Tomorrow I fly out to Vegas for an extended run of training, conference attendance, networking, and speaking. I’ll get to all of that, but last things first: I am very happy to have been chosen to, for my third consecutive year, present at DEF CON on a fun and offense-oriented topic:


 

This year I’ll be speaking about the attack surface of attack tools: specifically, the small devices that malicious attackers hide on a network, or that pentesters ship to a client, for the purpose of remote access and attack. I’ll discuss some of the problems with having a small embedded device that runs a pile of perhaps-not-completely-hardened tools, how to respond if such a device is located within your organization, and how such devices may be open to counter-attack. We’ll spend some time discussing the implications of a malicious attacker compromising a pentester’s implantable device, and then roll into a case study involving the most popular device of this type: Pwnie Express’ Pwn Plug. I’ll demonstrate some (very easy to follow) zero-day in the Pwn Plug, as well as discuss what one might want to do post-exploitation, along with how to acquire a nice forensic image of the device.

That talk will be on Saturday, August 3rd, at 2PM in Track 3 of DEF CON 21. I’ll be holding what I hope will be a nice informal Q&A afterwards (my past talks at DEF CON have had excellent Q&A sessions), so I hope to see some readers there.

Apart from that, I’m going to be in Vegas for a while. I am extremely excited to be taking Stephen Ridley and Stephen Lawler’s Advanced ARM Exploitation training for my first 4 whole days in Vegas. The Stephens are the operators of dontstuffbeansupyournose.com and by all accounts have put together a very good class. I’m excited about improving my skills, and if you follow me on twitter (@McGrewSecurity) I’m sure you’ll hear all about it.

I’ll be in attendance at both Blackhat and DEF CON, so be sure to track me down to have a word. My current beard-status is pretty close to my twitter avatar, so I should be easy to spot. Also, I’ll be the one floating a few inches off the ground, due to the fact that I’ve recently completed my Ph.D. dissertation (on the topic of SCADA HMI vulnerabilities, the topic of my talk last year), and have taken a position at Mississippi State as an assistant research professor. If you have interesting research ideas or just want to raise hell with a security geek with strong views, do get in touch and/or find me at either conference.

 

If you are unfamiliar with Daniel Suarez’ pair of brilliant novels: Daemon, and its sequel Freedom(tm), you really need to stop right here and go read them. They’re fascinating books and I think most folk in information security would enjoy reading them.

Possible mild spoiler alerts follow.

A major element of the two novels is a botnet, created with artificial intelligence and pathfinding elements developed by an MMO game developer, that, upon its creator’s death, begins to wreak havoc in order to effect a form of major societal change. While a botnet can autonomously do a lot electronically, such as build up funding via various forms of fraud, gather information from online systems, etc., it would be limited in what it can do in the “real world” (beyond what’s in the immediate reach of control systems).

To accomplish things outside of cyberspace the botnet recruits human operators to do various tasks, using VOIP, surveillance systems to monitor progress, and the funds it is acquiring to reward/incentivize operators. By the second book this escalates to the point that “DarkNet” operators wearing glasses that project waypoints and objectives for them to accomplish perform tasks for “DarkNet credits”, an alternative currency built around the new society being built by the system.

In short: Human nodes in a botnet. You can treat a human like a remote procedure call: arguments are task description and money, return value is measured success or failure.

Obviously this is something that Google Glass was created for. I think so, and Google appears to agree:


I don’t think they read the same books I read, but hey, maybe they did.

Honestly, I was just having a laugh at what immediately came to mind when Glass was announced. While I’d be happy to develop a nice tactical objective/waypoint control system for multiple operators using Glass, I’m not (at the moment) keen on paying $1500 and a flight to New York for the privilege.

If anyone wants human botnet software and wants to fund it, let me know.

 

By using Mandiant’s Redline tool, I’ve identified three of the seven new samples that VirusShare has just added:

  • GLOOXMAIL - 3de1bd0f2107198931177b2b23877df4
  • BISCUIT - 12f25ce81596aeb19e75cc7ef08f3a38
  • TARSIP-MOON - bd02b41817d227058522cca40acd390

This week marks the first week that I have integrated APT1 samples into the graded practical exercises in the Reverse Engineering class I teach at Mississippi State University. The use of real-world malware attributed to state-sponsored actors in my classroom has been the focus of some recent positive media attention. If you’re interested in following along, this is the assignment my students are working on this week:

The students have been excited about applying what they’ve learned to malicious software that’s been making headlines recently. Most of the APT1 samples are easy enough to analyze to be good exercise material for the students at this point in their reverse-engineering education, and it’s interesting to look at the software that’s been responsible for the theft of so much information. I’m very impressed with my students’ progress so far, and I hope they’re enjoying getting their hands dirty this week.

 

EDIT: Below is all of my personal manual tinkering around with strings and the descriptions to identify samples roughly. That being nice and all, I’ve managed to point Mandiant’s Redline tool at the set using the IOC appendix to generate a much nicer, complete, and accurate report, which I’ve exported and made available here:

http://mcgrewsecurity.com/codedump/apt1_ioc/

The “hits” marked in the above report represent samples available in the 281-sample VirusShare.com set. Enjoy! (It looks like there are a few below that aren’t in the above report, SWORD for example, so the rest of this post will still be of some use.)

(Edit: By the time you read this, there’ll be more hashes on the VirusShare list. I’ll take a look at those tonight, but for now this list isn’t complete, obviously.)

(Edit Edit: Took a look at the 34 samples added to VirusShare)

(Third edit: Added some rough classification of the 281-sample set that VirusShare now has as a torrent)

(Tiny fourth edit: I’m pretty sure I was wrong classifying what I had as MANITSME. Not sure what I was thinking there.)

Earlier today, I took the set of MD5 hashes from Mandiant’s report on APT1 and ran it against the set of hashes of malware stored and provided by the VirusShare.com repository. Out of a little more than 1,000 hashes provided by Mandiant, 22 hashes matched files that are on VirusShare. The list is here. If you fit the description of someone who should have access to malware samples, you can read about signing up here.

In the Mandiant report and appendices, they use a set of codenames for samples and families of malware being used by APT1. With a very quick comparison of indicators and strings, I’ve managed to map MD5 hashes of some of the 22 samples available on VirusShare to the names they have been given in the Mandiant report. This is very rough, incomplete, and possibly inaccurate, but if you’re interested in picking apart some of this malware, it’s a start:

  • BISCUIT – 15901ddbccc5e9e0579fc5b42f754fe8
  • GOGGLES - 9fc3ed6c9b8056fbf155f79569ca7cb1
  • HELAUTO - 47e7f92419eb4b98ff4124c3ca11b738
  • STARSYPOUND - c0a33a1b472a8c16123fd696a5ce5ebb
  • TARSIP-MOON - 0908d8b3e459551039bade50930e4c1b
  • WEBC2-CLOVER - 29c691978af80dc23c4df96b5f6076bb
  • WEBC2-CSON - 73d125f84503bd87f8142cf2ba8ab05e
  • WEBC2-HEAD - 649d54bc9eef5a60a4b9d8b889fee139
  • WEBC2-GREENCAT - fab6b0b33d59f393e142000f128a9652

The following were added to VirusShare after the above quick analysis (34 samples were added that match Mandiant’s MD5s). I’ve taken a quick look to see if I can identify a few of them too.

  • BISCUIT - 034374db2d35cf9da6558f54cec8a455 , 70a55fdc712c6e31e013e6b5d412b0d6
  • LONGRUN - a2cd1189860b9ba214421aab86ecbc8a , 0496e3b17cf40c45f495188a368c203a
  • STARSYPOUND - 2ba0d0083976a5c1e3315413cdcffcd2 , 65018cd542145a3792ba09985734c12a , 8442ae37b91f279a9f06de4c60b286a3
  • TABMSGSQL - 052ec04866e4a67f31845d656531830d
  • WEBC2-BOLID - 5ff3269faca4a67d1a4c537154aaad4b , d8238e950608e5aba3d3e9e83e9ee2cc
  • WEBC2-GREENCAT - 36c0d3f109aede4d76b05431f8a64f9e , e83f60fb0e0396ea309faf0aed64e53f , b3bc979d8de3be09728c5de1a0297c4b , 55fb1409170c91740359d1d96364f17b , e54ce5f0112c9fdfe86db17e85a5e2c5 , 57e79f7df13c0cb01910d0c688fcd296
  • WEBC2-YAHOO - 2b659d71ae168e774faaf38db30f4a84 , a8f259bb36e00d124963cfa9b86f502e
  • WEBC2-Y21K - 4cabfaef26fd8e5aec01d0c4b90a32f3 , 2479a9a50308cb72fcd5e4e18ef06468

Again, this is all based off of a brief glance at matching strings. Some of the samples unidentified so far may be packed, preventing them from being matched in this way, and some of the ones that appear to be a match may turn out to behave differently. If you’re interested in something specific from the Mandiant report, however, the above may point you to what samples you’d like to look at first.

Rough Edit: The following is a dump of matching unique strings from Mandiant’s report with the 281-sample set being served up by VirusShare via torrent. This is rough among rough things and quite possibly wrong. If and where it contradicts the above, you may be better off with the above. Double-check for yourself if it’s very important what sample you’re looking at. There are a lot of samples that don’t match up very closely with the descriptions in the Mandiant appendix C, but are obviously of the same family, authorship, and likely functionality.

I hesitated to share this set of results just yet for the above reasons, but I’d rather be able to point someone interested in a particular named-malware to a set of samples that “probably” match it, than nothing at all, as feedback seems to be that this is more useful than nothing. I intend to post more detailed analysis once I finally get to prioritize on a specific sample and dig in.

 

Wikipedia articles carry with them a revision history that logs every change made to an article, as well as information on the user or IP address that made the change. The revision history and user information can provide someone gathering intelligence with as much or more information about a topic than its article. Many Wikipedia editors are personally connected to the articles they edit, or otherwise have a stake in what is being said, and by processing the revision data, it’s possible to gain some insight into those connections.

This is somewhat awkward and time consuming to do through the web interface, so it helps to automate. I had a need to determine what revisions and users introduced certain phrases in an article, and wrote the following script to help:

To use, first export the article(s) you want to process to XML using Wikipedia’s Special:Export page (be sure to uncheck ”Include only the current revision”). Once you have the XML saved locally, usage is as follows:

./wikiadded.py <xml file> <word or phrase>

The output is comma-delimited and contains the Wikipedia timestamp, user information (username/id or IP address), and a link to the revision that introduced (or re-introduced) the phrase.
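The script itself did not survive on this page, so the following is an added example implementation of what the post describes (my code, not the original wikiadded.py). It assumes the MediaWiki Special:Export XML layout, revisions exported in chronological order, case-insensitive matching, and a constructed four-revision article embedded inline for demonstration:

```python
#!/usr/bin/env python3
"""wikiadded: report the revisions that introduced a phrase into an article.

Added example, not the script from the original post. It assumes the
MediaWiki Special:Export layout (page > revision > contributor/timestamp/text),
revisions exported in chronological order, and case-insensitive matching.
"""
import csv
import sys
import xml.etree.ElementTree as ET
from io import StringIO

# oldid= is the standard MediaWiki permalink to a specific revision.
REV_URL = "https://en.wikipedia.org/w/index.php?oldid={}"


def _local(tag):
    """Strip the export namespace: '{http://...}revision' -> 'revision'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child called `name`, or '' if absent."""
    for child in elem:
        if _local(child.tag) == name:
            return child.text or ""
    return ""


def iter_revisions(source):
    """Yield (rev_id, timestamp, user, text) for each <revision> in the export.
    iterparse keeps memory flat on histories with thousands of revisions:
    each revision element is cleared as soon as it has been read."""
    for _event, elem in ET.iterparse(source, events=("end",)):
        if _local(elem.tag) != "revision":
            continue
        user = ""
        for child in elem:
            if _local(child.tag) == "contributor":
                # Registered editors carry <username> and <id>; anonymous
                # edits carry only the editor's <ip>.
                ip = _child_text(child, "ip")
                user = ip or "{}/{}".format(_child_text(child, "username"),
                                            _child_text(child, "id"))
        yield (_child_text(elem, "id"), _child_text(elem, "timestamp"),
               user, _child_text(elem, "text"))
        elem.clear()


def find_introductions(source, phrase):
    """Rows (timestamp, user, link) for every revision where the phrase
    goes from absent to present, so a phrase that is removed and later
    re-added is reported each time it reappears."""
    needle = phrase.lower()
    rows, present = [], False
    for rev_id, timestamp, user, text in iter_revisions(source):
        now = needle in text.lower()
        if now and not present:
            rows.append((timestamp, user, REV_URL.format(rev_id)))
        present = now
    return rows


def find_in_text(xml_text, phrase):
    """Same as find_introductions, for an export already held in memory."""
    return find_introductions(StringIO(xml_text), phrase)


def to_csv(rows):
    """Comma-delimited output: timestamp,user,revision link."""
    buf = StringIO()
    csv.writer(buf).writerows(rows)
    return buf.getvalue()


# Constructed four-revision export (not a real article): an anonymous editor
# adds a claim, a registered editor removes it, the anonymous one re-adds it.
SAMPLE_XML = """<mediawiki xmlns="http://www.mediawiki.org/xml/export-0.10/">
<page><title>Example Widget</title><ns>0</ns><id>42</id>
<revision><id>1001</id><timestamp>2012-01-01T10:00:00Z</timestamp>
<contributor><username>Alice</username><id>7</id></contributor>
<text>The widget is a tool.</text></revision>
<revision><id>1002</id><timestamp>2012-01-02T10:00:00Z</timestamp>
<contributor><ip>203.0.113.5</ip></contributor>
<text>The widget is an award-winning tool.</text></revision>
<revision><id>1003</id><timestamp>2012-01-03T10:00:00Z</timestamp>
<contributor><username>Alice</username><id>7</id></contributor>
<text>The widget is a tool.</text></revision>
<revision><id>1004</id><timestamp>2012-01-04T10:00:00Z</timestamp>
<contributor><ip>203.0.113.5</ip></contributor>
<text>The widget is an Award-Winning tool.</text></revision>
</page></mediawiki>"""


def main(argv):
    if len(argv) != 3:
        sys.stderr.write("usage: wikiadded.py <xml file> <word or phrase>\n")
        return 2
    with open(argv[1], "rb") as fh:
        sys.stdout.write(to_csv(find_introductions(fh, argv[2])))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the sample, “award-winning” is reported twice (revisions 1002 and 1004, both from the anonymous IP), which is exactly the re-introduction case the post mentions.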

Hope this is of use to someone besides myself!

 

Today, while updating this VPS, I took the opportunity to change the style/design of mcgrewsecurity.com. I’m especially proud of the new logo. It’s a combination of several out-of-copyright book scans, and my co-worker Kendall’s keen observation that the bit of the key looked like an RJ-45 Ethernet port. A bit of work later and now it very much looks like one.

Over the past several months, No Starch Press has been kind enough to send along review copies of several of their recent security-related book releases. Soon you’ll start seeing my reviews being posted. Overall, I can say I’m very impressed.

 

I apologize to those in my talk (and throughout the rest of the cons last week) who asked about availability of the tools I describe in my talk. I stated that they should’ve been in the Metasploit trunk on the day of my Black Hat USA talk this past Wednesday, backed by assurances from Rapid7 that it would be there. Apparently I was talking to someone at Rapid7 who was unable to make those assurances, so it looks like I’ll be starting over the process of getting it available in the main distribution today. Edit: It’s in now. If you svn update metasploit, enum_drives and imager will be in “modules/post/windows/gather” and nbd_server will be in “modules/post/windows/manage”.

In the meantime, you can drop the following files into your own copy of Metasploit to use the tools introduced in my talk today:

  • enum_drives.rb – Enumerates physical disks and logical volumes for use in the other two modules
  • imager.rb – Images physical/logical drives over a meterpreter shell. Options are similar to those that forensics folk use in dd
  • nbd_server.rb – Maps a remote physical/logical drive to a local network block device server.  You can then mount and/or use any forensics tools you’d like on it.

Also, here are the final slides as I presented them, and the whitepaper that I originally submitted with my talk proposal:

Video of both the Black Hat USA and DefCon versions of the talk will be available at some point.

 

This is just a quick post to remind readers that I will be in Vegas for Black Hat and DEFCON this week, and I’m looking forward to meeting as many of you as possible. I will be giving a talk at both Black Hat and DEFCON:

  • Wednesday, August 3rd, 3:15 PM – Black Hat USA 2011 – Track 7
  • Friday, August 5th, 3:00 PM – DEFCON 19 – Track 2

My talk is entitled “Covert Post-Exploitation Forensics With Metasploit”, and I’ll be talking about a set of Metasploit Post-modules that I have developed for performing forensic analysis of machines over a meterpreter connection. With these modules, penetration testers (as well as other roles) will be able to run currently-available/popular forensic tools on remote drives in the same way that forensic examiners currently use them on local drives. Through some protocol trickery and using Railgun to pipe the Windows API over meterpreter, you can essentially make a local block device that maps to the victim’s. I’ll have some discussion, including a basic introduction to disk/file-system forensics for penetration testers, a demo, and some time for questions and discussion.

The presentation and tools will be available on the disc, with “latest” versions posted here as soon as I can manage to put them up after my talk. The modules ought to be available in the Metasploit SVN soon as well.

I’ll also be actively attending/prowling around the conference, so feel free to track me down to talk shop about breaking things, forensics, etc. I have lots of fun stories that aren’t appropriate for the blog/twitter.

Edit:

I will also be bringing 20 of the challenge coins we normally hand out at the end of the Advanced Forensics class at the Mississippi State University National Forensics Training Center. If you want one, track me down at Black Hat or DEFCON and offer me something cool/interesting for one ;) :

Double Secret Edit:

I also have fun 0-day for Tiny Tower on all iOS devices (iPhone, iPad, iPod Touch), which I will disclose to attendees for the price of one drink and a handshake Non-Disclosure Agreement (negotiable). You’re not going to be hacking the Gibson with this one anytime soon, but it’s *fun*.

 

I’ve put off doing this review for too long.  I was sent this book close to its release date, and made quick work of reading through it and making notes for the review. As you’ll see in this post, I don’t think much of it, and I wasn’t looking forward to making such a negative post about it. I would just let it slide, as I prefer to post reviews of books that I like and recommend at least to some extent, but Packt Publishing are heavily promoting this book and I’ve seen several people I know purchase or consider purchasing it. For that reason, I feel like it’s a good idea to warn the target audience of this blog away from it.

At a first glance, it’s easy to be skeptical of this book due to the fact that it had the misfortune of being a Backtrack 4 book published at almost the exact time Backtrack 5 came out. This doesn’t bother me so much. If it were written well, it could easily make up for any differences in the details between versions. Unfortunately, being dated is the least of this book’s problems.

The vast majority of the book is padded with a grocery list of what appears to be each and every tool in the Backtrack distribution. Comprehensive coverage is fine, though each tool is only given the very briefest of coverage, with almost no coverage or consideration to educating the reader on how the tools work or the background needed to effectively use them. New terms and concepts are thrown at the user relentlessly without introduction or explanation. This book falls into a useless “middle” state where a beginning user would be better served by a book that gives more depth of coverage for a handful of tools (see Web Application Hacker’s Handbook), while still failing to serve an advanced user that could find the same information quickly in a man page. The book falls well short of its goal of serving as a “single professional, practical, and expert guide to develop hardcore penetration testing skills from scratch”.

There are many instances of wasted space in the book as well. A straight copy-paste of /etc/services is the worst offender. The text doesn’t exactly live up to the promises of its table of contents either. A segment on “Writing exploit modules” simply takes the reader through the source code of an existing metasploit module, with only the barest of commentary that makes one wonder if the authors understand how it works, much less whether or not the reader will be able to write one (or even read one) in practice.

Aside from the “list of things” approach that takes up the majority of the book, there is a fair amount of text about the penetration testing process that, if executed properly, would make an excellent introduction to newcomers. Unfortunately, it’s written as though the authors intentionally wanted it to be impenetrable and difficult to understand. The following sentence is a representative example:

Since the exponential growth of an IT security industry, there are always an intensive number of diversities found in understanding and practicing the correct terminology for security assessment.

Some of it’s just plain wrong. A set of paragraphs equates “black hat” hacking with “black box” testing, and goes on to state the same about “white” and “grey”. It’s difficult to imagine that anyone in penetration testing believes that. The authors take the reader through overwrought descriptions of various testing “methodologies” (the OWASP top ten is not a methodology), and then throw them out in favor of an over-simplified “Backtrack Testing Methodology” that appears to be a simple depth-first traversal of the BT4 menu options.

While it may be tempting to buy this book as a quick reference or summary of all of the tools, I would not encourage it. I would strongly discourage anyone thinking to start out, or get up to speed in penetration testing from buying this book. It’ll just frustrate you. For more experienced readers, there are books that are far more worthy of your time and money.

 

Just a quick note to readers in security roles that might be responsible for end-user actions: Tonight’s announcement that Osama Bin Laden has been killed will likely spawn a large number of malware purporting to be videos or pictures of the body or operation. You may want to pre-empt this by reminding users of the dangers of clicking and running things from untrusted sources.

I think most of the readers of this blog are smart enough not to fall for this themselves (and might even seek it out for the malware samples!), and that a good percentage are in offensive security roles, but this could be a big problem for the readers in defensive roles. So, heads up!

© 2012 McGrew Security Suffusion theme by Sayontan Sinha