Security Ripcord


Bastille-Linux Temporarily Disrupted By Domain Squatter

October 30th, 2007 cutaway Posted in Emotional, Intelguardians, Linux, PDC No Comments »

I am about to harden a Linux box and I need to re-read the documentation for Bastille. As I started typing the URL I remembered that the original URL I am used to following has been obtained by a domain squatter. I had originally heard about this incident while listening to PDC. I was then actually affected by it when I discovered that a link in the CIS VMware ESX Server Benchmark pointing to one of Jay's articles was broken because of the new bogus site put up by the domain squatter.

If you would like more information about this, check out the letter Jay Beale wrote to the users of Bastille. It does seem that he will be able to get the site back through his lawyers. I am not sure if Bastille is trademarked, and therefore it might not fall under the Anticybersquatting Consumer Protection Act, but I assume that he should, at least, have some copyright precedent to fall back on. He also points out that, although the new site currently points to the actual Bastille download site, he is worried about the potential for this site to distribute hacked versions of the software. To protect against this possibility he will be using his PGP key to create a signature for legitimate releases that users can use to verify the versions they obtain.
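The part of that plan that users have to get right is the verification step. A detached signature only helps if you compare the signing key against a fingerprint you obtained somewhere other than the site that served the download; a squatter who posts their own key beside their own tarball will still get a "Good signature" from gpg. The following is an added example, not code from Bastille or from Jay Beale, showing how to check gpg's machine-readable status output and pin the fingerprint. It assumes the gpg command-line tool is installed; EXPECTED_FPR is a placeholder, not his real key, and the status lines embedded at the bottom are constructed in gpg's format for illustration.

```python
"""Added example: verify a downloaded release against a detached PGP signature
and pin the signing key's fingerprint. Not Bastille's or Jay Beale's own code.
Assumes the gpg CLI; EXPECTED_FPR is a placeholder fingerprint."""
import subprocess

# Fingerprint obtained out of band (a trusted project page, a keyserver lookup
# cross-checked against a mailed or printed copy, an earlier known-good download).
# Placeholder value for this example, not a real key.
EXPECTED_FPR = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"

# Status keywords that mean the signature must be rejected outright.
FATAL = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG", "EXPSIG"}


def parse_gpg_status(status_text, expected_fpr):
    """Decide from gpg --status-fd output whether the file is acceptable.

    GOODSIG only says that some key in your keyring made a valid signature; a
    squatter shipping their own key gets GOODSIG too. VALIDSIG carries the
    fingerprint of the key that signed and, as its last field, the primary
    key's fingerprint when a subkey signed. That is what we compare.
    Returns (accepted, reason).
    """
    expected = expected_fpr.replace(" ", "").upper()
    seen = []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue                      # human-readable noise, not a status line
        keyword = fields[1]
        if keyword in FATAL:
            return False, keyword
        if keyword == "VALIDSIG":
            seen.append(fields[2].upper())
            if len(fields) > 11:          # primary key fingerprint, if reported
                seen.append(fields[11].upper())
    if not seen:
        return False, "no VALIDSIG line; signature not verified"
    if expected in seen:
        return True, "VALIDSIG by pinned key " + expected
    return False, "signed by an unexpected key: " + seen[0]


def verify_release(tarball, signature, expected_fpr=EXPECTED_FPR, gnupghome=None):
    """Run gpg and judge its status lines, not its exit code (exit 0 is also
    returned for a good signature from the wrong key)."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", signature, tarball]
    if gnupghome:
        cmd[1:1] = ["--homedir", gnupghome]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return parse_gpg_status(proc.stdout, expected_fpr)


# Constructed status output in gpg's format (not captured from a real run):
# a signature by the pinned key, one by some other key, and a failed check.
GOOD_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2007-10-30 1193702400 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
SQUATTER_STATUS = GOOD_STATUS.replace("0123456789ABCDEF0123456789ABCDEF01234567",
                                      "FEDCBA9876543210FEDCBA9876543210FEDCBA98")
BAD_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.org>
"""

if __name__ == "__main__":
    for label, status in (("pinned key", GOOD_STATUS), ("other key", SQUATTER_STATUS),
                          ("tampered file", BAD_STATUS)):
        print(label, "->", parse_gpg_status(status, EXPECTED_FPR))
    # Real use: verify_release("release.tar.gz", "release.tar.gz.asc")
```

Note that TRUST_UNDEFINED is tolerated on purpose: pinning the fingerprint replaces the web-of-trust check, so a key you have not signed locally is fine as long as it is the key you expected.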

This whole thing really ticks me off. I agree that purchasing an original domain name (not a product name that has been trademarked), and selling it to somebody when they find the need for it, is perfectly legitimate. But I do not like the idea of people waiting around for a site's domain registration to expire, snatching it up before the original owner or organization can update the account, and then attempting to sell it back to the original owner for a large fee. One simple act by an outside individual could cost a company a lot of money, either in the repurchase of the domain name or the re-branding of an entire product or line. Although for big business this might not be a problem, I can see a real impact on open source projects and small businesses.

I wish Jay the best of luck with this whole incident.

Go forth and do good things,
Cutaway


PDC VM Guest Escape Podcast and some Ramifications

August 29th, 2007 cutaway Posted in Intelguardians, PDC, Virtual Machines 3 Comments »

Paul Asadoorian and Larry Pesce's recent interview with Intelguardians' Ed Skoudis, Tom Liston, and Matt Carpenter is another must listen. It gives a great background to how the Intelguardians team approached escaping from a virtual guest to obtain control of the host operating system. If you don't have time to listen, Ed gave similar but less detailed information in a comment to my original post on their release of this information.

Security professionals who are responsible for maintaining a security posture within their organization should, however, listen to the podcast whether they employ virtual environments or not. There are two reasons for this. First, if you don't deploy virtual hosts then it is very likely that somebody will either ask you to investigate the technology or they will tell you to deploy it. Second, because this interview gives great insight into the methodologies used by people who are trying to find attack vectors.

Let me elaborate on the second topic a little more. The days of hacking for fun are over. I think it is safe to say that nearly everybody has come to that realization (there may be a few holdouts in upper management but they will not last long). This means that the stakes are higher for the good guys and the bad guys. The interview with Intelguardians shows us how a group of skilled and seasoned professionals attack a problem. If you think that the bad guys cannot get this organized then you are kidding yourself. Certainly there is always going to be the individual rogue element which, because of the focus a single person can apply, is dangerous. But when you get people operating together they become more efficient and effective. Sure, it took Intelguardians two years to get a piece of software to function in a way that it was not intended and, now that their funding is over, they will not be focusing on this area. This is how the good guys act. They find and validate a threat vector, disclose it responsibly, and either keep working on the issue or move on to the next issue depending on funding. Do you think the bad guys would stop here? Do you think they would be satisfied with a proof of concept? Do you think their funding would dry up at this point? I do not. There is a reason the term “weaponized exploit” has been coined. If you still feel that the bad guys cannot get this organized just ask Germany how they feel about their recent encounter with the Chinese. If you think one or two people were capable of this type of penetration then you are sadly mistaken. This was an organized, focused, and methodical attack. Does it matter whether it was a criminal organization or a government funded group? In the case of this point, no. In the case of broader ramifications, yes. But that is another topic for another day.

This brings us back around to the concerns about virtual machine escape.  I very much like how Ed and crew have kept their message on target.  The proof of concept exploit that they demoed at SANS Fire 2007 is important because of the fact that it is just that, a Proof Of Concept.  Is it possible that they have a “weaponized exploit” that goes above and beyond what they demoed?  Yes.  But the fact remains, and they repeat this at the end of the podcast, the protections are merely taking the possibility of this threat into consideration during your design, deployment, monitoring, and maintenance of your virtual environments.  They have established a new threat vector and if organizations, especially the vendors of virtual environments, do not take it into consideration then, sometime in the future, you or somebody like you will get p0wned. 

If you do get p0wned, don’t forget to call Intelguardians to handle the incident response.  I hear they have a lot of experience in this area and, since they are professionals, I doubt they will say they told you so.

Go forth and do good things,
Cutaway

P.S. All of this reminds me.  Don’t forget Paul and Larry’s book on Linksys WRT54G Ultimate Hacking.



Core Impact Demo

May 13th, 2006 cutaway Posted in Core Impact, PDC, Tools No Comments »

A few days ago we had Core Security give us a web demo of their product Core Impact. Although I had watched the demo before, on a prerecorded webcast, this time my colleagues and I were able to ask the demonstrator questions. Simply put, Core Impact is a tool that encapsulates scanning and exploitation capabilities. Basically, the scanner will detect hosts, enumerate the information provided by the detected hosts, and fingerprint the version of the operating system and accessible applications. The tool will also accept input from other scanning tools such as, but not limited to, NMap and Nessus. The exploitation part of the tool will confirm and perform the exploitation of any vulnerability it has been configured to detect. The real power of this tool comes from the fact that once a host has been successfully exploited it becomes a stepping stone for the tool to perform the same actions against any other hosts or networks connected to the compromised host. If Core Impact can exploit a vulnerability on any of your systems you are truly 0wn3d.

Now, you may have seen a few recent blogs that talk about this tool already. Roger Grimes talked about it in his article "Core Impact puts a vise grip on vulnerabilities". Larry Pesce talks about it on his blog and even offers a discount through the Pauldotcom Security Weekly podcast. I thought that I would list a few things that I didn't realize until we were able to ask a few questions.

  • Core Impact can exploit a system and network in several manners. The most common method is to exploit an application or operating system through a known vulnerability for which the Core Security research and development (R&D) team has been able to write specialized shellcode. By special I mean that the R&D team concentrates its efforts on exploits that will allow the shellcode to run "inside" of the exploited process. This means that once a system is compromised there is no evidence that is readily apparent to human review or even to most security related processes. The shellcode that runs inside of a process is referred to as an agent because it can be used to perform Core Impact functionality from the compromised system.
  • Core Impact agents come in two flavors (there may be more but this is what we went over) known as Level0 and Level1 agents. Level0 agents live in the memory of the exploited process. This means that no permanent changes have been made to the system or the exploited process. They can be completely cleaned up either by a command or after a period of inactivity. Because of the amount of memory they are limited to, the communications between the client and server application are transmitted in clear text (important when you cannot trust the connection between the systems - i.e. don't transfer important information like shadow files unless absolutely necessary). Level1 agents are actual executables that are written to disk. These agents can be configured to start on system boot. Because they are a running process and they are not limited in size due to memory they have a lot more functionality. Although I am not aware of all of these extra functions, the one I do know about is that these agents can protect their communications with a Blowfish cipher.
  • All of the settings provided through the tool are configurable by the user.  If a service is running on a nonstandard port the user can easily make this adjustment.  Core Security has also provided the user with the means to develop their own modules by including code examples and development documentation.
  • Although Core Impact is mainly geared towards exploiting remote and local vulnerabilities it can also be used to exploit client-side vulnerabilities.  An easy example of this is a browser vulnerability.  Once inside a network the tool can send out an email with a specific attack that is designed to exploit a browser vulnerability that is activated through user interaction.  The tool will wait patiently until an unwary user initiates the exploit and the browser then connects back to the tool which, now, 0wn3s that system.
  • Every action, from scanning to command line interaction on the exploited system, is recorded and used to document all activity performed during a session.  This can, in turn, be included in the detailed reports that are automatically generated by the tool.
  • Currently the tool has exploits for all variations of Microsoft Windows, Linux (x86), Solaris (x86 and SPARC), and BSD (x86). There may be more but that is all I could remember off the top of my head. Upcoming versions will expand this list and these should include exploits for Mac OS X.

Of course, Core Impact does cost a pretty penny, especially when compared to such open source projects as Metasploit. But when you buy Core Impact you are doing more than just buying a fancy exploitation tool. You are buying peace of mind that the exploits included in the tool have been rigorously tested by Core Security's R&D team. If they say that an exploit will not bring down an application or corrupt a system then they mean that they have tested it over and over. You are also purchasing a maintenance agreement and are thereby supported by this R&D team, which makes up close to seventy percent of the company's staff.

That said, you definitely need to check out the new version of the Metasploit framework, version 3.0. This new version is a complete rewrite of the code in Ruby. Although I have not had time to evaluate it I am getting very good feedback about it already. Apparently they have taken a few pages from Core Impact and they are, or will be, including a few similar features. For a list of features that have already been considered for this tool check out the Release Notes. I am really interested in finding out about its ability to "Support automated network discovery and event correlation through recon modules."

As a final thought I also wanted to point out that these tools are not the end-all-be-all for penetration testing. These tools are great for finally exploiting a service or operating system but they do not fully cover all aspects required for information discovery. These tools should be used during the final steps of a penetration test, after all other methods of discovery have been performed and the information they return has been analyzed. Additionally, before using these tools to their full capabilities you must ensure that your customer wants you to perform these tests. Many applications and systems are critical to a company's infrastructure and even the possibility that the system or application may be taken offline might not be an option for them. It is always good to identify possible vulnerabilities and then ask for additional permission to continue. Most of the time you will be permitted but there may be a requirement that a system administrator be standing right next to the system in case there is a need to troubleshoot a situation. Getting this person in place may take enough time that you will have to save your session and restart at a later date.

I sure hope that you find this helpful. Please leave a comment and let me know.

Thanks,

Cutaway 


IT Security - Moonlite Bunny Ranch Style

April 29th, 2006 cutaway Posted in Bunny Ranch, PDC, Penetration Testing, Security No Comments »

I know that I am going to get a lot of flack about this but I just couldn’t help myself.

The other night I was reviewing an assessment report when I looked up at the TV and I realized that it was on HBO and the series Cathouse was showing. This show is about “the Moonlite Bunny Ranch, a legal brothel located in a sparsely populated desert community outside of Reno” so, of course, I was transfixed for the rest of the show. Well, right at the end of the episode, one of the women was leaving the house when the owner asked somebody to buzz her out. The camera was pointing out the front door and the woman walked through an iron gate which automatically closed behind her. I was just about to turn the TV off and get back to my report when I started realizing something about the show. This show is a great lesson in practical security through proper implementation. Let me walk you through the steps that a client has to go through to have access to the services provided at the Bunny Ranch.

  1. The client is let in through the front door which is usually locked but, during acceptable access time periods, it is unlocked and traffic is allowed to enter through the single, monitored, entryway. I consider this the externally facing router.
  2. Next the client enters a waiting room where he starts talking to the women that are waiting there to provide a service. I consider this waiting room the firewall. The clients are briefly inspected to determine if they are acceptable. You could also make the argument that this area also acts as an intrusion detection or prevention system.
  3. Once it is determined that the client is acceptable, he or she is led back to the bedroom where a price is negotiated and payment is authorized. Here we are obviously talking about the service and how it is using proper authentication and authorization techniques to determine whether the client is permitted to use the service and how much privilege he or she will be given to perform the desired task.
  4. While the woman and the client are interacting they are using safe sex techniques. This represents input validation. (New)
  5. Once services have been rendered the woman who provided the service leads the client back to the waiting room and says goodbye. This resembles the proper termination of activity provided by the service.
  6. As I saw during the final moments of the show, all outgoing traffic has to be given permission before it is allowed to leave the building. Obviously egress filtering is just as important at the Cathouse as it is within a network.
  7. During the whole process the manager on-duty is moving around and talking to all the employees and keeping tabs on what is actually happening within the whole environment. This activity reminds me of log monitoring and a professional that is ready to take action at the first sign of trouble.

So, I feel that we could learn a lot from this very professional business. I am sure that the Bunny Ranch has come up with this process to protect itself and its clients. Necessity is the mother of invention. So, if the oldest profession in the world is following this process out of necessity then we should all take heed.

This article is in honor of “Hack Naked” from Pauldotcom. Guys, this place obviously needs a penetration test (too obvious, no matter…it had to be said!).

Cutaway


Ethics, In Podcasts and Blogs

April 26th, 2006 cutaway Posted in Ethics, Hacking, PDC No Comments »

There has been a lot of talk about Ethics lately in several Podcasts and blogs. Paul, Larry, and “Twitchy” have really pushed it to the forefront in their show Security Weekly where they have addressed Wireless Piggybacking (Special Edition - Open Show) and teachers assigning social engineering projects for their students (Episode 24). Michael Santarcangelo has just talked to Randal L. Schwartz on his show The Security Catalyst (Episode 26) about his experience with the law and how it has affected his life. Mark Russinovich has informed us of his company’s dealings with Best Buy and how they handle licensed software. Douglas E. Welch, of Career Opportunities, recently talked about being truthful and straight forward in the work place and life (April 21 edition). And, as a member of the SANS Advisory Board and Ethics Council, I have been exposed to several situations regarding ethics.

The point that I have really taken from these recent experiences is that ethics can be hard. Sure, the right choice is usually easy to make. For instance, I currently work for a company that requires every employee to have a security clearance. Three weeks ago, when I was walking through one of the conference rooms, I noticed 51 cents on a table. It must have been forgotten by some unknown individual after removing it from his or her pocket to grab a business card or something. Today, as I walked through the same conference room, I noticed the same 51 cents pushed to the back of the table but still visible to everybody entering or leaving the conference room. I started thinking about what we could attribute this to as I walked away. Could it be the fact that we have a bunch of honest employees who are paid well and do not need 51 cents? Could it be that most of them are afraid that this might be a setup by security and pocketing the 51 cents could mean their job? Could it mean that “Twitchy” hasn’t walked through the room, or maybe he did but somebody yelled out “Popcorn?” Or could it be that deep down inside people believed that it was not ethical to take the 51 cents because the owner might come back for it one day?

Actually, I think that it is a little bit of everything. Despite what we see on the news everyday I like to think that most people are honest and good (everybody says this but it is true). Despite how we all tend to trust people to be honest I think that there are people out there who just don’t care. And I also think that there are people out there who like to walk the line stepping one way or the other when it suits them best. And lastly I like to think that there are people out there who are honest and good but who like to challenge the system in an attempt to keep the norm from controlling every situation and ensuring that the boundaries of everyday life do not impose themselves on them. It is this last bunch of individuals that are really addressing the hard ethics questions, or, at least, bringing them to the forefront for all to ponder.

Is port scanning the Internet okay? Is vulnerability scanning the Internet okay? Is piggybacking an unencrypted wireless connection okay? Is packet sniffing the college dormitory network, after crawling through the ceiling tiles to get to the switch closet because the door was locked and they should have thought of the ceiling tiles if they wanted to secure the closet, okay? The answers to these questions are yes, no, and maybe. Not in that order and, of course, the answers are different for everybody. The point is that people are going to push the limits a little bit to determine what is socially acceptable and what is not. Generally these are kids who are exploring their boundaries and we can usually chalk it up to inexperience. It is when these individuals are adults, with a more defined understanding of right and wrong, that we need to be more careful or, if you will, distrusting.

I am starting to see how important it is for people to be flexible in their thinking and yet set the example in their actions. Defining policy is the most effective way to inform people of where the boundaries lie. Publishing these policies and having open discussions about them are the only way that these policies are going to grow and change with the times. Holding people accountable for blatant violations of policy is a must to set the example of unacceptable behavior. But compassion, understanding, and trust in human nature not to intentionally harm other people and things have to be remembered and considered during any decision making.

I would like to thank all of the people mentioned here for the wonderful insights and opinions. I ask them all to stay true to themselves and to keep pushing society through their actions. And I ask all of you to get permission before you do any port or vulnerability scanning and (cough - cough) wireless piggybacking. And please do not climb in the ceiling; it may be ethically questionable but it is definitely dangerous.

Cutaway


NMap Parser for XML Output Files

March 21st, 2006 cutaway Posted in NMap, PDC, Tools No Comments »

Paul at PaulDotCom.com put out a call for scripts using the Perl module NMap Parser. This is one that I had and cleaned up a little bit.

Basically this script will search all of the XML files in a particular directory and then output the open TCP ports that were detected. I know that you can see this in a regular scan output but this takes input from all XML files in the directory and then outputs them in an easy-to-read HTML format. See below for the header notes that describe the script's functions in more detail.

Download nmap_xot.zip as well as the sample output and tell me what you think about it. I have a thick skin so let me know what you think.

#######################################################
# Name: nmap_xot.pl
# Version: 1.0
# Author: Don C. Weber
# Company: Cutaway Security
# Date: 03/13/2006
# Usage: nmap_xot.pl [-h] [-d] [-i <input directory>] [-o <output file>]
# Purpose: Parse the NMap XML output for open TCP ports
# and display them in a human readable format.
# Currently the ports are color coded for ease
# of use and grouping. Also generates a list of
# targets according to port types (i.e. Web,
# Telnet, MS, etc.)
#
# Notes: File must be in the same directory as the
# XML files being parsed. The file will
# output the resulting HTML file to the
# same directory. The -d option is used for
# debugging.
#
# Notes:
# -d Debugging mode will output information not
# necessarily required
#
# -i The input directory should contain the XML
# files that need to be parsed. The value of
# this input will also be used as the output
# directory. This defaults to the local
# directory.
#
# -o The name of the file to output the results.
# Default is open_ports_nmap_.html
#
# -h Sometimes everybody needs a little help.
#
# ToDo (no order):
# 1. Print the host lists to text files for
# new target lists that can be used by
# other tools.
#
# 2. Sort the HTML table according to IP
# addresses. (attempted to do this
# without very much luck). The reason
# for the problem is that the incoming
# XML files may include the same IP with
# different results.
#
# 3. Update the color codings. Move from the
# switch statement to a hash of values.
#
# 4. Move to style sheet.
#
######################################################
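Only the header of nmap_xot.pl is shown above, so here is an added example of the same job in Python using the standard library's XML parser. It is not Don's script and does not use the NMap Parser module; it walks every *.xml file in a directory, keeps only TCP ports whose state is open, merges the results when the same host appears in more than one file (the situation ToDo item 2 describes), sorts hosts numerically by address rather than as strings, and builds per-group target lists. The port groups and the two scan documents embedded at the bottom are this example's own constructed assumptions, not real scan output.

```python
"""Added example: open TCP ports from a directory of Nmap XML (-oX) files.
Not the nmap_xot.pl script; port groups and sample documents are assumptions."""
import glob
import os
import xml.etree.ElementTree as ET
from collections import defaultdict

# Target lists by service class. Membership is an assumption for this example.
PORT_GROUPS = {
    "Web": {80, 443, 8000, 8080, 8443},
    "SSH": {22},
    "Telnet": {23},
    "MS": {135, 139, 445, 3389},
}


def ip_key(ip):
    """Sort key so 192.168.1.2 sorts before 192.168.1.10 (a string sort would not)."""
    return tuple(int(octet) for octet in ip.split("."))


def parse_nmap_xml(xml_text):
    """Return {ip: {port: service_name}} for every host with open TCP ports.
    Closed/filtered ports and UDP results are dropped, as in the Perl header."""
    hosts = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue                      # no IPv4 address element for this host
        ip = addr.get("addr")
        for port in host.iter("port"):
            if port.get("protocol") != "tcp":
                continue
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            service = port.find("service")
            name = service.get("name", "") if service is not None else ""
            hosts.setdefault(ip, {})[int(port.get("portid"))] = name
    return hosts


def merge_results(documents):
    """Union the open ports of a host that appears in more than one scan file."""
    merged = defaultdict(dict)
    for doc in documents:
        for ip, ports in parse_nmap_xml(doc).items():
            merged[ip].update(ports)
    return dict(merged)


def load_directory(directory):
    """Parse every *.xml file in a directory (the -i option of the original)."""
    documents = []
    for path in sorted(glob.glob(os.path.join(directory, "*.xml"))):
        with open(path, encoding="utf-8") as fh:
            documents.append(fh.read())
    return merge_results(documents)


def group_targets(merged):
    """Return {group: [ip, ...]} of hosts with at least one port in that group."""
    groups = defaultdict(set)
    for ip, ports in merged.items():
        for label, members in PORT_GROUPS.items():
            if members & set(ports):
                groups[label].add(ip)
    return {label: sorted(ips, key=ip_key) for label, ips in groups.items()}


def to_html(merged):
    """One row per host in numeric IP order; unknown service names shown as '?'."""
    rows = ["<tr><th>Host</th><th>Open TCP ports</th></tr>"]
    for ip in sorted(merged, key=ip_key):
        ports = ", ".join(f"{p}/{merged[ip][p] or '?'}" for p in sorted(merged[ip]))
        rows.append(f"<tr><td>{ip}</td><td>{ports}</td></tr>")
    return "<table>\n" + "\n".join(rows) + "\n</table>"


# Two constructed scan files (not real output). 192.168.1.10 appears in both
# with different ports, the case the header's ToDo item 2 tripped over.
SCAN_A = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
<host><status state="up"/><address addr="192.168.1.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="23"><state state="closed"/></port>
<port protocol="udp" portid="161"><state state="open"/><service name="snmp"/></port>
</ports></host>
<host><status state="up"/><address addr="192.168.1.2" addrtype="ipv4"/>
<address addr="00:11:22:33:44:55" addrtype="mac"/>
<ports><port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port></ports>
</host>
</nmaprun>"""

SCAN_B = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
<host><status state="up"/><address addr="192.168.1.10" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port></ports>
</host>
<host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="23"><state state="open"/></port></ports>
</host>
</nmaprun>"""

if __name__ == "__main__":
    results = merge_results([SCAN_A, SCAN_B])   # or load_directory(".")
    print(to_html(results))
    for label, ips in sorted(group_targets(results).items()):
        print(f"{label}: {' '.join(ips)}")
```

Merging is a deliberate choice: two files scanning the same host with different port ranges yield one row holding the union, which is what you want for a target list. If instead you need to see how a host changed between two scans, keep the per-file dictionaries from parse_nmap_xml and diff them rather than merging.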