Tomorrow I fly out to Vegas for an extended run of training, conference attendance, networking, and speaking. I’ll get to all of that, but last things first: I am very happy to have been chosen to, for my third consecutive year, present at DEF CON on a fun and offense-oriented topic:

defcon21talk

 

This year I’ll be speaking about the attack surface of attack tools. Specifically, small devices hidden by malicious attackers or shipped to a client for pentesters for the purpose of remote access and attack. I’ll discuss some of the problems with having a small embedded device that runs a pile of perhaps-not-completely-hardened tools, how to respond to a device if one is located within your organization, and how such devices may be open to counter-attack. We’ll spend some time discussing the implications of a malicious attacker compromising a pentester’s implantable device, and then roll into a case study involving the most popular device of this type: Pwnie Express’ Pwn Plug. I’ll demonstrate some (very easy to follow) zero-day in the Pwn Plug, as well as discuss what one might want to do post-exploitation, along with how to acquire a nice forensic image of the device.

That talk will be on Saturday, August 3rd, at 2PM in Track 3 of DEF CON 21. I’ll be holding what I hope will be a nice informal Q&A afterwards (my past talks at DEF CON have had excellent Q&A sessions), so I hope to see some readers there.

Apart from that, I’m going to be in Vegas for a while. I am extremely excited to be taking Stephen Ridley and Stephen Lawler’s Advanced ARM Exploitation training for my first 4 whole days in Vegas. The Stephens are the operators of dontstuffbeansupyournose.com and by all accounts have put together a very good class. I’m excited about improving my skills, and if you follow me on twitter (@McGrewSecurity) I’m sure you’ll hear all about it.

I’ll be in attendance at both Blackhat and DEF CON, so be sure to track me down to have a word. My current beard-status is pretty close to my twitter avatar, so I should be easy to spot. Also, I’ll be the one floating a few inches off the ground, due to the fact that I’ve recently completed my Ph.D. dissertation (on the topic of SCADA HMI vulnerabilities, the topic of my talk last year), and have taken a position at Mississippi State as an assistant research professor. If you have interesting research ideas or just want to raise hell with a security geek with strong views, do get in touch and/or find me at either conference.

 

Tim Medin, over at the excellent Packetstan blog, just wrote up an excellent post detailing the implementation of a NBNS spoofing module which has been added to the the latest Metasploit trunk:

This module is based off an old tool, nbnspoof.py, that I wrote to perform this attack, originally described (as nearly as I can tell) by Sumit Siddharth. It’s a very simple attack, taking advantage of the way Windows proceeds to NetBIOS Name Service lookups once local and DNS lookups fail. If you’ve ever turned a careful eye to broadcast traffic on any network with Windows systems, you’ve probably noticed that a surprising number of lookups fail through to NBNS for various reasons.

Tim does a great job of describing how the spoofing works, how to use it in the context of a penetration test, and how the module was developed. Due to its integration into the current version of the Metasploit framework, I’d have to say that I recommend it over the original python version. Maybe one day soon I’ll one-up him and try to turn it into a meterpreter post-exploitation script, in order to hijack remote hosts into being spoofers ;-) .

Until then, and in related news, I’ve submitted a talk on some other forms of Metasploit sorcery that I have developed recently to Defcon (and tomorrow to Blackhat once the CFP opens). With any luck I’ll be speaking at one or the other later this year. Either way, I’ll see some of my readers there, hopefully!

 

The guys that I brought together here at Mississippi State to serve as a Red Team for University of Alaska Fairbanks’ CCDC had a great time Saturday.  This CCDC was a “practice” run for two Alaskan teams and two Hawaiian teams, and I believe we gave them a good taste of what they’d likely face in regional and national CCDCs if they decide to run it again for-real next year and send a team to regionals (which I hope they do!).

I gathered up a team of skilled students here that had performed well in past CTF events we’ve held here at MSU, or otherwise shown some aptitude (such as the guy who developed our SCADA radio attacks).  With a good team in place, we prepared our attack with the following goals in mind:

  • Fair distribution of attacks – If we were able to compromise a team’s system, once we were in, we tried to run the same kind of attack against all of the other teams.  If a team escaped the evil treatment we gave another team, it was because they had defended themselves against it, and not due to arbitrary choices of who we pick on.
  • Annoyance, not destruction - Once we were in, we were careful to not do anything that the teams could not recover from.  No “rm -rf” or dropping tables.
  • Increasing levels of noise – Early in the game, our goal was to get in and subvert things quietly.  As the game progressed, I instructed my Red Team to get increasingly “loud” and annoying, to see at what point the teams realized there was a compromise, and observe how they would react.

I won’t go into too much detail about the scenario, in case they want to re-use parts of it, but I can give a good summary of things from the Red Team perspective without getting into spoilers.  On our end, we set up shop in the MSU NFTC’s forensics lab (our security lab is isolated from the public Internet), and connected to the CCDC network remotely using the VMWare vSphere client.  There, the organizers had set the red team up with a number of Backtrack 4 and Windows XP virtual machines.

The defending teams were given a 30 minute grace period, during which we were only allowed to perform recon.  We took the time to scan the network, and get Metasploit and other tools ready to go.  I quickly knocked together a phishing site based off the web applications the teams had to maintain.

Within the first five minutes of our attack, members of the Red Team had compromised all four teams’ DNS servers and installed back-door software that maintained access for most of the competition.  This allowed us to point the teams’ domain for web access (www.) to the phishing site I created and set up before the attack.  This site logged usernames and passwords for all teams throughout the competition, and served as a nice central place to deface and taunt them (with the phished account list) once we decided to get noisy.

While we waited for the central DNS server to update its cache for the teams’ web servers, I managed to break their web apps, so that if they did manage to point them back to the right location, they’d still have some work to do.  They were running a web hosting business that allowed new clients to select the subdomain they wanted to host their site.  I registered an account on the first team’s site and requested the “www.” subdomain.  This instantly replaced their web app with an Apache test page.  Delighted, I moved on and broke the others in the same way.  Only one team’s app survived this, but only because they had broken account creation and login (likely, by trying to secure Apache or Django’s config).

From this point on, we played cat-and-mouse with the teams on their other systems, but they never resumed business operations.  One thing we discussed with them in our post-game wrap-up was a sense of priority.  I’m not sure how it would reflect in the scoring of a regional or national CCDC, but at least in the real world, the focus should have been on getting their web sites back up and operational so that business could continue.  Everything else could work, but if you can’t sign up new clients or provide service, you’re dead in the water.  Most of the other stuff we did (compromising the mail server to send resignation letters and rude emails to the CCDC organizers on behalf of the teams, fighting for control/chatting with team members on their workstations) were distractions to keep them from kicking us out of the systems that really mattered.

Overall, though, the teams did a good job of not panicking in a bad-and-rapidly-deteriorating situation.  By the end, a couple of the teams had managed to kick us out of their DNS servers and given some more time, would have been able to restore operations.  They all seemed to be good sports about it too :)

As for my Red Team, I’m very proud.  They held it down, but kept things fair and didn’t make things hopeless for the defenders.  They quickly executed our planned attacks and kept their eyes on the goal: disrupting business, not just owning boxes.

 

I’ve been busy this week teaching part of the intro series of courses we have at the National Forensics Training Center, but I still wanted to post a quick update.  I figured I’d share a few interesting things I read this week, and talk a bit about some extracurricular activities going on in our lab tommorow.

For a couple of weeks now, I’ve been using Instapaper to mark articles and sites to “Read Later”.  The benefit of Instapaper is, with the integration and sync’ing between all the different computers I use and (crucial) my iPod Touch, I actually wind up reading things that I intend to read later, instead of them just getting bookmarked and forgotten.  While I’m on WiFi I can sync them all up to the iPod and read them anywhere, offline, where I don’t have the distractions of grabbing new emails and messages.

Some things I star’d and enjoyed recently:

  • Should I Learn Assembly Language – HD Moore tackles the question of whether or not penetration testers have a need to learn assembly language.  Spoiler: The answer is, essentially: you can get away with not knowing it if you just use the shellcode in Metasploit, but it’s a must if use public-sourced exploits or just want to understand how the shellcode works (which you should).
  • Network Time Protocol (NTP) Fun – Cool little writeup over at the carnal0wnage blog about a new module in Metasploit that performs some information gathering over NTP.
  • Clueless FUD Article… – In which Steve Manzuik points out that there is a lot more information sharing going on behind the scenes in infosec than you might be aware of (or at least more than the author of a specific DarkReading article is aware of)

Tomorrow afternoon, a group of guys (who have historically done well in past CTF events here at the university) and I will be acting as the red team for a cyber-defense exercise being hosted by the University of Alaska Fairbanks.  They have a nice VMWare setup in Fairbanks that all of the teams will be remoting into, and we’re really looking forward to giving the participating universities a hard time.  If you happen to be one of the readers that local enough to Mississippi State University to drop by for a visit, feel free to come by the forensics lab in Butler Hall tomorrow between 1:30 and 7:30 PM to see how things are going.

 

Previous parts (Pre-requisite information.  There will be a pop quiz at the end.):

  • Part 1 – Definitely read the criminal complaint.
  • Part 2 – Watch some videos

In this post I will be displaying and discussing some screenshots that Jesse “GhostExodus” McGraw posted online.  These screenshots were taken on the PC controlling Carrell Clinic’s HVAC system, uploaded to a photobucket account owned by GhostExodus, and linked to in posts on anarchistcookbook.com and warezscene.org (still available there).  When XXxxImmortalxxXX initially bragged to me about hacking this HVAC system himself, he linked the same photobucket images directly, which led me to discover the forum posts that linked the same images.

What you’re looking at in these screenshots, if you’re not familiar with control systems, is Human-Machine Interface (HMI) software.  HMI software represents what would have once been a physical control panel with switches, dials, gauges, and other similar elements.  The software displays the status of various elements of the system, and allows the operator to make changes, either directly (by flipping a switch, for example), or by modifying a parameter that the system automatically tries to maintain or use as a boundary.

Since the HMI for a control system is very specific to that system, HMI software is typically distributed as a combination of IDE (for developing the custom interface) and a runtime (for running the developed system).  HMI systems also implement access control and auditing, features that often serve as a last line of defense for a control system.  While I cannot speak for BACtalk’s security (I have no experience with it yet), a combination of misconfiguration and vulnerabilities in HMI products’ security features can lead to this layer of defense being weak.  Until HMI software security improves, it’s very important to layer defenses around them, with strict control over who can access the systems physically or over a network.

Let’s take a look at the shots (click them to see them at full resolution):

Photobucket

In this shot, you can see what appears to be a “main menu” for the control system, with buttons that take you to other screens that control different sections of the hospital.  The most interesting thing here is the dialog box, “BACtalk Alarm”.  The “Acknowledge” buttons allow an operator to record that he or she has seen the alarm, which should go in an audit log that can be reviewed if there are problems in the future.  An attacker with access to these systems and the associated logs could “acknowledge” alarms that were meant to be seen by operators, and potentially even modify the audit logs.  The criminal complaint against GhostExodus made reference to problems with alarms this specific HVAC system was having after being compromised.

Photobucket

Here, we see a floorplan for an area of the hospital containing some operating rooms (OR 2 through OR 5).  Among other things, you can see the open/closed status of the vents in various rooms.  The buttons to the right of these status could be controls to toggle the status.  I’m not really sure what the weird gray graphic between/overlapping the status of “AHU 7 OA Alarm” and “AHU 4 OR Alarm” is.  If you have a guess, leave a comment. (Nevermind, glitch in GIMP.)

Note that since HMI interfaces are custom-designed in an IDE for the purposes of each control system, that the user interfaces are not always self-explanatory.  Operators have to be trained to understand the elements of each system.  This one’s not really that bad compared to a lot of them, though.

Photobucket

This is the scary one.  It’s a list of parameters for systems in a “Surgery Center” or operating room.  Here, an operator (or attacker) can modify the temperatures and levels at which pumps kick in, or shut things on and off.  I’m not familiar with hospital control systems, and especially not with those involved in surgery, but I imagine that changes made to these systems could wreak some havoc.

These screenshots were posted by GhostExodus on the warezscene and anarchistcookbook forums with the following text:

Spreading botnets is boring. But sometimes you get a hefty prize for all your hard work and labor. Like this you see below. An HVAC server. An HVAC is: HVAC (pronounced either “H-V-A-C” or “H-vak”) is an initialism or acronym that stands for “heating, ventilating, and air conditioning”. HVAC is sometimes referred to as climate control and is particularly important in the design of medium to large industrial and office buildings such as skyscrapers and in marine environments yay for wiki

In reality, GhostExodus compromised the system with physical access as a night security guard.  It is not known if this HMI was “legitimately” accessible remotely with RDP or similar protocols.  It was revealed in the criminal complaint that malicious software allowing for remote access was confirmed to be installed on the system.

GhostExodus followed up in the same thread on warezscene with this post:

nice. You almost can’t help it ya know. It must be done!

Hopefully this isn’t something many people feel compelled to do.

 

Over at the excellent ethicalhacker.net site, the results of the Santa Claus is Hacking to Town Skillz Challenge have been posted:

These challenges are a lot of fun, and educational as well.  Ed Skoudis puts a lot of effort into writing and judging them.  There’s a whole archive of previous challenges available here, and I highly recommend at least reading through, if not working through, some of the previous challenges.  

This time around, I managed to get an honorable mention for my entry!  I’m very happy with this.  I was unable to test the Windows-centric parts of my solution before I had to submit it and move on to real work, so that part wasn’t %100, but I did have a really solid way of getting netcat onto the web server via the command-injection-vulnerable script, and some nice netcat pivoting.  

Oh, and apparently I’m a security stud! :

We had entries from notable security studs like Wesley McGrew, Raul Siles, Ryan Linn, Mark Baggett, Zoher Anis, Paul Tartar, and others.

I might put “notable security stud” on some business cards, or maybe a button, now.

 

I really need to get back into the habit of writing on here, so maybe a few words on the new non-Patch-Tuesday vulnerability is in order.  I just got my MacBook back from warranty service yesterday, and was reading about this on Twitter as I was getting everything set back up.  I’ll give you a few links that I’ve seen in my feed reader, Twitter, and IRC (shouts to #pauldotcom and #securabit on freenode), and a little commentary:

It’s been a while since we’ve had a vulnerability that is this clean and perfect for large-scale attacks: remote, pre-authentication, and something you can count on running on most Windows systems.
There is active exploitation of this “in the wild”.  Whoever developed that exploit probably noticed the problem while looking at the code affected by MS08-040.  
ThreatExpert calls the above exploit/malware-payload a worm, and while it really doesn’t seem like this particular chunk of code will spread extremely far, it does fit the definition.  I expect to see a much leaner exploit+scanning worm developed around this vulnerability.  Such a worm could cause some serious problems, although I don’t think that it would be on quite the same level as Slammer.  For starters, this one will at least have to go through the trouble of setting up full TCP connections, instead of just flooding links with UDP :) .
This is a reverse-engineered-to-C analysis of the vulnerable function, from Alexander Sotirov.  The function in question is in netapi32.dll, and if I’m reading the milw0rm exploit right, is called from _NetprPathCanonicalize.  The vulnerability results in a stack-based overflow, but the core problem is a little more subtle.
…and finally, a proof-of-concept exploit on Milw0rm.  This one just shows you that taking control of EIP is pretty straightforward.  I’d expect that there’ll be a pretty reliable code-execution exploit soon.
Edit:
Mubix just pointed me at this great in-depth look at the vulnerability. Really good reading material.  Print this and read it over lunch :)
 

If you’re lucky enough to be in Vegas these next few days for Defcon 16, you really should drop by Immunity’s booth to pick up another certification to put behind your name (apparently free).  The appropriately acronym’d NOP (Network Offense Professional) certification is more than a little tongue-in-cheek, however it’s basic enough to be a good “put up or shut up” for those who claim to have some skills and understanding of basic exploitation.

Here’s the announcement:

Immunity is proud to announce the launch of our new certification, the
Network Offense Professional (NOP) at Defcon. NOP will allow prospective
employers to know that you have the capabilities needed to understand
the complex issues at the heart of information security.

Specifically, to obtain the certification you will need to write a
buffer overflow from scratch within a certain time period. You will
first find the buffer overflow by reverse engineering a target program,
and then obtain a shell from it or execute a command. This is a hands-on
certification, not a paper test. Immunity Debugger, Immunity CANVAS, and
VisualSploit will be available to you during the certification process
to enable you to write the exploit quickly. The target process will be
running on a Windows 2000 SP4 machine.

Successfully completing the challenge will allow you to use the NOP
signifier after your name and will potentially allow you to obtain
discounts of Immunity products.

Taking the NOP certification is on a first come first serve basis. Come
to the Immunity Defcon booth and try your hand.

Any inquiries can be sent to admin_at_immunityinc.com.

Thanks,
Dave Aitel
VP Media Relations
Immunity, Inc.

It’s also meant as a way to show off just how easy Visual Sploit is to use.  I haven’t personally used it, but today, Dave posted a really great flash video demonstrating its use in developing a simple buffer overflow exploit:

Really easy stuff there.  If you understand the concepts of how buffer overflows work, then that video should show you how easy it is to throw an exploit together.  Very clean procedure:

  • Demonstrates that the return pointer can be overwritten, by passing a large strings of A’s and seeing 0×41414141 in EIP
  • Finds an exact offset for the return pointer by passing a string of AAAABBBBCCCC… and seeing what winds up in EIP
  • Since the buffer is sitting at the stack pointer, an exact jump can be made to the shellcode by returning to a “jmp esp” that’s already in memory.
  • Drops a “shellcode” of “int 3″ repeated, so the debugger will break and we can see that it worked.

Cool stuff!  Wish I was in Vegas to take the test ;)

 

On Episode 116 of PaulDotCom Security Weekly, Paul mentioned how it would be nice if one could have a little bit finer control over the behavior of Metasploit’s fake DNS server.  It seemed like an easy enough hack, so I’ve thrown this together.  I can see this being useful in some situations, and hopefully you will too.

Metasploit’s fakedns.rb is good at what it does, which is respond to any DNS query with a spoofed response pointing at a specific IP address.  This module, which I’ve decided to name “mitm_fakedns.rb”, is a dirty, filthy hack of fakedns.rb.  It’s not nearly as polished and thought-out as the web_search_scan.rb module I wrote and posted about a couple of days ago, but it is kinda neat anyway.

It’ll listen for DNS, and when it gets a request, it will go ahead and pass it on to a real DNS server that you can specify.  Once it gets the response from the real DNS server, it’ll modify that response to point to the IP addresses you specify if it matches one of a set of regexes you provide.  This allows you to be a little more “surgical” with whatever attack you have planned, by only spoofing domain names of-interest.

Let’s have a look at the “show info”:

HacBook:framework wesley$ sudo ./msfconsole
Password:

                                  _
                                 | |      o
 _  _  _    _ _|_  __,   ,    _  | |  __    _|_
/ |/ |/ |  |/  |  /  |  / \_|/ \_|/  /  \_|  |
  |  |  |_/|__/|_/\_/|_/ \/ |__/ |__/\__/ |_/|_/
                           /|
                           \|

       =[ msf v3.2-release
+ -- --=[ 299 exploits - 124 payloads
+ -- --=[ 18 encoders - 6 nops
       =[ 68 aux

msf > use auxiliary/server/mitm_fakedns
msf auxiliary(mitm_fakedns) > info

       Name: MITM DNS Service
    Version: 5540

Provided by:
  unknown <ddz>
  hdm <hdm@metasploit.com>
  Wesley McGrew <wesley@mcgrewsecurity.com>

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  FILENAME                   yes       File of ip,regex for filtering responses
  REALDNS                    yes       Ask this server for answers
  SRVHOST   0.0.0.0          yes       The local host to listen on.
  SRVPORT   53               yes       The local port to listen on.

Description:
  This hack of the metasploit fakedns.rb serves as a sort of MITM DNS
  server. Requests are passed through to a real DNS server, and the
  responses are modified before being returned to the client, if they
  match regular expressions set in FILENAME.

Once it's loaded, we can set our variables:

msf auxiliary(mitm_fakedns) > cat /Users/wesley/hosts.txt
[*] exec: cat /Users/wesley/hosts.txt

192.168.1.1,google.com
10.0.0.1,example.com
msf auxiliary(mitm_fakedns) > set FILENAME /Users/wesley/hosts.txt
FILENAME => /Users/wesley/hosts.txt
msf auxiliary(mitm_fakedns) > set REALDNS 192.168.1.254
REALDNS => 192.168.1.254
msf auxiliary(mitm_fakedns) > run
[*] Auxiliary module running as background job
msf auxiliary(mitm_fakedns) >

The file you specify should have an IP address and a regular expression, one pair per line.  Once it’s running, you can test it out by pointing “dig” at it:

HacBook:~ wesley$ dig @127.0.0.1 example.com

; <<>> DiG 9.4.1-P1 <<>> @127.0.0.1 example.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38312
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;example.com.			IN	A

;; ANSWER SECTION:
example.com.		99270	IN	A	10.0.0.1

;; Query time: 39 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Aug  4 22:59:01 2008
;; MSG SIZE  rcvd: 45

This should serve as a pretty good drop-in replacement for fakedns.rb for some attacks.  Here’s the source:

 

I wasn’t going to talk about this on here for a while, since the public disclosure and paper won’t be out for another six months, probably, but my major professor is so excited about it that he just had to put out a press release:

I’m going to clear up a few things on this, but I’m also going to have a bit of fun…

A Mississippi State graduate student working with the university’s Critical Infrastructure Protection Center could be nicknamed “Johnny-on-the spot.” (sic)

I feel like I’m in the Rat-Pack now.  “Hey Frank, I need a big-leaguer who can trace through this stuff in immdbg!”, “Call that kid up at MSU, he’s a real Johnny-on-the-spot.”

Robert W. “Wes” McGrew

This is the part where we abbreviate my middle name, Wesley (which I go by among people I know), put it in quotes as a nickname, and then place it after my middle initial, which is what it stands for anyw… damnit now even I’m confused.

OK, now for some clarifications:

…discovered what is being called “a significant software vulnerability” that could allow hackers the ability to gain entry to computer control systems of numerous industries and potentially threaten national security.

“We know that this software exists in very critical infrastructures in the U.S.,” said Vaughn. “Through his research, Wes demonstrated how it was possible to obtain unauthorized access to the control system in just a few seconds.

The vulnerabilties that I have found (I’m not even disclosing the software’s name yet) are very serious, however they’re not remote-access-granting by themselves.  Once you have any sort of access, remote or local, you can pretty much run all over the access controls and other security/auditing mechanisms.  It’s still troubling, as many installations of these systems have hacked-together remote access over rdp or software packages like PCAnywhere.  We’ve heard several first-hand accounts of the poor physical security of these systems as well.

There’s been a lot of instances in the past of computers on SCADA networks being compromised by worms, botnet herders, and other attackers that didn’t even realize they were on a SCADA system.  These are the sort of vulnerabilities that can turn a normal attack that happens to be on a SCADA system into an actual control systems attack.

I promise you’ll get all the juicy details you can eat in the paper.

The National Security Agency was notified immediately of McGrew’s discovery. Shortly thereafter, the Department of Homeland Security broadcast an alert that included information on how to rectify the problem.

Too bad you didn’t have your shortwave radio tuned to the right frequency or you would have caught some zero day.  Seriously though, I do think some important installations have been given some heads-up and mitigation strategies.

That’s really about all (or more than) I want say about it at this point :)

Edit: Never going to live this down on IRC:

14:05 < jgk> Robert W. "Wes" McGrew of Collinsville recently discovered
             what is being called "a tiramisu" that could allow hackers
             the ability to gain satiety of numerous industries and
             potentially threaten a toilet.
© 2012 McGrew Security Suffusion theme by Sayontan Sinha