Michael Boman has made the slides and papers available on his site:

I’m really thrilled to start reading through some of this :) .

    These may not necessarily be the final slides as-presented, as it comes from the CD that was handed out to conference attendees.


    Everything we knew, plus some really neat tricks.


    I suppose I could edit this after the fact, so if you really want to keep me honest, copy/paste or print this off for future reference :)

    HacBook:Desktop wesley$ md5 the_dirt.txt
    MD5 (the_dirt.txt) = a6fc95c8a8cd6f996c3a572af6d57f4d

    Yet another thing you’re just going to have to hang on for.

    Edit: Here’s the SHA-1 for you really picky ones :) :

    HacBook:Desktop wesley$ openssl sha1 the_dirt.txt
    SHA1(the_dirt.txt)= 4759da1616dce01137a57ac16a2a24b89ba311ae

    On Episode 116 of PaulDotCom Security Weekly, Paul mentioned how it would be nice if one could have a little bit finer control over the behavior of Metasploit’s fake DNS server.  It seemed like an easy enough hack, so I’ve thrown this together.  I can see this being useful in some situations, and hopefully you will too.

    Metasploit’s fakedns.rb is good at what it does, which is respond to any DNS query with a spoofed response pointing at a specific IP address.  This module, which I’ve decided to name “mitm_fakedns.rb”, is a dirty, filthy hack of fakedns.rb.  It’s not nearly as polished and thought-out as the web_search_scan.rb module I wrote and posted about a couple of days ago, but it is kinda neat anyway.

    It’ll listen for DNS, and when it gets a request, it will go ahead and pass it on to a real DNS server that you can specify.  Once it gets the response from the real DNS server, it’ll modify that response to point to the IP addresses you specify if it matches one of a set of regexes you provide.  This allows you to be a little more “surgical” with whatever attack you have planned, by only spoofing domain names of interest.

    Let’s have a look at the “show info”:

    HacBook:framework wesley$ sudo ./msfconsole
                                     | |      o
     _  _  _    _ _|_  __,   ,    _  | |  __    _|_
    / |/ |/ |  |/  |  /  |  / \_|/ \_|/  /  \_|  |
      |  |  |_/|__/|_/\_/|_/ \/ |__/ |__/\__/ |_/|_/
           =[ msf v3.2-release
    + -- --=[ 299 exploits - 124 payloads
    + -- --=[ 18 encoders - 6 nops
           =[ 68 aux
    msf > use auxiliary/server/mitm_fakedns
    msf auxiliary(mitm_fakedns) > info
           Name: MITM DNS Service
        Version: 5540
    Provided by:
      unknown <ddz>
      hdm <hdm@metasploit.com>
      Wesley McGrew <wesley@mcgrewsecurity.com>
    Basic options:
      Name      Current Setting  Required  Description
      ----      ---------------  --------  -----------
      FILENAME                   yes       File of ip,regex for filtering responses
      REALDNS                    yes       Ask this server for answers
      SRVHOST          yes       The local host to listen on.
      SRVPORT   53               yes       The local port to listen on.
      This hack of the metasploit fakedns.rb serves as a sort of MITM DNS
      server. Requests are passed through to a real DNS server, and the
      responses are modified before being returned to the client, if they
      match regular expressions set in FILENAME.

    Once it's loaded, we can set our variables:

    msf auxiliary(mitm_fakedns) > cat /Users/wesley/hosts.txt
    [*] exec: cat /Users/wesley/hosts.txt,google.com,example.com
    msf auxiliary(mitm_fakedns) > set FILENAME /Users/wesley/hosts.txt
    FILENAME => /Users/wesley/hosts.txt
    msf auxiliary(mitm_fakedns) > set REALDNS
    REALDNS =>
    msf auxiliary(mitm_fakedns) > run
    [*] Auxiliary module running as background job
    msf auxiliary(mitm_fakedns) >

    The file you specify should have an IP address and a regular expression, one pair per line.  Once it’s running, you can test it out by pointing “dig” at it:

    HacBook:~ wesley$ dig @ example.com
    ; <<>> DiG 9.4.1-P1 <<>> @ example.com
    ; (1 server found)
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38312
    ;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
    ;example.com.			IN	A
    example.com.		99270	IN	A
    ;; Query time: 39 msec
    ;; SERVER:
    ;; WHEN: Mon Aug  4 22:59:01 2008
    ;; MSG SIZE  rcvd: 45
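    A defender-side check for the behaviour described above, added here as an example and not code from the post or from mitm_fakedns.rb: it builds constructed DNS responses, parses the A records out of them (including compressed names, as real resolvers send), and reports names whose answer from the local resolver shares no address with the answer a trusted resolver gave. The names and addresses are sample values of this example.

```python
import socket
import struct

def _encode_name(name):  # dotted name -> length-prefixed labels, no compression
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_a_response(txid, name, ip, ttl=300):
    """Constructed sample: minimal DNS response, one question and one A answer."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    question = _encode_name(name) + struct.pack("!HH", 1, 1)   # type A, class IN
    rr = _encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + rr

def _read_name(data, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels = []
    while True:
        length = data[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer into an earlier name
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            labels.append(_read_name(data, ptr)[0])
            return ".".join(labels), off + 2
        labels.append(data[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length

def a_records(data):
    """Return {name: set(ipv4)} for the A records in the answer section."""
    qdcount, ancount = struct.unpack("!HH", data[4:8])
    off = 12
    for _ in range(qdcount):          # skip the question section
        _, off = _read_name(data, off)
        off += 4
    found = {}
    for _ in range(ancount):
        name, off = _read_name(data, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            found.setdefault(name.lower(), set()).add(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return found

def rewritten_names(local_resp, trusted_resp):
    """Names whose local A answers share no address with the trusted resolver's."""
    local, trusted = a_records(local_resp), a_records(trusted_resp)
    return sorted(n for n, ips in local.items() if trusted.get(n) and not ips & trusted[n])
```

    A differing answer is a signal to investigate rather than proof of tampering, since geo-aware CDNs legitimately hand different addresses to different resolvers.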

    This should serve as a pretty good drop-in replacement for fakedns.rb for some attacks.  Here’s the source:


    I wasn’t going to talk about this on here for a while, since the public disclosure and paper won’t be out for another six months, probably, but my major professor is so excited about it that he just had to put out a press release:

    I’m going to clear up a few things on this, but I’m also going to have a bit of fun…

    A Mississippi State graduate student working with the university’s Critical Infrastructure Protection Center could be nicknamed “Johnny-on-the spot.” (sic)

    I feel like I’m in the Rat-Pack now.  “Hey Frank, I need a big-leaguer who can trace through this stuff in immdbg!”, “Call that kid up at MSU, he’s a real Johnny-on-the-spot.”

    Robert W. “Wes” McGrew

    This is the part where we abbreviate my middle name, Wesley (which I go by among people I know), put it in quotes as a nickname, and then place it after my middle initial, which is what it stands for anyw… damnit now even I’m confused.

    OK, now for some clarifications:

    …discovered what is being called “a significant software vulnerability” that could allow hackers the ability to gain entry to computer control systems of numerous industries and potentially threaten national security.

    “We know that this software exists in very critical infrastructures in the U.S.,” said Vaughn. “Through his research, Wes demonstrated how it was possible to obtain unauthorized access to the control system in just a few seconds.

    The vulnerabilities that I have found (I’m not even disclosing the software’s name yet) are very serious; however, they’re not remote-access-granting by themselves.  Once you have any sort of access, remote or local, you can pretty much run all over the access controls and other security/auditing mechanisms.  It’s still troubling, as many installations of these systems have hacked-together remote access over RDP or software packages like PCAnywhere.  We’ve heard several first-hand accounts of the poor physical security of these systems as well.

    There have been a lot of instances in the past of computers on SCADA networks being compromised by worms, botnet herders, and other attackers that didn’t even realize they were on a SCADA system.  These are the sort of vulnerabilities that can turn a normal attack that happens to be on a SCADA system into an actual control systems attack.

    I promise you’ll get all the juicy details you can eat in the paper.

    The National Security Agency was notified immediately of McGrew’s discovery. Shortly thereafter, the Department of Homeland Security broadcast an alert that included information on how to rectify the problem.

    Too bad you didn’t have your shortwave radio tuned to the right frequency or you would have caught some zero day.  Seriously though, I do think some important installations have been given some heads-up and mitigation strategies.

    That’s really about all (or more than) I want to say about it at this point :)

    Edit: Never going to live this down on IRC:

    14:05 < jgk> Robert W. "Wes" McGrew of Collinsville recently discovered
                 what is being called "a tiramisu" that could allow hackers
                 the ability to gain satiety of numerous industries and
                 potentially threaten a toilet.

    The other day I decided that I wanted to become more familiar with the internals of the Metasploit Framework, so with the latest svn of the framework and a couple of books on Ruby, I started digging.  I decided a fun project would be to port some of my existing tools and scripts into the framework.  I have started this with this ground-up rework of GooSweep (which has fallen into disrepair), and I have to say: Putting this together in Ruby with the Metasploit framework was a very enjoyable experience, and resulted in something that’s useful and usable way beyond what GooSweep used to be.  I’m definitely going to be writing stuff in the framework more often, now.

    This module, web_search_scan, will perform search engine queries (Google by default, but configurable) for each IP address (and, optionally, hostnames found by rDNS) in a range specified by the user.  If there are hits on the search engine for a host, the module will display the number of hits, and URLs to view the results.  If you have a database connected, it will also log notes to the database for each host that it finds.

    It’s a simple idea, but I’ve found the technique to be very useful.  It requires a little manual work to check out the results, since there’s no way of really knowing what you’re going to find, but you can find some interesting things like this.  For example:

    • Publicly-accessible and indexed web logs and stats – You can tell if someone at that IP has visited a site, and possibly even when, how often, and what their user agent was
    • Wiki edits and IP user pages
    • Mailing list and newsgroup posts – Hits from the mail/post headers, or occasionally admins asking for configuration help that don’t censor addresses
    • Abuse reports for open proxies, spammers, etc.
    • Posts to forums, comments, or guestbooks that log and display IP addresses

    With a little detective work, you can map out some known active hosts on a network, and some information about those hosts, without having to actively probe the network.  This is great for the information-gathering phase of a penetration test.  I’ve also found it to be very helpful for learning more about potential attackers when doing incident response.

    Here’s what the module’s info looks like in Metasploit (output edited for width):

    HacBook:framework wesley$ ./msfconsole
                    __.                       .__.        .__. __.
      _____   _____/  |______    ____________ |  |   ____ |__|/  |_
     /     \_/ __ \   __\__  \  /  ___/\____ \|  |  /  _ \|  \   __\
    |  Y Y  \  ___/|  |  / __ \_\___ \ |  |_> >  |_(  <_> )  ||  |
    |__|_|  /\___  >__| (____  /____  >|   __/|____/\____/|__||__|
          \/     \/          \/     \/ |__|
           =[ msf v3.2-release
    + -- --=[ 299 exploits - 124 payloads
    + -- --=[ 18 encoders - 6 nops
           =[ 68 aux
    msf > use auxiliary/scanner/misc/web_search_scan
    msf auxiliary(web_search_scan) > info
           Name: Web Search Engine IP Address Scanner
        Version: 5612
    Provided by:
      Wesley McGrew <wesley@mcgrewsecurity.com>
    Basic options:
      Name         Current Setting  Required  Description
      ----         ---------------  --------  -----------
      LOOKUP       false            yes       Reverse lookup IPs and
                                              search hostnames too? (Not
      PROXYCHAINS                   no        Pipe-delimited (|) list of
                                              proxy chains to use
      QUIET        false            yes       Quiet output (still logs to
      RETRIES      3                yes       Number of times to retry
                                              queries if they fail
      RHOSTS                        yes       The target address range or
                                              CIDR identifier
      SLEEP        3                yes       Minimum time to sleep between
                                              requests (seconds)
      SLEEPRAND    3                yes       Random additional time to
                                              sleep (seconds)
      THREADS      1                yes       The number of concurrent threads
      This scanner will do a web search engine query for each IP address
      (optionally, rDNS names as well) and record the number of hits and a
      URL to the query results. This is a useful for determining some
      active hosts and information gathering about a network without
      having to directly probe the network. Common results include
      publicly accessible web access logs, mailing list posts, abuse
      reports, and wikipedia edits. (WARNING: If you set LOOKUP to true,
      your target may notice the reverse DNS lookups.)
    msf auxiliary(web_search_scan) >

    A quick overview of these options:

    • RHOSTS - Set of IP addresses you want to scan.  You can comma-delimit sets of hosts, do dash-separated ranges, or masks, just like with any Metasploit module
    • LOOKUP - If you like, the module can do a reverse-DNS query for each IP address and perform search engine queries for each hostname found.  If you're trying hard to be stealthy, you may want to avoid this option, as the target's DNS will see the queries.
    • SLEEP and SLEEPRAND - After each search engine query, the module will sleep for SLEEP + rand(SLEEPRAND+1) seconds.  Many web search engines will freak out if you throw queries at them faster than a normal human user would.  You can adjust this to be faster or slower, depending on how dangerous you feel.
    • RETRIES - Sometimes, even when we're careful, a search engine will respond with something we have no idea how to parse.  Or stops responding altogether.  This is the number of times the module will attempt a query before giving up.  At the end of a complete scan, the module will display all the queries that failed, so that you are aware of any false-negatives.
    • QUIET - If set to "true", the module will only output status at the beginning and end of its run.  If you set this, you will want to have a database connected, as that's the only place the results will be going.  You can set this, use "run -j" to execute the scan, and it will run in the background fairly quietly, letting you do other things in metasploit while this slowwww scan runs :) .
    • PROXYCHAINS and THREADS - Many metasploit modules allow you to specify a proxy chain to work with.  This one allows you to specify multiple chains, which will allow you to parallelize and run a scan faster, even with all the necessary sleeping.  For best results, set THREADS to a few greater than the number of proxy chains.  Each thread will claim a proxy for the duration of each individual query.  I apologize that this feature isn't extremely well tested (I left my botnet in my other pants).

    There are also some "advanced" options that allow you to tweak where and how the module gets its results.  This can be useful if you need to use a different search engine, or fix the current one if it changes and breaks the regex.  Here's what you can tweak:

    msf auxiliary(web_search_scan) > show advanced
    Module advanced options:
       Name           : NOHITSREGEX
       Current Setting: (?:No results found)|(?:did not match any documents)
       Description    : Regex to match a zero-hit search
       Name           : NUMHITSREGEX
       Current Setting: of (?:about )?<b>((?:[,\d])+)<\/b> for <b>
       Description    : Regex to match number of hits
       Name           : SEARCHHOST
       Current Setting: www.google.com
       Description    : Hostname of search engine
       Name           : SEARCHPORT
       Current Setting: 80
       Description    : Search Port
       Name           : SEARCHURI
       Current Setting: /search?hl=en&q=*&btnG=Google+Search
       Description    : Search URI (* for query location)
       Name           : TIMEOUT
       Current Setting: 10
       Description    : Timeout for the search engine to respond
       Name           : USERAGENT
       Current Setting: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
    rv: Gecko/2008070208 Firefox/3.0.1
       Description    : The User-Agent header to use for all requests

    One thing you could do with the SEARCHURI option is add in extra parameters such as “site:example.com” to look for mentions of IP addresses and hosts only on a specific site.
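    An added example (not the module's own code) of how the advanced settings above fit together: it fills the “*” slot of SEARCHURI with a query, applies the default NOHITSREGEX and NUMHITSREGEX to constructed result-page fragments, and reports the unparseable case the module retries. The sample HTML, the TEST-NET hosts and the choice to quote the query are assumptions of this example.

```python
import re
from urllib.parse import quote_plus

# Default advanced settings of web_search_scan, copied from the "show advanced" output.
NOHITSREGEX = r"(?:No results found)|(?:did not match any documents)"
NUMHITSREGEX = r"of (?:about )?<b>((?:[,\d])+)<\/b> for <b>"
SEARCHURI = "/search?hl=en&q=*&btnG=Google+Search"

def search_path(query, uri=SEARCHURI):
    """Fill the '*' slot of SEARCHURI with the URL-encoded query.
    Wrapping the query in quotes is this example's choice (exact-phrase match)."""
    return uri.replace("*", quote_plus('"%s"' % query))

def count_hits(html, nohits=NOHITSREGEX, numhits=NUMHITSREGEX):
    """0 for a zero-hit page, the parsed hit count otherwise, or None when neither
    regex matches: the 'cannot parse' case that the module retries and later reports."""
    if re.search(nohits, html):
        return 0
    m = re.search(numhits, html)
    return int(m.group(1).replace(",", "")) if m else None

def summarize(results):
    """results: iterable of (host, html). Returns ({host: hits} for hosts with hits,
    [hosts whose page could not be parsed]), mirroring the module's end-of-scan report."""
    hits, failed = {}, []
    for host, html in results:
        n = count_hits(html)
        if n is None:
            failed.append(host)
        elif n:
            hits[host] = n
    return hits, failed

# Constructed result-page fragments (TEST-NET addresses, not real hosts).
PAGE_HITS = 'Results <b>1</b> - <b>10</b> of about <b>1,240</b> for <b>"192.0.2.10"</b>'
PAGE_NONE = 'Your search - <b>"192.0.2.11"</b> - did not match any documents.'
PAGE_CHANGED = '<div id="resultStats">About 1,240 results</div>'  # layout the regex no longer fits

if __name__ == "__main__":
    print(summarize([("192.0.2.10", PAGE_HITS), ("192.0.2.11", PAGE_NONE),
                     ("192.0.2.12", PAGE_CHANGED)]))
```

    When the engine's markup changes (PAGE_CHANGED), every host lands in the failed list rather than silently counting as zero hits, which is exactly the false-negative the RETRIES report is meant to surface.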

    Here’s what a scan might look like (searching non-routable ranges guarantees some results, but it’s a bit pointless too :) ):

    So there you have it!  Here’s the code, if you want to drop it in the framework (tested with the latest SVN of metasploit) and use it yourself:

    © 2012 McGrew Security Suffusion theme by Sayontan Sinha