Monthly Archives: March 2008

Suspected Malware Infected Hannaford Servers

Filed under Identity Theft

Interesting developments in the Hannaford Supermarket breach that was reported a few weeks ago. Seems that malware infected 300 some servers that were located at each of the stores. This malware was apparently collecting and sending customer credit card data to overseas locations. I like the following part the best:

“Andrew Conry of InformationWeek adds that Hannaford, in addition to the breach, has two related class action lawsuits on its hands alleging negligence in maintaining customer security. And he suggests that there might be some truth to the claims, noting that Hannaford should have noticed that “internal servers were transmitting outside the network to a strange IP. This should’ve raised flags somewhere–server logs, IDS logs, firewall logs.””

No kidding…this should have triggered an alert somewhere, don’t you think? Interesting to see this all play out now…
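The point in the quote above (store servers talking to a strange outside IP should light up the firewall logs) is the kind of thing a simple egress rule catches. The following is an added example, not code from the original post: it parses constructed firewall log lines (hypothetical format and addresses) and flags accepted flows from an assumed server subnet to any external address that is not on an egress allowlist, summing the bytes per source/destination pair.

```python
import ipaddress
from collections import defaultdict

# Constructed sample firewall log lines (not real Hannaford data): ts, action, src, dst, dport, bytes.
SAMPLE_LOG = """\
2008-03-01T02:14:07 ACCEPT src=10.20.5.11 dst=10.20.1.4 dport=1433 bytes=8812
2008-03-01T02:15:31 ACCEPT src=10.20.5.11 dst=203.0.113.77 dport=443 bytes=913402
2008-03-01T02:15:55 ACCEPT src=10.20.5.11 dst=203.0.113.77 dport=443 bytes=722118
2008-03-01T02:16:02 ACCEPT src=10.20.9.23 dst=198.51.100.10 dport=443 bytes=4100
2008-03-01T02:16:40 ACCEPT src=10.30.0.15 dst=203.0.113.77 dport=443 bytes=5021
2008-03-01T02:17:12 ACCEPT src=10.20.5.12 dst=192.0.2.200 dport=80 bytes=61000
2008-03-01T02:18:03 DROP src=10.20.5.12 dst=192.0.2.201 dport=6667 bytes=0
"""

# Assumptions (hypothetical): in-store servers live in 10.20.0.0/16, workstations in 10.30.0.0/16,
# and the only external destinations a store server should ever reach are on this allowlist.
SERVER_NETS = [ipaddress.ip_network("10.20.0.0/16")]
EGRESS_ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]  # e.g. card processor, patch server
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _in(addr, nets):
    return any(addr in n for n in nets)

def parse_line(line):
    """Parse one 'ts ACTION k=v k=v ...' log line; returns None if it is malformed."""
    parts = line.split()
    if len(parts) < 6:
        return None
    rec = dict(kv.partition("=")[::2] for kv in parts[2:])  # k=v pairs -> {k: v}
    rec["action"] = parts[1]
    try:
        rec["src"] = ipaddress.ip_address(rec["src"])
        rec["dst"] = ipaddress.ip_address(rec["dst"])
        rec["bytes"] = int(rec["bytes"])
    except (KeyError, ValueError):
        return None
    return rec

def find_suspicious_egress(log_text):
    """Return {(src, dst): total_bytes} for ACCEPTed server-to-unknown-external flows."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue
        if not _in(rec["src"], SERVER_NETS):
            continue  # workstations are out of scope for this rule
        if _in(rec["dst"], RFC1918) or _in(rec["dst"], EGRESS_ALLOWLIST):
            continue  # internal or expected destination
        totals[(str(rec["src"]), str(rec["dst"]))] += rec["bytes"]
    return dict(totals)
```

On the sample data the rule reports two server/destination pairs, with the 1.6 MB pushed to 203.0.113.77 standing out by volume; in practice the allowlist is what makes the rule quiet enough to act on.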

Automated Penetration Testing with the Metasploit Framework

Filed under Penetration Testing


Last night I did a talk on “Automated Penetration Testing with the Metasploit Framework” to a local information security group in Cleveland, Ohio. This was the last talk in a two part series on automated penetration testing tools. Last month I spoke about CORE IMPACT by Core Security Technologies which is a commercial penetration testing tool.

What is Metasploit and autopwn?
Metasploit is a free, open source tool for developing and executing exploit code against a remote target machine. With regard to automated penetration testing, starting with version 3 Metasploit offers a module called “autopwn” that can automate the exploitation phase of a penetration test. While autopwn is far from perfect, it does a decent job of exploiting multiple hosts. With 269 exploits (as of the latest update) you have lots of options (especially with Windows targets) for gaining a basic bind shell with autopwn.

Some of the strengths of autopwn include the ability to import vulnerability data from Nessus NBE files and to pull in Nmap XML output; this feature works well. In addition, you can run Nmap from within the Metasploit console and it will put the results in the database. Finally, you can launch exploits based on ports, services or vulnerabilities from your imported data.

Limitations of autopwn
Autopwn has some limitations worth mentioning. It requires a MySQL, SQLite or PostgreSQL database, and some pre-configuration is required, which may be a daunting task for some users: RubyGems, ActiveRecord (part of Ruby on Rails) and a database configured to work with autopwn are all needed. In terms of payloads you are pretty limited as well; with the current version you can only use a basic bind shell as your payload.

If you are looking for fancy reports with your vulnerability data you will have to do that on your own, as there is no automated reporting in autopwn. On that same note…decent logging within Metasploit is limited to the debug modes. I recommend you run the “script” command from a shell before you start up msfconsole so that everything is logged to a file. There is not much you can do if you use the GUI or web consoles for Metasploit except take screenshots.

Finally, if you are exploiting large numbers of hosts (several hundred) or want to import a ton of Nessus data…you are going to take a performance hit. Autopwn seems to choke on lots of data. This will probably be fixed as it gets tweaked and tuned in future versions.

More information
HD Moore wrote up a very good autopwn tutorial which you can check out on the official Metasploit blog.

If you really want to quickly test out the features of autopwn without a lot of setup work, I recommend that you download one of the BackTrack disks. BackTrack 2 has autopwn ready to go once you launch the ninja script. BackTrack 3 beta has it installed but you need to update everything on the disk first by using the fast-track.py script which is included. Fast-track is a very useful script if you are a regular user of BackTrack…the creator of this script (Dave Kennedy from SecureState) was actually at the meeting last night and I got to chat with him about some cool stuff coming soon to the fast-track script and some new “to be announced” modules for Metasploit.

You can download the Metasploit presentation I did here. I plan on putting together a tutorial on autopwn installation in the near future. If you were at the talk last night, thanks for all the nice comments and for coming out!

The Honey Stick Project: Tracking Mobile Storage Devices

Filed under Security Awareness


Here is a pretty cool project that I stumbled upon over at Security Catalyst. The concept is to have a “Honey Pot for mobile storage devices”, but each mobile storage device (USB key, iPod, etc…) in reality becomes its own “Honey Stick” where the researcher can safely track how many people are plugging these devices into their computers. The hope is that by leaving these devices around in public areas, someone will pick them up…and plug them in. There is even a psychological aspect to this because the researcher, Scott Wright, is actually finding people that want to return these found devices to the owner!

While there may be some privacy concerns with conducting this type of public experiment…Scott seems to have done his homework on this project thus far. I am looking forward to reading more about his results as the experiment continues. He has results for his first “stream” here. Check out the Honey Stick Project web site for full details and information.

Hannaford Brothers Credit Card Breach

Filed under Identity Theft

Another day…another credit card breach!

This time 4.2 million credit cards were exposed. I personally smell a bit of TJX in this one…

“The stolen data was limited to credit and debit card numbers and expiration dates, and was illegally accessed from our computer systems during transmission of card authorization,” said Hannaford CEO Ron Hodge, in a statement posted to the company’s Web site.

The key phrase is “transmission of card authorization”. Sniffed? Bad WiFi security? Only time will tell…much speculation at this point. However, Securosis.com has some good speculation about what might have happened.

GNUCITIZEN on PaulDotCom

Filed under Penetration Testing

Larry and Paul from the PaulDotCom Security Weekly Podcast have a very good two part series interviewing pdp and Adrian from GNUCITIZEN. Lots of good information about embedded device hacking and all the cool things GNUCITIZEN is working on. Check out the MP3s of the Podcast below…better yet…subscribe to the PaulDotCom Security Weekly Podcast! These guys always have good content and are interesting to listen to as well.

Interview with GNUCITIZEN – Part 1
Interview with GNUCITIZEN – Part 2

Pointsec Disk Encryption Cracked? Not so fast…

Filed under Cryptography

The SANS ISC posted an article titled “Pointsec Disk Encryption Cracked”. Really? Cracked? I was thinking that there was some new cool uber l337 hax0r tool that breaks disk encryption from boot…and no, this isn’t the cold boot attack that has gotten all the attention lately. This is the firewire attack (winlockpwn tool) on Windows that has been known since security researcher Adam Boileau discovered this “feature” back in 2006 (it’s just that the code wasn’t released until recently). Adam sums up the firewire “feature” best on his web site:

“Yes, you can read and write main memory over firewire on windows.
Yes, this means you can completely own any box whose firewire port you can plug into in seconds.
Yes, it requires physical access. People with physical access win in lots of ways. Sure, this is fast and easy, but it’s just one of many.
Yes, it’s a FEATURE, not a bug. It’s the Fire in Firewire. Yes, I know this, Microsoft know this. The OHCI-1394 spec knows this. People with firewire ports generally don’t.”

This LuciData “hack” doesn’t crack disk encryption at all. If the laptop was powered off…that’s a different story. Like Adam says…if you have physical access to a live computer there are lots of attacks you could do…not just the firewire one. Before we announce that the sky is falling…let’s get the real details first please. If you are using any disk encryption (not just Pointsec) you should be using pre-boot authentication anyway, as this is what most vendors recommend as a best practice for a corporate deployment.

Chinese Hackers or Script Kiddies?

Filed under Hacking

Interesting article on CNN today about a covert group of Chinese “hackers” who apparently have broken into the Pentagon and other high profile sites. Actually, they “know” someone who broke into the Pentagon, they didn’t actually do it themselves.

This isn’t breaking news by any means. There are hackers all over the world trying to do the same things that they are, and they are not necessarily in China. I would bet that this group is nothing more than a bunch of script kiddies just looking for the attention of the US media. Sure, there are vulnerabilities in many, many web sites…some of them even high profile. However, I have my doubts that these guys have serious “skills” given the fact that they have a web site with over 10,000 registered users that distributes hacking software. The site “offers tools, articles, news and flash tutorials about hacking”. Anyone can run a tool or copy a script…what makes these guys so different? How can you really prove that the Chinese government even paid these guys to hack into the Pentagon?

Never fear…this is just media hype over US/Chinese relations and the potential “cyber war”. I am sure this won’t be the last either from these big media organizations.

Online Google Hacking, Ethical Penetration Testing Tool

Filed under Penetration Testing

GNUCITIZEN has released a tool called GHDB, similar to the fat-client Goolag Scanner that the cDc released a few weeks ago. What makes the GHDB different is that it is browser based and uses JavaScript techniques to scrape information from Johnny Long’s Google Hacking Database without the need for hosted server side scripts. Add this to your growing list of reconnaissance tools for penetration testing!

Cold Boot Attack Tool Released

Filed under Cryptography

Well, that didn’t take long…a tool that dumps memory and recovers the encryption keys protecting encrypted hard drives has been released. Like I said in a previous post, it was only a matter of time, and the risk/threat vector of this vulnerability starts to change with the release of a tool.

On a related note, there was a good blog post over on Princess of Antiquity about some potential engineering solutions to this vulnerability, as well as some potential mitigations that are being discussed, which you may be interested in reading. I actually like her quote at the end of her post:

“What we should remember is that no matter how strong your lock is, if you leave the key lying around, you might as well leave the door wide open.”

How true! :)

Penetration Testing Ninjitsu with Ed Skoudis

Filed under Penetration Testing

I recently saw a good webcast presented by Core Security Technologies on “Penetration Testing Ninjitsu”. This was presented by Ed Skoudis who is a very good SANS instructor and is also the author of the book “Counter Hack Reloaded” (I highly recommend all penetration testers read this book). Some of you may have taken his SANS Security 504 class (Hacker Techniques, Exploits, and Incident Handling) and have worked through his hacker challenges that he posts on ethicalhacker.net.

The webcast talks about the motivations for performing penetration testing to improve the security stance of an enterprise and covers some in-depth Windows command-line tips that can help penetration testers use Windows machines more effectively during a penetration test.

You can download the slide deck from Core Security Technologies here.