to decode the URL http://0x7C.0xDB11D1. Using a hexadecimal conversion sheet that I found at http://www.dewassoc.com/support/msdos/decimal_hexadecimal.htm
I was able to translate the obfuscated URL to the IP address 124.219.17.209. The first component, 0x7C, is 124; the second component, 0xDB11D1, is a 24-bit number that supplies the remaining three octets: 0xDB = 219, 0x11 = 17 and 0xD1 = 209. Windows accepts this dotted-hex form as an address, so you could also decode it with the ping -a command, which will resolve it to the numeric IP address.

Second, I used Wireshark to capture traffic to and from the site to see if it used any droppers or scripts for redirection or infection. I did not see anything out of the ordinary.

Third, I used Firefox and the Live HTTP Headers plug-in to capture traffic to and from the site to see if any scripts or redirection took place, and I did not see anything.

Fourth, I manually analyzed the source code of http:// 0x7C.0xDB11D1/ and of the redirected sites and did not see anything in the code that was obfuscated or out of the norm. The hacked pages pulled a lot of the IRS images and style sheets to make them look like the real thing, but the attacker did an extremely poor job of hiding the URL, which clearly is not that of the IRS.

Fifth, I manually tried changing the URL: instead of using http:// 0x7C.0xDB11D1/www.irs.gov I tried http:// 0x7C.0xDB11D1/www.digitaloffensive.com and got a page cannot be found error. This makes me believe that on the site http:// 0x7C.0xDB11D1 (124.219.17.209) there is a subfolder called www.irs.gov that has a file in it that does the redirection to random sites. I say random sites because during my analysis of this issue two different redirected hacked URLs showed up. I tried to mirror the site http:// 0x7C.0xDB11D1 with wget -rm http:// 0x7C.0xDB11D1 but most of the directories cannot be accessed. I even tried to mirror it with wget -rm http:// 0x7C.0xDB11D1/www.irs.gov/ and that was able to download one of the other hacked sites but still did not provide the redirection source.

In conclusion, this is just another phishing scam where the attackers are relying on human stupidity to click on a link and supply personal information to them. Please heed your IT / IS department's warnings about email scams, as they are only trying to protect you from yourself.

Posted in Papers | Comments (0)

Posted on Wednesday, 23rd September 2009 by Michael

More IRS Shenanigans

Today our director of Internal Audit dropped on my desk a printed email that looked exactly the same as the scam email I wrote about a few weeks ago in the post called "The IRS has partnered up with China to help you get a tax bonus!". Since I have had a huge increase in traffic since the original story from people searching for what 0x7C.0xDB11D1 was, I figured I would do a follow-up to help others who may be seeing this for the first time.

This time, however, the amount is no longer $184.80; they now say you are entitled to a whopping $284.80, an increase of $100.00.

The URL has changed slightly: instead of http://0x7C.0xDB11D1/www.irs.gov/ it is now http://2081062820/www.irs.gov/. This time the host is not dotted hex but the whole 32-bit address written as one decimal number (a so-called dword address); decoded, the new URL is http://124.10.127.164/www.irs.gov/. At the time of this writing it looks like the URL has been removed and is no longer working to con innocent people out of their information. To see how I decoded the URL please read the original story posted here http://www.digitaloffensive.com/index.php?option=com_content&task=view&id=23&Itemid=2 .

The third change was the "Document Reference Number". In both emails this number was just the obfuscated URL, there to make the message look more official and help the target take the bait. In the first mail the "Document Reference Number" was 0x7C.0xDB11D1 and in the second one it was 2081062820.
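Both obfuscations seen in these two IRS posts, the dotted hex 0x7C.0xDB11D1 in the first email and the decimal 2081062820 in this one, are just alternative spellings that the C inet_aton() address parser (and therefore browsers, ping and wget) accepts. The following is an added example, not code from the original posts, that decodes them the same way the parser does; it goes beyond the two cases on the page and also handles octal components and mixed forms with two or three dotted parts, where the last part fills the remaining low-order bytes.

```python
from urllib.parse import urlsplit


def _c_number(part: str) -> int:
    """Parse one dotted component the way C's inet_aton() does:
    0x... is hexadecimal, a leading 0 means octal, anything else is decimal."""
    p = part.strip().lower()
    if p.startswith("0x"):
        return int(p[2:], 16)
    if len(p) > 1 and p.startswith("0"):
        return int(p, 8)
    return int(p, 10)


def decode_obfuscated_ip(host: str) -> str:
    """Return the dotted-decimal address behind an obfuscated host such as
    '0x7C.0xDB11D1', '2081062820' or '0x7C.219.0x11D1'.

    inet_aton() rules: with one part the whole 32-bit address is in it, with
    two parts the last one holds the low 24 bits, with three it holds the low
    16 bits, and with four parts each is one octet."""
    parts = [_c_number(p) for p in host.split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"{host!r}: expected 1-4 dotted components")
    widths = [8] * (len(parts) - 1) + [32 - 8 * (len(parts) - 1)]
    value = 0
    for number, width in zip(parts, widths):
        if not 0 <= number < (1 << width):
            raise ValueError(f"{host!r}: component {number} does not fit in {width} bits")
        value = (value << width) | number
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def decode_url_host(url: str) -> str:
    """Pull the host out of a phishing URL and decode it."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"{url!r}: no host")
    return decode_obfuscated_ip(host)


if __name__ == "__main__":
    for sample in ("http://0x7C.0xDB11D1/www.irs.gov/", "http://2081062820/www.irs.gov/"):
        print(sample, "->", decode_url_host(sample))
```

Run against the two URLs from these posts it prints 124.219.17.209 and 124.10.127.164. For a mail filter the useful rule is the inverse: any link whose host is not a plain four-part dotted decimal address or a name, i.e. anything this decoder has to work on, is worth flagging, because there is no honest reason to write an address that way.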

Once again, the only way for us to help protect our end users is through constant reminders and training.

Posted in Papers | Comments (0)

Posted on Wednesday, 23rd September 2009 by Michael

I am not your Pal. How to detect PayPal-based phishing scams.

The term phishing originated by taking the term fishing, meaning to bait and catch, and using a language of the computer underground where they commonly replace the letter F with PH. Digital criminals use cunning techniques to trick their victims into taking the bait … hook, line and sinker! The victim usually ends up exposing themselves to identity theft, loss of funds and other unpleasant consequences.

Though many companies like PayPal and eBay take many security measures to protect you it’s the human factor, known as Social Engineering, which these predators are counting on. They’re hoping to trick you mentally into believing that they are who they say they are or if you don’t reply bad things will happen.

PayPal has published a list of common email phishing tactics and a list of ways to detect fake emails that can be viewed here:  https://www.paypal.com/us/cgi-bin/webscr?cmd=xpt/Help/popup/RecognizeSpoof-outside . We strongly suggest that you read this information on PayPal’s website in its entirety, as it is only 3 pages long, but could save you time and money down the road.

Let’s take a look at the following email and see if you can point out the tell-tale signs that it’s a fake. The most important thing to remember, no matter how the email looks, is if you’re unsure of the email’s authenticity manually type in the company’s website and contact them via the phone number found on their site. This assures that you aren’t tricked into a fake site that may contain a fake number.

Another thing to remember is that if you do not have a PayPal account then just delete the email as it‘s definitely a trick.

[Figure p1: the phishing email as it appeared in Outlook]

Here are some tell-tale signs that will help you quickly identify a phishing attempt.

First, the From says PayPal Department but the actual email address is norelay@steelworks.org. That's not from the PayPal domain, which should have been name@paypal.com. There are ways to spoof the domain, so just because the email shows the real domain name don't base its authenticity on that alone.

Second, the message is addressed to Dear PayPal User. Though PayPal, eBay and many other large companies deal with millions, if not billions, of people, they'll always use the name that's on your account. For example: John Bishop Smith or Jane Y Smith. They will never use a generic greeting.

The third tell-tale sign isn’t very noticeable to the naked eye. If you hover your mouse over the website address Outlook will either show a balloon pop up with the real website that it will take you to, if you clicked it, or it will show the real website address in the Outlook status bar at the bottom of Outlook.

[Figure p2: the pop-up showing the real destination of the link]

The website address in the pop up doesn’t look like https://www.paypal.com at all! This can also be spoofed through other means to make the pop up show a PayPal website address.

Fourth is the content of the email. The attacker is trying to persuade you with a false sense of urgency to click the link. It’s better to have your account suspended than clicking the link.

To summarize: whenever you receive these types of emails it's best to delete them and contact the company through a manual process to assure that you are not being tricked into falling for a scam. We suggest that you manually type in the PayPal address https://www.paypal.com to verify any information, or call them at 1-888-221-1161.

I provided you with a few tell-tale signs to help protect you from falling victim to these attacks. If you have any questions or concerns please feel free to contact me.

Posted in Papers | Comments (0)

Posted on Wednesday, 23rd September 2009 by Michael

Instant IDS v1.0

Instant IDS v1.0 is a custom shell script that will automatically download, configure and run Snort IDS and BASE web gui.

Though this script has been tested in depth, I, the author, do not guarantee that it will work or that it will not harm your system. Since this is a shell script and can be easily edited, I strongly suggest that you don't download it from any site but http://www.digitaloffensive.com, and that you read it before running it as root. Please note that IDS systems need to be configured to work properly in your environment; until they are tuned you may receive false positives.

This script has been tested in-depth on CentOS 5.0, Fedora Core 7 and Fedora Core 6. This script should work on any other Linux flavor that makes use of yum and chkconfig.

This script currently makes use of Snort 2.7 and the rules that were released with this version. We do not download new rules for you, as Snort requires a user account to download newer rules. We strongly suggest that if you like the Snort product you subscribe to their rule subscription service to receive new rules faster.

What is needed?

a)      A default install of Linux with gcc (no need to choose http, mysql or anything like that)

b)      An Internet connection

What Does Instant IDS provide you?

Instant IDS provides you with a fully functional IDS system in minutes. The script downloads all the services, libraries and packages that are needed. It installs and configures each of these items based on the underlying operating system. It also configures and starts the needed services based on user input. Once done it leaves you with a fully working IDS system running Snort, MySQL and BASE.

What are we planning to do in the future?

Since 96% of the script pulls the newest packages using yum, we plan to keep the script up to date as new versions of Snort, BASE and libpcap are released. We plan to make the script more customizable by introducing the ability to configure variables. We plan to add more advanced error checking and improve the code. We also plan to have it lock down the box as much as possible based on user input. With all this said, we rely on the users of the script to tell us what they like and don't like and what they would like us to do in future releases.

How to use Instant IDS

a)      cd /root

b)      wget http://www.digitaloffensive.com/snort/snort.sh

c)       chmod u+x snort.sh (the script only needs to be executable by root; world-writable 777 is not necessary)

d)      ./snort.sh

e)      Answer the questions that you are prompted with. Please make sure that if you are using a subnet you enter it as xxx.xxx.xxx.xxx\\/24, or whatever mask it is.

f)       The wait value you enter will give you some time to make sure there are no show-stopping errors; some warnings are OK. This is only to be used if there is a major issue and a library or application does not install or compile. If you see a major issue press Ctrl+C to cancel the rest of the install.

g)      Once instant IDS is installed we suggest you lock down your machine, here are a few examples:

a.       Firewall the machine.

b.      Disable root ssh access.

c.       Create a mysql root password.

d.      Update the systems patches

e.      Disable unneeded services.

This script is released freely we ask that you keep the original authors information in it though you have right to modify the script as you see necessary. This script may not be sold.

Posted in Code | Comments (0)

Posted on Wednesday, 23rd September 2009 by Michael

Null Session Scanning

For a recent audit I was tasked with checking a class C network for null sessions. The task itself sounds simple, doesn't it? But I am not one to just run a quick scan without verifying my work, and this led to an interesting discovery. On my first run at the network I used NTscan and discovered 1 machine with a null session open. If this had been correct, the client would definitely have improved their security posture since the last audit they had from another company. To verify my work I then ran xscan v3; though I prefer their older versions, I could not find a working clean copy in the short time frame I had. This scan returned 3 open machines. Now this was odd, but I chalked it up to maybe another machine coming up in the time it took to run the tools. The third scan I ran with a tool called netscan, and this tool not only returned 16 open machines but returned all the drive information with their permissions. Now this totally baffled me, so I ran all three tools one after another and the same results came up. I also manually checked the machines that returned results and each one was indeed open.

With this in mind I figured the only safe way to confirm what was truly open was to manually test the full class C using net commands. So I wrote a simple shell script for Cygwin to verify each machine was up and then check it for null sessions. The script returned 26 null sessions; I verified a sampling of them and confirmed my results. The script is attached. It was not written with the ability to quickly change it with variables, as I needed it quickly and did not have time to make it look pretty. If you would like to customize the script please feel free, and if you need help please feel free to ask.

Part 1:

Verify the node is up: ShareScan: http://genxweb.net/wp-content/uploads/2007/06/shareup.zip

This script will go through a txt file and verify that the ips inside the file are up and if they are up moves it to another file that will be used by the scanner to check for null sessions.

Part 2:

Check for null session: Scan Share: http://genxweb.net/wp-content/uploads/2007/06/scanshare.zip

This script takes the IP addresses that are up from the results of the first part and runs the net use commands on them, checking for null sessions. Error checking is basic: we use a simple && conditional to say that if the share was mapped successfully, then disconnect it.
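As an added example, not the attached Cygwin scripts themselves, here is the same two-part logic in Python: Part 1 pings each address, Part 2 tries to map IPC$ with an empty user name and password and, if that succeeds, disconnects it again, mirroring the script's connect && delete chain. The ping and net use command lines are the standard Windows ones and are run unchanged on a Windows host; the fake runner and the 192.0.2.x addresses are constructed so the script also runs offline and show no real results.

```python
import re
import subprocess
from typing import Callable, Iterable, List

# A runner executes one Windows command line and returns its exit status (0 = success).
Runner = Callable[[str], int]


def run_command(cmd: str) -> int:
    """Real runner: hand the command line to cmd.exe and discard its output."""
    return subprocess.call(cmd, shell=True,
                           stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def host_is_up(ip: str, run: Runner = run_command) -> bool:
    """Part 1: one echo request with a 1 s timeout (Windows ping syntax)."""
    return run(f"ping -n 1 -w 1000 {ip}") == 0


def null_session_open(ip: str, run: Runner = run_command) -> bool:
    """Part 2: try to map IPC$ with an empty user name and password.
    Success means the host accepts a null session; disconnect again so no
    mapping is left behind (the original script's `connect && delete`)."""
    share = f"\\\\{ip}\\IPC$"
    if run(f'net use {share} "" /user:""') != 0:
        return False
    run(f"net use {share} /delete")
    return True


def scan(ips: Iterable[str], run: Runner = run_command) -> List[str]:
    """Return the addresses that are up and accept a null session."""
    return [ip for ip in ips if host_is_up(ip, run) and null_session_open(ip, run)]


# ---- Constructed stand-in environment so the script runs anywhere (fake data) ----
FAKE_UP = {"192.0.2.10", "192.0.2.11", "192.0.2.12"}
FAKE_NULL_SESSION = {"192.0.2.10", "192.0.2.12"}
EXECUTED: List[str] = []  # every command line the fake runner was asked to run


def fake_run(cmd: str) -> int:
    """Simulates ping / net use against the fake hosts above instead of executing."""
    EXECUTED.append(cmd)
    ip = re.search(r"\d+\.\d+\.\d+\.\d+", cmd).group()
    if cmd.startswith("ping"):
        return 0 if ip in FAKE_UP else 1
    if "/delete" in cmd:
        return 0
    return 0 if ip in FAKE_NULL_SESSION else 2  # any non-zero status = mapping failed


if __name__ == "__main__":
    targets = [f"192.0.2.{n}" for n in range(10, 14)]   # constructed target list
    print("null sessions open on:", scan(targets, fake_run))   # ['192.0.2.10', '192.0.2.12']
```

Pass `run_command` (the default) instead of `fake_run` to scan a real range from a Windows box. Doing the test by hand like this is slower than the point-and-click scanners, but it is the ground truth the three tools disagreed about: either the IPC$ mapping with empty credentials succeeds or it does not.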

Side note: I first published this article on my old site http://www.genxweb.net

Posted in Code | Comments (0)

Posted on Wednesday, 23rd September 2009 by Michael

PayPal Garage Sale Point of Sale system

So I am about to have a garage sale and want to accept credit cards so people can't say they don't have money. I searched all over the Internet and there is nothing in the form of a POS for PayPal users, so I created a down-and-dirty one using a simple batch file.

Check out the code below.

title Yard Sale PayPal Check Out
@echo off
cls
rem Prompt for the item being sold; the values go into a PayPal Buy Now form.
set /p ItemNo=Item No:
set /p ItemName=Item Name:
set /p Price=Price:
pause

rem Build Out.htm (the ^ escapes < and > so cmd does not treat them as redirection).
echo ^<form target="paypal" action="https://www.paypal.com/cgi-bin/webscr" method="post"^>>Out.htm
echo ^<input type="hidden" name="cmd" value="_xclick"^>^<input type="hidden" name="amount" value="%Price%"^>>>Out.htm
echo ^<input type="hidden" name="business" value="you@your.com"^>>>Out.htm
echo ^<input type="hidden" name="item_name" value="%ItemName%"^>>>Out.htm
echo ^<input type="hidden" name="item_number" value="%ItemNo%"^>>>Out.htm
echo ^<input type="hidden" name="return" value="www.divepa.com/thanks.html"^>>>Out.htm
echo ^<input type="hidden" name="cbt" value="Continue"^>>>Out.htm
echo ^<input type="image" src="cart.jpeg" border="0" name="submit" alt="button"^>^</form^>>>Out.htm
echo ^<br^>^<br^> >>Out.htm
echo You are purchasing item: %ItemName% for %Price% if you agree click the cart above and complete your transaction >>Out.htm

pause
rem The first quoted argument to start is the window title, so pass an empty
rem title first or the browser path is taken as the title instead of the program.
start "" /max "C:\Program Files\Internet Explorer\iexplore.exe" Out.htm

All you do is copy the above code into a Notepad file, save it as paypal.cmd, then double-click it and fill in the blanks. Make sure you change the email field first to your PayPal email account. Keep in mind that the price ends up in a hidden form field in the buyer's browser, where it can be edited before the form is submitted, so check the amount actually received in your PayPal account before handing over the item.

Posted in Code | Comments (0)
