Tim Medin, over at the excellent Packetstan blog, just wrote up an excellent post detailing the implementation of a NBNS spoofing module which has been added to the latest Metasploit trunk:

This module is based off an old tool, nbnspoof.py, that I wrote to perform this attack, originally described (as nearly as I can tell) by Sumit Siddharth. It’s a very simple attack, taking advantage of the way Windows proceeds to NetBIOS Name Service lookups once local and DNS lookups fail. If you’ve ever turned a careful eye to broadcast traffic on any network with Windows systems, you’ve probably noticed that a surprising number of lookups fail through to NBNS for various reasons.

Tim does a great job of describing how the spoofing works, how to use it in the context of a penetration test, and how the module was developed. Due to its integration into the current version of the Metasploit framework, I’d have to say that I recommend it over the original python version. Maybe one day soon I’ll one-up him and try to turn it into a meterpreter post-exploitation script, in order to hijack remote hosts into being spoofers ;-) .

Until then, and in related news, I’ve submitted a talk on some other forms of Metasploit sorcery that I have developed recently to Defcon (and tomorrow to Blackhat once the CFP opens). With any luck I’ll be speaking at one or the other later this year. Either way, I’ll see some of my readers there, hopefully!


The idea for doing this comparison came to me after seeing some back-and-forth on twitter between @attritionorg and @dralijahangiri about the Live Hacking CD.  After @attritionorg called the point of the Live Hacking CD into question (when Backtrack 4 is already available), Dr. Ali Jahangiri made claims that “Live Hacking CD is much easier than BackTrack and its tools are updated”, and that “BackTrack is a great Distro but it has tons of tools that you do not use it frequently in PenTest”.  Dr. Jahangiri followed this up with an example that there are “old” tools in Backtrack: Kismet.

I had not used the Live Hacking CD before, so I figured that testing out these claims and comparing the two distributions might be worth doing.  I’m always interested in new live CDs, both for my own use, and as recommendations for students and others new to infosec.  Backtrack 4 is the current pentest-distro-of-choice around here.  It’s to the point now that a BT4 install is about as good as anything I’d roll myself for a pen-testing Linux install, and it’s also something I can recommend to the students for lab exercises, and our end-of-semester CTF.

One might ask, why would the Live Hacking folks want to re-invent the wheel?  If you are just a user of Backtrack, it may not have occurred to you, but there is a business rationale for competition in the pen-test Live CD arena.  The BT4 maintainers, Offensive Security, offer some very well-liked and technical training classes that use Backtrack in a classroom setting.  Live Hacking also holds workshops that teach similar material.  It would make sense, then, that one training company would not want to have students spending much of their time in class staring at an advertising vehicle for another company.

So, the Live Hacking CD makes sense for the Live Hacking training.  They don’t have students sitting and looking at their competitor’s logos throughout class.  They can load it up with the specific tools that they teach in the class and update it along with their material.  At the NFTC, we’ll likely soon be doing something similar with a forensics live distro, so I definitely “get it”.

The question is: if I am not currently in the Live Hacking training, is their Live CD something that is useful independent of the class?  The answer for Backtrack 4, with the new features for cleanly installing and package management, is a resounding “yes”.  Backtrack serves as a tough competitor, but Dr. Jahangiri seems to compare the Live Hacking CD favorably to BT4, so let’s take it to task:

Tools

I considered building a table that compared the two sets of tools, but there’s honestly no point.  Backtrack 4 is a DVD distribution, giving it a huge advantage over Live Hacking’s CD in this category.  You can view a list of tools that are on the Live Hacking CD here, though I am not aware of a list for Backtrack 4 (there is a Backtrack 3 list here, though it’s not quite accurate for BT4).

While Backtrack 4 has all but a few of the tools from Live Hacking (Relay Scanner, for example), there are some interesting omissions from Live Hacking.  The Live Hacking CD seems to focus on reconnaissance, spoofing, and wireless tools.  It’s missing a lot of vulnerability finding and exploitation tools.  For example, it’s very surprising to me to see a live CD meant for penetration testing that does not include the Metasploit framework.  I don’t see any web application tools, either.

I’m sure there’s good reason for this on the Live Hacking CD side of things.  If you’re building a CD to go along with exercises for a class, there’s no reason to put a tool on the disc that isn’t used in an exercise.  This doesn’t make for a good pen-testing disc for general use, though, and I’d have to say that Backtrack 4 wins hands-down on this.

Updates

There was a claim that the tools on the Live Hacking CD are “updated”.  I’ll take that as an opportunity to look at how they both handle updates.  This cuts to the very nature of each disc, really illustrating how they’re meant for very different purposes.

The Live Hacking CD is heavily based on the Ubuntu Desktop 9.10 ISO.  So much so, that VMware Workstation detects the ISO as being Ubuntu 9.10 and offers to do a quick install.  If you check the sources.list, you will find that it even uses Ubuntu’s repositories.  Many of the pen-testing tools are installed from Ubuntu’s repositories, and have recent version numbers.  If a tool were to be updated in the 9.10 repositories, you would be able to update it in LHCD easily.

Other tools that aren’t in the Ubuntu repos (such as metoscan) or haven’t been updated in a while (Kismet) appear to have been installed manually.  To use Dr. Jahangiri’s example, Kismet in LHCD is from the January 2010 release (found by running ‘strings’ on the kismet_server binary).  On Backtrack 4, Kismet was built from SVN in July of 2009.

So, Kismet is newer on LHCD than on the Backtrack 4 DVD.  On Backtrack, however, Kismet is a package maintained by the BT4 developers.  Backtrack, like LHCD, is based on Ubuntu, but unlike LHCD, the Backtrack developers have put a lot of work into setting up their own repositories and providing updates and tools independently of Ubuntu.  Because of this, the BT4 developers could, at any time, rebuild Kismet from SVN and you would be able to apt-get it in.  If the LHCD maintainers were to update Kismet, it would likely require a new version of the disc.

So, while the Live Hacking CD might have slightly newer versions of some tools, Backtrack 4 has a better framework for keeping those tools up to date.

Ease of Use

I’m not sure how to measure this claim, but I hesitate to say that either one is “much easier” to use than the other.  Both are a collection of tools and you either know how to use them, or you don’t.  Backtrack 4 is a more popular distro than Live Hacking, and therefore you may be able to find help with problems on Google more easily, but there’s not anything inherently easier about one over the other.

A claim was made that “BackTrack is a great Distro but it has tons of tools that you do not use it frequently in PenTest”.  If this is part of the argument that LHCD is easier, I would have to disagree.  There are many tools in BT4 that I don’t use, but they don’t get in my way, or reduce the ease at which I use the others.

Conclusions

If it weren’t for the claims made about the Live Hacking CD comparing it to Backtrack 4, I probably wouldn’t have looked at the two together or posted about it.  It really isn’t anything resembling a close-call.  They are two very different beasts.

The Live Hacking CD is a disc designed as a companion to a class, and I’m sure it fits that purpose well.  There are good reasons for developing custom live CD’s for classes.  It does, however, have limited use outside of the class.

Outside of the classroom, Backtrack 4 is a much better choice, in my opinion.  It has a much more comprehensive set of tools, a system for updating them, and a team of developers that are committed to keeping it relevant.  Unless you have a very specific need for something else, BT4 is as good as it gets for pen-testing Live CDs.


I’m going to have to disagree with Bruce Schneier and Jakob Nielsen on this one:

I, and many other users, are often in situations where we are in the position of logging into systems in the vicinity of people with whom we wouldn’t want to share the password.

Let’s look at the arguments against masking from the original story:

  • Users make more errors when they can’t see what they’re typing while filling in a form. They therefore feel less confident. This double degradation of the user experience means that people are more likely to give up and never log in to your site at all, leading to lost business. (Or, in the case of intranets, increased support calls.)
  • The more uncertain users feel about typing passwords, the more likely they are to (a) employ overly simple passwords and/or (b) copy-paste passwords from a file on their computer. Both behaviors lead to a true loss of security.

I’m not sure I agree with the first one at all.  Password entry is so commonplace now that only the freshest of the new users would decide to not use a site or product because it masks passwords.  Everybody has experience with it and knows what they’re getting into.

As far as overly simple passwords go, I think that the need to remember the password is the limiting factor here, not having to type it blind.  If you displayed the password back to the user as they typed it, I don’t think most users would choose any more complex passwords than they already have.  Copying and pasting passwords is actually a great idea here, but not quite like Jakob Nielsen has put it.  If you have a password manager, like KeePassX, copy a masked password from there into a masked field, and it falls out of your copy buffer afterwards, you’ve got pretty good security even when someone is looking over your shoulder.  They could catch your password to unlock your manager, but looking over someone’s shoulder at the keyboard is orders of magnitude more difficult than reading a password off a screen, especially if the user can type it quickly (being one of the few passwords they actually have to remember).  Even if they do, that password won’t get them into a remote system; they’d have to get ahold of your password management db first.

The checkbox idea is alright, though:

Yes, users are sometimes truly at risk of having bystanders spy on their passwords, such as when they’re using an Internet cafe. It’s therefore worth offering them a checkbox to have their passwords masked; for high-risk applications, such as bank accounts, you might even check this box by default. In cases where there’s a tension between security and usability, sometimes security should win.

I think more users would be at risk, more often than they think, if password fields were unmasked by default.  I would support having a checkbox like this checked by default in all situations.  Then a user will have to at least think for a moment and maybe assess their current situation before deciding to unmask.

If people start implementing non-masked fields because of this, I’m investing in a higher resolution camera with a good zoom.

Update:

Moyix made a really great point on twitter in response to this:

@McGrewSecurity Makes attacks like http://crypto.m2ci.org/unruh/publications/backes08compromising.html much more effective too :)

The link goes to a very interesting paper on reading data off LCD screens from the reflections on objects in the vicinity.  Not to put words in his mouth, but Bruce would, if he ever read this blog, likely argue that this is a movie-plot threat, but it looks pretty doable to me (and a fun project).

Moyix’s blog, “Push The Red Button” looks very nice too.  I’m definitely adding it to my reader.


On Episode 116 of PaulDotCom Security Weekly, Paul mentioned how it would be nice if one could have a little bit finer control over the behavior of Metasploit’s fake DNS server.  It seemed like an easy enough hack, so I’ve thrown this together.  I can see this being useful in some situations, and hopefully you will too.

Metasploit’s fakedns.rb is good at what it does, which is respond to any DNS query with a spoofed response pointing at a specific IP address.  This module, which I’ve decided to name “mitm_fakedns.rb”, is a dirty, filthy hack of fakedns.rb.  It’s not nearly as polished and thought-out as the web_search_scan.rb module I wrote and posted about a couple of days ago, but it is kinda neat anyway.

It’ll listen for DNS, and when it gets a request, it will go ahead and pass it on to a real DNS server that you can specify.  Once it gets the response from the real DNS server, it’ll modify that response to point to the IP addresses you specify if it matches one of a set of regexes you provide.  This allows you to be a little more “surgical” with whatever attack you have planned, by only spoofing domain names of-interest.

Let’s have a look at the “show info”:

HacBook:framework wesley$ sudo ./msfconsole
Password:

                                  _
                                 | |      o
 _  _  _    _ _|_  __,   ,    _  | |  __    _|_
/ |/ |/ |  |/  |  /  |  / \_|/ \_|/  /  \_|  |
  |  |  |_/|__/|_/\_/|_/ \/ |__/ |__/\__/ |_/|_/
                           /|
                           \|

       =[ msf v3.2-release
+ -- --=[ 299 exploits - 124 payloads
+ -- --=[ 18 encoders - 6 nops
       =[ 68 aux

msf > use auxiliary/server/mitm_fakedns
msf auxiliary(mitm_fakedns) > info

       Name: MITM DNS Service
    Version: 5540

Provided by:
  unknown <ddz>
  hdm <hdm@metasploit.com>
  Wesley McGrew <wesley@mcgrewsecurity.com>

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  FILENAME                   yes       File of ip,regex for filtering responses
  REALDNS                    yes       Ask this server for answers
  SRVHOST   0.0.0.0          yes       The local host to listen on.
  SRVPORT   53               yes       The local port to listen on.

Description:
  This hack of the metasploit fakedns.rb serves as a sort of MITM DNS
  server. Requests are passed through to a real DNS server, and the
  responses are modified before being returned to the client, if they
  match regular expressions set in FILENAME.

Once it's loaded, we can set our variables:

msf auxiliary(mitm_fakedns) > cat /Users/wesley/hosts.txt
[*] exec: cat /Users/wesley/hosts.txt

192.168.1.1,google.com
10.0.0.1,example.com
msf auxiliary(mitm_fakedns) > set FILENAME /Users/wesley/hosts.txt
FILENAME => /Users/wesley/hosts.txt
msf auxiliary(mitm_fakedns) > set REALDNS 192.168.1.254
REALDNS => 192.168.1.254
msf auxiliary(mitm_fakedns) > run
[*] Auxiliary module running as background job
msf auxiliary(mitm_fakedns) >

The file you specify should have an IP address and a regular expression, one pair per line.  Once it’s running, you can test it out by pointing “dig” at it:

HacBook:~ wesley$ dig @127.0.0.1 example.com

; <<>> DiG 9.4.1-P1 <<>> @127.0.0.1 example.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38312
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;example.com.			IN	A

;; ANSWER SECTION:
example.com.		99270	IN	A	10.0.0.1

;; Query time: 39 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Aug  4 22:59:01 2008
;; MSG SIZE  rcvd: 45
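The response above is the real server's answer with only the A record's address swapped, so a client can only notice the rewrite by comparing against a second, trusted resolver. The following is an added example, not the module's source or any Metasploit code: it builds the 45-byte response the dig output shows (the sample bytes and the "trusted" address 203.0.113.10 are constructed placeholders), parses the A records back out of the wire format, and flags names whose answer differs from the trusted one.

```python
import struct

def encode_name(name):
    """Dotted name -> DNS wire-format labels, terminated by a zero length."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_a_response(qname, ip, ttl, txid=0x95a8):
    """Constructed one-answer A response, the shape a client sees from the module."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # flags: QR, RD, RA
    question = encode_name(qname) + struct.pack(">HH", 1, 1)   # QTYPE A, QCLASS IN
    # answer name is 0xC00C, a compression pointer to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + bytes(map(int, ip.split(".")))
    return header + question + answer

def read_name(buf, off):
    """Decode labels; a compression pointer (RFC 1035 4.1.4) ends the name."""
    labels = []
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack(">H", buf[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [read_name(buf, ptr)[0]]), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(buf[off:off + length].decode())
        off += length

def parse_a_answers(buf):
    """Return (question name, {name: (ttl, ip)}) for the A records in a response."""
    ancount = struct.unpack(">H", buf[6:8])[0]
    qname, off = read_name(buf, 12)
    off += 4                                   # skip QTYPE and QCLASS
    answers = {}
    for _ in range(ancount):
        name, off = read_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers[name] = (ttl, ".".join(map(str, buf[off:off + 4])))
        off += rdlen
    return qname, answers

def find_rewritten(observed, trusted):
    """Names whose A answer from the local resolver disagrees with a trusted resolver."""
    return {n: (observed[n][1], trusted[n]) for n in observed if n in trusted and observed[n][1] != trusted[n]}

# Constructed sample: the dig output above as bytes, plus an assumed trusted answer
SPOOFED = build_a_response("example.com", "10.0.0.1", 99270)
TRUSTED = {"example.com": "203.0.113.10"}     # placeholder, not example.com's real address
```

Because the module keeps the upstream TTL and transaction id, nothing in the packet itself gives the rewrite away; only the cross-resolver disagreement does.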

This should serve as a pretty good drop-in replacement for fakedns.rb for some attacks.  Here’s the source:


Edit: The real action’s going on down below here in the comments :) .  Be sure to catch up on them after you read the post.

Jesse Varsalone, a computer forensics expert who happens to be a reader of this site, just emailed me a link to a cool video where he demonstrates a quick and easy way of obtaining SYSTEM privileges on a Vista system, given physical access to the machine.  In the video, he uses BackTrack to replace Utilman.exe with a copy of cmd.exe.  The nice thing about replacing Utilman.exe is that you can make it run before you’re even logged in by pressing Windows-U.  The video is available on the Offensive Security (maintainers of BackTrack) site:

If you’re into doing physical-presence penetration tests, you might want to roll your own custom CD or bootable USB drive that boots faster than BackTrack, and automatically swaps Utilman.exe out for the executable of your choice.  Perhaps something that installs a nice rootkit or Core Impact agent, and then places the real Utilman.exe back into its rightful place. 

Thanks Jesse!  Excellent choice of soundtrack as well!

© 2012 McGrew Security