Dissecting the Pass the Hash Attack

28 07 2010

Nice to see an article including Backtrack on the windowsecurity.com list. It's a nice write-up on using Backtrack to pass the hash, using psexec to remotely launch a reverse shell. If you haven't read much about using password hashes, this would be a good read. It also links to other articles about gaining access to hashed passwords, from physical box access to various tools.

In this article we will look at how this technique works and I will demonstrate the process that can be used to take stolen password hashes and use them successfully without having to crack their hidden contents. As always, I will cover some detection and defensive techniques on how you can prevent yourself from falling victim to this attack.

via Dissecting the Pass the Hash Attack.


27 07 2010

HAHAHA – in the same format as the iPhone4 vs EVO vid.


Portable Linux Apps Which Work With Any Linux Distro

25 07 2010

I have to admit, I am on the portable apps bandwagon – I can't live without my portable Windows apps, meaning I don't have to install software onto restrictive machines but can still do what I want to do (PuTTY / portable Firefox with FoxyProxy etc. etc.). Now that I have started using Dropbox, I have my various Windows machines pretty well sorted with apps & data from anywhere. I was curious about other portable apps for Linux / Mac etc. and stumbled across this one for Linux Portable Apps from my MakeUseOf feed – it's worth a read.

Portable Apps for Windows and Mac have been around for a long time, but are less common in the Linux world. Due to the complexity of Linux dependencies, and the different way different distributions locate these dependencies, the portable Linux application long seemed like a pipe dream.

Until now.

New website PortableLinuxApps features a number of portable Linux applications, which will work on any Linux distribution. These can run off your flash drive or from a folder in your home directory; it doesn’t matter. Best of all, there’s documentation out there to help you make your own program, should you not be able to find what you’re looking for.

via Portable Linux Apps Which Work With Any Linux Distro.

web page speed test & recon

23 07 2010

I was looking for tools to test webpage load speeds, and found these ones from Pingdom & Site-Perf. I use Pingdom for monitoring uptimes & it's great; it emails me once a month with a summary of downtimes.

These tools test website load times, which is cool – but they also give you a visual of each object loaded, its size & speed. This is VERY useful when investigating pages, showing all the objects (JavaScript / CSS / images etc.).

These ones might prove useful in recon of publicly accessible websites & also for testing access to pages you manage.

How it works

The Full Page Test loads a complete HTML page including all objects (images, CSS, JavaScripts, RSS, Flash and frames/iframes). It mimics the way a page is loaded in a web browser.

The load time of all objects is shown visually with time bars.

You can view the list of objects either in load order or as a hierarchy. The hierarchy view allows you to see which objects are linked to in, for example, a CSS file.

Every test also shows general statistics about the loaded page such as the total number of objects, total load time, and size including all objects.

Note: This version doesn’t load objects included in JavaScripts. We have also put a limit on the number and size of the objects that are loaded (to prevent the tool from downloading movies, for example).

via Pingdom Tools Full Page Test.

With Site-Perf.com, you get an accurate, realistic, and helpful estimation of your site’s loading speed. The script fully emulates natural browser behaviour downloading your page with all the images, CSS, JS and other files – just like a regular user. Spot bottlenecks, reach perfect performance and balance your site load with Site-Perf.com, a smart and flexible testing tool. Focus on important things while Site-Perf.com delivers the speed facts straight to your screen. Try it right now!

via Site-Perf.com – Know all about your site performance.

lastpass – the last password you will need to remember

22 07 2010

So, that's the tagline, but does it really work? I was pretty skeptical.

I had previously used a combination of mashedlife.com (for the cloud), secured by a YubiKey USB one-time password token. This was great: I could log into mashedlife using my OTP token, then when I needed to log into a secure website I would just click on a bookmarklet, and the username & password would automagically be transferred via SSL into the page. This works great, but I always wondered about security etc. etc. It was secured by my one-time password & a PIN, so there was really no option for replaying if I logged on via a net cafe with a keylogger – but in my ever-increasing need for change & "projects", I wanted something else.

Enter LastPass. I was having a poke around on their site, being pretty impressed with what I saw, but without knowing all the details I was reluctant to try it out. I then found a review by Steve Gibson, aka the Security Now podcast, aka GRC.com, here. Some of the highlights for me were:

“At no point does LastPass receive anything other than what looks like a block of pseudorandom noise. We’ve talked about how, when you take so-called plaintext, the normal readable, human readable, your username as an email address and your actual password, and you encrypt it with a good cipher, it turns it into, under the influence of a key, which is the key to the whole process, under the influence of the key, it turns it into noise, absolute pseudorandom bits that mean nothing.”

“So the idea is that when you log in, when you give your system your LastPass username and password, the first thing it does is it runs it through this SHA – it lowercases the email address, removes the white space, adds the password, and then it does this hash to it, turning it into a 256-bit blob which tells the blob holder nothing about your username and password. It’s just like it’s been digested into this thing. In fact, hashes are called “digests,” also, for that reason.

What that is, is that is your cryptographic key. That’s the key which your system will use, both to encrypt your data which is being shared with LastPass Corporate, and also to decrypt it when LastPass Corporate sends this back to you. They’re holding the encrypted results of your own personal database, just because that’s what they do. That’s the service they provide, essentially, that and creating all these amazing plug-ins for everything anyone’s ever heard of. So but what they’re holding, they have no ability to decrypt. They never get the key. That never leaves your system.”

“So the whole concept here is that we establish a database of domains that we’re logging into, and usernames and passwords for those domains. And this is our personal database. And the beauty of this, and I’ve been playing with this now for about a week, is that, for example, I did change a couple passwords because I’d been a little lazy, too. And I thought, okay, now’s the time. So I changed those passwords here at home on my system in Firefox, and changed them in the website. And LastPass watched me change them. I said, okay, remember this. And LastPass remembered it.”

After digesting Steve’s review, I gave it a go. I had previously been using KeePass, but keeping it synced was beginning to be a PITA: which version of my KeePass database was correct – the one on my USB stick, the one I had copied to Google Docs, the one I had in Dropbox or the one on my laptop? If I want to change a password, which database do I change it in, & then I have to scratch my head about which one I copy over the other one ..... messy.

I create my LastPass account, upload the accounts from my KeePass database & start to play. It allows me to do a security check, checking how secure my passwords are, multiple uses etc. It works on Firefox / IE / Safari on either my Mac, Windows or work PC (generic Windows browser plugins installed), all seamlessly.

For the sites where I usually have to bust out my KeePass database or mashedlife account from the cloud, I just log into the LastPass browser plugin; it downloads & decrypts the account database, and for the rest of my browsing session, whenever I open a page that requires logging into, LastPass just enters the username & password automagically for me – kind of like browser password remembering, except it's not stored in clear text like the browsers do.

So back to the whole cyber cafe in the back streets of some dingy city: you need to log into a site but are worried about keyloggers. LastPass has you covered for this. For starters, you have an on-screen keyboard; this way the malware-infected machine you are on cannot capture the keystrokes. Not for you? Then how about single-use passwords, without a dongle: you log in in advance, go to their one-time password section & print out a list of them. Or maybe you prefer a second factor on your standard login – you can use their grid system, where you log in & then it prompts you for 4 characters from a printed grid sheet (think Battleship).

Anyway – I'm sold on it. It's secure, it is truly cloud based & accessible from any platform at any time. If you use KeePass or one of those, do yourself a favour & check out LastPass.
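As an added illustration of the derivation Steve describes above (my own example, not LastPass's code or a claim about its exact implementation), this PowerShell uses .NET's SHA-256 and AES to turn the lowercased, whitespace-stripped e-mail plus password into a 32-byte key, then encrypts one vault entry with it and decrypts it again locally; the e-mail, password and entry are constructed sample values.

```powershell
# Added example, not LastPass code: derive the client-side key as the quoted
# description states, encrypt one vault entry with it and decrypt it again locally.
function Get-VaultKey {
    param([string]$Email, [string]$Password)
    # Lower-case the e-mail, strip whitespace, append the password, then SHA-256 it.
    $material = ($Email.ToLowerInvariant() -replace '\s', '') + $Password
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try     { return $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($material)) }  # 32 bytes: an AES-256 key
    finally { $sha.Dispose() }
}

function Protect-VaultEntry {
    param([byte[]]$Key, [string]$PlainText)
    $aes = [System.Security.Cryptography.Aes]::Create()   # CBC mode with PKCS7 padding by default
    $aes.Key = $Key
    $aes.GenerateIV()                                       # fresh random IV for every entry
    $iv = $aes.IV                                           # copy it before Dispose() wipes it
    $enc = $aes.CreateEncryptor()
    $plain = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
    $cipher = $enc.TransformFinalBlock($plain, 0, $plain.Length)
    $enc.Dispose(); $aes.Dispose()
    # The stored blob is IV || ciphertext: pseudorandom bytes that reveal nothing without the key.
    return [Convert]::ToBase64String([byte[]]($iv + $cipher))
}

function Unprotect-VaultEntry {
    param([byte[]]$Key, [string]$Blob)
    $bytes = [Convert]::FromBase64String($Blob)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key
    $aes.IV  = [byte[]]($bytes[0..15])                     # first 16 bytes are the IV
    $dec = $aes.CreateDecryptor()
    $plain = $dec.TransformFinalBlock($bytes, 16, $bytes.Length - 16)
    $dec.Dispose(); $aes.Dispose()
    return [System.Text.Encoding]::UTF8.GetString($plain)
}

# Constructed sample credentials and entry (not real accounts).
$key  = Get-VaultKey -Email ' Alice@Example.com ' -Password 'correct horse battery staple'
$blob = Protect-VaultEntry -Key $key -PlainText 'example.org | alice | S3cret!'
"Blob the service would hold : $blob"                       # noise to anyone without the key
"Decrypted on the client     : $(Unprotect-VaultEntry -Key $key -Blob $blob)"
```

The key never leaves the machine; only the base64 blob would be uploaded, and the same key re-derived from the same e-mail and password recovers the entry.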

Malware Persistence without the Windows Registry

21 07 2010

Found an interesting post below; it seems that we can use DLL files to deliver malware persistence without reg hacking (easily spotted) .... I wonder how this goes with Meterpreter .... one way to find out I guess .... stay tuned.

Malware Persistence without the Windows Registry

Written by Nick Harbour

For an attacker to maintain a foothold inside your network they will typically install a piece of backdoor malware on at least one of your systems. The malware needs to be installed persistently, meaning that it will remain active in the event of a reboot. Most persistence techniques on a Microsoft Windows platform involve the use of the Registry. Notable exceptions include the Startup Folder and trojanizing system binaries. Examining malware persistence locations in the Windows Registry and startup locations is a common technique employed by forensic investigators to identify malware on a host. Each persistence technique commonly seen today leaves a forensic footprint which can be easily collected using most forensic software on the market.

The persistence technique I’ll describe here is special in that it doesn’t leave an easy forensic trail behind. A malware DLL can be made persistent on a Windows host by simply residing in a specific directory with a specific name, with no trace evidence in the registry or startup folder and no modified system binaries. There isn’t just one directory location and DLL filename that are candidate locations for this persistence mechanism but rather a whole class of candidate locations exist for any given system. On my laptop Windows 7 64-bit there are no less than 1032 such path and DLL name combinations where a DLL could be placed such that it would automatically be loaded at some point during my normal boot-up, and that’s just for a 32-bit DLL! If you had a 64-bit malware DLL the number would be much higher as I have many more 64-bit processes running at boot time. So how does this work?

via M-unition » Blog Archive » Malware Persistence without the Windows Registry.

Tool Here

VMware vCenter memory usage issues – tomcat6

10 07 2010

So my vCenter was constantly alerting on memory usage, no matter how much memory I assigned to it. Looking in the process list, "tomcat6" was using as much available memory as I fed it .... a little searching of the interwebs & I came across the following, which resolved the issues.

Update: as per http://deinoscloud.wordpress.com/2009/11/30/tomcat-for-vcenter-memory-tuning/, a couple of JVM memory parameters are pre-set for the vCenter tomcat6 instance.

Removing the fixed-allocation settings in the registry seems to have the desired effect of keeping the tomcat6 memory usage to a more "normal" amount.

Locate the following registry key, for either x64 or x86 systems:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun 2.0\vctomcat\Parameters\Java

HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Procrun 2.0\vctomcat\Parameters\Java

Set each of the following values to 0x0 and restart the vCenter Webservices service:

JvmMs = 0x0

JvmMx = 0x0

JvmSs = 0x0

via VMware Communities: vServer – tomcat6 memory usage HIGH ….
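An added PowerShell version of the procedure above (not VMware's or the forum poster's own script): it picks whichever of the two registry keys exists, records the current JvmMs/JvmMx/JvmSs values to a backup file before zeroing them, and restarts the service. It assumes the Procrun service name is vctomcat, taken from the registry path, and the backup file location is my own choice.

```powershell
# Added example, not from VMware or the forum thread. Run elevated on the vCenter host.
$candidates = @(
    'HKLM:\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun 2.0\vctomcat\Parameters\Java',  # 32-bit tomcat on x64
    'HKLM:\SOFTWARE\Apache Software Foundation\Procrun 2.0\vctomcat\Parameters\Java'               # x86 host
)
$keyPath = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyPath) { throw 'vctomcat Procrun Java parameters key not found; is this the vCenter server?' }

$names  = 'JvmMs', 'JvmMx', 'JvmSs'
$before = @{}
foreach ($n in $names) {
    $before[$n] = (Get-ItemProperty -Path $keyPath -Name $n -ErrorAction SilentlyContinue).$n
    Write-Host ("{0,-6} current value: {1}" -f $n, $before[$n])
}
# Keep a record of the old fixed allocations so the change can be reverted (backup path is my choice).
$before | Export-Clixml -Path "$env:TEMP\vctomcat-jvm-backup.xml"

foreach ($n in $names) {
    # 0x0 removes the fixed allocation and lets the JVM size its heap and thread stacks itself.
    Set-ItemProperty -Path $keyPath -Name $n -Value 0 -Type DWord
}
# Assumption: the Procrun service name matches the 'vctomcat' segment of the registry path.
Restart-Service -Name 'vctomcat' -Force
Write-Host "Set $($names -join ', ') to 0x0 under $keyPath and restarted vctomcat."
```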