security.crudtastic.com

Security Nerd Stuff


In case you’ve missed the news lately .. there’s been a few little issues with the way Microsoft handles some DLLs. A quick look on exploit-db will show a tonne of new DLL hijacking exploits. HD from Metasploit has released version 2 of his DLLHijackAuditKit, which will basically check all the file associations on your machine for DLL hijack vulnerabilities; if it finds that a DLL is vulnerable, it will then create a POC and save it for you.

Due to an overwhelming amount of interest in the initial DLLHijackAuditKit released on Monday, I rewrote the tool to use native JScript, automatically kill spawned processes, reduce the memory usage by ProcMon, and automatically validate every result from the CSV log. The result is DLLHijackAuditKit v2. This kit greatly speeds up the identification process for vulnerable applications. An extremely simple HOWTO:

1. Download the DLLHijackAuditKit v2 and extract it into a local directory on the system you would like to test.

2. Browse to this directory and launch 01_StartAudit.bat as an Administrator. The Administrator bit is important, as it will allow the script to kill background services that are spawned by the handlers and prevent UAC popups.

3. After the audit script completes (15-30 minutes), switch to the Process Monitor window, and access File->Save from the menu. Save the resulting log in CSV format to the local directory with the name “Logfile.CSV”.

4. Launch 02_Analyze.bat as an Administrator. This will scan through the CSV log, build test cases for each potential vulnerability, try them, and automatically create a proof-of-concept within the Exploits directory should they succeed.

5. Identify the affected vendor for each generated proof-of-concept and ask them nicely to fix their application. Send them the calc.exe-launching PoC if necessary.

Thanks again to everyone who provided feedback (positive or negative) on the original tool, especially Rob Fuller, who let me forkbomb his system in the process of testing the new kit.


Full posting on the Metasploit blog

This post describes the process for identifying and exploiting applications vulnerable to the DLL hijack vulnerability disclosed last week. For background information on this vulnerability, as well as remediation information, please see my post on the Rapid7 Blog.

This vulnerability is triggered when a vulnerable file type is opened from within a directory controlled by the attacker. This directory can be a USB drive, an extracted archive, or a remote network share. In most cases, the user will have to browse to the directory and then open the target file type for this exploit to work. The file opened by the user can be completely harmless, the flaw is that the application launched to handle the file type will inadvertently load a DLL from the working directory.

In practice, this flaw can be exploited by sending the target user a link to a network share containing a file they perceive as safe. iTunes, which was affected by this flaw until last week, is associated with a number of media file types, and each of these would result in a specific DLL being loaded from the same directory as the opened file. The user would be presented with a link in the form of \\server\movies\ and a number of media files would be present in this directory. If the user tries to open any of these files, iTunes would search the remote directory for one or more DLLs and then load these DLLs into the process. If the attacker supplied a malicious DLL containing malware or shellcode, it’s game over for the user.


Read the rest of H D Moore’s post on the Metasploit blog
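Step 4 of the kit above is essentially a scan of the ProcMon CSV for DLL lookups that failed in the directory holding the opened file. As an added example, not part of the kit or of either post quoted here, this Python function performs that core check over a constructed ProcMon-style CSV (its process name, PID and paths are invented); the kit's own analysis goes further and actually tests each candidate.

```python
import csv
import io
from collections import defaultdict

# Constructed ProcMon-style CSV export (ProcMon's own column layout when saved
# as CSV); process name, PID and paths are invented for illustration only.
SAMPLE_LOG = """Time of Day,Process Name,PID,Operation,Path,Result,Detail
10:01:02.1,mediaapp.exe,4242,CreateFile,C:\\Windows\\System32\\version.dll,SUCCESS,Desired Access: Read
10:01:02.2,mediaapp.exe,4242,CreateFile,C:\\Users\\test\\share\\wintab32.dll,NAME NOT FOUND,Desired Access: Read
10:01:02.3,mediaapp.exe,4242,CreateFile,C:\\Users\\test\\share\\wintab32.dll,NAME NOT FOUND,Desired Access: Read
10:01:02.4,mediaapp.exe,4242,CreateFile,C:\\Users\\test\\share\\sample.mp3,SUCCESS,Desired Access: Read
10:01:02.5,mediaapp.exe,4242,CreateFile,C:\\Windows\\System32\\wintab32.dll,NAME NOT FOUND,Desired Access: Read
10:01:03.0,explorer.exe,1000,CreateFile,C:\\Users\\test\\share\\desktop.ini,NAME NOT FOUND,Desired Access: Read
"""


def find_dll_probes(csv_text, test_dir):
    """Map (process name, PID) -> sorted DLL names that the process looked for
    in test_dir (the directory holding the opened file) and did not find.
    A DLL of that name placed in test_dir would be loaded instead, which is
    exactly what step 4 of the audit kit goes on to test for each candidate."""
    test_dir = test_dir.lower().rstrip("\\") + "\\"
    hits = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "CreateFile" or row["Result"] != "NAME NOT FOUND":
            continue
        path = row["Path"].lower()
        # only failed lookups of a .dll directly inside the test directory count
        if not path.endswith(".dll") or not path.startswith(test_dir):
            continue
        if "\\" in path[len(test_dir):]:
            continue  # a subdirectory, not the working directory itself
        hits[(row["Process Name"], row["PID"])].add(path[len(test_dir):])
    return {proc: sorted(names) for proc, names in hits.items()}


if __name__ == "__main__":
    for (name, pid), dlls in find_dll_probes(SAMPLE_LOG, "C:\\Users\\test\\share").items():
        print(f"{name} (PID {pid}) probed the working directory for: {', '.join(dlls)}")
```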

Yet another awesome email that I received this morning (what a great day it’s been for email – haha)

The guys at Offensive Security have put together a short presentation on a real-world penetration test. The video is super edited to show you just the important bits, but you get the picture of what they’re showing you.

You can see the full blog posting at http://www.offensive-security.com/videos/penetration-testing-in-the-real-world/

I personally have to say that the Offensive Security – Pentesting with BackTrack course was THE best course I have done to date! It was so intense and had an awesome lab to refine your skills in. I have gone from strength to strength since doing this course. I am in the process of rebuilding my testing lab at home so that I can continue to push my newly learnt skills and build upon what these guys have taught me. If there is any thought in your head about this particular course, all I can say is, DO IT! You will not regret it!

After upgrading a Sophos Antivirus solution there was an issue where you could not install the new Sophos Console 4 on a Windows 7 machine. This was a bit of a pain in the butt as the user needed to either have access to another XP/Vista machine to install a remote console or to log into the server and run the console from there. I personally wasn’t a big fan of either.

After looking up another issue on the Sophos knowledgebase I noticed a new link that happened to go off to Sophos’ brand new shiny forums. As with most forums I often feel a little let down and underwhelmed at the amount and quality of responses. As I looked through the posts (there weren’t too many as the forums had only been officially open for a week or so) I noticed someone posting about installing the console on Windows 7. Can you imagine how happy I was to not only see a response .. but a response that was a working solution!

Here, my friends, is how to install Console 4 on Windows 7 (if you need to know):

The more supported way:

Install Windows XP Mode if your Windows 7 licence permits. It is available here:

http://www.microsoft.com/windows/virtual-pc/download.aspx

You can then install the Enterprise Console role only on the virtual XP machine.

On the Windows 7 machine, you can then launch Enterprise Console from Start – All Programs – Windows Virtual PC – Windows XP Mode Applications – Sophos – Enterprise Console (XP Mode).

For information, the shortcut to the application becomes something like:

%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\VMCPropertyHandler.dll,LaunchVMSal "Windows XP Mode" "||325d262f" "Enterprise Console "

The unsupported way:

Please note, this is performed at your own risk as it is currently untested to run this version of the console on Windows 7. Please take any necessary system backups/restore points prior to continuing. Upgrading to a future version may also not work when employing this method.

1. Copy the unpacked “sec_40” directory (as generated by the SFX download) to the Windows 7 machine. E.g. "C:\sec_40".

2. Open a command prompt (cmd.exe) running as Administrator (This is important otherwise the installation will fail). To do so, search for cmd.exe in the “Search programs and files” search field in the Start menu. When it appears above, you can right click and choose “Run as administrator”.

3. In the command prompt, change directory to C:\sec_40\ServerInstaller\.

CD C:\sec_40\ServerInstaller\

4. Run: "Sophos Enterprise Console.msi" OVERRIDECHECKS=TRUE

5. At the “Setup Type” page, choose “Custom” and then ensure just the “Management console” feature is selected. Do not choose a “Complete” installation or choose to install any other components.

6. On the “Management Server” page choose the IP, or hostname of the machine where the Sophos Management Service is installed and then continue with the install.

7. Before launching Enterprise Console, ensure that your account is a member of the necessary groups, namely “Sophos Console Administrators” and, if the user hasn’t been granted specific access through RBA, then also “Sophos Full Administrators”.

8. From the Start menu you should be able to launch "Enterprise Console".

So I had a few issues getting wireless on BackTrack to connect properly. It was a little bit of a bummer as I have a dedicated netbook for BackTrack. Previously I didn’t really care too much, because the only time I really wanted to use the wireless was in promiscuous mode for playing around with WEP/WPA APs. But I finally decided that I wanted to use it for a little more than just that; it would actually be cool if I could do some stuff on that machine on my wireless network without being stuck on the other end of a long blue cable. After much stuffing about I finally got it working (although I have a tonne of studying to do .. which I’m kind of not doing) .. this is far from a perfect solution (in fact, it’s a bit of a hack) and I’m not too convinced about keeping my method (you’ll see why soon). Anyway .. let’s move on, shall we?

So first of all you need to get onto the internet via a cabled connection. I will assume you know how to do this and have gotten it going (if not .. Google is your friend). You need to install a few things .. you can install all these through “apt-get” commands, and they may even already be installed.

You want to install wicd and wpasupplicant.

Next, I went and edited my /etc/wpa_supplicant.conf file to look similar to the following (edit your own SSID and PSK):

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=netdev
ap_scan=1
fast_reauth=1
eapol_version=1
network={
    ssid="AP NAME"
    psk=0123456789abcdef # placeholder: a real unquoted psk is the 64 hex digits from wpa_passphrase; or psk="your password"
    priority=5
}

Theoretically, I should then have been able to add the following to my /etc/network/interfaces file, reboot, and have wireless:

auto wlan0
iface wlan0 inet dhcp
    wpa-conf /etc/wpa_supplicant.conf

Unfortunately it didn’t work though :(

So my final backup plan was to do the following:

chmod 0600 /etc/network/interfaces

So it isn’t exposed to the world, then edit the /etc/network/interfaces file with the following:

auto wlan0
iface wlan0 inet dhcp
    wpa-ssid ap_name
    wpa-psk wpa_passphrase

I then did an:

ifup wlan0

and away I went.

I guess I don’t really feel comfortable in leaving my passphrase in the network interface like that .. but I guess no matter where it is it’s pretty much out in the open in plain text anyway .. at least this way I have the file locked down (a bit).
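The psk=<hex> form in the wpa_supplicant.conf above is what keeps the cleartext passphrase out of the file; it is the 256-bit key that wpa_passphrase(8) derives, and wpa_supplicant only accepts it unquoted as exactly 64 hex digits (the 16-digit value above is just a placeholder). The following added example, not from the original post, derives that key the way wpa_passphrase does (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 rounds) and emits the matching wpa_supplicant.conf and interfaces stanzas; the SSID and passphrase in it are constructed.

```python
import hashlib
import re

HEX_PSK = re.compile(r"^[0-9a-fA-F]{64}$")

def is_valid_hex_psk(value):
    """True if value is the unquoted 64-hex-digit psk form wpa_supplicant accepts."""
    return bool(HEX_PSK.match(value))

def wpa_psk(ssid, passphrase):
    """Derive the 256-bit WPA/WPA2 PSK the way wpa_passphrase(8) does:
    PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 rounds."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()

def wpa_supplicant_block(ssid, passphrase, priority=5):
    """network={} block for /etc/wpa_supplicant.conf using psk=<hex> rather than
    the quoted cleartext passphrase."""
    return "\n".join([
        "network={",
        f'    ssid="{ssid}"',
        f"    psk={wpa_psk(ssid, passphrase)}",
        f"    priority={priority}",
        "}",
    ])

def interfaces_stanza(ssid, passphrase, iface="wlan0"):
    """Stanza for /etc/network/interfaces in the wpa-ssid / wpa-psk shortcut form;
    wpa-psk accepts the same 64-hex-digit key in place of a passphrase."""
    return "\n".join([
        f"auto {iface}",
        f"iface {iface} inet dhcp",
        f"    wpa-ssid {ssid}",
        f"    wpa-psk {wpa_psk(ssid, passphrase)}",
    ])

if __name__ == "__main__":
    # constructed SSID and passphrase for illustration; substitute your own
    print(wpa_supplicant_block("ap_name", "correct horse battery"))
    print(interfaces_stanza("ap_name", "correct horse battery"))
```

A hex PSK still lets anyone who can read the file join the network, so the chmod above still matters; what it avoids is leaving a passphrase you might reuse elsewhere sitting on disk.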

I hope this helps out anyone having issues with their wireless on BackTrack. It can be used on other flavours of Linux as well .. but I did it specifically for BT.

So firstly, let me just say that this is by no means a “How To” post on SQL Injection. This is more of a very basic primer, or an introduction to SQL Injection. Secondly, I would like to thank the guys at Offensive Security for the following information (I hope this isn’t stepping on anyone’s toes – this is my take on the whole concept); it’s a topic covered in the Pentesting with BackTrack course they have on offer. Finally, please don’t try this on anyone’s systems!! If you want to learn more about this please get something like WebGoat or configure your own server to practice this on!! One last thing, I will not go into detail here with how/why some of these things work; Wikipedia and a host of other sites can explain this all a lot better than me (I’m no SQL injection expert) and there are many many books (big scary books) that will walk you through this concept. With that out of the road .. let’s move on.


OH EM GEE .. What can you do with 10 seconds??

Well, according to All About Linux you can learn how to script in Bash. I actually ran across this on Reddit and not in my search for knowledge for the OSCP course!

Read all about Bash in 10 seconds HERE