After a six-hour delay due to technical problems *before* my journey
even started, I'm finally on the plane and waiting for take-off. Tack
on an additional five-hour delay due to a missed connection in New York
and this quickly becomes a very, very long trip. Perhaps my longest
ever. Ah well, the price we pay for living at the end of the world, I
guess.
VMware has just released beta 4 of its Fusion product for OS X.
The initial beta was hard to justify and a little flaky, which allowed Parallels to take an early lead. We still have people in the office who swear by Parallels.. But.. in my book VMware has just been such a life-saver since we first started making heavy use of it (about six years ago) that I figured it was worth sticking it out..
06 June 2007
By craig
Scheduled tasks and services are often run under accounts with excessive privileges (HP Insight, backup agents, etc.) instead of limited service accounts. By exploring the tasks under c:\windows\tasks, or the services via Manage Computer, you can quickly see possible options to escalate your rights. By replacing the actual exe that the service or task runs with an exe of your own, you can spawn a netcat shell. I use a batch-file-to-exe converter and have the batch file call nc.exe with the correct parameters. *You cannot alter the service or task itself in any other way, or else you lose the stored credentials: only the file on disk gets swapped, so the task or service still runs under the original account. Attached are some screenshots that should illustrate this.
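As an added example (my own, not code from the original post or its screenshots), here is a Python triage script for the check described above: it lists services and scheduled tasks, keeps those whose run-as account is anything beyond LocalService/NetworkService, and flags the ones whose target executable a low-privileged principal can overwrite, which is exactly the condition that lets you swap the exe without touching the task or service definition (and so without losing the stored credentials). On Windows it shells out to PowerShell, schtasks and icacls; elsewhere it runs against constructed sample output embedded in the file. The service names, paths, accounts and ACLs in that sample are made up for illustration, and the schtasks column names assume an English locale.

```python
"""Triage services and scheduled tasks for the escalation path above: a privileged
run-as account whose target exe a low-privileged user can overwrite.  Added example,
not code from the original post; the sample outputs at the bottom are constructed."""
import csv, io, os, re, subprocess, sys

LOW_PRIV = {"Everyone", "BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users"}
WRITE_TOKENS = {"F", "M", "W", "WD", "AD"}     # icacls rights that let you replace the file
RESTRICTED = {"NT AUTHORITY\\LOCALSERVICE", "NT AUTHORITY\\LOCAL SERVICE",
              "NT AUTHORITY\\NETWORKSERVICE", "NT AUTHORITY\\NETWORK SERVICE"}

def extract_executable(cmdline):
    """Program path from a service/task command line, quoted or not."""
    cmdline = (cmdline or "").strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 1 else None
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmdline, re.IGNORECASE)
    return m.group(1) if m else (cmdline.split() or [None])[0]

def parse_icacls(path, output):
    """`icacls <path>` output -> [(principal, {right tokens})]; line 1 starts with the path."""
    entries = []
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        if ":(" not in line:           # blank line or the trailing summary line
            continue
        principal, rights = line.rsplit(":", 1)
        tokens = {t for grp in re.findall(r"\(([^)]*)\)", rights) for t in grp.split(",")}
        entries.append((principal.strip(), tokens))
    return entries

def writable_by_low_priv(entries, extra=()):
    """True if an allow-ACE grants a write-capable right to a low-privileged principal."""
    weak = LOW_PRIV | set(extra)
    return any(p in weak and "DENY" not in t and t & WRITE_TOKENS for p, t in entries)

def is_privileged(run_as):
    """Anything but the two restricted built-in identities: LocalSystem, admins, domain users."""
    return bool(run_as.strip()) and run_as.strip().upper() not in RESTRICTED

def parse_services_csv(text):
    """CSV of Name,PathName,StartName (Get-CimInstance Win32_Service | ConvertTo-Csv)."""
    return [("service", r["Name"], r["PathName"], r["StartName"])
            for r in csv.DictReader(io.StringIO(text))]

def parse_schtasks_csv(text):
    """`schtasks /query /fo csv /v` repeats the header row per task folder; drop those rows."""
    return [("task", r["TaskName"], r["Task To Run"], r["Run As User"])
            for r in csv.DictReader(io.StringIO(text)) if r.get("TaskName") not in (None, "TaskName")]

def triage(entries, acl_lookup, extra=()):
    """entries: (kind, name, command, run_as); acl_lookup(exe) -> icacls text or None."""
    hits = []
    for kind, name, command, run_as in entries:
        exe = extract_executable(command)
        if exe and is_privileged(run_as):
            acl = acl_lookup(exe)
            if acl and writable_by_low_priv(parse_icacls(exe, acl), extra):
                hits.append((kind, name, run_as, exe))
    return hits

_run = lambda cmd: subprocess.run(cmd, capture_output=True, text=True).stdout

def live_entries():
    ps = "Get-CimInstance Win32_Service | Select-Object Name,PathName,StartName | ConvertTo-Csv -NoTypeInformation"
    return (parse_services_csv(_run(["powershell", "-NoProfile", "-Command", ps]))
            + parse_schtasks_csv(_run(["schtasks", "/query", "/fo", "csv", "/v"])))

def live_acl(exe):
    out = _run(["icacls", os.path.expandvars(exe)])
    return out if ":(" in out else None

# Constructed sample output, not captured from a real host.
SAMPLE_SERVICES = '''"Name","PathName","StartName"
"hpsmhd","C:\\Program Files\\HP\\hpsmhd.exe","LocalSystem"
"BackupAgent","""C:\\Backup\\agent.exe"" /svc","CORP\\backupadmin"
'''
SAMPLE_TASKS = '''"HostName","TaskName","Task To Run","Run As User"
"HOST1","\\NightlyBackup","C:\\Backup\\nightly.exe /full","CORP\\backupadmin"
"HostName","TaskName","Task To Run","Run As User"
"HOST1","\\Microsoft\\Windows\\Cleanup","%windir%\\system32\\cleanup.exe","NT AUTHORITY\\LocalService"
'''
SAMPLE_ACLS = {
    "C:\\Program Files\\HP\\hpsmhd.exe": "C:\\Program Files\\HP\\hpsmhd.exe BUILTIN\\Users:(I)(F)\n"
        "                                 NT AUTHORITY\\SYSTEM:(I)(F)\n\nSuccessfully processed 1 files\n",
    "C:\\Backup\\agent.exe": "C:\\Backup\\agent.exe BUILTIN\\Users:(I)(RX)\n"
        "                     BUILTIN\\Administrators:(I)(F)\n",
    "C:\\Backup\\nightly.exe": "C:\\Backup\\nightly.exe Everyone:(I)(M)\n"
        "                       BUILTIN\\Administrators:(I)(F)\n",
}

def main():
    if sys.platform == "win32":
        me = os.environ.get("USERDOMAIN", "") + "\\" + os.environ.get("USERNAME", "")
        hits = triage(live_entries(), live_acl, extra=[me])
    else:   # off Windows, exercise the logic on the constructed samples
        hits = triage(parse_services_csv(SAMPLE_SERVICES) + parse_schtasks_csv(SAMPLE_TASKS),
                      SAMPLE_ACLS.get)
    for kind, name, run_as, exe in hits:
        print(f"{kind:8} {name:28} runs as {run_as:24} writable target: {exe}")

if __name__ == "__main__":
    main()
```

Two things the script does not cover: icacls prints inherited generic rights on some files as raw numbers rather than the tokens checked here, and a writable parent directory (rename the original away, drop your own file in its place) is a second route to the same result.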
Check out http://hongkong.langhamplacehotels.com/accom/technology.htm in Hong Kong. They provide Cisco IP phones in the rooms, but with a difference. According to an article I read in TIME the hotel will collect your most frequently dialled numbers and load them onto the touchscreen phone when you return for your next visit. Not only that, they also program the phone to show stock quotes or news and weather from your home town, AND if you forward them snapshots of your loved ones they’ll pre-load those onto the phone’s interface also.
Jeremiah from WhiteHatSec has just written a quick piece on how to find your websites. Now, footprinting is obviously dear to our hearts, with three Blackhat talks on it (or applications of it) (“Automation – Deus ex Machina or Rube Goldberg Machine?“, “Putting The Tea Back Into CyberTerrorism“, “The Role of Non Obvious Relationships in the Foot Printing Process“), a commercial tool almost dedicated to it, and a full-blown chapter on it in Open Source Penetration Testing by Charl and Gareth. Footprinting is a genuinely important part of a company's security assessment, because it doesn't matter that they have multi-layer firewalls and WAFs protecting the web app on www.company.com if an old, barely used SQL-injectable form on community.company.com lets you grab SA on their SQL server anyway..
(Now that the shameless self-promotion is over..) I wanted to touch on an interesting aspect of web server discovery that is often skipped, and that's the issue of multiple websites running as name-based virtual hosts on the same web server. There was a time (not so long ago) when all of the popular scanning tools failed to take into account that scanning 209.61.188.39 was not the same as scanning www.sensepost.com (or hackrack.sensepost.com, which happens to be on the same IP address): with name-based virtual hosting the server picks the site from the HTTP Host header, so a request sent to the bare address sees only whichever site is configured as the default.
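To make that concrete, here is an added example (my own, not code from the original post): a small Python probe that sends the same request to one address with different Host headers and fingerprints each response against what a scanner targeting the bare IP would see. The server it talks to is a constructed stand-in that mimics name-based virtual hosting, using the two hostnames from the post; the page contents and the third hostname are made up.

```python
"""Why scanning an IP is not the same as scanning a hostname.  With name-based
virtual hosting the server picks the site from the HTTP Host header, so a probe
sent to the bare address sees only the default site.  Added example, not from
the original post; the server below is a constructed stand-in for a web server
carrying several vhosts, and the two hostnames are the ones named in the post."""
import hashlib
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed vhost table: hostname -> (status, body).
VHOSTS = {
    "www.sensepost.com": (200, "<html><title>SensePost</title>corporate site</html>"),
    "hackrack.sensepost.com": (200, "<html><title>HackRack</title>customer portal login</html>"),
}
DEFAULT_SITE = (200, "<html><title>Welcome to Apache</title>It works!</html>")


class VHostHandler(BaseHTTPRequestHandler):
    """Serve whichever site the Host header names, else the default site."""
    def do_GET(self):
        host = (self.headers.get("Host") or "").split(":")[0].lower()
        status, body = VHOSTS.get(host, DEFAULT_SITE)
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass  # keep the example quiet


def start_server():
    """Bind an ephemeral port on localhost and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fingerprint(ip, port, host_header, path="/"):
    """GET path from ip:port with an explicit Host header and return a small
    response fingerprint: (status, body length, <title>, body hash prefix)."""
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    conn.request("GET", path, headers={"Host": host_header})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    m = re.search(rb"<title>(.*?)</title>", body, re.I | re.S)
    title = m.group(1).decode(errors="replace").strip() if m else ""
    return (resp.status, len(body), title, hashlib.sha1(body).hexdigest()[:12])


def probe_vhosts(ip, port, candidates):
    """Baseline = what a scanner sees when it targets the address itself
    (Host: <ip>).  Every candidate name whose fingerprint differs from that
    baseline is a separate site the IP-only scan would never have touched."""
    baseline = fingerprint(ip, port, ip)
    results = {}
    for name in candidates:
        fp = fingerprint(ip, port, name)
        results[name] = {"fingerprint": fp, "distinct": fp != baseline}
    return baseline, results


if __name__ == "__main__":
    server = start_server()
    addr, port = server.server_address
    base, found = probe_vhosts(addr, port, ["www.sensepost.com", "hackrack.sensepost.com",
                                            "mail.sensepost.com"])
    print(f"scanning {addr}:{port} by address sees: {base}")
    for name, r in found.items():
        verdict = "DISTINCT SITE" if r["distinct"] else "same as default"
        print(f"  Host: {name:25} {verdict:16} {r['fingerprint']}")
    server.shutdown()
    server.server_close()
```

Against a real target you would feed the candidate list from footprinting (DNS, certificates, search results) and point the probe at the address being scanned; any name that comes back distinct needs its own scan, because the IP-based one never reached it.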
Ars Technica is reporting on the lawsuit filed in 2006 by Martin Bragg, who accused Linden Labs of wrongfully seizing his virtual land.
-snip-
Linden Lab filed two motions to dismiss the suit, arguing that Bragg came into possession of his land wrongfully, but the Pennsylvania judge denied those motions.
-snip-
A few things about this are super interesting..
Linden Labs (creators of Second Life) literally sells online assets for real-world money.. Martin Bragg (from accounts read) found that by simply adjusting his HTTP GET parameters he was able to bid on auctions that had not yet opened.(1) Bragg apparently invested thousands, planning to buy low and sell high. We have just started to consider the attack possibilities and where this is going, but again, I suspect fun times are ahead (2)..
[Yahoo Pipes] looks like an awesome way for even non-programmers to create web mashups trivially. Aside from the fact that its interface is super-cool, it brings an interesting dimension to next-gen web attacks. (Google Video on Pipes by the Pipes developers).
pdp has already covered Pipes in his OWASP talk, where he used it to rewrite a Jikto equivalent in almost zero lines of code, along with a TinyURL filesystem. pdp also mentions Dapper, which I have not checked out until now, but it looks like fun waiting to happen too..
All in all, the services look leet, and look like a cool way to get “unification” going for browser attacks*. Check them out; the possibilities for evilness should start running through your head from click one.
Aaron Adams over at Symantec did a quick check on the version of Samba running on currently up-to-date OS X machines and found that the Macs were still running 3.0.10. He did a quick mod on the existing Metasploit module and has reliable code execution going..
If you are running OS X, you probably want to make sure your Samba isn't exposed while you grab the latest source and build..
/mh
Ok.. so after many moons of making excuses for not making our internal blog public, we have decided on a happy compromise.. Some of the “work-safe” posts from internal will make their way out here.. {we have a ton of posts on internal, and promise to publish them if they are ever referenced by new posts here, to stop the confusion}
Other than that.. welcome, and thanks for taking the time to read us..
Ok.. so we have an outside gate type thing that leads to our garden. Since we would probably get to the gate at random points of the day / week, we figured a combination lock would make sense. Now I know that combination locks traditionally have a pretty small keyspace and have a horrible reputation, so I asked Deels to make sure she got one with at least 4 digits and a good name behind it..