Video of my presentation:
(edit: the videos audio doesnt start until 18 seconds in. I’ve edited it, and the video is updating on youtube. This is temporary, please bear with me)
Slide Deck: long-tail-of-the-internet.pdf
So you’ve managed to find your way to a domain controller, perhaps used metasploits meterpreter, perhaps got system, migrated to lsass.exe and perhaps were able to use incognito to smart_hashdump and nab all the password hashes. Well, you can hand those off to john the ripper and it will happily crack the LM portion of what you’ve got – but you’ll end up with a bunch of uppercase passwords.
Enter lm2ntcrack.pl – a dandy little perl script that will take the uppercase password and use it as a dictionary to crack the NTLM password for you. Only trouble is that since it was written, the awesome guys at openwall who develop john the ripper have changed the output format of cracked password files. The lm2ntcrack input format was written for a ~2009 version of JtR, so to get it properly working someone had to go and make a tiny tweak in the script where it analyzes the syntax/order of the input file.
So I did it! First time, actually, that I’ve done something like this. And it appears to work! – at least it works on the ntlm hashes I have from a demo network.
Anyhow, here’s my updated copy of the script - lm2ntcrack-viss.pl
Save that as a .pl file (it’s a .txt so it doesn’t get run on the site).
Just about three months ago I wrote a quick post about having the Motorola Xoom for approximately 12 hours.
First I’d like to address some of the points I made in my last post:
Now the TODO list:
Everywhere I go, I get asked “is that the new ipad?” and I answer “no, its better”. People look confused. I used to get into debates about it, but now I just dont care. I’ve accepted the fact that the vast majority of people prefer a snappy UI and pretty pictures over functionality and an open attitude. I’ve recently figured out how to get my eye-fi to work with the thing, and I’ve been out a few times while taking pictures and having them zip from my leica directly over the xoom (this is a REALLY cool party trick – I intend on utilizing this somehow combined with a projector at this years ninjapenguin party.).
This platform does everything I need that doesn’t require massive horsepower including simple security tasks – like portscanning and browsing open fileshares, nmapping, and running metasploit. I can watch movies on it, get directions (chrome to phone is awesome on this thing), watch full-screened high-res episodes of southpark from southparkstudios.com and other flash sites (since it supports flash) browse full HTML5 and flash websites, and even set it up like a mini entertainment set – with the jawbone jambox speakers setup as bluetooth speakers.
It’s overclocked from 1ghz to 1.6 ghz with little to no impact on the battery. The modified kernel allows me to have external SD storage enabled and PTP and USB OTG modes so that I can plug in external devices and storage (though I have not yet tried a mouse or keyboard, usb sticks and my leica d-lux 4 work like a champ – for some reason the d3s isn’t properly recognized, so I’ve opened a ticket with google). I hope to use it in a photography sense as well (in Vegas this year, if I’m lucky) with the square reader and squareup app – which lets me accept credit cards as an individual. I can torrent from the thing, as well as use it as a backup phone by way of a skype-in number and a bluetooth headset. The list just goes on and on!
I’ve been tapped to use it as a support tool – once at drinkup a friend had a need to use a variety of basic linux tools such as traceroute, ping and telnet – I was able to hand him my xoom in an ubuntu chroot and tell him ‘go to town’. I can use it to remote control any of my computers as well, even remotely ‘hamachi style’ using a tool called neorouter.
I intend for this to be my “computer” while I’m at Defcon/Blackhat this year. I can easily offload all my photos to it, and it does everything I need while I’m on the go. Someday I hope to actually give a talk from this thing, completely without a laptop.
tl;dr: If you just want a toy, buy an ipad. If you want a tool? Buy the xoom.
How to hack a facebook account – or, basically how to hijack php sessions. Yes – this is old news – yes its a common vulnerability – but you get a better idea for what it is and how it works when things are explained in detail (with screenshots!).
Before we begin, however, I want to re-emphasize that it is VERY EASY to protect yourself against this sort of attack. Facebook supports HTTPS, so when you browse facebook (or twitter for that matter) or if you have it bookmarked – please make sure you’re using HTTPS:// rather than HTTP:// in the URL at the very least, if not using a VPN solution for further encryption. Also, if the ‘victim’ logs out of facebook, the attackers session becomes invalid – so it’s a good practice to actually log out of facebook and log back in again rather than using the ‘remember me’ checkbox.
Facebook like many sites operates using authentication cookies. Their auth cookies contain a variety of information, but for our purposes this is irrelevant. Here is a sanitized cookie for reference:
Cookie: datr=1276721606-b7f94f977295759399293c5b0767618dc02111ede159a827030fc; lsd=Xesut; lxe=greg.evans%40****************; c_user=100001230367821; lo=wl9fcGXMhPfoT4bAhKFP3Q; lxs=1; sct=1276721745; xs=a615cfe596448194d6e2a8d062a90e4e
You can see the ‘lxe’ field is the login. We haven’t done any further research into what the various other fields mean, but using facebook without any kind of security you’re both leaking the email address used for your login and the session cookie.
First thing you’ll want to do is fire up your favorite packet capture application. For this example we’ve used Wireshark:
Next, set the filter in the top left to ” http.cookie contains “datr” “. This should show you only packets captured which contain the cookie we’re looking for. You can see that in this screenshot we’ve already captured a cookie.
Simply browse to facebook – make sure you are not logged in:
Hit ALT-C to bring up the cookie injector dialog box:
Then paste in the cookie!
Hit refresh and – VIOLA! you’re now logged in as your victim! Now this doesn’t give you access to their credentials, this is about the equivalent to walking up to their workstation while they’re away from their desk and using facebook.
Neat huh? Pretty easy too. I smiled big when we demo’ed the attack in our lab – its old, sure, but being successful is always a good feeling!
P.S: This isnt REALLY Gregory Evans account. We setup this account because .. well.. the name was available! We thought it was in good taste as the No #1 hacker’s twitter feed got hacked the other day, his site is riddled with XSS exploits, and his book is copypasta from a variety of certification exam prep books. Thanks to Nick and mckt for the work and tootilage, respectively. No noobs were harmed in the making of this film.
However good or bad you think you are at security, this may put a few details into perspective for you:
In the last few weeks Ligatt Security has been “making headlines” with their 90′s-esque hackers-style commercials and advertisements – the three most notable of which advertise that large black men, 12 year old boys, and “hackers” with what appear to be ethernet-enabled projectorgoggles are “out to get you”. Their fear-based marketing campaign slants the average computer users security experience using the standard “if you don’t hire us, your life is pretty much over” routine.
It’s a pretty huge bag of fail – I really hope this is a learning experience for them. One of the more important ‘scout badges’ I’ve earned in my time as a contractor so far is “practice what you preach”. A “large”, publicly traded “information security company” probably should have taken the time to do some BASIC SECURITY on their own website – CLICKY!
EDIT: After a couple of twitter posts about this they’ve firewalled me off of the host. Firewalling one guy isn’t gonna help guys, I’m certain I’m not the only person to have found a CORNUCOPIA of publicly available vulnerabilities on your site.
How many of those wordpress, joomla, drupal blogs, web2.0 products of various sort and other websites do you go to that are encrypted using SSL(https)? How many times a day to you enter your credentials, or use cookie based (the ‘remember me’ checkbox type) authentication on websites a day? Do you find yourself in coffee shops, or other public wifi frequently and sometimes wonder who is watching your traffic?
I know I do. Up until now I’ve been using SSH tunnels to get my traffic back home where I know nobody is running a packetsniffer. The trouble with SSH tunnels though is that they’re fickle, and often drop. I wanted a better solution – so I made one.
I was late to hear – by a day. Thats 10 years in internet time, we all know. If you’re not in InfoSec you probably didn’t hear. Maybe you heard somewhere, irc, twitter, other bits of the intarnets that Kevin Mitnick got hacked. Everyone chuckled. As it turns out a whole bunch of people got compromised. People I know personally who I consider friends. Rob Fuller, Dan Kaminsky, the Hak5 group and a handful of others, including Kevin Mitnick.
Personal details were revealed, emails, chat logs – pretty scary stuff – and very sobering. A clear demonstration that things like cross site scripting and the spreading of malware (likely for the use of cascading spam or addition to botnets) is the least of our problems. Also clear proof that people who consider themselves security folks have to be very wary of using creature comforts such as reusing passwords or even operating a wordpress blog (3 updates in a month?! and 2.8.2 is vulnerable? gaw!).
I’m very very open and transparent about security, technology and what I do. I’ve written documentation so thorough that my clients have ended the contracts stating “we dont need you anymore – with these docs we can do the work ourselves” – in the grander scheme of things thats awesome. I love it when clients learn from me and it makes me feel really good about what I do – especially if it sticks the first time – but it certainly is prohibitive towards me paying my rent.
I’ve been very vocal in the last year about what I do – to the point it manifests itself as talks I give during BarCamp (LA and San Diego), and Refresh San Diego which is held at Qualcomm. Here is my most recent talk
Video courtesy of @northlight
I thought that doing security101 at places like oggis may have been a tactical mistake because I want people to actually learn and benefit from some of this stuff, so having the discussion broken by the wait staff frequently simply murdered all the momentum the discussion had and the event turned into a hacking 101 lab where I just demonstrated attacks.
That being the case doing a security101 class in an actual classroom environment where I can have the attendees comfortable and perhaps even have a projector would likely be far far better. Phelan was gracious enough to let me usurp the january installment of refreshsd to give my security101 talk in a more meaningful and more formal environment. Refresh this month is on the 13th – see refreshsd.org for details, or see the meetup group.
Here is my proposed curriculum:
- How do computers talk?
- what is a packet?
- whats IN a packet?
clear text versus encryption (http, ftp, dns)
how websites pass information around
How to tell if the site you’re on is passing your information encrypted or not.
Some network voodoo – watching the stream
-watching dns queries
(the next three may or may not be permitted depending on qualcomms network configuration)
basic man in the middle example
faking ssl certs
Hope to see you all there!
Everyone knows that there are vunlerabilities from time to time and you should upgrade things like wordpress, windows, osx and other pieces of software commonly used by lots of people. One thing that people don’t take into account is the actual times and dates of the proof of concept (POC), subsequent weaponization of the exploit (if it came from a nefarious source) then the vendors patch and announcement (if they even notice or care).
Lets take the most recent exploit that came out for internet explorer as our example. The first easily referencable date I could find for this exploit.
Thats right – Four days from POC to “publically downloadable and available for anybody to use“.
The day I’m writing this post (Monday Night, Dec 16) The microsoft investigation page still says they’re investigating. If they have any sense tomorrows ‘patch tuesday’ security patch should contain a fix.
That being said – It’s been a week and there is no patch. What does that mean for the end user, CEO, Marketing folks, Sales people, Graphic Artists and other people who arent focused on security all the time?
Not everyone has to be security concious all the time. For that theres people like us!
Heres something I see every day: The list of new exploits that come out on milw0rm.com (which is just one of the many sites that exist for publishing known exploits):
Look at the third one down on Dec 15