Friday, March 6, 2009

Detecting PWDump in log files

Helped a client recently to identify whether PWDump had been successfully run on a system. There are a million ways to do it; however, the easiest is to check whether the PWDump service (which gets a randomized name) was successfully started and stopped. When PWDump executes, it injects a service, starts it, does its dirty work, and then stops it, and all of this is tracked in the event log. The following Python code can be found on https://www.securestate.com along with a compiled binary. This is something I whipped up in about 20 minutes, so don't be too rough on the code :P Simply export the event log as a CSV; the parser reads the event log in, applies a regex, and flags if/when PWDump was run.

Source code below:

# Python 3 version of the listing (print/raw_input/file() updated, indentation restored)
# import required python modules
import re
import sys

print("""
[-] PWDump Event Log Finder [-]
[-] Written by David Kennedy @ SecureState [-]
""")
# define logfile name
eventlog = input("""
[--------------------------------------------------------------------------]

This tool will search for instances of pwdump within the SYSTEM event log.

Simply enter the filename of the system event log, example: system.csv

*NOTE* Ensure that the event log was exported as a CSV.

[--------------------------------------------------------------------------]

Enter the filename for the SYSTEM log: """)
# used for unique report name
servername = input("Enter the servername: ")
try:
    # open CSV log file
    with open(eventlog, "r") as logfile:
        fileopen = logfile.readlines()
# throw error if filename not there
except IOError:
    print("\n[-] Error [-] Filename was incorrect. Try again....")
    sys.exit()
# define report file
filewrite = open("%sfindingsreport.txt" % (servername), "w")
# set counter to 0
counter = 0
try:
    for line in fileopen:
        # regex for the randomly named pwdump service; the name would look something
        # like 23F423432-43AV-2323-FBEA-JSD23930292 (8-4-4-4-12 characters, in braces)
        match = re.search(r"The \{........-....-....-....-............\} service entered", line)
        if match:
            # flag counter if hit on regex
            counter = counter + 1
            line = line.rstrip()
            # write finding to file
            filewrite.write(line + "\n")
    # if counter hit and is above 0, define var, print it, and write it to file
    if counter > 0:
        var1 = """

[-] W A R N I N G [-]




PWDUMP WAS EXECUTED ON THIS SERVER!!!!!!

CHECK "%sfindingsreport.txt" FOR MORE INFORMATION.




[-] W A R N I N G [-]
""" % (servername)
        print(var1)
        filewrite.write("\n" + var1)
    # if no instances of pwdump write to report file that it wasn't found
    if counter == 0:
        print("\n[-] The system appears to not have executed PWDump [-]\n")
        filewrite.write("PWDump was not detected on the system.")
    # close write file
    filewrite.close()
    # pause before application exit
    pause = input("Press Enter to exit the application.")
# catch anything unexpected, then print the error
except Exception as e:
    print("Something went wrong, printing error: " + str(e))
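The same start/stop check as a reusable function over a CSV export, added here as an example and not part of the SecureState script above. It parses the rows with the csv module instead of regexing raw lines, keeps only Service Control Manager 7036 events, and then reports each GUID-named service together with whether it was both started and stopped (the footprint the post describes) or only one of the two. The sample rows, host name and GUID are constructed, and the column order (Type, Date, Time, Source, Category, Event, User, Computer, Description) is assumed to match an Event Viewer CSV export.

```python
import csv
import io
import re
from collections import defaultdict

# Service Control Manager event 7036 text: "The <name> service entered the <running|stopped> state."
SERVICE_STATE = re.compile(
    r"The (?P<name>.+?) service entered the (?P<state>running|stopped) state"
)
# As in the script above, a brace-wrapped 8-4-4-4-12 identifier is treated as a randomized
# (pwdump-style) service name; ordinary services have readable names.
GUID_NAME = re.compile(
    r"^\{[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}\}$"
)

# Constructed sample of a System log exported as CSV; every row, host and GUID is made up.
# Assumed column order: Type, Date, Time, Source, Category, Event, User, Computer, Description.
SAMPLE_CSV = """\
Information,3/6/2009,10:15:20 AM,Service Control Manager,None,7036,N/A,SERVER01,The Print Spooler service entered the running state.
Information,3/6/2009,10:15:22 AM,Service Control Manager,None,7036,N/A,SERVER01,The {1B2C3D4E-1111-2222-3333-444455556666} service entered the running state.
Information,3/6/2009,10:15:23 AM,Service Control Manager,None,7036,N/A,SERVER01,The {1B2C3D4E-1111-2222-3333-444455556666} service entered the stopped state.
Information,3/6/2009,10:16:01 AM,Service Control Manager,None,7036,N/A,SERVER01,The Windows Time service entered the stopped state.
"""


def parse_events(csv_text):
    """Yield (timestamp, computer, description) for each Service Control Manager 7036 row."""
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 9:
            continue  # blank or truncated export line
        _type, date, time, source, _cat, event_id, _user, computer, description = row[:9]
        if source == "Service Control Manager" and event_id == "7036":
            yield ("%s %s" % (date, time), computer, description)


def find_randomized_services(csv_text):
    """Return {service_name: [(timestamp, state), ...]} for GUID-named services only."""
    hits = defaultdict(list)
    for timestamp, _computer, description in parse_events(csv_text):
        m = SERVICE_STATE.search(description)
        if m and GUID_NAME.match(m.group("name")):
            hits[m.group("name")].append((timestamp, m.group("state")))
    return dict(hits)


def pwdump_indicators(csv_text):
    """Return [(service_name, verdict, first_seen)] for each GUID-named service.

    A service seen both running and stopped matches the start/stop footprint the
    post describes; a start without a stop (or vice versa) is still reported so a
    partial or interrupted run is not silently dropped."""
    report = []
    for name, events in find_randomized_services(csv_text).items():
        states = [state for _, state in events]
        if "running" in states and "stopped" in states:
            verdict = "started and stopped"
        elif "running" in states:
            verdict = "started only"
        else:
            verdict = "stopped only"
        report.append((name, verdict, events[0][0]))
    return report


if __name__ == "__main__":
    for name, verdict, first_seen in pwdump_indicators(SAMPLE_CSV):
        print("[!] %s %s at %s" % (name, verdict, first_seen))
```

Because the verdict is computed from the pair of 7036 events rather than from a single line match, a report line tells the reader whether the randomized service completed its start/stop cycle, which is the point of the check; a readable service name such as Print Spooler is never flagged, even though its event text matches the same "service entered" pattern.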


Firewall Ruleset Review

I’ve done a lot of firewall ruleset reviews for companies large and small. There is a pattern forming in almost every firewall I’ve seen.

Bad management.

It’s not about blaming people though. The economy is in the sewer and layoffs plague every company across the planet. Most every security team is dealing with tons of ongoing work to stay secure and low budgets and resources to get the job done.

The firewall rule sets I’ve seen range from 50 lines to 10,000+ lines. Some are so complex that we schedule a week of work to audit and determine what can be taken out, what needs to stay and what shouldn’t have been there in the first place.

Let’s face it; many firewalls have dead rules, non-existent networks and “permit any” rules. Those are the low-hanging fruit that we look for first, and when fixed, they automatically increase security surrounding the attached networks.

Any access list that ends in “permit ip any any” is wasted CPU power and increased RAM usage. Why make your firewall go through all of those rules if you permit everything at the end anyway? Not to mention, if you’re going to do that, you could have saved yourself hundreds or thousands of dollars and just gotten a router and used static routes to forward traffic. But in the security world that isn’t an option.

Too often we see timeout settings that are too large, insecure protocols being used and lack of ingress or egress rules. The worst cases are the firewalls that are built backwards (a whole slew of deny statements followed by a permit any statement).
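The anti-patterns above (a catch-all permit, the dead rules it shadows, a deny list followed by permit any, and rules pointing at networks that no longer exist) are mechanical enough to check in a script. The following is an added example, not something from the post: it reads a ruleset written in a simplified "action protocol source destination" form that is constructed for the example rather than any vendor's syntax, compares each address against a known-network list, and returns findings keyed by line number. The sample rules and networks are made up.

```python
import ipaddress

# Constructed ruleset in a simplified "action protocol source destination" form
# (not any vendor's real syntax); every address here is made up.
RULES = """\
deny tcp 10.0.0.0/8 192.0.2.10/32
deny tcp any 192.0.2.20/32
permit ip any any
permit udp 172.16.5.0/24 192.0.2.30/32
"""

# Networks the organisation actually owns (constructed); a rule that names an
# address outside these is the "non-existent network" case from the post.
KNOWN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]


def parse_rules(text):
    """Parse one rule per line, skipping blanks and '!' comments."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError("line %d: expected 'action proto src dst': %r" % (lineno, line))
        action, proto, src, dst = parts
        rules.append({"line": lineno, "action": action, "proto": proto,
                      "src": src, "dst": dst, "text": line})
    return rules


def is_catch_all(rule):
    """True for 'permit ip any any', which allows everything not denied above it."""
    return (rule["action"] == "permit" and rule["proto"] == "ip"
            and rule["src"] == "any" and rule["dst"] == "any")


def references_unknown_network(rule, known):
    """True if the source or destination lies outside every known network."""
    for field in (rule["src"], rule["dst"]):
        if field == "any":
            continue
        net = ipaddress.ip_network(field)
        if not any(net.subnet_of(k) for k in known):
            return True
    return False


def review(text, known=KNOWN_NETWORKS):
    """Return a list of (line, finding) tuples for the anti-patterns above."""
    rules = parse_rules(text)
    findings = []
    catch_all_line = None
    for index, rule in enumerate(rules):
        if references_unknown_network(rule, known):
            findings.append((rule["line"], "references an address outside the known-network list"))
        if catch_all_line is not None:
            # Anything after a catch-all permit can never be reached.
            findings.append((rule["line"],
                             "dead rule: shadowed by the catch-all permit on line %d" % catch_all_line))
        elif is_catch_all(rule):
            catch_all_line = rule["line"]
            findings.append((rule["line"], "catch-all permit: anything not denied above is allowed"))
            if index > 0 and all(r["action"] == "deny" for r in rules[:index]):
                # The "built backwards" firewall: a blocklist, not an allowlist.
                findings.append((rule["line"], "backwards ruleset: a deny list followed by permit any"))
    return findings


if __name__ == "__main__":
    for line, finding in review(RULES):
        print("line %d: %s" % (line, finding))
```

The known-network list is the piece that needs maintaining: it is exactly the documentation the post says is missing, and once it exists the "is this network still real?" question becomes a lookup rather than a call to Chuck.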

Overall, the largest issue is lack of egress filtering. Time and time again, we run into this, and in many of our assessments we capitalize on it. In both social engineering attacks and penetration tests we are able to accomplish many tasks by using these lax rules. Even if you aren’t worried about the next major virus or worm, you should care about not helping spread the infection. Close your doors and be a good neighbor!

All of these issues add up to the sum of bad network security which is caused by bad management. There needs to be process and documentation of all rules and configuration settings within a configuration. Asking “Hey Chuck, there’s a strange rule in here, did you do that?” doesn’t count as documentation either.

At the end of the day, if you skimp on a little security here and a little security there, what’s the point of implementing high-dollar equipment? If you’re going to implement your firewall properly you should have a dedicated process behind the ruleset. Justify every rule and every business segment, set it, and forget it. There should be no need to constantly modify your firewall. I can see the need if you’re installing a new server or software package, but adding and dropping lines daily or even weekly is not an efficient use of anyone’s time.

The moral of the story is, if you are making constant changes, have bad rules, or an insecure configuration, then you should start over and build your configuration properly. A regular audit of the firewall ruleset is always a good idea and should be budgeted for. Put in the proper change control, documentation and justification, and you will be amazed how much more secure your network will become.


Thursday, March 5, 2009

Analysis of a Real World Hacking Attempt

Many of my clients look to me and my team of penetration testers for input on the latest and greatest attacks, since we are down in the trenches performing the work and the clean-up of real-world attacks. With that being said, a member of the Northeast Ohio INFOSEC forum recently sent out a request for more information regarding over 1,000 recently blocked requests against a website he runs. The attack came from fewer than 12 IP addresses with a user-agent of "NV32ts", so it *may* be a fair assumption that it came from a botnet.

The attack looked like this:

/modules.php?name=news&new_topic=9\' and 1=2 union select CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c) and \'1\'=\'1

Just from looking at it, I observe a few things:

  • It is clearly a SQL injection attempt
  • It utilizes hex
  • I assume the escaped quotes are because of PHP’s magic quotes being enabled
  • Its syntax shows an attempt to inject into a string literal
  • It attempts to append data to a record set with UNION SELECT
  • The UNION SELECT has 21 values with each being CONCAT(0x27,0x7c,0x5f,0x7c)
  • The injection is meant to be in the same query as the page's query since it doesn’t utilize comments (MS SQL allows for “piggybacking” of queries, others like Oracle and MySQL do not)

Let’s break it down into something we can read:

/modules.php?name=news&new_topic=9' and 1=2 union select '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_|, '|_| and '1'='1
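The decoding above can be done mechanically when triaging a batch of blocked requests like the one the forum member sent. The following is an added example (not from the post): a small triage helper that takes a logged request URI, turns each CONCAT(0x..) into the string it builds, strips the magic-quotes escaping, counts the values in the UNION SELECT by splitting on top-level commas, and records the indicators the post lists (hex literals, escaped quotes, a trailing tautology). LOGGED_REQUEST is the request from the post reassembled onto one line; the join used to build it is an assumption about its whitespace, not a second sample.

```python
import re
from urllib.parse import unquote

# The blocked request from the post, reassembled onto one line (the whitespace
# between values is assumed). The original used 21 CONCAT(...) values.
LOGGED_REQUEST = (
    "/modules.php?name=news&new_topic=9\\' and 1=2 union select "
    + ",".join(["CONCAT(0x27,0x7c,0x5f,0x7c)"] * 21)
    + " and \\'1\\'=\\'1"
)

CONCAT_HEX = re.compile(r"CONCAT\(((?:0x[0-9a-fA-F]{2},?)+)\)", re.IGNORECASE)
# "and 'x'='x" / "or 1=1" style comparisons of a value with itself, with optional
# backslash-escaped quotes around the values.
TAUTOLOGY = re.compile(r"\b(?:and|or)\s+\\?'?(\w+)\\?'?\s*=\s*\\?'?\1\\?'?", re.IGNORECASE)


def decode_concat_hex(text):
    """Replace each CONCAT(0x27,0x7c,...) with the ASCII string it builds."""
    def build(match):
        return "".join(chr(int(h, 16)) for h in match.group(1).split(","))
    return CONCAT_HEX.sub(build, text)


def unescape_magic_quotes(text):
    """Undo the backslash escaping PHP's magic_quotes adds to quotes."""
    return text.replace("\\'", "'").replace('\\"', '"')


def split_top_level(text):
    """Split on commas that are not inside parentheses, so CONCAT(a,b) stays one value."""
    parts, depth, current = [], 0, []
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts


def analyze(request_uri):
    """Return the decoded query string plus the indicators discussed in the post."""
    _path, _, query = request_uri.partition("?")
    raw = unquote(query)
    result = {
        "decoded": unescape_magic_quotes(decode_concat_hex(raw)),
        "escaped_quotes": "\\'" in raw,
        "hex_literals": len(re.findall(r"0x[0-9a-fA-F]+", raw)),
        "tautology": TAUTOLOGY.search(raw) is not None,
        "union_columns": 0,
    }
    m = re.search(r"union\s+select\s+(.*)$", raw, re.IGNORECASE | re.DOTALL)
    if m:
        values = split_top_level(m.group(1))
        # The last value may carry the trailing "and ..." condition; drop it.
        values[-1] = re.split(r"\s+and\s+", values[-1], maxsplit=1, flags=re.IGNORECASE)[0]
        result["union_columns"] = len(values)
    return result


if __name__ == "__main__":
    report = analyze(LOGGED_REQUEST)
    print(report["decoded"])
    print("union columns: %d, hex literals: %d, escaped quotes: %s, tautology: %s" % (
        report["union_columns"], report["hex_literals"],
        report["escaped_quotes"], report["tautology"]))
```

The column count is taken before decoding so that the commas inside each CONCAT() are not mistaken for value separators; running the helper over a log of blocked requests groups them by column count, which is what you would compare against the number of columns in the targeted query when deciding whether the attempt could ever have matched a real page.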

More observations:

  • An underscore (“_”) in MySQL is a wildcard for a single character
  • Two vertical bars in Oracle and other databases is equivalent to “OR” as most people know it
  • ‘|_| would be the same as ‘|*| for those of you that are familiar with an asterisk wildcard, or ‘|?| for those of you that like MSDOS and renaming other things... (for example, to rename test_1.txt to test-1.txt you would use rename test?*.txt test-*.jpg)

What doesn’t make sense:

  • ‘|_| would leave an unclosed quotation mark, so there are syntax errors for every value, and the number of values is odd. Let’s say they are careless and get lucky enough for the single quotes to close each other out; at best we *may* get 10 values, but there is still one oddball that will cause an error: you would have a string literal of “|_|, “ followed by a |_|, which does not follow logically. The UNION SELECT portion makes no sense to me whatsoever... perhaps my not knowing much about MySQL is an issue, or the attack was by a script kiddy.
  • If you search "0x27,0x7c,0x5f,0x7c" in Google there are 3,450 hits. There is somewhat widespread exposure out there with this...
  • If it is specifically aiming at 21 values in the UNION SELECT, maybe it is targeting a specific 3rd party application?
  • The logic is AND 1=2 ... UNION SELECT <21 values> ... AND '1'='1
      o AND 1=2 will always be false
      o UNION SELECT <21 values> will always fail with syntax errors
      o AND '1'='1 will be true only if injecting into a string literal
  • From the previous bullet point, whatever page is loaded will NEVER return a record...

After my analysis and trying to think outside of the box, with so many things that can go wrong with this attack, I have come to believe that the one and only goal of this is to cause deliberate errors. There is the opportunity for unclosed quotations, different numbers of values in the UNION and the page, and who knows how many others I missed...

Part of my due diligence as a pen tester is to always be on top of things, provide the latest and greatest to everyone, and aid other information security professionals with my knowledge. For those of you that may have been lost through all of that, I chose to post this blog to give some insight into some of the challenges we face in this world of cyber criminals. Not only do I break into stuff regularly, I also try to decipher the bad guys’ attacks as well. As the saying goes, you have to know how to be a hacker to defend against one.

If anyone has any information as to what this may be or has seen it before, I would love to hear your thoughts, so that not only can I hear them, but I can forward them on to others if someone has a better explanation than I do!



l33t?

“As with any type of competition, 'smack' talk became prevalent in online gaming. Phrases such as 'I am elite' became common place, and somewhere down the line l33t speak crept in, reforming the phrase into '1 4m 3l1t3' in order to demonstrate that the speaker was a hacker and someone to be feared. It was further exaggerated by purposeful bad spelling and eventually wound up as something like this, '1 4m 3l33t!' and simplified to, '1 4m 133t'. Hence the name 'l33t speak'.”

JahBreeze. “Urban Dictionary: l33t.” Urban Dictionary, 18 Nov 2005. http://www.urbandictionary.com/define.php?term=l33t.

In the past I have asked clients, colleagues, and security professionals what the slang word in the hacking community known as ‘l33t’ suggests to them. Many times I have heard the response “To be l33t or elite in the security community, an individual has to be able to perform exploit development.” Although I will not argue that exploit development is very important within the security community and without these professionals I would not be able to perform my job as a penetration tester as successfully as I currently do, in many ways I disagree with this statement.

For those who aren’t familiar with the term ‘exploit development’, in the simplest form, it is the ability to find flaws or vulnerabilities in software or hardware and then develop code, usually in form of a script, to exploit that specific vulnerability. The question becomes, are all exploit developers l33t? It all depends on one’s definition of the word, but I certainly do not think so. Exploit developers contain a certain skill set which allows them to be good at what they do, which in this case, is exploit development. This is no different than receptionists being good at what they do. Can everyone perform exploit development? Certainly not, but not everyone can be a receptionist either.

Exploit development is certainly a skill that can be obtained by individuals who have the aptitude to learn the material. In other words, most exploit developers are not born into it. Like most professions, exploit developers study and learn the material until they obtain a certain skill set which allows them to be good at what they do. With that said, who really deserves to be l33t? Again, it is all in one’s definition of the word. Do I think I am l33t? Absolutely not! I perform my job as a pen tester well but this too is a skill or profession that can be taught to a willing individual.

The individuals who deserve this title, in my opinion (emphasis on “my opinion”), are those that discover new attacks. Individuals such as Robert Morris or Kevin Mitnick who, back in the day, discovered a weakness in the TCP protocol and went on to exploit this weakness. Perhaps the security researchers that discovered the weakness in WEP could be considered l33t. This is a skill set that in most cases cannot be taught but requires thinking outside the box along with putting many pieces of the puzzle together in order to discover new ideas that weren’t previously known. Many exploit developers are using the same tricks and tactics as their predecessors to discover and exploit vulnerabilities. This is not to say that one can’t be an l33t exploit developer, but simply being an exploit developer does not make one l33t.

In summary, the security community is composed of many security professionals, all of whom have unique areas of expertise. Without all of these skill sets working in unison, the security community would not be as effective as it currently is. Each skill set has its so-called l33t individuals, but simply possessing one skill set as opposed to another does not automatically qualify an individual as l33t.



Tuesday, February 24, 2009

University of Florida Breach: Detected, Eradicated, and Educated

Detected (sounded like an internal effort):

"On January 14, 2009, the University of Florida discovered that a server was accessed by an unauthorized intruder from outside UF. This server contained names and Social Security Numbers (SSNs) for 97,200 people that used the system between 1996 and 2009. Although no evidence was found that this information was accessed, there is no absolute certainty that it was not."

Eradicated:

"...the University of Florida discovered that a configuration error allowed outside access to a directory containing Social Security numbers, information normally protected from unauthorized access. UFID numbers and Social Security numbers were used interchangeably for verification purposes until the university discontinued the practice in 2003.

The configuration error was fixed immediately. An investigation revealed the error allowing the unauthorized access had been made four months earlier by an information technology specialist working on the directory. We have no evidence any personal information was obtained, but out of an abundance of caution, the University is working to notify those individuals with information on the directory."

Educated:

"Answers to Commonly Asked Questions Regarding Grove Incident"

When I went through the list of questions and answers, I was impressed. They did a great job of detailing just about every question that goes through someone's mind when they're affected by something like this.

Obviously, breach = no good. On the other hand, I think (from a high-level) the University did a great job in how they reacted. And isn't it all about detection and reaction?

First off, they perform system audits and are actively looking for anomalies. It's how they found the compromise. This is a clear indicator that they take information security risk and minimum security baselines seriously.

Second, they decided to err on the side of caution. They stated that after their investigation and forensic analysis (which lasted 2 weeks) gave no indication that Personally Identifiable Information (PII) was accessed or copied, but there was no definitive indication that it WAS NOT. This is key. If you can't prove that information has NOT been compromised, you need to notify the people potentially impacted. Notification is expensive. I'm sure it was for the University: more than 97,200 people. On top of that, they don't have contact information for 5,000 of the affected. Again, more time and effort will be spent by the University to track down those people and notify them. To summarize, they did the right thing.

Finally, they used the breach to effectively communicate a LOT of information about information privacy, details around the incident, and effectively highlight their Information Privacy repository. Education, education, education. All of the news sources point to their Privacy site.

Security breaches happen. How you react to the breach (do we notify? priority of incident?) as well as how you educate those parties affected sets you apart from the flunkies. From a 20,000 foot view, the Gators did a good job...


Monday, February 2, 2009

SecureState Speaks at ShmooCon 2009

ShmooCon for SecureState! SecureState's Dave Kennedy and Matt Neely will be speaking at ShmooCon in Washington, D.C., the annual East coast hacker convention hell-bent on offering three days of an interesting atmosphere for demonstrating technology exploitation, inventive software & hardware solutions, and open discussions of critical infosec issues. The first day is a single track of speed talks, One Track Mind. The next two days, there are three tracks: Break It!, Build It!, and Bring It On!.

Principal at SecureState, Dave Kennedy focuses on the technical side of security, performing penetration tests, source code review, web application security, data forensics, electronic discovery and wireless assessments. Prior to SecureState, Dave worked for the National Security Agency (N.S.A.) and has worked with some of the nation's most elite security groups. Dave is also the author of Fast-Track, an open-source penetration testing suite available in Linux, has previously presented at Defcon, and is a contributor to the BackTrack distributions.

Dave's presentation (The Fast-Track Suite: Advanced Penetration Techniques Made Easy) will be the last talk in the Bring It On! track where he will discuss attacks in detail and also release the newest version of Fast-Track.


Matt Neely, Profiling Manager at SecureState, will be presenting "Radio Reconnaissance in Penetration Testing - All Your RF Are Belong to Us," in the first talk of Bring It On! track this Saturday.


Friday, January 16, 2009

SecureState Attends PCI Compliance Seminar with ISACA


Craig Monastra of Sterling Jewelers with Brian Telesz and Nicole McClain of SecureState
Today, ISACA’s membership—more than 86,000 strong worldwide—is characterized by its diversity. Members live and work in more than 160 countries and cover a variety of professional IT-related positions including but not limited to IS auditor, consultant, educator, IS security professional, regulator, chief information officer and internal auditor.

SecureState's Brian Telesz and Nicole McClain (pictured above with Craig Monastra of Sterling Jewelers) attended the most recent ISACA seminar at Harry's Steakhouse for good food and a great presentation on PCI Compliance. Keynote speaker was Lisa Peterson of Progressive Insurance.

The Information Systems Audit and Control Association is primarily focused on promoting quality IS audit and governance education to its members. The IS audit profession is based and dependent upon technological expertise. With Audit and Compliance being one of SecureState’s four divisions of expertise, it helps our consultants and directors keep abreast of the latest hot topics, concerns and trends in the IT audit world. SecureState is a leader in the Audit and Compliance world. We engage in many different environments such as finance, insurance, manufacturing, retail and energy, which gives us very diverse expertise in the many compliance and security regulations that companies need to adhere to.

In addition to the importance of Audit and Compliance, SecureState belongs to the local chapter and attends the monthly meetings to keep SecureState in front of our current and prospective clients who are members. We also speak and present at these monthly meetings, which helps educate ISACA chapter members on what SecureState sees out in the field during engagements and clarifies and educates on IT audit issues.

Would you like SecureState to speak at your next event? Contact SecureState at 800.903.6264 for more information.
