Cyber Operations: second edition

The second edition of my book is now available!

Though the book ended with 1134 pages, believe it or not, I had quite a bit of material that did not fit. There is supplemental material for each chapter including exercises and additional notes, like the release dates of various pieces of software.

• Chapter 1 System Setup Supplement
• Chapter 2 Basic Offense Supplement
• Chapter 3 Operational Awareness Supplement
• Chapter 4 DNS and BIND Supplement
• Chapter 5 Scanning the Network Supplement
• Chapter 6 Active Directory Supplement
• Chapter 7 Remote Windows Management Supplement
• Chapter 8 Attacking the Windows Domain Supplement
• Chapter 9 Privilege Escalation in Linux Supplement
• Chapter 10 Logging Supplement
• Chapter 11 Malware and Persistence Supplement
• Chapter 12 Defending the Windows Domain Supplement
• Chapter 13 Network Services Supplement
• Chapter 14 Apache and Modsecurity Supplement
• Chapter 15 IIS and Modsecurity Supplement
• Chapter 16 Web Attacks Supplement
• Chapter 17 Firewalls Supplement
• Chapter 18 MySQL and MariaDB Supplement
• Chapter 19 Snort Supplement
• Chapter 20 PHP Supplement
• Chapter 21 Web Applications Supplement

You can also download the scripts that are in the textbook from GitHub.

Cyber Operations: The Book

So what have I been doing over the last year and a half? Why has this blog gotten so eerily quiet?

You can now pick up a copy at Amazon.

Security News #0x89

• Metasploit has a new Browser Autopwn module! If you want to learn how it works, take a look at Part 2 of that series.
• There is a new OS X 10.10 local root privilege escalation attack, that is so sophisticated it fits in a tweet. Yeah, it is in Metasploit.
• There is also a new Metasploit module for local privilege escalation on Windows; this affects Windows 7 and Windows Server 2008 R2. The underlying vulnerability is CVE 2015-1701 and was patched by MS 15-051.
• There is another Windows local privilege escalation attack available; this one coming from the results of the Hacking Team. This underlying problem is CVE 2015-2426 and patched by MS 15-078.
• There is a new Metasploit module for Adobe Flash, Adobe Flash Player Drawing Fill Shader Memory Corruption. This targets CVE 2015-3105. The exploit has been tested on a number of combinations, including Windows 7 (32 bit), Flash 17.0.0.188 and IE 11 or Firefox 38.0.5; it also works against Windows 8.1 (32 bit) with Flash 17.0.0.188 and Firefox 38.0.5. More interestingly, it also works against Mint 17.1 (Rebecca) (32 bits) with Firefox 33.0 and Adobe Flash 11.2.202.460. This success against Linux targets differentiates this Flash exploit from previous ones.
• There is another new Metasploit module for Adobe Flash, Adobe Flash Player ShaderJob Buffer Overflow; this one exploits CVE 2015-3090. Like the previous, this one also hits both Windows and Linux targets, including Windows 7 SP1 (32 bit) with Flash 17.0.0.169 and either IE11 or Firefox 38.0.5; Windows 8.1 with FLash 17.0.0.169 and Firefox 38.0.5, and Mint 17.1 (Rebecca) (32 bits) with Firefox 33.0 and Adobe Flash 11.2.202.457.
• As proof positive that I have spent too much time on my book and not enough on the blog, here is a third Metasploit module attacking Adobe Flash; this one exploits CVE 2015-5122 and impacts a range of Adobe Flash versions, including Adobe Flash 18.0.0.203 on Windows 8.1 (32 bit). Take a look at the module’s source code for a list of tested targets.
• Another new module is VNC Keyboard Remote Code Execution, which attacks VNC servers on Windows or Linux.
• Did you know it is possible to perform SSL certificate verification on your Metasploit shells? Well, I didn’t.
• There is a Metasploit module module to forge certificates to allow and SSL MITM attack. The underlying problem, CVE 2105-1793 impacts OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c. Qihoo 360 has some technical details of the flaw.
• There is a local privilege escalation attack now available for Ubuntu 15.04, 14.10, 14.04, and 12.10. The underlying vulnerability is CVE 2015-1328.
• Cisco apparently has default SSH keys on a number of their applicances.
• Vlad Tsyrklevich has an interesting discussion on the state of the 0-day market based on fallout from the Hacking Team dumps.
• One of the attacks described in my forthcoming book is a brute force attack against an SSH server. Well, there is now a better way to run such attacks, at least against OpenSSH. Try Ars Technica for some perspective.
• One interesting bit of fallout from the Hacking Team leak is the fact that they had a UEFI BIOS rootkit that would provide persistence across even replacing the hard drive.

Security News #0x88

So, where have I been for the last month? Lots of grading! However, that is now done, and my students have graduated into the wide wide world (Good luck all!).

The book is moving along smartly. The first draft is finished- 750 pages of hacking goodness. Technical reviews is about half finished, and we are looking at publication in a few more months.

In the meantime though, there has been a lot of news….

• For years I relied on Sourceforge as a location to find high quality open source tools. Well it seems that they have gone over to the dark side, and are now adding adware to Windows installers for projects on their site. This became big news when GIMP announced this had happened to them. For some details, see Ars Technica.
• There is a new local privilege escalation exploit for Windows 8 that has appeared at Exploit-db. This is a Python based exploit that attacks CVE 2014-4113 and was patched in MS 14-058. I tried the exploit on a couple of virtual machines though, and could not make it work.
• There is a new local privilege escalation exploit for Windows 7 (x86) that has appeared at Exploit-db. This one appears to attack CVE 2015-0003 and was patched in MS 15-010.
• There is also a new local privilege escalation exploit available for recent Ubuntu systems using apport; this one also appeared at Exploit-db. This exploits
  CVE 2015-1325, though this has not yet made it into the official MITRE database.
• There is a new Metasploit module that exploits Flash 17.0.0.134 on Windows 7 SP1. The underlying vulnerability is CVE 2015-0359.
• Don’t forget about the latest name brand vulnerability, VENOM (CVE 2015-3456). This affects QEMU and Citrix Xen.
• Talking about exploits, have you read about the proposed arms control restrictions on exploits?
• Raphael Mudge has another nice post on how to use Mimikatz to pass the hash.
• There is a trojaned version of PuTTY in the wild. Be sure to check those hashes folks! FCIV is your friend here.
• There is a nice summary of NCCDC from the Red Team point of view on Lockboxx.
• Have you considered writing your own Snort rule to detect Meterpreter reverse HTTP shells?

Security News #0x87

• As someone who has coached three different teams to the finals of the National Collegiate Cyber Defense Competition, let me say that Raphael Mudge’s analysis is spot on and hugely helpful. Mind you, there is a difference between knowing what Red Team wants to do, and being able to meaningfully stop them…..
• If you are looking for a nice write-up on MS 14-068, head over to Veris Group and read what one of my ace former students has to say.
• There is a new denial of service attack against Minecraft servers.
• If you want to see a technical analysis of MS 15-034, the recently announced vulnerability in HTTP.sys, you might want to head over to Security Swift and a recent piece by Mike Czumak.
• Metasploit is developing a DoS exploit to attack MS15-034. I wonder how long it will be before this becomes remote code execution.
• If you want to see some of the technical details behind the recent Chinese attack against GitHub, check out Netresec.
• There is a (post-authentication) backdoor available for pfSense firewalls. This backdoor was used extensively during the 2015 SECCDC. Sam Cappella talks about his experience on Red Team at the SECCDC, including the development of the backdoor.
• One interesting area of research over the last few years has been looking at statistical patterns of people’s passwords. Take a look at the recent blog post of Julian Dunning to get a better handle on the question.
• CVE 2015-1862 is a vulnerability in Linux systems that can potentially result in privilege escalation. Tavis Ormandy has proof of concept exploits.
• The New York Times has a piece on how car thieves might be able to break into cars using a power amplifier.
• There is a new Metasploit privilege escalation exploit for Mac OS X, named “Rootpipe”. The underlying vulnerability is CVE 2015-1130.
• An older way to attack Windows systems is to pass a URL like file://a.b.c.d to Internet Explorer; then Windows attempts to authenticate via SMB and so credentials can be harvested. It turns out that HTTP redirects (302) can be used to accomplish the same task.
• There is a proof-of-concept exploit for CVE 2015-0240, which is a vulnerability in Samba.
• Have you seen this interesting approach to attacking Gnome screensavers?
• Here is a neat piece on detecting debuggers. Not my area of expertise at all, but an interesting read nevertheless.

Security News #0x86: The MACCDC Edition

Congratulations to UMBC, who won the just completed Mid-Atlantic Collegiate Cyber Defense Competition. The University of Maryland came in second and we at Towson came in third. Thanks go to the organizers, especially Lewis Lightner for putting on a professional event. Thanks also go to the red team (captained by Rob Fuller); they are all volunteers who take time out of their schedules to come down and help teach my students. Well done all!

• Raphael Mudge has an excellent post on the red team perspective of the first five minutes of a CCDC event. If you haven’t seen how the CCDC event runs, students are given (usually) older unpatched systems, and the start of the event is utter mayhem as students try to change default passwords and update systems while the red team is busy pwning all the things and setting up persistence. He ends with the question- should it be this way? As a professor and coach, I say emphatically no. The just completed MACCDC event had students defending unpatched Windows 2000 and Windows 2003 servers and a Red Hat 7.2 server. Most defensive tools don’t work on such antiques, and the threat model is just silly. Why does CCDC rely on such old systems? MS 08-067. This, along with default credentials is the usual way (not the only way) that red team gets its initial footholds on systems. When I teach my class (which uses these types of exercises extensively) we do not use anything older than Windows 7 / 2008 R2. The systems are unpatched, but not vulnerable to remote network attacks like MS 08-067. To ensure red team gets a solid foothold, student teams are restricted to choose passwords from a small list; they are also required to open any emails received, visit any requested web pages, and run and received programs. This gives red team a variety of ways to get in, which means students can zero in on one or two attack types; they also get to use and deploy many other defensive tools (EMET or SRP anyone?). Competitions differ somewhat from classes, but as competition systems move towards virtualization there is no reason why the competition could not include unprivileged users on workstations doing all of the things real users do- opening carefully prepared packages of joy sent by attackers. If we don’t move to a model like this, the day will come when students are asked to defend systems that are older than they are.
• While I am thinking about the Red Team- the Nyan cat that was used to overwrite all of those MBRs is available.
• Lockboxx has a write-up on the just completed WRCCDC from the Red Team perspective.
• The Metasploit module to exploit Firefox 31-34 (CVE 2014-8636) is now available.
• Are you unsure how to set up and execute a reverse shell? Check out Arr0way who has put together an excellent cheat sheet.
• Did you know that Metasploit has a post module to search through local Outlook email messages?
• Windows registry keys can be made more difficult to examine by using non ASCII characters.
• It looks more and more like it is time to move away from RC4 in TLS.

Security News #0x85

• There is a new Metasploit module to exploit Adobe Flash player. Currently the module is restricted to only Internet Explorer on Windows 7 running Adobe Flash player 16.0.0.235. The underlying vulnerability is CVE 2015-0138 which is reported to impact Adobe Flash player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows and OS X and before 11.2.202.442 on Linux. The post from Project Zero at Google on this issue is well worth reading.

• There is a new Metasploit module to exploit Adobe Flash player. (Is there an echo here?) This module works on Windows 7 SP1 (32 bits), IE 8 to IE 11 and Flash 16.0.0.287, 16.0.0.257 and 16.0.0.235. Here the underlying vulnerability is CVE 2015-0311.

• It looks like Metasploit will soon be getting a module to exploit Firefox 31-34.. The underlying vulnerability is CVE 2014-8636, and he pull request (including code) is now available.

• The folks at Qualys have published a Metasploit module to exploit Exim mail servers. The underlying vulnerability is GHOST, CVE 2015-0235, which is a problem in the GNU C Library, in the gethostbyname() functions.

• Older versions of Windows were vulnerable to an attack that exploited how Windows handles shortcut files; there is an existing and a new Metasploit module to attack the problem; the vulnerability is CVE 2010-2568 and was patched in MS 10-046. Mostly. It turns out that the patch does not quite solve the problem, and there are two new Metasploit modules that are able to exploit the issue, even if MS10-046 is installed on Server 2003 SP2, or if MS14-027 is installed on Server 2008 SP2. (Sigh). The underlying vulnerability is now named CVE 2015-0096 and it was patched in MS15-020.

• openEMR 4.2.0 suffers from both Cross site scripting and SQL injection vulnerabilities.

• If you want to see how Red Team approached the pacific regional CCDC event this past weekend, take a look at the blog from LockBoxx.

• Did you know that you can grab plaintext passwords from a memory dump of lsass? Mimikatz for the win.

• Would you like to learn more pivoting using SSH and/or Meterpreter? Take a look at the post from Arr0way.

• Did you know it is possible to run man-in-the-middle attacks against MSSQL?

• Here is a neat trick that can recover a MySQL password without restarting the MySQL daemon.

• If you are a student looking at different ways to maintain persistence on a Windows system, you might want to take a look at the approach of blakhal0, who uses Windows scheduled tasks.

• RIP Terry Pratchett.
  

  +++ Divide By Cucumber Error. Please Reinstall Universe And Reboot +++
  — (Terry Pratchett, Hogfather)

Security News #0x84

• The big news of the week is the rowhammer attack which exploits hardware level features of DRAM chips. In particular, repeated accesses in one part of a memory row can flip a bit in an adjacent row. If that bit controls whether the process has read-write access to its own memory, then the attack can be leveraged to cause privilege escalation.
• Incursus Absconditus has a nice piece that shows how to hijack existing SSH connections.
• Did you know that it is possible to perform a full packet capture on a Windows box, beginning with system boot without using tools like Wireshark or tcpdump?
• GreyHatHacker.NET summarizes a number of techniques that can be used to bypass Windows UAC (User Account Control).
• Business Insider has an infographic that shows the largest data breaches by time.
• If you are a student (and aren’t we all students?) you might be interested in a nice piece by Mark Vavrusa entitled What a C programmer should know about memory.

Security News #0x83

• The blog Jump ESP, jump! has a nice piece on the different ways an attacker can backdoor a Windows domain. Definitely worth a read!
• In a similar vein, Harmj0y talks about how an attacker can exploit domain trusts as part of a compromise of a complex network.
• Matthew Green has an excellent summary of the FREAK attack against SSL, and how it can be considered a consequence of poor decisions about the export control of cryptography from the 1990s.
• There is proof of concept exploit for CVE 2014-7911, a local root exploit for Android.
• A new version of PuTTY (0.64) has been released to patch a recently discovered security hole.
• Are you interested in learning the technical details behind CVE 2015-0311, a recent vulnerability in Adobe Flash? Take a look at what Core Security has to say.
• It may turn out that the recent vulnerability in Samba (CVE 2015-0240) may not be exploitable. See also a PoC from worawit.
• We all know the importance of using salt in password hashing algorithms. For an overview of salts, how they work and how bad salting methods can be less secure, head over to CrackStation.
• Kahu Security has a nice walk through that shows how to find malware embedded in a Microsoft Word document, using tools like OfficeMalScanner and OleDump.
• There is a PowerShell script which tried to replicate many of the features of netcat.
• Moonpig is a company that sells personalized greeting cards in Britain. To say that their web security is sub-optimal, well, decide for yourself.
• Alternate data streams are an old way to hide data in on Windows systems. Now there is PowerShell script to inject code into an alternate data stream and execute it.
• I had never considered the idea of doing LDAP injection along the same lines as SQL injection. Neat.
• Did you know that 85% of the average tech workers wardrobe is free tech t-shirts?

Security News #0x82

• Tickets are available for BSides Charm, on April 11-12 in Howard County.
• Lenovo shipped PCs with adware that automatically performs a man in the middle attack against any SSL connections made from the system. The tool is called Superfish, and if you are running a Lenovo system and want to remove what can only be considered malware, head over to Lenovo support. If you want to see how the certificate can be exploited, check out Errata Security.
• There is a new privilege escalation attack (with exploit code) for Android systems. The underlying flaw is CVE 2014-7911.
• Someone has been able to reverse engineer the Apple Lightning cable.
• The folks at Google Project Zero have a nice blog entry full of technical goodness on the recent PCRE vulnerability in Flash CVE 2015-0318.
• Do you use random numbers in your C or C++ code? Do you use the rand() function? Then head over to Explicit C++ and learn!
• Have you considered using HoneyHashes as a way to detect Mimikatz use on a network?
• A new vulnerability, CVE 2015-0240 in Samba was announced. It may be possible to exploit the vulnerability to gain remote code execution without authentication; if so this would be a most significant issue.
• There is a new remote code execution vulnerability in PHP affecting PHP 5.4.1-5.4.3; this includes proof of concept exploit code. The vulnerability has been tentatively assigned the ID CVE-2015-0273.
• Did you know you can include custom payloads in your Metasploit modules?
• Would you like to be able to use Python to script connections to Microsoft RDP servers? Check out RDPY.
• There is a new Metasploit module to attack Java JMX servers.