Monday, May 26, 2008

Local Physical Attack Against VISTA To Obtain SYSTEM

Pretty cool video of a local physical attack against a Vista box.

http://www.offensive-security.com/movies/vistahack/vistahack.html

McGrew Security Blog pointed me to it:

"he demonstrates a quick and easy way of obtaining SYSTEM privileges on a Vista system, given physical access to the machine. In the video, he uses BackTrack to replace Utilman.exe with a copy of cmd.exe. The nice thing about replacing Utilman.exe is that you can make it run before you’re even logged-in by pressing Windows-U."

It's short and worth a look.
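
A defender-side check for the swap the video shows, added here as an example (it is not code from the video or from this post): hash the accessibility helper and compare it both against cmd.exe and against a known-good baseline. The file contents and baseline hash below are constructed stand-ins, not real binaries.

```python
"""Check Windows accessibility helpers for the Utilman.exe-for-cmd.exe swap.

Added example written for this post, not the video author's or the blog's
code. It hashes a set of file contents and reports any helper whose bytes
match cmd.exe or drift from a known-good baseline. The file contents and
baseline below are constructed stand-ins, not real PE binaries; on a live
host, feed it bytes read from %SystemRoot%\\System32 and a baseline taken
from a trusted build.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed file contents: Utilman.exe has been overwritten with cmd.exe.
CONSTRUCTED_FILES = {
    "cmd.exe": b"MZ constructed cmd.exe stand-in",
    "Utilman.exe": b"MZ constructed cmd.exe stand-in",
}

# Constructed known-good baseline for the helper, as captured from a trusted build.
CONSTRUCTED_BASELINE = {
    "Utilman.exe": sha256_hex(b"MZ constructed Utilman.exe stand-in"),
}


def check_helpers(files: dict, baseline: dict, reference: str = "cmd.exe") -> dict:
    """Return a verdict per baselined helper: ok, missing, modified, or replaced."""
    reference_hash = sha256_hex(files[reference])
    verdicts = {}
    for name, expected_hash in baseline.items():
        if name not in files:
            verdicts[name] = "missing"
            continue
        actual_hash = sha256_hex(files[name])
        if actual_hash == reference_hash:
            verdicts[name] = f"replaced-with-{reference}"   # the swap the video shows
        elif actual_hash != expected_hash:
            verdicts[name] = "modified"                     # other tampering, or a patch
        else:
            verdicts[name] = "ok"
    return verdicts


if __name__ == "__main__":
    for helper, verdict in check_helpers(CONSTRUCTED_FILES, CONSTRUCTED_BASELINE).items():
        print(f"{helper}: {verdict}")
```

A hash baseline drifts with every patch, so on a real host pair this with signature verification (PowerShell's Get-AuthenticodeSignature, for instance) and treat an unsigned or cmd.exe-identical helper as the finding, not a mere baseline mismatch.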

Sunday, May 25, 2008

2 More Webcasts by Ed Skoudis

Here are two more webcasts to take a look at. I know you have to be registered to see the SANS one.

New Computer Attack Tools and Techniques at SANS


Penetration Testing Ninjitsu Part II: Crouching Netcat, Hidden Vulnerabilities with Ed Skoudis at CORE Security

The SANS one was good. Here is the outline:

• Improved Scanning with NSE
• Cain – The Attacker’s Dream Tool
• Pass the Hash Attacks
• New Research Areas & Conclusions

Pretty good stuff. I hope that nmap can become the "single vulnerability" checker that Nessus used to be; that would be handy.

You can also get some more info on Pass the Hash stuff on my blog and similarly the token impersonation techniques. Both things you should probably be incorporating into your pentest methodology.

I haven't watched the Pentest Ninjitsu Part II one yet.

Friday, May 23, 2008

School District in PA "hacked" by a 15 year old

From Dark Reading:
15-Year-Old Steals Data on 55,000 People in School District Hack

A Pennsylvania school district suffered its second consecutive breach at the hands of one of its students – the latest attack involved personal information on students, staff, and county residents.
http://www.darkreading.com/document.asp?doc_id=154709

Before you click that link, read this one from the school district.
http://dasd.us/security/?cat=3

Start from the bottom and read up; it's an interesting chain of events. Especially the conflicting reports of "that a student had overridden the security of a classroom computer" and "The breach occurred in the high school during the student’s study hall, a time when students are authorized to use the school’s computer for studying and research."

This is also pretty good:

"Prior to 2006, Social Security numbers had been used by the district as key indicators in our resident data base. The file the student accessed was a copy of a report that had been issued in 2005. (He did not access our secured database) Social Security numbers are no longer used by the district and our new database does not include this information. "

In response, the District has:

  • Tightened up folder security by confirming all folder permissions
  • Separated network servers to ensure that students have access only to student servers
  • Reconfirmed the integrity of the district’s firewall protection to prevent unauthorized outside users
  • Removed all access to folders that had been breached.
  • Continued to remind teachers and administrators to keep individual district passwords private.
  • Begun a Board authorized complete overhaul of the active directory file structures dealing with login, password security and folder access permissions.

I'm far removed from this, but it looks suspiciously like the "hack" was someone browsing the network shares that had crappy permissions on them. How that equates to "unauthorized access" is beyond me, but I'm sure the kid will take the fall and not the school's network admins for doing a shitty job.

A better question is why a database of names, addresses and social security numbers is sitting unencrypted on a network share.

"Your personal information including your name, address and social security number in an unencrypted and un-redacted form were among those accessed."

And for a next-to-final kick in the nuts:

"We are providing you this notice so that you can take measures to contact the credit reporting agencies and monitor any unusual activity in your account....Under Federal law, you have the right to receive a free copy of your credit report once every 12 months from each of the three nationwide consumer reporting companies. To request your free annual report under that law, contact www.annualcreditreport.com..."

Yep, we lost your data, we were irresponsible, our admins failed to safeguard your PII, and you basically get the same thing you would have gotten if we had been doing the right thing.

And lastly:

"In December 2007, another DASD student circumvented the security of the district’s computer network by using unauthorized software. That student was arrested and has been charged. The district responded to this incident by researching and putting together a plan to overhaul the active directory file structures dealing with login, password security and folder access permissions. The second security breach will require complete additional security revamping."

Oh yeah? And six months later this happens? Looks like you did an A+ job on that one. Someone should be sooooo fired.

Thursday, May 22, 2008

May NoVA Sec Meeting on IPv6 Security

Quick post on tonight's NoVA Sec meeting. It was on IPv6 security. I went in thinking it would be the standard blah blah IPv6 talk I have seen 10 other times, but it wasn't. Joe Klein of Command Information gave a really, really good talk on IPv6 security issues. He gave just a taste of the fun network hacking things to come and I'm pretty excited about it.

He covered a lot, but the big stuff was IPv6 addressing schemes (basically how addresses are being, and are going to be, assigned), how well current FW/router/OS vendors are doing with IPv6 integration and support, how well security scanners are doing with IPv6, and some talk about all the broken stuff in IPv6.

Things I took away from the talk:
- Snort 2.8.whatever and Snort 3 (which natively supports IPv6) have a whopping 6 alerts for IPv6. So it looks like if you can identify some IPv6 boxes you can scan them all day and probably not generate an alert.
- Most FW admins aren't blocking things on IPv6 addresses, so your IPv4 address space/ports might be locked up tight but IPv6 is open to the world.
- Applications can bind to one, several or all IPv6 addresses, so we'll probably start seeing malware binding to some random globally addressable IPv6 address and pretty much being hidden.
- Also a bit on discovery of IPv6 devices on the network: at this point you mostly need to do passive scanning to see if anyone is talking IPv6 protocols on the network and go from there, or query DNS.
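
The second and third takeaways (IPv4-only firewall policies, and services or malware bound to a global IPv6 address) are the kind of thing you can check for on your own hosts. The following is an added example, not code from the talk or from this post: it parses listener lines shaped like Linux `ss -6ltn` output, classifies each bound address by scope, and reports listeners on global addresses that an IPv6 allow-list does not cover. The sample output, the addresses in it, and the allow-list are all constructed.

```python
"""Audit IPv6 listening sockets for exposure on globally routable addresses.

Added example written for this post, not code from the talk or the blog.
It parses lines shaped like `ss -6ltn` output on Linux, classifies each
bound address by scope, and reports listeners that an IPv4-only firewall
policy never covers. The sample output and the allow-list are constructed.
"""
import ipaddress
import re

# Constructed sample in the shape of `ss -6ltn` output; not captured from a real host.
# 2001:db8::/32 is the RFC 3849 documentation prefix, standing in for a real global address.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port                     Peer Address:Port
LISTEN  0       128     [::1]:631                              [::]:*
LISTEN  0       128     [::]:22                                [::]:*
LISTEN  0       50      [fe80::1c2b:3d4e:5f60:7a8b%eth0]:8080  [::]:*
LISTEN  0       128     [2001:db8:1::a1b2:c3d4:e5f6:1234]:4444 [::]:*
"""

# Scope ranges from RFC 4291 / RFC 4193, checked by prefix rather than via
# IPv6Address.is_global, which treats the documentation prefix as non-global.
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")

LOCAL_ADDR_RE = re.compile(r"\[(?P<addr>[0-9a-fA-F:.]+)(?:%[\w.-]+)?\]:(?P<port>\d+)")


def scope_of(addr: str) -> str:
    """Classify an IPv6 address by the reachability a listener on it implies."""
    ip = ipaddress.IPv6Address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "any"          # :: binds every address the host has, global ones included
    if ip.is_link_local:
        return "link-local"   # reachable only from the attached segment
    if ip in UNIQUE_LOCAL:
        return "unique-local"
    if ip in GLOBAL_UNICAST:
        return "global"
    return "other"


def audit_listeners(ss_output: str) -> list:
    """Parse ss-style lines and tag each listener with its scope and exposure."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue                      # header or non-listening state
        match = LOCAL_ADDR_RE.fullmatch(cols[3])
        if not match:
            continue                      # not a bracketed IPv6 local address
        scope = scope_of(match.group("addr"))
        findings.append({
            "addr": match.group("addr"),
            "port": int(match.group("port")),
            "scope": scope,
            "exposed": scope in ("global", "any"),
        })
    return findings


def exposed_ports(findings: list) -> list:
    """Ports reachable from off-segment IPv6 peers, sorted and de-duplicated."""
    return sorted({f["port"] for f in findings if f["exposed"]})


def uncovered_by_v6_policy(findings: list, allowed_v6_ports: set) -> list:
    """Exposed ports that no explicit IPv6 firewall allow rule accounts for.

    Anything returned here is listening on a global (or wildcard) address
    with no corresponding entry in the IPv6 policy the admin reviewed.
    """
    return [p for p in exposed_ports(findings) if p not in allowed_v6_ports]


if __name__ == "__main__":
    results = audit_listeners(SAMPLE_SS_OUTPUT)
    for f in results:
        print(f"port {f['port']:>5}  {f['scope']:<13} {f['addr']}")
    # Constructed allow-list: the IPv6 policy only has a rule for SSH.
    print("exposed but not in v6 policy:", uncovered_by_v6_policy(results, {22}))
```

The point of treating `::` as exposed is the third takeaway: a process that binds the wildcard address is reachable on every global address the host ever acquires, including autoconfigured ones nobody wrote a rule for, so the allow-list comparison is what turns "we have an IPv6 firewall" into "the IPv6 firewall covers what is actually listening".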

There was tons more but that's about all I can think of right now. Oh, and they offer training on IPv6 security, so maybe something worth looking into.

Wednesday, May 21, 2008

Podcast comments

Caught a couple more podcasts.

Old one from Sploitcast from ShmooCon. The most interesting part was the SCADA stuff. After seeing Jason Larsen's talk on SCADA security at BH D.C., it seems that even though the impact of SCADA can be pretty high, you aren't going to get into a SCADA system and start issuing arbitrary commands. There is a pretty big element of needing to know what protocols the system is speaking and figuring out what it can do. I'm oversimplifying, but it's not like taking out the gas company is as easy as popping it with DCOM and hitting the blow-up button (or issuing the blowup command on the command line).

*edit* Someone emailed me and said it was pretty much that easy as far as getting into those types of systems because they can't be patched. Making them do bad things is a bit harder.

Of other interest was the talk about ZigBee (wikipedia definition).

ZigBee just may be the next new thing to break and to claim that the sky is falling about. The whole public safety WiFi, 2nd link, 3rd link, 4th link net is more fun but probably won't win you any friends in LE. I can't find the link but I did read somewhere that encryption was optional in the standard...whoo hooo.

Network Security Podcast 103: the best part was them talking about how Rich, Martin and Paul of pauldotcom got into the security business, and the discussion on the CISSP certification. On the same topic, EthicalHacker.net has a really good interview with Ed Skoudis, and the big topic of the interview is getting into the security business.

Risky Business #61 & 62. I don't have anything to say about 62, but 61 was with HD Moore. I'm a self-confessed Metasploit fan, so pretty much anything related to that fires me up, and HD's "evil EeePC" sounds awesome. Cool little laptops, Karma and Metasploit, owning people on the plane, too much fun. As soon as I can find someone selling the new Eee PC 900 in "hacker" galaxy black I'm all over that bad boy.

Also caught pauldotcom #107. Got nothing for you on that one. Oops, scratch that. Free WiFi at Starbucks by changing your user agent to "mobile safari" is the bomb.

Lastly, someone asked if I was actually getting anything out of the podcasts and the answer is yes. By the time I get to work I've got my mind right and I'm not totally focused on wishing I had a missile launcher in my car to blow up the asshat driving 55 in the fast lane.

Friday, May 16, 2008

ChicagoCon Day 1 wrap-up

The first round of talks was on Friday nite and they went well. By far the best talk was Luke McOmie and Chris Nickerson's talk on "The Art of Espionage". They talked about why red team style pentesting is working and why you should want your organization to have those types of tests conducted. They also gave out a good basic methodology on conducting those kinds of assessments. It was a really good talk and I am looking forward to their workshop tomorrow.

2nd up was my talk on "New School Information Gathering". Took me a bit to get warmed up, but I think it went well after I got going.

The talk was basically about information gathering beyond just whois lookups, without scanning or sending non-standard traffic to the target domain.

End Result?
Organization's net blocks, external servers IPs and domain names, internal IP ranges, emails to send phishing attacks to, phone numbers to call, trust relationships with other organizations, & other relevant information for your audit and hopefully identifying exploitable flaws in the target’s network without scanning or sending non-standard traffic at the organization.

3rd was Matt Luallen of Sph3r3 LLC. He talked about "Simple Principles to Protect Information and Control Now and Tomorrow." He rolled out 22 principles to protect information. Definitely worth taking another look at when the slides come out.

Last up was Kelly Housman of Microsoft talking about "A look into Defense In Depth Security." I missed the first part because I was snagging free food. What I did catch was about Microsoft's Network Access Protection (NAP) initiative. Basically NAC implemented in Windows software, where if your agent doesn't check in with the server and you aren't patched up you won't get network access tickets and you'll be segmented off and ignored by other clients. I'm old school and I like network gear doing my layer 2/3 protection instead of it being implemented by a server and some client software. I'm also leery of how a client will start to "ignore" an unauthenticated host on a LAN as well. He also went into some IPSec stuff, very MS-centric, and if you are running OSX or *nix you may be out of luck. Of course the whole trick to NAC is just figuring out how to tell the "checking software" what it wants to hear.

I'm excited for day 2, hopefully I'll get out an update on day 2 tomorrow.

New School Information Gathering Talk at ChicagoCon


Gave my New School Information Gathering talk at ChicagoCon. I think it went pretty well and I got some good feedback on it afterwards.

Here was the agenda:

Open Source Intelligence Gathering (OSINT)
FierceDNS
SEAT/Goolag
Google Mail Harvesters
Metagoofil
Online Tools
Netcraft/ServerSniff/DomainTools/CentralOps/Clez.net/Robtex
Maltego

I was pretty surprised that most people had not heard of the tools and only like 3 people had heard of Maltego. I should have a Maltego v2 review getting pushed out on EthicalHacker.net soon.

Slides and audio should be out next week on the ChicagoCon site. If you are really anxious you can email me and I will probably send them to you.
