March 7, 2015
- The blog Jump ESP, jump! has a nice piece on the different ways an attacker can backdoor a Windows domain. Definitely worth a read!
- In a similar vein, Harmj0y talks about how an attacker can exploit domain trusts as part of a compromise of a complex network.
- Matthew Green has an excellent summary of the FREAK attack against SSL, and how it can be considered a consequence of poor decisions about the export control of cryptography from the 1990s.
- There is a proof of concept exploit for CVE 2014-7911, a local root exploit for Android.
- A new version of PuTTY (0.64) has been released to patch a recently discovered security hole.
- Are you interested in learning the technical details behind CVE 2015-0311, a recent vulnerability in Adobe Flash? Take a look at what Core Security has to say.
- It may turn out that the recent vulnerability in Samba (CVE 2015-0240) is not exploitable. See also a PoC from worawit.
- We all know the importance of using salt in password hashing algorithms. For an overview of salts, how they work and how bad salting methods can be less secure, head over to CrackStation.
- Kahu Security has a nice walk through that shows how to find malware embedded in a Microsoft Word document, using tools like OfficeMalScanner and OleDump.
- There is a PowerShell script that tries to replicate many of the features of netcat.
- Moonpig is a company that sells personalized greeting cards in Britain. To say that their web security is sub-optimal, well, decide for yourself.
- Alternate data streams are an old way to hide data on Windows systems. Now there is a PowerShell script to inject code into an alternate data stream and execute it.
- I had never considered the idea of doing LDAP injection along the same lines as SQL injection. Neat.
- Did you know that 85% of the average tech worker's wardrobe is free tech t-shirts?
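To go with the salting item above: an added example (mine, not from the CrackStation article) that stores passwords with PBKDF2-HMAC-SHA256 and a random 16-byte salt per user, then reproduces the weak "one salt for the whole site" scheme to show what it leaks. The salt length, iteration count, and the sample credentials are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set, Tuple

# Parameters are assumptions for this example, not values from the article.
SALT_BYTES = 16
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn unless the caller supplies one."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # unique per stored password: the whole point of a salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def build_user_table(credentials: List[Tuple[str, str]],
                     shared_salt: Optional[bytes] = None) -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed credential store.

    shared_salt=None gives every entry its own random salt (correct).
    Passing one salt for everyone reproduces the weak 'global salt' scheme.
    """
    table = {}
    for user, password in credentials:
        table[user] = hash_password(password, shared_salt)
    return table


def duplicate_digests(table: Dict[str, Tuple[bytes, bytes]]) -> Set[bytes]:
    """Digests shared by more than one user. Any hit means equal passwords are visible
    in the stored data, and cracking one entry cracks every user with that password."""
    owners: Dict[bytes, List[str]] = {}
    for user, (_, digest) in table.items():
        owners.setdefault(digest, []).append(user)
    return {d for d, users in owners.items() if len(users) > 1}


# Constructed sample: two users happen to share a password.
SAMPLE_CREDENTIALS = [("alice", "hunter2"), ("bob", "hunter2"), ("carol", "correct horse")]

if __name__ == "__main__":
    good = build_user_table(SAMPLE_CREDENTIALS)
    weak = build_user_table(SAMPLE_CREDENTIALS, shared_salt=b"\x00" * SALT_BYTES)
    print("per-user salts, duplicate digests:", len(duplicate_digests(good)))
    print("shared salt,    duplicate digests:", len(duplicate_digests(weak)))
```

With per-user salts the table shows no duplicates even though alice and bob chose the same password; with the shared salt their digests are identical, which is exactly the pattern an offline attacker looks for.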
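For the LDAP injection item above, an added example (not from the page) of the SQL-injection analogy in code: a login filter built by string concatenation next to one that escapes user input per RFC 4515, plus a small structural check showing that the unescaped version lets input add assertions to the filter. The filter layout, the attribute names, and the sample input are constructed.

```python
import re
from typing import Dict

# RFC 4515 section 3: these characters must be hex-escaped inside a filter value.
_LDAP_FILTER_ESCAPES: Dict[str, str] = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Escape one user-supplied value so it can only ever be matched as a literal."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unsafe_login_filter(username: str, password: str) -> str:
    """Vulnerable pattern: the caller's strings become part of the filter grammar,
    exactly like string-built SQL."""
    return "(&(uid=" + username + ")(userPassword=" + password + "))"


def safe_login_filter(username: str, password: str) -> str:
    """Hardened pattern: every value is escaped before it is placed in the filter."""
    return ("(&(uid=" + escape_ldap_filter_value(username)
            + ")(userPassword=" + escape_ldap_filter_value(password) + "))")


def assertion_count(ldap_filter: str) -> int:
    """Count attribute assertions, i.e. '(' not opening an AND/OR/NOT group.
    The login filter above should always contain exactly two; more means the
    input changed the query's structure rather than its values."""
    return len(re.findall(r"\((?![&|!])", ldap_filter))


if __name__ == "__main__":
    # Constructed input containing filter metacharacters.
    user_input = "*)(uid=*"
    print("unsafe:", unsafe_login_filter(user_input, "x"), assertion_count(unsafe_login_filter(user_input, "x")))
    print("safe:  ", safe_login_filter(user_input, "x"), assertion_count(safe_login_filter(user_input, "x")))
```

Escaping is the direct counterpart of parameterised SQL queries; the structural count is only a demonstration aid, not a substitute for escaping (or for an LDAP library that does it for you).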
February 25, 2015
- Tickets are available for BSides Charm, on April 11-12 in Howard County.
- Lenovo shipped PCs with adware that automatically performs a man in the middle attack against any SSL connections made from the system. The tool is called Superfish, and if you are running a Lenovo system and want to remove what can only be considered malware, head over to Lenovo support. If you want to see how the certificate can be exploited, check out Errata Security.
- There is a new privilege escalation attack (with exploit code) for Android systems. The underlying flaw is CVE 2014-7911.
- Someone has been able to reverse engineer the Apple Lightning cable.
- The folks at Google Project Zero have a nice blog entry full of technical goodness on the recent PCRE vulnerability in Flash CVE 2015-0318.
- Do you use random numbers in your C or C++ code? Do you use the rand() function? Then head over to Explicit C++ and learn!
- Have you considered using HoneyHashes as a way to detect Mimikatz use on a network?
- A new vulnerability, CVE 2015-0240 in Samba was announced. It may be possible to exploit the vulnerability to gain remote code execution without authentication; if so this would be a most significant issue.
- There is a new remote code execution vulnerability in PHP affecting PHP 5.4.1-5.4.3; this includes proof of concept exploit code. The vulnerability has been tentatively assigned the ID CVE-2015-0273.
- Did you know you can include custom payloads in your Metasploit modules?
- Would you like to be able to use Python to script connections to Microsoft RDP servers? Check out RDPY.
- There is a new Metasploit module to attack Java JMX servers.
February 17, 2015
- As my students get ready for Exercise 1, I thought that they might want to learn how to lock and unlock a Linux account from the command line.
- Mimikatz is an offensive security tool that can do things like extract passwords (not hashes) from running memory. It is so cool, it has been incorporated into Metasploit. However, there are some caveats to the module’s use against Windows 8.1 targets. The folks at Carnal0wnage describe the issues.
- Another feature of Mimikatz is its ability to generate Kerberos golden tickets. If you don’t know what these are, quickly head over to Raphael Mudge’s blog and find out! There isn’t a lot that can be done about them; take a look at the recommendations from the CERT-EU to see the extent of the problem. Well, this week Microsoft released a script to reset the krbtgt account password to provide some additional defensive options. For more details, head over to the Cyber Trust Blog.
- Speaking of golden tickets, a new Metasploit module to automate the process of generating a golden ticket has been released.
- There is another new Metasploit module to escape from the sandbox in Internet Explorer on Windows 7. The underlying vulnerability is CVE 2015-0016 and it was patched in MS15-004.
February 10, 2015
- ET Pwn Phone? (Thanks to Ryan for the idea!) This is a Metasploit module that exploits the futex_requeue bug in Android phones prior to June 2014. This exploits CVE 2014-3153.
- It is possible to crash the Google email application with a single email. What makes this denial of service particularly problematic is that the target then needs to find a way to delete the malicious email without using the Google mail application.
- Internet Explorer 10 and 11 are vulnerable to a universal cross site scripting attack. As yet, this is unpatched; there isn’t even a CVE number. Of course, Metasploit has a module. A technical description is available.
- An attacker that has gained a foothold on a network often needs to obtain network credentials before moving laterally. One interesting approach is to ask the user. This is a new Metasploit module to phish credentials by popping up a dialog box on a compromised system.
- Linux is not immune to this type of attack. Here is a Metasploit module that steals passwords used to unlock the screensaver or to use PolicyKit.
- Are you interested in learning more about how a Linux system boots?
- Recent Samsung televisions allow for voice control. The catch is that the voice recognition is not done on the television, but rather at a remote site. Now imagine that every word you speak in your living room is sent to a third party. Maybe I don’t need a TV with voice recognition.
- LD_PRELOAD is a way of modifying code execution in Linux without modifying the code; this is done by changing the library functions that the code relies on. One malicious use of LD_PRELOAD is as a way to hide malware and rootkits. haxelion has one of the best write-ups on the topic I have seen, especially the question of detection.
- Nat McHugh has provided a step-by-step method to generate MD5 collisions using Amazon AWS and HashClash at a cost of roughly 65 cents per collision.
- Stephen Brennan has a nice tutorial on how to write your own shell. Well worth a read.
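On the LD_PRELOAD item above, and specifically the detection question: an added example (mine, not code from haxelion's write-up) of three checks a defender can run for injected libraries. Each function takes the raw text of the file it inspects, so the same logic works on live /proc data and on the constructed samples embedded here. The list of trusted library directories is an assumption.

```python
import os
import re
from typing import Dict, List

# Assumption: shared objects mapped from anywhere else deserve a look.
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")


def preload_from_environ(environ_blob: bytes) -> List[str]:
    """/proc/<pid>/environ is NUL-separated KEY=VALUE pairs. Return any LD_PRELOAD entries."""
    for entry in environ_blob.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry[len(b"LD_PRELOAD="):].decode(errors="replace")
            return [p for p in re.split(r"[:\s]+", value) if p]
    return []


def preload_from_config(ld_so_preload_text: str) -> List[str]:
    """/etc/ld.so.preload applies to every dynamically linked process on the host;
    any non-comment line is a library the loader injects, so list them all."""
    libs = []
    for line in ld_so_preload_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            libs.append(line)
    return libs


def untrusted_mapped_libs(maps_text: str) -> List[str]:
    """Scan /proc/<pid>/maps for shared objects mapped from outside TRUSTED_LIB_DIRS,
    or whose file was removed after being mapped (shown by the kernel as '(deleted)')."""
    found: List[str] = []
    for line in maps_text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) < 6:          # anonymous mapping, no backing path
            continue
        path = parts[5]
        if ".so" not in path:
            continue
        deleted = path.endswith("(deleted)")
        clean = path.replace(" (deleted)", "")
        trusted = any(clean.startswith(d + "/") for d in TRUSTED_LIB_DIRS)
        if (deleted or not trusted) and clean not in found:
            found.append(clean)
    return found


def check_process(environ_blob: bytes, maps_text: str, ld_so_preload_text: str = "") -> Dict[str, object]:
    """Combine the three checks into one report for a process."""
    env = preload_from_environ(environ_blob)
    cfg = preload_from_config(ld_so_preload_text)
    libs = untrusted_mapped_libs(maps_text)
    return {"environ_preload": env, "config_preload": cfg,
            "untrusted_libs": libs, "suspicious": bool(env or cfg or libs)}


# Constructed samples, modelled on the /proc file formats.
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.x/libhide.so\0HOME=/root\0"
SAMPLE_MAPS = """\
55d0-55d1 r-xp 00000000 08:01 1001 /usr/bin/sshd
7f00-7f01 r-xp 00000000 08:01 2002 /usr/lib/x86_64-linux-gnu/libc.so.6
7f02-7f03 r-xp 00000000 08:01 3003 /tmp/.x/libhide.so
7f04-7f05 rw-p 00000000 00:00 0
7f06-7f07 r-xp 00000000 08:01 4004 /dev/shm/libx.so (deleted)
"""
SAMPLE_LD_SO_PRELOAD = "# constructed sample\n/tmp/.x/libhide.so\n"

if __name__ == "__main__":
    print("sample report:", check_process(SAMPLE_ENVIRON, SAMPLE_MAPS, SAMPLE_LD_SO_PRELOAD))
    # Live check of this interpreter, only where /proc exists (Linux).
    pid = os.getpid()
    if os.path.exists(f"/proc/{pid}/maps"):
        with open(f"/proc/{pid}/environ", "rb") as f:
            env_blob = f.read()
        with open(f"/proc/{pid}/maps") as f:
            maps = f.read()
        cfg = ""
        if os.path.exists("/etc/ld.so.preload"):
            with open("/etc/ld.so.preload") as f:
                cfg = f.read()
        print("live report:", check_process(env_blob, maps, cfg))
```

A rootkit that hooks the functions used to read these files can of course lie to this script, which is why the write-up's discussion of detection matters: compare the view from inside the host against one taken from a clean boot or another system.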
February 3, 2015
- I have been asked how to make your computer "100%" secure. Last year, someone posted an excellent video with recommendations. I can’t quite endorse the method; if you watch to the end the attacker is still able to get in, but it did require some significant effort. Call it "99+%" security and I am happy. My students should know though, that this technique is not permitted during Exercise 1.
- There is a proof of concept for a privilege escalation attack on Windows 8.1 that exploits a race condition during login. The underlying issue is CVE 2015-0004 and was patched in MS 15-003.
- There is a new Metasploit module to bypass protected mode on Internet Explorer on Windows 7 SP1 (32 bits). The underlying problem is CVE 2015-0016, which was patched in MS15-004.
- Did you know you can crack the WEP key of a wireless network without being in signal range of the AP and without sending any packets to the AP? (I didn’t!). Take a look at this piece at the Penetration Testing Lab that describes the Hirte attack. [The key is finding a client that has connected to the AP in the past!]
- If you want to learn about the technical details behind CVE 2014-9322, a privilege escalation exploit in recent (<3.17.5) Linux kernels, take a look at this blog post from Rafal Wojtczuk at Bromium Labs.
- Samsung phones are vulnerable to an attack named currupdate. [As an aside, is anyone else tired of naming vulnerabilities? It’s like folks are trying to sell products!] The underlying issues are named CVE 2015-0863 and CVE 2015-0864, though they have not yet made it to the MITRE database.
- Many DDoS attacks rely on amplification, where an attacker sends a (spoofed) packet of size s to a host, which then sends a reply of size a*s to the DDoS target. The number a is the amplification factor of the attack, and if a is large then a small number of attackers can flood the bandwidth of a victim. Last year a DDoS attack against the city of Columbia (MO) was launched using MSSQL, achieving an amplification of as much as 440. Take a look at Default Deny for the technical details.
- Here is a neat trick to tunnel Meterpreter over SSH.
January 28, 2015
- A vulnerability in glibc that affects the gethostbyname() function was announced by Qualys. As seems to be all the rage, it was given a nickname, in this case “ghost”. I prefer the easier to remember CVE-2015-0235, though it should be noted that this is marked as reserved rather than assigned in the various databases. Ars Technica has a broad overview of the vulnerability. Because this affects a commonly used library, there are many applications that could potentially be vulnerable; for a list, check out the Sucuri blog. After some reading though, my conclusion is that the best technical analysis is available at lcamtuf’s blog; it should be required reading.
- I read a wonderful blog post where they build and run a functioning C program without a main() function. In fact, the entire program (which prints “Hello World!” to the screen) consists of a single variable declaration. Intrigued? Check it out.
- Do you want root on a Nexus 5 with Android 4.4.4? Packetstorm has proof of concept code.
January 6, 2015
With my class starting in just a few weeks, I am going to try to catch up on all of the cyber security news that has started to fill my inbox to bursting.
- Did you know that John Troony has a page full of PHP webshells available for analysis? Just don’t trust them; remember the story about the C99/C99.PHP shells.
- Raphael Mudge has developed and released a virtual machine named Morning Catch configured to be used as a sample system for phishing attacks. Similar in spirit to Metasploitable, students can use the system as a target in phishing and other types of attacks.
- If you spend a lot of time working in VirtualBox, you might want to know about a Metasploit module that attacks VirtualBox up to 4.3.6 running on Windows 7 SP1 (x64). The underlying problem is in 3D acceleration on the virtual machines; it is designated CVE 2014-0983.
- Firefox 15-22 is exploitable via a Metasploit module. There are two underlying problems, CVE 2013-1710 and CVE 2013-1670.
- Various NTP server implementations are vulnerable to DoS Amplification. In an amplification attack, the attacker sends x bytes of traffic to a server that responds by sending n times x bytes of traffic at a different system. In one of the vulnerabilities, the amplification factor n is 46, so an attacker can flood the target with 46 times the traffic they themselves can send out.
- One new topic in the upcoming book (and not in these notes) is the DNS amplification attack. If you want to know whether your DNS server might be contributing to DNS amplification attacks, check out the Open Resolver Project.
- Brad Antoniewicz has developed an ActiveX control and tutorial for Internet Explorer to help students learn the basics of browser exploitation. Most cool.
- If you are a student who participates in CTF competitions, check out this collection of CTF writeups.
- The Mid-Atlantic CCDC virtual qualifiers are set for March 2-7, with the finals March 25-28.
Hacking the World
- The Nest thermostat is vulnerable to attack, at least by folks close enough to gain physical access to the device.