Friday, March 6, 2009

Detecting PWDump in log files

I helped a client recently to identify whether PWDump had been successfully run on a system. There are a million ways to do it; however, the easiest way is to see if the PWDump service (which gets a randomized name) was successfully started and stopped. When PWDump executes, it injects a service, starts it, does its dirty work, and then stops it. This is all tracked in the event log. The following Python code is available along with a compiled binary as well as the source. This is something I whipped up in about 20 minutes, so don't be too rough on the code :P Simply export the event log as a CSV; the parser reads in the event log, does some regex matching, and flags if/when PWDump was run.

Source code below:

# import required python modules
import re,sys

print """
[-] PWDump Event Log Finder [-]
[-] Written by David Kennedy @ SecureState [-]
"""

try:
    # define logfile name
    eventlog=raw_input("""
This tool will search for instances of pwdump within the SYSTEM event log.

Simply enter the filename of the system event log, example: system.csv

*NOTE* Ensure that the event log was exported as a CSV.


Enter the filename for the SYSTEM log: """)
    # used for unique report name
    servername=raw_input("Enter the servername: ")
    # open CSV log file
    try:
        fileopen=file(eventlog, "r").readlines()
    # throw error if filename not there
    except IOError:
        print "\n[-] Error [-] Filename was incorrect. Try again...."
        sys.exit(1)
    # define report file
    filewrite=file("%sfindingsreport.txt" % (servername),"w")
    # set counter to 0
    counter=0
    for line in fileopen:
        # regex string for pwdump: the service name is a random GUID-style string,
        # so the Service Control Manager message would look something like
        # "The {23F423432-43AV-2323-FBEA-JSD23930292} service entered the running state."
        match=re.search("The {........-....-....-....-............} service entered", line)
        if match:
            # flag counter if hit on regex
            counter=counter+1
            # write finding to file
            filewrite.write(line)
    # if counter hit and is above 0, define var, print it, and write it to file
    if int(counter) > 0:
        var1="""
[-] W A R N I N G [-]


CHECK "%sfindingsreport.txt" FOR MORE INFORMATION.

[-] W A R N I N G [-]
""" % (servername)
        print var1
        filewrite.write(var1)
    # if no instances of pwdump write to report file that it wasn't found
    if counter == 0:
        print "\n[-] The system appears to not have executed PWDump [-]\n"
        filewrite.write("PWDump was not detected on the system.")
    # close write file
    filewrite.close()
    # pause before application exit
    pause=raw_input("Press enter to exit the application.")
# except something unexpected and raise error and print it
except Exception, e:
    print "Something went wrong, printing error: "+str(e)
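As an added example (not the post's tool), here is a Python 3 version of the same check that goes one step further and pairs each GUID-named service's "running" and "stopped" events from the exported CSV, so a start without a matching stop stands out for manual review. The CSV column layout and the log rows are constructed for illustration.

```python
"""Added example (not the original post's tool): pair GUID-named service
start/stop events from an exported SYSTEM event log CSV."""
import csv
import io
import re
from collections import defaultdict

# The Service Control Manager message the post keys on; captures the
# GUID-style service name and the state it entered.
SERVICE_STATE = re.compile(
    r"The \{([0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12})\} "
    r"service entered the (running|stopped) state", re.IGNORECASE)

# Constructed sample export (Date,Time,Source,EventID,Description); not real log data.
SAMPLE_CSV = """Date,Time,Source,EventID,Description
2009-03-06,09:12:01,Service Control Manager,7036,The Print Spooler service entered the running state.
2009-03-06,09:15:44,Service Control Manager,7036,The {A1B2C3D4-1111-2222-3333-444455556666} service entered the running state.
2009-03-06,09:15:45,Service Control Manager,7036,The {A1B2C3D4-1111-2222-3333-444455556666} service entered the stopped state.
2009-03-06,09:20:10,Service Control Manager,7036,The {DEADBEEF-0000-1111-2222-333344445555} service entered the running state.
"""


def find_guid_services(csv_text):
    """Return {guid: [(time, state), ...]} for every GUID-named service event."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        m = SERVICE_STATE.search(row["Description"])
        if m:
            hits[m.group(1).upper()].append((row["Time"], m.group(2).lower()))
    return hits


def classify(hits):
    """Split GUIDs into full start/stop pairs (the pwdump pattern) and lone starts."""
    paired, unpaired = [], []
    for guid, events in hits.items():
        states = {state for _, state in events}
        (paired if {"running", "stopped"} <= states else unpaired).append(guid)
    return sorted(paired), sorted(unpaired)


if __name__ == "__main__":
    pairs, lone = classify(find_guid_services(SAMPLE_CSV))
    print("start/stop pairs (pwdump-like):", pairs)
    print("started but never stopped (review):", lone)
```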


Firewall Ruleset Review

I’ve done a lot of firewall ruleset reviews for companies large and small. There is a pattern forming in almost every firewall I’ve seen.

Bad management.

It’s not about blaming people though. The economy is in the sewer and layoffs plague every company across the planet. Most every security team is dealing with tons of ongoing work to stay secure and low budgets and resources to get the job done.

The firewall rule sets I’ve seen range from 50 lines to 10,000+ lines. Some are so complex that we schedule a week of work to audit and determine what can be taken out, what needs to stay and what shouldn’t have been there in the first place.

Let’s face it; many firewalls have dead rules, non-existent networks and “permit any” rules. Those are the low-hanging fruit that we look for first, and when fixed, they automatically increase the security of the attached networks.

Any access list that ends in “permit ip any any” is wasted CPU power and increased RAM usage. Why make your firewall go through all of those rules if you permit everything at the end anyway? Not to mention, if you’re going to do that, you could have saved yourself hundreds or thousands of dollars and just gotten a router and used static routes to forward traffic. But in the security world that isn’t an option.

Too often we see timeout settings that are too large, insecure protocols being used and lack of ingress or egress rules. The worst cases are the firewalls that are built backwards (a whole slew of deny statements followed by a permit any statement).
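As an added example (not from the original post), a small Python check for a Cisco-style extended ACL that flags the patterns described above: a “permit ip any any” that makes the list default-allow, permit rules it makes redundant, rules shadowed after it, and the “built backwards” deny-list-then-permit-any layout. The ACL lines are constructed for illustration.

```python
"""Added example (not from the original post): flag the ruleset patterns the
post calls out in a Cisco-style extended ACL. Sample rules are constructed."""
import re

# Constructed sample ACL, deliberately "built backwards": denies, then permit any,
# then a rule that can never be reached.
SAMPLE_ACL = """
access-list 101 deny tcp any any eq 23
access-list 101 deny ip 192.168.50.0 0.0.0.255 any
access-list 101 permit ip any any
access-list 101 permit tcp any host 10.1.1.5 eq 80
""".strip().splitlines()

RULE = re.compile(r"access-list\s+\S+\s+(permit|deny)\s+(\S+)\s+(.*)")


def review_acl(lines):
    """Return (rule_number, issue) tuples for the patterns the post describes."""
    rules = [m for m in (RULE.match(l.strip()) for l in lines) if m]
    findings = []
    for i, m in enumerate(rules, start=1):
        action, proto, rest = m.group(1), m.group(2), m.group(3).strip()
        if action == "permit" and proto == "ip" and rest == "any any":
            findings.append((i, "permit ip any any: ruleset is default-allow"))
            # Only denies above it: the blacklist layout the post calls backwards.
            if all(r.group(1) == "deny" for r in rules[:i - 1]):
                findings.append((i, "built backwards: deny list followed by permit any"))
            # Permits above it are redundant; anything below it is unreachable.
            for j, r in enumerate(rules[:i - 1], start=1):
                if r.group(1) == "permit":
                    findings.append((j, "redundant: already covered by the permit any"))
            for j in range(i + 1, len(rules) + 1):
                findings.append((j, "unreachable: shadowed by rule %d" % i))
            break
    return findings


if __name__ == "__main__":
    for num, issue in review_acl(SAMPLE_ACL):
        print("rule %d: %s" % (num, issue))
```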

Overall, the largest issue is lack of egress filtering. Time and time again, we run into this. And in many of our assessments we capitalize on this. In both Social Engineering attacks and Penetration tests we are able to accomplish many tasks by using these lax rules. Even if you aren’t worried about the next major virus or worm, you should care about not helping spread the infection. Close your doors and be a good neighbor!

All of these issues add up to the sum of bad network security which is caused by bad management. There needs to be process and documentation of all rules and configuration settings within a configuration. Asking “Hey Chuck, there’s a strange rule in here, did you do that?” doesn’t count as documentation either.

At the end of the day, if you skimp on a little security here and a little security there, what’s the point of implementing high-dollar equipment? If you’re going to implement your firewall properly you should have a dedicated process behind the ruleset. Justify every rule, every business segment, set it, and forget it. There should be no need to constantly be modifying your firewall. I can see the need if you’re installing a new server or software package, but adding and dropping lines daily or even weekly is not an efficient use of anyone’s time.

The moral of the story is, if you are making constant changes, have bad rules, or an insecure configuration, then you should start over and build your configuration properly. A regular audit of the firewall ruleset is always a good idea and should be budgeted for. Put in the proper change control, documentation and justification, and you will be amazed how much more secure your network will become.


Thursday, March 5, 2009

Analysis of a Real World Hacking Attempt

Many of my clients look to me and my team of penetration testers for input on the latest and greatest attacks, since we are down in the trenches performing the work and clean-up of real-world attacks. With that being said, a member of the Northeast Ohio INFOSEC forum recently sent out a request for more information regarding over 1,000 recently blocked requests against a website he runs. The attack came from fewer than 12 IP addresses with a user-agent of "NV32ts", so it *may* be a fair assumption that it came from a botnet.

The attack looked like this:

/modules.php?name=news&new_topic=9\' and 1=2 union select CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c) and \'1\'=\'1

Just from looking at it, I observe a few things:

  • It is clearly a SQL injection attempt
  • It utilizes hex
  • I assume the escaped quotes are because of PHP’s magic quotes being enabled
  • Its syntax shows an attempt to inject into a string literal
  • It attempts to append data to a record set with UNION SELECT
  • The UNION SELECT has 21 values with each being CONCAT(0x27,0x7c,0x5f,0x7c)
  • The injection is meant to be in the same query as the page's query since it doesn’t utilize comments (MS SQL allows for “piggybacking” of queries, others like Oracle and MySQL do not)

Let’s break it down into something we can read:

/modules.php?name=news&new_topic=9' and 1=2 union select '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_| and '1'='1

More observations:

  • An underscore (“_”) in MySQL is a wildcard for a single character
  • Two vertical bars in Oracle and other databases is equivalent to “OR” as most people know it
  • ‘|_| would be the same as ‘|*| for those of you that are familiar with an asterisk wildcard, or ‘|?| for those of you that like MSDOS and renaming other things... (for example, to rename test_1.txt to test-1.txt you would use rename test?*.txt test-*.jpg)

What doesn’t make sense:

  • ‘|_| would leave an unclosed quotation, so there are syntax errors for every value, and the number of values is odd. Let’s say they are careless and get lucky, with the single quotes closing each other out; at best, we *may* be able to get 10 values, but we still have one oddball that will cause an error: we would have a string literal of “|_|, “ followed by a |_|, which does not follow logically... The UNION SELECT portion makes no sense to me whatsoever... perhaps me not knowing much about MySQL is an issue, or the attack was by a script kiddie.
  • If you search "0x27,0x7c,0x5f,0x7c" in Google there are 3,450 hits. There is somewhat widespread exposure out there with this...
  • If it is specifically aiming at 21 values in the UNION SELECT, maybe it is targeting a specific 3rd party application?
  • The logic is AND 1=2 UNION SELECT <21 values> AND '1'='1
      o AND 1=2 will always be false
      o UNION SELECT <21 values> will always fail with syntax errors
      o AND '1'='1 will be true only if injecting into a string literal
  • From the previous bullet point, whatever page is being loaded will NEVER return a record...

After my analysis and trying to think outside of the box, with so many things to go wrong with this attack, I have led myself to believe that the one and only goal of this is to cause deliberate errors. There is the opportunity for unclosed quotations, different numbers of values in the UNION and page, and who knows how many others I missed...
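As an added example (not part of the original post), the following Python decodes a logged request of this shape the way the breakdown above does by hand: it undoes the magic-quotes escaping, turns each CONCAT(0x..) into the string it would build, counts the UNION SELECT values, and checks whether the single quotes balance. The request path is constructed to match the post's description (21 CONCAT values); the parameter name new_topic is taken from the post.

```python
"""Added example (not from the original post): decode the injected new_topic
value so the hex-built literals and the UNION column count are visible."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed request path matching the post's description: 21 CONCAT values,
# quotes backslash-escaped as PHP's magic_quotes_gpc would do.
CONCAT = "CONCAT(0x27,0x7c,0x5f,0x7c)"
SAMPLE_PATH = ("/modules.php?name=news&new_topic=9\\' and 1=2 union select "
               + ",".join([CONCAT] * 21) + " and \\'1\\'=\\'1")

HEX_LIST = re.compile(r"CONCAT\(((?:0x[0-9a-fA-F]{2},?)+)\)", re.IGNORECASE)


def decode_concat(match):
    """Turn CONCAT(0x27,0x7c,0x5f,0x7c) into the string it builds: '|_|"""
    return "".join(chr(int(h, 16)) for h in match.group(1).split(","))


def analyze(path, param="new_topic"):
    """Summarize the injected value of one request path from a web log."""
    raw = parse_qs(urlsplit(path).query)[param][0]
    value = raw.replace("\\'", "'")              # undo magic-quotes escaping
    decoded = HEX_LIST.sub(decode_concat, value)  # hex CONCATs -> literals
    union = re.search(r"union\s+select\s+(.*?)\s+and\s", decoded, re.I | re.S)
    columns = union.group(1).split(",") if union else []
    return {
        "decoded": decoded,
        "union_columns": len(columns),
        "hex_literals": len(HEX_LIST.findall(value)),
        # an odd number of quotes means one is left unclosed, as the post notes
        "unbalanced_quotes": decoded.count("'") % 2 == 1,
    }


if __name__ == "__main__":
    for key, val in analyze(SAMPLE_PATH).items():
        print("%s: %s" % (key, val))
```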

Part of my due diligence as a pen tester is to always be on top of things, to provide the latest and greatest to everyone, and to aid other information security professionals with my knowledge. For those of you that may have been lost through all of that, I chose to post this blog to give some insight into some of the challenges we face in this world of cyber criminals. Not only do I break into stuff regularly, I also try to decipher the bad guys’ attacks as well. As the saying goes, you have to know how to be a hacker to defend against one.

If anyone has any information as to what this may be or has seen it before, I would love to hear your thoughts, so that not only can I hear them, but I can forward them on to others if someone has a better explanation than I do!




“As with any type of competition, 'smack' talk became prevalent in online gaming. Phrases such as 'I am elite' became common place, and somewhere down the line l33t speak crept in, reforming the phrase into '1 4m 3l1t3' in order to demonstrate that the speaker was a hacker and someone to be feared. It was further exaggerated by purposeful bad spelling and eventually wound up as something like this, '1 4m 3l33t!' and simplified to, '1 4m 133t'. Hence the name 'l33t speak'.”

JahBreeze. “Urban Dictionary: l33t.” Urban Dictionary. 18 Nov 2005

In the past I have asked clients, colleagues, and security professionals what the slang word in the hacking community known as ‘l33t’ suggests to them. Many times I have heard the response “To be l33t or elite in the security community, an individual has to be able to perform exploit development.” Although I will not argue that exploit development is very important within the security community and without these professionals I would not be able to perform my job as a penetration tester as successfully as I currently do, in many ways I disagree with this statement.

For those who aren’t familiar with the term ‘exploit development’, in the simplest form, it is the ability to find flaws or vulnerabilities in software or hardware and then develop code, usually in form of a script, to exploit that specific vulnerability. The question becomes, are all exploit developers l33t? It all depends on one’s definition of the word, but I certainly do not think so. Exploit developers contain a certain skill set which allows them to be good at what they do, which in this case, is exploit development. This is no different than receptionists being good at what they do. Can everyone perform exploit development? Certainly not, but not everyone can be a receptionist either.

Exploit development is certainly a skill that can be obtained by individuals who have the aptitude to learn the material. In other words, most exploit developers are not born into it. Like most professions, exploit developers study and learn the material until they obtain a certain skill set which allows them to be good at what they do. With that said, who really deserves to be l33t? Again, it is all in one’s definition of the word. Do I think I am l33t? Absolutely not! I perform my job as a pen tester well but this too is a skill or profession that can be taught to a willing individual.

The individuals who deserve this title, in my opinion (emphasis on “my opinion”), are those that discover new attacks. Individuals such as Robert Morris or Kevin Mitnick who, back in the day, discovered a weakness in the TCP protocol and went on to exploit this weakness. Perhaps the security researchers that discovered the weakness in WEP could be considered l33t. This is a skill set that in most cases cannot be taught but requires thinking outside the box along with putting many pieces of the puzzle together in order to discover new ideas that weren’t previously known. Many exploit developers are using the same tricks and tactics as their predecessors to discover and exploit vulnerabilities. This is not to say that one can’t be an l33t exploit developer, but simply being an exploit developer does not make one l33t.

In summary, the security community is composed of many security professionals, all of whom have unique areas of expertise. Without all of these skill sets working in unison, the security community would not be as effective as it currently is. Each skill set has so-called l33t individuals, but simply possessing one skill set as opposed to another does not automatically qualify an individual as l33t.
