Entries by Carlos Perez (157)

Thursday, May 12, 2011

Review of Kingpin Book

Kingpin is the story of Max Vision, from his teen years to when he was arrested and sentenced as the top carder in the underground: how he turned his hacking skills from good to bad, and how his constant attempts to do the right thing kept being pulled back into the world of a black hat. The book covers his youthful pranks, his forays into hacking, and his time as one of the top white hats in the industry while that industry was young and booming during the dot-com era. Max made several bad decisions due to his temper and lack of control. In addition, the intellectual addiction that hacking produces, the rush of euphoria that comes from being pitted against another, the challenge of bypassing defenses and being a shadow, undetected and powerful inside a system, caused him to delve deeper on the wrong side of the law, not to mention the amount of money he was making and his belief that in some part he was doing good and only harming the big companies. He used that energy and passion to become the master of one of the most powerful carder forums out there. The book also covers the early history of the security industry and its players, the small band of programmers and technologists that started many of the security companies that changed the landscape. Max was one of the contributors to the beginnings of projects like Snort, the open source IDS, and to the sharing of knowledge that formed the beginnings of the industry. The book also covers the side of the law enforcement agencies and officers that participated in the cat and mouse game against the different crime organizations. It shows how law enforcement had to adapt to the ever-changing landscape of the Internet and how it changed the rules of the game.
We also see how the paths of many of the prominent figures involved in attacks intermingled in the small community of the carder underground, where many of those who were committing the crimes also, at one time or another, worked with law enforcement as informants and helped in operations, voluntarily or under threat of jail. My favorite part is on the hacking techniques used by these brilliant people, how they adapted and hid from law enforcement, and the mistakes that led to their discovery and arrest. One of the areas of interest is how some of the people involved successfully targeted law enforcement to gain information on the operations against them. I do believe that nobody could have brought this story to life the way Poulsen did, in great part due to his history as a hacker, knowing what motivates and drives the mentality of one, and his experiences as a man on the run from the law. His career as a journalist for Wired magazine gave him the skills to convey all the technical concepts in the book in a way that is easy to grasp, taking the reader from scene to scene as played by each of the different players of the story, bringing each of those stories together and showing how they are all intertwined.

Wednesday, May 11, 2011

Activating Nessus on Backtrack 5

One of my favorite tools in my toolbox is the vulnerability scanner Nessus, in part because of its accuracy and because I'm part of one of the teams that works on adding new cool stuff to it during the day. So I was super happy to see it included as part of Backtrack. Ever since I started working professionally in security Nessus has been part of my toolkit, and once nessuscmd was out it became more integral to my workflow because I could automate stuff for my customers. Before, I always had to follow some weird procedures to get Nessus installed on the early versions of Backtrack, and those procedures were always prone to breaking when I had to update to the latest version.

I would like to share how to activate your copy of Nessus in Backtrack and some of the caveats that are present when activating it, depending on your setup. The first step is to have Backtrack installed as a virtual machine on your pentest/audit rig or installed locally on the hard drive of the machine. Do not try to activate it when running from the bootable DVD or from a USB drive if you intend to use it on several physical machines, because the registration process marries the activation to that specific host. Moving the VM from one host to another, or the USB drive depending on how you configured Backtrack, is more than likely to require re-activation of your copy of Nessus.

One of the first things you need to do, if using a Professional Feed, is go to http://support.tenable.com, log in, go to Manage Activation Codes and get your Professional Feed activation code. If you will be using a Home Feed you will have to go to http://www.nessus.org/products/nessus/nessus-plugins/obtain-an-activation-code and register for a Home Feed; you will receive your activation code at the email you provided. Once you have the activation code you can proceed to activate it on your Backtrack machine running as root:

root@bt:~# /opt/nessus/bin/nessus-fetch --register M4D0-EWWQ-1EZU-3KSN
Your activation code has been registered properly - thank you.
Now fetching the newest plugin set from plugins.nessus.org...
Your Nessus installation is now up-to-date.
If auto_update is set to 'yes' in nessusd.conf, Nessus will
update the plugins by itself.

And yes, the activation code in the example is a fake one, for demonstration purposes only.

The next step is to add an admin user on this box so you can connect, create profiles and policies, and launch scans:

root@bt:~# /opt/nessus/sbin/nessus-adduser
Login : carlos
Login password : 
Login password (again) : 
Do you want this user to be a Nessus 'admin' user ? (can upload plugins, etc...) (y/n) [n]: y
User rules
----------
nessusd has a rules system which allows you to restrict the hosts
that carlos has the right to test. For instance, you may want
him to be able to scan his own host only.
Please see the nessus-adduser manual for the rules syntax
Enter the rules for this user, and enter a BLANK LINE once you are done : 
(the user can have an empty rules set)
Login             : carlos
Password         : ***********
This user will have 'admin' privileges within the Nessus server
Rules             :
Is that ok ? (y/n) [y] 
User added

Once the user has been created we can launch the nessusd daemon:

root@bt:~# /etc/init.d/nessusd start
Starting Nessus : .

Do keep in mind that since this is the first time you run the daemon, it will take a while for it to load and configure all the checks. You can run top on the system and use capital P to sort by CPU and capital R to reverse the order if needed; you will see that while loading, nessusd will take close to 100% of your CPU, and when finished it will normalize. Once it does, you just need to connect with your web browser to https://localhost:8834/, or if connecting remotely, use the IP of the machine instead of localhost. Make sure that NoScript is set to allow scripts from localhost or from the machine's address, depending on your case.

Tuesday, May 10, 2011

Virtualizing JunOS on VMware

Many times when working with a client network, or working on our own, we have the need to test, document and validate certain network configurations in a test environment. Sadly not many have the money to have one, so as to test different scenarios and gauge the impact that these changes might have on the production network. For the majority of configuration work, when it comes to system settings and routing, a virtualized environment can be of great help; sadly that is not the case for anything ASIC- or hardware-specific. In this blog post I will cover how to virtualize the JunOS operating system to aid with testing and validating. I did this for a friend who needed to migrate the configuration of several of his Juniper routers to a newer version of the OS and hardware, and who also asked me for recommendations for hardening the routers. I do have to say I really like JunOS, especially since it is a full FreeBSD subsystem underneath to which a user has access.

Requirements

Software required to install JunOS on VMware:

  • Download the FreeBSD 4.11 mini ISO from the FreeBSD FTP site.
  • M Series router jinstall domestic signed tgz file (the export version does not provide SSH).
  • Jweb tgz file for the version of JunOS being installed.

NOTE: Do not ask for Juniper images; I will ignore those messages. You need a valid contract to obtain them.

Settings for Workstation 7.x

On VMware Workstation:

  • Create a new virtual machine.
  • Select the FreeBSD ISO image as the installation media.
  • Ensure that FreeBSD is selected as the operating system type.
  • Make sure the HDD is of type IDE and 4GB or larger for versions 9.x and 10.x; for version 11.x use 6GB or larger.
  • For memory, initially set 512MB for 9.x (after installation of jweb it can be changed to 256MB); for 10.x and 11.x set the initial value to 1024MB and after install 512MB.
  • After creating the VM and before installation, open the VMX file and make sure the SCSI device presence setting is set to FALSE: scsi0.present = "FALSE"

Settings for VMware ESX 4.x

On VMware ESX and ESXi:

  • Create a new virtual machine with operating system Other -> FreeBSD 32-bit.
  • Make sure the HDD is of type IDE and 4GB or larger for versions 9.x and 10.x; for version 11.x use 6GB or larger.
  • Check the "Edit Virtual Machine Settings Before Completion" check box.
  • Change the SCSI controller to LSI Logic SAS.
  • For memory, initially set 512MB for 9.x (after installation of jweb it can be changed to 256MB); for 10.x and 11.x set the initial value to 1024MB and after install 512MB.
  • Set the CD-ROM to the FreeBSD 4.11 ISO and make sure it is Connected before saving.

FreeBSD Installation

  • Skip the kernel configuration and choose the standard installation.
  • When prompted to use fdisk select OK.
  • When you get to partitioning, first allocate the whole disk to BSD.
  • Press c, then OK for the other prompts, and finish by selecting q.
  • Select BootMgr as the boot manager.
  • Create the disk slices as shown in the table below:

    Slice     Mount point   Size
    ad0s1a    /             2000M
    ad0s1b    swap          1024M
    ad0s1e    /config       64M
    ad0s1f    /var          Remaining space
  • / has to be a reasonable size or else you'll run out of space on /mnt.
  • Choose 'Minimal' installation type and skip installing ports.
  • After the base is installed it will ask you if you want to configure Ethernet settings; select yes and use DHCP to configure your NIC (em0). Write down the IP given by DHCP and set a hostname for the server. This allows us to scp the jinstall file after reboot.
  • Except for DHCP on interface em0, choose "no" for everything else (IPv6, Linux compatibility, NFS, FTP, inetd, time zone, etc.).
  • When asked to create a user, create one called junos, set a password for it and add it to the group wheel. Make sure to set a password for the root account.
  • After the installer completes it will reboot. Make sure that you have disconnected the CD so that the VM will not boot from the CD again.
  • scp only the jinstall file to /var/tmp on the VM; do not copy the jweb file yet, since during installation the file system will be formatted and changed.
 $ scp jinstall-<version>-domestic-signed.tgz junos@<ip>:/var/tmp
  • Once the file is there you will SSH into the server and use the su command to gain root privileges:
    $ su -

    JunOS 9.6R1


    Unpack the different parts of the installer and remove hash files used to validate the installer:

    # cd /var/tmp/
    # mkdir jinst
    # cd jinst
    # tar xvzf ../jinstall-9.6R1.13-domestic-signed.tgz
    # rm *.md5 *.sha1 *.sig
    # mkdir domestic
    # cd domestic/
    # tar xvzf ../jinstall-9.6R1.13-domestic.tgz
    # mkdir pkgtools
    # cd pkgtools
    # ls
    # tar xvzf ../pkgtools.tgz

    Make sure that the hardware check always returns true by replacing the checkpic command with /usr/bin/true:

    # cp /usr/bin/true bin/checkpic

    Repackage the installer:

    # tar cvzf ../pkgtools.tgz *
    # cd ..
    # rm -rf pkgtools
    # tar cvzf ../jinstall-9.6R1.13-domestic.tgz *
    # cd ..
    # rm -rf domestic/
    # tar cvzf ../jinstall-9.6R1.13-domestic-signed.tgz *
    # cd ..
    # rm -rf jinst/

    Install the package using pkg_add:

    # pkg_add jinstall-9.6R1.13-domestic-signed.tgz
    Adding jinstall...
    sysctl: unknown oid 'hw.product.model'
    sysctl: unknown oid 'hw.re.model'
    sysctl: unknown oid 'hw.re.model'
    sysctl: unknown oid 'hw.re.model'
    WARNING:     This package will load JUNOS 9.6R1.13 software.
    WARNING:     It will save JUNOS configuration files, and SSH keys
    WARNING:     (if configured), but erase all other files and information
    WARNING:     stored on this machine.  It will attempt to preserve dumps
    WARNING:     and log files, but this can not be guaranteed.  This is the
    WARNING:     pre-installation stage and all the software is loaded when
    WARNING:     you reboot the system.
    Saving the config files ...
    Installing the bootstrap installer ...
    WARNING:     A REBOOT IS REQUIRED TO LOAD THIS SOFTWARE CORRECTLY. Use the
    WARNING:     'request system reboot' command when software installation is
    WARNING:     complete. To abort the installation, do not reboot your system,
    WARNING:     instead use the 'request system software delete jinstall'
    WARNING:     command as soon as this operation completes.

    DO NOT REBOOT yet. To ensure you can interact with JunOS on the VM console, edit the boot loader configuration:

    # chmod +w /boot/loader.conf
    # vi /boot/loader.conf

    Add this line to the file:

    console="vidconsole"

    Reboot the device by entering the reboot command. The installation process will take several minutes and the router will reboot twice.

    JunOS 10.4R1 and JunOS 11.1R1

    This process is the same for 10.x and 11.x. Unpack the different parts of the installer and remove the hash files used to validate the installer:

    # cd /var/tmp/
    # mkdir jinst
    # cd jinst
    # tar xvzf ../jinstall-10.4R1.9-domestic-signed.tgz
    # rm *.md5 *.sha1 *.sig

    Open the +INSTALL file in vi:

    # vi ./+INSTALL


    Modify the variable re_name in the check_arch_compatibility() function as shown below; inside vi you can type :/check_arch and press Enter to go directly to it.

    check_arch_compatibility()
    {
        #re_name=`/sbin/sysctl -n hw.re.name 2>/dev/null`
        re_name='olive'
        if [ -z "$re_name" ]; then
            Error "hw.re.name sysctl not supported."
        fi
    


    Continue unpacking the next level of the package:

    # mkdir domestic
    # cd domestic/
    # tar xvzf ../jinstall-10.4R1.9-domestic.tgz

    Open +INSTALL and +REQUIRE with vi and modify the variable re_name in check_arch_compatibility() as done before. Then unpack the pkgtools.tgz file and make the checkpic file always return true:

    # mkdir pkgtools
    # cd pkgtools
    # tar xvzf ../pkgtools.tgz
    # cp /usr/bin/true bin/checkpic

    Repackage the installer:

    # tar cvzf ../pkgtools.tgz *
    # cd ..
    # rm -rf pkgtools
    # tar cvzf ../jinstall-10.4R1.9-domestic.tgz *
    # cd ..
    # rm -rf domestic
    # tar cvzf ../jinstall-10.4R1.9-domestic-signed.tgz *
    # cd ..
    # rm -rf jinst

    Install the package:

    # pkg_add jinstall-10.4R1.9-domestic-signed.tgz
    Adding jinstall...
    sysctl: unknown oid 'hw.product.model'
    sysctl: unknown oid 'hw.re.model'
    sysctl: unknown oid 'hw.re.model'
    sysctl: unknown oid 'hw.re.model'
    WARNING:     This package will load JUNOS 10.4R1.9 software.
    WARNING:     It will save JUNOS configuration files, and SSH keys
    WARNING:     (if configured), but erase all other files and information
    WARNING:     stored on this machine.  It will attempt to preserve dumps
    WARNING:     and log files, but this can not be guaranteed.  This is the
    WARNING:     pre-installation stage and all the software is loaded when
    WARNING:     you reboot the system.
    Saving the config files ...
    Installing the bootstrap installer ...
    WARNING:     A REBOOT IS REQUIRED TO LOAD THIS SOFTWARE CORRECTLY. Use the
    WARNING:     'request system reboot' command when software installation is
    WARNING:     complete. To abort the installation, do not reboot your system,
    WARNING:     instead use the 'request system software delete jinstall'
    WARNING:     command as soon as this operation completes.
    

    Ensure you can interact with JunOS on the VM console. This step is not needed with version 10.4, but it is recommended in case any other 10.x package behaves differently:

    # chmod +w /boot/loader.conf
    # vi /boot/loader.conf

    Add this line to the file:

    console="vidconsole"

    Reboot the device by entering the reboot command. The installation process will take several minutes and the router will reboot twice.

    Initial Configuration

    On the console, at the login prompt enter root and press Enter at the password prompt. Enter cli to enter the JunOS command line interface, then enter configuration mode:

    % cli
    > configure

    Set the hostname for the router:

    # set system host-name <router name>

    Set the root password:

    # set system root-authentication plain-text-password <enter>

    Create a secondary admin user to use for SSH:

    # set system login user <username> class super-user
    # set system login user <username> authentication plain-text-password <enter>

    Set an IP address on the interface em0 so as to connect to the router:

    # set interfaces em0 unit 0 family inet address <ip/mask>

    Enable SSH and set the protocol version to use to version 2:

    # set system services ssh protocol-version v2

    Enable Telnet:

    # set system services telnet

    Enable FTPD:

    # set system services ftp

    Set the default gateway:

    # set routing-options static route 0.0.0.0/0 next-hop <Default Gateway IP>

    Set the DNS server to use:

    # set system name-server <name server IP>

    Save the configuration:

    # commit

    To get the full list of software installed and versions without paging:

    > show version | no-more

    To get the full configuration:

    > show configuration | no-more

    To get the full configuration in XML format:

    > show configuration | no-more | display xml

    Install the Web Interface

    Copy the jweb file to the router using scp and the secondary admin account created above:

    $ scp jweb-<version>-signed.tgz <username>@<ip>:/var/tmp

    SSH into the router and run:

    > request system software add /var/tmp/jweb-<version>-signed.tgz

    After the installer finishes, reboot the router:

    > request system reboot
    Reboot the system ? [yes,no] (no) yes

    It will take a while for the router to reboot since it is setting up the files for the web interface. Once the router is back up, connect to it, enter configuration mode and enable the web management system on the interface you configured:

    # set system services web-management http interface em0.0
    # commit

    Saturday, April 30, 2011

    Zero Day Review

    Zero Day is a novel by Mark Russinovich, whose name is very well known to security professionals and system administrators who work with Microsoft systems alike; all have used the great set of utilities that he wrote under his own company Winternals before it was acquired by Microsoft, still available and updated as part of the Sysinternals suite of tools. He has used his experience in the security field and community to write this novel as an action story in the style of Tom Clancy.

    The story starts with a series of events caused by computer systems failing and data and information being altered with catastrophic results. This opens the story to the introduction of the main character, Jeff Aiken, a security consultant who is called to look at an infection that destroyed the systems of a New York law firm. The character is a bright security consultant driven by events in his past and by the passion for the thrill of the chase of hackers and solving the complex puzzle of digital forensics. As he delves deeper into the origins of the virus, and into the work of Daryl Hagen, a bright, determined woman who manages a US-CERT team and is part of CISU/DHS looking at the other cases, they discover that these infections are all connected and just the tip of the iceberg of a bigger attack that will hit the western governments. The story covers the typical terrorist plot of vengeance against the corrupt West that has been seen in so many novels after 9/11, but this one presents the twist that this time the attack is a cyber attack with very dark consequences.

    As a security researcher and professional I can relate to what Mark exposes in the book, especially the reality that our capacity to defend against a coordinated cyber attack is just nonexistent. All of us in the industry who have found holes in systems have been frustrated many times with the speed of the response of private companies to address these holes and the lack of cooperation between them. He mentions how antivirus vendors are flooded with more samples of malware code than they can handle. He covers the reality of how we are losing the battle against malware writers, but in this case the malware writers have a more deadly agenda than feeding their egos or making money like many out there in the real world. I do have to say I relate to all the problems faced by the heroes in the story, making it more real in my imagination as I read the book. I could even relate to the pain of some of the victims, having gone to clients to assist in recovering from security breaches and malware infections. I even related to the addictive nature that we in the security field have when we are faced with the hunt of an adversary while doing incident response, and how that thrill of the chase consumes us in the process.

    He also covers the problems that some of the bright women in this industry face, with prejudice and lack of respect from their peers. I found this part of the story very interesting, knowing women myself in the industry and in general who have had to face this and fought to be measured and valued by the quality of their work and knowledge.

    I do have to say that I really liked the book and the pace of the story. My tactical side related to the accuracy of the depiction of the action and the weapons, and my infosec side related perfectly with the main characters and their frustrations with government and industry and the drive that pushed them. I even related to the Russian character's persona and the choices that many starting in the security field are faced with in terms of the direction our research takes, the consequences of those decisions, and what may drive many to make the wrong ones.

    I recommend this book to any security professional in the industry and to anyone who likes the action and intrigue found in Tom Clancy and Alex Berenson books. I do hope that Mark writes another one like this and gives life to the characters behind this book.


    Friday, April 29, 2011

    Microsoft EMET

    Many times we are faced with the situation of not being able to patch software in time, and many times, due to the way companies work and handle security vulnerabilities, the time of exposure is a very long one. Microsoft has worked on making it harder for attackers to exploit code by adding mitigation technologies to the operating system and to several of their products, but sadly not all Microsoft products or third party products use these mitigation technologies. To help with this Microsoft released the Enhanced Mitigation Experience Toolkit. This toolkit includes several pseudo-mitigation technologies aimed at disrupting current exploit techniques. It is not a perfect solution, but it makes the known techniques used out there harder to pull off, which makes this toolkit very effective in managing risk. It provides 7 protections:

    • Structured Exception Handler Overwrite Protection (SEHOP)
    • Dynamic Data Execution Prevention (DEP), application level
    • Dynamic Data Execution Prevention (DEP), system level
    • Heapspray Allocations
    • Null Page Allocation
    • Mandatory Address Space Layout Randomization (ASLR)
    • Export Address Table Access Filtering (EAF)

    These options are not present on all operating systems:

    [image: protections available per operating system]

    It also depends on the CPU:

    [image: protections available per CPU]

    As can be seen from the tables, the newer the OS, the more protections can be used. The advantage of EMET is that, while applications normally have to be compiled with the proper flags and libraries to be able to use these protections, with EMET they can be forced at the system and application level. This matters more and more with attackers moving to client-side attacks and with many companies dependent on applications that many times cannot be updated, due to the vendor not supporting them on newer versions of Windows, patches taking too much time, or just plain quality problems from the company that programmed the tool.

    Once you install the tool, the main screen is very spartan in terms of information given:

    [image: EMET main screen]

    You can see two configuration areas: the top part for configuring the system settings and the lower part for configuring the application protection settings. The system configuration:

    [image: EMET system configuration]

    You can select one of two recommended profiles:

    • Maximum Security
    • Recommended Security Settings

    or you can set each of the protection settings.

    You can also configure several protections per application:

    [image: EMET per-application protection settings]

    You can push the tool to your servers and client systems through any package manager that can automate installation via MSI. The configuration of the programs to add for protection can be automated very easily via the command line:

    C:\Program Files (x86)\EMET>EMET_Conf.exe
    Usage: EMET_Conf.exe [--list | --add path\program.exe | --delete path\program.exe | --delete_all]
    

    I highly recommend this tool for anyone that runs Microsoft Windows. I highly recommend it for all web browsers, document editors, media players and for any service that can be reached via the network. I have tested a large number of Metasploit exploits and found that this Microsoft solution blocked all the exploits I could throw at my test machines, machines that I was able to compromise with each of them before I installed and configured EMET. I do hope MS integrates this into Service Packs and the next versions of Windows.

    Download at:

    EMET 20.0