Friday, Apr 15, 2011

He’s pissing into the wind! How brilliant can he be?

Sometimes the most technical solutions are undone by the most simple of things…

In the movie Deep Blue Sea (the one with evil sharks and LL Cool J) Samuel L Jackson arrives on the rig and is being introduced to the crew.  One of my favorite quotes is when Dr. Whitlock is pointed out.

There’s Doctor Jim Whitlock, the most brilliant man ever!

He’s pissing into the wind!  How brilliant can he be?

Names have been changed to protect the guilty, and sorry, no pictures for this one.

After some preliminary investigation, an employee was identified as stealing Intellectual Property.  We will call him Dwight.  On the outside, Dwight looked like the model employee.  He was always ready to stay late, never complained about being volun-told to do work, and didn’t care about things like promotion or missing that bonus.  Dwight was a good employee.  Except he wasn’t.  Dwight was mad and decided to take his revenge.  He downloaded GPG and created his very own private key (RSA 3072).

Around this time IT was running out of space on a network drive.  Some employee was storing large files. A sysadmin accessed the drive and saw a bunch of files that were encrypted.  The sysadmin called the Security Team and the investigation began. 

The first thing we did was monitor email.  Dwight was sending files to only one person (and they were encrypted).  The email account was some random account which in the end belonged to Dwight.

It seems that Dwight is a brilliant guy and knows that there is no evidence.  Sure, we could beat him and make him decrypt, but thanks to legal we can’t.

Well, this guy was pissing into the wind…. The first thing we did was create a meterpreter payload.

Note: There are many tools that can be used.  However, this guy needed to be taken down a peg, and since the afternoon was free, open source we go.

Using psexec, we ran meterpreter on his machine on his behalf… meterpreter session 1 opened.

Next we grabbed some screenshots…  It looked like he was copying some sensitive information into a document.

Game… 

Next we started a keydump…  We saw the keystrokes “Sensitive Project Marketing Plan.doc”, and next we saw “B33TF@rm3r4life”.  Could this be his GPG passphrase?

Set…

Next through a series of screen shots we saw him compose the email with the attachment to that secret email account.  Before he hit SEND, we remotely turned off his keyboard and mouse.  We also flipped on his webcam just to make sure it was him at the keyboard.

Match…

Afterwards we looked at the GNU Privacy Handbook at gnupg.org, which says:

Ultimately, there are diminishing returns on the extra security a large key provides you. After all, if the key is large enough to resist a brute-force attack, an eavesdropper will merely switch to some other method for obtaining your plaintext data. Examples of other methods include robbing your home or office and mugging you.

Well now he is in jail, getting a brute-force attack!

Lessons Learned:

  • Shell is money, but Post-Exploitation is Priceless.
  • No matter how smart you are, you don't know everything.
  • Even though I know we are all geniuses, please remember to piss downwind.

Wednesday, Mar 30, 2011

Show me the E-Money!

If one wants to find the root of all evil, the best way is to follow the money.  Banking laws in the US require reporting to the government anything over $10,000.  Plus we SHOULD be paying taxes on our money, and you can't say you got your cash from being a gangster.  Tax evasion is how they got Capone.

Enter money laundering!  This is a way to clean your money.  We all remember the scene from Scarface where they open all the businesses: a pizza place, car wash, salon for his sister, etc.

In the digital world, the cyber Sopranos try to move the money around so that it can't be traced.  Bank to Bank, Country to Country, Dollars to Euros to Yen to Euros to Dollars.

In this world, it helps to have a good bank.  Enter Liberty Reserve.  

This bank requires you to provide information (unverified) to create an account.  They do send you an email; however, I don't know anywhere on the internet that would provide you a 15 min email address.  (I really do ;)

When dealing with the cyber underworld, most carders and botnet providers choose LR as the official bank of the underworld.  It is also awesome for Online Poker, or so I have been told.

Funding your LR account is easy.  There are many places online that will exchange money into the different E-Currencies.

So now that we have funded our account with funds for all legal purposes only, how do we get it out?  You can use the exchanger once again or you can get a prepaid debit card.  They have more uses than the last minute gift for that family member who is weird and hard to shop for... wait a minute, I always get a gift card from my parents.

Now I know some of you are wondering whether all this is "safe" since we are dealing with online banking.  If the fact that the cyber criminals bank this way is not enough, take comfort knowing that LR is VeriSign Trusted and McAfee Secure.

I would recommend researching the money exchange merchants.  If you get a letter from someone who needs to move money out of Nigeria and only you can help them, have them wire you the money using this service... Nigeria's most reliable link to the World e-Currency Economy. 

Digital currency has created trading markets: just like the Dollar to Euro spot rate, we have LR to other currency spot rates.  Here is a scam investment opportunity now.

http://libertyreserve-investments.com/ 

Bitcoin is a peer-to-peer digital currency.  Bitcoins have value if they are accepted as payment by many.

  • Bitcoins can be sent easily through the Internet, without having to trust middlemen.
  • Be safe from instability caused by fractional reserve banking and central banks. The limited inflation of the Bitcoin system’s money supply is distributed evenly (by CPU power) throughout the network, not monopolized by banks.
  • The total eventual circulation will be 21 million bitcoins. There will never be more coins than that.

http://www.bitcoin.org/
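As an added illustration of the "21 million" cap in the list above (mine, not from the original post or from bitcoin.org): the block subsidy starts at 50 BTC and is halved every 210,000 blocks using integer satoshi arithmetic, so summing every era's reward shows where the supply stops. Those three parameters are assumptions taken from the reference client, not from the page.

```python
# Added example: derive the eventual Bitcoin supply from the subsidy schedule.
# Assumed protocol parameters (from the reference client, not from the post):
SATOSHI_PER_BTC = 100_000_000
INITIAL_SUBSIDY = 50 * SATOSHI_PER_BTC   # 50 BTC per block at genesis
HALVING_INTERVAL = 210_000               # blocks between halvings


def subsidy_at_height(height):
    """Block reward in satoshi at a given block height (integer halving)."""
    halvings = height // HALVING_INTERVAL
    if halvings >= 64:      # reward is zero long before this; guard the shift anyway
        return 0
    return INITIAL_SUBSIDY >> halvings


def supply_at_height(height):
    """Satoshi issued by all blocks strictly below `height`."""
    total = 0
    for era_start in range(0, height, HALVING_INTERVAL):
        era_blocks = min(HALVING_INTERVAL, height - era_start)
        total += subsidy_at_height(era_start) * era_blocks
    return total


def total_supply_satoshi():
    """Supply once the subsidy has rounded down to zero: the hard cap."""
    height = 0
    while subsidy_at_height(height) > 0:
        height += HALVING_INTERVAL
    return supply_at_height(height)


if __name__ == "__main__":
    cap = total_supply_satoshi()
    print(f"hard cap: {cap / SATOSHI_PER_BTC:,.4f} BTC")   # just under 21,000,000
    print(f"issued by block 210000: {supply_at_height(210_000) / SATOSHI_PER_BTC:,.0f} BTC")
```

The cap lands at 20,999,999.9769 BTC rather than exactly 21 million because each halving discards the fractional satoshi.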

One of the things about P2P money is being able to "hypothetically" send it around the virtual world through all the nodes and peers without a central bank (or recording agency).

Sign up for a bitcoin account and go here for 0.05 bitcoins to get you started.  https://freebitcoins.appspot.com/

Since bitcoin is a real currency, you can watch its value here.

http://bitcoincharts.com/markets/

The latest market rates as of 03/30/2011 at 10:00AM

This is just a brief introduction into the world of digital currency.  As always, use this knowledge for educational purposes only and not for digital crime.  Most of us are too pretty for jail!

Friday, Mar 18, 2011

What a long strange trip it has been….

1 year of InfoSec Blogging and Twitter.

I am sitting here listening to Dave @rel1k Kennedy speaking about SET on OSOC and I am reflecting how I got here… 

Present day: I am successful in my career.  Using the information I have learned in the past year, I carved out a niche in my role and helped create a global security group responsible for the InfoSec programs at my company.  I am successful in my home life as well.  I have a wonderful healthy baby boy who is the prize for living this life.  

1 year ago: I was an auditor who tested using checklists.  As a youth, I was big into computers and hacking, but after high school I took a break and went the Finance route.  I knew Security, but it was only the tip of the iceberg.  I did have a CISSP after all.  As part of my work goals, I joined Toastmasters to enhance my public speaking.  I did my first speech about my youth as a hacker/BBS user and I quoted this.

http://www.n00bz.net/blog/2011/1/27/the-conscience-of-a-hacker.html

The words are as true today as they were when I first read them.

And then it happened... a door opened to a world... rushing through
the phone line like heroin through an addict's veins, an electronic pulse is
sent out, a refuge from the day-to-day incompetencies is sought... a board is
found.
"This is it... this is where I belong..."

I realized that I never left the security scene because InfoSec was in my blood and I was still me.  At my core, I am a hacker.  I had starved my hunger for new knowledge long enough.  It was time to go where I belong….

South Florida ISSA

1 year ago today I attended a South Florida ISSA meeting that changed everything.  I had attended them before.  Several years ago I was a winner of the ISSA Hack the Flag and Chili Contest.  I always had something going on and had stayed away for several years. 

At the meeting, HackMiami was showing off several attacks including Wireless Attacks.  I shared some techniques I used vs. what they were using to crack it just a little bit faster.  After that, I went for some beers with the group.  I had met Tim Krabec @tkrabec before and I sat by him.  Tim introduced me to someone and they asked “what is your twitter name and do you have a blog?”  I never went on twitter and I didn’t have a blog.  A few beers later, I went home and got on the puter and registered a domain.

I had a blog and I went on Twitter.

n00bznet is born

I started a blog…  It had some security things as well as a few fun things along with some pictures…

http://n00bz.net/blog/2010/3/29/nerd-porn.html

http://n00bz.net/blog/2010/3/28/google-ipo.html

http://n00bz.net/blog/2010/5/12/dui-in-the-making.html

I also had a few awesome videos.

http://n00bz.net/blog/2010/5/6/starwars-legos-awesome.html

http://n00bz.net/blog/2010/5/10/cloud-computing-killed-the-third-reich.html

During this time I gave my first presentation on Wifi (In)Security.  It went very well and HackMiami asked me to present again. 

The Pwn-Off

During this time, Rapid7 had released Metasploit Express and I got a demo copy of that along with Core Impact to bring to the ISSA Hack the Flag Challenge.  Problem was, the challenge had moved dates.  (4 letter word here).  I told Alex and Peter from HackMiami that we should have a pwn-off and run the 2 tools against each other.

http://n00bz.net/blog/2010/6/3/core-impact-vs-rapid7-metasploit.html

http://n00bz.net/blog/2010/6/3/bring-me-your-tired-and-poor.html

http://n00bz.net/blog/2010/6/4/hackmiami-rumor-immunity-ready-to-rumble.html

http://n00bz.net/blog/2010/6/4/rumor-confirmed-immunity-is-coming-to-play.html

http://n00bz.net/blog/2010/6/4/hackmiami-canvas-vs-core-vs-metasploit.html

With 2 million packets going across the wire, the winner was Rapid7 and Metasploit Express.

http://www.n00bz.net/hackmiami-the-scorecard/

It was an amazing event and through this event we got to meet some great people.

Press F1 for pwn

A short time later, Tavis Ormandy released a bug in Microsoft HelpCenter (CVE-2010-1885).  This is a bug I would become very familiar with.  The great debate was not over the bug, but disclosure policy.  The 2 sides were torn over how long we need to let the vendor try to fix/acknowledge the bug vs. just posting it out for all to see.  Full vs. Ethical disclosure.  Many people slammed Tavis.  I soon learned his frustrations when alerting a vendor of a bug and being pushed aside.

http://n00bz.net/blog/2010/6/21/brad-spengler-gets-the-amen-award.html

This was patched by Microsoft in what was the last patch for XP SP2 and Windows 2000.

http://n00bz.net/blog/2010/7/6/patch-tuesday-windows-xp-help-and-support-center-exploit.html

http://n00bz.net/blog/2010/7/13/cve-2010-1885-1-month-later-better-then-7-years.html

Shortly after, I was showing the help center bug when I discovered that my AV application told me it had removed the threat and protected me.  Oh yah, it also generated a meterpreter session.

http://n00bz.net/blog/2010/7/15/poc.html

I called up McAfee and they were awesome.  "@DaveMarcus is the man." -@rodsoto!  In fact, that needs to be said a few more times.  @DaveMarcus is the man.   @DaveMarcus is the man.   @DaveMarcus is the man.

The Best News Ever

I also learned that a few months ago, I dropped a payload during a pentest and the exploited code had been run.  My wife was carrying my son.  In this picture he looks like an alien, but he is a lot better looking now :)

http://n00bz.net/blog/2010/7/23/say-hello-to-alexander.html

DEFCON

@jcran had been hyping up the Rapid7 party so I figured I would go.  It happened that Blackhat/DEFCON were going on at the same time, so off to Las Vegas I went.

http://n00bz.net/blog/2010/7/29/defcon-day-1.html

http://n00bz.net/blog/2010/7/29/defcon-official-day-1.html

http://n00bz.net/blog/2010/7/30/core-impact-vs-metasploit-express-defcon.html

Coverage of DEFCON fell off after that point…. A good time was had and knowledge was learned.  I met some amazing people: @digininja, the crew from Hak5, the guys from CCC, DCNYC, and DualCore!

I recommend anyone who likes security and even if you don’t, come to DEFCON. 

I will be bringing 4 new people to their first DEFCON this year.

I am going to BlackHat/DEFCON again this year… now it is part of my job responsibility.  

Metasploit Express/Pro Demos

With several updates, Metasploit Express gained new functionality and I had a good time exploring new uses for the tool.

http://n00bz.net/blog/2010/8/18/client-side-attacks-with-metasploit-express.html

This one had the awesome USB in the bathroom picture!

http://n00bz.net/blog/2010/9/15/social-engineering-using-metasploit-express.html

Using Metasploit Express to pwn a Domain

http://n00bz.net/blog/2010/9/22/using-metasploit-express-to-own-a-domain.html

DLL Hijacking was announced. 

http://n00bz.net/blog/2010/8/27/dll-hijacking-roundup.html

I even wrote up how to hijack some DLLs with Metasploit Express.

http://n00bz.net/blog/2010/9/15/dll-hijacking-with-metasploit-express.html

Rapid7 also released a Professional version of Metasploit.

http://www.n00bz.net/metasploit-pro/

http://n00bz.net/blog/2011/1/4/metasploit-pro-bypass-win-uac-ftw.html

Public Speaking

Over the past year I got to use my Toastmasters skills doing some presentations.

I gave an awesome presentation on Buffer Overflows.

http://www.n00bz.net/blog/2010/9/7/hackmiami-buffer-overflow-slide-deck.html

I had the opportunity to speak at HackerHalted in Miami.  Here I met some awesome people and also presented my CVEs about AntiVirus detection after malicious files are executed.

http://www.n00bz.net/antivirus-cve/

McAfee was awesome in resolving this issue. 

Some other vendors, not so much:  http://n00bz.net/blog/2010/11/20/avfail-at-the-mall.html

http://n00bz.net/blog/2011/1/4/killing-av-when-it-just-will-not-die.html

Even some of the good vendors slip up sometimes.

http://www.n00bz.net/blog/2011/1/5/virusscan_bypassrb-now-with-a-lame-security-bulletin.html

What am I doing now?

Lately I have been playing around with Metasploit 3.6 and using it to remove Malware.

http://n00bz.net/blog/2011/3/8/metasploit-36-review.html

http://www.n00bz.net/blog/2011/3/11/using-metasploit-to-remove-malware.html

I have also been interested in the PS3:

http://www.n00bz.net/blog/2011/2/16/quick-ps3-backup-managers-tutorial-for-355-kmeaw-cfw.html

It should be noted: I do not own a Playstation 3/Any Sony Device.  Suck it Sony.

I am working with my #HackMiami crew creating a test network infrastructure for a new CTF arena to host the Pwn-Off Part 2.  Last time the Joes ran the tools... Let's see what happens when the Professionals run them!

Like many, I am working hard with my job and enjoying time with my family.  At the end of the day, we do the best we can and make sure to take care of the things that really matter!

My Challenge to you

So 1 year later, I am reflecting on where I have been and I issue a challenge to all…  Find someone new.  Find someone who loves Computers and Security.  Find someone who is a hacker, whether they know it or not :)  I want you to reach out to them.  Share with them the “\/\The Conscience of a Hacker/\/” and watch their mind reboot as new ideas are formed.  Challenge them to ask “Why?” and be there to help them discover the answers.  Take them out to the desert for DEFCON or DerbyCon.  Give them the taste and hunger for knowledge.

Reach out to them…. after all, we're all alike.

http://www.n00bz.net/blog/2011/1/27/the-conscience-of-a-hacker.html

Friday, Mar 11, 2011

Using Metasploit to remove Malware

So I have a family member who loves malware; however, it is not like us who like to research and understand it.  He likes to go to websites ("I never went to that site.") and click every link possible as fast as he can.

As a result, he has a great collection of malware. 

He has gotten every version of FakeAV known.  Here is how I use Metasploit to remove it.

Step 1:  Generate a Windows meterpreter executable and rename it "explorer.exe".  Most malware does not allow any AV or Malwarebytes to run.  Renaming the file "explorer.exe" will allow it to get through on the malware's whitelist.

Step 2: Run our executable on the infected machine and connect back/bind to the meterpreter session.  Since Meterpreter does not touch disk and injects itself into memory, this is a great way to get a foothold onto the machine.

Step 3: Escalate to SYSTEM.  Windows 7 is no longer a problem thanks to @Dave_Rel1k and @KevinMitnick UACBypass.  I love this script/post exploit module.  Go to @Derbycon!

Step 4: Reward yourself... I recommend Crown Royal with a splash of Ginger Ale.  YMMV

Step 5: Now that you are SYSTEM, type "ps".  Some of these things are not like the other.  Some of these things just don't belong.

Step 6: Identify the PID number next to the rogue processes and run "kill ####".

Step 7: At this point, you should have broken the hold on the system that the malware had.  Install http://www.malwarebytes.org/mbam-download.php 

Step 8: Run some scans and remove the naughty objects.  I also recommend something AV/malware related... McAfee, Microsoft Security thingy, anything....  Check NSS Labs for some recommendations.

Step 9: Give the computer back to your family member and wait till next week when he finds a new site that he didn't visit and runs a file he never ran!
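To make steps 5 and 6 less of an eyeball exercise, here is an added example (mine, not part of the original post or of Metasploit) that parses a meterpreter-style "ps" listing and flags the processes worth a closer look before anything gets killed: a well-known system binary name running outside %SystemRoot% (the same whitelist trick step 1 relies on, used against you), or anything executing from a user-writable directory. The listing, process names and paths are constructed sample data, not a real capture.

```python
import re

# Constructed sample in the shape of a meterpreter "ps" listing (not a real capture).
SAMPLE_PS = r"""
Process List
============

 PID   Name              Arch  Session  User                 Path
 ---   ----              ----  -------  ----                 ----
 0     [System Process]
 4     System            x86   0        NT AUTHORITY\SYSTEM
 612   csrss.exe         x86   0        NT AUTHORITY\SYSTEM  C:\Windows\System32\csrss.exe
 1188  explorer.exe      x86   1        PC\bob               C:\Windows\explorer.exe
 2244  svchost.exe       x86   1        PC\bob               C:\Users\bob\AppData\Local\Temp\svchost.exe
 2560  avguard.exe       x86   1        PC\bob               C:\Users\bob\AppData\Roaming\Xp\avguard.exe
"""

# Names FakeAV-style malware likes to borrow, and where the real ones live.
SYSTEM_NAMES = {"explorer.exe", "svchost.exe", "csrss.exe", "lsass.exe",
                "winlogon.exe", "services.exe"}
SYSTEM_DIRS = ("c:\\windows\\",)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def parse_ps(text):
    """Turn the listing into dicts; columns are separated by two or more spaces."""
    procs = []
    for line in text.splitlines():
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) < 2 or not fields[0].isdigit():
            continue                     # title, header, separator or blank line
        procs.append({"pid": int(fields[0]),
                      "name": fields[1],
                      "path": fields[5] if len(fields) >= 6 else ""})
    return procs


def flag_rogue(procs):
    """Return (pid, name, reason) for processes that deserve a look before 'kill'."""
    findings = []
    for p in procs:
        name, path = p["name"].lower(), p["path"].lower()
        if not path:
            continue                     # kernel/pseudo processes carry no path
        if name in SYSTEM_NAMES and not path.startswith(SYSTEM_DIRS):
            findings.append((p["pid"], p["name"],
                             "system binary name running outside %SystemRoot%"))
        elif any(marker in path for marker in USER_WRITABLE):
            findings.append((p["pid"], p["name"],
                             "executing from a user-writable directory"))
    return findings


def kill_commands(findings):
    """The meterpreter commands step 6 would type, one per flagged PID."""
    return [f"kill {pid}" for pid, _name, _reason in findings]


if __name__ == "__main__":
    hits = flag_rogue(parse_ps(SAMPLE_PS))
    for pid, name, reason in hits:
        print(f"{pid:>6}  {name:<14} {reason}")
    print("\n".join(kill_commands(hits)))
```

The legitimate explorer.exe under C:\Windows is left alone; only the two binaries in the user's profile come back, which is the "some of these things just don't belong" call made explicit.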

Tuesday, Mar 8, 2011

Metasploit 3.6 Review

Yesterday Rapid7 released Metasploit 3.6.  This edition of the Professional version of Metasploit has added some key features.

@sussuro has some great video walk-throughs you can find here: http://www.ethicalhacker.net/content/view/357/1/

Below I am going to highlight my favorite updates.

PCI Reporting

Over the past 2 days, I have received 2 great resources for PCI compliance.  The first is this YouTube video.  It helps to laugh in between the tears.

The 2nd is the new report that Metasploit Pro includes.  This is a key report that could not come too soon.

I fired up a test Windows 2000 SP4 box to test the report.  Below is an excerpt.

As noted above, the following PCI requirements are tested with a result of pass/fail.  Further information is included in the report.  Looking at 6.1 we can see this box was not patched.

Post Exploitation

A month ago there was a move from post-exploitation scripts to modules.  Seeing the 3.6 update, I understand the method to the madness.  They say "shell is only the beginning."  With the new Post-Exploitation Modules, this saying has more truth than ever.

Once a session is generated on a box, the available Post-Exploitation Modules are listed on the Session tab.  The modules are extremely easy to use.  Point, Click, Pwn!


A hidden gem feature is the ability to run Post-Exploitation Modules on all sessions generated.

Running the module reported that my test machine was a VMware machine.

Revisiting my favorite Post-Exploit trick, UAC Protection Bypass.  I generated a session on a Windows 7 machine.

Before the module we are #Losing.

After the module, we are #Winning.


Exploit Features

Another hidden gem that I noticed is the Exploit button.  It has been described as Super AutoPwn.  A new feature at the end of the Exploit menu is the addition of a "Choose Exploits" button.

This allows the pentester to customize which exploits are going to be fired at the target, allowing for a focused attack.

Conclusion

Version 3.6 of Metasploit has many features and hidden gems.  Abe Lincoln said "If I had eight hours to chop down a tree, I’d spend six sharpening my axe."

Version 3.6 is razor sharp out of the box!

Try it for 7 days with a full featured demo: http://www.rapid7.com/downloads/metasploit-pro.jsp
