Monday, 24th February 2025.

Posted on Wednesday, 21st March 2012 by Michael

Quick Tips for Linux Security at the CCDC

This guide is intended to be high level and to provide a reference the CCDC Blue Cell can use to help secure their Linux boxes during CCDC events. That said, this document does not guarantee your victory.

My understanding is that during the contest tools can be downloaded if they are free for commercial use, so I will base some of my suggestions on that. Remember that time is important: we are already on your box. Also, my thoughts may differ from those of other red cell members.


Posted in CCDC | Comments (0)

Posted on Tuesday, 20th March 2012 by Michael

Mid Atlantic CCDC Barcode Scanner Hack:

How many of you would have even thought that the scanner on the med station was itself hackable? That is, before Brad and I went around hacking them with a simple piece of paper that left them unusable until they were reprogrammed with another sheet of paper, which I gave to the white cell. How many of you were able to figure out how to fix them by researching the product rather than going straight to the white cell or Larry and Darren?

Up to this event I had never really thought about how insecure barcodes are, how readily they can be duplicated to circumvent security measures, or how they might be used to inject attacks into other systems.

Check these YouTube videos for more on their dangers:

http://www.youtube.com/watch?v=cEDqdYBtpvg <= Three-part video of a talk on barcode hacking at Defcon. This gave me the idea for the attack at the CCDC.

While sitting in my office the day before the CCDC I was watching the Twitter trend and noticed someone had uploaded a picture of the med station in which you could see the scanner. I saved the picture and, using GIMP, removed everything from it except the scanner. I then used the Google Goggles application on my Android phone to take a picture of it and have it tell me what model it was and who made it. In the first several links Google returned I found that it was a Honeywell barcode scanner, model MetroSelect. Knowing this, and having a few ideas for an attack based on the YouTube video above, I searched Honeywell's site for the configuration guide that provides the codes to configure the scanner. The guide can be found here: http://www.honeywellaidc.com/CatalogDocuments/00-02544%20Rev%20K%202-11.pdf . Side note: once I got to MD, I found that we had our own med station and was able to confirm the model was correct as well. But the above gave me the ability to start my research and was actually 100% accurate.

The guide has over 116 pages of information and codes on how to configure the scanners. We used the information found on pages 1-2. We made a quick disable printout and a quick enable printout. These codes allowed us to stop your scanners from scanning your badges until they were re-enabled. Though, as you all know, that was probably the least of your med station problems, alongside the Christmas incident, lock removal, lock additions, wifi attacks and so on.

Hopefully you find the info above informative and it gives you an idea how we think and plan some attacks.

Posted in Blog | Comments (2)

Posted on Tuesday, 20th March 2012 by Michael

How to create nodes in a Checkpoint firewall from a CSV

Have you ever needed to create hundreds, if not thousands, of new firewall nodes or networks in your Checkpoint firewall? If so, you know how tedious a task this is and you may even have researched ways to do it faster.

Research shows there are two tools to do this: the first is "dbedit", which comes on your management server, and the second is a toolkit called "Ofiller and Odumper" by Martin Hoz. The latter is no longer being developed but seems to still work on the newer 7.0 code; the first is fairly complex but easy to learn.

Though Ofiller and Odumper have many features and still work, I am uneasy using a tool on my enterprise firewalls that is no longer being developed. So to accomplish the task at hand I used dbedit and a Ruby script I wrote to create a dbedit import configuration file from the CSV file of IPs and names. To learn more about dbedit or to find its syntax, check the following URL: http://downloads.checkpoint.com/dc/download.htm?ID=5518 .

In my case I had over 100 nodes that needed to be created and added to a group. The CSV file I had listed the IP and the name of the facility. I just had to go line by line, taking column 1 as the IP and column 2 as the node name. To do this I wrote the following script:

http://www.digitaloffensive.com/files/rbcpgen.rb

This script is great for understanding how the process works, and with a few tweaks it can be used on your Checkpoint firewall as well. The script can be run on any Linux or Windows box that supports Ruby. The import it creates needs to be moved to the management server of your Checkpoint firewalls, either by SCP or by copying and pasting the contents of the import into a new file on the management server. Once the file is on your management server, make sure you are in expert mode and issue the following command:

dbedit -f file_name -s localhost -u admin_username

Then press Enter and enter the password.

Before you do this, make sure that your CSV file does not have any duplicates before running the script. I know I should have added that check, but this was a last-minute rush job for work. Also make sure you have a backup of your database in case something breaks. You use this script at your own risk.
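The CSV-to-dbedit step described above, as an added Ruby example that is not the author's rbcpgen.rb: it reads rows of IP,name, skips malformed IPs and duplicate IPs or names (the check the post says its own script lacks), and emits the dbedit commands. The group name Facilities_Group and the host_plain/modify/addelement command forms are assumptions to verify against the dbedit guide linked above for your version.

```ruby
#!/usr/bin/ruby
# Added example, not the author's rbcpgen.rb. Builds a dbedit import file from
# "ip,name" CSV rows, rejecting bad IPs and duplicates so the operator can fix
# the CSV before touching the management server. Command forms assumed from
# Check Point's dbedit documentation; verify for your version.
require 'csv'
require 'ipaddr'

GROUP = 'Facilities_Group' # assumed group name; drop the create line if it already exists

# Returns [commands, problems]: commands is the list of dbedit lines,
# problems lists the CSV rows that were skipped and why.
def build_dbedit(csv_text, group = GROUP)
  commands = ["create network_object_group #{group}"]
  problems = []
  seen_ips = {}
  seen_names = {}
  CSV.parse(csv_text).each_with_index do |row, idx|
    line_no = idx + 1
    ip = row[0].to_s.strip
    # dbedit object names: keep to letters, digits, '_' and '-' to avoid quoting trouble
    name = row[1].to_s.strip.gsub(/[^A-Za-z0-9_-]/, '_')
    begin
      IPAddr.new(ip)                       # raises on anything that is not an address
    rescue ArgumentError
      problems << "line #{line_no}: bad IP '#{ip}'"
      next
    end
    if name.empty? || seen_ips.key?(ip) || seen_names.key?(name)
      problems << "line #{line_no}: duplicate or empty entry #{ip},#{name}"
      next
    end
    seen_ips[ip] = true
    seen_names[name] = true
    commands << "create host_plain #{name}"
    commands << "modify network_objects #{name} ipaddr #{ip}"
    commands << "update network_objects #{name}"
    commands << "addelement network_objects #{group} '' network_objects:#{name}"
  end
  commands << 'update_all' << 'savedb' << 'quit'
  [commands, problems]
end

# Usage: ruby this_script.rb nodes.csv  -> writes import.txt, reports skipped rows
if __FILE__ == $0 && ARGV[0]
  cmds, probs = build_dbedit(File.read(ARGV[0]))
  File.write('import.txt', cmds.join("\n") + "\n")
  probs.each { |p| warn p }
end
```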

If you have any questions or concerns please feel free to contact me.

Posted in Code | Comments (3)

Posted on Thursday, 15th March 2012 by Michael

Last February I had to study and re-certify for my SANS GCIH certification. The first time I took this test had been 4 years earlier, after attending a SANS boot camp held in Las Vegas. My instructor at the time was Ed Skoudis. I have to say, if you ever have the opportunity to take this boot camp I strongly suggest attending his. The class was informative and very fun. He kept us fully engaged and we all learned a lot. After the class I took another month to re-read the books and make sure I was ready. The first time taking the test I scored in the low 90s.

Now jump forward 4 years. I am at a new job that does not offer training opportunities like this, and I cannot afford to attend another one of these camps on my own, so I decided to just pay for a re-cert attempt. These attempts include the new books for the course. The new books did not change much from the originals, and while reading them it all came back to me like riding a bike.

Since the test is open book I was not too worried, but remember that open book can be your best friend or your worst nightmare, as the test is timed. I made sure I knew the information inside and out, and to get the most use out of the books I wrote the following study guide. If you decide to use my study guide I suggest that you verify the page numbers in it and update them appropriately for your version of the books. The study guide lists the key points in each chapter of the book and notes where more details can be found on each key topic. In the sections on attacks it lists the attacks and defenses along with the pages to additional information.

This guide and studying helped me score over 95% on the test this time around.

Download it below

SANS GCIH CERTIFICATION GUIDE-V2

If you found this study guide to be useful and would like to donate something to help keep the site going please do so below:
Posted in Papers | Comments (4)

Posted on Friday, 27th January 2012 by Michael

Ruby: Script to check if an IP is up and get its Hostname

This script goes line by line through a text file, checking which IPs are up. If the host is not up it logs "IP,DOWN,NoName" to the results.csv file. If the host is up it logs "IP,UP,hostname". Please note that if the authoritative DNS server does not have an answer for that IP, it will not log a name and will put the IP address again instead. This script is very handy on our firewall audits and cleanups to see which hosts are still needed and which are no longer even turned on.

You will need to have the IP addresses you want to check in a file called IP.txt, unless you edit the script. Make sure you put the file in the same path as the script.

#!/usr/bin/ruby
require "socket"

# Ping the host once with a one-second deadline. The argument form keeps the
# line read from IP.txt out of a shell, so a stray line cannot become a command.
def computer_exists?(fwip)
  system("ping", "-c1", "-w1", fwip)
end

# Append one result line to results.csv (puts adds the newline)
def append_to_file(line)
  File.open("results.csv", "a") { |file| file.puts(line) }
end

def getInfo(current_ip)
  begin
    if computer_exists?(current_ip)
      # getaddrinfo entries are [family, port, hostname, address, ...]; the hostname
      # field is the IP itself when there is no reverse record for it
      host_name = Socket.getaddrinfo(current_ip, nil)
      append_to_file("#{current_ip},UP,#{host_name[0][2]}")
    else
      append_to_file("#{current_ip},DOWN,NoNAME")
    end
  rescue SocketError => mySocketError
    append_to_file("#{current_ip},UP,ERROR")
  end
end

# My favorite method, read and process file
ipLST = 'IP.txt'
File.readlines(ipLST).each do |line|
  current_ip = line.strip   # drop the trailing newline so ping and the CSV get a clean IP
  next if current_ip.empty?
  getInfo(current_ip)
end

Posted in Code | Comments (0)

Posted on Wednesday, 18th January 2012 by Michael

Today is January 18th 2012. This is an important date in history, as today is the day that thousands of websites are blacking out in protest of two very controversial bills, written in haste, that will censor the internet. At a high level, the government plans to use these two bills to legally hijack websites / domains that they deem inappropriate or to be dealing in piracy. They will do this through techniques that can jeopardize your internet security. This will affect not only Americans but everyone, as the US hosts much of the internet infrastructure.

A revised bill putting the burden of protecting copyrighted material on the entity that owns it is what is required, not giving the government the ability to decide what to block and what not to block. Our government has more important issues to deal with than doing the legal legwork that these entities should be doing to protect their content.

Watch the video below for more information:

http://www.youtube.com/watch?v=n0X5WCmyokw

To get more information on the bill from a more reliable source (EFF): https://www.eff.org/deeplinks/2012/01/how-pipa-and-sopa-violate-white-house-principles-supporting-free-speech

To sign the petition click here:

https://blacklists.eff.org/

Posted in Blog | Comments (0)

Posted on Friday, 13th January 2012 by Michael

Daemon Reality

Daniel Suarez wrote in his book Daemon about a man who, upon his death, triggers a strategically crafted computer system that launches a multitude of events ranging from something extremely simple to murder. In the book he mentions how a multitude of systems monitor different resources for this person's death. What if we eliminated the need for such a vast system and used the number one social media site and a simple application? What if we streamlined the process?

Today I stumbled upon an application for the social media giant Facebook called "If I Die" (http://www.ifidie.net). This application allows you to record a message or a post that, upon your death and verification by your three trustees, will be posted to your Facebook account. Wow, now several million people will know I am dead before the newspapers even have the first obituary with my death printed.

So you are now thinking, how does this line up with the book Daemon? Well, let's go back a few months to the Facebook bot I wrote (http://www.digitaloffensive.com/2010/08/facebook-bot-fbcbot-pl/). This bot would monitor my Facebook account for keyword posts and then launch commands locally to carry out my wishes. So right now you are probably thinking that's all fine and dandy if you have a system you can guarantee will be up and running all the time, or at least for a short time after your death. Well, what about cloud computing? How about Amazon cloud? They offer you a free cloud system as long as you stay below a certain usage each month. From my past usage of the system they charge you at the end of the month or in increments for usage of the cloud. So even if you are dead and your bill can't be paid it does not matter, because after your bot detects your death it can now do whatever you want, such as create a bot net.

So the process would be this. Upon my death (if this application still exists) my bot running on the cloud will see my post that gives it my final command. It will then check several sites like ww.exploit-db.com for new vulnerabilities. It will then use key Google Dorks from what it found on exploit-db.com to build a list of vulnerable servers and use the code found on that site to start attacking and infecting these hosts. Right now you are thinking, wait, this is illegal! What do I care, I am dead! Once the infection spreads to multiple hosts it does not matter if my cloud is shut down for nonpayment, as my bot net has started.

Now that you have an idea where I am going with this train of thought, think about other things you could do. You have a lifetime to prepare your masterpiece 🙂

Pictures and code for fbcbot.pl: "I am dead" code will be posted shortly.

Posted in Blog | Comments (0)

Posted on Friday, 23rd September 2011 by Michael

Simple PowerShell script to automate Acunetix command line scans:

Requirements:
1. Windows Vista or higher (preferably 7)
2. PowerShell 2.0
3. User Account Control (UAC) disabled
4. Acunetix installed (v7 or higher)
5. List of sites to scan

Adding functionality:

To add functions to the wvs_console call, edit the variable $scan.

Code:

################################################
## Automate Acunetix Console Scans
## Edit $scan to add more function (profile, report type, etc)
## Created by Michael LaSalvia
## http://www.digitaloffensive.com for http://SecurityonLocation.com
###############################################

Set-Location "C:\Program Files (x86)\Acunetix\Web Vulnerability Scanner 7"
# Add my directory to the current PATH
$x = (Get-Location).ProviderPath
$env:path = "$env:path;$x"
Write-Host "Current directory added to ENV:PATH"
##################################################
## Edit below but be careful
##################################################

# One target per line in sites.txt; each line becomes its own wvs_console run
$sites = Get-Content c:\mytest\sites.txt
foreach ($i in $sites) {
    $scan = "/scan $i /generatereport"
    # -Wait keeps the scans sequential so the console is not launched in parallel
    Start-Process 'wvs_console.exe' -WindowStyle Hidden -Wait -ArgumentList $scan -PassThru
}
exit

How to run:

Place the code in a file called whatever you want with a .ps1 extension, and make sure to sign it so you can execute it with PowerShell. Also make sure to edit the variables $sites and $scan to meet your requirements.

Any questions or concerns feel free to contact me.

Posted in Code | Comments (0)

Posted on Wednesday, 20th July 2011 by Michael

Ruby exploit for FreeFloat FTP Server ACCL Buffer OverFlow and remote Shell

The original vulnerability was published here: http://www.exploit-db.com/exploits/17550. The FreeFloat FTP server is a stand-alone executable FTP server requiring no installation on a computer system. The application itself is riddled with buffer overflows and is extremely simple to crash. The trick, though, is not to make it crash but to gain shell access; Mortis originally published the working exploit in Python. What we have done here is convert it into a Ruby exploit. Why? Simply because, while learning Ruby, I took it as a challenge to test what I had learned.

Exploiting the vulnerability

To test the actual exploit, download the vulnerable software and install it on a Windows XP SP3 machine: http://www.freefloat.com/software/freefloatftpserver.zip. Next, on a Linux machine, copy the Ruby code provided, save it to a file called ftpexploit.rb and chmod it to 777. To run the exploit, type ./ftpexploit.rb and enter the victim's IP. If the exploit is successful you will get a Windows shell.

The Exploit

#!/usr/bin/ruby


Posted in Security Advisories | Comments (2)

Posted on Monday, 18th July 2011 by Michael

Simple Ruby banner grabber and port checker:

This is a simple script I wrote in Ruby to scan ports to see if they are open and grab the banner of the service. The script has error handling built in, so it is able to continue on to the next port if the port before it is closed. Port banners are displayed on the screen. If you want to log them to a file, just alter the print statement to redirect to a file. To change the port range to scan, alter the line where the "for loop" is 0…65536. This script will only do TCP and not UDP. The script was written for fun, but when you are doing an actual audit sometimes you cannot install tools on the machines or within the network you are auditing. This will allow you to use a piece of software that is installed on most new Linux machines.


Posted in Code | Comments (0)
