
dangerous Conficker
First of all I've to say: I'm sorry for the poorest html layout and "coding" I ever did. Every 12-year-old beginner normally could do better here. I'll never again make the mistake of letting Blogspot's backend compose my entries. I'll rewrite it completely - maybe as a pdf... but not this week. It's there, and I hope the content isn't that bad. I just extracted stuff from my private knowledge base. Sorry... if you look at the html source you'll die. Try to avoid that please ;).
Call for education! Help IT security, now!
- But nevertheless it's a good week. The "honeynet heroes" pwned Conficker. Calling it "Unficker" is kewl, if you're German and you know what they mean. Why does it always take Germans to fight back against malware? Storm Worm was successfully neutralized by the same guys back in December this year. I think Felix and Tillmann - and the other more or less anonymous guys from the projects - should go into teaching how they always do that.
If they do - I'll be there! Believe it! And btw. the Honeypot Workshop at 25c3 was awesome.
Since Fyodor implemented scanning routines into Nmap - and they're freely available for everyone - it'll be possible to find and eliminate this bastard Conficker everywhere. And I know that Tenable has got a scanning routine too in Nessus, but this won't help where the budget is so low that people can't even afford a licensed, updated Windows operating system. That's the downside of making a product commercial. You lose a certain effectiveness here and there.
So this is the big news for this week.
What to code as a pentester
Often argued, never solved: which language serves best when working as a pentester? Ruby, Python, Java? Hmmh...
Python projects:
- Twisted - for network stuff
- PaiMei - for reversing. Featured here.
- integration into WinDbg and Immunity Debugger
- There's IDAPython
- Peach Fuzzer - I never used it until now... but I will.
- other BRILLIANT Immunity stuff like Spike... or Canvas. Core's Impact framework, too
- OWASP Pantera - never used it; but I'll give it a try.
- w3af - featured here.
- Metagoofil - featured here.
If you ask me that's just a small collection of the most amazing projects with Python I know. But it encourages me to learn more. You MUST learn Python. EOD.
Ruby maybe even as strong?
- Metasploit - a MUST know
- Eventmachine - for writing network stuff together with amazing stuff like Mongrel
- Metasm - a MUST know
- DiStorm64 and BinData - new for me
Okay, you MUST know Ruby. EOD. It speaks for itself.
Java? Well... Java is important to be honest. There're multiple VizSec projects - and if you analyze stuff regularly, you will need Java.
- BURP - you MUST KNOW dude!
- NetGrok - visualizer for network behavior
- TNV - analyze pcaps
- iNetVis - my favorite network plotter
So?
Advice for starters: learn C. Then go to Python or Ruby. Don't start with Python or Ruby. That'll make you suffer for the rest of your software-developer's life.
My advice for professionals: you want Python because more and more products feature it. You want Lua for the same reason. Not just for automation, but for modification and interactive working with systems and software.
Competitively seen, Python has many more projects, but Ruby has brilliant ones. Ruby isn't so hard to learn that you've got a chance to avoid it - even if you wanted to. You need both. Much Python, some Ruby, and you may just want Java.
Ruby and Python have:
- direct integration with libpcap for raw packet work
- OpenSSL bindings for crypto
- Mature C function interfaces for API access
- WxWindows for UI work
- web stacks
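As an added example (not code from the original post), here is the kind of raw packet work those libpcap bindings are used for, written in plain Python so it runs without libpcap installed: a minimal reader for the classic pcap file format plus an Ethernet/IPv4/TCP decoder that picks out bare SYNs to a port of interest, which is the cheapest possible scan indicator. In real use the frames would come from a libpcap binding; here a one-packet capture is constructed inline. The addresses, ports and MAC bytes are constructed, and the function names (`iter_pcap_records`, `parse_tcp_flow`, `find_syns_to_port`) are chosen here, not taken from any library.

```python
"""Raw packet work in plain Python: read a pcap and decode Ethernet/IPv4/TCP.

Added example, not code from the original post. It uses only the standard
library; in practice the frames would come from a libpcap binding, while here
a one-packet capture is constructed inline so the script runs offline.
"""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4  # little-endian pcap with microsecond timestamps

# Constructed sample: one Ethernet/IPv4/TCP SYN, 10.0.0.5:40000 -> 10.0.0.9:445.
SRC_IP, DST_IP = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9])
SRC_PORT, DST_PORT = 40000, 445


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over an IPv4 header (0 when the header is valid)."""
    total = 0
    for i in range(0, len(header) - 1, 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_frame() -> bytes:
    """Build the constructed 54-byte frame (14 Ethernet + 20 IPv4 + 20 TCP)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    # data offset 5 words, flags = SYN (0x02), window 65535, checksum/urgent left 0
    tcp = struct.pack("!HHIIBBHHH", SRC_PORT, DST_PORT, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, SRC_IP, DST_IP)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]  # fill header checksum
    return eth + ip + tcp


def build_sample_pcap() -> bytes:
    """Wrap the frame in a pcap global header and one record header."""
    frame = build_sample_frame()
    global_header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    record_header = struct.pack("<IIII", 1234567890, 0, len(frame), len(frame))
    return global_header + record_header + frame


def iter_pcap_records(data: bytes):
    """Yield raw frames from a little-endian pcap blob; refuse other magics."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("unsupported or byte-swapped pcap magic: %#x" % magic)
    offset = 24  # size of the global header
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, offset)
        offset += 16
        if offset + incl_len > len(data):
            raise ValueError("truncated record at offset %d" % offset)
        yield data[offset:offset + incl_len]
        offset += incl_len


def parse_tcp_flow(frame: bytes) -> dict:
    """Decode Ethernet/IPv4/TCP into a 5-tuple plus SYN/ACK flags."""
    if len(frame) < 14 + 20 + 20:
        raise ValueError("frame too short for Ethernet/IPv4/TCP")
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype != 0x0800:
        raise ValueError("not IPv4")
    ihl = (frame[14] & 0x0F) * 4
    ip_header = frame[14:14 + ihl]
    if ipv4_checksum(ip_header) != 0:
        raise ValueError("bad IPv4 header checksum")
    if ip_header[9] != 6:
        raise ValueError("not TCP")
    tcp_off = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp_off)
    flags = frame[tcp_off + 13]
    return {
        "src": ".".join(str(b) for b in ip_header[12:16]),
        "sport": sport,
        "dst": ".".join(str(b) for b in ip_header[16:20]),
        "dport": dport,
        "syn": bool(flags & 0x02),
        "ack": bool(flags & 0x10),
    }


def find_syns_to_port(pcap: bytes, port: int) -> list:
    """Return the flows that are bare SYNs (SYN set, ACK clear) to `port`."""
    hits = []
    for frame in iter_pcap_records(pcap):
        try:
            flow = parse_tcp_flow(frame)
        except ValueError:
            continue  # non-IPv4/TCP or damaged frames are skipped, not fatal
        if flow["dport"] == port and flow["syn"] and not flow["ack"]:
            hits.append(flow)
    return hits


if __name__ == "__main__":
    for flow in find_syns_to_port(build_sample_pcap(), 445):
        print("SYN %s:%d -> %s:%d" % (flow["src"], flow["sport"], flow["dst"], flow["dport"]))
```

The decoder verifies the IPv4 header checksum before trusting any field and skips frames it cannot parse rather than aborting the whole capture, which is the behaviour you want when a capture contains ARP, IPv6 or truncated records alongside the traffic of interest.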
The Java stuff - I'd say - is almost academic. If you're an academic, you'll probably already know Java. Maybe you're in IT security now, and you don't see a reason for good old Java? Well... there are very good reasons for Java. Most Java-based programs are very structured and well designed. Therefore useful.
I see many (good) people in IT security lurking around with little or no programming skills. My personal opinion here is that maybe some have a very good understanding... but too many don't.
If you're going to tell a C++/C# developer why his program isn't secure, and you can't even explain secure coding standards, you're just not competent enough. Of course most common vulnerabilities are caused by software, by (bad) code. And of course ~50% of all exploits are buffer overruns. Common heap executions, no NX bits set, sloppily done or deadlined before finishing.
But a pentester who can't even explain how the exploits he used work, how exactly they managed to compromise a system, and what he did with his framework, is just another motormouth. Maybe CISSPs learn how to interact with management, and maybe these so damn smart consultants and auditors know how to speak rhetorically. And I know that too *g*, but one simple question can change everything. Ask the right questions at a conference and - if the security team that has been hired has no skills - it's over. Totally.
It gets better every day - automation, lowering the bars
Hell yeah, automated credential collection with meterpreter... Who needs post-exploitation skills any longer? Meterpreter does. So be it.
Sometimes I think competent security researchers should close doors once they're in. This is one of these situations where I say: responsibility is more important than awareness.
In the past I always referred to responsible disclosure - and I post exploits if I see them - to inform people. What I explicitly don't appreciate is posting and teaching how to break stuff. It's important that people know it. But you don't have to advertise stuff like that everywhere and boost false and unconstructive behavior. Keep it silent, keep it simple, but don't overdo it.
Post-exploitation automation - on a certain level - is useful. I think this - in general - goes too far, because I see almost every attempt at IT destruction becoming possible with a script.
If you've got the skills it always will be possible. But if not, it shouldn't be.
The race is open. Harden systems or die? Guess what, that's not helping to improve the situation!
Mac/Windows Malware?
Yes my dear friends. The Mac is totally secure, because Apple knows magic. Really. And you don't even have to cast a spell.
Well... I don't know whether WinAutoPwn is malware. But I believe it's crap. DragonFly BSD update-server? A cluster or what?
I disassembled the binary (1 minute), decompiled it (5 seconds), and looked at the source.
chdir("exploits");                                                          /* move into the bundled exploit-script directory */
printf((const char *)&unk_4073FC);                                          /* print a string the decompiler could not name */
strcpy((char *)&unk_40B350, "perl FreeSSHd_1.2.1_(rename)_RBOF_XPLT.pl ");  /* build the command line handed to Perl */
It's just starting cygwinized Perl with scripts, and that's it. Nothing suspicious during scans (tested with regmon and filemon in an XP VM). No successful penetrations. I had no vulnerable targets. I never used the exploits in the tool's repo. They look similar to some I saw on Milw0rm.
10 minutes in IDA Pro - my guess: not good, but not bad either. Try and die? Well - no, as far as I'm concerned. But I guess the one hosting the site is not the original author and just copied some child-ware from a One-Click hoster. My guess.
% md5sum winAUTOPWN/winAUTOPWN.exe
89dd466bdb2517b655e300acc0c5b112 winAUTOPWN/winAUTOPWN.exe
Source: http://winautopwn.exofire.net/winAUTOPWN.RAR
Nothing too suspicious - linear code-flow, no obfuscation.
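The same check the post performs by hand (hash the download, look at the strings the decompiler surfaced), as an added Python example that is not part of the original post and not winAUTOPWN's own code: it hashes a file, compares it against the MD5 the post printed, extracts printable strings and flags those that look like interpreter command lines, which is what betrayed this tool's "just run Perl scripts" design. `SAMPLE_BINARY` is a constructed blob that only imitates a PE (it embeds the Perl command quoted above), and the names `triage`, `extract_strings` and `flag_command_strings` are chosen here.

```python
"""Quick static triage of a suspicious download: hashes plus embedded strings.

Added example, not part of the original post and not winAUTOPWN's own code.
The sample blob below is constructed to look like a tiny PE that embeds the
command string the post quotes from the decompiler; a real check would read
the downloaded file instead.
"""
import hashlib
import re

# MD5 the post reports for winAUTOPWN.exe, kept for comparison against a download.
PUBLISHED_MD5 = "89dd466bdb2517b655e300acc0c5b112"

# Constructed sample (not the real binary): DOS stub text, non-printable junk,
# then the two strings the post saw in the decompiler output.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"This program cannot be run in DOS mode.\r\n$\x00"
    + bytes(range(0, 32)) * 4
    + b"exploits\x00"
    + b"perl FreeSSHd_1.2.1_(rename)_RBOF_XPLT.pl \x00"
    + b"\x7f\x80\x81"
)

# Prefixes that mark a string as a command line for an interpreter or shell.
INTERPRETER_PREFIXES = (
    "perl ", "python ", "ruby ", "cmd ", "cmd.exe", "powershell", "wscript", "cscript",
)


def file_hashes(data: bytes) -> dict:
    """MD5 (to compare with what others published) and SHA-256 (what you should publish)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_published_md5(data: bytes, expected_md5: str = PUBLISHED_MD5) -> bool:
    """True when the blob is byte-identical to the file the post hashed."""
    return hashlib.md5(data).hexdigest() == expected_md5.lower()


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Return runs of at least `min_len` printable ASCII bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def flag_command_strings(strings) -> list:
    """Keep strings that start with an interpreter or shell name."""
    return [s for s in strings if s.lstrip().lower().startswith(INTERPRETER_PREFIXES)]


def triage(data: bytes) -> dict:
    """One-shot report: hashes, published-hash match, strings, flagged commands."""
    strings = extract_strings(data)
    report = file_hashes(data)
    report["published_md5_match"] = matches_published_md5(data)
    report["strings"] = strings
    report["commands"] = flag_command_strings(strings)
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_BINARY).items():
        print("%-20s %s" % (key, value))
```

Two things this surfaces that a hash alone does not: a mismatch against the published MD5 tells you the mirror is serving a different file than the one someone else analysed, and the flagged command strings tell you before any dynamic run what child processes to expect under regmon/filemon-style monitoring.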
So, the old dichotomy rises again - constructive security against some (potential) malware, and constructive insecurity against some bad guys. - Not speaking about post-exploitation automation.
Have fun,
wishi



Perl is the best scripting
Perl is the best scripting language for text processing and handling regexes. I have posted a few articles related to those at my blog
http://icfun.blogspot.com/search/label/perl
Also Perl's CPAN has lots of support, so I don't even need to think extra while developing a project. I didn't find such help in other programming languages except Java and .NET