November 21st, 2008

LDAP password audit and general hackery

I have a few smaller tools/scripts I’m going to be posting in the near future on a new hackery page. Some of these are random things that don’t quite deserve a whole project page, but I still wanted to put a general reference together.

The first thing I’m putting up is a small tool that will dump out a unix-like password file given an LDAP database dump in LDIF format. The point of this is so that you can audit your LDAP passwords with something like John the Ripper. Here’s an example usage:

./ldap-passwd-dump.py 

usage: ./ldap-passwd-dump.py <ldif file> <output password file> [<user matchString>]
       example: ./ldap-passwd-dump.py ldif.out passwd.txt "^ou: MyGroup"
       (matchString default is "objectClass: posixAccount")

 # Dump the initial database with slapcat
 $ slapcat > ldap.out
 $ ./ldap-passwd-dump.py ldap.out pw.out
 [*] Adding new user [New User, newuser] to results
 [*] Adding new user [A User, auser] to results
 [*] newuser:$1$xxxxxx$xxxxxxxxxxxxxxxxxxxxxx:::New User
 [*] auser:$1$xxxxxx$xxxxxxxxxxxxxxxxxxxxxx:::A User
 [*] Wrote [2] password lines to [pw.out]
 [*] Done

$ john pw.out

Anyway, hopefully it’s mildly useful to a couple of people. Since the standard PAM modules for password policy enforcement are a little harder to use with LDAP, weak LDAP accounts sometimes seem to linger around for longer than intended. Let me know if you have any problems running it; I know there are several different possible password encoding and hashing types, and posixAccount setup schemas, so YMMV.
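To show what the dump actually involves, and the two encoding details that trip such scripts up, here is an added example in Python. It is not the ldap-passwd-dump.py code from this post; the LDIF sample is constructed with placeholder hashes, and the function and variable names are this example’s own. It handles the two slapcat habits that matter for an audit: long values are folded onto a continuation line that begins with a space, and values that are not plain-text safe are base64-encoded with a double colon (`userPassword:: ...`), so a hash can be missed if you only grep for `userPassword:`. The selector argument mirrors the tool’s matchString (a regex applied to each `attr: value` pair), and an RFC 2307 `{CRYPT}` prefix is stripped because john expects the bare crypt(3) string; other schemes are passed through with their prefix.

```python
import base64
import re

# Constructed sample in slapcat's LDIF format with placeholder hashes; it is
# not real directory data. The first userPassword is base64-encoded ("::")
# and folded across two lines, which is how slapcat emits values that are not
# safe as plain text or that run past the line-length limit.
HASH = "$1$xxxxxx$xxxxxxxxxxxxxxxxxxxxxx"
_B64 = base64.b64encode(("{CRYPT}" + HASH).encode()).decode()
SAMPLE_LDIF = "\n".join([
    "dn: uid=newuser,ou=People,dc=example,dc=com",
    "objectClass: posixAccount",
    "ou: Staff",
    "uid: newuser",
    "cn: New User",
    "userPassword:: " + _B64[:24],
    " " + _B64[24:],                      # folded continuation line
    "",
    "dn: uid=auser,ou=People,dc=example,dc=com",
    "objectClass: posixAccount",
    "uid: auser",
    "cn: A User",
    "userPassword: {CRYPT}" + HASH,
    "",
    "dn: uid=shauser,ou=People,dc=example,dc=com",
    "objectClass: posixAccount",
    "uid: shauser",
    "cn: Ssha User",
    "userPassword: {SSHA}c2FsdGVkaGFzaC1wbGFjZWhvbGRlcg==",  # constructed value
    "",
    "dn: uid=nopw,ou=People,dc=example,dc=com",
    "objectClass: posixAccount",
    "uid: nopw",
    "cn: No Password",
    "",
    "dn: cn=staff,ou=Groups,dc=example,dc=com",
    "objectClass: posixGroup",
    "cn: staff",
]) + "\n"


def parse_ldif(text):
    """Parse LDIF text into a list of entries, each a dict attr -> [values].
    Folded lines are joined (a leading space marks a continuation) and
    base64 values ("attr:: ...") are decoded, so a hash that slapcat chose
    to encode is not silently skipped."""
    entries, attrs = [], {}
    unfolded = re.sub(r"\r?\n ", "", text)
    for line in unfolded.splitlines():
        if not line.strip():                 # blank line ends an entry
            if attrs:
                entries.append(attrs)
                attrs = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):            # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        elif value.startswith("<"):          # URL-referenced value; not dumped
            continue
        else:
            value = value.strip()
        attrs.setdefault(name, []).append(value)
    if attrs:
        entries.append(attrs)
    return entries


def dump_passwd(text, match_string="objectClass: posixAccount"):
    """Return unix-like 'uid:hash:::cn' lines for every entry that has at
    least one 'attr: value' pair matching the regex match_string (the same
    selector style as the tool's optional third argument, e.g. "^ou: Staff")."""
    selector = re.compile(match_string)
    out = []
    for entry in parse_ldif(text):
        if not any(selector.search(f"{name}: {v}")
                   for name, values in entry.items() for v in values):
            continue
        uid = entry.get("uid", [None])[0]
        pw = entry.get("userPassword", [None])[0]
        if uid is None or pw is None:
            continue                         # nothing to audit without both
        # RFC 2307 stores crypt(3) hashes as "{CRYPT}<hash>"; john wants the
        # bare hash. Other schemes ({SSHA}, {MD5}, ...) keep their prefix so
        # the reader can see what the directory actually holds.
        m = re.match(r"\{(\w+)\}(.*)", pw, re.S)
        if m and m.group(1).upper() == "CRYPT":
            pw = m.group(2)
        cn = entry.get("cn", [""])[0]
        out.append(f"{uid}:{pw}:::{cn}")
    return out


if __name__ == "__main__":
    for line in dump_passwd(SAMPLE_LDIF):
        print(line)
```

Running it prints three lines: the two `{CRYPT}` accounts with the prefix removed (the base64-encoded one decoded first) and the `{SSHA}` account unchanged; the account with no userPassword and the posixGroup entry are left out.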

Look for some more things to be posted to the hackery page in the coming days.

BotHunter LiveCD and new releases

It looks like BotHunter has been busy since the last time I was looking at them. They have a new Live CD to test out the software, and some new releases with some new features (including a GUI) that are worth checking out. Here’s the blurb on what bothunter does:

BotHunter is a passive network monitoring tool designed to recognize the communication patterns of malware-infected computers within your network perimeter. Using an advanced infection-dialog-based event correlation engine (patent pending), BotHunter represents the most in-depth network-based malware infection diagnosis system available today.

Last time I tried them out, the installation was a bit clunky, but overall it was a very valuable tool. Having the correlation between the different major points in the bot life cycle really helps with much more accurate detection. In tests it did a much better job than a traditional IDS at reducing false positives to the point of producing usable results.

If you’re interested in the subject, this is a good white paper on their design, how they do the correlation between different points in the life cycle, and some of the anomaly detection features they’ve added among other things. I thought it was well worth the read.

Unclogging the tubes

D’oh. We had some problems with the MRL server over the last week, but things are slowly coming back to life. The wiki and CVS are still down, but most things should be back up for the meantime. We’ll probably be migrating again in a few weeks to a more permanent location, but hopefully that should be a more graceful move, :) .

Depant your network

MRL has a new tool we’re releasing that will check your network for services with default passwords. The tool is called depant ((DE)fault (PA)ssword (N)etwork (T)ool). Depant works by downloading a default password list, and then mapping out the local network to see what open services are available. Once it has a list of services, it will test each service for default passwords. Once it’s gone through each of the services, depant will determine the fastest service (as recorded in phase one) and use it to perform an optional second phase of tests with a larger (user-supplied) set of default users/passwords.

By default depant has a list of “safe” services to test. These are tested services that hydra seems to work well with. Currently it’s a small list, as depant (and hydra) need to be tested against more networks to see which services are good defaults to test for. Alternatively, a user can specify ‘-A’ to scan all ports that hydra knows services for. You can also specify only certain ports with ‘-o’ (it supports ranges and comma-separated lists). If any errors arise from running with extra services, please try to run depant with the ‘-d’ flag (debug), and send us the output.

User/Password combinations can be entered in one of two ways, either with separate files for usernames and passwords (this will test every combination of username/passwords), or with a “combined” file that has entries formatted like “username:password”. ‘-u’, and ‘-p’ (or ‘-U’, and ‘-P’ for the second phase) specify the individual username/password files, and ‘-c’ (or ‘-C’ for the second phase) specifies a “combined” username:password file. Only one of these methods is intended to be used at one time.

Here is the usage information, along with a couple examples:

usage: depant ( -H <host> | -f <hostList>) ( -c <userPassList> | -u <userList> -p <passList>) <options>
Options:
-H <host (or CIDR block) to scan>
-f <host list file> (each ip or CIDR block per line)
-e <exclude hosts list> (each ip or CIDR block per line)
-g <output file for default password list> (Gets list from Phenoelit site)
-c <combined user:password list> (not in conjunction with -u/-p)
-u <username list> (used in conjunction with password list)
-p <password list> (used in conjunction with username list)
-o <port list> (e.g. 21,22,137-139 default is “safe ports”)
-O <output file> (CSV log of any user/passwords we find)
-C <second phase combined user:password list> (not in conjunction with -U/-P)
-U <second phase user list>
-P <second phase password list>
-A (run all ports hydra knows about)
-D (Do a dry run only, map network, and output what things are going to be checked)
-h (help)
-d (debug)

Examples:
Downloads the default password list into dpl.txt:

./depant.py -g ./dpl.txt

Checks for the user:pass combinations in dpl.txt on all ports for ips in hosts.txt:

./depant.py -f ~/hosts.txt -d -A -c dpl.txt

Checks the network services anywhere in 192.168.1.1/24 (excluding hosts listed in exclude.txt)
with the users and passwords specified, and if nothing is found, it will check the
larger user and dictionary list against the fastest service:

./depant.py -A -H 192.168.1.1/24 -e exclude.txt -u users.txt -p passwd.txt -U more-users.txt -P big-dict.txt

And here’s a quick example of it running against a local system. This will check against a combined user/password file for the first phase, and then use the separated user and password files for the second phase. You can see that in the second phase it is able to find a username and password:

$ depant -c ./dpl -U ./user.txt -P ./pass.txt -H 127.0.0.1/30

-=[[ Depant v0.1a ]]=-
-=[[ Midnight Research Labs ]]=-

[*] Phase 2 scanning enabled
[*] Starting phase 1 nmap scan of [2] host(s)
[*] Adding host [127.0.0.1] port [22] to list of services to test
[*] Found [1] thing(s) to check for default passwords
[*] Starting phase 1 hydra scans
[*] Checking for default passwords on host [127.0.0.1] port [22]
[*] Fastest service to run second phase on is [127.0.0.1] port [22]
[*] We did not find results in phase one… going to second phase
[*] Starting phase 2
[*] Checking for default passwords on host [127.0.0.1] port [22]
[!!!] Found user [testuser] with pass [YourPasswordSucks] on [127.0.0.1] service/port [22]
[!!!] We found logins on [1] hosts
[*] Total runtime was [34] seconds
[*] Finished.

Thanks to the other resources that make something like this possible. Hydra does the password brute-forcing, and nmap does the actual scanning. Also thanks to Phenoelit for the default password list.
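The run above has hydra working through SSH on port 22, which means that on the target the sweep lands in sshd’s auth log: a burst of failed logins for many different usernames from one source, followed (in the second phase) by an accepted one. As an added example from the defender’s side (not part of depant, hydra, or this post), here is a small Python detector over constructed auth.log lines that flags a source trying several distinct usernames within a short window and reports whether any login from that source later succeeded. The thresholds, log lines and function names are this example’s own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log lines in syslog format (sshd omits the year); they are
# not from any real system. The first source sweeps five usernames in four
# seconds and then logs in; the second is an ordinary user who mistyped once.
SAMPLE_LOG = """\
Nov 21 03:14:01 host sshd[4101]: Failed password for invalid user admin from 192.0.2.10 port 51022 ssh2
Nov 21 03:14:02 host sshd[4102]: Failed password for root from 192.0.2.10 port 51023 ssh2
Nov 21 03:14:02 host sshd[4103]: Failed password for invalid user guest from 192.0.2.10 port 51024 ssh2
Nov 21 03:14:03 host sshd[4104]: Failed password for invalid user test from 192.0.2.10 port 51025 ssh2
Nov 21 03:14:04 host sshd[4105]: Failed password for invalid user cisco from 192.0.2.10 port 51026 ssh2
Nov 21 03:14:05 host sshd[4106]: Accepted password for testuser from 192.0.2.10 port 51027 ssh2
Nov 21 03:20:11 host sshd[4200]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Nov 21 03:20:40 host sshd[4201]: Accepted password for alice from 198.51.100.7 port 40001 ssh2
"""

# "invalid user" appears when the account does not exist; either way the
# username attempted is what we want, so the phrase is made optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2008):
    """Return {ts, result, user, ip} for a password-auth line, else None.
    The year is supplied by the caller because syslog timestamps lack it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def find_sweeps(log_text, min_users=4, window_seconds=60):
    """Return {ip: {"users": [...], "succeeded": [...]}} for every source
    that failed logins for at least min_users distinct usernames inside any
    window_seconds-long window. Thresholds are assumptions for this example;
    tune them to the environment (a single user retrying one account should
    never trip this, a credential sweep should)."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    hits = {}
    for ip, events in by_ip.items():
        failed = sorted((e for e in events if e["result"] == "Failed"),
                        key=lambda e: e["ts"])
        start = 0
        for end in range(len(failed)):
            # slide the window start forward until it fits within the limit
            while (failed[end]["ts"] - failed[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if len({e["user"] for e in failed[start:end + 1]}) >= min_users:
                hits[ip] = {
                    "users": sorted({e["user"] for e in failed}),
                    # any accepted login from a sweeping source is the line
                    # an incident responder needs to see first
                    "succeeded": sorted({e["user"] for e in events
                                         if e["result"] == "Accepted"}),
                }
                break
    return hits


if __name__ == "__main__":
    for ip, info in find_sweeps(SAMPLE_LOG).items():
        print(f"[!] {ip} tried {len(info['users'])} usernames: {', '.join(info['users'])}")
        if info["succeeded"]:
            print(f"[!!!] {ip} later logged in as: {', '.join(info['succeeded'])}")
```

On the sample this flags 192.0.2.10 (five usernames in four seconds, then a successful login as testuser) and ignores 198.51.100.7, whose single failure is normal user behaviour. The same counting by distinct usernames rather than by raw failures is what keeps a legitimate user’s typos below the threshold.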

We’re very interested in getting feedback for this or anything else we’re up to. Let us know either way, whether you run into major problems or it works well for you. You can try running the tool with “-d” (for debug) to get extra information during the run. If you submit any bugs, please include the debug output to help us troubleshoot the issue. You can email me at aaron {@t} midnightresearch.com if you have any feedback (which is greatly appreciated).

Happy Downloading, :) .

Update: Here’s an updated version that adds a couple extra options to optimize the nmap flags that are run.

“MIFARE Classic” report released

Researchers from the Institute for Computing and Information Sciences at Radboud University in The Netherlands have, at long last, published their report (PDF) on the security posture of the MIFARE Classic system. The report, simply and appropriately entitled “Dismantling MIFARE Classic”, was presented as part of the 13th European Symposium on Research in Computer Security (ESORICS 2008).

At a mere 18 pages, the report still provides good detail about the team’s findings, including the hardware setup, the crypto used by MIFARE Classic (including the oft-ridiculed 48-bit CRYPTO1 cipher), and exploits that can be launched against the system. Additional information can be found at the homepage of Flavio D. Garcia, one of the researchers involved.

Hat tip to Security4all for the notification on this paper.

Clickjacking details released

It looks like some of the details on clickjacking have been finally released. There are tons of different variants of it that have different impact, and varying levels of remediation. Here’s a quote from RSnake on this:

First of all let me start by saying there are multiple variants of clickjacking. Some of it requires cross domain access, some doesn’t. Some overlays entire pages over a page, some uses iframes to get you to click on one spot. Some requires JavaScript, some doesn’t. Some variants use CSRF to pre-load data in forms, some don’t.

There’s a proof of concept for camera hijacking along with a video of it. There’s also PoC of hijacking your microphone from RSnake. There’s supposed to be some clickjacking code released here, but I wasn’t able to download it when I tried last. (edited: code link should work now)

Here’s a couple of the bad ones:

Issue #2a STATUS: To be fixed in Flash 10 release. All prior versions of Flash on Firefox on MacOS are particularly vulnerable to camera and video monitoring due to security issues allowing the object to be turned opaque or covered up. This fix relies on all users upgrading, and since Flash users are notoriously slow at upgrading, this exploit is expected to persist. Turning off microphone access in the bios and unplugging/removing controls to the camera are an alternative. Here is the information directly from Adobe.

and

Issue #2b STATUS: Resolved. Flash security settings manager is also particularly vulnerable, allowing the attacker to turn off the security of Flash completely. This includes camera/microphone access as well as cross domain access.

RSnake is going to be releasing a full paper in the next day or two, and hopefully more patches will be rolling in. In the meantime maybe it’s time for an internet vacation, :) .

Update: Here’s a more informative video from Jeremiah Grossman on the webcam hijacking
Update 2: The link to the clickjacking code was fixed on the ha.ckers.org site.

Helix v2.0 released

Helix is the definitive computer forensics and incident response live CD distribution, and it has recently released version 2.0. Here is the list of updated features. Among lots of new tools and tool upgrades, one big change is that it is now based on Ubuntu rather than Knoppix. Some other cool new tools that have been added to Helix are winlockpwn, which bypasses Windows authentication via FireWire; Volatility, for parsing processes, network information and many other things out of raw memory; and something else cool from metlstorm, bioskbsnarf, which parses the real-mode keyboard buffer out of the BIOS data area. It looks like a couple of the newer memory dumping utilities for Windows have also been added to the Windows live portion of the distro.

The only bad thing that I’ve noticed is that the static binaries (important for incident response) are no longer distributed directly on the CD, but at least they are still available for download. Maybe they (or someone else) will put together a DVD that includes these.

I was told a while before the release came out that it was no longer going to be free, so I’m pretty glad to see this release is public and still free. That being said, it’s a worthwhile project to contribute to, so I’d suggest buying a pressed CD to help them out. If not — happy downloading, :) .


PS — And yes, it is v2.0 that has been released despite them calling the distribution “Helix 3” for some slightly confusing reason. :)

Toorcon (en route)

I’m at the airport at a very unearthly hour, but the bright side is that I’m headed to Toorcon. If you’re around at Toorcon, I’ll be the one in a black t-shirt, :) . I’m looking forward to hanging out with some people that I haven’t seen since the last conference. See you there…

XSRF and Identity Misbinding Attacks

I thought this was kind of a clever chain of attack vectors. I think it illustrates well how you can take multiple smaller security problems, and use the series to exploit something greater (in this case youtube accounts).

In the post Jeremiah links to a good paper that has some other interesting attack vectors. The paper starts with basic XSRF and current remediation strategies, but then goes into some new attacks that cause a victim user to log into a site with the attackers credentials. They outline a couple of scenarios where this could allow them to gather credit cards through PayPal, or credentials for iGoogle. They also poke holes in some of the current remediation strategies and even some of the tools that implement them. Defense against this kind of login XSRF is difficult because it requires maintaining some type of pre-session session/token, so they also have some recommendations for adding a new standard Origin HTTP header which has a number of advantages. It’s good reading, you should go read it if you’re at all interested in web security.
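The Origin header idea is cheap to act on once a browser sends it, and the point of login XSRF is that the check has to cover the login POST itself, not only requests made after a session exists. As an added example (not code from the paper or from Jeremiah’s post), here is a Python function that decides whether a state-changing request may proceed from its headers alone. The policy it encodes is this example’s assumption: safe methods pass; if Origin is present it must equal the site’s own origin (the opaque value `null` is rejected); if Origin is absent, as it is for older browsers, the Referer is used as a fallback; with neither, the request is denied. The site origin and function names are assumptions as well.

```python
from urllib.parse import urlsplit

# Assumed origin of the site being protected (constructed for this example).
SITE_ORIGIN = "https://www.example.com"

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def origin_of(url):
    """Reduce a URL to scheme://host[:port] for comparison; None if it has
    no scheme or host (e.g. a relative or malformed Referer)."""
    p = urlsplit(url)
    if not p.scheme or not p.netloc:
        return None
    return f"{p.scheme}://{p.netloc}".lower()


def request_allowed(method, headers, site_origin=SITE_ORIGIN):
    """Return (allowed, reason) for a request given its method and headers.

    Apply this to every request that changes state, and in particular to the
    login form POST: a login XSRF works precisely because the login request
    itself is usually left unchecked (there is no session yet to tie a token
    to). The Origin header needs no pre-session state, which is what makes
    it attractive for that case."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"

    h = {k.lower(): v.strip() for k, v in headers.items()}
    site = site_origin.lower()

    origin = h.get("origin")
    if origin is not None:
        if origin.lower() == "null":
            # sent for sandboxed or privacy-sensitive contexts; the request
            # cannot be attributed to a site, so treat it as foreign
            return False, "opaque (null) origin"
        if origin.lower() == site:
            return True, "origin matches"
        return False, f"origin {origin} is not {site_origin}"

    # Fallback for clients that do not send Origin (an assumption of this
    # example's policy; Referer is suppressed by some proxies and clients).
    referer = h.get("referer")
    if referer is not None:
        if origin_of(referer) == site:
            return True, "referer matches"
        return False, "referer does not match"

    return False, "no Origin or Referer on a state-changing request"


if __name__ == "__main__":
    print(request_allowed("POST", {"Origin": "https://www.example.com"}))
    print(request_allowed("POST", {"Origin": "https://attacker.example"}))
    print(request_allowed("POST", {}))
```

The last branch is the deliberate trade-off: denying header-less POSTs blocks a few old clients but is the only choice that does not leave the login form open to a cross-site submission; the alternative, accepting them, is only reasonable if a pre-session token is also in place.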

(In)secure Magazine Issue 18

There’s a new issue of (In)secure Magazine out and available for download. It looks like it has a few interesting articles in it on different security tools, PCI (WAF vs. code review) and secure web programming. They usually have some interesting content to flip through, and it’s nice to have it as downloadable content.
