System Overlord

A blog about security engineering, research, and general hacking.

Book Review: The Hacker Playbook...

20 May 2014 in Security (Reading time: 6 minutes)

The Hacker Playbook: Practical Guide To Penetration Testing is an attempt to use a continuous series of football metaphors to describe the process of a network penetration test. Maybe the metaphors would work better for someone who actually watches sports, but I felt they were a bit strained and forced at times. That being said, the actual content and techniques described are solid and generally useful information. It’s arranged in the stages of a good penetration test, and reads like a strong guide for those relatively new to penetration testing. Unfortunately, it doesn’t set up general guides for each area as much as describing specific “plays” for each area, so once those techniques start to fall flat, it doesn’t leave you with a lot of depth.

  • Chapter 1. Introduction is unsurprisingly lackluster, describing only the flow of the book and the benefits perceived by the author in thinking about the penetration test like a series of football plays.
  • Chapter 2. Pregame – The Setup is all about getting into a position to conduct your test, including reconnaissance, scoping, and all of the prep required before the actual pentest.
  • Chapter 3. Before the Snap – Scanning the Network will be familiar territory to anyone who’s used Nmap before, but goes into more depth and explores the other scanning tools, such as vulnerability scanners like Nexpose/Nessus, and how to get the most out of using your scanners (as well as how you can be covert when scanning).
  • Chapter 4. The Drive – Exploiting Scanner Findings describes a step that too many pentesters do not follow. Altogether too many “penetration testers” deliver a report that is little more than straight output from a web security scanner. If clients wanted a Nexpose report, they’d just buy a Nexpose license and skip the pentester’s markup. The value of a pentester is in verifying findings, evaluating the real risk to the organization, and providing advice on remediation or mitigation. This chapter handily covers how you can not only verify scanner findings, but use them to pivot and escalate.
  • Chapter 5. The Throw – Manual Web Application Findings really just scrapes the surface of the world of web. There’s so much to be covered in web that you really ought to go far beyond this and review The Tangled Web for an overview of the problems faced by modern web applications, and The Web Application Hacker’s Handbook for a more practical approach to web pentesting through vulnerability discovery and exploitation. However, if you’re going to be focusing on internal enterprise networks, the Playbook gives you some handy approaches to looking at internal webapps that you might find on a corporate network.
  • Chapter 6. The Lateral Pass – Moving Through the Network covers basic Pass-the-Hash and other approaches to leverage the access you already have into more access. It’s important to see how far an attacker could take things, so pivot & escalate is critical, and this chapter provides a handful of plays that could fit the bill.
  • Chapter 7. The Screen – Social Engineering is, again, just a brief preview into a topic far too deep to be adequately covered in a book as broad as this one. The plays here are quite basic, and focus on phishing-style social engineering, leaving out the many ways social engineering can be leveraged in reconnaissance, physical pentesting, and other scenarios.
  • Chapter 8. The Onside Kick – Attacks that Require Physical Access was a little disappointing. While there are good parts to it (like the use of the Odroid U2 as a dropbox), nothing was particularly groundbreaking and I was hoping for a little more unique aspect to physical. (On the other hand, maybe I just want to live vicariously through this book – I don’t do get to do much physical pentesting.)
  • Chapter 9. Special Teams – Cracking, Exploits, Tricks
  • Chapter 10. Post Game Analysis – Reporting provides some sage advice on producing the report that gets you paid. Since I work on an internal Red Team, I don’t have to write the type of reports described here, but if you’re in a position to be writing reports, this will really help in crafting a clear and concise report. Most importantly: don’t ever hand a client a Nessus scan and expect to be getting paid.
  • Chapter 11. Continuing Education is surprisingly thorough, though it is mostly a list of resources to help you find more things to try, such as conferences to attend, vulnerable targets to practice on, and more. There were a few vulnerable targets I hadn’t heard of, but will definitely be giving a try in the near future.

Overall, it’s an interesting book, and would definitely be good for someone who hasn’t been pentesting much, but ultimately, it’s just a collection of specific tasks (“plays” in the parlance of the book) that you can execute. I wasn’t expecting much more, and plays in there are solid, but eventually you’ll need to learn to craft your own plays, and I feel the book falls short there. It’s 294 pages and attempts to cover an entire field while remaining practical. Naturally, this is very difficult, and while there may be some shortcomings, Peter Kim manages to provide several useful plays, but probably best for those who haven’t yet developed their own playbook.

DEF CON 22 CTF Quals: Hackertool

18 May 2014 in Security (Reading time: 3 minutes)

Hackertool was one of the Baby's First challenges in DEF CON CTF Quals this year, and provided you with a .torrent file, and asked you to download the file and MD5 it. Seems easy enough, so I knew there must be more to it. The torrent file itself was a whopping 4 MB in size, very large for a torrent file. Looking at it, we see it contains just one file, named every_ip_address.txt, and the file is ~61GB in size. Hrrm, there must be an easier way than torrenting 61GB, especially at <1k/s.

So what is this every_ip_address.txt? Seems like it might be a list of all IP addresses. In fact, if you add up the length of all IP addresses written in decimal dotted-quad form, separated by newlines, you get 61337501696 bytes, exactly the same as the length of our target torrent. But is it newline separated? What order are they in? Fortunately, torrents also contain the SHA-1 of each 256kb block of the file. So I wrote a little python script to quickly check if we had a match for the first block:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

import hashlib

def get_block():    
  block = 256 * 1024
  v = ''
  for a in xrange(0, 256):
    for b in xrange(0, 256):
      for c in xrange(0, 256):
        for d in xrange(0, 256):
          v += '%d.%d.%d.%d\n' % (a,b,c,d)
          if len(v) > block:
            return v[:block]       


print hashlib.sha1(get_block()).hexdigest()

This matched the value from the torrent file, so I knew we were on the right track. Unfortunately, python is too slow to hash 61GB this way, so I turned to C for the final solution:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

#include <openssl/md5.h>
#include <string.h>
#include <stdio.h>

int main(int argc, char **argv){
  char buf[64];
  MD5_CTX md5_ctx;
  int i,j,k,l;

  MD5_Init(&md5_ctx);
  for (i=0;i<256;i++) {
    printf("%d.\n", i);
    for (j=0;j<256;j++) {
      for (k=0;k<256;k++) {
        for (l=0;l<256;l++) {
          sprintf(buf, "%d.%d.%d.%d\n", i, j, k, l);
          MD5_Update(&md5_ctx, buf, strlen(buf));
        }
      }
    }
  }
  MD5_Final(buf, &md5_ctx);
  for (i=0;i<128/8;i++) {
    printf("%02ux", buf[i] & 0xFF);
  }
  printf("\n");
  return 0;
}

There might’ve been prettier ways, but this ran in the background while I moved on to another hash, and got us our first flag not too long afterwards.

Weekly Reading List for 5/16/14

16 May 2014 in Security (Reading time: 1 minute)

###How Target Blew It Normally, I stick to more technical articles, but this article from Businessweek is a very interesting read on how, despite doing most of the right things technically, company procedures and humans can still be the weak link in your security infrastructure.

The Machine Inside the Machine

12 May 2014 in Security (Reading time: 5 minutes)

Imagine this scenario:

One of your employees visits a site offering a program to download videos from a popular video site. Because they’d like to throw some videos on their phone, they download and install it, but it comes with a hitchhiker: a RAT, or remote access trojan. So Trudy, an attacker, has a foothold, but the user isn’t an administrator, so she starts looking at the network for a place to pivot. Scanning a private subnet, she finds a number of consecutive IP addresses all offering webservers, FTP servers, and even telnet! Connecting to one, the attacker suddenly realizes she has just found her golden ticket…

Dell calls it iDRAC; IBM refers to it as RSA or IMM; HP likes iLO; and Intel goes with AMT. Whatever the name, most servers offer an out-of-band management option, and those are an oft-overlooked potential backdoor into your network. Generally these devices use their own network connection, are powered even if the server is shut down (so long as the power supplies are on), and offer a number of powerful features:

  • Remote console (most often a Java applet)
  • Attach remote drives (ISOs or disk images)
  • Reboot server
  • Update firmware
  • Control boot and BIOS/EFI settings

What can our attacker do with this? These devices are intended to provide system administrators with access roughly equivalent to physical access, and for attackers, they do the same.

Connecting to the out-of-band controller, Trudy hopes that whoever racked the server hooked up the controller but did no more configuration, such as changing the passwords. Almost all use a static password, so upon seeing the logo on the login screen, she immediately knew to try PASSW0RD, and was presented with the admin interface moments later. Launching the Java-based remote console, she was delighted to see a Windows Server 2012 interface with the hostname “DC2”, indicating the server was probably a Domain Controller, but was slightly disappointed to see that someone hadn’t done her the favor of leaving it logged in.

No matter, she had her bag full of tricks. She mounted an ISO of Kali Linux and, hoping the failover would work properly, clicked the reboot icon. After the system booted, she mounted the hard drives and replaced a few less-critical service executables with binaries that had some extra functionality. As she disconnected her ISO and power-cycled the server again, she fired up Metasploit on her laptop and started listening for connections. Shortly after the server booted, she saw an incoming connection pop up on her screen.

1
2
3
4
5

[*] Sending stage (748032 bytes) to 192.168.9.9
[*] Meterpreter session 1 opened (10.3.13.37:4444 -> 192.168.9.9:1051)
[*] Starting interaction with 1...
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Due to an insecure Lights-Out Management device, Trudy now has SYSTEM on a domain controller at her target. Even with servers configured to best practices and fully patched, the network is now wide open. Trudy is free to pivot throughout the network, extract sensitive data, and whatever else she’d like. In short, you’ve been pwn3d.

####Securing Out of Band Management

Not all hope is lost, however. While these devices pose a risk, they are also very useful. We can secure the controllers, but it takes planning.

  1. If you’re not going to use them, don’t connect them. If it’s not on the network, it’s not the way in.
  2. Maintain inventory of these devices, and include them in your patch management lifecycle. Patch them now.
  3. Like any server, disable unneeded services. Are you really going to use the telnet service on it? Ideally, only leave encrypted services around so passive sniffers aren’t a risk.
  4. Change the passwords. Nearly all of these devices have a default password that is the same across the board, so it doesn’t take much to get in if you haven’t changed the passwords.

Watch out for the machine within the machine!

Workflowy: Good for Keeping Organized?

09 May 2014 in Personal (Reading time: 3 minutes)

I’ve been using Workflowy for a while as an organizational tool. It self describes as thus:

WorkFlowy is an organizational tool that makes life easier. It can help you organize personal to-dos, collaborate on large team projects, take notes, write research papers, keep a journal, plan a wedding, and much more.

I’ve been using Workflowy for about 6 months now, and so I think I’ve developed a good feeling for what’s working for me and what’s not, but I think it’s important to recognize that everyone will have different needs and expectations out of an organizational tool.

###What Works

  • Workflowy’s hierarchical/tree view is its best feature. I very much think of problems in categories, and then subdivided into other problems. I start at the top level with “Priority TODO”, “Life”, “Security Research”, “Blogging”, etc., and then break each of those down into smaller areas.
  • You can blow up any bullet level to be a top-level page, so you can limit your focus to the information in this category. Likewise, each branch node and be collapsed to hide information you don’t need to see at the moment.
  • You can star these pages for quick access to your most frequently used areas.

###What’s Missing

  • Deadlines or date prioritization. I’d like to be able to find things that need to be done in, say, the next week. Workflowy suggests using tags for deadlines, but this still makes it hard to filter on “next 7 days”.
  • Orthogonal views. I wish I could categorize entries to look at them in different ways. I can get close with tagging and search, but it’s not as nice as, say, GMail style labels.

###What else I’ve tried For comparison, I’ve tried a number of other tools that didn’t work as well for me.

  • Remember the Milk
  • Todoist
  • Wunderlist

If you’re looking for a better way to get organized, give Workflowy a try.